Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Beyond Scanning
Search
Dheeraj Joshi
November 15, 2016
Technology
0
460
Beyond Scanning
Slides from my talk at SeleniumConf UK 2016!
Dheeraj Joshi
November 15, 2016
Tweet
Share
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Secure your Web Application
djadmin
0
6.6k
Let's talk Security
djadmin
0
7.5k
Other Decks in Technology
See All in Technology
LINE公式アカウントの技術スタックと開発の裏側
lycorptech_jp
PRO
0
370
これからアウトプットする人たちへ - アウトプットを支える技術 / that support output
soudai
PRO
18
5.4k
データとAIで未来を創るDatabricks - 君の可能性を加速させるプラットフォーム
taka_aki
0
110
Post-AIコーディング時代のエンジニア生存戦略
shinoyu
0
280
はじめての OSS コントリビューション 〜小さな PR が世界を変える〜
chiroito
4
290
“それなりに”安全なWebアプリケーションの作り方
xryuseix
0
360
お試しで oxlint を導入してみる #vuefes_aftertalk
bengo4com
2
1.5k
AIと共に開発する時代の組織、プロセス設計 freeeでの実践から見えてきたこと
freee
3
670
エンジニア採用と 技術広報の取り組みと注力点/techpr1112
nishiuma
0
140
Design and implementation of "Markdown to Google Slides" / phpconfuk 2025
k1low
1
400
Flutter DevToolsで発見! 本番アプリのパフォーマンス問題と改善の実践
goto_tsl
1
540
⽣成 AI で進化する AWS オブザーバビリティ
o11yfes2023
0
110
Featured
See All Featured
The World Runs on Bad Software
bkeepers
PRO
72
12k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Automating Front-end Workflow
addyosmani
1371
200k
A Tale of Four Properties
chriscoyier
162
23k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.5k
Become a Pro
speakerdeck
PRO
29
5.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.8k
Mobile First: as difficult as doing things right
swwweet
225
10k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.1k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.3k
Side Projects
sachag
455
43k
Transcript
Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,
etc. What makes me happy?
In this talk... • Why ? • Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo
Why should we Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
None
None
Password Reuse Attacks
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
Inject Malicious content • Exploits can be real bad
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Hunt... • Data <-> Code • Input Validation • Check
HTML Encoding • Sanitizers • Analyze places where DOM elements are created
XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html
• Check for HTTPOnly, Secure flag on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF = ?
Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)
HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny
• X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff
Defense • Strategy - Integrate into SDLC • Static Code
Analysis • Security Audits • CTFs
Show Time !
Questions ?
Thank you @dheerajhere @djadmin
djadmin
lycorptech_jp
soudai
taka_aki
shinoyu
chiroito
xryuseix
bengo4com
freee
nishiuma
k1low
goto_tsl
o11yfes2023
bkeepers
afnizarnur
addyosmani
chriscoyier
jcasabona
speakerdeck
denniskardys
mongodb
swwweet
tammyeverts
samanthasiow
sachag
