Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking Front-End Apps

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Alex Sexton Alex Sexton
February 12, 2014
Technology
2.5k
3

Hacking Front-End Apps

My talk on client side web security as given at the jQuery Conference 2014 in San Diego

Avatar for Alex Sexton

Alex Sexton

February 12, 2014

More Decks by Alex Sexton

See All by Alex Sexton
Your Very Own Component Library
Avatar for Alex Sexton slexaxton
5
750
Front-End Ops - jQuery Conf Chicago 2014
Avatar for Alex Sexton slexaxton
1
1k
Practicing Safe Script
Avatar for Alex Sexton slexaxton
18
2.9k

Other Decks in Technology

See All in Technology
AI バイブコーティングでキーボード不要?!
Avatar for Sam Akada samakada
0
680
UIライブラリに依存しすぎないReact Native設計を目指して
Avatar for Takahiro Kato grandbig
0
190
AgentCore×VPCでの設計パターンn選と勘所
Avatar for Har1101 har1101
4
370
「SaaSの次の時代」に重要性を増すステークホルダーマネジメントの要諦 ~解像度を圧倒的に高めPdMの価値を最大化させる方法~
Avatar for KAKEHASHI kakehashi
PRO
3
3.5k
M5Stack CoreS3とZephyr(RTOS)で Edge AIっぽいことしてみた
Avatar for misoji engineer iotengineer22
0
410
AI駆動開発で生産性を追いかけたら、行き着いたのは品質とシフトレフトだった
Avatar for Koichiro Matsuoka littlehands
0
260
COBOL婆さんの伝説
Avatar for フクイ poropinai1966
0
130
AIはハッカーを減らすのか、増やすのか?──現役ホワイトハッカーから見るAI時代のリアル【MEGU-Meet】
Avatar for サイバーセキュリティクラウド cscengineer
PRO
0
260
Oracle Cloud Infrastructure:2026年4月度サービス・アップデート
Avatar for oracle4engineer oracle4engineer
PRO
0
260
AI와 협업하는 조직으로의 여정
Avatar for Arawn Park arawn
0
580
Claude Code を安全に使おう勉強会 / Claude Code Security Basics
Avatar for MasahiroKawahara masahirokawahara
12
39k
EMから幅を広げるために最近挑戦していること / Recent challenges I'm undertaking to expand my horizons beyond EM
Avatar for hiro-torii hiro_torii
1
180

Featured

See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
52k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
10k
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
1
530
Design in an AI World
Avatar for tapps tapps
1
210
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
320
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
130
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
380
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
100
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
130
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
49
9.9k

Transcript

  1. Hacking Front-End Apps Alex Sexton

  2. I work at .

  3. which is in . California

  4. but…

  5. I live in . Texas

  6. The web has a lot in common with Texas.

  7. “The wild west.”

  8. In 1985, Texas had a problem.

  9. None

  10. Littering

  11. Some Texans defended their “God-given right to litter.”

  12. ಠ_ಠ

  13. There were fines for littering.

  14. photo by Curtis Gregory Perry

  15. But no one seemed to care.

  16. The state tried some slogans.

  17. None

  18. But these slogans apparently did not resonate with the core

    offenders

  19. Males 18-24 “Bubbas in Pickup Trucks”

  20. In 1985 Texas tried a new campaign:

  21. None

  22. The campaign reduced litter on Texas highways ! 72% !

    from 1986 to 1990.

  23. My point is…

  24. “Hey everyone, you should make your websites more secure because

    it’s important.” ! Probably isn’t going to do the trick.

  25. DON’T! MESS! WITH! XSS Also probably won’t work.

  26. Web developers, not security researchers, are the core audience.

  27. Web security is hard.

  28. “All you have to do is never make a single

    mistake.” - I Think Mike West

  29. “I discount the probability of perfection.” - Alex Russell

  30. Content Injection

  31. None
  32. None
  33. None

  34. Everyone has a friend that always seems to pick “<script>alert(‘hacked!’);</script>”

      as their username.

  35. My User Agent

  36. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

  37. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

  38. ಠ_ಠ

  39. Samy

  40. None
  41. None
  42. None

  43. ಠ_ಠ

  44. So let’s just detect malicious scripts!

  45. None

  46. alert(1)

  47. The Billy Hoffman Whitespace Attack <script>   ! </script>

  48. The Billy Hoffman Whitespace Attack <script>   ! </script> Malicious

    Code

  49. The Billy Hoffman Whitespace Attack <script>   ! </script> tab

    tab tab space space

  50. The Billy Hoffman Whitespace Attack <script>   ! </script> 1

    1 1 0 0

  51. You cannot detect malicious code.

  52. output.replace(/<script>/, ‘’);

  53. CSS Hacks

  54. Old School

  55. None

  56. Link Visited Link getComputedStyle( getComputedStyle( ) ) === \o\|o|/o/ Pretty

    much People Celebrating (or screaming on fire)

  57. Timing Attacks

  58. Security by Inaccuracy

  59. requestAnimationFrame + :visited = ಠ_ಠ

  60. requestAnimationFrame + :visited = ಠ_ಠ

  61. requestAnimationFrame + :visited = ಠ_ಠ

  62. Link Visited Link

  63. Link Visited Link <16ms >60ms Time to render

  64. JSON-P

  65. MORE LIKE JSON-Pretty-Insecure

  66. “I’d really like it if someone could run arbitrary dynamic

    scripts on my page” - JSONP Users

  67. You wouldn’t do this.

  68. So don’t do this.

  69. A Leak In The Response

  70. YouProbablyShouldUseCORS.tumblr.com

  71. enable-cors.org

  72. Try to say CROSS SITE! REQUEST FORGERY 5 times fast.

  73. Set-Cookie ‘csrf=0003’

  74. Set-Cookie ‘csrf=0003’

  75. None
  76. None
  77. None

  78. It gets worse.

  79. Contextis White Paper

  80. Cross-Domain Data Snooping via SVG Filters and OCR

  81. None

  82. ಠ_ಠ

  83. We need a new approach.

  84. Content Security Policy

  85. None

  86. Disallow Inline JS, CSS By Default!

  87. Disallow eval By Default!

  88. Disallow Cross Domain JS, CSS, IMG, Fonts

  89. Report Violations!

  90. None

  91. A White List That’s the key!

  92. Good Security Goes Beyond Content Injection

  93. <iframe sandbox>

  94. HTTPS Everywhere

  95. HTTPS Everywhere

  96. HTTPS Only

  97. 301 Redirect http

  98. https HSTS

  99. Frame Busting

  100. Disallow as an iFrame X-Frame-Options

  101. It’s “security by default.” At least much closer…

  102. You can rely a little less on being perfect.

  103. it only matters if everyone buys in. But

  104. We need our own slogan.

  105. We need developers to take pride in making secure applications.

  106. Don’t Mess With The Web

  107. ಠ_ಠ

  108. Let’s do something about it together.

  109. Thanks! @SlexAxton Special Thanks To: Mike West * 1000 Adam

    Baldwin Contextis MDN