DotSecutiry - Counter Spells and the Art of Keeping your Application Safe

Transcript

1. counter-spells KEEPING YOUR APPLICATION SAFE and the art of

2. IN WHICH I REALLY WISH I DON’T DIE

3. None

4. story time

5. 55 authors 665 commits to master 750 commits to all

   branches March 20, 2017 – April 20, 2017 1,967 file changes 29,064 additions / 21,314 deletions shipping to prod > 100times a day

6. real-time editor that allows HTML input data sanitization is required

   ⚡
7. None

8. [ browsers are wonderful and weird ] ( really really

   weird )

9. [ .href can sometimes be undefined even if present ]

10. None
11. None

12. [ know your enemy. ] ( and that might not

    always be just users )

13. prepare for battle [ prepare your spells. ]

14. [ code that deals with weirdness better ] [ detect

    & alert on weirdness ]

15. HTML templates JavaScript controllers components

16. Html Escaping Hypertextescaptus (hyper-text-ESC-aptus ) web framework’s rendering layer escape

    HTML H Use for protection against XSS

17. .js .hbs .html

18. https://gist.github.com/ingride

19. [ avoid having to decide if html is safe ]

    dangerouslySetInnerHTML - React htmlSafe in Ember trustAsHtml - Angular

20. Good Components BonumPars (bonum-pars) GC make component arguments not be

    de-facto public API smaller components

21. just a simple title a styled message

22. ] - title component ] - body component super-card-component

23. each component decides on implementation while invocation remains the same

    composition instead of inheritance better encapsulation and clarity

24. https://embermap.com/topics/contextual- components/flexible-interfaces https://facebook.github.io/react/docs/composition-vs- inheritance.html

25. Good Helpers BonumAuxilium (bonum-auxilium) GH prefer updating the DOM over

    returning HTML

26. create a text node set attributes append the anchor child

    element return the the node use the DOM to create an element

27. Avoid Triple Curlies TripliciCrispusExpellus (Tri-pli-ci-crispus ) using on direct user

    input can introduce vulnerabilities {{{ {{{ = htmlSafe() for templates

28. good helpers + good components = ♥

29. Thou Shall Noopen NoopenerNoreferrerExpellus (apertus-tour-expellus) N always use noopener AND

    noreferrer with target=‘_blank’

30. newly opened tab can change the window.opener.location to a phishing

    page window.opener.location is fair game Firefox uses noreferrer-only until v.52 partial access to the linking page via window.opener

31. static analysers regexp are evil watermarks are ♥ Detect &

    Alert esLint & template linters

32. use the abstract syntax tree ( AST ) for Mustache:

    MustacheStatement target= ‘_blank’ / elements : ElementNode & node attributes plug it in with your cli

33. https://github.com/rwjblue/ember-template-lint

34. story time

35. [ before esLint there was… grep]

36. postBuild hook to get real-time feedback find + grep +

    regexp + wc to get the count compare the count against a static limit fail the build if numbers don’t match

37. [ regexp are like black magic. They're powerful & get

    the job done, but you also fear them and might have to sell your soul in the process ] [ regexp rage by ingride ]

38. EsLint BonumLintum (bonum-LINT-um) EL Introduce a line in the sand

    for blacklisted methods Use linters for real-time feedback in dev

39. esLint plugin with a custom rule that checks for blacklisted

    methods
40. None

41. esLint CLI + custom rule to get the count fail

    the build if errorCount > max allowed enable esLint cache for increased performance integration with ember-cli
42. None

43. from ♥ with [ blacklist methods addon coming soon ]

44. Content Security Policy SecuritasContentus (SECUR-itas-kontent-us ) mitigates XSS & data-injection

    attacks CSP use to whitelist "safe" script hosts use v2 and v3 only use with hash-source & nonce-source

45. CSP Clean code Tools block deal with weirdness alert on

    weirdness

46. [ thank you. ] @ingridepure @ingride