SlideShare a Scribd company logo

W3 conf hill-html5-security-realities

B
Brad Hill

Slides for "HTML5 Security Realities" talk at W3Conf: Practical Standards for Web Professionals 2013. Brad Hill - PayPal @hillbrad

1 of 60
HTML5 Security Realities Brad Hill, PayPal bhill@paypal-inc.com @hillbrad W3Conf: Practical standards for web professionals 21 -22 February 2013 San Francisco
โ€œThe reason that the Web browser is the principal entry point for malware is the number of choices that a browser offers up to whomever is at the other end. Evolving technologies like HTML5 promise to make this significantly worse.โ€ โ€“ Dan Geer
In the next 30 minutes: โ€ข Show you real code using new standards to: โ€“ Solve Script Injection Vulnerabilities โ€“ Build Secure Mashups โ€ข HTML5 is a big step forward in security for the Web platform
Solving Script Injection
Script Injection, also known as Cross-Site Scripting or XSS, is the most common Web Application vulnerability. In 2007, WhiteHat estimated that 90% of sites were vulnerable.
XSS in a nutshell: If somebody elseโ€™s code gets to run in your WebApp, itโ€™s not your WebApp anymore. + Same-Origin Policy = XSS anywhere on your domain is XSS everywhere on your domain.
Current defenses: โ€ข Input filtering โ€“ Strip dangerous characters and tags from user data โ€ข Output encoding โ€“ Encode user data so it isnโ€™t treated as markup โ€œHTML5 broke my XSS filter!โ€
YES. html5sec.org lists a dozen new XSS vectors in new tags and attributes in HTML5. But your filter was already broken.
</a/style='-=a&#x5c;b expr65 ss/* &#x2a/ion(URL='javascript:&# x25;5cu0&#48; 64ocum&#x25;5cu0&#48;64oc um&#x25;5cu0&#48;65nt.writ& #x25;5cu0&#48;65(1)' )'>
1;-- <?f><x:!ฮผ!:x/style=`b&#x5c;65h 0061vior:url(#def&#x61ult#time 2)';'`/onbegin=&#x5b๏ฟฝ=u00&# 054;1le&#114t&#40&#x31)&#x5 d&#x2f/&#xy,z>
W3 conf hill-html5-security-realities
XSS Filters Were Doomed Filters are a server-side attempt to simulate the client-side parser and execution environment. Butโ€ฆ โ€ข Every browser parser operated differently โ€ข The algorithms were secret โ€ข Every browser had proprietary features, tags and syntax โ€ข Accepting bad markup was a feature
W3 conf hill-html5-security-realities
Generously coercing a shambling mound of line noise into an application is no longer a competitive feature.
By standardizing the technology for building Rich Web Applications, HTML5 began a fundamental shift in the security posture of the Web as a platform.
W3 conf hill-html5-security-realities
Proprietary platforms compete for developers by offering features. Open platform implementers compete for users by offering quality.
And now, BACK TO SOLVING SCRIPT INJECTION
New and Better Anti-XSS Approaches Even if we now have some hope of simulating the browser parser for HTML5โ€ฆ Not easy, definitely not future-proof. Misses client-only data flows. Why not get help from the client?
Content Security Policy 25 6.0 6.0 6.0 10 X-Content-Security-Policy X-WebKit-CSP (sandbox only) HTTP header to enforce, in the client, a least- privilege environment for script and other content.
W3 conf hill-html5-security-realities
Content-Security-Policy: default-src 'self'; object-src 'none'; img-src https://uploads.example-board.net https://cdn.example-board.com data:; script-src https://code.example-board.net https://www.google-analytics.com; frame-src *.youtube.com; report-uri https://www.example- board.net/cspViolations.xyz
Content Security Policy 1.0 default-src Everything script-src Scripts object-src Plugins style-src CSS img-src Images media-src Audio + Video frame-src Frame content font-src Fonts connect-src Script-loaded content (e.g. XHR) sandbox Same as HTML5 iframe sandbox reporturi Violation reporting
The catchโ€ฆ โ€ข CSP enforces code / data separation โ€ข This means: NO inline script or css NO eval, even in libraries (can be disabled, but sacrifices many of the benefits of CSP)
<script> function doSomething ()โ€ฆ </script> <button onClick="doSomething()"> Click Here!</button>
<!--myPageScript.js--> function doSomething ()โ€ฆ Document.addEventListener(โ€˜DOMContentLoader', function() { for var b in document.querySelectorAll('.clickmeโ€˜)) e.addEventListener('click', doSomething); }); <!--myPageContent.html--> <script src="myPageScript.js"></script> <button class="clickme">Click Here!</button>
Coming soon in CSP 1.1 โ€ข Whitelisting of inline scripts and CSS โ€ข More granular origins โ€ข Better control of plugins and media types โ€ข Control and reporting for reflected XSS filters โ€ข META tag support https://dvcs.w3.org/hg/content-security- policy/raw-file/tip/csp-specification.dev.html
Templating Templating is one of the oldest and most widely used Web application construction patterns. But it is a hive of XSS villainy because it has never been a first-class feature in the client.
HTML Templates New spec in progress in the WebApps WG: https://dvcs.w3.org/hg/webcomponents/raw- file/tip/spec/templates/index.html Declare templates as first-class client-side objects for increased performance, reduced XSS risk.
