Writing an (in)secure webapp in 3 easy steps
jsconf 2011 slidedeck on security in web applications. Track B

    1. Writing an (in)secure webapp
       JSCONF 2011 // Adam Baldwin
    2. insecure webapps
       I lied - There are no "3 easy steps"
       Writing (in)secure Webapps // JSCONF // MAY 2011
    3. Introduction
       @adam_baldwin
       Co-Founder of nGenuity
       PenTester of webs
       Curator of evilpacket.net
    4. (slide has no text content)
    5. Stuff to talk about
       • Writing insecure apps
       • # Navigation
       • Output Encoding
       • Piles of other crap
    6. Writing Insecure
    7. Why is it so easy?
       • Resource constrained
       • Landscape always changing
       • Engineering vs innovation
    8. #! navigation zomg
    9. # navigation
       /#http://evilpacket.net/login
       CORS is awesome
    10. Cross-Site Scripting
       fireblog.com
    11. Context Matters
       It's not okay to just encode "><'&
       <img src=#{STUFF}/>
       <img src=a onerror=CODE/>
    12. ESAPI / jquery-encoder
       // Encode user-supplied text for the HTML body context before inserting it into the DOM
       $('#submit-entity-payload').click(function() {
           var payload = $('#entity-payload').val();
           $('#entity-container').html( $.encoder.encodeForHTML(payload) );
       });
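The rule behind the "Context Matters" and "ESAPI / jquery-encoder" slides, as an added example (my own code, not the slides' and not the jquery-encoder plugin's): two minimal encoders modelled on the ESAPI rules, applied to the slide's unquoted `<img src=#{STUFF}/>` template. Function names and the constructed payload are assumptions.

```javascript
// Added example, not from the slides: why encoding only "><'& is not enough
// once the output lands inside an attribute.

// HTML body context: the five characters the slide lists are sufficient here.
function encodeForHTML(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HTML attribute context, ESAPI-style rule (hypothetical implementation):
// every non-alphanumeric character becomes a numeric entity, so whitespace
// and '=' can never terminate an unquoted attribute or start a new one.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).toUpperCase();
    return '&#x' + hex + ';';
  });
}

// Constructed value modelled on the slide's `<img src=a onerror=CODE/>` case.
// It contains none of the five "classic" characters, so the body encoder
// leaves it completely untouched.
const ATTR_PAYLOAD = 'a onerror=CODE';

// Render the slide's `<img src=#{STUFF}/>` template with a chosen encoder.
function renderImg(stuff, encoder) {
  return '<img src=' + encoder(stuff) + '/>';
}

// Detection check: did the value escape the unquoted src attribute and
// introduce a second attribute (whitespace followed by name=)?
function attributeBreaksOut(html) {
  return /<img src=[^\s>]*\s+[a-z]+=/i.test(html);
}
```

`attributeBreaksOut(renderImg(ATTR_PAYLOAD, encodeForHTML))` is true, while the same check with `encodeForHTMLAttribute` is false; quoting the attribute in the template is the other half of the fix.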
    13. Content Security Policy *
       Example 1: A server wants all content to come from its own domain:
           X-Content-Security-Policy: default-src 'self'
       Example 2: An auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized ECMAScript:
           X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com
       * Firefox 4 only
    14. Other Crap That Matters
       • Cross-Site Request Forgery
       • Clickjacking (X-Frame-Options)
       • Cookies (HTTPOnly / Secure)
       • ...
    15. Questions?
       info@ngenuity-is.com // ngenuity-is.com
    16. References
       nGenuity: http://ngenuity-is.com
       Evilpacket: http://evilpacket.net
       JavaScript-based ESAPI: An In-Depth Overview: https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf
       Content Security Policy: http://people.mozilla.com/~bsterne/content-security-policy/
       jQuery Encoder: http://plugins.jquery.com/project/jqencoder
       http://software.digital-ritual.net/jqencoder/