Hacking Front-End Apps

Hacking Front-End Apps Alex Sexton

I work at .

which is in . California

but…

I live in . Texas

The web has a lot in common with Texas.

“The wild west.”

In 1985, Texas had a problem.

Littering

Some Texans defended their “God-given right to litter.”

ಠ_ಠ

There were ﬁnes for littering.

photo by Curtis Gregory Perry

But no one seemed to care.

The state tried some slogans.

But these slogans apparently did not resonate with the core
oﬀenders

Males 18-24 “Bubbas in Pickup Trucks”

In 1985 Texas tried a new campaign:

The campaign reduced litter on Texas highways ! 72% !
from 1986 to 1990.

My point is…

“Hey everyone, you should make your websites more secure because
it’s important.” ! Probably isn’t going to do the trick.

DON’T! MESS! WITH! XSS Also probably won’t work.

Web developers, not security researchers, are the core audience.

Web security is hard.

“All you have to do is never make a single
mistake.” - I Think Mike West

“I discount the probability of perfection.” - Alex Russell

Content Injection

Everyone has a friend that always seems to pick “<script>alert(‘hacked!’);</script>”
as their username.

My User Agent

My Friend, Mike Taylor’s User Agent Mozilla/5.0 (Macintosh; Intel Mac
OS X 10.9; rv:25.0) <script>alert(‘lol’);</script> Gecko/20100101 Firefox/25.0

ಠ_ಠ

So let’s just detect malicious scripts!

alert(1)

The Billy Hoﬀman Whitespace Attack <script> ! </script>

The Billy Hoﬀman Whitespace Attack <script> ! </script> Malicious
Code

The Billy Hoﬀman Whitespace Attack <script> ! </script> tab
tab tab space space

The Billy Hoﬀman Whitespace Attack <script> ! </script> 1
1 1 0 0

You cannot detect malicious code.

output.replace(/<script>/, ‘’);

CSS Hacks

Old School

Link Visited Link getComputedStyle( getComputedStyle( ) ) === \o\|o|/o/ Pretty
much People Celebrating (or screaming on ﬁre)

Timing Attacks

Security by Inaccuracy

requestAnimationFrame + :visited = ಠ_ಠ

Link Visited Link

Link Visited Link <16ms >60ms Time to render

JSON-P

MORE LIKE JSON-Pretty-Insecure

“I’d really like it if someone could run arbitrary dynamic
scripts on my page” - JSONP Users

You wouldn’t do this.

So don’t do this.

A Leak In The Response

YouProbablyShouldUseCORS.tumblr.com

enable-cors.org

Try to say CROSS SITE! REQUEST FORGERY 5 times fast.

Set-Cookie ‘csrf=0003’

It gets worse.

Contextis White Paper

Cross-Domain Data Snooping via SVG Filters and OCR

ಠ_ಠ

We need a new approach.

Content Security Policy

Disallow Inline JS, CSS By Default!

Disallow eval By Default!

Disallow Cross Domain JS, CSS, IMG, Fonts

Report Violations!

A White List That’s the key!

Good Security Goes Beyond Content Injection

HTTPS Everywhere

HTTPS Only

301 Redirect http

https HSTS

Frame Busting

Disallow as an iFrame X-Frame-Options

It’s “security by default.” At least much closer…

You can rely a little less on being perfect.

it only matters if everyone buys in. But

We need our own slogan.

We need developers to take pride in making secure applications.

Don’t Mess With The Web

ಠ_ಠ

Let’s do something about it together.

Thanks! @SlexAxton Special Thanks To: Mike West * 1000 Adam
Baldwin Contextis MDN

Hacking Front-End Apps

Hacking Front-End Apps

More Decks by Alex Sexton

Other Decks in Technology

Featured

Transcript