Front End Web Security is hard. This deck goes through why there's no hope of patching every hole and suggests the opposite approach via whitelisting (old news, right?). It also suggests we try to make security sexier so more people buy in.
Practicing Safe Script
Alex Sexton
I work at .
which is in California.
but…
I live in Texas.
The web has a lot in common with Texas.
“The wild west.”
In 1985, Texas had a problem.
Littering
Some Texans defended their “God-given right to litter.”
ಠ_ಠ
There were fines for littering.
photo by Curtis Gregory Perry
But no one seemed to care.
The state tried some slogans.
But these slogans apparently did not resonate with the core offenders:
Males 18-24, “Bubbas in Pickup Trucks”
In 1985 Texas tried a new campaign:
The campaign reduced litter on Texas highways 72% from 1986 to 1990.
My point is…
“Hey everyone, you should make your websites more secure because it’s important.”
Probably isn’t going to do the trick.
DON’T MESS WITH XSS
Also probably won’t work.
Web developers, not security researchers, are the core audience.
Web security is hard.
“All you have to do is never make a single mistake.” - I think Mike West
“I discount the probability of perfection.” - Alex Russell
Content Injection
Everyone has a friend that always seems to pick “alert('hacked!');” as their username.
My User Agent
My friend Mike Taylor’s User Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) alert(‘lol’); Gecko/20100101 Firefox/25.0
Samy
So let’s just detect malicious scripts!
alert(1)
The Billy Hoffman Whitespace Attack

<br/>
<br/>

Malicious Code (hidden in the whitespace between the two tags)

tab tab tab space space
 1   1   1    0     0
You cannot detect malicious code.
output.replace(//, '');
<br/>
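The slides from the friend-with-the-alert-username through the whitespace attack make one argument: a filter that looks for "bad" input will always be one encoding behind. This added example (mine, not code from the deck or from Alex Sexton) shows a naive blacklist catching the obvious username, missing the same text once it is hidden in tabs and spaces the way the slides describe (tab = 1, space = 0, between two <br/> tags), and the output encoding that holds up without ever trying to recognise the attack. The username and the blacklist patterns are constructed for the demo.

```javascript
// Added example, not from the deck: why a blacklist "detector" cannot keep up,
// using the whitespace trick from the slides, and what holds up instead
// (encode untrusted data on output, then let CSP back you up).

// Constructed sample input: the username everyone's friend picks.
const UNTRUSTED_USERNAME = "alert('hacked!');";

// A naive blacklist of the kind the deck argues against (constructed patterns).
const BLACKLIST = [/<script/i, /alert\s*\(/i, /on\w+\s*=/i];
function looksMalicious(s) {
  return BLACKLIST.some((re) => re.test(s));
}

// Whitespace encoding as described on the slides: tab = 1, space = 0,
// eight bits per character, hidden between two <br/> tags. ASCII only.
function encodeInWhitespace(text) {
  let bits = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code > 255) throw new Error("ASCII-only demo");
    bits += code.toString(2).padStart(8, "0");
  }
  const whitespace = bits.replace(/1/g, "\t").replace(/0/g, " ");
  return `<br/>${whitespace}<br/>`;
}

// Recover the hidden text from the whitespace run between the two tags.
function decodeFromWhitespace(html) {
  const m = /<br\/>([ \t]*)<br\/>/.exec(html);
  if (!m) return null;
  const bits = m[1].replace(/\t/g, "1").replace(/ /g, "0");
  let out = "";
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    out += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
  }
  return out;
}

// The approach that does not depend on recognising the attack: treat every
// untrusted string as text and encode it for the HTML context it lands in.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderUserBadge(username) {
  return `<span class="user">${escapeHtml(username)}</span>`;
}

function demo() {
  const hidden = encodeInWhitespace(UNTRUSTED_USERNAME);
  return {
    plainCaught: looksMalicious(UNTRUSTED_USERNAME), // true
    hiddenCaught: looksMalicious(hidden),            // false: only <br/> and whitespace visible
    recovered: decodeFromWhitespace(hidden),         // the original string comes back intact
    safeHtml: renderUserBadge(UNTRUSTED_USERNAME),   // quotes encoded, nothing executable
  };
}

console.log(demo());
```

The deck's own one-liner above, stripping whitespace between tags, closes this particular channel, but it is still a blacklist of one encoding; `escapeHtml` is indifferent to how the input was dressed up, which is the point of the slides that follow.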
CSS Hacks
Old School
Link            Visited Link
getComputedStyle( ) === getComputedStyle( )
\o\ |o| /o/
Pretty much: People Celebrating (or screaming on fire)
Timing Attacks
Security by Inaccuracy
requestAnimationFrame + :visited = ಠ_ಠ
Link: <16ms        Visited Link: >60ms
(time to render)
Set-Cookie 'csrf=0003'
It gets worse.
Contextis White Paper: Cross-Domain Data Snooping via SVG Filters and OCR
We need a new approach.
Content Security Policy
Disallow Inline JS, CSS By Default!
Disallow eval By Default!
Disallow Cross Domain JS, CSS, IMG, Fonts
Report Violations!
A Whitelist. That’s the key!
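The five CSP slides above are a checklist: no inline script or style, no eval, no cross-domain scripts, styles, images or fonts, and a report endpoint. As an added example (mine, not from the deck), here is a small auditor that parses a Content-Security-Policy header value and flags each point where a policy falls short of that list. The two sample policies and the `/csp-report` path are constructed for the demo; `report-to` is accepted alongside `report-uri` because newer browsers use it.

```javascript
// Added example, not from the deck: a small Content-Security-Policy auditor
// that flags the settings these slides tell you to turn off.

// Fetch directives the deck wants limited to your own origin.
const FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "font-src"];

// Parse "name v1 v2; name2 v3" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Sources that keep execution on your own terms: same origin, nothing,
// or a specific nonce/hash (CSP 2 and later).
function isOwnSource(src) {
  return src === "'self'" || src === "'none'" || /^'(nonce|sha(256|384|512))-/.test(src);
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  if (!policy.has("default-src")) {
    findings.push("default-src missing: every directive you forget is wide open");
  }

  for (const directive of FETCH_DIRECTIVES) {
    // A missing directive falls back to default-src, so audit that instead.
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (!sources) {
      findings.push(`${directive}: no policy and no default-src to fall back on`);
      continue;
    }
    for (const src of sources) {
      if (src === "'unsafe-inline'") {
        findings.push(`${directive}: inline code allowed ('unsafe-inline')`);
      } else if (src === "'unsafe-eval'") {
        findings.push(`${directive}: eval allowed ('unsafe-eval')`);
      } else if (src.includes("*") || /:$/.test(src)) {
        // "*", "*.example.com", "https:" or "data:" all reach beyond your origin.
        findings.push(`${directive}: wildcard or scheme-wide source ${src}`);
      } else if (!isOwnSource(src)) {
        findings.push(`${directive}: cross-domain source ${src}`);
      }
    }
  }

  if (!policy.has("report-uri") && !policy.has("report-to")) {
    findings.push("no report-uri/report-to: violations will happen silently");
  }
  return findings;
}

// Constructed sample policies (hostnames and the report path are made up).
const WEAK_POLICY =
  "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com";
const STRICT_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; " +
  "font-src 'self'; report-uri /csp-report";

console.log(auditCsp(WEAK_POLICY));   // several findings
console.log(auditCsp(STRICT_POLICY)); // []
```

Run it against the header your server actually emits rather than the one you think it emits; the strict policy above is what "whitelist by default" looks like when written out, and every finding on the weak one maps to a slide in this section.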
Good Security Goes Beyond Content Injection
HTTPS Everywhere
HTTPS Only
301 Redirect: http → https
HSTS
Frame Busting
Disallow as an iFrame: X-Frame-Options
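The HTTPS-only, HSTS and X-Frame-Options slides describe one response policy: send http traffic a 301 to https, set Strict-Transport-Security on the https response, and refuse to be framed. As an added example (mine, not from the deck), here is a Node-style request handler that does exactly that, with the decision separated into `planResponse` so it can be checked without a socket. The canonical hostname, the one-year HSTS lifetime and the assumption that a reverse proxy forwards `X-Forwarded-Proto` are deployment choices made up for the demo.

```javascript
// Added example, not from the deck: a Node-style request handler that applies
// the transport defaults from these slides: a 301 from http to https, HSTS on
// the https response, and X-Frame-Options so the page cannot be framed.

const CANONICAL_HOST = "www.example.com"; // assumed deployment value
const HSTS_MAX_AGE = 365 * 24 * 60 * 60;  // one year, in seconds

// Was this request received over TLS? Direct TLS sets socket.encrypted; behind
// a reverse proxy we assume it forwards X-Forwarded-Proto (first value wins).
function isHttps(req) {
  if (req.socket && req.socket.encrypted) return true;
  const forwarded = String(req.headers["x-forwarded-proto"] || "");
  return forwarded.split(",")[0].trim().toLowerCase() === "https";
}

// Work out status, headers and body without touching the socket, so the
// decision is easy to test.
function planResponse(req) {
  if (!isHttps(req)) {
    // Redirect to the configured host, not to whatever Host header arrived,
    // so a forged Host cannot steer the redirect elsewhere.
    return {
      status: 301,
      headers: { Location: `https://${CANONICAL_HOST}${req.url}` },
      body: "",
    };
  }
  return {
    status: 200,
    headers: {
      // Browsers only honour HSTS on an https response, which is why it is set here.
      "Strict-Transport-Security": `max-age=${HSTS_MAX_AGE}; includeSubDomains`,
      // DENY refuses all framing; use SAMEORIGIN if you frame your own pages.
      "X-Frame-Options": "DENY",
      "Content-Type": "text/html; charset=utf-8",
    },
    body: "<!doctype html><p>secure by default</p>",
  };
}

// Drop-in for http.createServer(handler) and https.createServer(opts, handler).
function handler(req, res) {
  const plan = planResponse(req);
  res.writeHead(plan.status, plan.headers);
  res.end(plan.body);
}

// Stand-alone demo with fake request objects (no server is started here).
console.log(planResponse({ headers: { host: CANONICAL_HOST }, url: "/login", socket: {} }));
console.log(planResponse({ headers: { "x-forwarded-proto": "https" }, url: "/", socket: {} }));
```

Serve the same handler on both the plain and the TLS listener; the plain one only ever answers with the redirect, and once a browser has seen the HSTS header it stops asking over http at all.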
It’s “security by default.” At least much closer…
You can rely a little less on being perfect.
But it only matters if everyone buys in.
We need our own slogan.
We need developers to take pride in making secure applications.
Don’t Mess With The Web
Let’s do something about it together.
Thanks! @SlexAxton
Special Thanks To: Mike West * 1000, Adam Baldwin, Contextis, MDN