Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No privilege, no risk - Devoxx 2013

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
PRO
November 14, 2013
Programming
1
470

No privilege, no risk - Devoxx 2013

3c27881a0d8695811b0fa23bd794e696?s=128

Mike West
PRO

November 14, 2013
Tweet

More Decks by Mike West

See All by Mike West
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
820
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
140
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
1.3k
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
1
94
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
330
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
63
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
580
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
240
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
5
1.3k

Other Decks in Programming

See All in Programming
13d64bff196e33cc6b352f226137d16e?s=48 monoqlo
0
230
F34964538565e89f55b1df6e33c9a1e8?s=48 kapsy1312
0
220
31107eb924f0f352bc3dc4916be5ba59?s=48 negi_andleek
0
200
08d5432a5bc31e6d9edec87b94cb1db1?s=48 k0kubun
2
1k
E505897a79eede1a676f92740261e8f8?s=48 kubode
1
530
27c093d0834208f4712faaaec38c2c5c?s=48 ramalho
3
500
4651f57d479e562a45dd624cc24dbee3?s=48 nsaito9628
1
180
7d709dd44f86dc8f2b7ddb4c48145dfc?s=48 jollyjoester
2
440
7a4968fbcd56e81f95a4f3c186141b52?s=48 kateinoigakukun
1
150
1a1d418bdf51cbf8fce1317f6c80a907?s=48 satoshi0212
3
270
4578d99b560b2a470e05288ef6766ac2?s=48 paulk
7
7.4k
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
0
470

Featured

See All Featured
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
240
23k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
91
3.6k
282d599b414022eba5096510f675b6e2?s=48 chrislema
174
14k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
75
3.8k
78b475797a14c84799063c7cd073962f?s=48 holman
451
140k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
593
210k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
19k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
314
18k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
263
11k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
37
4.6k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
372
43k
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
227
8.9k

Transcript

  1. @mikewest #DV13-security No privilege, no risk A client-side security cornucopia

    Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides: https://mkw.st/r/devoxx13

  2. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  3. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  4. "Enigma" - skittledog, http://flic.kr/p/9VjJz5 Step 0: Encrypt all traffic.

  5. None
  6. None
  7. None

  8. Set-Cookie: ...; secure; HttpOnly

  9. Strict-Transport-Security: max-age=2592000; includeSubDomains

  10. None

  11. Public-Key-Pins: max-age=2592000; pin-sha256="4n972H…yw4uqe/baXc="

  12. "Framed in the Valley" - cobalt123, http://www.flickr.com/photos/cobalt/5354090310/ Limit Unanticipated Framing.

  13. Click me! I am happy!

  14. X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN

  15. "X-Frame-Options: All about Clickjacking?" https://cure53.de/xfo-clickjacking.pdf

  16. "Sniff" - tiny banquet committee, http://www.flickr.com/photos/tinybanquet/880076486 Prevent MIME-Type Sniffing.

  17. X-Content-Type-Options: nosniff

  18. None

  19. "Finance - Financial Injection - Finance" - doug8888, http://www.flickr.com/photos/doug88888/4561376850/ Mitigate

    content injection.

  20. scheme://host:port

  21. <script> beAwesome(); </script> <script> beEvil(); </script>

  22. <script> beAwesome(); </script> <!-- <p>Hello, {$name}!</p> --> <p>Hello, <script> beEvil();

    </script></p>

  23. <style> p { color: {{USER_COLOR}}; } </style> <p> Hello {{USER_NAME}},

    view your <a href="{{USER_URL}}">Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->

  24. "I discount the probability of perfection." -Alex Russell

  25. "We are all idiots with deadlines." -Mike West

  26. X-XSS-Protection: 1; mode=block or X-XSS-Protection: 0 but not X-XSS-Protection: 1

  27. X-XSS-Protection: 1; mode=block; report=https://example.com/url

  28. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

  29. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net

    https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net

  30. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src

    ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi

  31. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html",

    "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/img.png", "violated-directive": "default-src 'self'", "original-policy": "...", "source-file": "http://example.com/script.js", "line-number": 10, "column-number": 11, } }

  32. <script> function handleClick() { ... } </script> <button onclick="handleClick()">Click me!</button>

    <a href="javascript:handleClick()">Click me!</a>

  33. <!-- index.html --> <script src="clickHandler.js"></script> <button class="clckr">Click me!</button> <a href="#"

    class="clckr">Click me!</a> <!-- clickHandler.js --> function handleClick() { ... } function init() { for (var e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }

  34. Content-Security-Policy: script-src 'nonce-afbvjn+afpo-j1qer'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script nonce="afbvjn+afpo-j1qer"> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>

  35. Content-Security-Policy: script-src 'sha256-afbvjn+...afpo-j1qer'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>

  36. "Sandbox Shadow" - Scott Robinson, http://www.flickr.com/photos/clearlyambiguous/27454797 Limit IFrame Capabilities

  37. <iframe src="page.html" sandbox></iframe> <!-- * Unique origin * No plugins.

    * No script. * No form submissions. * No top-level navigation. * No popups. * No autoplay. * No pointer lock. * No seamless iframes. -->

  38. <iframe src="page.html" sandbox="allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation"> </iframe> <!--

    * No plugins. * No seamless iframes. -->

  39. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/ goo.gl/WJjv10

  40. "Vandalised Red Telephone Box" - Jon Pinder, http://www.flickr.com/photos/rofanator/5364666818 Secure Cross-Origin

    Communication

  41. <script> var frame = document.querySelector('iframe'); frame.contentWindow.postMessage(message, 'example.com'); window.addEventListener('message', function (e)

    { if (e.origin === 'example.com') // Do something amazing in response! }); </script>

  42. <script> var frame = document.querySelector('iframe'); frame.contentWindow.postMessage(message, '*'); window.addEventListener('message', function (e)

    { if (e.origin === "null" && e.source === frame.contentWindow) // Do something amazing in response! }); </script>

  43. <script> window.addEventListener('message', function (e) { if (e.origin !== window.location.origin) return;

    // Do something amazing in response! e.source.postMessage(result, e.origin); }); </script>

  44. <script> var channel = new MessageChannel(); // channel.port1 <-> channel.port2

    frame.contentWindow.postMessage( 'init', '*', [ channel.port2 ]); channel.port1.postMessage(message); channel.port1.addEventListener('message', ...); </script>

  45. "Enigma" - skittledog, http://flic.kr/p/9VjJz5 Moar Encryption

  46. http://nick.bleeken.eu/presentations/devoxx-2013/

  47. https://mkw.st/r/devoxx13 Thanks! Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides:

    https://mkw.st/r/devoxx13