Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

Mike West
PRO
June 03, 2019
Programming
1
170

Web Platform Security @ TechDays 2019

Web Platform Security.

Mike West
PRO

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
110
Isolation by Default
mikewest
PRO
0
1.9k
The Web We Can Ship
mikewest
PRO
0
490
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
3.1k
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
440
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
120
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
960
BSides Munich
mikewest
PRO
0
330
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.5k

Other Decks in Programming

See All in Programming
Golangci-lint v2爆誕: 君たちはどうすべきか
logica0419
1
160
趣味全開のAITuber開発
kokushin
0
200
KawaiiLT 登壇資料 キャリアとモチベーション
hiiragi
0
150
七輪ライブラリー: Claude AI で作る Next.js アプリ
suneo3476
1
120
Amazon CloudWatchの地味だけど強力な機能紹介!
itotsum
0
180
メモリウォールを超えて:キャッシュメモリ技術の進歩
kawayu
0
1.9k
REALITY コマンド作成チュートリアル
nishiuriraku
0
110
Jakarta EE Meets AI
ivargrimstad
0
250
VitestのIn-Source Testingが便利
taro28
8
2.2k
Laravel × Clean Architecture
bumptakayuki
PRO
0
110
Cursor/Devin全社導入の理想と現実
saitoryc
23
17k
Deoptimization: How YJIT Speeds Up Ruby by Slowing Down / RubyKaigi 2025
k0kubun
0
1.3k

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
83
5.5k
Bash Introduction
62gerente
611
210k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
670
Visualization
eitanlees
146
16k
Documentation Writing (for coders)
carmenintech
69
4.7k
Rails Girls Zürich Keynote
gr2m
94
13k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
47
2.7k
Git: the NoSQL Database
bkeepers
PRO
430
65k
A Tale of Four Properties
chriscoyier
158
23k
[RailsConf 2023] Rails as a piece of cake
palkan
54
5.4k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Writing Fast Ruby
sferik
628
61k

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019