With CSP and a careful application architecture XSS can be solved today. In the near future it will be possible using more familiar and better performing idioms.
Secure Mashups โ€œHTML5 and CORS give new ways to bypass the Same-Origin Policy!โ€
A โ€œmashupโ€ incorporates content from multiple origins under different administrative control. Today, more apps than not are authenticated mashups: ads, analytics, federated login How did we do this before HTML5?
Flash, with crossdomain.xml <?xml version="1.0"?> <!--https://www.foo.com/crossdomain.xml-- > <cross-domain-policy> <allow-access-from domain=โ€œwww.example-analytics.com"/> </cross-domain-policy>
Janโ€™s Rule: โ€œGive someone an ACL, and theyโ€™ll put in a *.โ€
A โ€œ*โ€ in your master crossdomain.xml policy means your usersโ€™ information is vulnerable to any malicious SWF, anywhere on the Web
I canโ€™t use Flash on iOS anywayโ€ฆ What about HTML-only methods?
<script src=โ€œforeignOrigin"> Same-Origin Loophole Browser example-2.com Origin=example.com <script src= https://example-2.com/x.js> (function( window, undefined ) {โ€ฆ example.com
AKA โ€“ โ€œJSONPโ€ โ€ข โ€œJSON with paddingโ€ <script src=โ€œexample.com/jsonp?callback=fooโ€> โ€ข Returns JSON data โ€œpaddedโ€ with a call to the function you specified. โ€ข You hopeโ€ฆitโ€™s still script!
This pattern injects somebody elseโ€™s code into your application. Remember what the definition of XSS was?
W3 conf hill-html5-security-realities
<script src="//connect.facebook.net/en_US/all.js"> </script>
W3 conf hill-html5-security-realities
We can build it better. We have the technology.
Cross-Origin Resource Sharing (CORS) 22 5.1 3.2 15 15 2.1 10 7 Voluntarily relax the Same-Origin Policy with an HTTP header to allow permissioned sharing on a resource-by-resource basis Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: someorigin.com
CORS Client Example var xhr = new XMLHttpRequest(); xhr.open(method, xDomainUrl, true); xhr.withCredentials = true; xhr.onload = function() { var responseText = xhr.responseText; validatedResponse = validate(responseText); }; xhr.onerror = function() { console.log('There was an error!'); }; xhr.send();
The difference: Script src gives you code you have no choice but to TRUST CORS gives you data you can VERIFY
What about the * in CORS? * cannot be used for a resource that supports credentials. * in Access-Control-Allow-Origin gives other origins only the same view they already have from their own server. Access-Control-Allow-Origin: * is actually one of the safest ways to use CORS!
What if you need data from somebody who doesnโ€™t publish a CORS API?
sandboxed iframes 23 5.1 4.2 15 2.1 10 7 and postMessage 23 5.1 4.2 16 12.1 2.1 8 7
trusted.mydomain.com/foo.html <iframe sandbox=โ€œallow-scriptsโ€ src=โ€œintegration.mydomain.com/wrapLogin.html โ€> </iframe> By using a different domain name, many benefits of the sandbox can be achieved, even in browsers that donโ€™t support it.
integration.mydomain.com/wrapLogin.html <html> <script src=โ€œforeigndomain.com/login.jsโ€> </script> <script> window.parent.postMessage(loginName, โ€œtrusted.mydomain.comโ€); </script> </html>
trusted.mydomain.com/foo.html <iframe sandbox=โ€œallow-scriptsโ€ src=โ€œuntrusted.mydomain.com/untrusted.htmlโ€> </iframe> <script> window.addEventListener("message", receiveMessage, false); receiveMessage = function(event) { if(event.origin == โ€œuntrusted.mydomain.comโ€) { var data = sanitizeData(event.data); } <script>
But wait, thereโ€™s more! What if you do this to your own code?
http://www.cs.berkeley.edu/~devdatta /papers/LeastPrivileges.pdf
Hackers HATE Him!!!! Reduce your Trusted Computing Base by 95% with this one simple HTML5 trick!!!
Summary: HTML5 HTML5 and the Open Web Platform are improving the security of the Web ecosystem. Rich Web Apps are not new, and HTML5 offers big security improvements compared to the proprietary plugin technologies itโ€™s actually replacing.
Summary: Script Injection โ€ข Script Injection, aka XSS, can be a solved problem with proper application architecture and new client-side technologies. โ€ข Avoid incomplete server-side simulation, solve it directly in the client environment: โ€“ Content Security Policy โ€“ HTML Templates
Summary: Mashups โ€ข Use CORS to get (and validate) data, not code โ€ข Use iframes and postMessage to isolate legacy mashup APIs โ€ข Treat your own code like a mashup: Use the Same-Origin Policy as a powerful privilege separation technique for secure application architecture in HTML5 https://github.com/devd/html5privsep
Ongoing work in WebAppSec WG: โ€ข Content Security Policy 1.1 โ€ข User Interface Security to Kill Clickjacking โ€ข Sub-Resource Integrity โ€ข More important work underway in the Web Cryptography WG
public-webappsec-request@w3.org Thank you! Questions? Brad Hill, PayPal bhill@paypal-inc.com @hillbrad W3Conf: Practical standards for web professionals 21 -22 February 2013 San Francisco

