Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No privilege, no risk - Devoxx 2013

Mike West
PRO
November 14, 2013
Programming
1
500

No privilege, no risk - Devoxx 2013

Mike West
PRO

November 14, 2013
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
100
Isolation by Default
mikewest
PRO
0
1.7k
The Web We Can Ship
mikewest
PRO
0
440
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.8k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
160
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
410
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
110
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
890
BSides Munich
mikewest
PRO
0
320

Other Decks in Programming

See All in Programming
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
520
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
Realtime API 入門
riofujimon
0
110
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
僕がつくった48個のWebサービス達
yusukebe
18
17k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430
JaSST 24 九州:ワークショップ(は除く) 実践!マインドマップを活用したソフトウェアテスト+活用事例
satohiroyuki
0
260
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
150
Go言語でターミナルフレンドリーなAIコマンド、afaを作った/fukuokago20_afa
monochromegane
2
140
qmuntal/stateless のススメ
sgash708
0
120
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
offers_20241022_imakiire.pdf
imakurusu
2
360

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
229
18k
A designer walks into a library…
pauljervisheath
202
24k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
We Have a Design System, Now What?
morganepeng
50
7.2k
Building an army of robots
kneath
302
42k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Typedesign – Prime Four
hannesfritz
39
2.4k
YesSQL, Process and Tooling at Scale
rocio
167
14k
How STYLIGHT went responsive
nonsquared
95
5.2k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
A Philosophy of Restraint
colly
203
16k

Transcript

  1. @mikewest #DV13-security No privilege, no risk A client-side security cornucopia

    Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides: https://mkw.st/r/devoxx13

  2. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  3. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html

  4. "Enigma" - skittledog, http://flic.kr/p/9VjJz5 Step 0: Encrypt all traffic.

  5. None
  6. None
  7. None

  8. Set-Cookie: ...; secure; HttpOnly

  9. Strict-Transport-Security: max-age=2592000; includeSubDomains

  10. None

  11. Public-Key-Pins: max-age=2592000; pin-sha256="4n972H…yw4uqe/baXc="

  12. "Framed in the Valley" - cobalt123, http://www.flickr.com/photos/cobalt/5354090310/ Limit Unanticipated Framing.

  13. Click me! I am happy!

  14. X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN

  15. "X-Frame-Options: All about Clickjacking?" https://cure53.de/xfo-clickjacking.pdf

  16. "Sniff" - tiny banquet committee, http://www.flickr.com/photos/tinybanquet/880076486 Prevent MIME-Type Sniffing.

  17. X-Content-Type-Options: nosniff

  18. None

  19. "Finance - Financial Injection - Finance" - doug8888, http://www.flickr.com/photos/doug88888/4561376850/ Mitigate

    content injection.

  20. scheme://host:port

  21. <script> beAwesome(); </script> <script> beEvil(); </script>

  22. <script> beAwesome(); </script> <!-- <p>Hello, {$name}!</p> --> <p>Hello, <script> beEvil();

    </script></p>

  23. <style> p { color: {{USER_COLOR}}; } </style> <p> Hello {{USER_NAME}},

    view your <a href="{{USER_URL}}">Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->

  24. "I discount the probability of perfection." -Alex Russell

  25. "We are all idiots with deadlines." -Mike West

  26. X-XSS-Protection: 1; mode=block or X-XSS-Protection: 0 but not X-XSS-Protection: 1

  27. X-XSS-Protection: 1; mode=block; report=https://example.com/url

  28. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ https://mkw.st/r/csp

  29. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com https://www.speakerdeck.com; script-src https://mikewestdotorg.hasacdn.net

    https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; font-src https://mikewestdotorg.hasacdn.net

  30. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src

    ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi

  31. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html",

    "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/img.png", "violated-directive": "default-src 'self'", "original-policy": "...", "source-file": "http://example.com/script.js", "line-number": 10, "column-number": 11, } }

  32. <script> function handleClick() { ... } </script> <button onclick="handleClick()">Click me!</button>

    <a href="javascript:handleClick()">Click me!</a>

  33. <!-- index.html --> <script src="clickHandler.js"></script> <button class="clckr">Click me!</button> <a href="#"

    class="clckr">Click me!</a> <!-- clickHandler.js --> function handleClick() { ... } function init() { for (var e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); }

  34. Content-Security-Policy: script-src 'nonce-afbvjn+afpo-j1qer'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script nonce="afbvjn+afpo-j1qer"> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>

  35. Content-Security-Policy: script-src 'sha256-afbvjn+...afpo-j1qer'; <button class="clckr">Click me!</button> <a href="#" class="clckr">Click me!</a>

    <script> function handleClick() { ... } function init() { var e; for (e in document.querySelectorAll('.clckr')) e.addEventListener('click', handleClick); } </script>

  36. "Sandbox Shadow" - Scott Robinson, http://www.flickr.com/photos/clearlyambiguous/27454797 Limit IFrame Capabilities

  37. <iframe src="page.html" sandbox></iframe> <!-- * Unique origin * No plugins.

    * No script. * No form submissions. * No top-level navigation. * No popups. * No autoplay. * No pointer lock. * No seamless iframes. -->

  38. <iframe src="page.html" sandbox="allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation"> </iframe> <!--

    * No plugins. * No seamless iframes. -->

  39. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/ goo.gl/WJjv10

  40. "Vandalised Red Telephone Box" - Jon Pinder, http://www.flickr.com/photos/rofanator/5364666818 Secure Cross-Origin

    Communication

  41. <script> var frame = document.querySelector('iframe'); frame.contentWindow.postMessage(message, 'example.com'); window.addEventListener('message', function (e)

    { if (e.origin === 'example.com') // Do something amazing in response! }); </script>

  42. <script> var frame = document.querySelector('iframe'); frame.contentWindow.postMessage(message, '*'); window.addEventListener('message', function (e)

    { if (e.origin === "null" && e.source === frame.contentWindow) // Do something amazing in response! }); </script>

  43. <script> window.addEventListener('message', function (e) { if (e.origin !== window.location.origin) return;

    // Do something amazing in response! e.source.postMessage(result, e.origin); }); </script>

  44. <script> var channel = new MessageChannel(); // channel.port1 <-> channel.port2

    frame.contentWindow.postMessage( 'init', '*', [ channel.port2 ]); channel.port1.postMessage(message); channel.port1.addEventListener('message', ...); </script>

  45. "Enigma" - skittledog, http://flic.kr/p/9VjJz5 Moar Encryption

  46. http://nick.bleeken.eu/presentations/devoxx-2013/

  47. https://mkw.st/r/devoxx13 Thanks! Mike West https://mikewest.org G+: mkw.st/+ Twitter: @mikewest Slides:

    https://mkw.st/r/devoxx13