Writing an (in)secure webapp in 3 easy steps

jsconf 2011 slidedeck on security in web applications. Track B

  1. Writing an (in)secure webapp JSCONF 2011 // Adam Baldwin
  2. insecure webapps. I lied - there are no “3 easy steps”. Writing (in)secure Webapps // JSCONF // MAY 2011
  3. Introduction: @adam_baldwin • Co-Founder of nGenuity • PenTester of webs • Curator of evilpacket.net
  4. Writing (in)secure Webapps // JSCONF // MAY 2011
  5. Stuff to talk about • Writing insecure apps • # Navigation • Output Encoding • Piles of other crap
  6. Writing Insecure
  7. Why is it so easy? • Resource constrained • Landscape always changing • Engineering vs innovation
  8. #! navigation zomg
  9. # navigation • /#http://evilpacket.net/login • CORS is awesome
  10. Cross-Site Scripting • fireblog.com
  11. Context Matters: It’s not okay to just encode “><‘& • <img src=#{STUFF}/> • <img src=a onerror=CODE/>
  12. ESAPI / jquery-encoder
      // Encode untrusted input for the HTML body context before inserting it
      $('#submit-entity-payload').click(function() {
          var payload = $('#entity-payload').val();
          $('#entity-container').html($.encoder.encodeForHTML(payload));
      });
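Slide 11's point, as an added example (not code from the deck): in an unquoted attribute the value `a onerror=CODE` passes a five-character HTML encoder untouched, while an attribute-context encoder (modelled on the ESAPI/jquery-encoder rule of encoding every non-alphanumeric character) neutralizes it. The function names, the `attributeCount` check and the sample value are assumptions made for the example.

```javascript
// Added example (not from the slides): why "just encode "><'&" is not enough.
// Assumption: encodeForHTML stands for the naive five-character approach the
// slide criticizes; encodeForHTMLAttribute follows the ESAPI rule of encoding
// every non-alphanumeric character so nothing can end or start an attribute.

// Naive: escape only the characters usually associated with XSS.
function encodeForHTML(input) {
  return String(input).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[c];
  });
}

// Attribute context: encode everything outside [A-Za-z0-9] as a numeric
// entity, so whitespace, '=' and '/' cannot introduce a new attribute.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, function (c) {
    return '&#x' + c.charCodeAt(0).toString(16) + ';';
  });
}

// Template from slide 11: an unquoted src attribute built from user data.
// (Quoting the attribute is also required; the encoder must match the context.)
function renderImg(stuff, encoder) {
  return '<img src=' + encoder(stuff) + '/>';
}

// Review check: how many attributes does the rendered tag carry? With an
// unquoted value, any surviving whitespace starts a new attribute name.
function attributeCount(tag) {
  var inner = tag.replace(/^<img\s+/, '').replace(/\/?>$/, '');
  return inner.split(/\s+/).filter(Boolean).length;
}

// Constructed sample value shaped like the slide's placeholder payload.
var untrusted = 'a onerror=CODE';
var naive = renderImg(untrusted, encodeForHTML);              // two attributes: src and onerror
var hardened = renderImg(untrusted, encodeForHTMLAttribute);  // one attribute: src only
```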
  13. Content Security Policy *
      Example 1: A server wants all content to come from its own domain:
      X-Content-Security-Policy: default-src self
      Example 2: An auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized ECMAScript:
      X-Content-Security-Policy: default-src self; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com
      * Firefox 4 only
  14. Other Crap That Matters • Cross-Site Request Forgery • Clickjacking (X-Frame-Options) • Cookies (HTTPOnly / Secure) • ...
  15. Questions? info@ngenuity-is.com // ngenuity-is.com
  16. References
      nGenuity: http://ngenuity-is.com
      Evilpacket: http://evilpacket.net
      JavaScript-based ESAPI: An In-Depth Overview: https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf
      Content Security Policy: http://people.mozilla.com/~bsterne/content-security-policy/
      jQuery Encoder: http://plugins.jquery.com/project/jqencoder • http://software.digital-ritual.net/jqencoder/