Practicing Safe Script

Transcript

1. Practicing Safe Script
   Alex Sexton
   

   View Slide

2. I work at .
   

   View Slide

3. which is in .
   California
   

   View Slide

4. but…
   

   View Slide

5. I live in .
   Texas
   

   View Slide

6. The web has a lot in
   common with Texas.
   

   View Slide

7. “The wild west.”
   

   View Slide

8. In 1985, Texas had a problem.
   

   View Slide

9. View Slide

10. Littering
    

    View Slide

11. Some Texans defended their
    “God-given right to litter.”
    

    View Slide

12. ಠ_ಠ
    

    View Slide

13. There were fines for littering.
    

    View Slide

14. photo by Curtis Gregory Perry
    

    View Slide

15. But no one seemed to care.
    

    View Slide

16. The state tried some slogans.
    

    View Slide

17. View Slide

18. But these slogans apparently
    did not resonate with
    the core offenders
    

    View Slide

19. Males 18-24
    “Bubbas in Pickup Trucks”
    

    View Slide

20. In 1985 Texas tried
    a new campaign:
    

    View Slide

21. View Slide

22. The campaign reduced litter
    on Texas highways
    !
    72%
    !
    from 1986 to 1990.
    

    View Slide

23. My point is…
    

    View Slide

24. “Hey everyone, you should make your
    websites more secure because it’s important.”
    !
    Probably isn’t going to do the trick.
    

    View Slide

25. DON’T!
    MESS!
    WITH!
    XSS
    Also probably
    won’t work.
    

    View Slide

26. Web developers,
    not security researchers,
    are the core audience.
    

    View Slide

27. Web security is hard.
    

    View Slide

28. “All you have to do is never
    make a single mistake.”
    - I Think Mike West
    

    View Slide

29. “I discount the probability
    of perfection.”
    - Alex Russell
    

    View Slide

30. Content Injection
    

    View Slide

31. View Slide

32. View Slide

33. View Slide

34. Everyone has a friend that
    always seems to pick
    “alert(‘hacked!’);”  
    as their username.
    

    View Slide

35. My User Agent
    

    View Slide

36. My Friend, Mike Taylor’s User Agent
    Mozilla/5.0  (Macintosh;  Intel  Mac  OS  X  10.9;  
    rv:25.0)  alert(‘lol’);  Gecko/20100101  
    Firefox/25.0
    

    View Slide

37. My Friend, Mike Taylor’s User Agent
    Mozilla/5.0  (Macintosh;  Intel  Mac  OS  X  10.9;  
    rv:25.0)  alert(‘lol’);  Gecko/20100101  
    Firefox/25.0
    

    View Slide

38. ಠ_ಠ
    

    View Slide

39. Samy
    

    View Slide

40. View Slide

41. View Slide

42. View Slide

43. ಠ_ಠ
    

    View Slide

44. So let’s just detect
    malicious scripts!
    

    View Slide

45. View Slide

46. alert(1)
    

    View Slide

47. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    

    View Slide

48. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    Malicious Code
    

    View Slide

49. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    tab
    tab tab
    space space
    

    View Slide

50. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    1
    1 1
    0 0
    

    View Slide

51. You cannot detect
    malicious code.
    

    View Slide

52. output.replace(//, ‘’);<br/>

    View Slide

53. CSS Hacks
    

    View Slide

54. Old School
    

    View Slide

55. View Slide

56. Link Visited Link
    getComputedStyle( getComputedStyle( )
    ) ===
    \o\|o|/o/
    Pretty much
    People Celebrating
    (or screaming on fire)
    

    View Slide

57. Timing Attacks
    

    View Slide

58. Security by Inaccuracy
    

    View Slide

59. requestAnimationFrame + :visited = ಠ_ಠ
    

    View Slide

60. requestAnimationFrame + :visited = ಠ_ಠ
    

    View Slide

61. requestAnimationFrame + :visited = ಠ_ಠ
    

    View Slide

62. Link Visited Link
    

    View Slide

63. Link Visited Link
    <16ms
    >60ms
    Time to render
    

    View Slide

64. Set-Cookie ‘csrf=0003’
    

    View Slide

65. View Slide

66. View Slide

67. View Slide

68. It gets worse.
    

    View Slide

69. Contextis White Paper
    

    View Slide

70. Cross-Domain Data Snooping
    via SVG Filters and OCR
    

    View Slide

71. View Slide

72. ಠ_ಠ
    

    View Slide

73. We need a new approach.
    

    View Slide

74. Content
    Security
    Policy
    

    View Slide

75. View Slide

76. Disallow Inline JS, CSS
    By Default!
    

    View Slide

77. Disallow eval
    By Default!
    

    View Slide

78. Disallow Cross Domain
    JS, CSS, IMG, Fonts
    

    View Slide

79. Report Violations!
    

    View Slide

80. View Slide

81. A White List
    That’s the key!
    

    View Slide

82. Good Security Goes
    Beyond Content Injection
    

    View Slide

83. 
    

    View Slide

84. HTTPS Everywhere
    

    View Slide

85. HTTPS Everywhere
    

    View Slide

86. HTTPS Only
    

    View Slide

87. 301 Redirect
    http
    

    View Slide

88. https
    HSTS
    

    View Slide

89. Frame Busting
    

    View Slide

90. Disallow as
    an iFrame
    X-Frame-Options
    

    View Slide

91. It’s “security by default.”
    At least much
    closer…
    

    View Slide

92. You can rely a little less on
    being perfect.
    

    View Slide

93. it only matters if
    everyone buys in.
    But
    

    View Slide

94. We need our own slogan.
    

    View Slide

95. We need developers to
    take pride in making
    secure applications.
    

    View Slide

96. Don’t Mess With The Web
    

    View Slide

97. ಠ_ಠ
    

    View Slide

98. Let’s do something about
    it together.
    

    View Slide

99. Thanks!
    @SlexAxton
    Special Thanks To:
    Mike West * 1000
    Adam Baldwin
    Contextis
    MDN
    

    View Slide