Securing Web Applications

Learn how to take advantage of browser security improvements to help protect your Web applications and visitors.

  1. Securing Web Applications
  2. IE 7 significantly reduced the attack surface against the browser and the local machine…
  3. …but Social Engineering and exploitation of add-ons continue to grow. Web app attacks (CSRF, XSS, ClickJacking, HTTP response splitting) may be the next big vector. And the next generation of attackers is coming out of grade school.
  4. Worst of all, it turns out that crime does pay after all.
  5. Why is browser security so elusive?
  6. The security architecture of the current web platform was largely an afterthought.
  7. Maybe there’s a shortcut?
  8. We could block nearly 100% of exploits by removing one component from the system…
  9. Or, we could block a majority of exploits by removing a different component from the system…
  10. So, if we re-architect everything, or get rid of the users, or get rid of the network, then security might be easy. FAIL
  11. Making the correct tradeoffs is hard.
  12. IE8 Security Vision: IE8 is the most secure browser by default.
  13. IE8 Security Investments address the evolving threat landscape in three areas: Browser & Add-on Vulnerabilities, Social Engineering, and Web App Vulnerabilities.
  14. What’s the best way to develop secure, performant, and reliable C/C++ code?
  15. Don’t.
  16. Non-Binary Extensibility
  17. Non-Binary Extensibility
  18. Non-Binary Extensibility
  19. Non-Binary Extensibility
  20. Lots of other investments
  21. The Weakest Link
  22. Sometimes, threats are obvious…
  23. …but bad guys are getting smarter…
  24. Fake codecs and add-ons
  25. Fake antivirus scanners & utilities
  26. A more effective warning?
  27. SmartScreen Download Block
  28. SmartScreen Block Page
  29. Domain Highlighting
  30. HTTPS - Extended Validation
  31. HTTPS Mistakes
  32. Insecure Login Form
  33. Certificate Mismatch
  34. Mixed Content - Prompt
  35. Mixed Content Blocked
  36. Mixed Content shown – No lock
  37. Mixed Content - Troubleshooting
  38. Preventing XSS
  39. XSS Threats. Researcher Bryan Sullivan: “XSS is the new buffer overflow.”
  40. XSS Statistics (pie chart; source: WhiteHat Security, August 2008): XSS accounts for 70% of reported vulnerabilities, with the remainder split between HTTP Response Splitting, Predictable Resource Location, SQL Injection, Content Spoofing, Information Leakage and Other at 4–6% each.
  41. IE8 XSS Filter
  42. Comprehensive XSS Protection
  43. Securing Mashups
  44. How are mashups built today?
  45. XDomainRequest
  46. HTML5 postMessage()
  47. postMessage – Sending
        // Find target frame
        var oFrame = document.getElementsByTagName('iframe')[0];
        // postMessage will only deliver the 'Hello' message if the frame
        // is currently at the expected target site
        oFrame.contentWindow.postMessage('Hello', 'http://recipient.example.com');
  48. postMessage – Listening
        // Listen for the event. For non-IE, use
        // addEventListener('message', ...) instead.
        document.attachEvent('onmessage', function (e) {
          // Compare the sender's full origin (scheme + host), not just a host name
          if (e.origin == 'http://expected.com') {
            // e.data contains the string. We can use it here. But how?
          }
        });
  49. JavaScript Object Notation
        {"Weather": {
          "City": "Seattle",
          "Zip": 98052,
          "Forecast": {
            "Today": "Sunny",
            "Tonight": "Dark",
            "Tomorrow": "Sunny"
          }
        }}
  50. JavaScript Object Notation
  51. Native JSON Support
  52. window.toStaticHTML()
        window.toStaticHTML("This is some <b>HTML</b> with embedded script following... <script> alert('bang!'); </script>!");
      returns:
        This is some <b>HTML</b> with embedded script following... !
  53. Putting it all together…
        if (window.XDomainRequest) {
          var xdr = new XDomainRequest();
          xdr.onload = function () {
            // Parse the cross-domain response with the native JSON parser, never eval()
            var objWeather = JSON.parse(xdr.responseText);
            var oSpan = window.document.getElementById("spnWeather");
            // Strip script and event handlers before inserting remote data as HTML
            oSpan.innerHTML = window.toStaticHTML(
              "Tonight it will be <b>" + objWeather.Weather.Forecast.Tonight +
              "</b> in <u>" + objWeather.Weather.City + "</u>."
            );
          };
          xdr.open("POST", "http://evil.example.com/getweather.aspx");
          xdr.send("98052");
        }
  54. Best Practices
        Microsoft Anti-Cross Site Scripting Library
        Content-Type: text/html; charset=UTF-8
        Set-Cookie: secret=value; httponly
  55. ClickJacking
  56. Hosting unsafe files
  57. MIME-Sniffing
        image/*
        Content-Disposition: attachment; filename="file.htm"
        X-Download-Options: NoOpen
  58. Privacy
  59. File Upload Control. The server no longer gets the full local path, only the file name:
        Content-Disposition: form-data; name="file1"; filename="File.zip"
      Local JavaScript sees a fixed path for compatibility:
        file1.value == "C:\fakepath\File.zip"
  60. Enhanced Cleanup
  61. InPrivate™
  62. InPrivate™ Browsing. Bonus: helps mitigate the CSS “Visited Links” history theft vector
  63. Background on 3rd Party Aggregation (diagram): the user visits eight unique sites (Contoso.com, Woodgrovebank.com, Tailspin.com, Southridge1-1.com, Farbrican.com, adventureworks.com, Litware-final.com, Example.com), each of which pulls content from the same 3rd-party syndicator web server (Prosware-sol.com), so that one server observes all eight visits.
  64. Watcher Passive Security Auditor: http://websecuritytool.codeplex.com/
  65. Related sessions: Creating a great experience on Digg with IE8; IE8 in the real world; Building high performance web applications and sites
  66. ericlaw@microsoft.com. Please fill out your evaluation forms! T54F
  67. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
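The postMessage listener on slide 48 and the mashup on slide 53 both hinge on checking the sender's origin before trusting e.data and on never letting remote data run as script. The following is an added example, not code from the deck: the origin allow-list, the JSON message shape, the element id and the sendWeather helper are assumptions.

```javascript
// Added example (not from the deck): an origin-checked postMessage receiver.
// Exact-match allow-list of full origins (scheme + host [+ port]). Comparing
// against a bare host name, or using indexOf/endsWith on the origin string,
// would also accept an origin such as "https://expected.com.attacker.example".
var TRUSTED_ORIGINS = ['https://expected.com', 'https://recipient.example.com'];

function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.indexOf(origin) !== -1;
}

// Parse the message as JSON (never eval) and keep only the fields we expect,
// returning null for anything that fails validation. Message shape is assumed.
function parseWeatherMessage(data) {
  if (typeof data !== 'string') { return null; }
  var obj;
  try { obj = JSON.parse(data); } catch (err) { return null; }
  if (!obj || !obj.Weather || !obj.Weather.Forecast) { return null; }
  var city = obj.Weather.City, tonight = obj.Weather.Forecast.Tonight;
  if (typeof city !== 'string' || typeof tonight !== 'string') { return null; }
  return { city: city, tonight: tonight };
}

// Returns the text to display, or null when the message must be ignored.
function handleMessage(e) {
  if (!isTrustedOrigin(e.origin)) { return null; }
  var w = parseWeatherMessage(e.data);
  if (!w) { return null; }
  return 'Tonight it will be ' + w.tonight + ' in ' + w.city + '.';
}

// Sender side (assumed helper): name the target origin explicitly so the
// browser drops the message if the frame has navigated somewhere else.
function sendWeather(targetWindow, weatherObj) {
  targetWindow.postMessage(JSON.stringify(weatherObj), 'https://recipient.example.com');
}

// Browser wiring; skipped when run outside a browser (e.g. under Node).
// textContent (or toStaticHTML on IE8) keeps remote data from being parsed as HTML.
if (typeof window !== 'undefined' && window.addEventListener) {
  window.addEventListener('message', function (e) {
    var text = handleMessage(e);
    if (text !== null) {
      document.getElementById('spnWeather').textContent = text;
    }
  }, false);
}
```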
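The Content-Disposition and X-Download-Options headers on slide 57 only help if the filename echoed into them cannot break out of the quoted string or split the response (the HTTP response splitting attack class named on slides 3 and 40). Added example, not the deck's code: the naive builder is shown beside a hardened one; the filename rules and the octet-stream Content-Type are assumptions.

```javascript
// Added example (not from the deck): response headers for serving an
// untrusted upload as a download rather than rendering it in the browser.

// Naive version: echoes the uploaded name straight into the header. A name
// containing a quote or CR/LF can close the value early or inject headers.
function naiveContentDisposition(originalName) {
  return 'attachment; filename="' + originalName + '"';
}

// Hardened name: keep only the last path segment, then allow a conservative
// character set (no quotes, separators, CR/LF or other control characters).
function safeDownloadName(name) {
  var base = String(name).split(/[\\/]/).pop();
  var cleaned = base.replace(/[^A-Za-z0-9._-]/g, '_');
  if (cleaned === '' || /^\.+$/.test(cleaned)) { cleaned = 'download'; }
  return cleaned;
}

// Headers to attach to the response. Content-Type is pinned to a generic
// binary type (assumption) so a file named .htm is not treated as a page,
// and X-Download-Options: NoOpen removes the "Open" choice in IE8's dialog.
function downloadHeaders(originalName) {
  var name = safeDownloadName(originalName);
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': 'attachment; filename="' + name + '"',
    'X-Download-Options': 'NoOpen'
  };
}

// Detection helper: a header value containing CR or LF would split the response.
function containsLineBreak(value) {
  return /[\r\n]/.test(value);
}
```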
