Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking Front-End Apps

7ea369b9b67a85f638af2e0f5d708d2d?s=47 Alex Sexton
February 12, 2014
Technology
4
2.1k

Hacking Front-End Apps

My talk on client side web security as given at the jQuery Conference 2014 in San Diego

7ea369b9b67a85f638af2e0f5d708d2d?s=128

Alex Sexton

February 12, 2014
Tweet

More Decks by Alex Sexton

See All by Alex Sexton
Your Very Own Component Library
7ea369b9b67a85f638af2e0f5d708d2d?s=48 slexaxton
5
680
Front-End Ops - jQuery Conf Chicago 2014
7ea369b9b67a85f638af2e0f5d708d2d?s=48 slexaxton
1
960
Practicing Safe Script
7ea369b9b67a85f638af2e0f5d708d2d?s=48 slexaxton
18
2.4k

Other Decks in Technology

See All in Technology
俺の Laravel がこんなに速いわけがない! / My Laravel Too Fast
F04982ad61107b5408ad139966596316?s=48 hanhan1978
0
120
Citizen 개발기
748a6dc8b4eaba0fde62909e39be7987?s=48 outsider
0
340
HoloLens2とMetaQuest2どちらも動くWebXRアプリをBabylon.jsで作る
Bf0e54ea0d4ea19343ccfbe5d410a96b?s=48 iwaken71
0
250
情報の世界 2022年度 第11回「都市のデータ」 #情報の世界 / Data of City 2022
65241d0356dc5a93b0fec68bcf7b42ac?s=48 yumulab
0
120
Persistence in Serverless Applications - ServerlessDays NYC
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
0
270
Apple M1 CPUの脆弱性「PACMAN」について解説する
A40160195344f29eace8239fda27d3b5?s=48 kuzushiki
0
110
誰が正解を知っているのか / Who knows the right answer
95aaab3d693889550fd2e7ae02f2f789?s=48 takaking22
1
250
Camp Digital 2022: tailored advice
8fadc4cc83e533c19a6d13db9d46cb3e?s=48 kyliehavelock
0
150
Laravel.shibuyaで改善してきた IRT勉強会の運営方法について / IRT Study Session Improved Through Laravel Shibuya
F2ab92715fdcc539883d13af4b804ec1?s=48 fendo181
0
150
Strategyパターン
65389cd2b6fdc531dcc4af999e864593?s=48 hankehly
0
170
データ分析基盤のはじめかた
69a81d6d4d66a348e72f7a28b265fdbe?s=48 chanyou0311
0
130
Rethinking how distributed applications are built
08701c3eabe85450809695cf290ef675?s=48 tillrohrmann
0
130

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
261
25k
Code Reviewing Like a Champion
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
506
37k
The Brand Is Dead. Long Live the Brand.
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
46
2.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
88f4e84b94fe07cddbd9e6479d689192?s=48 soudai
39
13k
Designing Experiences People Love
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
130
22k
In The Pink: A Labor of Love
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
131
21k
The Web Native Designer (August 2011)
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.9k
Done Done
282d599b414022eba5096510f675b6e2?s=48 chrislema
174
14k
Rails Girls Zürich Keynote
24fc194843a71f10949be18d5a692682?s=48 gr2m
86
12k
Building Applications with DynamoDB
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
83
4.7k
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k
Gamification - CAS2011
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
75
3.9k

Transcript

  1. Hacking Front-End Apps Alex Sexton

  2. I work at .

  3. which is in . California

  4. but…

  5. I live in . Texas

  6. The web has a lot in common with Texas.

  7. “The wild west.”

  8. In 1985, Texas had a problem.

  9. None

  10. Littering

  11. Some Texans defended their “God-given right to litter.”

  12. ಠ_ಠ

  13. There were fines for littering.

  14. photo by Curtis Gregory Perry

  15. But no one seemed to care.

  16. The state tried some slogans.

  17. None

  18. But these slogans apparently did not resonate with the core

    offenders

  19. Males 18-24 “Bubbas in Pickup Trucks”

  20. In 1985 Texas tried a new campaign:

  21. None

  22. The campaign reduced litter on Texas highways ! 72% !

    from 1986 to 1990.

