Secure your Web Application

Slides from my talk at JSChannel Conference 2016

Dheeraj Joshi

July 16, 2016

Transcript

  1. Let’s talk Security
    Secure your Web Application - Best Practices
    Dheeraj Joshi
    @dheerajhere

  2. ● Front-End @
    ● Previously @
    ● Open Source (medium-cli)
    ● Ambidextrous TT Player
    About Me

  3. More...
    I wear a white hat.
    Uber, CKEditor, Dropbox,
    MailChimp, Recruiterbox, InVision,
    DigitalOcean, Intuit, Groupon, etc.
    What makes me happy?

  4. Agenda
    ● Why ?
    ● Cross-site Scripting (XSS)
    ● Cross-site Request Forgery (CSRF)
    ● Content Security Policy (CSP)
    ● Useful Headers
    ● Other Best Practices
    ● Live Demo

  5. Why should Startups
    Care about Security?
    Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security’.

  6. GitHub
    Reused password attack

  7. HACKER PUTS HOSTING SERVICE “CODE
    SPACES” OUT OF BUSINESS
    The Shutdown

  8. CROSS SITE SCRIPTING - XSS
    ● XSS attacks users
    ● “JavaScript injection”
    ● Exploits can be bad, really bad.

  9. What is XSS?
    Typical Reflected XSS

  10. Protect Yourself
    ● Input Validation
    ● Ensure that outputs are HTML encoded
    ● Don’t reinvent the wheel (use proven sanitizers)
    ● Analyze places where DOM elements are created

  11. ngBind attribute
    $sanitize: service in module ngSanitize
    Sanitizes an HTML string by stripping all potentially dangerous tokens.

  12. ● Add the HttpOnly and Secure attributes to the session cookie

  13. CROSS-SITE REQUEST FORGERY (CSRF)

  14. Because the attack is carried out by the victim, CSRF can bypass:
    ● HTTP Auth
    ● Session-based auth
    ● Firewalls
    CSRF Attacks

  15. ● Only accepting POST requests
    ● Referer Protection
    ● Multi-Step Transactions
    ● URL Rewriting
    ● application/json
    “CSRF Myths”
    Preventions that Won’t work

  16. XSS + CSRF =

  17. Content Security Policy (CSP)

  18. List of useful HTTP headers
    ● Strict-Transport-Security: max-age=16070400; includeSubDomains
    ● X-Frame-Options: deny
    ● X-XSS-Protection: 1; mode=block

  19. Prevent Information Disclosure
    Hide X-Powered-By
    Or try this ;)

  20. target="_blank"
    ● The opened page can access `window.opener`.
    ● Fix: `rel=noopener` (Firefox: `rel=noreferrer`).
    ● `window.opener = null;`

  21. How to improve ?
    ● SECURITY.md
    ● Security audits
    ● Discuss Vulnerabilities

  22. Thank you
    @dheerajhere
    @djadmin
