Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking Front-End Apps
Search
Alex Sexton
February 12, 2014
Technology
2.5k
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Hacking Front-End Apps
My talk on client side web security as given at the jQuery Conference 2014 in San Diego
Alex Sexton
February 12, 2014
More Decks by Alex Sexton
See All by Alex Sexton
Your Very Own Component Library
slexaxton
5
750
Front-End Ops - jQuery Conf Chicago 2014
slexaxton
1
1k
Practicing Safe Script
slexaxton
18
2.9k
Other Decks in Technology
See All in Technology
気軽に使える"情報のハブ"としてのNotion活用 〜フロー情報の集積点 と、 Claude Code × Notion AI〜
syucream
1
150
iAEONの段階的リアーキテクト戦略 / iAEON's_Gradual_Re-architecture_Strategy
aeonpeople
0
220
Flow 不死:AI 時代 DevOps 的不變本質
cheng_wei_chen
0
100
自律型AIエージェントは何を破壊するのか
kojira
0
160
Kubernetesにおける学習基盤とLLMOpsの概要
ry
1
320
SONiCの統計情報を取得したい
sonic
0
200
AIのReact習熟度を測る
uhyo
2
640
2026TECHFRESH畢業分享會 - 葬送的通靈師:化系統與用戶雜訊成行動訊號
line_developers_tw
PRO
0
1.2k
AIソロプレナー時代に2ヶ月で20人増員した事業創造会社の開発組織の話
miyatakoji
0
690
アジャイルな経理と Claude Code と 経営の未来
kawaguti
PRO
3
150
2026 TECHFRESH 畢業分享會 - 開發日常大解密!從領域驅動到企業級上線
line_developers_tw
PRO
0
1.2k
いまさら聞けない「仕様駆動開発入門」 〜AI活用時代の開発プロセスを考える〜
findy_eventslides
2
160
Featured
See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.5k
Why Our Code Smells
bkeepers
PRO
340
58k
Leo the Paperboy
mayatellez
7
1.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
6k
Leveraging Curiosity to Care for An Aging Population
cassininazir
1
270
Kristin Tynski - Automating Marketing Tasks With AI
techseoconnect
PRO
0
270
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
62
54k
Building an army of robots
kneath
306
46k
Are puppies a ranking factor?
jonoalderson
1
3.6k
The browser strikes back
jonoalderson
0
1.3k
Bash Introduction
62gerente
615
220k
Building AI with AI
inesmontani
PRO
1
1.1k
Transcript
Hacking Front-End Apps Alex Sexton
I work at .
which is in . California
but…
I live in . Texas
The web has a lot in common with Texas.
“The wild west.”
In 1985, Texas had a problem.
None
Littering
Some Texans defended their “God-given right to litter.”
ಠ_ಠ
There were fines for littering.
photo by Curtis Gregory Perry
But no one seemed to care.
The state tried some slogans.
None
But these slogans apparently did not resonate with the core
offenders
Males 18-24 “Bubbas in Pickup Trucks”
In 1985 Texas tried a new campaign:
None
The campaign reduced litter on Texas highways ! 72% !
from 1986 to 1990.
My point is…
“Hey everyone, you should make your websites more secure because
it’s important.” ! Probably isn’t going to do the trick.
DON’T! MESS! WITH! XSS Also probably won’t work.
Web developers, not security researchers, are the core audience.
Web security is hard.
“All you have to do is never make a single
mistake.” - I Think Mike West
“I discount the probability of perfection.” - Alex Russell
Content Injection
None
None
None
Everyone has a friend that always seems to pick “<script>alert(‘hacked!’);</script>”
as their username.
My User Agent
My Friend, Mike Taylor’s User Agent Mozilla/5.0 (Macintosh; Intel Mac
OS X 10.9; rv:25.0) <script>alert(‘lol’);</script> Gecko/20100101 Firefox/25.0
My Friend, Mike Taylor’s User Agent Mozilla/5.0 (Macintosh; Intel Mac
OS X 10.9; rv:25.0) <script>alert(‘lol’);</script> Gecko/20100101 Firefox/25.0
ಠ_ಠ
Samy
None
None
None
ಠ_ಠ
So let’s just detect malicious scripts!
None
alert(1)
The Billy Hoffman Whitespace Attack <script> ! </script>
The Billy Hoffman Whitespace Attack <script> ! </script> Malicious
Code
The Billy Hoffman Whitespace Attack <script> ! </script> tab
tab tab space space
The Billy Hoffman Whitespace Attack <script> ! </script> 1
1 1 0 0
You cannot detect malicious code.
output.replace(/<script>/, ‘’);
CSS Hacks
Old School
None
Link Visited Link getComputedStyle( getComputedStyle( ) ) === \o\|o|/o/ Pretty
much People Celebrating (or screaming on fire)
Timing Attacks
Security by Inaccuracy
requestAnimationFrame + :visited = ಠ_ಠ
requestAnimationFrame + :visited = ಠ_ಠ
requestAnimationFrame + :visited = ಠ_ಠ
Link Visited Link
Link Visited Link <16ms >60ms Time to render
JSON-P
MORE LIKE JSON-Pretty-Insecure
“I’d really like it if someone could run arbitrary dynamic
scripts on my page” - JSONP Users
You wouldn’t do this.
So don’t do this.
A Leak In The Response
YouProbablyShouldUseCORS.tumblr.com
enable-cors.org
Try to say CROSS SITE! REQUEST FORGERY 5 times fast.
Set-Cookie ‘csrf=0003’
Set-Cookie ‘csrf=0003’
None
None
None
It gets worse.
Contextis White Paper
Cross-Domain Data Snooping via SVG Filters and OCR
None
ಠ_ಠ
We need a new approach.
Content Security Policy
None
Disallow Inline JS, CSS By Default!
Disallow eval By Default!
Disallow Cross Domain JS, CSS, IMG, Fonts
Report Violations!
None
A White List That’s the key!
Good Security Goes Beyond Content Injection
<iframe sandbox>
HTTPS Everywhere
HTTPS Everywhere
HTTPS Only
301 Redirect http
https HSTS
Frame Busting
Disallow as an iFrame X-Frame-Options
It’s “security by default.” At least much closer…
You can rely a little less on being perfect.
it only matters if everyone buys in. But
We need our own slogan.
We need developers to take pride in making secure applications.
Don’t Mess With The Web
ಠ_ಠ
Let’s do something about it together.
Thanks! @SlexAxton Special Thanks To: Mike West * 1000 Adam
Baldwin Contextis MDN
slexaxton
syucream
aeonpeople
cheng_wei_chen
kojira
ry
sonic
uhyo
line_developers_tw
miyatakoji
kawaguti
findy_eventslides
kevinliebholz
bkeepers
mayatellez
reverentgeek
cassininazir
techseoconnect
madoxten
kneath
jonoalderson
62gerente
inesmontani
