Web Platform Security @ TechDays 2019

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
June 03, 2019
Programming
1
32

Web Platform Security @ TechDays 2019

Web Platform Security.

3c27881a0d8695811b0fa23bd794e696?s=128

Mike West

June 03, 2019
Tweet

Want more?

3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
790
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
280
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
45
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
10
540
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
2
270
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
180
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
6
350
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
6
220
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
310
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
4
570
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
170
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
250

Transcript

  1. 1.

    Web Platform Security Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019

  2. 2.
    None
  3. 3.
    None
  4. 4.

    Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...
  5. 5.

    Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">
  6. 6.

    Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />
  7. 7.

    Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.
  8. 8.

    Collaborate in standards bodies

  9. 9.

    https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. 10.

    https://wicg.github.io/trusted-types

  11. 11.

    https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. 12.

    https://w3c.github.io/webappsec-fetch-metadata

  13. 13.

    https://github.com/whatwg/html/issues/3740

  14. 14.

    https://github.com/whatwg/fetch/issues/687

  15. 15.

    https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. 16.

    Thanks! Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019