Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello World 2017 - Get the basics right!

Hello World Tech Conference
May 03, 2017
Technology
0
110

Hello World 2017 - Get the basics right!

Título: Get the basics right!
Autor: Renato Rodrigues
Contacto: https://twitter.com/simps0n

Hello World Tech Conference

May 03, 2017
Tweet

More Decks by Hello World Tech Conference

See All by Hello World Tech Conference
Hello World 2018 - Learn how to get that dream job at Google!
helloworldconf
0
100
Hello World 2018 - Introduction to Swift
helloworldconf
0
57
Hello World 2018 - Understanding attacker behaviors, motivations and common ways of operation
helloworldconf
0
59
Hello World 2018 - GraphQL A query language for your API
helloworldconf
1
77
Hello World 2018 - We need to talk about Preact
helloworldconf
1
75
Hello World 2018 - Why Ruby?
helloworldconf
0
39
Hello World 2018 - Recent Advances in Machine Learning
helloworldconf
0
59
Hello World 2018 - Quality from the start
helloworldconf
0
29
Hello World 2017 - React Native
helloworldconf
0
110

Other Decks in Technology

See All in Technology
LINEヤフーのウェブアクセシビリティ
lycorptech_jp
PRO
3
240
サービス開発におけるVue3とTypeScriptの親和性について
tsukuha
10
1.8k
Google Cloud Next '24 Recap in ZOZO AIにより変わる開発 運用/Development and operation changed by AI
gachimuchiengineer
0
370
AI JIMY - 登壇(インストール編)
hanacchi
0
160
B2C、B2B プロダクトマネジメントの違い(および思考の罠) / B2C, B2B PM and reduction fallacy
ykmc09
5
2.6k
エネルギープラットフォーマーを目指す東京ガス内製開発チームが始めたKubernetes
yussugi
1
270
テストコードを書きながらCompose Multiplatformを乗りこなす
subroh0508
0
160
5分で分かる(かもしれない) Vector engine for OpenSearch Serverless
tsukuboshi
1
460
知識と実践を紡ぐGenAI / Connecting Knowledge and experience with GenAI
aki_moon
2
200
エムスリーQAチーム紹介資料 / Introduction of M3 QA Team
m3_engineering
1
350
iThome2024 Wailing Wall of Enterprise Security
notsurprised
0
320
Laboratories in Science and Technology: Deep Neural Networks
keio_smilab
PRO
3
190

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
325
20k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
16
1.6k
Infographics Made Easy
chrislema
238
18k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
41
4.5k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
What's in a price? How to price your products and services
michaelherold
238
11k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
22
1.6k
Learning to Love Humans: Emotional Interface Design
aarron
268
39k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
124
40k
Why Our Code Smells
bkeepers
PRO
331
56k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k

Transcript

  1. GET THE BASICS RIGHT! HELLO WORLD 2017 by Renato Rodrigues

  2. RENATO RODRIGUES SIMPS0N //PATHONPROJECT.COM

  3. WEB APPS ISSUES OUT OF THE BOX OUT THERE

  4. WEB APPLICATIONS

  5. WHAT IS IT? In computing, a web application or web

    app is a client–server software application which the client (or user interface) runs in a web browser. https://en.wikipedia.org/wiki/Web_application

  6. CONCEPT MODERN APPS Images from Google Images.

  7. THE BIG PICTURE MAYBE WE SHOULD KNOW WHERE THEY LIVE!

    We know that a modern Web App is a pile of technology. How many stacks are being used? The links between them? Possible weaknesses? Can we understand:

  8. BROWSERS Images from Alrra Browser-Logos.

  9. ISSUES

  10. CROSS-SITE SCRIPTING (XSS)

  11. CROSS-SITE REQUEST FORGERY (CSRF)

  12. SQL INJECTION (SQLI)

  13. Remote Code Execution (RCE) XML External Entity (XXE) Session Fixation

    Dir Traversal Insecure Direct Object References Broken Authentication and Session Management Server Side Request Forgery (SSRF) Unvalidated Redirects and Forwards Insecure Cryptographic Storage Relative Path Overwrite (RPO) ...

  14. OUT OF THE BOX

  15. X-XSS-PROTECTION Sets the configuration for the cross-site scripting filters built

    into most browsers. The best configuration is "X- XSS-Protection: 1; mode=block". X-XSS-Protection 1; mode=block Information from SecurityHeaders.io

  16. X-FRAME-OPTIONS Tells the browser whether you want to allow your

    site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. X-Frame-Options SAMEORIGIN | DENY Information from SecurityHeaders.io

  17. X-CONTENT-TYPE-OPTIONS Stops a browser from trying to MIME-sniff the content

    type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff". X-Content-Type-Options nosniff Information from SecurityHeaders.io

  18. CONTENT-SECURITY-POLICY Is an "effective" measure to protect your site from

    several attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Content-Security-Policy default-src 'self'; script-src 'self' ... Information from SecurityHeaders.io CSP Builder (Helper): https://report-uri.io/home/generate

  19. STRICT-TRANSPORT-SECURITY Is an excellent feature to support on your site

    and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Strict-Transport-Security max-age=31536000; includeSubdomains; preload Information from SecurityHeaders.io

  20. PUBLIC-KEY-PINS Protects your site from MiTM attacks using rogue X.509

    certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised. Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report- uri="..." Information from SecurityHeaders.io

  21. SUBRESOURCE INTEGRITY Mechanism by which user agents may verify that

    a fetched resource has been delivered without unexpected manipulation. <script src="https://example.com/example-framework.js" integrity="sha384- Li9vy3DqF8tnTXu...gNR/VqsVpcw+T...Jr7" crossorigin="anonymous"></script> Information from . W3C

  22. COOKIES Session, Secure, HTTPOnly and SameSite INPUT VALIDATION Client and

    Serve Side Always! MORE TO COME: SUBORIGINS, REFERRER POLICY, EXPECT-CT ... Not out of box but...

  23. OUT THERE

  24. BUG BOUNTIES //cobalt.io - //bugcrowd.com - //hackerone.com - //synack.com Search

    for a Security Page A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs , especially those pertaining to exploits and vulnerabilities. https://en.wikipedia.org/wiki/Bug_bounty_program

  25. REPORT Discovery Date: dd/MM/YY - HH:mm:ss System/Domain: https://sub.website.com/ Vulnerability Type:

    XSS / RCE / CSRF / ... Description: Detailed explanation of the vulnerability Impact: In the context of the vulnerable service/app. Proof of Concept Data (PoC) * Works in: Google Chrome, Firefox, IE, Safari, ... * Attack Vector: How to trigger the vulnerability. * Payload: What triggers the vulnerability. PoC Image/Video: Visual proof. Mitigation: If we have an idea how to fix, we should suggest. Notes: If pertinent. Always remember to be polite!

  26. IT'S OVER! @ - SIMPS0N //PATHONPROJECT.COM