Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Women of Silicon Roundabout security workshop

Jenny Duckett
May 11, 2017
Technology
0
240

Women of Silicon Roundabout security workshop

A short introductory workshop about web security run by Rosa Fox and Jenny Duckett at Women of Silicon Roundabout 2017

Exercise 1: https://www.codebashing.com/sql_demo
Exercise 2: https://cxa.codebashing.com/courses/nodejs/lessons/persistent_stored_xss

Jenny Duckett

May 11, 2017
Tweet

More Decks by Jenny Duckett

See All by Jenny Duckett
Encouraging a culture of learning across your organisation
jennyd
2
700
Moving government publishing to GOV.UK without breaking the web
jennyd
0
190

Other Decks in Technology

See All in Technology
組み込みLinuxの時系列
puhitaku
4
1.1k
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
130
TypeScript、上達の瞬間
sadnessojisan
45
13k
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
720
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
3
1.3k
"君は見ているが観察していない"で考えるインシデントマネジメント
grimoh
4
2.6k
Microsoft MVPになる前、なってから/Fukuoka_Tech_Women_Community_1_baba
nina01
0
190
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
160
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
410
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
[FOSS4G 2019 Niigata] AIによる効率的危険斜面抽出システムの開発について
nssv
0
270

Featured

See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Adopting Sorbet at Scale
ufuk
73
9.1k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Bash Introduction
62gerente
608
210k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
How STYLIGHT went responsive
nonsquared
95
5.2k
The World Runs on Bad Software
bkeepers
PRO
65
11k
What's in a price? How to price your products and services
michaelherold
243
12k
Visualization
eitanlees
145
15k
BBQ
matthewcrist
85
9.3k
Speed Design
sergeychernyshev
24
610
Building Applications with DynamoDB
mza
90
6.1k

Transcript

  1. Rosa Fox and Jenny Duckett Government Digital Service @rosaemerald, @jenny_duckett

  2. Welcome!

  3. GDS What do we mean by security on the web?

  4. GDS We aren’t security experts

  5. GDS Web security is a huge topic

  6. GDS ...but understanding some general principles really helps

  7. GDS Don’t trust user input

  8. GDS Tools can help, but understand how to use them

    properly and their limitations

  9. GDS There is one thing you need to know before

    we begin: Computer Misuse Act 1990 Unauthorised access to computer material can be punishable by imprisonment

  10. Code injection

  11. GDS Getting your code onto someone else’s server and making

    it run The code can come from any user input It can damage anything on the server

  12. GDS Practical exercise! First link at https://speakerdeck.com/jennyd https://www.codebashing.com/sql_demo Step 8

    email address = [email protected]

  13. GDS SQL injection 'SELECT * FROM data WHERE name=' +

    'bobby' + ';'

  14. GDS SQL injection 'SELECT * FROM data WHERE name=' +

    '1; DROP TABLE users' + ';'

  15. GDS https://xkcd.com/327/

  16. GDS Remote code execution using ImageMagick... ImageTragick!

  17. GDS “We had thousands of hits in the first 15

    minutes. We were at the top of hacker news, which a lot of people see. We were getting the word out on something tragickally simple to exploit. We'd do it again.” https://imagetragick.com/

  18. Code also runs in browsers

  19. GDS Cookies and Authentication (logging in!)

  20. Cross-site scripting (XSS)

  21. It’s useful to think of this as JavaScript injection GDS

  22. GDS Practical exercise! Second link at https://speakerdeck.com/jennyd https://cxa.codebashing.com/courses/nodejs /lessons/persistent_stored_xss

  23. What else can you do with XSS? GDS

  24. Two types of XSS: • persistent (stored) • reflected GDS

  25. http://example.com/search?query=<script>alert('xss')</script> GDS

  26. Social engineering

  27. GDS People are fallible

  28. GDS Make security that works for people https://www.ncsc.gov.uk/information/people-strongest-link

  29. GDS https://www.youtube.com/watch?v=bjYhmX_OUQQ

  30. Learn more about web security

  31. GDS OWASP Top 10 Falsehoods developers believe about security Ruby

    on Rails security guide www.hacksplaining.com Google Gruyere

  32. GDS https://speakerdeck.com/jennyd https://gdstechnology.blog.gov.uk/

  33. Thanks!