Mozilla Observatory First Draft
luke crouch
March 15, 2021
Transcript
Luke Crouch For learning and doing web app security
Me: Luke Crouch • Privacy & Security Engineer, Mozilla • Board member, Techlahoma Foundation • I’ve had 4 cups of coffee already ☕ ☕ ☕ ☕
This talk • 112 slides in ~15m • Mozilla Observatory • Website • Command-line tool • API • Questions
How many of you use a tool to scan your web site or app for security issues? 🙋
In Mozilla research, 16% say Yes (n=1,181 web engineers, *old data)
In Mozilla research, 47% say No (n=1,181 web developers, *old data)
Why don’t you use something to scan your web site or app?
40% say: I don’t need it
Can’t have security vulnerabilities … … if you don’t know about your security vulnerabilities.
17% say they “need to” use a tool
THANK YOU!
Because even if your app or site may not seem like a target …
Your users may be re-using their password …
• their bank
• their PayPal
• their workplace
• their healthcare provider
• their password manager (!)
• their computer
• their email, which gives an attacker access to all of those others!
• etc.
So if your app is hacked, their other accounts could get hacked too.
Next (rhetorical) question …
Which of the following security tech applies to your code?
• Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options
🤷🤷
How do you know what you need to know?
Observatory helps me focus on learning the most important security for my code right now.
Because the reason most of us don’t do all this
… • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options
we don’t have time to do it all.
But, there’s plenty of “quick wins” you can get with a little bit of time
So, let’s get started …
⚠ Disclaimer: don’t be evil ⚠
You should only use security scanning and testing tools with permission
So … don’t go scan a bunch of government websites
Now … let’s go scan a bunch of government websites
hackerone.com
So basically, GSA gives permission to scan some sites, within certain scope and under certain conditions
Let’s try the first one on the list: itdashboard.gov
Loading external scripts over (insecure) HTTP - WCGW? 🤷
https://itdashboard.gov
<html>
<head>
…
<script src="http://ajax.googleapis.com/…"></script>
…
</head>
…
</html>
https://itdashboard.gov loads <script src="http://ajax.googleapis.com/…"></script> over plain HTTP
https://itdashboard.gov
<html>
<head>
<script src="http://ajax.googleapis.com/…"
        integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC">
</script>
</head>
</html>
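Added example (not from the slides) showing how an integrity value like the one above is produced and checked: the base64 of the raw SHA-384 digest of the fetched file. It also adds the crossorigin="anonymous" attribute a cross-origin script needs for the browser to verify the hash, and refuses http:// and protocol-relative sources, since SRI pins content but does not remove the mixed-content problem; SAMPLE_SCRIPT is a constructed stand-in for the CDN file.

```python
import base64
import hashlib

# Constructed stand-in for the script body fetched from the CDN; in practice
# hash the exact bytes the CDN serves, since any change (even a new version)
# makes the browser refuse to run the file.
SAMPLE_SCRIPT = b"(function(){window.sampleLib={version:'1.0'};})();\n"
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the algorithms browsers accept


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity value: '<algo>-' + base64 of the raw (not hex) digest."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag for src with its integrity pin.

    crossorigin="anonymous" is needed for a cross-origin file such as a CDN
    script: without it the browser cannot read the response bytes to check
    the hash and does not execute the script at all.
    """
    if src.startswith(("http://", "//")):
        raise ValueError("use an https:// URL: SRI pins content, it does not fix mixed content")
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute as a browser does.

    The attribute may carry several tokens; only those using the strongest
    listed algorithm count, and one of them must match. If no token uses a
    known algorithm a browser skips the check entirely; this helper reports
    False instead so a CI job does not treat a typo as a pass.
    """
    tokens = [t.split("-", 1) for t in integrity.split() if "-" in t]
    known = [(algo, val) for algo, val in tokens if algo in STRENGTH]
    if not known:
        return False
    best = max(STRENGTH[algo] for algo, _ in known)
    return any(sri_hash(body, algo) == f"{algo}-{val}"
               for algo, val in known if STRENGTH[algo] == best)
```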
https://www.keycdn.com/support/what-is-mime-sniffing
https://itdashboard.gov
<script src="/user-uploads/image.jpg"></script>
(/user-uploads/image.jpg is a user-uploaded file with JS in it)
Does your server set the right Content-Type for scripts and styles?
Yes?
This is “easy” - you can add X-Content-Type-Options: nosniff across your entire server.
X-Content-Type-Options is the first recommended fix, because it’s easier than others …
No?
Do you need to support old IE browsers?
• No? add X-Content-Type-Options: nosniff
• Yes? Sorry to hear that …
  • Does your site need to render user uploads in pages?
    • No? add X-Content-Type-Options: nosniff
    • Yes? Sorry again …
This is how improving your security works:
1. Find a potential vulnerability
2. Learn about the potential attack(s)
3. Determine how much it affects your code specifically
4. Make an appropriate fix
5. Repeat
So, what’s next for itdashboard.gov ?
Normally, you would make the recommended fix …
And then
But since GSA won’t give us access to deploy code on itdashboard.gov …
Let’s just check out the other tests in the report
…
X-XSS-Protection
But what does it actually do?
https://itdashboard.gov/?param=<script>alert(1)</script>
<html>
<head><title>…</title></head>
<body>
<?php echo $_GET['param']; ?>
</body>
</html>
X-XSS-Protection: 1; mode=block
https://itdashboard.gov/?param=<script>alert(1)</script>
<html>
<head><title>…</title></head>
<body>
<?php echo $_GET['param']; ?>
</body>
</html>
You might as well take care of older browser users (they need all the help they can get!)
Do you need to render HTML from url params?
• No? add X-XSS-Protection: 1; mode=block
• Yes? No you don’t. add X-XSS-Protection: 1; mode=block
  • For real you do? No, for real you don’t.
Observatory Command-Line Interface
npm install observatory-cli
observatory itdashboard.gov --zero --format=report
So, same tests and results
Note: no “Recommendation”
But you could put this in your CI pipeline to scan a dev or stage site on every code change
And you can make CI fail if the score drops below a certain level
Observatory API
https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/api.md
https://http-observatory.security.mozilla.org/api/v1
• POST /analyze?host=itdashboard.gov with hidden=true&rescan=true
• GET /analyze?host=itdashboard.gov returns a “scan object” with a scan ID
• GET /getScanResults?scan=<scan ID>
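Added example (not Observatory’s own client) of the CI gate described above, built on the three v1 API calls just listed: it starts a scan, polls until the scan object is FINISHED, fetches the per-test results and reports failure when the score is below a threshold. The JSON field names scan_id, state, score, grade and pass are assumed from the linked API docs (Observatory has since moved to MDN, so confirm the current endpoint and fields first), and FakeObservatory is a constructed offline stand-in for the real endpoint.

```python
import time
from typing import Callable

API = "https://http-observatory.security.mozilla.org/api/v1"
Get = Callable[[str], dict]          # GET url -> decoded JSON
Post = Callable[[str, dict], dict]   # POST url, form data -> decoded JSON

def scan_host(host: str, post: Post, get: Get, max_polls: int = 30,
              poll_interval: float = 0.0) -> dict:
    """Start a fresh (hidden) scan, then poll GET /analyze until it is FINISHED."""
    scan = post(f"{API}/analyze?host={host}", {"hidden": "true", "rescan": "true"})
    for _ in range(max_polls):
        if scan.get("state") == "FINISHED":
            return scan
        if scan.get("state") in ("FAILED", "ABORTED"):
            raise RuntimeError(f"{host}: scan ended in state {scan['state']}")
        time.sleep(poll_interval)
        scan = get(f"{API}/analyze?host={host}")
    raise TimeoutError(f"{host}: scan still {scan.get('state')} after {max_polls} polls")

def ci_gate(host: str, post: Post, get: Get, min_score: int) -> tuple[bool, str]:
    """Return (ok, summary); ok is False when the score is below min_score,
    so the caller can exit non-zero and fail the CI job."""
    scan = scan_host(host, post, get)
    results = get(f"{API}/getScanResults?scan={scan['scan_id']}")
    failed = sorted(name for name, r in results.items() if not r.get("pass"))
    ok = scan["score"] >= min_score
    summary = (f"{host}: score {scan['score']} grade {scan['grade']} (min {min_score}); "
               f"failing tests: {', '.join(failed) or 'none'}")
    return ok, summary

class FakeObservatory:
    """Constructed offline stand-in for the API: PENDING on the first GET, FINISHED after.
    Test names and scores passed in are made up to mirror the itdashboard.gov slides."""

    def __init__(self, score: int, grade: str, tests: dict[str, bool]):
        self.pending = {"scan_id": 4242, "state": "PENDING", "score": None, "grade": None}
        self.final = {"scan_id": 4242, "state": "FINISHED", "score": score, "grade": grade}
        self.results = {n: {"pass": p, "score_modifier": 0 if p else -5} for n, p in tests.items()}
        self.polls = 0

    def post(self, url: str, data: dict) -> dict:
        return dict(self.pending)

    def get(self, url: str) -> dict:
        if "getScanResults" in url:
            return self.results
        self.polls += 1
        return dict(self.final)
```

In a real pipeline, replace FakeObservatory with thin urllib or requests wrappers for post/get and exit non-zero when ci_gate returns ok == False.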
Now, let’s scan ALL the GSA sites in scope …
⚠ Disclaimer: don’t be evil ⚠
You should only use security scanning and testing tools with permission
Questions • Mozilla Observatory • Website • Command-line tool • API • 3rd-party scans • What else?
Appendix
So, let’s go see where itdashboard.gov might be vulnerable?
View source …
Search for src="http:// … Phrase not found 🤔
“or use protocol-relative URLs” like src="//
So, if someone accessed this page via insecure http://, we could hack the script
But, if someone accessed this page via insecure http://, we could just hack the page
So when would this ever be a real problem?
When would someone ever access this page over insecure http:// ? 🙋
What if someone types “itdashboard.gov” without https?
What if another page links to “itdashboard.gov” without https?
When would someone run this page over insecure http:// ?
When would someone run this page at http://127.0.0.1 ?
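Added example (not from the talk) of the search the appendix does by hand: a small parser that flags subresources loaded over http:// together with the protocol-relative // URLs that a find for src="http:// misses, which resolve to plain http whenever the page itself is opened over http, for instance on a dev server at http://127.0.0.1. SAMPLE_PAGE is a constructed page modelled on the itdashboard.gov source; the example.test hosts are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch and use a subresource, and the
# <link rel> values that actually trigger a fetch (canonical, alternate etc. do not).
LOADS = {"script": "src", "link": "href", "img": "src", "iframe": "src",
         "source": "src", "audio": "src", "video": "src", "object": "data"}
FETCHED_RELS = {"stylesheet", "icon", "preload", "modulepreload"}
REASONS = {
    "http": "loaded over plain http://: blocked or hijackable on an https page",
    "protocol-relative": "// inherits the page scheme: becomes http when the page is "
                         "opened over http://, e.g. a dev server on http://127.0.0.1",
}


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url, reason) for subresources not pinned to https."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = LOADS.get(tag)
        if attr is None:
            return
        if tag == "link" and not FETCHED_RELS & set((a.get("rel") or "").lower().split()):
            return
        url = (a.get(attr) or "").strip()
        if url.startswith("//"):
            self.findings.append((tag, attr, url, "protocol-relative"))
        elif urlsplit(url).scheme == "http":  # urlsplit lowercases the scheme
            self.findings.append((tag, attr, url, "http"))


def find_mixed_content(html: str) -> list[tuple[str, str, str, str]]:
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page modelled on the itdashboard.gov source shown in the talk.
SAMPLE_PAGE = """<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/app.js"></script>
<link rel="stylesheet" href="//cdn.example.test/app.css">
<link rel="canonical" href="http://itdashboard.gov/">
<script src="https://cdn.example.test/safe.js" crossorigin="anonymous"></script>
</head><body><img src="/user-uploads/image.jpg"></body></html>"""
```

Calling find_mixed_content(SAMPLE_PAGE) reports the http:// script and the two protocol-relative loads and skips the canonical link, the https script and the same-origin image; REASONS explains each finding for a report.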
Content Security Policy … what’s that?
Insert lots of content about CSP