Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure your Web Application

Dheeraj Joshi
July 16, 2016
Technology
0
6.2k

Secure your Web Application

Slides from my talk at JSChannel Conference 2016

Dheeraj Joshi

July 16, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Beyond Scanning
djadmin
0
280
Let's talk Security
djadmin
0
7.1k

Other Decks in Technology

See All in Technology
RedMica 2.3 (2023-05) 新機能ハイライト およびRedmineの2023年5月までの半年間の主要な開発成果
vividtone
0
140
Microsoft Build 2023 ふりかえり - IoT と AI 周りを中心に
mode86
0
160
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
26k
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
200
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
1.1k
全AWSエンジニアに捧ぐ、CloudWatch 設計・運用 虎の巻 / CloudWatch design and operation bible
iselegant
29
11k
Sprasia, Inc. - Sprasia Engineers Culture Deck
sprasiainc
0
110
新リリース:microCMSテンプレート
microcms
1
770
フィンテックとは何か / What is FinTech?
ks91
PRO
0
120
AI完全初心者でも最新の生成AIの仕組がわかった気になれるプレゼン
shimap_sampo
5
1.9k
データマイニングと機械学習-SVM
trycycle
0
150
GO TechTalk #19 タクシーアプリ『GO』事業成長を支えるデータ分析基盤の継続的改善!
mot_techtalk
2
1k

Featured

See All Featured
Six Lessons from altMBA
skipperchong
16
2.5k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
1.5k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
We Have a Design System, Now What?
morganepeng
38
6.2k
Three Pipe Problems
jasonvnalue
89
9.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Designing for humans not robots
tammielis
245
24k
Designing the Hi-DPI Web
ddemaree
273
33k
Clear Off the Table
cherdarchuk
81
300k
Scaling GitHub
holman
453
140k

Transcript

  1. Let’s talk Security
    Secure your Web Application - Best Practices
    Dheeraj Joshi
    @dheerajhere

    View Slide

  2. ● Front-End @
    ● Previously @
    ● Open Source (medium-cli)
    ● Ambidextrous TT Player
    About Me

    View Slide

  3. More...
    I wear White Hat.
    Uber, CKEditor, Dropbox,
    MailChimp, Recruiterbox, InVision,
    DigitalOcean, Intuit, Groupon, etc.
    What makes me happy?

    View Slide

  4. Agenda
    ● Why ?
    ● Cross-site Scripting (XSS)
    ● Cross-site Request Forgery (CSRF)
    ● Content Security Policy (CSP)
    ● Useful Headers
    ● Other Best Practices
    ● Live Demo

    View Slide

  5. Why should Startups
    Care about Security?
    Startups & SMEs are known to cut
    corners. One of the first things they
    cut is ‘Security'.

    View Slide

  6. View Slide

  7. Github
    Reused password attack

    View Slide

  8. HACKER PUTS HOSTING SERVICE “CODE
    SPACES” OUT OF BUSINESS
    The Shutdown

    View Slide

  9. CROSS SITE SCRIPTING - XSS
    ● XSS attack users
    ● “Javascript Injection”
    ● Exploits can be bad,
    really bad..

    View Slide

  10. What is XSS?
    Typical Reflected XSS

    View Slide

  11. Stored XSS

    View Slide

  12. DOM XSS

    View Slide

  13. Protect Yourself
    ● Input Validation
    ● Ensure that outputs are HTML
    encoded
    ● Don’t reinvent the wheel (Use
    proven sanitizers)
    ● Analyze places where DOM
    elements are created

    View Slide

  14. ngBind attribute
    $sanitize - service in module ngSanitize
    Sanitizes an html string by stripping all potentially dangerous
    tokens.

    View Slide

  15. ● Add HTTPOnly, Secure attributes on Session
    Cookie

    View Slide

  16. CROSS-SITE REQUEST
    FORGERY (CSRF)

    View Slide

  17. Because the attack is carried out
    by the victim, CSRF can bypass:
    ● HTTP Auth
    ● Session-based auth
    ● Firewalls
    CSRF Attacks

    View Slide

  18. Prevention

    View Slide

  19. ● Only accepting POST requests
    ● Referer Protection
    ● Multi-Step Transactions
    ● URL Rewriting
    ● application/json
    “CSRF Myths”
    Preventions that Won’t work

    View Slide

  20. XSS + CSRF =

    View Slide

  21. Content Security Policy (CSP)

    View Slide

  22. List of useful HTTP headers
    ● Strict-Transport-Security:
    max-age=16070400; includeSubDomains
    ● X-Frame-Options: deny
    ● X-XSS-Protection: 1; mode=block

    View Slide

  23. Prevent Information Disclosure
    Hide X-Powered-By
    Or try this ;)

    View Slide

  24. Target=”_blank”
    ● Access `window.opener`.
    ● Fix `rel=noopener`.
    (Firefox : rel=noreferrer)
    ● window.opener = null;

    View Slide

  25. How to improve ?
    ● SECURITY.md
    ● Security audits
    ● Discuss Vulnerabilities

    View Slide

  26. Show Time !

    View Slide

  27. Thank you
    @dheerajhere
    @djadmin

    View Slide