Slide 1
Slide 1 text
Practicing Safe Script Alex Sexton
Slide 2
Slide 2 text
I work at .
Slide 3
Slide 3 text
which is in California.
Slide 4
Slide 4 text
but…
Slide 5
Slide 5 text
I live in Texas.
Slide 6
Slide 6 text
The web has a lot in common with Texas.
Slide 7
Slide 7 text
“The wild west.”
Slide 8
Slide 8 text
In 1985, Texas had a problem.
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
Littering
Slide 11
Slide 11 text
Some Texans defended their “God-given right to litter.”
Slide 12
Slide 12 text
ಠ_ಠ
Slide 13
Slide 13 text
There were fines for littering.
Slide 14
Slide 14 text
photo by Curtis Gregory Perry
Slide 15
Slide 15 text
But no one seemed to care.
Slide 16
Slide 16 text
The state tried some slogans.
Slide 17
Slide 17 text
No content
Slide 18
Slide 18 text
But these slogans apparently did not resonate with the core offenders
Slide 19
Slide 19 text
Males 18-24 “Bubbas in Pickup Trucks”
Slide 20
Slide 20 text
In 1985 Texas tried a new campaign:
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
The campaign reduced litter on Texas highways 72% from 1986 to 1990.
Slide 23
Slide 23 text
My point is…
Slide 24
Slide 24 text
“Hey everyone, you should make your websites more secure because it’s important.” Probably isn’t going to do the trick.
Slide 25
Slide 25 text
DON’T MESS WITH XSS. Also probably won’t work.
Slide 26
Slide 26 text
Web developers, not security researchers, are the core audience.
Slide 27
Slide 27 text
Web security is hard.
Slide 28
Slide 28 text
“All you have to do is never make a single mistake.” - Mike West (I think)
Slide 29
Slide 29 text
“I discount the probability of perfection.” - Alex Russell
Slide 30
Slide 30 text
Content Injection
Slide 31
Slide 31 text
No content
Slide 32
Slide 32 text
No content
Slide 33
Slide 33 text
No content
Slide 34
Slide 34 text
Everyone has a friend that always seems to pick "alert('hacked!');" as their username.
Slide 35
Slide 35 text
My User Agent
Slide 36
Slide 36 text
My Friend, Mike Taylor’s User Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) alert(‘lol’); Gecko/20100101 Firefox/25.0
Slide 37
Slide 37 text
My Friend, Mike Taylor’s User Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) alert(‘lol’); Gecko/20100101 Firefox/25.0
Slide 38
Slide 38 text
ಠ_ಠ
Slide 39
Slide 39 text
Samy
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
No content
Slide 42
Slide 42 text
No content
Slide 43
Slide 43 text
ಠ_ಠ
Slide 44
Slide 44 text
So let’s just detect malicious scripts!
Slide 45
Slide 45 text
No content
Slide 46
Slide 46 text
alert(1)
Slide 47
Slide 47 text
The Billy Hoffman Whitespace Attack
Slide 48
Slide 48 text
The Billy Hoffman Whitespace Attack: Malicious Code
Slide 49
Slide 49 text
The Billy Hoffman Whitespace Attack: tab tab tab space space
Slide 50
Slide 50 text
The Billy Hoffman Whitespace Attack: 1 1 1 0 0
Slide 51
Slide 51 text
You cannot detect malicious code.
Slide 52
Slide 52 text
output.replace(//, ‘’);
Slide 53
Slide 53 text
CSS Hacks
Slide 54
Slide 54 text
Old School
Slide 55
Slide 55 text
No content
Slide 56
Slide 56 text
Link vs. Visited Link: getComputedStyle( ) === getComputedStyle( )? \o\|o|/o/ (Pretty much people celebrating, or screaming on fire)
Slide 57
Slide 57 text
Timing Attacks
Slide 58
Slide 58 text
Security by Inaccuracy
Slide 59
Slide 59 text
requestAnimationFrame + :visited = ಠ_ಠ
Slide 60
Slide 60 text
requestAnimationFrame + :visited = ಠ_ಠ
Slide 61
Slide 61 text
requestAnimationFrame + :visited = ಠ_ಠ
Slide 62
Slide 62 text
Link Visited Link
Slide 63
Slide 63 text
Time to render: Link <16ms, Visited Link >60ms
Slide 64
Slide 64 text
Set-Cookie 'csrf=0003'
Slide 65
Slide 65 text
No content
Slide 66
Slide 66 text
No content
Slide 67
Slide 67 text
No content
Slide 68
Slide 68 text
It gets worse.
Slide 69
Slide 69 text
Contextis White Paper
Slide 70
Slide 70 text
Cross-Domain Data Snooping via SVG Filters and OCR
Slide 71
Slide 71 text
No content
Slide 72
Slide 72 text
ಠ_ಠ
Slide 73
Slide 73 text
We need a new approach.
Slide 74
Slide 74 text
Content Security Policy
Slide 75
Slide 75 text
No content
Slide 76
Slide 76 text
Disallow Inline JS, CSS By Default!
Slide 77
Slide 77 text
Disallow eval By Default!
Slide 78
Slide 78 text
Disallow Cross Domain JS, CSS, IMG, Fonts
Slide 79
Slide 79 text
Report Violations!
Slide 80
Slide 80 text
No content
Slide 81
Slide 81 text
A White List. That’s the key!
Slide 82
Slide 82 text
Good Security Goes Beyond Content Injection
Slide 83
Slide 83 text
Slide 84
Slide 84 text
HTTPS Everywhere
Slide 85
Slide 85 text
HTTPS Everywhere
Slide 86
Slide 86 text
HTTPS Only
Slide 87
Slide 87 text
301 Redirect http
Slide 88
Slide 88 text
https HSTS
Slide 89
Slide 89 text
Frame Busting
Slide 90
Slide 90 text
Disallow as an iframe: X-Frame-Options
Slide 91
Slide 91 text
It’s “security by default.” At least much closer…
Slide 92
Slide 92 text
You can rely a little less on being perfect.
Slide 93
Slide 93 text
But it only matters if everyone buys in.
Slide 94
Slide 94 text
We need our own slogan.
Slide 95
Slide 95 text
We need developers to take pride in making secure applications.
Slide 96
Slide 96 text
Don’t Mess With The Web
Slide 97
Slide 97 text
ಠ_ಠ
Slide 98
Slide 98 text
Let’s do something about it together.
Slide 99
Slide 99 text
Thanks! @SlexAxton. Special thanks to: Mike West (× 1000), Adam Baldwin, Contextis, MDN