Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Frontend Security - Frontend Conf Zurich: 2013-08-30

Mike West
PRO
August 30, 2013
Programming
15
32k

Frontend Security - Frontend Conf Zurich: 2013-08-30

As the web platform grows in capability, we're moving more and more of our complex application logic down from the server to the client. This is a huge opportunity for frontend developers, but at the same time presents a tempting target for folks with malicious intent. It's more critical than ever to ensure that we're doing the right things with regard to security. Server-side best practice is well-understood: escape all output correctly, all the time. Given the number of successful content injection attacks seen in the wild, this obviously isn't as easy as it sounds.

Modern browsers are here to help. Here, we'll talk about some browser-side mechanisms like Content Security Policy that will deepen your defenses, and help mitigate the effects of cross-site scripting and other attacks.

Mike West
PRO

August 30, 2013
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
43
Isolation by Default
mikewest
PRO
0
1.4k
The Web We Can Ship
mikewest
PRO
0
290
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
130
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
380
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
87
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
700
BSides Munich
mikewest
PRO
0
270

Other Decks in Programming

See All in Programming
続・全力疾走中でも使えるストップウォッチアプリを作る 〜LiDARを使った精度への挑戦〜
ogijun2018
1
530
第2回 AWSとGitHub勉強会 - CodespacesとHelidonの利用 -
ogiwarat
0
110
GO TechTalk #22 Reactで描くタクシーアプリ『GO』の世界
mot_techtalk
0
160
The Unyielding Spirit Of Android - Droidcon NYC '23
adammc331
1
160
Rich UI implementation examples using Jetpack Compose (Jetpack Composeを活用した強力なUI表現の実装実例)
iimokoy
0
810
Building Tebukuro with Hotwire and Rails
murajun1978
0
150
Decoding Code Review - Elixir Conf US
elainenaomi
3
190
Dagger Hilt로 의존성 주입부터 멀티모듈화까지
fornewid
0
230
純SPAでNext.jsに対抗する 〜ページによってmetaタグを切り替える編〜
kiyoshiro
0
190
一日30回リリースを可能にするpixiv開発
picopico
0
850
近代フロントエンドの歴史とKuma UIの登場意義
poteboy
3
3.8k
PHP8.2にバージョンアップして もっと型表現を豊かにしよう
akitotsukahara
0
150

Featured

See All Featured
Infographics Made Easy
chrislema
236
17k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
41
11k
How STYLIGHT went responsive
nonsquared
89
4.4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
11
870
Embracing the Ebb and Flow
colly
77
3.8k
Git: the NoSQL Database
bkeepers
PRO
420
61k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
17
1.3k
Optimising Largest Contentful Paint
csswizardry
6
1.8k
Fireside Chat
paigeccino
18
2.2k
Why Our Code Smells
bkeepers
PRO
329
56k
[Brighton Ruby 2023] The Magic of Rails
eileencodes
3
250

Transcript

  1. Frontend Security
    Mike West
    https://mikewest.org
    G+: mkw.st/+
    Twitter: @mikewest
    Video/Transcript:
    https://mkw.st/r/fec13

    View Slide

  2. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    https://mkw.st/r/csp

    View Slide

  3. View Slide

  4. XSS is scary.

    View Slide

  5. scheme://host:port

    View Slide

  6. <br/>beAwesome();<br/>
    <br/>beEvil();<br/>

    View Slide

  7. <br/>beAwesome();<br/>

    Hello, <br/>beEvil();<br/>!

    View Slide

  8. <br/>p { color: {{USER_COLOR}}; }<br/>

    Hello {{USER_NAME}}, view your
    Account.

    <br/>var id = {{USER_ID}};<br/>

    View Slide

  9. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    goo.gl/XE0aW

    View Slide

  10. [][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])
    [+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]][([][(![]+[])[+[[+[]]]]+([][[]]+[])
    [+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]
    +!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]
    +!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]
    +(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+([][[]]+[])[+[[+!+[]]]]+(![]+[])[+
    [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[+!+[]]]]+([][[]]+[])[+[[+[]]]]+([][(![]+[])[+
    [[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+
    (!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+
    ([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+
    [])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]
    +!+[]]]]+(!![]+[])[+[[+!+[]]]]]((![]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[!+[]+!+
    []+!+[]]]]+(!![]+[])[+[[+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+
    []+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+
    (!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+[+!+[]]+([][(![]+[])[+[[+[]]]]+
    ([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+
    [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]])()

    View Slide

  11. [][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])
    [+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]][([][(![]+[])[+[[+[]]]]+([][[]]+[])
    [+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]
    +!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]
    +!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]
    +(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+([][[]]+[])[+[[+!+[]]]]+(![]+[])[+
    [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[+!+[]]]]+([][[]]+[])[+[[+[]]]]+([][(![]+[])[+
    [[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+
    (!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+
    ([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+
    [])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]
    +!+[]]]]+(!![]+[])[+[[+!+[]]]]]((![]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[!+[]+!+
    []+!+[]]]]+(!![]+[])[+[[+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+
    []+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+
    (!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+[+!+[]]+([][(![]+[])[+[[+[]]]]+
    ([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+
    [[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[+!+[]]]+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]])()
    alert(1);

    View Slide

  12. "I discount the
    probability of
    perfection."
    -Alex Russell

    View Slide

  13. "We are all idiots
    with deadlines."
    -Mike West

    View Slide

  14. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

    View Slide

  15. View Slide

  16. http://w3.org/TR/CSP11

    View Slide

  17. Content-Security-Policy:
    default-src 'none';
    style-src https://mikewestdotorg.hasacdn.net;
    frame-src https://www.youtube.com
    https://www.speakerdeck.com;
    script-src https://mikewestdotorg.hasacdn.net
    https://ssl.google-analytics.com;
    img-src 'self'
    https://mikewestdotorg.hasacdn.net
    https://ssl.google-analytics.com;
    font-src https://mikewestdotorg.hasacdn.net

    View Slide

  18. Content-Security-Policy:
    default-src ...;
    script-src ...;
    object-src ...;
    style-src ...;
    img-src ...;
    media-src ...;
    frame-src ...;
    font-src ...;
    connect-src ...;
    sandbox ...;
    report-uri https://example.com/reporter.cgi

    View Slide

  19. Content-Security-Policy-Report-Only:
    default-src https:;
    report-uri https://example.com/csp-violations
    {
    "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-uri": "http://evil.example.com/img.png",
    "violated-directive": "default-src 'self'",
    "original-policy": "...",
    "source-file": "http://example.com/script.js",
    "line-number": 10,
    "column-number": 11,
    }
    }

    View Slide

  20. <br/>function handleClick() { ... }<br/>
    Click me!
    Click me!

    View Slide



  21. Click me!
    Click me!

    function handleClick() {
    ...
    }
    function init() {
    for (var e in document.querySelectorAll('.clickr'))
    e.addEventListener('click', handleClick);
    }

    View Slide

  22. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    https://mkw.st/r/csp

    View Slide

  23. View Slide

  24. View Slide

  25. View Slide

  26. $ curl -I http://mkw.st/
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.5.0
    Date: Tue, 27 Aug 2013 19:36:15 GMT
    Content-Type: text/html
    Content-Length: 184
    Connection: keep-alive
    Keep-Alive: timeout=20
    Location: https://mkw.st/

    View Slide

  27. $ curl -I https://mkw.st/
    HTTP/1.1 200 OK
    Server: nginx/1.5.0
    Date: Tue, 27 Aug 2013 19:42:31 GMT
    ...
    Strict-Transport-Security:
    max-age=2592000;
    includeSubDomains
    ...

    View Slide

  28. Set-Cookie: ...; secure; HttpOnly

    View Slide

  29. Public-Key-Pins:
    max-age=2592000;
    pin-sha1="4n972H…60yw4uqe/baXc="

    View Slide

  30. http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
    goo.gl/0aMqHM

    View Slide



  31. View Slide

  32. sandbox="allow-forms allow-pointer-lock
    allow-popups allow-same-origin
    allow-scripts allow-top-navigation">


    View Slide


  33. seamless
    srcdoc="This is a comment!"
    sandbox>

    View Slide

  34. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
    goo.gl/WJjv10

    View Slide

  35. https://mkw.st/r/fec13
    Danke!
    Mike West
    https://mikewest.org
    G+: mkw.st/+
    Twitter: @mikewest
    Video/Transcript: https://mkw.st/r/fec13

    View Slide