Writing an (in)secure webapp in 3 easy steps

JSConf 2011 slide deck on security in web applications. Track B

Presentation Transcript

  • Writing an (in)secure webapp JSCONF 2011 // Adam Baldwin
  • Insecure webapps: I lied - there are no “3 easy steps”. Writing (in)secure Webapps // JSCONF // MAY 2011
  • Introduction: @adam_baldwin, Co-Founder of nGenuity, PenTester of webs, Curator of evilpacket.net
  • Stuff to talk about
    • Writing insecure apps
    • # Navigation
    • Output Encoding
    • Piles of other crap
  • Writing Insecure
  • Why is it so easy?
    • Resource constrained
    • Landscape always changing
    • Engineering vs innovation
  • #! navigation zomg
  • # navigation: /#http://evilpacket.net/login (CORS is awesome)
  • Cross-Site Scripting: fireblog.com
  • Context Matters: it’s not okay to just encode "><'&
        <img src=#{STUFF}/>
        <img src=a onerror=CODE/>
  • ESAPI / jquery-encoder
        // jQuery click handler: read the user-supplied payload and insert it into
        // the page only after HTML-encoding it with the jquery-encoder plugin.
        $('#submit-entity-payload').click(function () {
            var payload = $('#entity-payload').val();
            $('#entity-container').html($.encoder.encodeForHTML(payload));
        });
  • Content Security Policy *
    Example 1: A server wants all content to come from its own domain:
        X-Content-Security-Policy: default-src self
    Example 2: An auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized ECMAScript:
        X-Content-Security-Policy: default-src self; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com
    * Firefox 4 only
  • Other Crap That Matters
    • Cross-Site Request Forgery
    • Clickjacking (X-Frame-Options)
    • Cookies (HTTPOnly / Secure)
    • ...
  • Questions? info@ngenuity-is.com // ngenuity-is.com
  • References
    nGenuity: http://ngenuity-is.com
    Evilpacket: http://evilpacket.net
    JavaScript-based ESAPI: An In-Depth Overview: https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf
    Content Security Policy: http://people.mozilla.com/~bsterne/content-security-policy/
    jQuery Encoder: http://plugins.jquery.com/project/jqencoder and http://software.digital-ritual.net/jqencoder/
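Worked example for the “Context Matters” and ESAPI / jquery-encoder slides above (added here; not the speaker's code and not the jqencoder plugin): hypothetical, simplified encodeForHTML and encodeForHTMLAttribute functions applied to the slide's unquoted `<img src=#{STUFF}/>` template, showing that body encoding alone leaves the attribute context open while attribute encoding closes it.

```javascript
// Added example (not from the slides or the jqencoder plugin): simplified,
// hypothetical re-implementations of two ESAPI-style encoders, used to show
// why "just encoding "><'&" is not enough in an unquoted attribute context.

// HTML body context: escaping & < > " ' is sufficient, because none of the
// remaining characters can break out of text content.
function encodeForHTML(input) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Attribute context: encode everything except [A-Za-z0-9] as a hex entity,
// so a space or '=' in the value can never start a second attribute.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, function (ch) {
    return '&#x' + ch.charCodeAt(0).toString(16) + ';';
  });
}

// The slide's template, <img src=#{STUFF}/>, rendered with each encoder.
function imgTagWithHtmlEncoder(stuff) {
  return '<img src=' + encodeForHTML(stuff) + '/>';
}
function imgTagWithAttributeEncoder(stuff) {
  return '<img src=' + encodeForHTMLAttribute(stuff) + '/>';
}

// Crude inspection helper: the attribute names present in the tag
// (every "name=" token), so the two renderings can be compared.
function attributeNames(tag) {
  return (tag.match(/[A-Za-z-]+=/g) || []).map(function (m) { return m.slice(0, -1); });
}

// Constructed sample value in the shape the slide shows. It contains none of
// "><'&, so the body encoder leaves it unchanged and the unquoted attribute
// gains a second, event-handler attribute; the attribute encoder keeps the
// whole value inside src.
var SAMPLE = 'a onerror=CODE';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(imgTagWithHtmlEncoder(SAMPLE));                       // <img src=a onerror=CODE/>
  console.log(attributeNames(imgTagWithHtmlEncoder(SAMPLE)));       // [ 'src', 'onerror' ]
  console.log(imgTagWithAttributeEncoder(SAMPLE));                  // <img src=a&#x20;onerror&#x3d;CODE/>
  console.log(attributeNames(imgTagWithAttributeEncoder(SAMPLE)));  // [ 'src' ]
}
```

Quoting the attribute (src="...") and using the body encoder also works, since the quote character itself is encoded; the unquoted form is the case the slide warns about.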