Recommended

JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
ย 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
Jim Manico
ย 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
ย 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
robwinch
ย 
Subresource Integrity
Subresource IntegritySubresource Integrity
Subresource Integrity
Philippe De Ryck
ย 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
Matt Raible
ย 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
ย 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
ย 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
ย 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
ย 
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
CODE BLUE
ย 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
ย 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
Erlend Oftedal
ย 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
Matt Johansen
ย 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
ย 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
Samsung Open Source Group
ย 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
GreenD0g
ย 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
ย 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
Philippe De Ryck
ย 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
Jason Ferguson
ย 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
ย 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
Ken Belva
ย 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
ย 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
ย 
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
CODE BLUE
ย 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
ย 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
Matt Raible
ย 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
ย 
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
Andrei Zmievski
ย 
User eXperience & Front End Development
User eXperience & Front End DevelopmentUser eXperience & Front End Development
User eXperience & Front End Development
andreafallaswork
ย 

More Related Content

What's hot (20)

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
ย 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
ย 
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
CODE BLUE
ย 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
ย 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
Erlend Oftedal
ย 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
Matt Johansen
ย 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
ย 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
Samsung Open Source Group
ย 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
GreenD0g
ย 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
ย 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
Philippe De Ryck
ย 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
Jason Ferguson
ย 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
ย 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
Ken Belva
ย 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
ย 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
ย 
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
CODE BLUE
ย 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
ย 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
Matt Raible
ย 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
ย 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
ย 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
ย 
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
[CB16] 80ๆ™‚้–“ใงWebใ‚’ไธ€ๅ‘จ:ใ‚ฏใƒญใƒ ใƒŸใ‚ฆใƒ ใ‚ชใƒผใƒˆใƒกใƒผใ‚ทใƒงใƒณใซใ‚ˆใ‚‹ใ‚นใ‚ฑใƒผใƒฉใƒ–ใƒซใชใƒ•ใ‚ฃใƒณใ‚ฌใƒผใƒ—ใƒชใƒณใƒˆ by Isaac Dawson
CODE BLUE
ย 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
ย 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
Erlend Oftedal
ย 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
Matt Johansen
ย 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
ย 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
Samsung Open Source Group
ย 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
GreenD0g
ย 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
ย 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
Philippe De Ryck
ย 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
Jason Ferguson
ย 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
ย 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
Ken Belva
ย 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
ย 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
ย 
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrรฉs Riancho
CODE BLUE
ย 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
ย 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
Matt Raible
ย 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
ย 

Viewers also liked (20)

The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
Andrei Zmievski
ย 
User eXperience & Front End Development
User eXperience & Front End DevelopmentUser eXperience & Front End Development
User eXperience & Front End Development
andreafallaswork
ย 
Front end Tips Tricks & Tools
Front end Tips Tricks & ToolsFront end Tips Tricks & Tools
Front end Tips Tricks & Tools
Sandeep Ramgolam
ย 
Front End Tooling and Performance - Codeaholics HK 2015
Front End Tooling and Performance - Codeaholics HK 2015Front End Tooling and Performance - Codeaholics HK 2015
Front End Tooling and Performance - Codeaholics HK 2015
Holger Bartel
ย 
Sinau Bareng Frontend Web Development @ DiLo Malang
Sinau Bareng Frontend Web Development @ DiLo MalangSinau Bareng Frontend Web Development @ DiLo Malang
Sinau Bareng Frontend Web Development @ DiLo Malang
Moch. Zamroni
ย 
Frontend automation and stability
Frontend automation and stabilityFrontend automation and stability
Frontend automation and stability
Mรกtรฉ Nรกdasdi
ย 
Frontend SPOF
Frontend SPOFFrontend SPOF
Frontend SPOF
Patrick Meenan
ย 
Webinar: Front End Web Development - Trendy Web Designs Using HTML5
Webinar: Front End Web Development - Trendy Web Designs Using HTML5Webinar: Front End Web Development - Trendy Web Designs Using HTML5
