Slide 1

Let’s talk Security: Secure your Web Application - Best Practices
Dheeraj Joshi, @dheerajhere

Slide 2

About Me
● Front-End @
● Previously @
● Open Source (medium-cli)
● Ambidextrous TT Player

Slide 3

What makes me happy? I wear a White Hat.
Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc. More...

Slide 4

Agenda
● Why?
● Cross-site Scripting (XSS)
● Cross-site Request Forgery (CSRF)
● Content Security Policy (CSP)
● Useful Headers
● Other Best Practices
● Live Demo

Slide 5

Why should Startups Care about Security?
Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security’.

Slide 7

GitHub reused-password attack

Slide 8

The Shutdown
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS

Slide 9

CROSS SITE SCRIPTING - XSS
● XSS attacks users
● “JavaScript Injection”
● Exploits can be bad, really bad...

Slide 10

What is XSS?
Typical Reflected XSS

Slide 11

Stored XSS

Slide 12

DOM XSS

Slide 13

Protect Yourself
● Input Validation
● Ensure that outputs are HTML encoded
● Don’t reinvent the wheel (Use proven sanitizers)
● Analyze places where DOM elements are created

Slide 14

ngBind attribute (binds as text, so markup is escaped rather than rendered)
$sanitize - service in module ngSanitize: sanitizes an HTML string by stripping all potentially dangerous tokens.

Slide 15

● Add HttpOnly, Secure attributes on the Session Cookie
HttpOnly keeps the cookie out of document.cookie, so a script injected via XSS cannot read it; Secure restricts it to HTTPS.

Slide 16

CROSS-SITE REQUEST FORGERY (CSRF)

Slide 17

CSRF Attacks
Because the attack is carried out by the victim’s own browser, CSRF can bypass:
● HTTP Auth
● Session-based auth
● Firewalls

Slide 18

Prevention

Slide 19

“CSRF Myths”: Preventions that Won’t work
● Only accepting POST requests
● Referer Protection
● Multi-Step Transactions
● URL Rewriting
● application/json

Slide 20

XSS + CSRF =

Slide 21

Content Security Policy (CSP)

Slide 22

List of useful HTTP headers
● Strict-Transport-Security: max-age=16070400; includeSubDomains
● X-Frame-Options: deny
● X-XSS-Protection: 1; mode=block

Slide 23

Prevent Information Disclosure
Hide X-Powered-By
Or try this ;)
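As an added example (not from the slides), a small Node.js audit that checks a response's headers against the values on the useful-headers slide and flags a leaked X-Powered-By; the helper names, the two sample responses and the max-age threshold are this example's own assumptions.

```javascript
// Added example: audit response headers against the slides' recommendations.
// Header names/values are standard; helper names and samples are constructed here.

// Minimum HSTS max-age accepted, taken from the slide's example value (~186 days).
const MIN_HSTS_MAX_AGE = 16070400;

// Parse "max-age=N; includeSubDomains; preload" into an object.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const token = part.trim();
    const m = /^max-age=(\d+)$/i.exec(token);
    if (m) result.maxAge = Number(m[1]);
    else if (/^includesubdomains$/i.test(token)) result.includeSubDomains = true;
  }
  return result;
}

// Return a list of findings; an empty list means every check passed.
// `headers` is a plain object of lower-cased names to values, the shape
// Node's http.IncomingMessage.headers uses.
function auditHeaders(headers) {
  const findings = [];
  const hsts = headers['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (maxAge === null || maxAge < MIN_HSTS_MAX_AGE) findings.push('HSTS max-age too short');
    if (!includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (!['deny', 'sameorigin'].includes(xfo)) findings.push('X-Frame-Options not deny/sameorigin');
  const xxp = (headers['x-xss-protection'] || '').replace(/\s+/g, '').toLowerCase();
  if (xxp !== '1;mode=block') findings.push('X-XSS-Protection is not "1; mode=block"');
  if ('x-powered-by' in headers) findings.push('X-Powered-By discloses the server stack');
  return findings;
}

// Constructed sample: a default Express-style response with no hardening.
const weakResponse = { 'x-powered-by': 'Express', 'content-type': 'text/html' };
// Constructed sample: the same response after applying the slides' headers.
const hardenedResponse = {
  'strict-transport-security': 'max-age=16070400; includeSubDomains',
  'x-frame-options': 'deny',
  'x-xss-protection': '1; mode=block',
  'content-type': 'text/html',
};

console.log(auditHeaders(weakResponse));
console.log(auditHeaders(hardenedResponse)); // []
```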

Slide 24

target="_blank"
● The opened page can access `window.opener`.
● Fix: `rel=noopener` (Firefox: `rel=noreferrer`)
● Or clear the reference: `window.opener = null;`

Slide 25

How to improve?
● SECURITY.md
● Security audits
● Discuss Vulnerabilities

Slide 26

Show Time!

Slide 27

Thank you
@dheerajhere @djadmin