Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Dheeraj Joshi Dheeraj Joshi
November 15, 2016
Technology
0
480

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

Avatar for Dheeraj Joshi

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
Avatar for Dheeraj Joshi djadmin
0
6.6k
Let's talk Security
Avatar for Dheeraj Joshi djadmin
0
7.6k

Other Decks in Technology

See All in Technology
いよいよ仕事を奪われそうな波が来たぜ
Avatar for kazzpapa3 kazzpapa3
2
200
Claude in Chromeで始める自律的フロントエンド開発
Avatar for morimorikochan diggymo
1
270
ドメイン駆動セキュリティへの道しるべ
Avatar for Aja9tochin pandayumi
0
180
Werner Vogelsが14年間 問い続けてきたこと
Avatar for Yusuke Shimizu yusukeshimizu
2
160
ファシリテーション勉強中 その場に何が求められるかを考えるようになるまで / 20260123 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
3
360
「全社導入」は結果。1人の熱狂が組織に伝播したmikanのn8n活用
Avatar for Sota Mikami sota_mikami
0
460
かわいい身体と声を持つ そういうものに私はなりたい
Avatar for よしむら@データマネジメント担当 yoshimura_datam
0
410
AI開発の落とし穴 〜馬には乗ってみよAIには添うてみよ〜
Avatar for SansanTech sansantech
PRO
8
3.1k
ReproでのicebergのStreaming Writeの検証と実運用にむけた取り組み
Avatar for Tomohiro Hashidate joker1007
0
430
Hardware/Software Co-design: Motivations and reflections with respect to security
Avatar for Bryan Cantrill bcantrill
1
250
[Iceberg Meetup #4] ゼロからはじめる: Apache Icebergとはなにか? / Apache Iceberg for Beginners
Avatar for Databricks Japan databricksjapan
0
420
Amazon Bedrock AgentCore EvaluationsでAIエージェントを評価してみよう!
Avatar for Yudai Jinno yuu551
0
140

Featured

See All Featured
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
330
40k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.1k
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
2.6k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
1.5k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
791
250k
<Decoding/> the Language of Devs - We Love SEO 2024
Avatar for Nikki Halliwell nikkihalliwell
1
110
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
16k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
Avatar for Katarina Dahlin katarinadahlin
PRO
0
3.4k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.8k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Designing Powerful Visuals for Engaging Learning
Avatar for Mike Taylor tmiket
0
210

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin