No privilege, no risk - Devoxx 2013

Slide 1

Slide 1 text

@mikewest #DV13-security No privilege, no risk A client-side security cornucopia Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides: https://mkw.st/r/devoxx13

Slide 2

Slide 2 text

http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

Slide 3

Slide 3 text

http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

Slide 4

Slide 4 text

"Enigma" - skittledog, http://flic.kr/p/9VjJz5 Step 0: Encrypt all traffic.

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Set-Cookie: ...; secure; HttpOnly

Slide 9

Slide 9 text

Strict-Transport-Security: max-age=2592000; includeSubDomains

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

Public-Key-Pins: max-age=2592000; pin-sha256="4n972H…yw4uqe/baXc="

Slide 12

Slide 12 text

"Framed in the Valley" - cobalt123, http://www.flickr.com/photos/cobalt/5354090310/ Limit Unanticipated Framing.

Slide 13

Slide 13 text

Click me! I am happy!

Slide 14

Slide 14 text

X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN

Slide 15

Slide 15 text

"X-Frame-Options: All about Clickjacking?" https://cure53.de/xfo-clickjacking.pdf

Slide 16

Slide 16 text

"Sniff" - tiny banquet committee, http://www.flickr.com/photos/tinybanquet/880076486 Prevent MIME-Type Sniffing.

Slide 17

Slide 17 text

X-Content-Type-Options: nosniff

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

"Finance - Financial Injection - Finance" - doug8888, http://www.flickr.com/photos/doug88888/4561376850/ Mitigate content injection.

Slide 20

Slide 20 text

scheme://host:port

Slide 21

Slide 21 text

beAwesome(); beEvil();

Slide 22

Slide 22 text

beAwesome();

Hello, beEvil();

Slide 23

Slide 23 text

p { color: {{USER_COLOR}}; }

Hello {{USER_NAME}}, view your Account.

var id = {{USER_ID}};

Slide 24

Slide 24 text

"I discount the probability of perfection." -Alex Russell

Slide 25

Slide 25 text

"We are all idiots with deadlines." -Mike West

Slide 26

Slide 26 text

X-XSS-Protection: 1; mode=block or X-XSS-Protection: 0 but not X-XSS-Protection: 1

Slide 27

Slide 27 text

X-XSS-Protection: 1; mode=block; report=https://example.com/url

Slide 28

Slide 28 text

http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

Slide 29

Slide 29 text

Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net

Slide 30

Slide 30 text

Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi

Slide 31

Slide 31 text

Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/img.png", "violated-directive": "default-src 'self'", "original-policy": "...", "source-file": "http://example.com/script.js", "line-number": 10, "column-number": 11, } }

Slide 32

Slide 32 text

function handleClick() { ... } Click me! Click me!

Slide 33

Slide 33 text

Click me! Click me! function handleClick() { ... } function init() { for (var e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }

Slide 34

Slide 34 text

Content-Security-Policy: script-src 'nonce-afbvjn+afpo-j1qer'; Click me! Click me! function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }

Slide 35

Slide 35 text

Content-Security-Policy: script-src 'sha256-afbvjn+...afpo-j1qer'; Click me! Click me! function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }

Slide 36

Slide 36 text

"Sandbox Shadow" - Scott Robinson, http://www.flickr.com/photos/clearlyambiguous/27454797 Limit IFrame Capabilities

Slide 37

Slide 37 text

Slide 38

Slide 38 text

Slide 39

Slide 39 text

http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/ goo.gl/WJjv10

Slide 40

Slide 40 text

"Vandalised Red Telephone Box" - Jon Pinder, http://www.flickr.com/photos/rofanator/5364666818 Secure Cross-Origin Communication

Slide 41

Slide 41 text

var frame = document.querySelector('iframe'); frame.contentWindow.postMessage(message, 'example.com'); window.addEventListener('message', function (e) { if (e.origin === 'example.com') // Do something amazing in response! });

Slide 42

Slide 42 text

var frame = document.querySelector('iframe'); frame.contentWindow.postMessage(message, '*'); window.addEventListener('message', function (e) { if (e.origin === "null" && e.source === frame.contentWindow) // Do something amazing in response! });

Slide 43

Slide 43 text

window.addEventListener('message', function (e) { if (e.origin !== window.location.origin) return; // Do something amazing in response! e.source.postMessage(result, e.origin); });

Slide 44

Slide 44 text

var channel = new MessageChannel(); // channel.port1 <-> channel.port2 frame.contentWindow.postMessage( 'init', '*', [ channel.port2 ]); channel.port1.postMessage(message); channel.port1.addEventListener('message', ...);

Slide 45

Slide 45 text

"Enigma" - skittledog, http://flic.kr/p/9VjJz5 Moar Encryption

Slide 46

Slide 46 text

http://nick.bleeken.eu/presentations/devoxx-2013/

Slide 47

Slide 47 text

https://mkw.st/r/devoxx13 Thanks! Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides: https://mkw.st/r/devoxx13