Webinar: Front End Web Development - Trendy Web Designs Using HTML5
Edureka!
ย 
Architecting your Frontend
Architecting your FrontendArchitecting your Frontend
Architecting your Frontend
Ruben Teijeiro
ย 
ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)
ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)
ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)
Joseph Chiang
ย 
Grunt js for the Enterprise Vol.1: Frontend Performance with Phantomas
Grunt js for the Enterprise Vol.1: Frontend Performance with PhantomasGrunt js for the Enterprise Vol.1: Frontend Performance with Phantomas
Grunt js for the Enterprise Vol.1: Frontend Performance with Phantomas
David Amend
ย 
Wrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web ApplicationsWrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web Applications
Ryan Roemer
ย 
A modern front end development workflow for Magnolia at Atlassian
A modern front end development workflow for Magnolia at AtlassianA modern front end development workflow for Magnolia at Atlassian
A modern front end development workflow for Magnolia at Atlassian
Magnolia
ย 
How to Build Front-End Web Apps that Scale - FutureJS
How to Build Front-End Web Apps that Scale - FutureJSHow to Build Front-End Web Apps that Scale - FutureJS
How to Build Front-End Web Apps that Scale - FutureJS
Phil Leggetter
ย 
Frontend technologies
Frontend technologiesFrontend technologies
Frontend technologies
Jose Ramon Roblero Ruiz
ย 
Modern Frontend Technology
Modern Frontend TechnologyModern Frontend Technology
Modern Frontend Technology
Ship Hsu
ย 
Frontend at Scale - The Tumblr Story
Frontend at Scale - The Tumblr StoryFrontend at Scale - The Tumblr Story
Frontend at Scale - The Tumblr Story
Chris Miller
ย 
Front End Development Workflow Tools
Front End Development Workflow ToolsFront End Development Workflow Tools
Front End Development Workflow Tools
Ahmed Elmehri
ย 
TechTalk #85 : Latest Frontend Technologies
TechTalk #85 : Latest Frontend TechnologiesTechTalk #85 : Latest Frontend Technologies
TechTalk #85 : Latest Frontend Technologies
bincangteknologi
ย 
The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...
The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...
The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...
Prasid Pathak
ย 
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
The Good, the Bad, and the Ugly: What Happened to Unicode and PHP 6
Andrei Zmievski
ย 
User eXperience & Front End Development
User eXperience & Front End DevelopmentUser eXperience & Front End Development
User eXperience & Front End Development
andreafallaswork
ย 
Front end Tips Tricks & Tools
Front end Tips Tricks & ToolsFront end Tips Tricks & Tools
Front end Tips Tricks & Tools
Sandeep Ramgolam
ย 
Front End Tooling and Performance - Codeaholics HK 2015
Front End Tooling and Performance - Codeaholics HK 2015Front End Tooling and Performance - Codeaholics HK 2015
Front End Tooling and Performance - Codeaholics HK 2015
Holger Bartel
ย 
Sinau Bareng Frontend Web Development @ DiLo Malang
Sinau Bareng Frontend Web Development @ DiLo MalangSinau Bareng Frontend Web Development @ DiLo Malang
Sinau Bareng Frontend Web Development @ DiLo Malang
Moch. Zamroni
ย 
Frontend automation and stability
Frontend automation and stabilityFrontend automation and stability
Frontend automation and stability
Mรกtรฉ Nรกdasdi
ย 
Frontend SPOF
Frontend SPOFFrontend SPOF
Frontend SPOF
Patrick Meenan
ย 
Webinar: Front End Web Development - Trendy Web Designs Using HTML5
Webinar: Front End Web Development - Trendy Web Designs Using HTML5Webinar: Front End Web Development - Trendy Web Designs Using HTML5
Webinar: Front End Web Development - Trendy Web Designs Using HTML5
Edureka!
ย 
Architecting your Frontend
Architecting your FrontendArchitecting your Frontend
Architecting your Frontend
Ruben Teijeiro
ย 
ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)
ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)
ๅปบ็ซ‹ๅ‰็ซฏๅผ€ๅ‘ๅ›ข้˜Ÿ (Front-end Development Environment)
Joseph Chiang
ย 
Grunt js for the Enterprise Vol.1: Frontend Performance with Phantomas
Grunt js for the Enterprise Vol.1: Frontend Performance with PhantomasGrunt js for the Enterprise Vol.1: Frontend Performance with Phantomas
Grunt js for the Enterprise Vol.1: Frontend Performance with Phantomas
David Amend
ย 
Wrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web ApplicationsWrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web Applications
Ryan Roemer
ย 
A modern front end development workflow for Magnolia at Atlassian
A modern front end development workflow for Magnolia at AtlassianA modern front end development workflow for Magnolia at Atlassian
A modern front end development workflow for Magnolia at Atlassian
Magnolia
ย 
How to Build Front-End Web Apps that Scale - FutureJS
How to Build Front-End Web Apps that Scale - FutureJSHow to Build Front-End Web Apps that Scale - FutureJS
How to Build Front-End Web Apps that Scale - FutureJS
Phil Leggetter
ย 
Frontend technologies
Frontend technologiesFrontend technologies
Frontend technologies
Jose Ramon Roblero Ruiz
ย 
Modern Frontend Technology
Modern Frontend TechnologyModern Frontend Technology
Modern Frontend Technology
Ship Hsu
ย 
Frontend at Scale - The Tumblr Story
Frontend at Scale - The Tumblr StoryFrontend at Scale - The Tumblr Story
Frontend at Scale - The Tumblr Story
Chris Miller
ย 
Front End Development Workflow Tools
Front End Development Workflow ToolsFront End Development Workflow Tools
Front End Development Workflow Tools
Ahmed Elmehri
ย 
TechTalk #85 : Latest Frontend Technologies
TechTalk #85 : Latest Frontend TechnologiesTechTalk #85 : Latest Frontend Technologies
TechTalk #85 : Latest Frontend Technologies
bincangteknologi
ย 
The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...
The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...
The Frontend Developer Landscape Explained and the Rise of Advanced Frontend ...
Prasid Pathak
ย 

Similar to W3 conf hill-html5-security-realities (20)

W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
ย 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
ย 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
ย 
Sanjeev ghai 12
Sanjeev ghai 12Sanjeev ghai 12
Sanjeev ghai 12
Praveen kumar
ย 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
ย 
[refreshaustin] Adaptive Images in Responsive Web Design
[refreshaustin] Adaptive Images in Responsive Web Design[refreshaustin] Adaptive Images in Responsive Web Design
[refreshaustin] Adaptive Images in Responsive Web Design
Christopher Schmitt
ย 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
Eoin Keary
ย 
White paper screen
White paper screenWhite paper screen
White paper screen
eltincho89
ย 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
ย 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
ย 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
ย 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design
Christopher Schmitt
ย 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
Dilan Warnakulasooriya
ย 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
Chris Shiflett
ย 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
ย 
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjgLec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
arfaouisalim
ย 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
ย 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
ย 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
ย 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
Iftach Ian Amit
ย 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
ย 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
ย 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
ย 
Sanjeev ghai 12
Sanjeev ghai 12Sanjeev ghai 12
Sanjeev ghai 12
Praveen kumar
ย 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
ย 
[refreshaustin] Adaptive Images in Responsive Web Design
[refreshaustin] Adaptive Images in Responsive Web Design[refreshaustin] Adaptive Images in Responsive Web Design
[refreshaustin] Adaptive Images in Responsive Web Design
Christopher Schmitt
ย 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
Eoin Keary
ย 
White paper screen
White paper screenWhite paper screen
White paper screen
eltincho89
ย 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
ย 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
ย 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
ย 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design
Christopher Schmitt
ย 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
Dilan Warnakulasooriya
ย 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
Chris Shiflett
ย 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
ย 
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjgLec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
arfaouisalim
ย 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
ย 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
ย 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
ย 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
Iftach Ian Amit
ย 

Recently uploaded (20)

Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
ย 
Learn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step GuideLearn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step Guide
Marcel David
ย 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
ย 
AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
ย 
Datastucture-Unit 4-Linked List Presentation.pptx
Datastucture-Unit 4-Linked List Presentation.pptxDatastucture-Unit 4-Linked List Presentation.pptx
Datastucture-Unit 4-Linked List Presentation.pptx
kaleeswaric3
ย 
#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018
#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018
#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018
Lynda Kane
ย 
Network Security. Different aspects of Network Security.
Network Security. Different aspects of Network Security.Network Security. Different aspects of Network Security.
Network Security. Different aspects of Network Security.
gregtap1
ย 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
ย 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
ย 
"PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System""PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System"
Jainul Musani
ย 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
ย 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
ย 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
ย 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
ย 
Drupalcamp Finland โ€“ Measuring Front-end Energy Consumption
Drupalcamp Finland โ€“ Measuring Front-end Energy ConsumptionDrupalcamp Finland โ€“ Measuring Front-end Energy Consumption
Drupalcamp Finland โ€“ Measuring Front-end Energy Consumption
Exove
ย 
Leading AI Innovation As A Product Manager - Michael Jidael
Leading AI Innovation As A Product Manager - Michael JidaelLeading AI Innovation As A Product Manager - Michael Jidael
Leading AI Innovation As A Product Manager - Michael Jidael
Michael Jidael
ย 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
ย 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
ย 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
ย 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
ย 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
ย 
Learn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step GuideLearn the Basics of Agile Development: Your Step-by-Step Guide
Learn the Basics of Agile Development: Your Step-by-Step Guide
Marcel David
ย 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
ย 
AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything โ€“ Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
ย 
Datastucture-Unit 4-Linked List Presentation.pptx
Datastucture-Unit 4-Linked List Presentation.pptxDatastucture-Unit 4-Linked List Presentation.pptx
Datastucture-Unit 4-Linked List Presentation.pptx
kaleeswaric3
ย 
#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018
#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018
#AdminHour presents: Hour of Code2018 slide deck from 12/6/2018
Lynda Kane
ย 
Network Security. Different aspects of Network Security.
Network Security. Different aspects of Network Security.Network Security. Different aspects of Network Security.
Network Security. Different aspects of Network Security.
gregtap1
ย 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
ย 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
ย 
"PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System""PHP and MySQL CRUD Operations for Student Management System"
"PHP and MySQL CRUD Operations for Student Management System"
Jainul Musani
ย 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
ย 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
ย 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
ย 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
ย 
Drupalcamp Finland โ€“ Measuring Front-end Energy Consumption
Drupalcamp Finland โ€“ Measuring Front-end Energy ConsumptionDrupalcamp Finland โ€“ Measuring Front-end Energy Consumption
Drupalcamp Finland โ€“ Measuring Front-end Energy Consumption
Exove
ย 
Leading AI Innovation As A Product Manager - Michael Jidael
Leading AI Innovation As A Product Manager - Michael JidaelLeading AI Innovation As A Product Manager - Michael Jidael
Leading AI Innovation As A Product Manager - Michael Jidael
Michael Jidael
ย 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
ย 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
ย 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
ย 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
ย 

W3 conf hill-html5-security-realities

  • 1. HTML5 Security Realities Brad Hill, PayPal [email protected] @hillbrad W3Conf: Practical standards for web professionals 21 -22 February 2013 San Francisco
  • 2. โ€œThe reason that the Web browser is the principal entry point for malware is the number of choices that a browser offers up to whomever is at the other end. Evolving technologies like HTML5 promise to make this significantly worse.โ€ โ€“ Dan Geer
  • 3. In the next 30 minutes: โ€ข Show you real code using new standards to: โ€“ Solve Script Injection Vulnerabilities โ€“ Build Secure Mashups โ€ข HTML5 is a big step forward in security for the Web platform
  • 5. Script Injection, also known as Cross-Site Scripting or XSS, is the most common Web Application vulnerability. In 2007, WhiteHat estimated that 90% of sites were vulnerable.
  • 6. XSS in a nutshell: If somebody elseโ€™s code gets to run in your WebApp, itโ€™s not your WebApp anymore. + Same-Origin Policy = XSS anywhere on your domain is XSS everywhere on your domain.
  • 7. Current defenses: โ€ข Input filtering โ€“ Strip dangerous characters and tags from user data โ€ข Output encoding โ€“ Encode user data so it isnโ€™t treated as markup โ€œHTML5 broke my XSS filter!โ€
  • 8. YES. html5sec.org lists a dozen new XSS vectors in new tags and attributes in HTML5. But your filter was already broken.
  • 12. XSS Filters Were Doomed Filters are a server-side attempt to simulate the client-side parser and execution environment. Butโ€ฆ โ€ข Every browser parser operated differently โ€ข The algorithms were secret โ€ข Every browser had proprietary features, tags and syntax โ€ข Accepting bad markup was a feature
  • 14. Generously coercing a shambling mound of line noise into an application is no longer a competitive feature.
  • 15. By standardizing the technology for building Rich Web Applications, HTML5 began a fundamental shift in the security posture of the Web as a platform.
  • 17. Proprietary platforms compete for developers by offering features. Open platform implementers compete for users by offering quality.
  • 18. And now, BACK TO SOLVING SCRIPT INJECTION
  • 19. New and Better Anti-XSS Approaches Even if we now have some hope of simulating the browser parser for HTML5โ€ฆ Not easy, definitely not future-proof. Misses client-only data flows. Why not get help from the client?
  • 20. Content Security Policy 25 6.0 6.0 6.0 10 X-Content-Security-Policy X-WebKit-CSP (sandbox only) HTTP header to enforce, in the client, a least- privilege environment for script and other content.
  • 22. Content-Security-Policy: default-src 'self'; object-src 'none'; img-src https://uploads.example-board.net https://cdn.example-board.com data:; script-src https://code.example-board.net https://www.google-analytics.com; frame-src *.youtube.com; report-uri https://www.example- board.net/cspViolations.xyz
  • 23. Content Security Policy 1.0 default-src Everything script-src Scripts object-src Plugins style-src CSS img-src Images media-src Audio + Video frame-src Frame content font-src Fonts connect-src Script-loaded content (e.g. XHR) sandbox Same as HTML5 iframe sandbox reporturi Violation reporting
  • 24. The catchโ€ฆ โ€ข CSP enforces code / data separation โ€ข This means: NO inline script or css NO eval, even in libraries (can be disabled, but sacrifices many of the benefits of CSP)
  • 25. <script> function doSomething ()โ€ฆ </script> <button onClick="doSomething()"> Click Here!</button>
  • 26. <!--myPageScript.js--> function doSomething ()โ€ฆ Document.addEventListener(โ€˜DOMContentLoader', function() { for var b in document.querySelectorAll('.clickmeโ€˜)) e.addEventListener('click', doSomething); }); <!--myPageContent.html--> <script src="myPageScript.js"></script> <button class="clickme">Click Here!</button>
  • 27. Coming soon in CSP 1.1 โ€ข Whitelisting of inline scripts and CSS โ€ข More granular origins โ€ข Better control of plugins and media types โ€ข Control and reporting for reflected XSS filters โ€ข META tag support https://dvcs.w3.org/hg/content-security- policy/raw-file/tip/csp-specification.dev.html
  • 28. Templating Templating is one of the oldest and most widely used Web application construction patterns. But it is a hive of XSS villainy because it has never been a first-class feature in the client.
  • 29. HTML Templates New spec in progress in the WebApps WG: https://dvcs.w3.org/hg/webcomponents/raw- file/tip/spec/templates/index.html Declare templates as first-class client-side objects for increased performance, reduced XSS risk.
  • 30. With CSP and a careful application architecture XSS can be solved today. In the near future it will be possible using more familiar and better performing idioms.
  • 31. Secure Mashups โ€œHTML5 and CORS give new ways to bypass the Same-Origin Policy!โ€
  • 32. A โ€œmashupโ€ incorporates content from multiple origins under different administrative control. Today, more apps than not are authenticated mashups: ads, analytics, federated login How did we do this before HTML5?
  • 33. Flash, with crossdomain.xml <?xml version="1.0"?> <!--https://www.foo.com/crossdomain.xml-- > <cross-domain-policy> <allow-access-from domain=โ€œwww.example-analytics.com"/> </cross-domain-policy>
  • 34. Janโ€™s Rule: โ€œGive someone an ACL, and theyโ€™ll put in a *.โ€
  • 35. A โ€œ*โ€ in your master crossdomain.xml policy means your usersโ€™ information is vulnerable to any malicious SWF, anywhere on the Web
  • 36. I canโ€™t use Flash on iOS anywayโ€ฆ What about HTML-only methods?
  • 37. <script src=โ€œforeignOrigin"> Same-Origin Loophole Browser example-2.com Origin=example.com <script src= https://example-2.com/x.js> (function( window, undefined ) {โ€ฆ example.com
  • 38. AKA โ€“ โ€œJSONPโ€ โ€ข โ€œJSON with paddingโ€ <script src=โ€œexample.com/jsonp?callback=fooโ€> โ€ข Returns JSON data โ€œpaddedโ€ with a call to the function you specified. โ€ข You hopeโ€ฆitโ€™s still script!
  • 39. This pattern injects somebody elseโ€™s code into your application. Remember what the definition of XSS was?
  • 43. We can build it better. We have the technology.
  • 44. Cross-Origin Resource Sharing (CORS) 22 5.1 3.2 15 15 2.1 10 7 Voluntarily relax the Same-Origin Policy with an HTTP header to allow permissioned sharing on a resource-by-resource basis Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: someorigin.com
  • 45. CORS Client Example var xhr = new XMLHttpRequest(); xhr.open(method, xDomainUrl, true); xhr.withCredentials = true; xhr.onload = function() { var responseText = xhr.responseText; validatedResponse = validate(responseText); }; xhr.onerror = function() { console.log('There was an error!'); }; xhr.send();
  • 46. The difference: Script src gives you code you have no choice but to TRUST CORS gives you data you can VERIFY
  • 47. What about the * in CORS? * cannot be used for a resource that supports credentials. * in Access-Control-Allow-Origin gives other origins only the same view they already have from their own server. Access-Control-Allow-Origin: * is actually one of the safest ways to use CORS!
  • 48. What if you need data from somebody who doesnโ€™t publish a CORS API?
  • 49. sandboxed iframes 23 5.1 4.2 15 2.1 10 7 and postMessage 23 5.1 4.2 16 12.1 2.1 8 7
  • 50. trusted.mydomain.com/foo.html <iframe sandbox=โ€œallow-scriptsโ€ src=โ€œintegration.mydomain.com/wrapLogin.html โ€> </iframe> By using a different domain name, many benefits of the sandbox can be achieved, even in browsers that donโ€™t support it.
  • 51. integration.mydomain.com/wrapLogin.html <html> <script src=โ€œforeigndomain.com/login.jsโ€> </script> <script> window.parent.postMessage(loginName, โ€œtrusted.mydomain.comโ€); </script> </html>
  • 52. trusted.mydomain.com/foo.html <iframe sandbox=โ€œallow-scriptsโ€ src=โ€œuntrusted.mydomain.com/untrusted.htmlโ€> </iframe> <script> window.addEventListener("message", receiveMessage, false); receiveMessage = function(event) { if(event.origin == โ€œuntrusted.mydomain.comโ€) { var data = sanitizeData(event.data); } <script>
  • 53. But wait, thereโ€™s more! What if you do this to your own code?
  • 55. Hackers HATE Him!!!! Reduce your Trusted Computing Base by 95% with this one simple HTML5 trick!!!
  • 56. Summary: HTML5 HTML5 and the Open Web Platform are improving the security of the Web ecosystem. Rich Web Apps are not new, and HTML5 offers big security improvements compared to the proprietary plugin technologies itโ€™s actually replacing.
  • 57. Summary: Script Injection โ€ข Script Injection, aka XSS, can be a solved problem with proper application architecture and new client-side technologies. โ€ข Avoid incomplete server-side simulation, solve it directly in the client environment: โ€“ Content Security Policy โ€“ HTML Templates
  • 58. Summary: Mashups โ€ข Use CORS to get (and validate) data, not code โ€ข Use iframes and postMessage to isolate legacy mashup APIs โ€ข Treat your own code like a mashup: Use the Same-Origin Policy as a powerful privilege separation technique for secure application architecture in HTML5 https://github.com/devd/html5privsep
  • 59. Ongoing work in WebAppSec WG: โ€ข Content Security Policy 1.1 โ€ข User Interface Security to Kill Clickjacking โ€ข Sub-Resource Integrity โ€ข More important work underway in the Web Cryptography WG
  • 60. [email protected] Thank you! Questions? Brad Hill, PayPal [email protected] @hillbrad W3Conf: Practical standards for web professionals 21 -22 February 2013 San Francisco

