Mozilla Observatory First Draft
luke crouch
March 15, 2021
Transcript
Luke Crouch For learning and doing web app security
Me: Luke Crouch • Privacy & Security Engineer, Mozilla • Board member, Techlahoma Foundation • I’ve had 4 cups of coffee already ☕ ☕ ☕ ☕
This talk • 112 slides in ~15m • Mozilla Observatory • Website • Command-line tool • API • Questions
How many of you use a tool to scan your web site or app for security issues? 🙋
In Mozilla research, 16% say Yes (n=1,181 web engineers, *old data)
In Mozilla research, 47% say No (n=1,181 web developers, *old data)
Why don’t you use something to scan your web site or app?
40% say: I don’t need it
Can’t have security vulnerabilities … … if you don’t know about your security vulnerabilities.
17% say they “need to” use a tool
THANK YOU!
Because even if your app or site may not seem like a target …
Your users may be re-using their password …
• their bank • their PayPal • their workplace • their healthcare provider • their password manager (!) • their computer • etc. • their email, which gives an attacker access to all of those others!
So if your app is hacked, their other accounts could get hacked too.
Next (rhetorical) question …
Which of the following security tech applies to your code?
• Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options
🤷🤷
How do you know what you need to know?
Observatory helps me focus on learning the most important security for my code right now.
Because the reason most of us don’t do all this … • Mixed Content • Subresource Integrity • Cross-Origin Resource Sharing • Cookies • Secure • HttpOnly • Content Security Policy • HTTP Strict Transport Security • Redirections • Referrer Policy • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options … is that we don’t have time to do it all.
But, there’s plenty of “quick wins” you can get with a little bit of time.
So, let’s get started …
⚠ Disclaimer: don’t be evil ⚠
You should only use security scanning and testing tools with permission.
So … don’t go scan a bunch of government websites
Now … let’s go scan a bunch of government websites
hackerone.com
So basically, GSA gives permission to scan some sites, within certain scope and under certain conditions.
Let’s try the first one on the list: itdashboard.gov
Loading external scripts over (insecure) HTTP - WCGW? 🤷
https://itdashboard.gov
    <html>
      <head>
        …
        <script src="http://ajax.googleapis.com/…"></script>
        …
      </head>
      …
    </html>
The page itself arrives over HTTPS, but the script it includes is requested over plain HTTP.
Adding Subresource Integrity to the script tag:
    <html>
      <head>
        <script src="http://ajax.googleapis.com/…"
                integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC">
        </script>
      </head>
    </html>
https://www.keycdn.com/support/what-is-mime-sniffing
https://itdashboard.gov
    <script src="/user-uploads/image.jpg"></script>
A user-uploaded “image.jpg” under /user-uploads/ that actually contains JS: without nosniff, the browser may sniff the content and run it as script.
Does your server set the right Content-Type for scripts and styles?
Yes? This is “easy” - you can add X-Content-Type-Options: nosniff across your entire server.
X-Content-Type-Options is the first recommended fix, because it’s easier than the others …
No? Do you need to support old IE browsers?
• No? add X-Content-Type-Options: nosniff
• Yes? Sorry to hear that. Does your site need to render user uploads in pages?
  • No? add X-Content-Type-Options: nosniff
  • Yes? Sorry again …
This is how improving your security works
1. Find a potential vulnerability
2. Learn about the potential attack(s)
3. Determine how much it affects your code specifically
4. Make an appropriate fix
5. Repeat
So, what’s next for itdashboard.gov ?
Normally, you would make the recommended fix …
And then
But since GSA won’t give us access to deploy code on itdashboard.gov …
Let’s just check out the other tests in the report …
X-XSS-Protection
But what does it actually do?
https://itdashboard.gov/?param=<script>alert(1)</script>
    <html>
      <head><title>…</title></head>
      <body>
        <?php echo $_GET['param'] ?>
      </body>
    </html>
With the header X-XSS-Protection: 1; mode=block, the same page:
https://itdashboard.gov/?param=<script>alert(1)</script>
    <html>
      <head><title>…</title></head>
      <body>
        <?php echo $_GET['param'] ?>
      </body>
    </html>
You might as well take care of older browser users (they need all the help they can get!)
Do you need to render HTML from url params?
• No? add X-XSS-Protection: 1; mode=block
• Yes? No you don’t. add X-XSS-Protection: 1; mode=block
• For real you do? No, for real you don’t.
Observatory Command-Line Interface
    npm install observatory-cli
    observatory itdashboard.gov --zero --format=report
So, same tests and results
Note: no “Recommendation”
But you could put this in your CI pipeline to scan a dev or stage site on every code change.
And you can make CI fail if the score drops below a certain level.
Observatory API
https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/api.md
https://http-observatory.security.mozilla.org/api/v1
• POST /analyze?host=itdashboard.gov • hidden=true&rescan=true
• GET /analyze?host=itdashboard.gov • returns a “scan object” with a scan ID
• GET /getScanResults?scan=<scan ID>
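The API flow above and the CI gate from the command-line section, as one added example that is neither the talk’s code nor part of the http-observatory project. It assumes the scan object carries scan_id, state, score and grade, that state passes through RUNNING to FINISHED (or FAILED/ABORTED), and that each getScanResults entry has a pass boolean; fetchJson is an injected helper so the flow runs offline against a constructed fake.

```javascript
// Added example (not from the talk or the http-observatory project): drive the
// API flow from the slides (POST /analyze, poll, GET /getScanResults) and fail a
// CI run when the score is below a threshold. Assumed scan-object fields:
// scan_id, state, score, grade; assumed per-test field: pass.
const API = 'https://http-observatory.security.mozilla.org/api/v1';

// fetchJson(method, url, body) is injected so the logic can run without network.
async function scanHost(host, fetchJson, { minScore = 50, maxPolls = 30, sleepMs = 0 } = {}) {
  const hostQ = encodeURIComponent(host);
  // Start a fresh, unlisted scan (hidden=true keeps it off the public list).
  let scan = await fetchJson('POST', `${API}/analyze?host=${hostQ}`, 'hidden=true&rescan=true');
  // Poll the scan object until it reaches FINISHED.
  for (let i = 0; i < maxPolls && scan.state !== 'FINISHED'; i++) {
    if (scan.state === 'FAILED' || scan.state === 'ABORTED') {
      throw new Error(`scan of ${host} ended in state ${scan.state}`);
    }
    if (sleepMs) await new Promise((r) => setTimeout(r, sleepMs));
    scan = await fetchJson('GET', `${API}/analyze?host=${hostQ}`);
  }
  if (scan.state !== 'FINISHED') throw new Error(`scan of ${host} did not finish`);
  const results = await fetchJson('GET', `${API}/getScanResults?scan=${scan.scan_id}`);
  const failed = Object.entries(results)
    .filter(([, test]) => test && test.pass === false)
    .map(([name]) => name);
  return { host, score: scan.score, grade: scan.grade, failed, ok: scan.score >= minScore };
}

// Scan every host in scope and say whether the CI gate passes.
async function scanAll(hosts, fetchJson, opts) {
  const reports = [];
  for (const host of hosts) reports.push(await scanHost(host, fetchJson, opts));
  return { reports, ciPass: reports.every((r) => r.ok) };
}

// Constructed fake API: the scan is RUNNING on the first poll and FINISHED on the
// second, with a score of 35 and two failing tests.
function fakeFetchJson() {
  let calls = 0;
  return async (method, url) => {
    if (url.includes('/getScanResults')) {
      return { 'x-content-type-options': { pass: false }, 'x-xss-protection': { pass: false }, redirection: { pass: true } };
    }
    calls += 1;
    return calls >= 3 ? { scan_id: 101, state: 'FINISHED', score: 35, grade: 'D' }
                      : { scan_id: 101, state: 'RUNNING' };
  };
}
```

In a real pipeline, pass a small wrapper around fetch as fetchJson and exit non-zero when scanAll reports ciPass === false.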
Now, let’s scan ALL the GSA sites in scope …
⚠ Disclaimer: don’t be evil ⚠
You should only use security scanning and testing tools with permission.
Questions • Mozilla Observatory • Website • Command-line tool • API • 3rd-party scans • What else?
Appendix
So, let’s go see where itdashboard.gov might be vulnerable?
View source …
Searching the source for src="http:// … Phrase not found 🤔
“or use protocol-relative URLs”, like src="//
So, if someone accessed this page via insecure http://, we could hack the script.
But, if someone accessed this page via insecure http://, we could just hack the page.
So when would this ever be a real problem?
When would someone ever access this page over insecure http://? 🙋
What if someone types “itdashboard.gov” without https?
What if another page links to “itdashboard.gov” without https?
When would someone run this page over insecure http:// ?
When would someone run this page at http://127.0.0.1 ?
Content Security Policy … what’s that?
Insert lots of content about CSP