Securing Web Applications

Loading...

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

0 comments

Post a comment

    Post a comment
    Embed Video
    Edit your comment Cancel

    Notes on slide 1

    Favorites, Groups & Events

    Securing Web Applications - Presentation Transcript

    1. Securing Web Applications
    2. IE 7 significantly reduced attack surface against the browser and local machine…
    3. …but Social Engineering and exploitation of add-ons continues to grow. WebApp attacks (CSRF, XSS, ClickJacking, splitting) may be the next big vector. And the next generation of attackers is coming out of grade school.
    4. Worst of all, it turns out that crime does pay after all.
    5. Why is browser security so elusive?
    6. The security architecture of the current web platform was largely an afterthought.
    7. Maybe there’s a shortcut?
    8. We could block nearly 100% of exploits by removing one component from the system…
    9. Or, we could block a majority of exploits by removing a different component from the system…
    10. So, if we re-architect everything, or get rid of the users, or get rid of the network, then security might be easy. FAIL
    11. Making the correct tradeoffs is hard.
    12. IE8 Security Vision IE8 is the most secure browser by default.
    13. IE8 Security Investments Address the evolving threat landscape Browser & Social Web App Add-on Engineering Vulnerabilities Vulnerabilities
    14. What’s the best way to develop secure, performant, and reliable C/C++ code?
    15. Don’t.
    16. Non-Binary Extensibility
    17. Non-Binary Extensibility
    18. Non-Binary Extensibility
    19. Non-Binary Extensibility
    20. Lots of other investments
    21. The Weakest Link
    22. Sometimes, threats are obvious…
    23. …but bad guys are getting smarter…
    24. Fake codecs and add-ons
    25. Fake antivirus scanners & utilities
    26. A more effective warning?
    27. SmartScreen Download Block
    28. SmartScreen Block Page
    29. Domain Highlighting
    30. HTTPS - Extended Validation
    31. HTTPS Mistakes
    32. Insecure Login Form
    33. Certificate Mismatch
    34. Mixed Content - Prompt
    35. Mixed Content Blocked
    36. Mixed Content shown – No lock
    37. Mixed Content - Troubleshooting
    38. Preventing XSS
    39. XSS Threats Researcher Bryan Sullivan: “XSS is the new buffer overflow.”
    40. XSS Statistics HTTP Response Predictable Splitting Other Resource 5% 6% Location 5% SQL Leakage 5% Content Spoofing 6% Info Leakage 4% XSS 70% Source: WhiteHat Security, August 2008
    41. IE8 XSS Filter
    42. Comprehensive XSS Protection
    43. Securing Mashups
    44. How are mashups built today?
    45. XDomainRequest
    46. HTML5 postMessage()
    47. postMessage – Sending // Find target frame var oFrame = document.getElementsByTagName('iframe')[0]; // postMessage will only deliver the 'Hello’ // message if the frame is currently // at the expected target site oFrame.contentWindow.postMessage('Hello', 'http://recipient.example.com');
    48. postMessage – Listening // Listen for the event. For non-IE, use // addEventListener instead. document.attachEvent('onmessage', function(e){ if (e.domain == 'expected.com') { // e.data contains the string // We can use it here. But how? } });
    49. JavaScript Object Notation {\"Weather\": { \"City\": \"Seattle\", \"Zip\": 98052, \"Forecast\": { \"Today\": \"Sunny\", \"Tonight\": \"Dark\", \"Tomorrow\": \"Sunny\" } }}
    50. JavaScript Object Notation
    51. Native JSON Support
    52. window.toStaticHTML() window.toStaticHTML( \"This is some <b>HTML</b> with embedded script following... <script> alert('bang!'); </script>!“ ); returns: This is some <b>HTML</b> with embedded script following... !
    53. Putting it all together… if (window.XDomainRequest){ var xdr = new XDomainRequest(); xdr.onload = function(){ var objWeather = JSON.parse(xdr.responseText); var oSpan = window.document.getElementById(\"spnWeather\"); oSpan.innerHTML = window.toStaticHTML( \"Tonight it will be <b>\" + objWeather.Weather.Forecast.Tonight + \"</b> in <u>\" + objWeather.Weather.City + \"</u>.\" ); }; xdr.open(\"POST\", \"http://evil.example.com/getweather.aspx\"); xdr.send(\"98052\"); }
    54. Best Practices Microsoft Anti-Cross Site Scripting Library Content-Type: text/html; charset=UTF-8 Set-Cookie: secret=value; httponly
    55. ClickJacking
    56. Hosting unsafe files
    57. MIME-Sniffing image/* Content-Disposition: attachment;filename=“file.htm”; X-Download-Options: NoOpen
    58. Privacy
    59. File Upload Control Server no longer gets full filename: Content-Disposition: form-data; name=\"file1\"; filename=\"File.zip“ Local JavaScript sees a fixed path for compatibility: file1.value == “C:\\fakepath\\File.zip”
    60. Enhanced Cleanup
    61. InPrivate™
    62. InPrivate™ Browsing Bonus: Helps mitigate CSS “Visited Links” History theft vector
    63. Background on 3rd Party Aggregation Contoso.com Woodgrovebank.com Tailspin.com Southridge1-1.com Farbrican.com adventureworks.com Litware-final.com Example.com User Visits 5 4 1 7 2 8 3 6 Unique Sites 1 1 Prosware-sol.com 3rd party Syndicator Web server
    64. Watcher Passive Security Auditor http://websecuritytool.codeplex.com/
    65. Creating a great experience on Digg with IE8 IE8 in the real world Building high performance web applications and sites
    66. ericlaw@microsoft.com Please fill out your evaluation forms! T54F
    67. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
    SlideShare Zeitgeist 2009

    + goodfridaygoodfriday Nominate

    custom

    831 views, 0 favs, 2 embeds more stats

    Learn how to take advantage of browser security imp more

    More info about this document

    © All Rights Reserved

    Go to text version

    • Total Views 831
      • 820 on SlideShare
      • 11 from embeds
    • Comments 0
    • Favorites 0
    • Downloads 29
    Most viewed embeds
    • 10 views on http://zfrylmz.com
    • 1 views on http://feeds2.feedburner.com

    more

    All embeds
    • 10 views on http://zfrylmz.com
    • 1 views on http://feeds2.feedburner.com

    less

    Flagged as inappropriate Flag as inappropriate
    Flag as inappropriate

    Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

    Cancel
    File a copyright complaint
    Having problems? Go to our helpdesk?

    Categories

    Tags

    -->
    What's New

    © 2009 SlideShare Inc. All rights reserved.