Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Application Security: future standards and technologies

oxdef
June 06, 2015
Programming
0
160

Web Application Security: future standards and technologies

OWASP Russia Meetup #3

oxdef

June 06, 2015
Tweet

More Decks by oxdef

See All by oxdef
How to improve software security with OWASP open source initiatives
oxdef
0
64
Keynote at ZeroNights X (2021)
oxdef
0
26
Security Culture: Here be Hackers
oxdef
0
240
OWASP Top 10 - 2017 What’s inside?
oxdef
0
210
И разработчик станет хакером!
oxdef
0
26
Implementing Content Security Policy at a Large Scale
oxdef
0
260
Security in developer’s life: knowledge is power
oxdef
0
140
HTTPS by default - no more clear
oxdef
0
11
Content Security Policy - the panacea for XSS or placebo?
oxdef
0
150

Other Decks in Programming

See All in Programming
20年ものの巨大レガシープロダクトを PHP 8.0にアップデートした際の対策と得られた知見
akamah
3
2k
Kotlin Multiplatform Mobile でiOSとAndroidの実装差異を無くす
teamlab
PRO
0
160
The Lesser-Known Kotlin Features
antonarhipov
0
260
V8 as a container on CDN Edge worker
mizchi
5
950
Attacking web without JS - CSS injection
aszx87410
0
1.7k
モバイルアプリの行動ログの「仕込み」を快適にする / iOSDC Japan 2022 - Mobile App Logging
yujif
1
1.9k
SwiftUI Navigation のすべて
kalupas226
8
3.1k
Angular's Future without NgModules: Architectures with Standalone Components
manfredsteyer
PRO
0
100
フラットなPHPからオブジェクト指向で自動テストのあるPHPへ、そしてフレームワークへ #phpcon2022
77web
1
630
Git 未経験者 が GitHub Actions で もがいた話 / 20220914 git beginner uses github actions
mackey0225
1
400
SASユーザー総会2022:Time-varying treatmentsに対するIPTW法による因果効果の推定
norihirosuzuki
0
220
IaC運用してみて感じた 素晴らしさとアンチパターン
yuki_kurono
0
150

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
56
6.5k
Bash Introduction
62gerente
598
210k
Thoughts on Productivity
jonyablonski
45
2.5k
Why Our Code Smells
bkeepers
PRO
324
55k
Building an army of robots
kneath
300
40k
Building Your Own Lightsaber
phodgson
95
4.7k
The Brand Is Dead. Long Live the Brand.
mthomps
47
2.8k
Music & Morning Musume
bryan
35
4.4k
Agile that works and the tools we love
rasmusluckow
319
19k
The Pragmatic Product Professional
lauravandoore
19
3.2k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
223
49k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
213
20k

Transcript

  1. OWASP Russia Meetup #3 Web Application Security: future standards and

    technologies
  2. None
  3. None

  4. Web Application Security Working Group The mission of the Web

    Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication. http://www.w3.org/2014/12/webappsec-charter-2015

  5. Agenda • CSP2 (very shortly) • Subresource Integrity • Referrer

    Policy • Credential Management API • Confinement with Origin Web Labels • Entry Point Regulation for Web Applications

  6. CSP2 • www.w3.org/TR/CSP2/ • nonces & hashes!!!11111 • frame-ancestors to

    replace X-Frame- Options • unsafe-redirect • The CSP HTTP Request Header • More information in violation reports

  7. CSP2 nonces Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce- Nc3n83cn...9hc3'

    <script nonce="Nc3n83cn...9hc3"> alert("Allowed because nonce is valid.") </script>

  8. Subresource Integrity • www.w3.org/TR/SRI/ • Integrity verification via cryptographic hash

    <script src="https://example.com/example- framework.js" integrity="sha256- C6CB9UYIS9UJeq...5Twh+Y5qFQmYg=" crossorigin="anonymous"></script>
  9. None

  10. RefeRRer Policy • www.w3.org/TR/referrer-policy/ • <meta name="referrer" content="origin"> • None,

    None when downgrade, Origin Only, Origin when cross-origin, Unsafe URL

  11. Credential Management API • www.w3.org/TR/credential-management-1/ • Allow websites to more

    directly interact with the user agent’s credential manager • Help to detect sign-in via a third-party • Changing Password

  12. Password-based Sign-in navigator.credentials.get({ "types": [ "password" ] }).then( function(credential) {

    if (!credential) { // show basic form return; } if (credential.type == "PasswordCredential") { credential.send("https://example.com/login") .then(function (response) { // signin succeeded! }); } else { // See the Federated Sign-in example } });

  13. And the last... • Confinement with Origin Web Labels •

    Entry Point Regulation for Web Applications • Permissions API • Suborigin Namespaces • Mixed Content • User Interface Security Directives for Content Security Policy
  14. None

  15. Thanks! mailto:oxdef@oxdef.info