Micro Workshop: "Why & How you should do your HTTP Headers right?" by Santhosh Tuppad

HTTP headers are a MUST if a business cares about security. Some complain that they do not have the budget, but these little things don’t need a budget, only a passion for securing applications, unless you are going for a deeper security assessment where a specialist or an expert is needed.

Most programmers and testers are not aware of the HTTP headers they can implement to mitigate deadly attacks such as Cross-Site Scripting, Clickjacking, MIME sniffing, form data hijacking, banners revealing sensitive information, and so on.

Trust me, these don’t take a lot of time to get right, and they build prevention mechanisms against certain types of dangerous vulnerabilities. Mind you, a header doesn’t cover every variant of a given attack, but it surely helps to strengthen the security wall.

This micro workshop is demonstration-based, and two things will be spoken about:

1) What kind of attacks are we vulnerable to if we don’t use Secure HTTP Headers?

2) What needs to be done to mitigate security vulnerabilities by using these secure HTTP Headers?

We will have a lot of fun learning about HTTP Headers.

Key learning 1: Understand why HTTP headers are important to your web applications.

Key learning 2: Learn how to implement these HTTP headers in the right way.

Key learning 3: Mitigate attacks such as XSS, clickjacking and other attacks.

Key learning 4: Get a perspective on how the absence of secure HTTP headers can cause ugly problems.

Key learning 5: Become an HTTP headers advocate/fighter in your organization.

Speaker Bio:

security tester. application security. owasp cheat-sheet contributor. network security. exploratory tester. test automator. zero-day vulnerability finder. award winner in the security area. international keynote speaker. coach & mentor. trainer.

Santhosh Tuppad has played different roles in his life, including Passionate Entrepreneur, Computer Engineer, Software Tester, JavaScript and Python Programmer, Blogger, Reader, Trainer, Coach, Black-hat Thinker, White-hat Hacker, Grey-hat Hacker and what not. In this amazing journey of life, he has experienced his salvation. Not to forget that “Salvation comes at a price”, and of course he has paid that price. Before, he was known for being merciless, ruthless, unkind, evil, etc. Today he is known for kindness and humbleness, and some people call him “Privacy Fighter”. Santhosh is also one of the OWASP Cheat Sheet contributors and shares his knowledge on security and testing unconditionally. The world finds his ways “unconventional”, but he thinks that they are the best.

Linkedin- https://www.linkedin.com/in/santhosh-tuppad-338b7412/
Twitter- https://twitter.com/santhoshst

  1. ABOUT SANTHOSH TUPPAD: Santhosh began hacking at the age of 16, when a dial-up connection was the need of the hour to connect to the internet. He began his journey by satisfying his need by hacking the dial-up subscription of someone else. Since then he never stopped learning to craft better. Now he helps companies across the globe to secure their software. Not to forget that he is also one of the OWASP (Open Web Application Security Project) Cheat Sheet contributors. SANTHOSHST
  2. WHAT ARE WE MISSING? (Secure) HTTP headers are powerful, and they always mitigate some of the critical security vulnerabilities.
  3. WHERE ARE THESE HTTP HEADERS? They can be found in requests, responses and other places. We shall focus on request and response here. Well, that's okay. But how do I find them in a web browser? Let's see!
  4. WHY ARE THEY IMPORTANT? HTTP headers are a powerful (magical) mantra. Not many developers/testers know about them. They act as a repellent against some vulnerabilities. If applied well, you can sleep well. They can be a scarecrow/decoy.
  5. That's cool. Where are the bugs here? Let us focus on secure HTTP headers and how to find the things that matter.
  6. Whenever I look into a web application, I inspect the request from the "Network" tab in DevTools. Let us see how.
  7. (SOME) SECURE HTTP HEADERS: X-XSS-Protection, Clear-Site-Data, Upgrade-Insecure-Requests, X-Frame-Options, Content-Security-Policy, HTTP Strict-Transport-Security, X-Content-Type-Options.
  8. HOW TO DO THEM RIGHT? Understand the context of your application. Read the documentation and understand it before you implement the HTTP header policies. Use Report-Only mode if in doubt (it is like analytics for your CSP and others). Make sure you use "Can I Use" for a browser compatibility check. Use the right extensions/tools to test/evaluate the policy before you report it as a bug or deploy it. Repeat reading the documentation. READ, READ MORE, THINK, THINK MORE, EXPERIMENT.
  9. Wait... That's not it. There are many more HTTP headers which can be configured to provide various functionalities as well as security. The Mozilla Developer Network is a great source to study more.
  10. A challenge for you: let us see a demonstration of malicious JavaScript now! And I encourage you to find a solution to mitigate this kind of demo'ed attack.
  11. Extensions used: CSP Evaluator, CSP Mitigator, ModHeader, Wappalyzer. Browser compatibility check: https://caniuse.com/ Further reading: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
  12. CONTACT ME FOR SECURITY! Mailing address: World is my pitstop. Email: Santhosh.Tuppad@gmail.com Phone: +91 98809 52643 Twitter: https://twitter.com/santhoshst LinkedIn: https://www.linkedin.com/in/santhosh-tuppad-338b7412/ Google: search "Santhosh Tuppad"