BSides Munich

Mike West

April 03, 2017

Transcript

  1. Mike West, @mikewest, [email protected]
    https://goo.gl/F0o9kR
    Hardening the
    Web Platform

  2. Slides: https://goo.gl/F0o9kR

  3.

  4.

  5.

  6. https://goo.gl/MycPb7

  7. "Sharpening", https://flic.kr/p/sbo18H

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  10.

  11. https://securethe.news/

  12. https://letsencrypt.org/

  13. https://caddyserver.com/

  14. https://goo.gl/ptS8FO
    https://goo.gl/nzbqQo

  15. Pro tip:
    Content-Security-Policy: default-src https:; report-uri /reports-r-us

  16. Content-Security-Policy: upgrade-insecure-requests
    https://goo.gl/hcin3m

  17. https://goo.gl/51hqZa

  18. https://goo.gl/Kd2eMQ

  19. https://goo.gl/ciyreA

  20. https://goo.gl/rStTGz

  21. AppCache
    getUserMedia
    crypto.subtle.*
    ServiceWorker
    navigator.credentials
    navigator.geolocation
    PaymentRequest
    EME
    https://goo.gl/rStTGz
    Notification

  22. https://goo.gl/Wwpnjw
    https://goo.gl/fzVgNt

  23. 127.0.0.1
    192.168.1.1
    192.220.74.179
    https://goo.gl/Wwpnjw

  24. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  25. https://goo.gl/Wamh7S

  26. default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src
    render.githubusercontent.com; connect-src 'self' uploads.github.com
    status.github.com api.github.com www.google-analytics.com
    github-cloud.s3.amazonaws.com wss://live.github.com; font-src
    assets-cdn.github.com; form-action 'self' github.com gist.github.com;
    frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src
    'self' data: assets-cdn.github.com identicons.github.com
    www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com
    *.githubusercontent.com; media-src 'none'; object-src
    assets-cdn.github.com; plugin-types application/x-shockwave-flash;
    script-src assets-cdn.github.com; style-src 'unsafe-inline'
    assets-cdn.github.com

  27. https://goo.gl/lJq6jj
    https://goo.gl/dqPkYn

  28. script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com
    https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com
    https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com
    https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com
    https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com
    data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com
    https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com
    blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com
    https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com
    https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
    style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com
    https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com
    https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self';
    frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com
    https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com
    https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com
    https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com
    https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com
    https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data:
    https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com
    https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com
    https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com
    blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
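The policies on slides 15, 26 and 28 are the kind of thing a reviewer reads by hand. The following is an added example, not code from the deck: a small Content-Security-Policy parser plus a linter that raises the points a reviewer would (scheme-only sources such as `https:`, `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, and a missing `report-uri`). The two embedded policies are copied from slides 15 and 26; the lint rules, the function names and the constructed test policies are this example's own assumptions.

```javascript
// Added example, not code from the deck: a Content-Security-Policy parser
// and linter. SLIDE_15_POLICY and GITHUB_POLICY are copied from the slides;
// the lint rules and function names are this example's own.

const SLIDE_15_POLICY = "default-src https:; report-uri /reports-r-us";

// GitHub's policy as shown on slide 26 (line breaks are plain whitespace to CSP).
const GITHUB_POLICY = `default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src
  render.githubusercontent.com; connect-src 'self' uploads.github.com
  status.github.com api.github.com www.google-analytics.com
  github-cloud.s3.amazonaws.com wss://live.github.com; font-src
  assets-cdn.github.com; form-action 'self' github.com gist.github.com;
  frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src
  'self' data: assets-cdn.github.com identicons.github.com
  www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com
  *.githubusercontent.com; media-src 'none'; object-src
  assets-cdn.github.com; plugin-types application/x-shockwave-flash;
  script-src assets-cdn.github.com; style-src 'unsafe-inline'
  assets-cdn.github.com`;

// Parse a serialized policy into { directiveName: [sourceExpression, ...] }.
// Directives are ';'-separated, tokens are whitespace-separated, names are
// case-insensitive, and a repeated directive is ignored after its first
// occurrence, as the CSP spec requires.
function parseCsp(policy) {
  const directives = {};
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; with neither set,
// that resource type is unrestricted (signalled here as null).
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  return "default-src" in directives ? directives["default-src"] : null;
}

// Findings a reviewer would raise about the script and plugin source lists.
function lintCsp(directives) {
  const findings = [];
  for (const name of ["script-src", "object-src"]) {
    const sources = effectiveSources(directives, name);
    if (sources === null) {
      findings.push(`${name}: unrestricted (neither ${name} nor default-src is set)`);
      continue;
    }
    // In CSP2 and later, a nonce or hash in the list makes 'unsafe-inline' a no-op.
    const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    for (const s of sources) {
      if (s === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(s)) {
        const scope = s === "*" ? "any URL" : `any URL with the ${s} scheme`;
        findings.push(`${name}: ${s} allows ${scope}`);
      } else if (s === "'unsafe-inline'" && !hasNonceOrHash) {
        findings.push(`${name}: 'unsafe-inline' without a nonce or hash`);
      } else if (s === "'unsafe-eval'") {
        findings.push(`${name}: 'unsafe-eval' re-enables eval() and Function()`);
      }
    }
  }
  if (!("report-uri" in directives) && !("report-to" in directives)) {
    findings.push("no report-uri or report-to: violations are not reported anywhere");
  }
  return findings;
}

// Convenience wrapper: lint a raw header value.
function lintPolicy(policy) {
  return lintCsp(parseCsp(policy));
}
```

Run against the slide 15 policy, the linter reports that `https:` lets scripts and plugins load from any https host; against GitHub's policy it reports only the absent `report-uri`. A policy that carries both a nonce and `'unsafe-inline'`, as Twitter's on slide 28 does, is clean for inline scripts because the nonce neutralises `'unsafe-inline'` in CSP2-capable browsers.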

  29. https://goo.gl/wSH6sV

  30. https://srihash.org/

  31. https://goo.gl/yxEJiO
    https://goo.gl/IrPX7b

  32. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

  33. https://goo.gl/QcZIBI

    ✔ Set-Cookie: __Host-SID=12345; Secure; Path=/
    ✘ Set-Cookie: __Host-SID=12345
    ✘ Set-Cookie: __Host-SID=12345; Secure
    ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com
    ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
    ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
    ✔ Set-Cookie: __Secure-SID=12345; Secure;
    ✘ Set-Cookie: __Secure-SID=12345
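Slide 34 lists Set-Cookie lines that a browser enforcing cookie prefixes accepts or rejects: `__Secure-` requires the `Secure` attribute and a secure origin; `__Host-` additionally requires `Path=/` and no `Domain` attribute. The following is an added example, not code from the deck: a Set-Cookie attribute parser and a check that applies those rules, run over the nine lines above. The function names, the `secureOrigin` parameter and the case-sensitive prefix comparison (matching the spelling on the slide) are this example's own assumptions.

```javascript
// Added example, not code from the deck: apply the __Host- / __Secure- prefix
// rules from slide 34 to a Set-Cookie header value. Names and the
// case-sensitive prefix comparison are this example's assumptions.

// Parse "name=value; attr; attr=val" into { name, value, attributes }.
// Attribute names are case-insensitive; when an attribute repeats, the last
// occurrence wins, as in RFC 6265.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 0) return null; // no '=' in the name-value pair: the cookie is ignored
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const p of parts.slice(1)) {
    if (!p) continue; // tolerate a trailing ';' as on the slide's eighth line
    const i = p.indexOf("=");
    const attrName = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attributes[attrName] = i < 0 ? "" : p.slice(i + 1).trim();
  }
  return cookie;
}

// True if a prefix-aware browser would store the cookie. secureOrigin says
// whether the response arrived over a secure channel; both prefixes require it.
function prefixRulesAllow(headerValue, secureOrigin = true) {
  const c = parseSetCookie(headerValue);
  if (!c) return false;
  const a = c.attributes;
  if (c.name.startsWith("__Host-")) {
    return secureOrigin && "secure" in a && !("domain" in a) && a["path"] === "/";
  }
  if (c.name.startsWith("__Secure-")) {
    return secureOrigin && "secure" in a;
  }
  return true; // no prefix: the prefix rules impose nothing further
}

// The nine lines from slide 34, in order.
const SLIDE_34_COOKIES = [
  "__Host-SID=12345; Secure; Path=/",
  "__Host-SID=12345",
  "__Host-SID=12345; Secure",
  "__Host-SID=12345; Secure; Path=/subdirectory/",
  "__Host-SID=12345; Domain=example.com",
  "__Host-SID=12345; Domain=example.com; Path=/",
  "__Host-SID=12345; Secure; Domain=example.com; Path=/",
  "__Secure-SID=12345; Secure;",
  "__Secure-SID=12345",
];

// Evaluate every slide line and return the list of accept/reject verdicts.
function verdictsForSlide34() {
  return SLIDE_34_COOKIES.map((line) => prefixRulesAllow(line));
}
```

Only the first and eighth lines pass; the `__Host-` cookie on the first line is the form to use for session cookies, since it can neither be set by a subdomain nor shadowed by a cookie with a broader path.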

  35. https://goo.gl/gF2clJ

  36. https://goo.gl/FHAeAm

  37. Credential Management API @ I/O: https://goo.gl/FbrO5x
    navigator.credentials.get({
      "password": true, "unmediated": true
    })
    .then(c => {
      if (!c) return;
      // Hooray, we have a credential!
      signInToYourApplication(c);
    });

  38. Credential Management API @ I/O: https://goo.gl/FbrO5x
    function signInToYourApplication(c) {
      fetch("/signin", {
        "method": "POST", "credentials": c
      })
      .then(r => {
        if (r.status == 200) {
          renderSignedInExperience(r);
          // or:
          window.location = "/signedin";
        } else {
          renderUsefulErrorMessage();
        }
      });
    }

  39.

  40. https://goo.gl/Un07eJ

  41. https://goo.gl/ILUP12

  42. https://goo.gl/eZ9SKg

  43. scheme://host:port

  44. scheme://host:port
    scheme://sub1_host:port scheme://sub2_host:port
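Slides 43 and 44 reduce the web's security boundary to the tuple scheme://host:port. As an added example that is not code from the deck, the following computes that tuple for a URL, with the scheme's default port filled in so that `https://example.com` and `https://example.com:443` compare equal, and uses it for a same-origin check. The default-port table and the function names are this example's own; the serialization is cross-checked against the WHATWG URL API's `.origin`.

```javascript
// Added example, not code from the deck: the origin tuple from slide 43
// (scheme, host, port) computed from a URL. The default-port table and the
// function names are this example's assumptions.

const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

// Return the (scheme, host, port) tuple. new URL() lower-cases scheme and
// host and drops a default port, which we put back so tuples compare cleanly.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1); // "https:" -> "https"
  const port = u.port || DEFAULT_PORTS[scheme] || "";
  return { scheme, host: u.hostname, port };
}

// Two URLs are same-origin only when all three members of the tuple match:
// a different scheme, a subdomain, or a non-default port each makes a new origin.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// The ASCII serialization browsers expose (location.origin, the Origin
// request header): default ports are omitted.
function serializeOrigin(urlString) {
  const { scheme, host, port } = originOf(urlString);
  const explicitPort = port && port !== DEFAULT_PORTS[scheme] ? `:${port}` : "";
  return `${scheme}://${host}${explicitPort}`;
}
```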

  45. https://goo.gl/VhLsq2

  46.

  47. Thank you!
    https://goo.gl/F0o9kR
    @mikewest
    [email protected]
