
Demystifying UI security

Why Security is so important on UI side?
Understanding the possible threats
Most Common Web Security Vulnerabilities

Hiren Dave

June 05, 2022

Transcript

  1. Demystifying UI security
    Hiren Dave, Senior Tech Lead, iBASEt India Software Pvt Ltd.
    Co-Organizer, GDG Ahmedabad and Laravel Live Ahmedabad
    Twitter: @hjdave
    https://hirendave.com
  2. Today's Agenda
    Why is security so important on the UI side?
    Understanding the possible threats
    Most common web security vulnerabilities
  3. JavaScript is the Culprit
    JavaScript is very powerful and browsers are smart.
    All server-side processes are moving to the client side:
    client-side business logic, client-side routing, client-side access control,
    client-side data storage, caching, etc.
  4. Trust
    Never, ever trust your end user.
    Check all user inputs: the source of the input, the content of the input,
    and how it was transmitted. Check for immutability.
    Secure the identity of the user: always check authentication and authorization.
    Always have role- and user-based access control on the server.
  5. Data Transmission
    Always use HTTPS.
    Secure your cookies.
    Transfer only the necessary data.
    Use proper data formats.
    Don't over-engineer it.
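The "secure your cookies" point above is usually where a session cookie goes wrong, so here is an added example (not code from the deck) that builds a Set-Cookie header with the protective attributes and audits a header for the ones it lacks. The function names buildSetCookie, weakSessionCookie, hardenedSessionCookie and auditSetCookie, and the sample session id, are all chosen for this illustration.

```javascript
// Added example, not code from the deck. buildSetCookie, auditSetCookie and
// the sample session id are names/values chosen for this illustration.

// Build a Set-Cookie header value. Attribute names follow RFC 6265.
function buildSetCookie(name, value, opts = {}) {
  // Cookie names are RFC 6265 tokens; reject anything else.
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  // A value containing ';', ',', whitespace, quotes or control characters could
  // smuggle extra attributes into the header, so refuse it outright.
  if (/[\x00-\x1f\x7f;,\s"]/.test(value)) {
    throw new Error('invalid cookie value');
  }
  const parts = [`${name}=${value}`, `Path=${opts.path || '/'}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');     // sent over HTTPS only
  if (opts.httpOnly) parts.push('HttpOnly'); // not readable via document.cookie
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`); // limits cross-site sending
  return parts.join('; ');
}

// Weak form: defaults only. Sent over plain HTTP, readable by page script,
// and attached to requests initiated by other sites.
function weakSessionCookie(sessionId) {
  return buildSetCookie('sid', sessionId);
}

// Hardened form: the attributes a session cookie should normally carry.
// Max-Age is kept in step with the server-side session lifetime.
function hardenedSessionCookie(sessionId) {
  return buildSetCookie('sid', sessionId, {
    secure: true,
    httpOnly: true,
    sameSite: 'Lax',
    maxAge: 1800,
  });
}

// Audit: list the protective attributes a Set-Cookie header is missing.
// Attribute names are matched case-insensitively, as browsers do.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample session id (not a real value).
const SAMPLE_SID = 'c0ffee1234';
console.log('weak:     ', weakSessionCookie(SAMPLE_SID),
  '-> missing', auditSetCookie(weakSessionCookie(SAMPLE_SID)));
console.log('hardened: ', hardenedSessionCookie(SAMPLE_SID),
  '-> missing', auditSetCookie(hardenedSessionCookie(SAMPLE_SID)));
```

The value check matters as much as the attributes: if a caller ever lets user-controlled text reach the cookie value, a `;` in it would otherwise append attributes of the attacker's choosing, which is why the builder refuses such values instead of trying to escape them.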
  6. Data Storage
    Client side or server side?
    Keep only necessary data.
    Clear the data on session expiry.
    Check for leakage and its possible impact.
    Identity of data.
    Use proper cryptography.
  7. Credentials
    Hard-coded in the code?
    Checked in to your version control by mistake?
    Easily accessible?
    Do all team members have access to the credentials?
    Are you changing them frequently?
    Only share them when it's needed.
  8. Always Use Updated Libraries
    Keep checking for newer versions of your libraries.
    Keep them updated in your application.
    Don't wait for the updates.
    Always check before you update.
  9. OWASP Top 10
    SQL Injection
    Cross Site Scripting
    Broken Authentication and Session Management
    Insecure Direct Object References
    Cross Site Request Forgery
    Security Misconfiguration
    Insecure Cryptographic Storage
    Failure to Restrict URL Access
    Insufficient Transport Layer Protection
    Unvalidated Redirects and Forwards
  10. SQL Injection
    Manipulate SQL statements by manipulating user input.
    Data in the database can be modified.
    TRUST
    Do not trust user input.
    Use the latest libraries.
  11. Cross Site Scripting (XSS)
    XSS is an attack which allows the attacker to execute scripts in the victim's browser.
    It can run malware inside your application.
    TRUST
    Do not trust user input.
    Set a Content Security Policy.
    Use proper response headers.
  12. Broken Authentication and Session Management
    Forgetting to clear cookies after the session expires.
    Attacker gains unauthorized access to the system.
    DATA STORAGE
    Use server-side session management.
    Enforce policies for user credentials.
  13. Insecure Direct Object References
    Developer mistakes.
    Attacker gains unauthorized access to objects and can manipulate the system.
    TRUST
    Implement strict access control checks.
  14. Cross Site Request Forgery
    Executes unwanted actions on a web application in which the user's session is active.
    Can manipulate the user's data.
    TRUST, DATA TRANSMISSION
    Always use HTTPS.
    Implement an anti-CSRF token.
    Set the SameSite flag on cookies.
    Check the data.
  15. Security Misconfiguration
    Misconfiguration on the server side, in the framework, the application, file access, etc.
    Attacker can gain access to the system.
    TRUST
    Set up a proper server architecture.
    Set up proper security configurations.
  16. Insecure Cryptographic Storage
    Sensitive data is not stored properly.
    Attacker can use the data to steal identities.
    DATA STORAGE
    Use proper cryptography to store the data.
    Set up access control.
  17. Failure to Restrict URL Access
    Improper setup of authorization.
    Attacker can gain access to unauthorized URLs.
    TRUST, DATA TRANSMISSION
    Implement strong access control checks.
    Role-based authentication.
  18. Insufficient Transport Layer Protection
    Not using SSL and proper cryptography during transmission.
    Attacker can gain access to the user's personal data.
    DATA TRANSMISSION
    Always use HTTPS.
    Use proper cryptography.
  19. Unvalidated Redirects and Forwards
    Lack of proper validation before redirects and forwards.
    Attacker can redirect the user to malware.
    TRUST
    Avoid using redirects.
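Where a redirect after login cannot be avoided, the validation the slide asks for means accepting only same-origin paths, or better still only named destinations. Here is an added example (not code from the deck) of both approaches; safeRedirectTarget, redirectByKey, the origin https://app.example and the destination table are assumptions constructed for this illustration.

```javascript
// Added example, not code from the deck. safeRedirectTarget, redirectByKey, the
// origin https://app.example and the DESTINATIONS table are chosen for this example.

const APP_ORIGIN = 'https://app.example'; // assumed origin of the application

// Accept a user-supplied "next" parameter only if it resolves to a path on our
// own origin; otherwise fall back to a fixed safe page.
function safeRedirectTarget(rawTarget, fallback = '/') {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) return fallback;
  // Must be a single-slash relative path: "//host" is protocol-relative and
  // "/\host" is treated the same way by browsers.
  if (!rawTarget.startsWith('/') || rawTarget.startsWith('//') || rawTarget.startsWith('/\\')) {
    return fallback;
  }
  // Control characters (CR/LF among them) could split the Location header.
  if (/[\x00-\x1f\x7f]/.test(rawTarget)) return fallback;
  let parsed;
  try {
    parsed = new URL(rawTarget, APP_ORIGIN);
  } catch (e) {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Path normalisation ("/..//host") can still yield a leading "//"; refuse it.
  if (parsed.pathname.startsWith('//')) return fallback;
  return parsed.pathname + parsed.search;
}

// Stricter alternative: the client only ever sends a key, never a URL.
const DESTINATIONS = new Map([
  ['dashboard', '/dashboard'],
  ['settings', '/account/settings'],
  ['orders', '/orders'],
]);

function redirectByKey(key, fallback = '/') {
  return DESTINATIONS.has(key) ? DESTINATIONS.get(key) : fallback;
}

// Stand-alone demonstration with constructed inputs.
const samples = [
  '/account?tab=1',
  '//other.example/login',
  'https://other.example/',
  '/\\other.example',
  '/..//other.example/',
  '/x\r\nSet-Cookie: a=b',
  '',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}
console.log('key settings ->', redirectByKey('settings'));
console.log('key __proto__ ->', redirectByKey('__proto__'));
```

The Map in the second approach is deliberate: a plain object keyed by user input answers `__proto__` and other inherited names with a value, which an own-property check would have to guard against separately.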