Practicing Safe Script

Alex Sexton
December 03, 2013

Front End Web Security is hard. This deck goes through why there's no hope of patching every hole and suggests the opposite approach via whitelisting (old news, right?). Also suggests we try to make security sexier so more people buy-in.

Transcript

  1. Practicing Safe Script
    Alex Sexton

  2. I work at .

  3. which is in .
    California

  4. but…

  5. I live in .
    Texas

  6. The web has a lot in common with Texas.

  7. “The wild west.”

  8. In 1985, Texas had a problem.

  9. (image-only slide)

  10. Littering

  11. Some Texans defended their “God-given right to litter.”

  12. ಠ_ಠ

  13. There were fines for littering.

  14. photo by Curtis Gregory Perry

  15. But no one seemed to care.

  16. The state tried some slogans.

  17. (image-only slide)

  18. But these slogans apparently did not resonate with the core offenders

  19. Males 18-24
    “Bubbas in Pickup Trucks”

  20. In 1985 Texas tried a new campaign:

  21. (image-only slide)

  22. The campaign reduced litter on Texas highways 72% from 1986 to 1990.

  23. My point is…

  24. “Hey everyone, you should make your websites more secure because it’s important.”
    Probably isn’t going to do the trick.

  25. DON’T! MESS! WITH! XSS
    Also probably won’t work.

  26. Web developers, not security researchers, are the core audience.

  27. Web security is hard.

  28. “All you have to do is never make a single mistake.”
    - I Think Mike West

  29. “I discount the probability of perfection.”
    - Alex Russell
  30. Content Injection

  31. (image-only slide)

  32. (image-only slide)

  33. (image-only slide)

  34. Everyone has a friend that always seems to pick “alert('hacked!');” as their username.

  35. My User Agent

  36. My Friend, Mike Taylor’s User Agent
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) alert('lol'); Gecko/20100101 Firefox/25.0

  37. My Friend, Mike Taylor’s User Agent
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) alert('lol'); Gecko/20100101 Firefox/25.0

  38. ಠ_ಠ

  39. Samy

  40. (image-only slide)

  41. (image-only slide)

  42. (image-only slide)

  43. ಠ_ಠ

  44. So let’s just detect malicious scripts!

  45. (image-only slide)

  46. alert(1)

  47. The Billy Hoffman Whitespace Attack

  48. The Billy Hoffman Whitespace Attack
    Malicious Code

  49. The Billy Hoffman Whitespace Attack
    tab
    tab tab
    space space

  50. The Billy Hoffman Whitespace Attack
    1
    1 1
    0 0

  51. You cannot detect malicious code.

  52. output.replace(//, '');
  53. CSS Hacks

  54. Old School

  55. (image-only slide)

  56. Link / Visited Link
    getComputedStyle( ) === getComputedStyle( )
    \o\|o|/o/ Pretty much people celebrating (or screaming on fire)

  57. Timing Attacks

  58. Security by Inaccuracy

  59. requestAnimationFrame + :visited = ಠ_ಠ

  60. requestAnimationFrame + :visited = ಠ_ಠ

  61. requestAnimationFrame + :visited = ಠ_ಠ

  62. Link / Visited Link

  63. Link / Visited Link
    Time to render: <16ms / >60ms

  64. Set-Cookie 'csrf=0003'

  65. (image-only slide)

  66. (image-only slide)

  67. (image-only slide)

  68. It gets worse.

  69. Contextis White Paper

  70. Cross-Domain Data Snooping via SVG Filters and OCR

  71. (image-only slide)

  72. ಠ_ಠ

  73. We need a new approach.

  74. Content Security Policy

  75. (image-only slide)
  76. Disallow Inline JS, CSS By Default!

  77. Disallow eval By Default!

  78. Disallow Cross Domain JS, CSS, IMG, Fonts

  79. Report Violations!

  80. (image-only slide)

  81. A White List
    That’s the key!
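The four CSP slides above (no inline JS/CSS, no eval, no cross-domain resources unless listed, report violations) describe one header. The code below is an added example, not part of the deck and not the talk's own code: it builds that whitelist-style Content-Security-Policy from an explicit allow list, refuses the keywords that would re-open the holes, and parses a policy back so it can be audited. The origins, the /csp-report path and the isAllowed matcher (exact origin only; it ignores scheme-only and wildcard sources) are constructed assumptions for illustration.

```javascript
// Added example, not from the deck: build a Content-Security-Policy header
// from an explicit whitelist, following the deck's defaults (no inline JS/CSS,
// no eval, no cross-domain resources unless listed, violations reported), and
// audit a policy string. All origins and the /csp-report path are constructed
// placeholders.

// Keywords that re-open the holes CSP closes by default; the builder refuses them.
const FORBIDDEN_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", "*"]);

function buildCsp(allow = {}, reportUri = "/csp-report") {
  // Every fetch directive starts at 'self'; anything else must be listed explicitly.
  const directives = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "font-src": ["'self'"],
    "object-src": ["'none'"], // plugins are off entirely
  };
  for (const [directive, origins] of Object.entries(allow)) {
    if (!(directive in directives)) {
      throw new Error(`unknown directive: ${directive}`);
    }
    for (const origin of origins) {
      if (FORBIDDEN_SOURCES.has(origin)) {
        throw new Error(`${origin} defeats the whitelist in ${directive}`);
      }
      directives[directive].push(origin);
    }
  }
  const parts = Object.entries(directives).map(([name, list]) => `${name} ${list.join(" ")}`);
  parts.push(`report-uri ${reportUri}`); // browsers POST violation reports here
  return parts.join("; ");
}

// Parse a policy string back into { directive: [sources] } so it can be audited.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Sources that govern a directive: its own list, else default-src's list.
function sourcesFor(policy, directive) {
  return policy[directive] || policy["default-src"] || [];
}

// True if the policy still lets inline script or eval run.
function allowsInlineOrEval(header) {
  const script = sourcesFor(parseCsp(header), "script-src");
  return script.some((s) => FORBIDDEN_SOURCES.has(s));
}

// Would a resource at `url` load under `directive`, given the page's own origin?
// Simplified matcher (constructed): exact origin match or 'self' only.
function isAllowed(header, directive, url, selfOrigin) {
  const origin = new URL(url).origin;
  return sourcesFor(parseCsp(header), directive).some(
    (src) => src === origin || (src === "'self'" && origin === selfOrigin)
  );
}
```

A typical call is buildCsp({ "script-src": ["https://cdn.example.com"] }), which yields a policy where only the page's own origin and that CDN may run script and nothing may run inline; allowsInlineOrEval() is the check to run over an existing header before trusting it, since a single 'unsafe-inline' in script-src puts the "alert('lol')" username right back in play.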

  82. Good Security Goes Beyond Content Injection

  83. (image-only slide)

  84. HTTPS Everywhere

  85. HTTPS Everywhere

  86. HTTPS Only

  87. http: 301 Redirect

  88. https: HSTS

  89. Frame Busting

  90. Disallow as an iFrame
    X-Frame-Options
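Slides 86 to 90 are one procedure: redirect http to https with a 301, set HSTS on the https response, and send X-Frame-Options. The code below is an added example, not from the deck: respond() is the server side as pure functions over a minimal request object, and rememberHsts()/shouldUpgrade() model the browser's HSTS cache so the effect of the header can be checked offline. The host names, the one-year max-age and the request shape { scheme, host, path } are constructed assumptions.

```javascript
// Added example, not from the deck: the "HTTPS only" and frame-busting slides as
// pure functions. respond() is the server side (301 off http, then HSTS and
// X-Frame-Options over https); rememberHsts()/shouldUpgrade() model the browser's
// HSTS cache so the effect of the header can be checked. Host names are constructed.

const ONE_YEAR = 31536000; // HSTS max-age in seconds (constructed choice)

// Server side. req is { scheme, host, path }.
function respond(req) {
  if (req.scheme === "http") {
    // Never serve content over http: permanent redirect to the https URL.
    return { status: 301, headers: { Location: `https://${req.host}${req.path}` } };
  }
  return {
    status: 200,
    headers: {
      // HSTS: the browser rewrites http:// to https:// for this host (and subdomains)
      // for the next year, so the 301 hop above is only ever taken once.
      "Strict-Transport-Security": `max-age=${ONE_YEAR}; includeSubDomains`,
      // Refuse to be embedded in any frame, which removes the clickjacking surface.
      "X-Frame-Options": "DENY",
    },
  };
}

// Browser side: parse the HSTS header value.
function parseHsts(value) {
  const policy = { maxAge: 0, includeSubDomains: false };
  for (const directive of value.split(";")) {
    const d = directive.trim().toLowerCase();
    if (d.startsWith("max-age=")) {
      policy.maxAge = parseInt(d.slice("max-age=".length), 10) || 0;
    } else if (d === "includesubdomains") {
      policy.includeSubDomains = true;
    }
  }
  return policy;
}

// Browser side: update the HSTS cache from a response. Browsers ignore the header
// unless it arrived over https, which is why respond() only sets it there.
function rememberHsts(cache, req, res, nowMs) {
  const value = res.headers["Strict-Transport-Security"];
  if (req.scheme !== "https" || !value) return cache;
  const { maxAge, includeSubDomains } = parseHsts(value);
  if (maxAge === 0) {
    delete cache[req.host]; // max-age=0 is how a site withdraws HSTS
  } else {
    cache[req.host] = { expiresMs: nowMs + maxAge * 1000, includeSubDomains };
  }
  return cache;
}

// Browser side: should an http:// request to host be rewritten to https:// ?
// Walks up the parent domains so includeSubDomains entries apply.
function shouldUpgrade(cache, host, nowMs) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = cache[labels.slice(i).join(".")];
    if (entry && entry.expiresMs > nowMs && (i === 0 || entry.includeSubDomains)) {
      return true;
    }
  }
  return false;
}
```

The model makes the gap in the procedure visible: the very first visit still goes over http and takes the 301, and nothing the server sends on that http response teaches the browser anything; only once an https response has carried the HSTS header does shouldUpgrade() start returning true, and then for subdomains too because of includeSubDomains. DENY is the strictest X-Frame-Options value; SAMEORIGIN is the alternative when the site frames itself.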

  91. It’s “security by default.” At least much closer…

  92. You can rely a little less on being perfect.

  93. But it only matters if everyone buys in.

  94. We need our own slogan.

  95. We need developers to take pride in making secure applications.

  96. Don’t Mess With The Web

  97. ಠ_ಠ

  98. Let’s do something about it together.

  99. Thanks!
    @SlexAxton
    Special Thanks To:
    Mike West * 1000
    Adam Baldwin
    Contextis
    MDN