Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking Front-End Apps
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Alex Sexton
February 12, 2014
Technology
3
2.5k
Hacking Front-End Apps
My talk on client side web security as given at the jQuery Conference 2014 in San Diego
Alex Sexton
February 12, 2014
Tweet
Share
More Decks by Alex Sexton
See All by Alex Sexton
Your Very Own Component Library
slexaxton
5
740
Front-End Ops - jQuery Conf Chicago 2014
slexaxton
1
1k
Practicing Safe Script
slexaxton
18
2.9k
Other Decks in Technology
See All in Technology
「OSアップデート:年に一度の「大仕事」を乗り切るQA戦略」_Mobile Tech Flex 〜4社合同!私たちのモバイル開発自慢大会〜
gu3
0
220
プロダクト開発の品質を守るAIコードレビュー:事例に見る導入ポイント
moongift
PRO
1
410
器用貧乏が強みになるまで ~「なんでもやる」が導いたエンジニアとしての現在地~
kakehashi
PRO
5
530
ローカルでLLMを使ってみよう
kosmosebi
0
190
あすけん_Developers_Summit_2026_-_Vibe_Coding起点での新機能開発で__あすけん_が乗り越えた壁.pdf
iwahiro
0
740
Getting started with Google Antigravity
meteatamel
0
360
Amazon Bedrock AgentCoreでブラウザ拡張型AI調査エージェントを開発した話 (シングルエージェント編)
nasuvitz
2
110
LINEアプリ開発のための Claude Code活用基盤の構築
lycorptech_jp
PRO
1
920
サイボウズ 開発本部採用ピッチ / Cybozu Engineer Recruit
cybozuinsideout
PRO
10
74k
ブログの作成に音声AIツールを使って音声入力しようとした話
smt7174
1
170
社内ワークショップで終わらせない 業務改善AIエージェント開発
lycorptech_jp
PRO
1
340
教育現場のプロンプトエンジニアリング問題を 解決するAIエージェントを作成してみた
ryoshun
0
120
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Scaling GitHub
holman
464
140k
Game over? The fight for quality and originality in the time of robots
wayneb77
1
130
Chasing Engaging Ingredients in Design
codingconduct
0
120
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.1k
Everyday Curiosity
cassininazir
0
140
Test your architecture with Archunit
thirion
1
2.2k
Deep Space Network (abreviated)
tonyrice
0
76
WCS-LA-2024
lcolladotor
0
470
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
80
Abbi's Birthday
coloredviolet
2
5k
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.7k
Transcript
Hacking Front-End Apps Alex Sexton
I work at .
which is in . California
but…
I live in . Texas
The web has a lot in common with Texas.
“The wild west.”
In 1985, Texas had a problem.
None
Littering
Some Texans defended their “God-given right to litter.”
ಠ_ಠ
There were fines for littering.
photo by Curtis Gregory Perry
But no one seemed to care.
The state tried some slogans.
None
But these slogans apparently did not resonate with the core
offenders
Males 18-24 “Bubbas in Pickup Trucks”
In 1985 Texas tried a new campaign:
None
The campaign reduced litter on Texas highways ! 72% !
from 1986 to 1990.
My point is…
“Hey everyone, you should make your websites more secure because
it’s important.” ! Probably isn’t going to do the trick.
DON’T! MESS! WITH! XSS Also probably won’t work.
Web developers, not security researchers, are the core audience.
Web security is hard.
“All you have to do is never make a single
mistake.” - I Think Mike West
“I discount the probability of perfection.” - Alex Russell
Content Injection
None
None
None
Everyone has a friend that always seems to pick “<script>alert(‘hacked!’);</script>”
as their username.
My User Agent
My Friend, Mike Taylor’s User Agent Mozilla/5.0 (Macintosh; Intel Mac
OS X 10.9; rv:25.0) <script>alert(‘lol’);</script> Gecko/20100101 Firefox/25.0
My Friend, Mike Taylor’s User Agent Mozilla/5.0 (Macintosh; Intel Mac
OS X 10.9; rv:25.0) <script>alert(‘lol’);</script> Gecko/20100101 Firefox/25.0
ಠ_ಠ
Samy
None
None
None
ಠ_ಠ
So let’s just detect malicious scripts!
None
alert(1)
The Billy Hoffman Whitespace Attack <script> ! </script>
The Billy Hoffman Whitespace Attack <script> ! </script> Malicious
Code
The Billy Hoffman Whitespace Attack <script> ! </script> tab
tab tab space space
The Billy Hoffman Whitespace Attack <script> ! </script> 1
1 1 0 0
You cannot detect malicious code.
output.replace(/<script>/, ‘’);
CSS Hacks
Old School
None
Link Visited Link getComputedStyle( getComputedStyle( ) ) === \o\|o|/o/ Pretty
much People Celebrating (or screaming on fire)
Timing Attacks
Security by Inaccuracy
requestAnimationFrame + :visited = ಠ_ಠ
requestAnimationFrame + :visited = ಠ_ಠ
requestAnimationFrame + :visited = ಠ_ಠ
Link Visited Link
Link Visited Link <16ms >60ms Time to render
JSON-P
MORE LIKE JSON-Pretty-Insecure
“I’d really like it if someone could run arbitrary dynamic
scripts on my page” - JSONP Users
You wouldn’t do this.
So don’t do this.
A Leak In The Response
YouProbablyShouldUseCORS.tumblr.com
enable-cors.org
Try to say CROSS SITE! REQUEST FORGERY 5 times fast.
Set-Cookie ‘csrf=0003’
Set-Cookie ‘csrf=0003’
None
None
None
It gets worse.
Contextis White Paper
Cross-Domain Data Snooping via SVG Filters and OCR
None
ಠ_ಠ
We need a new approach.
Content Security Policy
None
Disallow Inline JS, CSS By Default!
Disallow eval By Default!
Disallow Cross Domain JS, CSS, IMG, Fonts
Report Violations!
None
A White List That’s the key!
Good Security Goes Beyond Content Injection
<iframe sandbox>
HTTPS Everywhere
HTTPS Everywhere
HTTPS Only
301 Redirect http
https HSTS
Frame Busting
Disallow as an iFrame X-Frame-Options
It’s “security by default.” At least much closer…
You can rely a little less on being perfect.
it only matters if everyone buys in. But
We need our own slogan.
We need developers to take pride in making secure applications.
Don’t Mess With The Web
ಠ_ಠ
Let’s do something about it together.
Thanks! @SlexAxton Special Thanks To: Mike West * 1000 Adam
Baldwin Contextis MDN
slexaxton
gu3
moongift
kakehashi
kosmosebi
iwahiro
meteatamel
nasuvitz
lycorptech_jp
cybozuinsideout
smt7174
ryoshun
marcelosomers
holman
wayneb77
codingconduct
danielanewman
cassininazir
thirion
tonyrice
lcolladotor
techseoconnect
coloredviolet
jnunemaker
