
Counter spells and the art of keeping your application safe

Emberconf 2017

An engineer's guide to front-end security using Ember.

Ingrid Epure

March 28, 2017



  1. 2008: the first-ever Android device; Google releases Chrome; HTML5 is introduced; the GIFAR attack: someone discovers a way to hide an executable JAR inside a GIF.
  2. Yes, cats are planning to kill you, or at least to steal your identity and your money.
  3. [ The first rule of web security is to never (ever!) trust user-submitted data ]
  4. 37 authors; 190 commits to master; 220 commits to all branches (March 13, 2017 - March 20, 2017); 892 file changes; 5816 additions / 15584 deletions; shipping to prod > 100 times a day.
  5. Jun 2016: Ingrid starts working with Ember. Ingrid has to fix an image uploading / real-time preview issue without introducing an XSS vulnerability. Sep 2016: Ingrid has a backend and infra background, so she decides to look more into it.
  6. Content Security Policy, SecuritasContentus (SECUR-itas-kontent-us): a new browser feature for mitigating XSS and data-injection attacks. Use CSP to whitelist "safe" script hosts; in Ember, see ember-cli-content-security-policy.
  7. HTTP: Content-Security-Policy: script-src 'self' static.mysite.com. Browser console: Refused to load the script 'http://pure-evil.com/evil.js' because it violates the following Content Security Policy directive: "script-src 'self' static.mysite.com".
  8. Avoid htmlSafe, htmlTutusExpellus (html-tutus-expellus): never use it directly on user input; use it only with proper sanitization; your controller should not be building HTML. Power up: contextual components.
  9. Use the DOM instead: create a text node, set the style attributes, append the anchor child element, and return the node.
  10. Avoid triple curlies, TripliciCrispusExpellus (tri-pli-ci-crispus): using {{{ }}} on direct user input can introduce vulnerabilities. {{{ is htmlSafe() for templates: it marks HTML code as safe to execute.
  11. A newly opened tab gets partial access to the linking page via the window.opener object, and it can change window.opener.location to a phishing page. Some of the permissions are automatically negated by cross-domain restrictions, but window.location is fair game.
  12. A postBuild hook to get real-time feedback: find + grep + regexp + wc to get the count; compare the count against a static limit; fail the build if the numbers don't match.
  13. [ Regexps are like black magic. They're powerful and get the job done, but you also fear them and might have to sell your soul in the process ] [ regexp rage by Ingrid ]
  14. ESLint, BonumLintum (bonum-LINT-um): introduce a line in the sand for blacklisted methods; use linters for real-time feedback in dev.
  15. ESLint CLI + a custom rule to get the count; fail the build if errorCount > the max allowed; enable the ESLint cache for increased performance.
  16. OWASP Top 10: Cross-Site Scripting (XSS); Sensitive Data Exposure; Information Disclosure; Broken Authentication & Session Management.
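The count-and-compare "line in the sand" from slides 12 and 15, written out as a small Node script. This is an added example, not code from the talk or from ember-cli; the file map, pattern names and limits are constructed, and a real postBuild hook would read the files from disk instead of taking a map.

```javascript
// Added example (not from the talk or from ember-cli): a "line in the sand" check
// in the spirit of slides 12 and 15. It counts blacklisted patterns in a set of
// source files and fails when a count grows past a static limit, so new triple
// curlies or htmlSafe() calls cannot slip in unnoticed. All names are hypothetical.
const PATTERNS = {
  // {{{foo}}} but not the {{{{raw}}}} block syntax, which has four braces
  tripleCurly: { ext: '.hbs', re: /(?<!\{)\{\{\{(?!\{)/g },
  htmlSafe:    { ext: '.js',  re: /\bhtmlSafe\s*\(/g },
};

// Count each blacklisted pattern in one file, keyed by pattern name.
function countPatterns(filename, source) {
  const counts = {};
  for (const [name, { ext, re }] of Object.entries(PATTERNS)) {
    counts[name] = filename.endsWith(ext) ? (source.match(re) || []).length : 0;
  }
  return counts;
}

// Sum the counts over a map of filename -> source. In a real postBuild hook this
// map would come from walking the app tree; here it is passed in so it can be tested.
function countAll(files) {
  const total = Object.fromEntries(Object.keys(PATTERNS).map(k => [k, 0]));
  for (const [filename, source] of Object.entries(files)) {
    const c = countPatterns(filename, source);
    for (const k of Object.keys(total)) total[k] += c[k];
  }
  return total;
}

// Compare the totals with the static limits; any count over its limit fails the check.
function checkLimits(counts, limits) {
  const violations = Object.keys(limits).filter(k => counts[k] > limits[k]);
  return { ok: violations.length === 0, violations, counts };
}

// Constructed sample tree (two templates, two JS modules) to run the check against.
const SAMPLE_FILES = {
  'app/templates/post.hbs':
    '<p>{{{post.body}}}</p><div>{{{post.footer}}}</div>{{{{raw}}}}x{{{{/raw}}}}',
  'app/templates/safe.hbs': '<p>{{post.body}}</p>',
  'app/components/preview.js':
    "import { htmlSafe } from '@ember/string';\nexport const p = b => htmlSafe(b);",
  'app/components/clean.js': 'export default {};',
};
const LIMITS = { tripleCurly: 2, htmlSafe: 1 }; // the line in the sand, lowered over time
const result = checkLimits(countAll(SAMPLE_FILES), LIMITS);
console.log(result.ok ? 'OK' : `FAIL: over limit for ${result.violations.join(', ')}`, result.counts);
process.exitCode = result.ok ? 0 : 1; // a non-zero exit is what fails the build
```

Lowering a limit is then a deliberate, reviewed change, and raising it is the thing the build refuses to do silently.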