  23. My point is…

  24. “Hey everyone, you should make your websites more secure because

    it’s important.” ! Probably isn’t going to do the trick.

  25. DON’T! MESS! WITH! XSS Also probably won’t work.

  26. Web developers, not security researchers, are the core audience.

  27. Web security is hard.

  28. “All you have to do is never make a single

    mistake.” - I Think Mike West

  29. “I discount the probability of perfection.” - Alex Russell

  30. Content Injection

  31. None
  32. None
  33. None

  34. Everyone has a friend that always seems to pick “<script>alert(‘hacked!’);</script>”

      as their username.

  35. My User Agent

  36. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

  37. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

  38. ಠ_ಠ

  39. Samy

  40. None
  41. None
  42. None

  43. ಠ_ಠ

  44. So let’s just detect malicious scripts!

  45. None

  46. alert(1)

  47. The Billy Hoffman Whitespace Attack <script>   ! </script>

  48. The Billy Hoffman Whitespace Attack <script>   ! </script> Malicious

    Code

  49. The Billy Hoffman Whitespace Attack <script>   ! </script> tab

    tab tab space space

  50. The Billy Hoffman Whitespace Attack <script>   ! </script> 1

    1 1 0 0

  51. You cannot detect malicious code.

  52. output.replace(/<script>/, ‘’);

  53. CSS Hacks

  54. Old School

  55. None

  56. Link Visited Link getComputedStyle( getComputedStyle( ) ) === \o\|o|/o/ Pretty

    much People Celebrating (or screaming on fire)

  57. Timing Attacks

  58. Security by Inaccuracy

  59. requestAnimationFrame + :visited = ಠ_ಠ

  60. requestAnimationFrame + :visited = ಠ_ಠ

  61. requestAnimationFrame + :visited = ಠ_ಠ

  62. Link Visited Link

  63. Link Visited Link <16ms >60ms Time to render

  64. JSON-P

  65. MORE LIKE JSON-Pretty-Insecure

  66. “I’d really like it if someone could run arbitrary dynamic

    scripts on my page” - JSONP Users

  67. You wouldn’t do this.

  68. So don’t do this.

  69. A Leak In The Response

  70. YouProbablyShouldUseCORS.tumblr.com

  71. enable-cors.org

  72. Try to say CROSS SITE! REQUEST FORGERY 5 times fast.

  73. Set-Cookie ‘csrf=0003’

  74. Set-Cookie ‘csrf=0003’

  75. None
  76. None
  77. None

  78. It gets worse.

  79. Contextis White Paper

  80. Cross-Domain Data Snooping via SVG Filters and OCR

  81. None

  82. ಠ_ಠ

  83. We need a new approach.

  84. Content Security Policy

  85. None

  86. Disallow Inline JS, CSS By Default!

  87. Disallow eval By Default!

  88. Disallow Cross Domain JS, CSS, IMG, Fonts

  89. Report Violations!

  90. None

  91. A White List That’s the key!

  92. Good Security Goes Beyond Content Injection

  93. <iframe sandbox>

  94. HTTPS Everywhere

  95. HTTPS Everywhere

  96. HTTPS Only

  97. 301 Redirect http

  98. https HSTS

  99. Frame Busting

  100. Disallow as an iFrame X-Frame-Options

  101. It’s “security by default.” At least much closer…

  102. You can rely a little less on being perfect.

  103. it only matters if everyone buys in. But

  104. We need our own slogan.

  105. We need developers to take pride in making secure applications.

  106. Don’t Mess With The Web

  107. ಠ_ಠ

  108. Let’s do something about it together.

  109. Thanks! @SlexAxton Special Thanks To: Mike West * 1000 Adam

    Baldwin Contextis MDN