Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Practicing Safe Script

Alex Sexton
December 03, 2013
Programming
18
2.8k

Practicing Safe Script

Front End Web Security is hard. This deck goes through why there's no hope of patching every hole and suggests the opposite approach via whitelisting (old news, right?). Also suggests we try to make security sexier so more people buy-in.

Alex Sexton

December 03, 2013
Tweet

More Decks by Alex Sexton

See All by Alex Sexton
Your Very Own Component Library
slexaxton
5
720
Front-End Ops - jQuery Conf Chicago 2014
slexaxton
1
1k
Hacking Front-End Apps
slexaxton
3
2.4k

Other Decks in Programming

See All in Programming
Jakarta EE meets AI
ivargrimstad
0
630
RubyLSPのマルチバイト文字対応
notfounds
0
120
EMになってからチームの成果を最大化するために取り組んだこと/ Maximize team performance as EM
nashiusagi
0
100
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170
Amazon Qを使ってIaCを触ろう!
maruto
0
420
Click-free releases & the making of a CLI app
oheyadam
2
120
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.8k
cmp.Or に感動した
otakakot
3
210
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
AWS Lambdaから始まった
Serverlessの「熱」とキャリアパス / It started with AWS Lambda Serverless “fever” and career path
seike460
PRO
1
260
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340

Featured

See All Featured
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
A better future with KSS
kneath
238
17k
Building Adaptive Systems
keathley
38
2.3k
Scaling GitHub
holman
458
140k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Adopting Sorbet at Scale
ufuk
73
9.1k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
A designer walks into a library…
pauljervisheath
204
24k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
Automating Front-end Workflow
addyosmani
1366
200k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130

Transcript

  1. Practicing Safe Script Alex Sexton

  2. I work at .

  3. which is in . California

  4. but…

  5. I live in . Texas

  6. The web has a lot in common with Texas.

  7. “The wild west.”

  8. In 1985, Texas had a problem.

  9. None

  10. Littering

  11. Some Texans defended their “God-given right to litter.”

  12. ಠ_ಠ

  13. There were fines for littering.

  14. photo by Curtis Gregory Perry

  15. But no one seemed to care.

  16. The state tried some slogans.

  17. None

  18. But these slogans apparently did not resonate with the core

    offenders

  19. Males 18-24 “Bubbas in Pickup Trucks”

  20. In 1985 Texas tried a new campaign:

  21. None

  22. The campaign reduced litter on Texas highways ! 72% !

    from 1986 to 1990.

  23. My point is…

  24. “Hey everyone, you should make your websites more secure because

    it’s important.” ! Probably isn’t going to do the trick.

  25. DON’T! MESS! WITH! XSS Also probably won’t work.

  26. Web developers, not security researchers, are the core audience.

  27. Web security is hard.

  28. “All you have to do is never make a single

    mistake.” - I Think Mike West

  29. “I discount the probability of perfection.” - Alex Russell

  30. Content Injection

  31. None
  32. None
  33. None

  34. Everyone has a friend that always seems to pick “<script>alert(‘hacked!’);</script>”

      as their username.

  35. My User Agent

  36. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

  37. My Friend, Mike Taylor’s User Agent Mozilla/5.0  (Macintosh;  Intel  Mac

     OS  X  10.9;   rv:25.0)  <script>alert(‘lol’);</script>  Gecko/20100101   Firefox/25.0

  38. ಠ_ಠ

  39. Samy

  40. None
  41. None
  42. None

  43. ಠ_ಠ

  44. So let’s just detect malicious scripts!

  45. None

  46. alert(1)

  47. The Billy Hoffman Whitespace Attack <script>   ! </script>

  48. The Billy Hoffman Whitespace Attack <script>   ! </script> Malicious

    Code

  49. The Billy Hoffman Whitespace Attack <script>   ! </script> tab

    tab tab space space

  50. The Billy Hoffman Whitespace Attack <script>   ! </script> 1

    1 1 0 0

  51. You cannot detect malicious code.

  52. output.replace(/<script>/, ‘’);

  53. CSS Hacks

  54. Old School

  55. None

  56. Link Visited Link getComputedStyle( getComputedStyle( ) ) === \o\|o|/o/ Pretty

    much People Celebrating (or screaming on fire)

  57. Timing Attacks

  58. Security by Inaccuracy

  59. requestAnimationFrame + :visited = ಠ_ಠ

  60. requestAnimationFrame + :visited = ಠ_ಠ

  61. requestAnimationFrame + :visited = ಠ_ಠ

  62. Link Visited Link

  63. Link Visited Link <16ms >60ms Time to render

  64. Set-Cookie ‘csrf=0003’

  65. None
  66. None
  67. None

  68. It gets worse.

  69. Contextis White Paper

  70. Cross-Domain Data Snooping via SVG Filters and OCR

  71. None

  72. ಠ_ಠ

  73. We need a new approach.

  74. Content Security Policy

  75. None

  76. Disallow Inline JS, CSS By Default!

  77. Disallow eval By Default!

  78. Disallow Cross Domain JS, CSS, IMG, Fonts

  79. Report Violations!

  80. None

  81. A White List That’s the key!

  82. Good Security Goes Beyond Content Injection

  83. <iframe sandbox>

  84. HTTPS Everywhere

  85. HTTPS Everywhere

  86. HTTPS Only

  87. 301 Redirect http

  88. https HSTS

  89. Frame Busting

  90. Disallow as an iFrame X-Frame-Options

  91. It’s “security by default.” At least much closer…

  92. You can rely a little less on being perfect.

  93. it only matters if everyone buys in. But

  94. We need our own slogan.

  95. We need developers to take pride in making secure applications.

  96. Don’t Mess With The Web

  97. ಠ_ಠ

  98. Let’s do something about it together.

  99. Thanks! @SlexAxton Special Thanks To: Mike West * 1000 Adam

    Baldwin Contextis MDN