$30 off During Our Annual Pro Sale. View Details »

Web Platform Security @ TechDays 2019

Mike West
PRO
June 03, 2019
Programming
1
130

Web Platform Security @ TechDays 2019

Web Platform Security.

Mike West
PRO

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
66
Isolation by Default
mikewest
PRO
0
1.5k
The Web We Can Ship
mikewest
PRO
0
320
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.1k
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
390
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
90
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
730
BSides Munich
mikewest
PRO
0
280
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.3k

Other Decks in Programming

See All in Programming
DMMプラットフォームにおけるコード品質を改善する取り組みの理想と現実
pospome
3
1.8k
文化祭入退場システムCracker (at U-22プログラミング・コンテスト)
pocopota
0
140
ニフティ社内ISUCON開催への道のり - NIFTY Tech Day 2023
niftycorp
0
140
「defineCustomElement」を活用した サービス共通のUIコンポーネントライブラリ
piyoppi
0
230
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
5
970
未定義動作でFizz Buzz / Undefined Fizz Buzz
kaityo256
PRO
1
290
エンジニア秘書が通訳する異文化コミュニケーションのあれこれ / engineer-communication
assu_ming
0
130
ちょうぜつ本の紹介 (クリーンアーキテクチャとパッケージ原則)
suzukimar
0
280
if 式と switch 式による SwiftUI のプレビューエラー対策
ojun9
1
200
コードを読みやすくしよう!〜秒で身に付くよい命名〜 (LT) - NIFTY Tech Day 2023
niftycorp
1
140
セシール、大地に立つ - NIFTY Tech Day 2023
niftycorp
0
120
生成AI×ノーコード (スピーディーなアプリ開発の新時代)
knr109
3
4.4k

Featured

See All Featured
Three Pipe Problems
jasonvnalue
89
9.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Git: the NoSQL Database
bkeepers
PRO
420
62k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k
Design by the Numbers
sachag
272
18k
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9.8k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
185
15k
The Brand Is Dead. Long Live the Brand.
mthomps
48
7.5k
What the flash - Photography Introduction
edds
64
11k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k

Transcript

  1. Web Platform Security
    Mike West, Google Chrome
    @mikewest
    [email protected]
    http://bit.ly/wps_techdays_2019

    View Slide

  2. View Slide

  3. View Slide

  4. Google Vulnerability Reward Program (VRP) payouts in 2018
    XSS 35.6%
    CSRF 3.2%
    Clickjacking 4.2%
    Other web bugs 7.8%
    Non-web issues 49.1%
    Mobile app vulnerabilities
    Business logic (authorization)
    Server /network misconfigurations
    ...

    View Slide

  5. Injections

    foo.innerHTML = location.hash.slice(1)
    1. Logged in user visits attacker's page
    2. Attacker navigates user to a vulnerable URL
    3. Script runs, attacker gets access to user's session
    … and many other patterns
    Bugs: Cross-site scripting (XSS)
    https://victim.example/?query=<br/>

    View Slide

  6. Insufficient isolation
    1. Logged in user visits attacker's page
    2. Attacker sends cross-origin request to vulnerable URL
    3. Attacker takes action on behalf of user, or infers information
    about the user's data in the vulnerable app.
    Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ...






    View Slide

  7. Insufficient isolation
    New classes of flaws related to insufficient isolation on
    the web:
    - Microarchitectural issues (Spectre / Meltdown)
    - Advanced web APIs used by attackers
    - Improved exploitation techniques
    The number and severity of these flaws is growing.

    View Slide

  8. Collaborate in
    standards bodies

    View Slide

  9. https://w3c.github.io/webappsec-csp/
    https://csp.withgoogle.com/

    View Slide

  10. https://wicg.github.io/trusted-types

    View Slide

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis
    https://web.dev/samesite-cookies-explained/

    View Slide

  12. https://w3c.github.io/webappsec-fetch-metadata

    View Slide

  13. https://github.com/whatwg/html/issues/3740

    View Slide

  14. https://github.com/whatwg/fetch/issues/687

    View Slide

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

    View Slide

  16. Thanks!
    Mike West, Google Chrome
    @mikewest
    [email protected]
    http://bit.ly/wps_techdays_2019

    View Slide