Web Application Security: future standards and technologies

5b723186bd1e23af569bd623f193a2b9?s=47 oxdef
June 06, 2015
Programming
0
17

Web Application Security: future standards and technologies

OWASP Russia Meetup #3

5b723186bd1e23af569bd623f193a2b9?s=128

oxdef

June 06, 2015
Tweet

Want more?

5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
61
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
30
5b723186bd1e23af569bd623f193a2b9?s=48 oxdef
0
8
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
2
500
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
14
870
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
6
470
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
300
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
8
620
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
9
330
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
360
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
5
900
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
230

Transcript

  1. 1.

    OWASP Russia Meetup #3 Web Application Security: future standards and

    technologies
  2. 2.
    None
  3. 3.
    None
  4. 4.

    Web Application Security Working Group The mission of the Web

    Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication. http://www.w3.org/2014/12/webappsec-charter-2015
  5. 5.

    Agenda • CSP2 (very shortly) • Subresource Integrity • Referrer

    Policy • Credential Management API • Confinement with Origin Web Labels • Entry Point Regulation for Web Applications
  6. 6.

    CSP2 • www.w3.org/TR/CSP2/ • nonces & hashes!!!11111 • frame-ancestors to

    replace X-Frame- Options • unsafe-redirect • The CSP HTTP Request Header • More information in violation reports
  7. 7.

    CSP2 nonces Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce- Nc3n83cn...9hc3'

    <script nonce="Nc3n83cn...9hc3"> alert("Allowed because nonce is valid.") </script>
  8. 8.

    Subresource Integrity • www.w3.org/TR/SRI/ • Integrity verification via cryptographic hash

    <script src="https://example.com/example- framework.js" integrity="sha256- C6CB9UYIS9UJeq...5Twh+Y5qFQmYg=" crossorigin="anonymous"></script>
  9. 9.
    None
  10. 10.

    RefeRRer Policy • www.w3.org/TR/referrer-policy/ • <meta name="referrer" content="origin"> • None,

    None when downgrade, Origin Only, Origin when cross-origin, Unsafe URL
  11. 11.

    Credential Management API • www.w3.org/TR/credential-management-1/ • Allow websites to more

    directly interact with the user agent’s credential manager • Help to detect sign-in via a third-party • Changing Password
  12. 12.

    Password-based Sign-in navigator.credentials.get({ "types": [ "password" ] }).then( function(credential) {

    if (!credential) { // show basic form return; } if (credential.type == "PasswordCredential") { credential.send("https://example.com/login") .then(function (response) { // signin succeeded! }); } else { // See the Federated Sign-in example } });
  13. 13.

    And the last... • Confinement with Origin Web Labels •

    Entry Point Regulation for Web Applications • Permissions API • Suborigin Namespaces • Mixed Content • User Interface Security Directives for Content Security Policy
  14. 14.
    None
  15. 15.

    Thanks! mailto:oxdef@oxdef.info