HTML5 Security
![Page 1: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/1.jpg)
<!doctype html>
SECURITY
beyond the attack vectors
Ville Säävuori · OWASP Helsinki · 15.6.2011
![Page 2: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/2.jpg)
I AM NOT A SECURITY EXPERT (But a Web Developer :)
![Page 3: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/3.jpg)
<!doctype html>
![Page 4: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/4.jpg)
html
![Page 5: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/5.jpg)
• API Metering
• Backups & Snapshots
• Counters
• Cloud/Cluster Management Tools
• Instrumentation/Monitoring
• Failover
• Node addition/removal and hashing
• Auto-scaling for cloud resources
• CSRF/XSS Protection
• Data Retention/Archival
• Deployment Tools
• Multiple Devs, Staging, Prod
• Data model upgrades
• Rolling deployments
• Multiple versions (selective beta)
• Bucket Testing
• Rollbacks
• CDN Management
• Distributed File Storage
• Distributed Log storage, analysis
• Graphing
• HTTP Caching
• Input/Output Filtering
• Memory Caching
• Non-relational Key Stores
• Rate Limiting
• Relational Storage
• Queues
• Rate Limiting
• Real-time messaging (XMPP)
• Search
• Ranging
• Geo
• Sharding
• Smart Caching
• Dirty-table management
http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites
![Page 6: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/6.jpg)
![Page 7: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/7.jpg)
![Page 8: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/8.jpg)
complex
http://www.flickr.com/photos/stuckincustoms/5069047950/
![Page 9: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/9.jpg)
![Page 10: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/10.jpg)
what is it?
![Page 11: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/11.jpg)
Markup like Guido intended it.
![Page 12: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/12.jpg)
Markup like ~~Guido~~ Tim intended it.
![Page 13: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/13.jpg)
Not Just Markup
anymore.
![Page 14: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/14.jpg)
security
![Page 15: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/15.jpg)
<audio> <video>
<footer>
<header>
<canvas>
![Page 16: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/16.jpg)
<audio>
![Page 17: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/17.jpg)
<audio src='foo.mp4' preload='auto'>
![Page 18: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/18.jpg)
<input type='email' required pattern='.*@syneus\.fi'>
Client-side only: the browser enforces `required` and `pattern` for people using a browser, but anyone can submit the form without them, so the server has to repeat the check.
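Added example (not from the slides): the browser compiles a `pattern` attribute as `^(?:pattern)$`, so it has to match the whole value. A server-side port that copies the regex without the anchors accepts values the browser would have rejected, and the browser check is skipped entirely by a hand-made request. The sample inputs are constructed; the pattern is the one from the slide.

```javascript
// Constructed: the pattern from the slide's <input>, as a JS string.
const SLIDE_PATTERN = '.*@syneus\\.fi';

// Mirror of how the browser compiles the pattern attribute: anchored, whole-value.
function compileHtmlPattern(pattern) {
  return new RegExp('^(?:' + pattern + ')$', 'u');
}

// Naive server-side port: same regex, no anchors. Kept only to show the gap.
function naiveServerAccepts(value) {
  return new RegExp(SLIDE_PATTERN).test(value);
}

// Server-side check with the same semantics as the browser, plus the checks
// `required` implies (non-empty) and a newline reject (header injection).
function serverAccepts(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (/[\r\n]/.test(value)) return false;
  return compileHtmlPattern(SLIDE_PATTERN).test(value);
}

// Constructed inputs: what a user types vs. what an attacker posts directly.
const SAMPLES = [
  'ville@syneus.fi',                        // legitimate
  'ville@syneus.fi.evil.example',           // passes the unanchored regex
  'ville@syneus.fi\nBcc: x@evil.example',   // header injection attempt
  '',                                       // `required` would have stopped this
];

// Side-by-side verdicts for each sample.
function compare() {
  return SAMPLES.map((v) => ({
    value: v,
    naive: naiveServerAccepts(v),
    strict: serverAccepts(v),
  }));
}
```

`naiveServerAccepts` says yes to the second and third sample because `.*@syneus\.fi` only has to occur somewhere in the string; `serverAccepts` rejects both.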
![Page 19: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/19.jpg)
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2011 17:45:00 GMT
Server: Nginx/1.0.4
Access-Control-Allow-Origin: http://syneus.fi
One exact origin. Echoing whatever `Origin` the request carried, or sending `*` together with credentials, lets any site read authenticated responses cross-origin.
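Added example (not from the slides): choosing the `Access-Control-Allow-Origin` value when more than one origin is legitimate. The allowlist and header shapes are assumptions for the example; header names are lower-cased as Node's `http` module presents them.

```javascript
// Constructed allowlist. Exact origins (scheme + host + port), nothing else.
const ALLOWED_ORIGINS = new Set([
  'http://syneus.fi',
  'https://syneus.fi',
  'https://app.syneus.fi',
]);

// CORS response headers for a request, or {} when the Origin is not trusted
// (the browser then refuses to expose the response to the calling page).
function corsHeadersFor(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];
  // No Origin header: same-origin or non-CORS request, nothing to add.
  if (!origin) return {};
  // Exact match only. endsWith('syneus.fi') or a prefix match is what lets
  // http://syneus.fi.evil.example or http://evilsyneus.fi through. The opaque
  // origin "null" (sandboxed frames, file://) is never on the list either.
  if (!allowed.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The value depends on the request, so shared caches must key on Origin.
    'Vary': 'Origin',
  };
}

// The anti-pattern, kept for contrast: reflects any Origin, with credentials.
function reflectingCorsHeaders(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

With `reflectingCorsHeaders`, a page on `http://evil.example` that calls the API with `withCredentials` gets the logged-in user's data back; with `corsHeadersFor` it gets an opaque failure.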
![Page 20: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/20.jpg)
local storage
localStorage.setItem('name', 'Hello World!');
Readable and writable by every script running in the same origin (scheme, host, port), and it never expires on its own: one XSS bug exposes all of it. Don't keep session tokens there, and treat whatever you read back as untrusted input.
![Page 21: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/21.jpg)
Web Forms 2.0
![Page 22: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/22.jpg)
SVG
![Page 23: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/23.jpg)
CSS3
div > p:last-of-type { ... }
![Page 24: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/24.jpg)
GeoLocation
navigator.geolocation.getCurrentPosition(show_map);
![Page 25: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/25.jpg)
<iframe sandbox="allow-scripts">
The framed document may run JavaScript but lives in a unique opaque origin ("null"): no access to the embedder's DOM, cookies or storage, no forms, no top-level navigation. Don't add `allow-same-origin` to a frame that is same-origin with the page: the framed script could then remove the sandbox attribute from its own iframe element.
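Added example (not from the slides): handling `postMessage()` events from a sandboxed frame. Because the frame's origin is the opaque "null", `event.origin` cannot distinguish it from any other sandboxed frame or `file://` page, so the embedder compares `event.source` against the window it created and validates `event.data` like any other untrusted input. The frame stand-in, command set and messages are constructed for the example.

```javascript
// Commands the embedder is willing to act on; anything else is dropped.
const ALLOWED_COMMANDS = new Set(['resize', 'ready']);

// Returns a handler bound to one trusted frame window and one callback.
function makeMessageHandler(trustedSource, onCommand) {
  return function handle(event) {
    // 1. Identity: the sender must be the window we embedded. event.origin is
    //    "null" for every sandboxed frame, so it cannot serve as the check.
    if (event.source !== trustedSource) return { accepted: false, reason: 'unknown source' };
    // 2. Shape: a structured object, never a string handed to eval/innerHTML.
    const msg = event.data;
    if (msg === null || typeof msg !== 'object') return { accepted: false, reason: 'bad shape' };
    if (!ALLOWED_COMMANDS.has(msg.type)) return { accepted: false, reason: 'unknown command' };
    // 3. Arguments: bounds-check before acting on them.
    if (msg.type === 'resize' &&
        !(Number.isInteger(msg.height) && msg.height > 0 && msg.height <= 4000)) {
      return { accepted: false, reason: 'bad height' };
    }
    onCommand(msg);
    return { accepted: true };
  };
}

// Constructed stand-in for sandboxedFrame.contentWindow; in a page it is the
// real Window object, compared by identity exactly as here.
const frameWindow = { name: 'sandboxed-frame' };
const received = [];
const handler = makeMessageHandler(frameWindow, (m) => received.push(m));

// Four constructed events, all carrying the same origin string "null".
function demo() {
  return [
    // Legitimate message from the frame we created.
    handler({ origin: 'null', source: frameWindow, data: { type: 'resize', height: 300 } }),
    // Some other "null"-origin window: same origin string, different source.
    handler({ origin: 'null', source: { name: 'attacker' }, data: { type: 'resize', height: 300 } }),
    // Right source, but a command the embedder never meant to expose.
    handler({ origin: 'null', source: frameWindow, data: { type: 'eval', code: 'alert(1)' } }),
    // Right source, absurd argument.
    handler({ origin: 'null', source: frameWindow, data: { type: 'resize', height: -1 } }),
  ];
}
```

Only the first event reaches `onCommand`. When the frame does have a real origin (no sandbox, or `allow-same-origin`), check `event.origin` against the expected value in addition to the `source` comparison, not instead of it.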
![Page 26: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/26.jpg)
in the wild
http://www.flickr.com/photos/sharkbait/2992242065/
![Page 27: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/27.jpg)
http://www.flickr.com/photos/rainbirder/5068808204/
common issues
![Page 28: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/28.jpg)
XSS
http://www.flickr.com/photos/rainbirder/5068808204/
![Page 29: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/29.jpg)
XSRF
http://www.flickr.com/photos/rainbirder/5068808204/
![Page 30: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/30.jpg)
SQL Injection
http://www.flickr.com/photos/rainbirder/5068808204/
![Page 31: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/31.jpg)
Clickjacking
http://www.flickr.com/photos/rainbirder/5068808204/
![Page 32: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/32.jpg)
ways to protect
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
![Page 33: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/33.jpg)
understand threats
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
![Page 34: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/34.jpg)
understand threats
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
no, really.
![Page 35: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/35.jpg)
sanitation
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
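Added example (not from the slides), tying the "sanitation" slide to the XSS slide above: output encoding has to match the context the value lands in. Escaping only `<` and `>` is fine for text between tags but not inside an attribute value, and neither helps for a URL in `href`. The template, payloads and base URL are constructed for the example.

```javascript
// Escaper for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Common but insufficient variant: strips tags, leaves quotes alone.
function escapeTagsOnly(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// href needs an allowlist, not escaping: javascript: survives escapeHtml intact.
// Relative links are resolved against a constructed base so the scheme is known.
function safeHref(url) {
  try {
    const u = new URL(url, 'https://syneus.fi/');
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return '#';
    return escapeHtml(u.href);
  } catch (e) {
    return '#';
  }
}

// A "profile card" with an untrusted display name and link; the escaper is a
// parameter so the two variants can be compared on the same payload.
function renderCard(name, link, escaper) {
  return '<a href="' + safeHref(link) + '" title="' + escaper(name) + '">' +
         escaper(name) + '</a>';
}

// The template has exactly two quoted attributes, so correct output contains
// exactly four raw double quotes; any other count means the value broke out.
function attributeBreakout(html) {
  return (html.match(/"/g) || []).length !== 4;
}

// Constructed payloads.
const ATTR_PAYLOAD = '" onmouseover="alert(1)';
const URL_PAYLOAD = 'javascript:alert(1)';
```

`renderCard(ATTR_PAYLOAD, 'https://syneus.fi/', escapeTagsOnly)` yields `title="" onmouseover="alert(1)"`, a handler the template never contained; the `escapeHtml` variant keeps the payload inside the quotes. Neither function is safe for values placed inside a `<script>` block or an inline event handler; keep untrusted data out of those contexts altogether.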
![Page 36: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/36.jpg)
test your code
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
![Page 37: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/37.jpg)
test your code
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
regularly.
![Page 38: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/38.jpg)
test your code
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
often.
![Page 39: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/39.jpg)
stay updated
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
![Page 40: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/40.jpg)
The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe,
or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”
— Sacramento Credit Union
![Page 41: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/41.jpg)
?
http://www.flickr.com/photos/remydwd/48898192/
![Page 42: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/42.jpg)
http://www.flickr.com/photos/amagill/51806161/
Best practices
![Page 43: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/43.jpg)
trust no one
http://www.flickr.com/photos/furryscalyman/673915993/
![Page 44: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/44.jpg)
use good tools
Let frameworks help you.
![Page 45: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/45.jpg)
but don’t trust them blindly
Again. Understand what you’re doing.
![Page 46: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/46.jpg)
use secure protocols
HTTPS over HTTP
![Page 47: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/47.jpg)
outsource
or
hire someone
but at least
use a checklist
![Page 48: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/48.jpg)
understand your users
Mere mortals don’t behave like nerds.
![Page 49: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/49.jpg)
educate them
Why is it important to have a good password?
![Page 50: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/50.jpg)
www.syneus.fi/aiheet/html5
html5sec.org
lyh.fi/web_security
MORE
![Page 51: HTML5 Security](https://reader033.fdocuments.net/reader033/viewer/2022052410/554e42b5b4c90518468b538a/html5/thumbnails/51.jpg)
Kiitos! (Thank you!)
Ville Säävuori
@uninen