Getting Browsers to Improve the Security of Your Webapp

Most web developers have some knowledge of input sanitization and encryption, but what happens when you forget an edge case or when users are connected to a rogue access point?

Through the use of technologies like strict transport security, content security policy, sub-resource integrity, and the referrer policy, web developers can instruct browsers to add a second layer of defenses against the most common attacks.

https://confoo.ca/en/yul2017/session/getting-browsers-to-help-improve-the-security-of-your-webapp

Francois Marier

March 09, 2017
Transcript

  1. François Marier @fmarier
    Getting Browsers to Improve
    the Security of Your Webapp

  2. external resources
    user content
    cookies
    encryption

  3. external resources

  4. Subresource integrity
    mechanism for preventing
    tampering of static assets

  5. [image]

  6. [image]

  7. https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js

  8. what would happen if that
    server were compromised?

  9. [image]

  10. Bad Things™
    steal sessions
    leak confidential data
    redirect to phishing sites
    enlist DDoS zombies

  11. simple solution

  12. instead of this:
    <script src="https://ajax.googleapis.com...">

  13. do this:
    <script src="https://ajax.googleapis.com..."
      integrity="sha256-1z4uG/+cVbhShP..."
      crossorigin="anonymous">

  14. guarantee:
    script won't change
    or it'll be blocked
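
Computing and checking an integrity value, as an added example in Python (not code from the deck): `sri_hash` produces the attribute for bytes you have reviewed, `sri_verify` mimics the browser rule of honouring only the strongest algorithm listed, and `script_tag` emits the tag from slide 13. The asset bytes and the CDN URL are constructed samples.

```python
import base64
import hashlib

# Digest algorithms SRI allows, weakest first. A browser keeps only the tokens
# that use the strongest algorithm present in integrity= and ignores the rest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity= value for an asset: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser's check for a fetched asset.

    Tokens using anything but the strongest listed algorithm are discarded;
    the asset passes if any remaining digest matches. An attribute with no
    usable token disables the check, which is also what browsers do.
    """
    tokens = []
    for token in integrity.split():
        algorithm, _, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # option suffixes like '?foo' are ignored
        if algorithm in SRI_ALGORITHMS:
            tokens.append((algorithm, digest))
    if not tokens:
        return True
    strongest = max(tokens, key=lambda t: SRI_ALGORITHMS.index(t[0]))[0]
    expected = {digest for algorithm, digest in tokens if algorithm == strongest}
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in expected


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Emit a <script> tag pinned to the bytes that were reviewed.

    crossorigin="anonymous" matters: without CORS the browser cannot read a
    cross-origin response to hash it, so the script is blocked outright.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed sample standing in for a vendored library file; in practice
    # hash the bytes of the copy you audited, not whatever the CDN serves today.
    asset = b"(function(){window.lib={version:'1.0.0'};})();\n"
    print(script_tag("https://cdn.example.com/lib-1.0.0.min.js", asset))
    # Any change on the server, even one appended byte, fails the check.
    tampered = asset + b"// appended by someone else\n"
    print("reviewed bytes pass:", sri_verify(asset, sri_hash(asset)))
    print("modified bytes pass:", sri_verify(tampered, sri_hash(asset)))
```

The CDN must also answer with an `Access-Control-Allow-Origin` header, otherwise the `crossorigin` fetch fails before any hash comparison; and there is no fallback, which is exactly the guarantee on slide 14.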

  15. rel="noopener"
    mechanism for disabling the
    window.opener object

  16. My Account
    Change my address
    Change my billing card
    Reset my password
    Delete my account
    Watch some cute kittens!

  17. My Account
    Change my address
    Change my billing card
    Reset my password
    Delete my account
    Watch some cute kittens!
    kittens!!!!!!!!

  18. [image]

  19-20. window.opener.location

  21. window.opener.location =
    'http://stealmypasswd.org';

  22. My Account
    Change my address
    Change my billing card
    Reset my password
    Delete my account
    Watch some cute kittens!
    kittens!!!!!!!!

  23. Session Expired
    Username:
    Password:
    Log back in!
    kittens!!!!!!!!

  24. Session Expired
    Username: esnowden
    Password: **********
    Log back in!

  25. My Account
    Change my address
    Change my billing card
    Reset my password
    Delete my account
    Watch some cute kittens!

  26. solutions

  27. [image]

  28. rel="noopener"

  29. window.opener == null

  30. Referrer Policy
    mechanism for trimming
    the Referer header

  31. [image]

  32. http://example.com/search?q=serious+medical+condition
    Click here for the cheapest insurance around!
    Bla bla bla, bla bla, bla bla bla bla. (filler text)

  33. [image]

  34-35. Referrer-Policy: no-referrer

  36. Referrer-Policy: no-referrer
    referrerPolicy="no-referrer"

  37-39. no-referrer
    no-referrer-when-downgrade
    same-origin
    strict-origin
    strict-origin-when-cross-origin

  40. no-referrer
    no-referrer-when-downgrade
    same-origin
    strict-origin-when-cross-origin

  41. no-referrer
    no-referrer-when-downgrade
    same-origin
    strict-origin-when-cross-origin
    https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
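
What each policy actually sends, as an added Python example (not part of the deck): `referer_for` simulates the Referer value a browser emits for a request from one page to another under a given policy. It covers the five policies on slides 37 to 41 plus the remaining names the header accepts, which goes beyond the deck. The search URL is the one on slide 32; the insurance URL is a constructed sample. Note that the browser default was `no-referrer-when-downgrade` when this talk was given and is `strict-origin-when-cross-origin` in current browsers.

```python
from urllib.parse import urlsplit

# Every policy name the header accepts: the five on the slides plus the rest.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def origin_of(url: str) -> str:
    """scheme://host[:port], the value sent when a policy says 'origin only'."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return f"{p.scheme}://{host}:{p.port}" if p.port else f"{p.scheme}://{host}"


def stripped_url(url: str) -> str:
    """The 'full' referrer: the URL minus fragment and credentials."""
    p = urlsplit(url)
    path = p.path or "/"
    return origin_of(url) + path + (f"?{p.query}" if p.query else "")


def referer_for(policy: str, source: str, destination: str):
    """Return the Referer value a browser sends for a request from source
    to destination under policy, or None when the header is omitted."""
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy}")
    same_origin = origin_of(source) == origin_of(destination)
    # A "downgrade" is a request from an https page to an http destination.
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(destination).scheme == "http")
    origin_only = origin_of(source) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped_url(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped_url(source)
    if policy == "same-origin":
        return stripped_url(source) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return stripped_url(source) if same_origin else origin_only
    # strict-origin-when-cross-origin: full URL within the origin, origin only
    # across origins, nothing on a downgrade (the current browser default).
    if same_origin:
        return stripped_url(source)
    return None if downgrade else origin_only


if __name__ == "__main__":
    # The deck's scenario: a search results page linking to an advertiser.
    page = "http://example.com/search?q=serious+medical+condition"
    ad = "https://insurance.example/cheapest"  # constructed destination
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin",
                   "same-origin", "no-referrer"):
        print(f"{policy:33} -> {referer_for(policy, page, ad)}")
```

Running it shows the leak on slide 32 concretely: under the old default the whole query string reaches the insurance site, under `strict-origin-when-cross-origin` only `http://example.com/` does, and `same-origin` or `no-referrer` sends nothing.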

  42. user content

  43. Sandboxed iframes
    mechanism for restricting
    embedded documents

  44. [image]

  45. window.parent

  46. seriousapp.com
    seriousappusercontent.com

  47. sandbox=""

  48. scripts
    popups
    forms

  49. scripts
    popups
    forms
    https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
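
A small markup audit covering both the `rel="noopener"` slides (15 to 29) and the sandboxed iframe slides (43 to 49), as an added Python example that is not from the deck. It walks an HTML document with the standard library parser and reports links that open a new tab without `noopener`, iframes with no `sandbox` attribute, and sandboxes that combine `allow-scripts` with `allow-same-origin`. The sample page, hostnames and rule names are constructed.

```python
from html.parser import HTMLParser


class LinkAndFrameAudit(HTMLParser):
    """Flag markup that hands control to another document.

    - target="_blank" without rel="noopener" (or "noreferrer", which implies
      it) gives the opened page a live window.opener;
    - <iframe> without sandbox lets embedded content run scripts, open popups,
      submit forms and navigate window.parent;
    - sandbox with both allow-scripts and allow-same-origin lets a same-origin
      frame strip its own sandbox, so the restriction is only meaningful when
      the frame is served from a separate origin (slide 46).
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("a", "area", "form") and a.get("target", "").lower() == "_blank":
            rel = a.get("rel", "").lower().split()
            if "noopener" not in rel and "noreferrer" not in rel:
                target = a.get("href") or a.get("action") or ""
                self.findings.append(("missing-noopener", tag, target))
        if tag == "iframe":
            if "sandbox" not in a:
                self.findings.append(("unsandboxed-iframe", tag, a.get("src", "")))
            else:
                tokens = set(a["sandbox"].lower().split())
                if {"allow-scripts", "allow-same-origin"} <= tokens:
                    self.findings.append(("scripts-and-same-origin", tag, a.get("src", "")))


def audit_html(markup: str):
    """Return a list of (rule, tag, url) findings for an HTML document."""
    parser = LinkAndFrameAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    # Constructed account page in the spirit of the deck's "My Account" slide.
    SAMPLE = """
    <h1>My Account</h1>
    <a href="/address">Change my address</a>
    <a href="https://kittens.example/" target="_blank">Watch some cute kittens!</a>
    <a href="https://kittens.example/" target="_blank" rel="noopener">Kittens (fixed)</a>
    <iframe src="https://seriousappusercontent.com/post/42"></iframe>
    <iframe sandbox="" src="https://seriousappusercontent.com/post/43"></iframe>
    """
    for rule, tag, url in audit_html(SAMPLE):
        print(f"{rule:24} <{tag}> {url}")
```

The empty `sandbox=""` from slide 47 is the strictest form: every capability is off until you add an `allow-*` token, and the audit only complains once scripts and same-origin are both re-enabled.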

  50. X-Content-Type-Options
    mechanism for disabling
    content type sniffing

  51. PDF

  52. Review Papers
    Witty-Title.pdf
    Serious-Sounding-Topic.pdf
    Series-of-buzzwords.pdf
    Celebrity-Paper.pdf
    Half-Ass-Paper.pdf

  53-54. %PDF-1.5
    ...

  55. <input name="paper-id" value="42">
    <input name="score" value="100">

  56. X-Content-Type-Options: nosniff
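
The server-side half of the nosniff story, as an added Python example (not from the deck): `validate_upload` rejects a "PDF" whose bytes do not start with the PDF magic and, for the slide 53 to 55 case where a file starts with `%PDF-1.5` and then carries HTML, scans the head of the file for markup a sniffing browser might render; `download_headers` serves stored uploads with `X-Content-Type-Options: nosniff` and as an attachment. The allow-list of types and the sample files are constructed.

```python
import re

# Constructed allow-list: declared type -> magic bytes a genuine file starts with.
MAGIC = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}

# Markup a sniffing browser might latch onto even after a valid magic prefix.
HTMLISH = re.compile(rb"<\s*(?:!doctype|html|body|script|form|input|iframe|svg|meta)\b",
                     re.IGNORECASE)


def validate_upload(data: bytes, declared_type: str):
    """Return (accepted, reason) for an uploaded file.

    The magic check catches a plain HTML file renamed to .pdf; the markup scan
    catches the deck's trick of a file that starts with %PDF-1.5 and continues
    with an HTML form, which a type-sniffing browser may still render.
    """
    magic = MAGIC.get(declared_type)
    if magic is None:
        return False, "type not allowed"
    if not data.startswith(magic):
        return False, "magic bytes do not match declared type"
    if HTMLISH.search(data[:4096]):
        return False, "looks like HTML"
    return True, "ok"


def download_headers(filename: str, content_type: str) -> dict:
    """Headers for serving a stored upload so the browser cannot reinterpret it."""
    # Keep the filename to a safe character set so it cannot break the
    # Content-Disposition grammar.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": content_type,
        # Tells the browser to trust Content-Type and skip sniffing.
        "X-Content-Type-Options": "nosniff",
        # Downloading instead of rendering removes the rendering question entirely.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    # Constructed samples: a real-looking PDF header and a PDF/HTML polyglot.
    genuine = b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    polyglot = b"%PDF-1.5\n<html><body><form action=\"/review\">...</form></body></html>"
    for name, blob in (("genuine", genuine), ("polyglot", polyglot)):
        print(name, validate_upload(blob, "application/pdf"))
    print(download_headers("Witty-Title.pdf", "application/pdf"))
```

The markup scan is a heuristic and a second line of defence; the header on slide 56 is what actually stops the browser from second-guessing `Content-Type`, and `Content-Disposition: attachment` means a reviewer's browser never renders the file inline at all.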

  57. Content Security Policy
    aka CSP
    mechanism for preventing XSS

  58. telling the browser the content
    that is allowed to load

  59. Hi y'all<script>alert('p0wned');</script>!
    Tweet!
    What's on your mind?

  60. without CSP

  61. Hi y'all!
    John Doe - just moments ago
    p0wned
    Ok

  62. with CSP

  63. Hi y'all!
    John Doe - just moments ago

  64. Content-Security-Policy:
    script-src 'self'
    https://cdn.example.com

  65. script-src
    object-src
    style-src
    img-src
    media-src
    font-src
    connect-src
    ...

  66. script-src
    object-src
    style-src
    img-src
    media-src
    font-src
    connect-src
    ...
    https://developer.mozilla.org/docs/Web/HTTP/CSP
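
How a browser decides whether a script may run under the policy on slide 64, as an added Python example (not from the deck): `parse_csp` splits the header into directives, `source_matches` implements a simplified version of CSP source-expression matching, and `script_allowed` answers for an inline script, a nonce-carrying script or an external URL. The page origin `https://app.example` and the nonce value are constructed; the matcher deliberately omits spec details such as default-port handling and http-to-https promotion.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """'script-src 'self' https://cdn.example.com; img-src *' ->
    {'script-src': ["'self'", 'https://cdn.example.com'], 'img-src': ['*']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified CSP source matching for one source expression.

    Handles 'self', 'none', '*', scheme sources (https:) and host sources with
    optional scheme, leading wildcard, port and path. Full spec details such
    as http->https promotion and default ports are deliberately left out.
    """
    src = source.lower()
    target = urlsplit(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return f"{target.scheme}://{target.netloc}".lower() == page_origin.lower()
    if src == "*":
        return True
    if src.endswith(":"):
        return target.scheme == src[:-1]
    if src.startswith("'"):
        return False  # nonces, hashes and keywords never match a URL
    pattern = urlsplit(src if "://" in src else f"{target.scheme}://{src}")
    if "://" in src and pattern.scheme != target.scheme:
        return False
    host, want = (target.hostname or ""), (pattern.hostname or "")
    if want.startswith("*."):
        if not host.endswith(want[1:]):
            return False
    elif host != want:
        return False
    if pattern.port and pattern.port != target.port:
        return False
    # A path ending in '/' is a prefix; any other path must match exactly.
    if pattern.path and pattern.path != "/":
        if pattern.path.endswith("/"):
            if not target.path.startswith(pattern.path):
                return False
        elif target.path != pattern.path:
            return False
    return True


def script_allowed(policy: dict, page_origin: str, script_url: str = None,
                   inline: bool = False, nonce: str = None) -> bool:
    """Would this policy let the script run? script-src falls back to default-src."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # nothing restricts scripts
    lowered = [s.lower() for s in sources]
    if inline:
        # 'unsafe-inline' is ignored by browsers once a nonce or hash is listed,
        # so only a matching nonce can rescue inline code under such a policy.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            return True
        return nonce is not None and f"'nonce-{nonce}'" in sources
    return any(source_matches(s, script_url, page_origin) for s in sources)


if __name__ == "__main__":
    # The deck's policy: own origin plus one CDN, no inline scripts.
    policy = parse_csp("script-src 'self' https://cdn.example.com")
    origin = "https://app.example"  # constructed page origin
    print("injected inline script runs:", script_allowed(policy, origin, inline=True))
    print("CDN script runs:", script_allowed(policy, origin, "https://cdn.example.com/jquery.min.js"))
    print("other host runs:", script_allowed(policy, origin, "https://evil.example/x.js"))
```

The first line of output is the whole point of slides 59 to 63: the tweet on slide 59 is an inline script, and a `script-src` without `'unsafe-inline'` blocks it no matter what escaping mistake let it into the page.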

  67. cookies

  68. [image]

  69. 1234

  70. Set-Cookie: sessionid=1234

  71-72. 1234

  73. document.cookie

  74. Cookie options
    mechanism for restricting
    the scope of cookies

  75. Set-Cookie: sessionid=1234;
    httponly

  76. document.cookie == null

  77. Set-Cookie: sessionid=1234;
    secure

  78. 1234

  79. [image]

  80. good, but not great

  81. 1234

  82. Set-Cookie: sessionid=1234

  83. 1234

  84-85. 666

  86. Cookie prefixes
    mechanism for enforcing
    cookie restrictions

  87. Set-Cookie: __Secure-sessionid=1234;
    secure

  88. __Secure-sessionid=666

  89. [image]
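
The cookie options and prefixes from slides 74 to 88 in code, as an added Python example that is not from the deck: `parse_set_cookie` reads a `Set-Cookie` line, `browser_accepts` models the prefix rules a browser enforces (`__Secure-` needs the Secure flag and an https origin; `__Host-` additionally needs `Path=/` and no `Domain`), and `cookie_findings` reviews a header for the options the deck recommends. The `bank.example` URLs are constructed.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header: str):
    """'Set-Cookie: __Secure-sessionid=1234; Secure; HttpOnly' ->
    ('__Secure-sessionid', '1234', {'secure': '', 'httponly': ''})"""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pair, *attributes = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for attribute in attributes:
        key, _, val = attribute.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def browser_accepts(header: str, set_from_url: str) -> bool:
    """Model the browser's cookie-prefix enforcement.

    __Secure- cookies must carry Secure and be set from an https origin;
    __Host- cookies must additionally have Path=/ and no Domain. A prefixed
    cookie that fails these rules is dropped, which is what stops a response
    injected over plain HTTP from planting '__Secure-sessionid=666'.
    """
    name, _, attrs = parse_set_cookie(header)
    https = urlsplit(set_from_url).scheme == "https"
    if name.startswith(("__Secure-", "__Host-")):
        if "secure" not in attrs or not https:
            return False
    if name.startswith("__Host-"):
        if "domain" in attrs or attrs.get("path") != "/":
            return False
    return True


def cookie_findings(header: str, set_from_url: str) -> list:
    """Review a Set-Cookie line for the options the deck recommends."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable through document.cookie")
    if not name.startswith(("__Secure-", "__Host-")):
        findings.append("no prefix: a plain-HTTP response can overwrite this cookie")
    if not browser_accepts(header, set_from_url):
        findings.append("prefix requirements not met: the browser will discard this cookie")
    return findings


if __name__ == "__main__":
    site = "https://bank.example/login"  # constructed
    for line in ("Set-Cookie: sessionid=1234",
                 "Set-Cookie: sessionid=1234; secure; httponly",
                 "Set-Cookie: __Secure-sessionid=1234; secure; httponly"):
        print(line, "->", cookie_findings(line, site) or "ok")
    # The deck's slide 88: the same name arriving over HTTP without Secure.
    print("__Secure-sessionid=666 over http accepted:",
          browser_accepts("__Secure-sessionid=666", "http://bank.example/"))
```

The third review line is the "great" version of slide 80: `secure` keeps the cookie off plain HTTP, `httponly` keeps it away from `document.cookie`, and the `__Secure-` prefix makes the browser refuse the overwrite attempt shown on slides 82 to 88.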

  90. encryption

  91. HTTPS
    mechanism for securing
    information in transit

  92. if you're not using it, now is the time to start :)

  93. [image]

  94. HTTPS is not enough
    you need to do it properly

  95. RC4

  96. SHA-1
    RC4

  97. SHA-1
    1024-bit certificates
    RC4

  98. SHA-1
    1024-bit certificates
    RC4
    weak DH parameters

  99. [image]

  100. https://mozilla.github.io/server-side-tls/ssl-config-generator/

  101. https://www.ssllabs.com/ssltest/

  102. Strict Transport Security
    aka HSTS
    mechanism for preventing
    HTTPS to HTTP downgrades

  103. telling the browser that your site
    should never be reached over HTTP

  104. [image]

  105. no HSTS, no sslstrip
    GET bank.com → 301
    GET https://bank.com → 200

  106. no HSTS, with sslstrip
    GET bank.com → 200

  107. what does HSTS look like?

  108. Strict-Transport-Security: max-age=31536000

  109. with HSTS, with sslstrip
    GET https://bank.com → 200

  110. no HTTP traffic for
    sslstrip to tamper with

  111. https://hstspreload.org/
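
The HSTS mechanism from slides 102 to 111 modelled in Python, as an added example that is not from the deck: `parse_hsts` reads the header, `preload_problems` checks it against the published hstspreload.org requirements (`max-age` of at least one year, `includeSubDomains`, `preload`), and `HstsCache` is a tiny model of the browser's HSTS store that shows why the first visit on slide 106 is still strippable and later visits (slide 109) never produce the HTTP request sslstrip needs. Hostnames and timestamps are constructed.

```python
import time
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age on slide 108, and the preload-list minimum


def parse_hsts(header: str) -> dict:
    """'max-age=31536000; includeSubDomains; preload' -> parsed directives."""
    if header.lower().startswith("strict-transport-security:"):
        header = header.split(":", 1)[1]
    directives = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        key = key.strip().lower()
        if key:
            directives[key] = value.strip().strip('"')
    max_age = directives.get("max-age")
    return {
        "max_age": int(max_age) if max_age is not None and max_age.isdigit() else None,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_problems(header: str) -> list:
    """What hstspreload.org would reject in this header."""
    parsed = parse_hsts(header)
    problems = []
    if parsed["max_age"] is None:
        problems.append("max-age missing or invalid")
    elif parsed["max_age"] < ONE_YEAR:
        problems.append(f"max-age must be at least {ONE_YEAR}")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not parsed["preload"]:
        problems.append("preload missing")
    return problems


class HstsCache:
    """Tiny model of a browser's HSTS store, enough to show what sslstrip sees."""

    def __init__(self, now=None):
        self.now = now or time.time
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def remember(self, host: str, header: str, over_https: bool = True):
        """Record a header. Browsers ignore HSTS received over plain HTTP,
        since anyone on the path could have added or removed it."""
        if not over_https:
            return
        parsed = parse_hsts(header)
        if parsed["max_age"] is None:
            return
        if parsed["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 clears the entry
            return
        self.entries[host] = (self.now() + parsed["max_age"], parsed["include_subdomains"])

    def upgrade(self, url: str) -> str:
        """Return the URL the browser actually requests for an http:// URL."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):
            expiry, subdomains = self.entries.get(".".join(labels[i:]), (0, False))
            if expiry > self.now() and (i == 0 or subdomains):
                return "https://" + url[len("http://"):]
        return url


if __name__ == "__main__":
    cache = HstsCache()
    # First visit: nothing cached, so the http:// request goes out as-is.
    print(cache.upgrade("http://bank.com/login"))
    cache.remember("bank.com", "Strict-Transport-Security: max-age=31536000; includeSubDomains")
    # Later visits, including typed or stripped http:// links, are rewritten
    # before any packet leaves the machine.
    print(cache.upgrade("http://bank.com/login"), cache.upgrade("http://www.bank.com/"))
    print(preload_problems("max-age=31536000"))
```

The gap the cache model exposes, that the very first `http://` request is unprotected, is what the preload list on slide 111 closes: browsers ship with the entry already present, so there is never a first unprotected visit.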

  112. referrer policy
    subresource integrity
    noopener
    cookie prefixes
    cookie options
    sandboxed iframes
    x-content-type-options
    content security policy
    https
    strict transport security

  113. Questions?
    feedback:
    [email protected]
    @fmarier
    mozilla.dev.security
    © 2017 François Marier
    This work is licensed under a
    Creative Commons Attribution-ShareAlike 4.0 License.

  114. photo credits:
    explosion: https://www.flickr.com/photos/-cavin-/2313239884/
    kittens: https://www.flickr.com/photos/londonlooks/5693093073
    cookie: https://www.flickr.com/photos/amagill/34754258/