Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

Mike West
PRO
June 03, 2019
Programming
1
160

Web Platform Security @ TechDays 2019

Web Platform Security.

Mike West
PRO

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
100
Isolation by Default
mikewest
PRO
0
1.8k
The Web We Can Ship
mikewest
PRO
0
450
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.8k
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
410
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
110
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
900
BSides Munich
mikewest
PRO
0
320
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.4k

Other Decks in Programming

See All in Programming
最新TCAキャッチアップ
0si43
0
190
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
120
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
890
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.2k
Outline View in SwiftUI
1024jp
1
330
watsonx.ai Dojo #4 生成AIを使ったアプリ開発、応用編
oniak3ibm
PRO
1
140
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
役立つログに取り組もう
irof
28
9.6k
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
3
690
Realtime API 入門
riofujimon
0
150

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
What's new in Ruby 2.0
geeforr
343
31k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
How to Ace a Technical Interview
jacobian
276
23k
Six Lessons from altMBA
skipperchong
27
3.5k
Automating Front-end Workflow
addyosmani
1366
200k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
97

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019