
Secure your Web Application


Slides from my talk at JSChannel Conference 2016

Dheeraj Joshi

July 16, 2016

Transcript

  1. Let’s talk Security
    Secure your Web Application - Best Practices
    Dheeraj Joshi
    @dheerajhere

  2. About Me
    ● Front-End @
    ● Previously @
    ● Open Source (medium-cli)
    ● Ambidextrous TT Player

  3. More...
    What makes me happy?
    I wear White Hat.
    Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc.

  4. Agenda
    ● Why ?
    ● Cross-site Scripting (XSS)
    ● Cross-site Request Forgery (CSRF)
    ● Content Security Policy (CSP)
    ● Useful Headers
    ● Other Best Practices
    ● Live Demo

  5. Why should Startups Care about Security?
    Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security’.

  6. (image-only slide)

  7. Github
    Reused password attack

  8. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS
    The Shutdown

  9. CROSS SITE SCRIPTING - XSS
    ● XSS attacks users
    ● “Javascript Injection”
    ● Exploits can be bad, really bad.

  10. What is XSS?
    Typical Reflected XSS

  11. Stored XSS

  12. DOM XSS

  13. Protect Yourself
    ● Input Validation
    ● Ensure that outputs are HTML encoded
    ● Don’t reinvent the wheel (use proven sanitizers)
    ● Analyze places where DOM elements are created

  14. ngBind attribute
    $sanitize - service in module ngSanitize: sanitizes an HTML string by stripping all potentially dangerous tokens.
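The "HTML encode your outputs" advice of slides 13 and 14, as an added example that is not code from the talk: a small HTML escaper, the reflected-XSS rendering pattern it fixes beside the hardened version, and a constructed probe input. The function names and the sample query are this example's own.

```javascript
// Added example for slides 13 and 14 (not code from the talk): HTML output
// encoding of untrusted input, shown beside the reflected-XSS pattern it fixes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Replace every character that can change HTML parsing state with its entity.
// This is the "ensure outputs are HTML encoded" step; it is specific to the
// HTML body/attribute context and is not a substitute for a JS or URL encoder.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the search term is concatenated straight into the response,
// the typical reflected XSS from slide 10.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: identical template, the value is encoded before it is inserted.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Crude indicator used only for the demonstration: is there still a raw
// <script tag in the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the canonical script-injection probe.
const SAMPLE_QUERY = '<script>alert(1)</script>';

console.log(renderSearchVulnerable(SAMPLE_QUERY)); // raw tag reaches the page
console.log(renderSearchSafe(SAMPLE_QUERY));       // entities, displayed as text
```

For the DOM XSS case on slide 12 the equivalent rule is to assign untrusted strings to `textContent`, never to `innerHTML`; when markup must be allowed, a proven sanitizer such as the `$sanitize` service on slide 14 is the route, not a hand-rolled filter.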

  15. ● Add HTTPOnly, Secure attributes on Session Cookie
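The cookie attributes on slide 15, as an added example that is not code from the talk: one function that emits the session cookie with `HttpOnly` and `Secure`, and one that audits any `Set-Cookie` value for them. The `SameSite=Lax` attribute is an addition of this example, not something the slide lists; the cookie name and value are constructed.

```javascript
// Added example for slide 15 (not code from the talk): emit the session
// cookie with HttpOnly and Secure, and audit a Set-Cookie value for them.

// Assumption: `value` is an opaque, URL-safe session id generated elsewhere.
function buildSessionCookie(name, value, maxAgeSeconds = 3600) {
  return [
    `${name}=${value}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',     // hidden from document.cookie, so an XSS cannot read it
    'Secure',       // only sent over HTTPS
    'SameSite=Lax', // not on the slide; added as a defence-in-depth assumption
  ].join('; ');
}

// Return the attributes a Set-Cookie header value is missing.
function auditSetCookie(headerValue) {
  const attrs = headerValue
    .split(';')
    .slice(1)                      // drop the name=value pair itself
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample values.
const WEAK_COOKIE = 'sessionid=abc123; Path=/';
const STRONG_COOKIE = buildSessionCookie('sessionid', 'abc123');

console.log(auditSetCookie(WEAK_COOKIE));   // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log(auditSetCookie(STRONG_COOKIE)); // []
```

`HttpOnly` limits what an XSS can steal (the token is never exposed to script) and `Secure` keeps it off plaintext HTTP; neither stops the browser from attaching the cookie to a cross-site request, which is why CSRF needs its own defence.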

  16. CROSS-SITE REQUEST FORGERY (CSRF)

  17. CSRF Attacks
    Because the attack is carried out by the victim, CSRF can bypass:
    ● HTTP Auth
    ● Session-based auth
    ● Firewalls

  18. Prevention

  19. “CSRF Myths”: Preventions that Won’t Work
    ● Only accepting POST requests
    ● Referer Protection
    ● Multi-Step Transactions
    ● URL Rewriting
    ● application/json

  20. XSS + CSRF =

  21. Content Security Policy (CSP)

  22. List of useful HTTP headers
    ● Strict-Transport-Security: max-age=16070400; includeSubDomains
    ● X-Frame-Options: deny
    ● X-XSS-Protection: 1; mode=block

  23. Prevent Information Disclosure
    Hide X-Powered-By
    Or try this ;)
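Slides 21 to 23 name the headers without showing them applied; the following is an added example, not code from the talk, that builds that header set, applies it to a response object and audits a response for gaps. The three values from slide 22 are taken verbatim; the Content-Security-Policy value is an assumption of this example (slide 21 names CSP without a policy), and the response object and function names are constructed.

```javascript
// Added example for slides 21 to 23 (not code from the talk): the response
// headers the deck recommends, applied to a response and audited.
function securityHeaders() {
  return {
    // Values taken from slide 22.
    'Strict-Transport-Security': 'max-age=16070400; includeSubDomains',
    'X-Frame-Options': 'deny',
    'X-XSS-Protection': '1; mode=block',
    // Slide 21 names CSP without a policy; this value is an assumption for
    // the example: same-origin scripts and styles only, no inline script,
    // no plugins, and no framing (the CSP counterpart of X-Frame-Options).
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; style-src 'self'; " +
      "object-src 'none'; frame-ancestors 'none'",
  };
}

// Apply the set to a response-like object ({ headers: {...} }) and drop the
// X-Powered-By banner from slide 23 whatever its capitalisation.
function applySecurityHeaders(res) {
  for (const name of Object.keys(res.headers)) {
    if (name.toLowerCase() === 'x-powered-by') delete res.headers[name];
  }
  Object.assign(res.headers, securityHeaders());
  return res;
}

// Report which recommended headers are absent and whether the server banner
// leaks, matching header names case-insensitively as HTTP does.
function auditHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  const missing = Object.keys(securityHeaders()).filter(
    (h) => !present.has(h.toLowerCase()),
  );
  const leaks = present.has('x-powered-by') ? ['X-Powered-By'] : [];
  return { missing, leaks };
}

// Constructed response as a default Express app would send it.
const response = {
  headers: { 'X-Powered-By': 'Express', 'Content-Type': 'text/html' },
};

console.log(auditHeaders(response.headers)); // four missing, one leak
applySecurityHeaders(response);
console.log(auditHeaders(response.headers)); // { missing: [], leaks: [] }
```

In Express the banner can be switched off with `app.disable('x-powered-by')`, and the rest set from a small middleware. Send Strict-Transport-Security only on HTTPS responses, and roll a new CSP out in report-only mode first so inline scripts and third-party assets that the policy blocks show up as reports rather than broken pages.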

  24. target="_blank"
    ● Access `window.opener`.
    ● Fix: `rel=noopener`. (Firefox: `rel=noreferrer`)
    ● `window.opener = null;`
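The fixes on slide 24, as an added example that is not code from the talk: a server-side rewrite that gives every `target="_blank"` anchor both `rel=noopener` and `rel=noreferrer` (the Firefox fallback the slide mentions), and the script-side variant that nulls `window.opener` after `window.open`. The sample markup and function names are constructed.

```javascript
// Added example for slide 24 (not code from the talk): server-side rewrite
// that gives every target="_blank" link rel="noopener noreferrer", plus the
// client-side fallback of nulling window.opener.

// Rewrite anchor tags in an HTML string. Regex-based on purpose to keep the
// example self-contained; a real template pipeline would do this in the
// template engine or a DOM-aware post-processor.
function hardenBlankTargets(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(tag)) return tag;
    const relMatch = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const tokens = new Set(
      relMatch ? relMatch[1].split(/\s+/).filter(Boolean) : [],
    );
    tokens.add('noopener');   // opened page sees window.opener === null
    tokens.add('noreferrer'); // slide: what Firefox needed instead of noopener
    const rel = `rel="${[...tokens].join(' ')}"`;
    return relMatch
      ? tag.replace(relMatch[0], rel)
      : tag.replace(/\s*>$/, ` ${rel}>`);
  });
}

// When the link is opened from script rather than markup, drop the back-
// reference yourself (the third bullet on the slide). Browser-only; defined
// here for completeness and not called in this file.
function openWithoutOpener(url) {
  const win = window.open(url, '_blank');
  if (win) win.opener = null;
  return win;
}

// Constructed sample markup.
const SAMPLE_HTML =
  '<a href="https://example.com" target="_blank">external</a> ' +
  '<a href="/local">local</a>';

console.log(hardenBlankTargets(SAMPLE_HTML));
```

Without the `rel` attribute the opened page can set `window.opener.location`, so the risk is the original tab being navigated to a look-alike page while the user's attention is on the new one; the rewrite removes that reference for every outbound link in one place.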

  25. How to improve?
    ● SECURITY.md
    ● Security audits
    ● Discuss Vulnerabilities

  26. Show Time!

  27. Thank you
    @dheerajhere
    @djadmin
