Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

Avatar for Mike West Mike West
June 03, 2019
Programming
1
180

Web Platform Security @ TechDays 2019

Web Platform Security.
Avatar for Mike West

Mike West

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
0
120
Isolation by Default
Avatar for Mike West mikewest
0
1.9k
The Web We Can Ship
Avatar for Mike West mikewest
0
500
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
0
3.3k
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
0
460
Web Platform Security @ CMS Security Summit
Avatar for Mike West mikewest
0
130
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
2
990
BSides Munich
Avatar for Mike West mikewest
0
340
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
5
1.5k

Other Decks in Programming

See All in Programming
明示と暗黙 ー PHPとGoの インターフェイスの違いを知る
Avatar for shimabox shimabox
2
530
dbt民主化とLLMによる開発ブースト ~ AI Readyな分析サイクルを目指して ~
Avatar for yosh_yumyum yoshyum
3
1k
AI時代の『改訂新版 良いコード/悪いコードで学ぶ設計入門』 / ai-good-code-bad-code
Avatar for MinoDriven minodriven
20
8.1k
PHPで始める振る舞い駆動開発(Behaviour-Driven Development)
Avatar for uutan1108 ohmori_yusuke
2
400
Hack Claude Code with Claude Code
Avatar for Akihiro Okuno choplin
5
2.3k
Google Agent Development Kit でLINE Botを作ってみた
Avatar for Kento.Yamada ymd65536
2
260
初学者でも今すぐできる、Claude Codeの生産性を10倍上げるTips
Avatar for Oikon s4yuba
16
12k
The Modern View Layer Rails Deserves: A Vision For 2025 And Beyond @ RailsConf 2025, Philadelphia, PA
Avatar for Marco Roth marcoroth
2
500
XP, Testing and ninja testing
Avatar for seki at druby.org m_seki
3
250
GPUを計算資源として使おう!
Avatar for prime number primenumber
1
170
Composerが「依存解決」のためにどんな工夫をしているか #phpcon
Avatar for hideki kinjyo o0h
PRO
1
270
Flutterで備える!Accessibility Nutrition Labels完全ガイド
Avatar for 野瀬田 裕樹 yuukiw00w
0
170

Featured

See All Featured
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
346
40k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
524
40k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
351
20k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
15
1.5k
How GitHub (no longer) Works
Avatar for Zach Holman holman
314
140k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
Building an army of robots
Avatar for Kyle Neath kneath
306
45k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
3.9k

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019