Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Women of Silicon Roundabout security workshop

Jenny Duckett
May 11, 2017
Technology
0
210

Women of Silicon Roundabout security workshop

A short introductory workshop about web security run by Rosa Fox and Jenny Duckett at Women of Silicon Roundabout 2017

Exercise 1: https://www.codebashing.com/sql_demo
Exercise 2: https://cxa.codebashing.com/courses/nodejs/lessons/persistent_stored_xss

Jenny Duckett

May 11, 2017
Tweet

More Decks by Jenny Duckett

See All by Jenny Duckett
Encouraging a culture of learning across your organisation
jennyd
2
630
Moving government publishing to GOV.UK without breaking the web
jennyd
0
180

Other Decks in Technology

See All in Technology
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.2k
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
220
〜小さく始めて大きく育てる〜データ分析基盤の開発から活用まで
kniino
0
2k
20240416_devopsdaystokyo
kzkmaeda
1
190
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs (QCon London)
inesmontani
PRO
1
150
NLP2024 参加報告LT ~RAGの生成評価と懇親戦略~ / nlp2024_attendee_presentation_LT_masuda
taro_masuda
1
200
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
700
カオナビの利用実績をアウトカムへつなげる旅 / example-of-data-management-startup-in-kaonavi
kaonavi
0
120
"好き"との生活/Regularly update profile with GitHub Actions
judeeeee
0
150
Terraformあれやこれ/terraform-this-and-that
emiki
4
390
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
240
アプリがつくるNOT A HOTELブランド
hokuts
1
450

Featured

See All Featured
The Cult of Friendly URLs
andyhume
74
5.7k
Being A Developer After 40
akosma
56
580k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
154
14k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
KATA
mclloyd
14
12k
Web development in the modern age
philhawksworth
202
10k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
GitHub's CSS Performance
jonrohan
1023
450k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
Teambox: Starting and Learning
jrom
128
8.4k

Transcript

  1. Rosa Fox and Jenny Duckett Government Digital Service @rosaemerald, @jenny_duckett

  2. Welcome!

  3. GDS What do we mean by security on the web?

  4. GDS We aren’t security experts

  5. GDS Web security is a huge topic

  6. GDS ...but understanding some general principles really helps

  7. GDS Don’t trust user input

  8. GDS Tools can help, but understand how to use them

    properly and their limitations

  9. GDS There is one thing you need to know before

    we begin: Computer Misuse Act 1990 Unauthorised access to computer material can be punishable by imprisonment

  10. Code injection

  11. GDS Getting your code onto someone else’s server and making

    it run The code can come from any user input It can damage anything on the server

  12. GDS Practical exercise! First link at https://speakerdeck.com/jennyd https://www.codebashing.com/sql_demo Step 8

    email address = [email protected]

  13. GDS SQL injection 'SELECT * FROM data WHERE name=' +

    'bobby' + ';'

  14. GDS SQL injection 'SELECT * FROM data WHERE name=' +

    '1; DROP TABLE users' + ';'

  15. GDS https://xkcd.com/327/

  16. GDS Remote code execution using ImageMagick... ImageTragick!

  17. GDS “We had thousands of hits in the first 15

    minutes. We were at the top of hacker news, which a lot of people see. We were getting the word out on something tragickally simple to exploit. We'd do it again.” https://imagetragick.com/

  18. Code also runs in browsers

  19. GDS Cookies and Authentication (logging in!)

  20. Cross-site scripting (XSS)

  21. It’s useful to think of this as JavaScript injection GDS

  22. GDS Practical exercise! Second link at https://speakerdeck.com/jennyd https://cxa.codebashing.com/courses/nodejs /lessons/persistent_stored_xss

  23. What else can you do with XSS? GDS

  24. Two types of XSS: • persistent (stored) • reflected GDS

  25. http://example.com/search?query=<script>alert('xss')</script> GDS

  26. Social engineering

  27. GDS People are fallible

  28. GDS Make security that works for people https://www.ncsc.gov.uk/information/people-strongest-link

  29. GDS https://www.youtube.com/watch?v=bjYhmX_OUQQ

  30. Learn more about web security

  31. GDS OWASP Top 10 Falsehoods developers believe about security Ruby

    on Rails security guide www.hacksplaining.com Google Gruyere

  32. GDS https://speakerdeck.com/jennyd https://gdstechnology.blog.gov.uk/

  33. Thanks!