Secure your Web Application

Slides from my talk at JSChannel Conference 2016

Dheeraj Joshi

July 16, 2016

Transcript

  1. Let’s talk Security. Secure your Web Application - Best Practices. Dheeraj Joshi @dheerajhere
  2. About Me • Front-End @ • Previously @ • Open Source (medium-cli) • Ambidextrous TT Player
  3. More... What makes me happy? I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc.
  4. Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo
  5. Why should Startups Care about Security? Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security’.
  6. None
  7. GitHub reused-password attack
  8. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The Shutdown
  9. CROSS SITE SCRIPTING - XSS • XSS attacks users • “JavaScript Injection” • Exploits can be bad, really bad..
  10. What is XSS? Typical Reflected XSS
  11. Stored XSS
  12. DOM XSS
  13. Protect Yourself • Input Validation • Ensure that outputs are HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created
  14. ngBind attribute. $sanitize - service in module ngSanitize: sanitizes an HTML string by stripping all potentially dangerous tokens.
  15. • Add HttpOnly, Secure attributes on Session Cookie
  16. CROSS-SITE REQUEST FORGERY (CSRF)
  17. CSRF Attacks: Because the attack is carried out by the victim, CSRF can bypass: • HTTP Auth • Session-based auth • Firewalls
  18. Prevention
  19. “CSRF Myths” - Preventions that Won’t work • Only accepting POST requests • Referer Protection • Multi-Step Transactions • URL Rewriting • application/json
  20. XSS + CSRF =
  21. Content Security Policy (CSP)
  22. List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny • X-XSS-Protection: 1; mode=block
  23. Prevent Information Disclosure: Hide X-Powered-By. Or try this ;)
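Added example, not code from the talk or the speaker: a small JavaScript audit that checks a server's response headers against the recommendations on slides 22 and 23, so a missing or weakened header (or a leaked X-Powered-By) shows up as a finding. The 16070400-second minimum is the slide's own max-age value; the two sample header sets are constructed for the example.

```javascript
// Added example, not from the talk: audit response headers against slides 22-23
// (HSTS, X-Frame-Options, X-XSS-Protection, no X-Powered-By). Names compare
// case-insensitively, as HTTP header names are.
const MIN_HSTS_MAX_AGE = 16070400; // minimum acceptable HSTS lifetime, from slide 22

function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// "max-age=16070400; includeSubDomains" -> { maxAge: 16070400, includeSubDomains: true }
function parseHsts(value) {
  const parts = value.split(';').map((p) => p.trim().toLowerCase());
  const maxAge = parts.find((p) => p.startsWith('max-age='));
  return {
    maxAge: maxAge ? parseInt(maxAge.slice('max-age='.length), 10) : NaN,
    includeSubDomains: parts.includes('includesubdomains'),
  };
}

// Returns a list of findings; an empty list means the headers match the slides.
function auditHeaders(headers) {
  const h = normalize(headers);
  const findings = [];
  if (!('strict-transport-security' in h)) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (!(hsts.maxAge >= MIN_HSTS_MAX_AGE)) findings.push('HSTS max-age too short');
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }
  const xfo = (h['x-frame-options'] || '').toLowerCase();
  if (xfo !== 'deny' && xfo !== 'sameorigin') findings.push('X-Frame-Options not deny/sameorigin');
  const xss = (h['x-xss-protection'] || '').toLowerCase().replace(/\s+/g, '');
  if (xss !== '1;mode=block') findings.push('X-XSS-Protection not "1; mode=block"');
  if ('x-powered-by' in h) findings.push('X-Powered-By disclosed: ' + h['x-powered-by']);
  return findings;
}

// Constructed samples: a framework default that leaks X-Powered-By, and the hardened set.
const WEAK_HEADERS = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html' };
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=16070400; includeSubDomains',
  'X-Frame-Options': 'deny',
  'X-XSS-Protection': '1; mode=block',
};
console.log(auditHeaders(WEAK_HEADERS), auditHeaders(HARDENED_HEADERS));
```

Run it against the headers of a real response (for example the object returned by a Node `http` client's `res.headers`) to check a deployment the same way.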

  24. target="_blank" • Access `window.opener`. • Fix: `rel=noopener`. (Firefox: `rel=noreferrer`) • window.opener = null;
  25. How to improve ? • SECURITY.md • Security audits • Discuss Vulnerabilities
  26. Show Time !
  27. Thank you @dheerajhere @djadmin