Secure your Web Application

Transcript

1. Let’s talk Security Secure your Web Application - Best Practices

   Dheeraj Joshi @dheerajhere

2. • Front-End @ • Previously @ • Open Source (medium-cli)

   • Ambidextrous TT Player About Me

3. More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,

   InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?

4. Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site

   Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo

5. Why should Startups Care about Security? Startups & SMEs are

   known to cut corners. One of the first things they cut is ‘Security'.
6. None

7. Github Reused password attack

8. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

   Shutdown

9. CROSS SITE SCRIPTING - XSS • XSS attack users •

   “Javascript Injection” • Exploits can be bad, really bad..

10. What is XSS? Typical Reflected XSS

11. Stored XSS

12. DOM XSS

13. Protect Yourself • Input Validation • Ensure that outputs are

    HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created

14. ngBind attribute $sanitize - service in module ngSanitize Sanitizes an

    html string by stripping all potentially dangerous tokens.

15. • Add HTTPOnly, Secure attributes on Session Cookie

16. CROSS-SITE REQUEST FORGERY (CSRF)

17. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

18. Prevention

19. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

20. XSS + CSRF =

21. Content Security Policy (CSP)

22. List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •

    X-Frame-Options: deny • X-XSS-Protection: 1; mode=block

23. Prevent Information Disclosure Hide X-Powered-By Or try this ;)

24. Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)

    • window.opener = null;

25. How to improve ? • SECURITY.md • Security audits •

    Discuss Vulnerabilities

26. Show Time !

27. Thank you @dheerajhere @djadmin