Editor's Notes

  • #2: First, let me apologize that my slides arenโ€™t very pretty โ€“ itโ€™s tough to share a stage with so many of the most talented front-end engineers in the world and be the security person. But to that point, weโ€™ve seen a ton of really amazing stuff here so far, yesterday, this morning, and with more to come. I think itโ€™s safe to say that all the developers in the room are really excited about the possibilities of HTML5 and the Open Web Platform. But there is one group of people that isnโ€™t so excited about all of this: the security community.
  • #3: Almost since HTML5 was born, you canโ€™t go to a security conference or read the security tech press without finding HTML5 at the top of almost every list of threats. Itโ€™s framed it as part of an out-of-control spiral of complexity on the web thatโ€™s going to leave everyone vulnerable to more malware, more application-level compromises and more enterprise risk. Now, security people are grumpy by nature. We are constantly warning people of dangers ahead, and weโ€™re making a better living than ever because nobody ever listens. So, when it comes to HTML5, should you listen? Well, Iโ€™m here to say that no, in this case you shouldnโ€™t. Iโ€™ve been working on Web technologies and in security since 1994, and despite hearing about Lulzsec or Chinese hackers on the news every week, the security state of the Web today is better than it has ever been. In particular, weโ€™ve made very large advancements in the last few years, largely due to the rapid advancement of HTML5 and the Open Web Platform, and I think the next few years are going to continue that positive trajectory.
  • #4: At the last W3Conf I gave a talk with Scott Stender of iSEC Partners where we talked at a high level about some the ways HTML5 is changing security for modern web apps and what to be aware of. This time I want to show some real code on how to use new standards to tackle two of the biggest problems in Web security: solving Script Injection, and building secure mashups.Along the way, I hope Iโ€™ll convince you, and maybe, if some security people are watching, them, that HTML5 is a big step forward in security for the Web platform.
  • #5: So, not to lack ambition, letโ€™s tackle the biggest security problem on the Web first: Script Injection, also known as Cross-Site Scripting or XSS.
  • #6: This is the most common vulnerability on the Web โ€“ some studies have estimated its prevalence at 90%, and I believe that. One of the things HTML, of any version, is not good at is separating data and code, so any dynamic application tends to have script injection issues unless youโ€™ve specifically architected your app to avoid them.
  • #7: I hope that most everyone whoโ€™s a web developer today already has some idea of what XSS is, but in a nutshell:If somebody else gets to run code in your WebApp, itโ€™s not your WebApp anymore. And the Same-Origin Policy for JavaScript means that if there is an XSS vulnerability anywhere on your domain, everything on your domain is vulnerable. The attackers can take advantage of a single weakness to run amok in the browser, impersonate your users, and do anything they can do.
  • #8: Script Injection has been a known problem since 2001, and weโ€™ve come up with some server-side best defensive practices to prevent it: Input filtering, where we attempt to strip dangerous characters or tags from user input before we use it in markup, and Output encoding where we attempt to encode user data so that it isnโ€™t treated as markup by the browser.And one of the oldest security complaints about HTML5 is that it is going to break many existing XSS filters. If you have a blacklist filter that tries to strip specific tags and event handler attributes, HTML5 introduces a large number of new tags and features that wonโ€™t match your old rules.
  • #9: And, yes, this is true, and introducing new security risks into existing legacy systems is something we try really hard to avoid as we build new standards. But you know what? Every single blacklist filter for HTML4 is already broken. How can I be so confident? Because things like this:
  • #10: And this:
  • #11: Get interpreted as valid script in HTML4 in some browsers and can be used to mount attacks! Does your filter block those? How many browsers did you test it in?
  • #12: Those examples are from a book called Web Application Obfuscation by Gareth Heyes, Mario Heidrich, Eduardo Vela Nava and David Lindsay. An ENTIRE 280 PAGE BOOK full of stuff like that. Those examples I showed you are only the shore of a Lovecraftian continent of horror.
  • #13: How could they fill 280 pages with this stuff, and why are all of our XSS filters broken? They work in very limited contexts, but in a broader sense, they were doomed from the start, because an XSS filter is a server-side attempt to simulate the client-side parsing and execution environment, but before HTML5, every browser did this differently, how they did it was a secret, browsers were chock-full of proprietary features, tags and syntax, and accepting bad markup was actually considered a feature, in the tradition of Postelโ€™s Law.
  • #14: This is all to say that the security improvements of HTML5 start at the very foundations, because HTML5tโ€™s the first version of HTML to specify a normative state machine for parsing, including handling error conditions. Yes, there are new tags and new syntax, but if you want to know how browsers are going to parse markup, for the first time you can find out, and you can have some reasonable confidence that different browsers are going to act in a mostly consistent manner.
  • #15: The result of standardizing parsing is that generously coercing shambling mounds of random line noise into an application is no longer a competitive feature! And this is an insight and an outcome that doesnโ€™t just apply to parsing โ€“
  • #16: By standardizing the technology for building Rich Web Applications, HTML5 began a fundamental shift in the security posture of the Web as a platform.One of the biggest false charges leveled against HTML5 is that itโ€™s insecure because itโ€™s โ€œmore complex than HTML4.โ€ But thatโ€™s not the right comparison to make. HTML4 was never by itself the platform of the Web. The Rich Web Application has been with us for a decade, but it was built in terms of plugins โ€“ in Java, Flash and ActiveX.
  • #17: If youโ€™re the creator of one of these proprietary rich web app platform whether browser or plugin, you need to attract developers, so you live or die by how much you let developers do, not by how many security restrictions you put on them. You compete for developers and once you have them theyโ€™re locked in. If youโ€™re not happy with Javaโ€™s security record, you have to re-write your whole application to switch. If youโ€™re a user, you canโ€™t switch โ€“ you have to take it or leave it. On the contrary, if I was using an HTML5 app and my browser had a security record like Java, I could switch in a second, and the app developers wouldnโ€™t have to change anything.
  • #18: So the incentives of the Open Web Platform are different than theyโ€™ve been: Proprietary platforms compete for developers by offering features, and they can keep them because switching costs are high. On an open platform, switching costs are low, so implementers have to compete for users by offering them quality, which includes security.
  • #19: But enough soap box ranting โ€“ we were talking about solving script injection.
