Web Security: A Primer for Developers
Transcript of Web Security: A Primer for Developers
Slide 1
Web Security: A Primer for Web App Developers. June 21, 2017
Mike North, Fluent Conf
© 2017, Mike Works, Inc. All Rights Reserved
Slide 2
Web Security MICHAEL L NORTH
Teaching developers from: Addepar, Apple, Buffer, Checkmate, Dollar Shave Club, Ericsson, Facebook, Freshbooks, Github, Google, Heroku, Intercom, Iora Health, LinkedIn, Microsoft, Netflix, Pagerduty, Pivotshare, Practice Fusion, Thoughtbot, Ticketfly, Travis-CI, Tumblr, Twitch, Yahoo, Zenefits
Slide 3
We have a BIG problem
• Features & Deadlines vs. Security
• Web Developers have fallen behind
• Attacks are escalating in severity
• Barriers to staging an attack are lower than ever
Slide 4
Our Strawman
[Mockup: Strawbank, signed in as [email protected]; ACCOUNTS / TRANSFERS tabs; Checking ****7890 $10,000; Savings ****1234 $8,000; address bar shows http://strawbank.com]
• Cookie-based "session" authentication
• List of accounts
• Ability to look up other accounts & transfer funds
Slide 5
The Hacks
NETWORK
• Man in the middle
• HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
• XSS
• CSRF
• Clickjacking
Slide 6 (ATTACK)
Man in the middle
[Diagram: client, "Starbucks WiFi", server; both hops labelled HTTP]
Slide 7 (ATTACK)
Man in the middle: Public WiFi is trusted forever by default
Slide 8 (ATTACK)
Man in the middle: WiFi devices broadcast what they're looking for
Slide 9 (ATTACK)
Man in the middle: Router as DNS
Slide 10 (ATTACK)
DNS Hijacking
Slide 11 (ATTACK)
Man in the middle
[Diagram: the network names "Starbucks WiFi" and "Airport Free WiFi", 💥💥💥]
Slide 12 (ATTACK)
Man in the middle: WiFi Pineapple
• Linux
• 2x WiFi cards
• High gain antennas
• "App store"
• 2000mW WiFi, 9dB antenna
Slides 13 and 14 (ATTACK)
Man in the middle (images only)
Slide 15
Let's say you've locked down WiFi
Slide 16 (ATTACK)
Femtocell
[Diagram: several phones 📱 attached to the femtocell]
Slide 17 (DEFENSE)
Man in the middle
[Mockup: the Strawbank accounts page (Checking ****7890 $10,000; Savings ****1234 $8,000) now served from https://strawbank.com 🔒]
• TLS not SSL
• Private key needed to read or alter request/response
• Getting a cert requires "Domain Validation"
Slide 18
~56% of the web uses HTTPS
[Chart: % of page loads over HTTPS vs. time]
Slide 19 (ATTACK)
Man in the Middle II
Slide 20
42%: After extensive data-driven improvement to Chrome warning messages, 42% of users ignore them instead of over 70% [2]
51%: Over 50% of users don't understand eavesdropping vs. malware risk factors [3]
44%: "...at least 44 percent of the top 382,860 SSL-enabled websites had certificates that would trigger warnings" [1]
[1] https://arstechnica.com/security/2009/07/benign-security-warnings-have-trained-users-to-ignore-them/
[2] https://adrifelt.github.io/sslinterstitial-chi.pdf
[3] http://lorrie.cranor.org/pubs/bridging-gap-warnings.pdf
Slide 21 (ATTACK)
SSLStrip
[Diagram: normally the client and Strawbank speak 🔒 HTTPS end to end; with the attacker in the path, the attacker keeps 🔒 HTTPS to Strawbank while the client's side is plain HTTP]
Begins with downgrade to HTTP
Slide 22 (ATTACK)
SSLStrip
[Diagram: client ⇄ attacker over HTTP, attacker ⇄ Strawbank over 🔒 HTTPS]
Client continues with HTTP, Server is unaware
Slide 23 (DEFENSE)
HTTP Strict Transport Security
Strict-Transport-Security: max-age=31536000; includeSubDomains
Do not allow plain HTTP
• Failure to include subdomains permits a broad range of cookie-related attacks
• There's still the issue of the first request
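An added example in JavaScript, not code from the talk: it parses a Strict-Transport-Security value and reports the two gaps this slide names, a missing includeSubDomains and the unprotected first request (which only preload closes). The one-year threshold and the function names are the example's own assumptions.

```javascript
// Added example (not from the talk): audit a Strict-Transport-Security header
// value against the caveats on the slide: missing includeSubDomains, and the
// first-request problem, which only the preload list closes.
const ONE_YEAR = 31536000; // assumption: treat anything under one year as weak

// Parse "max-age=31536000; includeSubDomains; preload" into an object.
// An unparseable max-age is recorded as null, since browsers then ignore the header.
function parseHsts(headerValue) {
  const directives = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof headerValue !== 'string') return directives;
  for (const rawPart of headerValue.split(';')) {
    const part = rawPart.trim();
    if (part === '') continue;
    const [name, value] = part.split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age') {
      const digits = (value || '').replace(/^"|"$/g, ''); // the value may be quoted
      directives.maxAge = /^\d+$/.test(digits) ? Number(digits) : null;
    } else if (key === 'includesubdomains') {
      directives.includeSubDomains = true;
    } else if (key === 'preload') {
      directives.preload = true;
    }
  }
  return directives;
}

// Return a list of findings; an empty list means the policy is fully locked down.
function auditHsts(headerValue) {
  if (headerValue === undefined || headerValue === null) {
    return ['no Strict-Transport-Security header: plain HTTP is still allowed'];
  }
  const findings = [];
  const d = parseHsts(headerValue);
  if (d.maxAge === null) findings.push('max-age missing or invalid: browsers ignore the header');
  else if (d.maxAge === 0) findings.push('max-age=0 clears the policy instead of enforcing it');
  else if (d.maxAge < ONE_YEAR) findings.push(`max-age=${d.maxAge} is under one year`);
  if (!d.includeSubDomains) {
    findings.push('includeSubDomains missing: an HTTP subdomain can still set cookies for the parent domain');
  }
  if (!d.preload) {
    findings.push('preload missing: the first request is unprotected until the policy is cached');
  }
  return findings;
}
```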
Slide 24 (DEFENSE)
HSTS Preload
Slide 25 (DEFENSE / WARNING)
HSTS
Slides 26 to 28 (WARNING)
Treat Certificates With Care!
Slide 29
The Hacks (outline)
NETWORK: Man in the middle; HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS: XSS; CSRF; Clickjacking
Slide 30 (ATTACK)
Cross-Site Scripting (XSS)
[Mockup: Strawbank transfer form at https://strawbank.com 🔒; From Acct: Mike's Checking; To Acct: Lisa's Savings; Amount: $8500; Transfer Funds button]
The "To Acct" dropdown is rendered from account names, and one account name carries a script tag:

```html
<select>
  <option value="1">Mike's Checking</option>
  <option value="2">Lisa's Savings</option>
  <option value="3">Elliot's Checking <script src="https://...totally-fine.js"></script></option>
</select>
```

Slide 31 (ATTACK)
Cross Site Scripting (XSS) (image only)
Slide 32 (DEFENSE)
Cross-Site Scripting (XSS)
[Mockup: the same transfer form; the injected markup now appears as inert text, <script src="http:, instead of executing]
• Escape all user input
• Use a view layer that has thorough built-in XSS protection
• Don't forget about styles too! e.g. <img src="javascript:alert('XSS!')" />
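An added example in JavaScript, not code from the talk: it renders the account dropdown from slide 30 with context-aware escaping, and shows why "escape all user input" is not enough for URL-valued attributes such as the img src on this slide, whose scheme must be checked as well. The account data and the totally-fine.js URL are constructed sample values.

```javascript
// Added example (not from the talk): escape untrusted data per context.
// Text nodes and attribute values need HTML escaping; a URL-valued attribute
// (src, href) also needs its scheme checked, or javascript: URLs get through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Allow only http(s) URLs; javascript:, data:, vbscript: and anything else
// collapse to about:blank. The scheme test runs on the raw value, the
// escaping on the survivor, so both protections apply.
function safeUrl(value) {
  const trimmed = String(value).trim();
  if (!/^https?:\/\//i.test(trimmed)) return 'about:blank';
  return escapeHtml(trimmed);
}

// Build the <select> from untrusted account names.
function renderAccountSelect(accounts) {
  const options = accounts.map(
    (a) => `<option value="${escapeHtml(a.id)}">${escapeHtml(a.name)}</option>`
  );
  return `<select name="destination">${options.join('')}</select>`;
}

// Render a user-supplied image URL (the case from the "styles too" bullet).
function renderAvatar(url, alt) {
  return `<img src="${safeUrl(url)}" alt="${escapeHtml(alt)}" />`;
}

// Constructed sample data mirroring slide 30: Elliot's name carries a script tag.
const accounts = [
  { id: 1, name: "Mike's Checking" },
  { id: 2, name: "Lisa's Savings" },
  { id: 3, name: 'Elliot\'s Checking <script src="https://example.invalid/totally-fine.js"></script>' },
];
```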
Slide 33 (WARNING)
Cross-Site Scripting (XSS)
• How confident are you in the XSS protection of your OSS libraries?
• How carefully do people scrutinize browser plugins?
• If XSS happens, what's your exposure?
Slides 34 and 35 (ATTACK)
Embedded Malware (images only)
Slide 36 (DEFENSE)
Embedded Malware: Never trust user-generated content
• Optimize all images (nearly always drops non-visual content)
• Avoid spreading "raw" attachments
• Limit file types for uploads
• Don't permit arbitrary HTML input
• Whitelist content that can be embedded
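An added example in JavaScript, not code from the talk: it enforces "limit file types for uploads" by sniffing the file's leading bytes rather than trusting the uploader-controlled filename or Content-Type, and refuses HTML even when it arrives labelled as an image. The allow-list, the 5 MiB cap and the sample files are the example's own assumptions.

```javascript
// Added example (not from the talk): accept an upload only when its magic
// bytes match an allow-listed type and agree with the extension and the
// declared Content-Type. The client controls name and Content-Type, so neither
// can grant acceptance on its own.
const SIGNATURES = [
  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { type: 'text/html', bytes: [0x3c, 0x68, 0x74, 0x6d, 0x6c] }, // "<html": sniffed so it can be refused
];
// Allow-list of content types and the extensions each may be stored under.
const ALLOWED = { 'image/png': ['png'], 'image/jpeg': ['jpg', 'jpeg'], 'image/gif': ['gif'] };
const MAX_BYTES = 5 * 1024 * 1024; // assumption: 5 MiB upload cap

// Return the MIME type implied by the leading bytes, or null if nothing matches.
function sniffType(buf) {
  const hit = SIGNATURES.find(
    (sig) => buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)
  );
  return hit ? hit.type : null;
}

// Decide whether an upload is accepted. declaredType (the request's
// Content-Type) is only compared for consistency; it never grants acceptance.
function validateUpload({ name, declaredType, data }) {
  const buf = Buffer.isBuffer(data) ? data : Buffer.from(data);
  if (buf.length === 0) return { ok: false, reason: 'empty file' };
  if (buf.length > MAX_BYTES) return { ok: false, reason: 'file exceeds size cap' };
  const sniffed = sniffType(buf);
  if (sniffed === null || !(sniffed in ALLOWED)) {
    return { ok: false, reason: `content type ${sniffed ?? 'unknown'} is not allowed` };
  }
  const ext = String(name).toLowerCase().split('.').pop();
  if (!ALLOWED[sniffed].includes(ext)) {
    return { ok: false, reason: `extension .${ext} does not match ${sniffed}` };
  }
  if (declaredType && declaredType.toLowerCase() !== sniffed) {
    return { ok: false, reason: `declared ${declaredType} but content is ${sniffed}` };
  }
  return { ok: true, type: sniffed };
}

// Constructed samples: the start of a real PNG, and an HTML file renamed to .png.
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const HTML_AS_PNG = Buffer.from('<html><body>not an image</body></html>');
```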
Slide 37 (ATTACK)
Cross-Site Request Forgery
[Mockup: Strawbank transfer form at https://strawbank.com 🔒, signed in as [email protected]; From Acct: Mike's Checking; To Acct: Lisa's Savings; Amount: $8500; Transfer Funds button]
A page on another site submits the transfer on the signed-in user's behalf:

```html
<form name="badform" method="post" action="https://strawbank.com/api/transfer">
  <input type="hidden" name="destination" value="2" />
  <input type="hidden" name="amount" value="8500" />
</form>
<script type="text/javascript">
  document.badform.submit();
</script>
```
Slide 38 (ATTACK)
Cross-Site Request Forgery
• Exclusively targets state-changing requests
• Exploits the browser "automatically" sending credentials
• A good reason to conform to RESTful HTTP verbs
• POST requests are also susceptible
The GET variant shown on the slide:

```html
<img src="https://strawbank.com/api/transfer?amount=8500&destination=12345">
```
Slide 39 (DEFENSE)
Cross-Site Request Forgery
• Only Basic or cookie authentication schemes are vulnerable
• Exception: "Client side cookie"
• CSRF Token: non-predictable and per-request
• Ensure CORS headers are appropriately restrictive
Slide 40 (ATTACK)
Clickjacking
[Mockup: a decoy page at https://strawbank.com-securebank.cc?tok=108... 🔒 reading "StrawCard: You're approved!" with a "Proceed" button, layered over the Strawbank transfer form (signed in as [email protected]; From Acct: Mike's Checking; To Acct: Lisa's Savings; Amount: $8500; Transfer Funds) loaded from https://strawbank.com?amount=8500&dest=185... 🔒]
Slide 41 (DEFENSE)
Clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://strawbank.com/
Slide 42
The Hacks (outline)
NETWORK: Man in the middle; HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS: XSS; CSRF; Clickjacking
Slide 43
But Wait... There's more.
• SQL Injection
• Timing attacks
• Resource depletion attacks
• Session hijacking
• Execution after redirect
• Log Injection attacks
• Content Security Policy (CSP)
• Cache Poisoning
• Subresource Integrity (SRI)
• Sandboxing untrusted content
• Preventing attack escalation
• Encryption at rest: best practices
Slide 44
Thanks!
Want to know more? Ask me about a security workshop