Hacking Front-End Apps

Alex Sexton
February 12, 2014

My talk on client side web security as given at the jQuery Conference 2014 in San Diego

Transcript

  1. Hacking Front-End Apps Alex Sexton

  2. I work at .

  3. which is in . California

  4. but…

  5. I live in . Texas

  6. The web has a lot in common with Texas.

  7. “The wild west.”

  8. In 1985, Texas had a problem.

  9. None
  10. Littering

  11. Some Texans defended their “God-given right to litter.”

  12. ಠ_ಠ

  13. There were fines for littering.

  14. photo by Curtis Gregory Perry

  15. But no one seemed to care.

  16. The state tried some slogans.

  17. None
  18. But these slogans apparently did not resonate with the core offenders.

  19. Males 18-24: “Bubbas in Pickup Trucks”

  20. In 1985 Texas tried a new campaign:

  21. None
  22. The campaign reduced litter on Texas highways 72% from 1986 to 1990.

  23. My point is…

  24. “Hey everyone, you should make your websites more secure because it’s important.” Probably isn’t going to do the trick.

  25. DON’T! MESS! WITH! XSS. Also probably won’t work.

  26. Web developers, not security researchers, are the core audience.

  27. Web security is hard.

  28. “All you have to do is never make a single mistake.” - I think Mike West

  29. “I discount the probability of perfection.” - Alex Russell

  30. Content Injection

  31. None
  32. None
  33. None
  34. Everyone has a friend that always seems to pick "<script>alert('hacked!');</script>" as their username.

  35. My User Agent

  36. My Friend, Mike Taylor’s User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) <script>alert('lol');</script> Gecko/20100101 Firefox/25.0

  37. My Friend, Mike Taylor’s User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) <script>alert('lol');</script> Gecko/20100101 Firefox/25.0
  38. ಠ_ಠ

  39. Samy

  40. None
  41. None
  42. None
  43. ಠ_ಠ

  44. So let’s just detect malicious scripts!

  45. None
  46. alert(1)

  47. The Billy Hoffman Whitespace Attack: <script>   </script>

  48. The Billy Hoffman Whitespace Attack: <script>   </script> (the whitespace between the tags is the malicious code)

  49. The Billy Hoffman Whitespace Attack: <script>   </script> tab tab tab space space

  50. The Billy Hoffman Whitespace Attack: <script>   </script> 1 1 1 0 0
  51. You cannot detect malicious code.

  52. output.replace(/<script>/, '');

  53. CSS Hacks

  54. Old School

  55. None
  56. Link / Visited Link: getComputedStyle( ) === getComputedStyle( )? \o\|o|/o/ Pretty much people celebrating (or screaming on fire)
  57. Timing Attacks

  58. Security by Inaccuracy

  59. requestAnimationFrame + :visited = ಠ_ಠ

  60. requestAnimationFrame + :visited = ಠ_ಠ

  61. requestAnimationFrame + :visited = ಠ_ಠ

  62. Link Visited Link

  63. Link Visited Link <16ms >60ms Time to render

  64. JSON-P

  65. MORE LIKE JSON-Pretty-Insecure

  66. “I’d really like it if someone could run arbitrary dynamic scripts on my page” - JSONP Users
  67. You wouldn’t do this.

  68. So don’t do this.

  69. A Leak In The Response

  70. YouProbablyShouldUseCORS.tumblr.com

  71. enable-cors.org

  72. Try to say CROSS SITE! REQUEST FORGERY 5 times fast.

  73. Set-Cookie ‘csrf=0003’

  74. Set-Cookie ‘csrf=0003’

  75. None
  76. None
  77. None
  78. It gets worse.

  79. Contextis White Paper

  80. Cross-Domain Data Snooping via SVG Filters and OCR

  81. None
  82. ಠ_ಠ

  83. We need a new approach.

  84. Content Security Policy

  85. None
  86. Disallow Inline JS, CSS By Default!

  87. Disallow eval By Default!

  88. Disallow Cross Domain JS, CSS, IMG, Fonts

  89. Report Violations!

  90. None
  91. A White List That’s the key!

  92. Good Security Goes Beyond Content Injection

  93. <iframe sandbox>

  94. HTTPS Everywhere

  95. HTTPS Everywhere

  96. HTTPS Only

  97. 301 Redirect http -> https

  98. HSTS

  99. Frame Busting

  100. Disallow as an iFrame X-Frame-Options

  101. It’s “security by default.” At least much closer…

  102. You can rely a little less on being perfect.

  103. But it only matters if everyone buys in.

  104. We need our own slogan.

  105. We need developers to take pride in making secure applications.

  106. Don’t Mess With The Web

  107. ಠ_ಠ

  108. Let’s do something about it together.

  109. Thanks! @SlexAxton. Special Thanks To: Mike West (× 1000), Adam Baldwin, Contextis, MDN