Your SlideShare is downloading. ×
0
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Securing Web Applications
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Securing Web Applications

1,425

Published on

Learn how to take advantage of browser security improvements to help protect your Web applications and visitors.

Learn how to take advantage of browser security improvements to help protect your Web applications and visitors.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,425
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
58
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Securing Web Applications
  • 2. IE 7 significantly reduced attack surface against the browser and local machine…
  • 3. …but Social Engineering and exploitation of add-ons continues to grow. WebApp attacks (CSRF, XSS, ClickJacking, splitting) may be the next big vector. And the next generation of attackers is coming out of grade school.
  • 4. Worst of all, it turns out that crime does pay after all.
  • 5. Why is browser security so elusive?
  • 6. The security architecture of the current web platform was largely an afterthought.
  • 7. Maybe there’s a shortcut?
  • 8. We could block nearly 100% of exploits by removing one component from the system…
  • 9. Or, we could block a majority of exploits by removing a different component from the system…
  • 10. So, if we re-architect everything, or get rid of the users, or get rid of the network, then security might be easy. FAIL
  • 11. Making the correct tradeoffs is hard.
  • 12. IE8 Security Vision IE8 is the most secure browser by default.
  • 13. IE8 Security Investments Address the evolving threat landscape Browser & Social Web App Add-on Engineering Vulnerabilities Vulnerabilities
  • 14. What’s the best way to develop secure, performant, and reliable C/C++ code?
  • 15. Don’t.
  • 16. Non-Binary Extensibility
  • 17. Non-Binary Extensibility
  • 18. Non-Binary Extensibility
  • 19. Non-Binary Extensibility
  • 20. Lots of other investments
  • 21. The Weakest Link
  • 22. Sometimes, threats are obvious…
  • 23. …but bad guys are getting smarter…
  • 24. Fake codecs and add-ons
  • 25. Fake antivirus scanners & utilities
  • 26. A more effective warning?
  • 27. SmartScreen Download Block
  • 28. SmartScreen Block Page
  • 29. Domain Highlighting
  • 30. HTTPS - Extended Validation
  • 31. HTTPS Mistakes
  • 32. Insecure Login Form
  • 33. Certificate Mismatch
  • 34. Mixed Content - Prompt
  • 35. Mixed Content Blocked
  • 36. Mixed Content shown – No lock
  • 37. Mixed Content - Troubleshooting
  • 38. Preventing XSS
  • 39. XSS Threats Researcher Bryan Sullivan: “XSS is the new buffer overflow.”
  • 40. XSS Statistics HTTP Response Predictable Splitting Other Resource 5% 6% Location 5% SQL Leakage 5% Content Spoofing 6% Info Leakage 4% XSS 70% Source: WhiteHat Security, August 2008
  • 41. IE8 XSS Filter
  • 42. Comprehensive XSS Protection
  • 43. Securing Mashups
  • 44. How are mashups built today?
  • 45. XDomainRequest
  • 46. HTML5 postMessage()
  • 47. postMessage – Sending // Find target frame var oFrame = document.getElementsByTagName('iframe')[0]; // postMessage will only deliver the 'Hello’ // message if the frame is currently // at the expected target site oFrame.contentWindow.postMessage('Hello', 'http://recipient.example.com');
  • 48. postMessage – Listening // Listen for the event. For non-IE, use // addEventListener instead. document.attachEvent('onmessage', function(e){ if (e.domain == 'expected.com') { // e.data contains the string // We can use it here. But how? } });
  • 49. JavaScript Object Notation {quot;Weatherquot;: { quot;Cityquot;: quot;Seattlequot;, quot;Zipquot;: 98052, quot;Forecastquot;: { quot;Todayquot;: quot;Sunnyquot;, quot;Tonightquot;: quot;Darkquot;, quot;Tomorrowquot;: quot;Sunnyquot; } }}
  • 50. JavaScript Object Notation
  • 51. Native JSON Support
  • 52. window.toStaticHTML() window.toStaticHTML( quot;This is some <b>HTML</b> with embedded script following... <script> alert('bang!'); </script>!“ ); returns: This is some <b>HTML</b> with embedded script following... !
  • 53. Putting it all together… if (window.XDomainRequest){ var xdr = new XDomainRequest(); xdr.onload = function(){ var objWeather = JSON.parse(xdr.responseText); var oSpan = window.document.getElementById(quot;spnWeatherquot;); oSpan.innerHTML = window.toStaticHTML( quot;Tonight it will be <b>quot; + objWeather.Weather.Forecast.Tonight + quot;</b> in <u>quot; + objWeather.Weather.City + quot;</u>.quot; ); }; xdr.open(quot;POSTquot;, quot;http://evil.example.com/getweather.aspxquot;); xdr.send(quot;98052quot;); }
  • 54. Best Practices Microsoft Anti-Cross Site Scripting Library Content-Type: text/html; charset=UTF-8 Set-Cookie: secret=value; httponly
  • 55. ClickJacking
  • 56. Hosting unsafe files
  • 57. MIME-Sniffing image/* Content-Disposition: attachment;filename=“file.htm”; X-Download-Options: NoOpen
  • 58. Privacy
  • 59. File Upload Control Server no longer gets full filename: Content-Disposition: form-data; name=quot;file1quot;; filename=quot;File.zip“ Local JavaScript sees a fixed path for compatibility: file1.value == “C:fakepathFile.zip”
  • 60. Enhanced Cleanup
  • 61. InPrivate™
  • 62. InPrivate™ Browsing Bonus: Helps mitigate CSS “Visited Links” History theft vector
  • 63. Background on 3rd Party Aggregation Contoso.com Woodgrovebank.com Tailspin.com Southridge1-1.com Farbrican.com adventureworks.com Litware-final.com Example.com User Visits 5 4 1 7 2 8 3 6 Unique Sites 1 1 Prosware-sol.com 3rd party Syndicator Web server
  • 64. Watcher Passive Security Auditor http://websecuritytool.codeplex.com/
  • 65. Creating a great experience on Digg with IE8 IE8 in the real world Building high performance web applications and sites
  • 66. ericlaw@microsoft.com Please fill out your evaluation forms! T54F
  • 67. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

×