Writing an (in)secure webapp in 3 easy steps
•Télécharger en tant que KEY, PDF•
3 j'aime•1,591 vues
jsconf 2011 slidedeck on security in web applications. Track B
Recommandé
Contenu connexe
Tendances
Tendances (10)
Similaire à Writing an (in)secure webapp in 3 easy steps
Similaire à Writing an (in)secure webapp in 3 easy steps (20)
Plus de Adam Baldwin
Plus de Adam Baldwin (14)
Dernier
Dernier (20)
Writing an (in)secure webapp in 3 easy steps
- 1. Writing an (in)secure webapp JSCONF 2011 // Adam Baldwin
- 2. insecure webapps I lied - There are no “3 easy steps” Writing (in)secure Webapps // JSCONF // MAY 2011
- 3. Introduction @adam_baldwin Co-Founder of nGenuity PenTester of webs Curator of evilpacket.net Writing (in)secure Webapps // JSCONF // MAY 2011
- 4. Writing (in)secure Webapps // JSCONF // MAY 2011
- 5. Stuff to talk about • Writing insecure apps • # Navigation • Output Encoding • Piles of other crap Writing (in)secure Webapps // JSCONF // MAY 2011
- 6. Writing Insecure Writing (in)secure Webapps // JSCONF // MAY 2011
- 7. Why is it so easy? • Resource constrained • Landscape always changing • Engineering vs innovation Writing (in)secure Webapps // JSCONF // MAY 2011
- 8. #! navigation zomg Writing (in)secure Webapps // JSCONF // MAY 2011
- 9. # navigation /#http://evilpacket.net/login CORS is awesome Writing (in)secure Webapps // JSCONF // MAY 2011
- 10. Cross-Site Scripting fireblog.com Writing (in)secure Webapps // JSCONF // MAY 2011
- 11. Context Matters It’s not okay to just encode “><‘& <img src=#{STUFF}/> <img src=a onerror=CODE/> Writing (in)secure Webapps // JSCONF // MAY 2011
- 12. ESAPI / jquery-encoder $('#submit-entity-payload').click(function() { var payload = $('#entity-payload').val(); $('#entity- container').html( $.encoder.encodeForHTML(payload) ); }); Writing (in)secure Webapps // JSCONF // MAY 2011
- 13. Content Security Policy * Example 1: A server wants all content to come from its own domain: X-Content-Security-Policy: default-src 'self' Example 2: An auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized ECMAScript: X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com * Firefox 4 only Writing (in)secure Webapps // JSCONF // MAY 2011
- 14. Other Crap That Matters • Cross-Site Request Forgery • Clickjacking (X-Frame-Options) • Cookies (HTTPOnly / Secure) • ... Writing (in)secure Webapps // JSCONF // MAY 2011
- 16. References nGenuity: http://ngenuity-is.com Evilpacket: http://evilpacket.net JavaScript-based ESAPI: An In-Depth Overview: https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf Content Security Policy: http://people.mozilla.com/~bsterne/content-security-policy/ jQuery Encoder: http://plugins.jquery.com/project/jqencoder http://software.digital-ritual.net/jqencoder/ Writing (in)secure Webapps // JSCONF // MAY 2011
Notes de l'éditeur
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n