  • #20: And even though we finally have some hope of an accurate simulation of the browser in HTML5, thatโ€™s still not a great strategy. Itโ€™s complex, itโ€™s not future-proof, and it misses whatโ€™s called DOM XSS, vulnerabilities through data flows that canโ€™t be filtered at the server because the server never sees them.If script injection is a security issue at the client layer, why not solve it in the client?
  • #22: Maybe you remember the scene in the Odyssey where theyโ€™re about to sail past the Sirens. Odysseus knows that heโ€™ll go mad from the sirenโ€™s song, so he orders his crew to tie him to the mast and, whatever he says later, not to untie him.Thatโ€™s kind of what CSP does. It lets an app tell the browser to tie it to the mast.
  • #23: This is an example of a CSP header, and you can see itโ€™s pretty straightforward. We just list the origins that are allowed to load content.The difficult part here is that to get the full benefit, you canโ€™t use inline script or css, and thatโ€™s pretty problematic for existing apps.
  • #24: We can โ€ฆAnd CSP has a reporting feature, which makes deployment much easier, because you can measure whatโ€™s going to happen and build correct policies before you start enforcing them.
  • #28: So in CSP 1.1, we are working to fix this, by allowing whitelisting of inline scripts and css, along with other features like controlling the types of plugins that can run, and adding reporting to existing browser anti-XSS filters. So this is a great start on preventing XSS attacks that you can start using today, but thereโ€™s one other up and coming technology I want to touch on โ€“ and thatโ€™s HTML templates.
  • #30: So HTML templates are a new spec under development in the WebApps Working Group that allow you to declare templates as first-class client-side objects. Instead of dynamically building markup using strings concatenation and innerHTML, weโ€™ll have a pattern that has the potential to be both faster and offer much better security against script injection.
  • #31: What this boils down to is that:
  • #32: OK, so weโ€™ve solved XSS, which is a pretty good dayโ€™s workโ€“ but I also promised Iโ€™d show you how to build secure mashups in HTML5 โ€“ another thing that security folks like to say canโ€™t be done.
  • #33: So whatโ€™s a mashup? Itโ€™s when you include content from multiple sites in a single app. And I think weโ€™re all familiar with anonymous mashups, like putting Craigslist apartment listings onto a Google map, but what a lot people probably donโ€™t think about is that almost every major app today is part mashup โ€“ and moreover, theyโ€™re authenticated mashups. With features like advertising, analytics and federated login, weโ€™re sharing authenticated user data across origins at most places we visit on the Web.
  • #34: So Flash allows us to do this, using a policy file called crossdomain.xml, which defines ACLs for foreign SWFs. This policy file lets SWFs loaded from www.example-analytics.com to make requests, with cookies, and read the results, from www.foo.com.
  • #35: But we security folks are kind of cynical, weโ€™ve seen it all. And my friend Jan recently quippped: Give someone an ACL and theyโ€™ll put in a *.So what happens if you put a * in crossdomain.xml?
  • #36: Oops.. If you put * in your master policy file, you just allowed any malicious SWF anywhere on the Internet to access all your userโ€™s information. Game over. So thatโ€™s not greatโ€ฆ
  • #38: And the answer is that, since the beginning of the Same-Origin Policy, thereโ€™s always been a loophole. If I load content, and it sources script from another domain, that script becomes part of my application, effectively allowing us to read that information across domains and use this as a communication channel.
  • #40: But still, everyone thinks this is OK. We security people warn that this is dangerous, but nobody thinks anything bad is going to happen, they trust the people theyโ€™re getting this script from.Until two weeks agoโ€ฆ
  • #41: When Facebook broke the Internet. Did anyone see this? If you went to any of thousands of sites on the web, instead of seeing that site, you got a Facebook error page instead. Do you want to see the one line of code the broke the Internet?
  • #42: Well, this is the mashup pattern for Facebook Connect. So one bug here, and your application is at its mercy. But still, this was just a bug, it wasnโ€™t an attack.
  • #43: Hmmโ€ฆ This is what Facebook had to say, just a week after the connect fiasco. Now these arenโ€™t related and Iโ€™m sure that Facebook has really good security measures in place to make sure that a compromise of a developer workstation doesnโ€™t propagate out to impact code on the live site, but it should give you pause.The more we use insecure patterns like script src to connect the web, the more fragile we make it, and the more we make an individual API \\a single point of failure for the security of huge parts of the web, the harder the bad guys are going to try to exploit it.
  • #47: Script src gives you code that you have to trust, but CORS gives you data that you can validate.
  • #48: And it doesnโ€™t introduce any new Cross-Site Request Forgery attack surface.
  • #53: And so, in just a few lines of code, weโ€™ve locked our legacy mashup into a strong sandbox, and only let it pass notes. If it breaks or gets hacked, it canโ€™t reach out and affect rest of our application.
  • #54: But thereโ€™s more to this than I first realizedโ€ฆ.I mentioned this pattern for safe mashups at the last W3Conf in 2011, and Iโ€™m sure Iโ€™m wasnโ€™t the first to have done so, but I didnโ€™t realize how important it was until I saw a talk by Devdatta Akhwe at last yearโ€™s USENIX Security.In one of those brilliant insights that seems obvious once youโ€™ve heard it, Devdatta realized that this wasnโ€™t just a useful trick for legacy mashups โ€“ that it is actually a fundamental building block allowing privilege separation in HTML5 applications.
  • #55: What he said was basically, what if I treat my own code, and the libraries I host on my own domain, as being just as potentially dangerous as that foreign mashup? After all, if Iโ€™m building a complex app with tens of thousands of lines of JavaScript code, surely there are some latent bugs in there.And actually, the vast majority of that code doesnโ€™t even need to do sensitive things like access the userโ€™s cookie or perform transactions. We can apply the same architectural principles of privilege separation we use for architecting browsers or operating systems to our HTML5 applications using this iframe plus postMessage pattern.
  • #56: And he found that, for real-world applications using off-the-shelf libraries, by changing just a few lines of code, it was possible to reduce the trusted computing base of these applications by 95%, isolating all of those latent bugs into strong, browser-provided, same-origin sandboxes. So go check out this paper. If people pay attention to it, I think it has the potential to be one of the most important computer security papers of the decade and hugely reshape the risk profile of client-side WebApps.
  • #57: I could go on about many more features, but I think thatโ€™s a pretty good start. I hope Iโ€™ve convinced you that HTML5 and the Open Web Platform are improving the security of the Web ecosystem. Rich Web Apps arenโ€™t new, and HTML5 offers big security improvements compared to the proprietary plugin technologies itโ€™s actually replacing.