Practicing Safe Script

Transcript

1. Practicing Safe Script Alex Sexton

2. I work at .

3. which is in . California

4. but…

5. I live in . Texas

6. The web has a lot in common with Texas.

7. “The wild west.”

8. In 1985, Texas had a problem.

9. None

10. Littering

11. Some Texans defended their “God-given right to litter.”

12. ಠ_ಠ

13. There were fines for littering.

14. photo by Curtis Gregory Perry

15. But no one seemed to care.

16. The state tried some slogans.

17. None

18. But these slogans apparently did not resonate with the core

    offenders

19. Males 18-24 “Bubbas in Pickup Trucks”

20. In 1985 Texas tried a new campaign:

21. None

22. The campaign reduced litter on Texas highways ! 72% !

    from 1986 to 1990.

23. My point is…

24. “Hey everyone, you should make your websites more secure because

    it’s important.” ! Probably isn’t going to do the trick.

25. DON’T! MESS! WITH! XSS Also probably won’t work.

26. Web developers, not security researchers, are the core audience.

27. Web security is hard.

28. “All you have to do is never make a single

    mistake.” - I Think Mike West

29. “I discount the probability of perfection.” - Alex Russell

30. Content Injection

31. None
32. None
33. None

34. Everyone has a friend that always seems to pick “<script>alert(‘hacked!’);</script>”

      as their username.

35. My User Agent

36. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

37. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

38. ಠ_ಠ

39. Samy

40. None
41. None
42. None

43. ಠ_ಠ

44. So let’s just detect malicious scripts!

45. None

46. alert(1)

47. The Billy Hoffman Whitespace Attack <script>   ! </script>

48. The Billy Hoffman Whitespace Attack <script>   ! </script> Malicious

    Code

49. The Billy Hoffman Whitespace Attack <script>   ! </script> tab

    tab tab space space

50. The Billy Hoffman Whitespace Attack <script>   ! </script> 1

    1 1 0 0

51. You cannot detect malicious code.

52. output.replace(/<script>/, ‘’);

53. CSS Hacks

54. Old School

55. None

56. Link Visited Link getComputedStyle( getComputedStyle( ) ) === \o\|o|/o/ Pretty

    much People Celebrating (or screaming on fire)

57. Timing Attacks

58. Security by Inaccuracy

59. requestAnimationFrame + :visited = ಠ_ಠ

60. requestAnimationFrame + :visited = ಠ_ಠ

61. requestAnimationFrame + :visited = ಠ_ಠ

62. Link Visited Link

63. Link Visited Link <16ms >60ms Time to render

64. Set-Cookie ‘csrf=0003’

65. None
66. None
67. None

68. It gets worse.

69. Contextis White Paper

70. Cross-Domain Data Snooping via SVG Filters and OCR

71. None

72. ಠ_ಠ

73. We need a new approach.

74. Content Security Policy

75. None

76. Disallow Inline JS, CSS By Default!

77. Disallow eval By Default!

78. Disallow Cross Domain JS, CSS, IMG, Fonts

79. Report Violations!

80. None

81. A White List That’s the key!

82. Good Security Goes Beyond Content Injection

83. <iframe sandbox>

84. HTTPS Everywhere

85. HTTPS Everywhere

86. HTTPS Only

87. 301 Redirect http

88. https HSTS

89. Frame Busting

90. Disallow as an iFrame X-Frame-Options

91. It’s “security by default.” At least much closer…

92. You can rely a little less on being perfect.

93. it only matters if everyone buys in. But

94. We need our own slogan.

95. We need developers to take pride in making secure applications.

96. Don’t Mess With The Web

97. ಠ_ಠ

98. Let’s do something about it together.

99. Thanks! @SlexAxton Special Thanks To: Mike West * 1000 Adam

    Baldwin Contextis MDN