Pro Yearly is on sale from $80 to $50! »

Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
140

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
5.9k
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.7k

Other Decks in Technology

See All in Technology
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
140
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
300
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
270
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
100
D0f5daa7cc3a26140c06ea29e5e235cc?s=48 noriyukitakei
0
180
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
130
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
2
940
64a4ba69d50590e592cd8e572454daa8?s=48 olegkovalov
0
210
Cc568a0b1284645f9fb927b2343eb87e?s=48 youtalk
0
370
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
360
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
110
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
160

Featured

See All Featured
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
12
630
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
9
1.2k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
346
20k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
192
8.7k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
113
25k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
494
110k
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
255
19k
78b475797a14c84799063c7cd073962f?s=48 holman
460
280k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
101
4.9k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
228
17k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
683
180k
245cee81a9c424266e5e401d844ea881?s=48 lara
15
2.5k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin