dotSecurity - Counter Spells and the Art of Keeping your Application Safe

dotSecurity Paris 2017

ingrid epure

April 21, 2017
Transcript

  1. 55 authors, 665 commits to master, 750 commits to all branches (March 20, 2017 – April 20, 2017); 1,967 file changes, 29,064 additions / 21,314 deletions; shipping to prod > 100 times a day.
  2. [ avoid having to decide if HTML is safe ] dangerouslySetInnerHTML (React), htmlSafe (Ember), trustAsHtml (Angular).
  3. Each component decides on its implementation while the invocation remains the same: composition instead of inheritance, better encapsulation and clarity.
  4. Use the DOM to create an element: create a text node, set attributes, append the anchor child element, return the node.
  5. Avoid Triple Curlies: TripliciCrispusExpellus (Tri-pli-ci-crispus). Using {{{ }}} on direct user input can introduce vulnerabilities; {{{ = htmlSafe() for templates.
  6. A newly opened tab can change window.opener.location to a phishing page: window.opener.location is fair game; Firefox uses noreferrer-only until v.52; partial access to the linking page via window.opener.
  7. Use the abstract syntax tree (AST) for Mustache: MustacheStatement, target='_blank' / elements: ElementNode & node attributes; plug it in with your CLI.
  8. postBuild hook to get real-time feedback: find + grep + regexp + wc to get the count, compare the count against a static limit, fail the build if the numbers don't match.
  9. [ regexps are like black magic. They're powerful & get the job done, but you also fear them and might have to sell your soul in the process ] [ regexp rage by ingrid ]
  10. ESLint: BonumLintum (bonum-LINT-um). Introduce a line in the sand for blacklisted methods; use linters for real-time feedback in dev.
  11. ESLint CLI + custom rule to get the count; fail the build if errorCount > max allowed; enable ESLint cache for increased performance; integration with ember-cli.
  12. Content Security Policy: SecuritasContentus (SECUR-itas-kontent-us). Mitigates XSS & data-injection attacks; use CSP to whitelist "safe" script hosts; use v2 and v3; only use with hash-source & nonce-source.
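The "line in the sand" build check from slides 7, 8 and 11, as an added example that is not code from the deck: it counts triple-curly output and `target="_blank"` anchors lacking `rel="noopener"` in a Handlebars template and fails when a count exceeds a fixed baseline. It uses simple regular expressions as a stand-in for the Glimmer AST walk; the sample template and baseline numbers are constructed.

```javascript
// Added example (not from the deck): a "line in the sand" check for Ember/Handlebars
// templates. Counts two patterns the talk warns about and reports a violation when a
// count grows past the agreed baseline, so new occurrences cannot slip in silently.

// Count unescaped triple-curly mustaches such as {{{someHtml}}}.
function countTripleCurlies(template) {
  const matches = template.match(/\{\{\{[^}]*\}\}\}/g);
  return matches ? matches.length : 0;
}

// Count anchors that open a new tab but keep the window.opener link alive.
// Regex stand-in for inspecting ElementNode attributes in the real AST.
function countUnsafeBlankAnchors(template) {
  const anchorRe = /<a\b([^>]*)>/gi;
  let count = 0;
  let m;
  while ((m = anchorRe.exec(template)) !== null) {
    const attrs = m[1];
    const opensNewTab = /\btarget\s*=\s*["']?_blank["']?/i.test(attrs);
    const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const rel = relMatch ? relMatch[1].toLowerCase().split(/\s+/) : [];
    // rel="noopener noreferrer" covers browsers that only honour noreferrer.
    if (opensNewTab && !rel.includes('noopener')) count += 1;
  }
  return count;
}

// Compare counts against the baseline; a postBuild hook would fail on any violation.
function lineInTheSand(template, limits) {
  const counts = {
    tripleCurlies: countTripleCurlies(template),
    unsafeBlankAnchors: countUnsafeBlankAnchors(template),
  };
  const violations = Object.keys(limits).filter((k) => counts[k] > limits[k]);
  return { counts, violations, ok: violations.length === 0 };
}

// Constructed sample template and baseline (not from the deck).
const SAMPLE_TEMPLATE = `
<p>{{{legacyMarkup}}}</p>
<a href="https://example.com" target="_blank">external</a>
<a href="https://example.org" target="_blank" rel="noopener noreferrer">safe external</a>
{{{anotherUnescaped}}}
`;
const BASELINE = { tripleCurlies: 2, unsafeBlankAnchors: 0 };

const result = lineInTheSand(SAMPLE_TEMPLATE, BASELINE);
console.log(JSON.stringify(result)); // ok: false, violations: ["unsafeBlankAnchors"]
```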