
Site Security Policy - Yahoo! Security Week

Web Application Security
and the Browser
Brandon Sterne
5/15/2008
Agenda
• Browsers can do more to protect users and websites
• “Intranet Hacking”
  • Protect the resources that live inside the firewall or home router
• Cross-site Scripting and Cross-Site Request Forgery
  • Protect users and websites from each other in a world where the Same-Origin policy is often broken

2
Not the only solution...
• Best Option: Writing secure applications
  • Employ good input and output filtering
  • Check form keys, HTTP Referer, etc.
  • Follow security best practices [1]
• Defense in Depth
  • Writing reliably secure web applications is hard
  • The browser can provide an additional layer of security and can intervene to prevent malicious activity

[1] http://www.owasp.org/index.php/Secure_Coding_Principles

3
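Slide 3's "check form keys, HTTP Referer" in working code, as an added example that is not part of the deck: a per-session form key compared in constant time and a Referer origin check, run over constructed request objects that stand in for parsed HTTP requests. The site origin, the session token value and the requests are assumptions made for the example; treating a missing Referer as a failure is this example's strict choice, not something the slides specify.

```javascript
// Added example, not from Brandon Sterne's slides: the server-side CSRF
// checks slide 3 lists, a per-session form key and an HTTP Referer check,
// applied to constructed request objects. SITE_ORIGIN, the token value and
// the requests below are assumptions made for the example.

const SITE_ORIGIN = 'https://example.test';

// Compare two strings without an early exit on the first differing character,
// so the form key check does not leak how much of the token matched.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Origin of the page that submitted the request, taken from the Referer
// header; null when the header is absent or unparseable.
function refererOrigin(headers) {
  if (!headers.referer) return null;
  try {
    return new URL(headers.referer).origin;
  } catch (e) {
    return null;
  }
}

// Returns the reasons a state-changing request must be rejected; an empty
// list means it passes both checks. A missing Referer is a failure here (the
// strict choice; some clients strip the header, so a real deployment has to
// decide how much breakage that is worth).
function checkStateChangingRequest(req, session) {
  const reasons = [];
  const submitted = (req.form && req.form.form_key) || '';
  if (!constantTimeEqual(submitted, session.formKey)) reasons.push('form key mismatch');
  const origin = refererOrigin(req.headers || {});
  if (origin === null) reasons.push('referer missing');
  else if (origin !== SITE_ORIGIN) reasons.push('referer origin mismatch');
  return reasons;
}

// Constructed sample session and requests.
const SESSION = { formKey: 'fk-3c9b1e7a' };
const REQUESTS = [
  { name: 'legitimate form post',
    headers: { referer: 'https://example.test/account/settings' },
    form: { form_key: 'fk-3c9b1e7a', email: 'user@example.test' } },
  { name: 'forged post with a guessed key',
    headers: { referer: 'https://example.test/account/settings' },
    form: { form_key: 'fk-00000000', email: 'other@example.test' } },
  { name: 'cross-site post carrying the right key',
    headers: { referer: 'https://other.test/page.html' },
    form: { form_key: 'fk-3c9b1e7a', email: 'other@example.test' } },
  { name: 'post with no Referer and no key',
    headers: {},
    form: { email: 'other@example.test' } },
];

function evaluateRequests(requests = REQUESTS, session = SESSION) {
  return requests.map((r) => ({ name: r.name, reasons: checkStateChangingRequest(r, session) }));
}

console.log(JSON.stringify(evaluateRequests(), null, 2));
```

Only the first request passes; the other three each fail on a different check, which is the point of layering the two: a key that leaks still trips the Referer check, and a request from the right page still needs the key.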
Hacking the Intranet
• Malicious webpages use the victim's browser to make HTTP requests to protected intranet resources
  • Corporate directories, IP telephones, printers, routers
• Any firewall that blocks unwanted ports and services provides no protection here because HTTP is enabled everywhere
• Any web-enabled device can potentially be attacked by malicious content
  • Home routers have been attacked using this technique to tamper with DNS settings, etc.
  • Ask Jeremiah Grossman about what other types of evil you can cause using these techniques

4
Drawing the Boundary
• Why should websites on the Internet be able to initiate requests to resources in my intranet?
• Let's draw a line between “public” and “private” resources (RFC 1918 is a good start)
• Mozilla is developing a patch to prevent public resources from making requests to private resources (but allowing the reverse)

5
Easy, Tiger... Not So Fast
• Proxies complicate matters
  • There are many, usually corporate, environments that use HTTP proxies for their web surfing, e.g. WebSense
  • Even some home users configure their browser to use an internal web proxy
• How should we treat proxied content?
  • Mark all proxied content as “public”?
    – Protects intranet resources but breaks a lot of functionality
  • Place the proxy outside the NAT environment and use it for “public” resources only
    – Lots of work for the IT department: reconfigure network and DNS
  • Rely on proxies to mark resources as “public” and “private”?
    – Introduces an external dependency on other services to behave predictably
• Any Ideas? Really.
6
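The boundary rule from slide 5 and the proxy problem from slide 6, as an added example that is neither the slides' content nor the Mozilla patch the deck mentions: a classifier that puts RFC 1918 addresses in the “private” zone (loopback and link-local are added on the same side, an assumption beyond the slides, which call RFC 1918 “a good start”), the “public may not request private” decision, and a `proxied` flag that models the first proxy option by marking everything fetched through a proxy as public. Endpoints are given as already-resolved IPv4 addresses, and all sample addresses are constructed.

```javascript
// Added example, not from the slides or from the Mozilla patch slide 5
// refers to: a model of the "public may not request private" rule with the
// proxy question from slide 6 folded in. Sample addresses are constructed.

// Private ranges as [network, prefix length].
const PRIVATE_RANGES = [
  ['10.0.0.0', 8],       // RFC 1918
  ['172.16.0.0', 12],    // RFC 1918
  ['192.168.0.0', 16],   // RFC 1918
  ['127.0.0.0', 8],      // loopback (assumption: treated as private)
  ['169.254.0.0', 16],   // link-local (assumption: treated as private)
];

// Dotted-quad IPv4 string to an unsigned 32-bit number; throws on bad input
// rather than silently classifying garbage as "public".
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`not a dotted-quad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error(`bad octet "${p}" in ${ip}`);
    }
    return acc * 256 + Number(p);
  }, 0);
}

// True when ipInt falls inside network/prefix (prefix 0 matches everything).
function inRange(ipInt, network, prefix) {
  const mask = prefix === 0 ? 0 : ((0xffffffff << (32 - prefix)) >>> 0);
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// Zone of an endpoint. `proxied: true` means the browser fetched it through
// an HTTP proxy and never resolved the real address itself; under the first
// option on slide 6 such content is simply marked "public".
function classify(endpoint) {
  if (endpoint.proxied) return 'public';
  const n = ipv4ToInt(endpoint.ip);
  return PRIVATE_RANGES.some(([net, prefix]) => inRange(n, net, prefix)) ? 'private' : 'public';
}

// Slide 5's rule: block public -> private, allow everything else
// (private -> public, private -> private, public -> public).
function isRequestAllowed(origin, dest) {
  return !(classify(origin) === 'public' && classify(dest) === 'private');
}

// Constructed cases. The last one is the slide 6 breakage: an intranet portal
// fetched via the corporate proxy asks a printer by IP address (proxy
// bypassed), and the "proxied means public" rule blocks it.
const CASES = [
  { name: 'internet page -> home router',
    origin: { ip: '203.0.113.10' }, dest: { ip: '192.168.1.1' } },
  { name: 'intranet page -> internet',
    origin: { ip: '10.1.2.3' }, dest: { ip: '203.0.113.10' } },
  { name: 'intranet page -> intranet',
    origin: { ip: '10.1.2.3' }, dest: { ip: '172.20.0.5' } },
  { name: 'internet page -> internet',
    origin: { ip: '203.0.113.10' }, dest: { ip: '198.51.100.7' } },
  { name: 'proxied intranet page -> printer (direct)',
    origin: { ip: '10.1.2.3', proxied: true }, dest: { ip: '10.1.2.200' } },
];

function evaluateCases(cases = CASES) {
  return cases.map((c) => ({ name: c.name, allowed: isRequestAllowed(c.origin, c.dest) }));
}

console.log(JSON.stringify(evaluateCases(), null, 2));
```

The first four cases are the four zone combinations, with only the public-to-private one blocked. The last case is what “breaks a lot of functionality” looks like in practice: once proxied content is labelled public, a perfectly legitimate intranet page loses access to intranet devices it reaches directly, which is why the slide leaves the proxy question open.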
Ad

Recommended

Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Applying Security Controls on REST APIs
Applying Security Controls on REST APIsApplying Security Controls on REST APIs
Applying Security Controls on REST APIsErick Belluci Tedeschi
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 

More Related Content

What's hot

List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)Jeremiah Grossman
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
 Ghost in the Browser: Broad-Scale Espionage with Bitsquatting Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with BitsquattingBishop Fox
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invadersVladimír Smitka
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 

What's hot (20)

List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
 Ghost in the Browser: Broad-Scale Espionage with Bitsquatting Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
Ghost in the Browser: Broad-Scale Espionage with Bitsquatting
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
WordPress Security: Defend yourself against digital invaders
WordPress Security:Defend yourself against digital invadersWordPress Security:Defend yourself against digital invaders
WordPress Security: Defend yourself against digital invaders
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 

Viewers also liked

Security Awareness 9-10-09 v5 Web Browser
Security Awareness 9-10-09 v5 Web BrowserSecurity Awareness 9-10-09 v5 Web Browser
Security Awareness 9-10-09 v5 Web BrowserCatherine MacAllister
 
More Browser Basics, Tips & Tricks 2 Draft 17
More Browser Basics, Tips & Tricks 2 Draft 17More Browser Basics, Tips & Tricks 2 Draft 17
More Browser Basics, Tips & Tricks 2 Draft 17msz
 
Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17msz
 
Security-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksSecurity-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksRaghu Addanki
 
More Browser Basics, Tips & Tricks 3 Draft 8
More Browser Basics, Tips & Tricks 3 Draft 8More Browser Basics, Tips & Tricks 3 Draft 8
More Browser Basics, Tips & Tricks 3 Draft 8msz
 
IT103Microsoft Windows XP/OS Chap12
IT103Microsoft Windows XP/OS Chap12IT103Microsoft Windows XP/OS Chap12
IT103Microsoft Windows XP/OS Chap12blusmurfydot1
 
Social network privacy & security
Social network privacy & securitySocial network privacy & security
Social network privacy & securitynadikari123
 
The Dark Side of Social Media: Privacy Concerns
The Dark Side of Social Media: Privacy ConcernsThe Dark Side of Social Media: Privacy Concerns
The Dark Side of Social Media: Privacy ConcernsCorinne Weisgerber
 
Chapter 4 Using a Web Browser
Chapter 4 Using a Web BrowserChapter 4 Using a Web Browser
Chapter 4 Using a Web BrowserPatty Ramsey
 

Viewers also liked (13)

Internet
InternetInternet
Internet
 
Security Awareness 9-10-09 v5 Web Browser
Security Awareness 9-10-09 v5 Web BrowserSecurity Awareness 9-10-09 v5 Web Browser
Security Awareness 9-10-09 v5 Web Browser
 
More Browser Basics, Tips & Tricks 2 Draft 17
More Browser Basics, Tips & Tricks 2 Draft 17More Browser Basics, Tips & Tricks 2 Draft 17
More Browser Basics, Tips & Tricks 2 Draft 17
 
Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17
 
Security-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser AttacksSecurity-Web Vulnerabilities-Browser Attacks
Security-Web Vulnerabilities-Browser Attacks
 
More Browser Basics, Tips & Tricks 3 Draft 8
More Browser Basics, Tips & Tricks 3 Draft 8More Browser Basics, Tips & Tricks 3 Draft 8
More Browser Basics, Tips & Tricks 3 Draft 8
 
IT103Microsoft Windows XP/OS Chap12
IT103Microsoft Windows XP/OS Chap12IT103Microsoft Windows XP/OS Chap12
IT103Microsoft Windows XP/OS Chap12
 
3D Internet
3D Internet3D Internet
3D Internet
 
Social network privacy & security
Social network privacy & securitySocial network privacy & security
Social network privacy & security
 
The Dark Side of Social Media: Privacy Concerns
The Dark Side of Social Media: Privacy ConcernsThe Dark Side of Social Media: Privacy Concerns
The Dark Side of Social Media: Privacy Concerns
 
Chapter 4 Using a Web Browser
Chapter 4 Using a Web BrowserChapter 4 Using a Web Browser
Chapter 4 Using a Web Browser
 
Web Browsers
Web BrowsersWeb Browsers
Web Browsers
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar to Site Security Policy - Yahoo! Security Week

Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
Web browser and Security Threats
Web browser and Security ThreatsWeb browser and Security Threats
Web browser and Security ThreatsHTS Hosting
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS ApplicationPhilippe De Ryck
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfcyberhacker7
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Ivo Andreev
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Sajjad "JJ" Arshad
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 

Similar to Site Security Policy - Yahoo! Security Week (20)

Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
Web browser and Security Threats
Web browser and Security ThreatsWeb browser and Security Threats
Web browser and Security Threats
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS Application
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdf
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 

Recently uploaded

Research Showcase 2024 final presentation slides
Research Showcase 2024 final presentation slidesResearch Showcase 2024 final presentation slides
Research Showcase 2024 final presentation slidesenterpriseresearchcentre
 
EAPJ Vol VIII February 2024.pdf
EAPJ Vol VIII February 2024.pdfEAPJ Vol VIII February 2024.pdf
EAPJ Vol VIII February 2024.pdfDarryl_Carr
 
Pernod Ricard presentation at CAGNY 2024
Pernod Ricard presentation at CAGNY 2024Pernod Ricard presentation at CAGNY 2024
Pernod Ricard presentation at CAGNY 2024Neil Kimberley
 
SARomics Biostructures 2024 Company Presentation
SARomics Biostructures 2024 Company PresentationSARomics Biostructures 2024 Company Presentation
SARomics Biostructures 2024 Company PresentationSalam Al-Karadaghi
 
02.20 Webinar - Online Giving Trends.pdf
02.20 Webinar - Online Giving Trends.pdf02.20 Webinar - Online Giving Trends.pdf
02.20 Webinar - Online Giving Trends.pdfBloomerang
 
SlideEgg_300445-Apple Inc(1).pptx case study
SlideEgg_300445-Apple Inc(1).pptx case studySlideEgg_300445-Apple Inc(1).pptx case study
SlideEgg_300445-Apple Inc(1).pptx case studyindobanglatradeinter
 
Ch 11 Haunted Castle on Hallows Eve.pptx
Ch 11 Haunted Castle on Hallows Eve.pptxCh 11 Haunted Castle on Hallows Eve.pptx
Ch 11 Haunted Castle on Hallows Eve.pptxdeveloperarafat360
 
Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...
Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...
Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...Lviv Startup Club
 
Your Expert Guide to CX Orchestration & Enhancing Customer Journeys
Your Expert Guide to CX Orchestration & Enhancing Customer JourneysYour Expert Guide to CX Orchestration & Enhancing Customer Journeys
Your Expert Guide to CX Orchestration & Enhancing Customer JourneysAggregage
 
Questions to Answer to Prepare for Zero Budget Marketing .docx
Questions to Answer to Prepare for Zero Budget Marketing .docxQuestions to Answer to Prepare for Zero Budget Marketing .docx
Questions to Answer to Prepare for Zero Budget Marketing .docxPrecious Mvulane CA (SA),RA
 
Zero Budget Marketing Strategy with KPIs for a Cleaning Detergent Training ...
Zero Budget Marketing  Strategy with KPIs for a Cleaning Detergent  Training ...Zero Budget Marketing  Strategy with KPIs for a Cleaning Detergent  Training ...
Zero Budget Marketing Strategy with KPIs for a Cleaning Detergent Training ...Precious Mvulane CA (SA),RA
 
The Coca-Cola Company Presentation at CAGNY 2024.pdf
The Coca-Cola Company Presentation at  CAGNY 2024.pdfThe Coca-Cola Company Presentation at  CAGNY 2024.pdf
The Coca-Cola Company Presentation at CAGNY 2024.pdfNeil Kimberley
 
5 Common Writing Mistakes Infographic.pdf
5 Common Writing Mistakes Infographic.pdf5 Common Writing Mistakes Infographic.pdf
5 Common Writing Mistakes Infographic.pdfRemar Barquilla
 
Presentation_bagus tentang glaucoma gitu.pptx
Presentation_bagus tentang glaucoma gitu.pptxPresentation_bagus tentang glaucoma gitu.pptx
Presentation_bagus tentang glaucoma gitu.pptxkamismisteri
 
PUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdf
PUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdfPUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdf
PUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdfUniversity of Exeter MA Publishing
 
Grevault battery storage system manufacturer
Grevault battery storage system manufacturerGrevault battery storage system manufacturer
Grevault battery storage system manufacturerGrevault
 
D2 meeting agenda 02.12.24.hehehheeebebepdf
D2 meeting agenda 02.12.24.hehehheeebebepdfD2 meeting agenda 02.12.24.hehehheeebebepdf
D2 meeting agenda 02.12.24.hehehheeebebepdfsundaysantos13
 
Actionable Fundraising Planning - Slide Presentation.pptx.pdf
Actionable Fundraising Planning - Slide Presentation.pptx.pdfActionable Fundraising Planning - Slide Presentation.pptx.pdf
Actionable Fundraising Planning - Slide Presentation.pptx.pdfBloomerang
 

Recently uploaded (20)

Research Showcase 2024 final presentation slides
Research Showcase 2024 final presentation slidesResearch Showcase 2024 final presentation slides
Research Showcase 2024 final presentation slides
 
EAPJ Vol VIII February 2024.pdf
EAPJ Vol VIII February 2024.pdfEAPJ Vol VIII February 2024.pdf
EAPJ Vol VIII February 2024.pdf
 
Stand Out on the Road with a Creative Box Truck Wrap
Stand Out on the Road with a Creative Box Truck WrapStand Out on the Road with a Creative Box Truck Wrap
Stand Out on the Road with a Creative Box Truck Wrap
 
Pernod Ricard presentation at CAGNY 2024
Pernod Ricard presentation at CAGNY 2024Pernod Ricard presentation at CAGNY 2024
Pernod Ricard presentation at CAGNY 2024
 
SARomics Biostructures 2024 Company Presentation
SARomics Biostructures 2024 Company PresentationSARomics Biostructures 2024 Company Presentation
SARomics Biostructures 2024 Company Presentation
 
02.20 Webinar - Online Giving Trends.pdf
02.20 Webinar - Online Giving Trends.pdf02.20 Webinar - Online Giving Trends.pdf
02.20 Webinar - Online Giving Trends.pdf
 
SlideEgg_300445-Apple Inc(1).pptx case study
SlideEgg_300445-Apple Inc(1).pptx case studySlideEgg_300445-Apple Inc(1).pptx case study
SlideEgg_300445-Apple Inc(1).pptx case study
 
Ch 11 Haunted Castle on Hallows Eve.pptx
Ch 11 Haunted Castle on Hallows Eve.pptxCh 11 Haunted Castle on Hallows Eve.pptx
Ch 11 Haunted Castle on Hallows Eve.pptx
 
Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...
Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...
Ivan Verkalets: The Relevance of ISO 9001 & 27001 for Outsourcing Excellence ...
 
Your Expert Guide to CX Orchestration & Enhancing Customer Journeys
Your Expert Guide to CX Orchestration & Enhancing Customer JourneysYour Expert Guide to CX Orchestration & Enhancing Customer Journeys
Your Expert Guide to CX Orchestration & Enhancing Customer Journeys
 
Questions to Answer to Prepare for Zero Budget Marketing .docx
Questions to Answer to Prepare for Zero Budget Marketing .docxQuestions to Answer to Prepare for Zero Budget Marketing .docx
Questions to Answer to Prepare for Zero Budget Marketing .docx
 
Zero Budget Marketing Strategy with KPIs for a Cleaning Detergent Training ...
Zero Budget Marketing  Strategy with KPIs for a Cleaning Detergent  Training ...Zero Budget Marketing  Strategy with KPIs for a Cleaning Detergent  Training ...
Zero Budget Marketing Strategy with KPIs for a Cleaning Detergent Training ...
 
The Coca-Cola Company Presentation at CAGNY 2024.pdf
The Coca-Cola Company Presentation at  CAGNY 2024.pdfThe Coca-Cola Company Presentation at  CAGNY 2024.pdf
The Coca-Cola Company Presentation at CAGNY 2024.pdf
 
5 Common Writing Mistakes Infographic.pdf
5 Common Writing Mistakes Infographic.pdf5 Common Writing Mistakes Infographic.pdf
5 Common Writing Mistakes Infographic.pdf
 
Presentation_bagus tentang glaucoma gitu.pptx
Presentation_bagus tentang glaucoma gitu.pptxPresentation_bagus tentang glaucoma gitu.pptx
Presentation_bagus tentang glaucoma gitu.pptx
 
PUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdf
PUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdfPUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdf
PUBLISHING AND LITERARY NETWORKS IN THE SOUTH WEST_EBOOK_WCOVER.pdf
 
Digital Transformation & Improvement Pocketbook
Digital Transformation & Improvement PocketbookDigital Transformation & Improvement Pocketbook
Digital Transformation & Improvement Pocketbook
 
Grevault battery storage system manufacturer
Grevault battery storage system manufacturerGrevault battery storage system manufacturer
Grevault battery storage system manufacturer
 
D2 meeting agenda 02.12.24.hehehheeebebepdf
D2 meeting agenda 02.12.24.hehehheeebebepdfD2 meeting agenda 02.12.24.hehehheeebebepdf
D2 meeting agenda 02.12.24.hehehheeebebepdf
 
Actionable Fundraising Planning - Slide Presentation.pptx.pdf
Actionable Fundraising Planning - Slide Presentation.pptx.pdfActionable Fundraising Planning - Slide Presentation.pptx.pdf
Actionable Fundraising Planning - Slide Presentation.pptx.pdf
 

Site Security Policy - Yahoo! Security Week

Easy, Tiger... Not So Fast
• Proxies complicate matters
    •   There are many, usually corporate, environments that use HTTP
        proxies for their web surfing, e.g. WebSense
    •   Even some home users configure their browser to use an internal
        web proxy

• How should we treat proxied content?
    •   Mark all proxied content as “public”?
        –   Protects intranet resources but breaks a lot of functionality
    •   Place proxy outside NAT environment and use it for “public”
        resources only
        –   Lots of work for IT department: reconfigure network and DNS
    •   Rely on proxies to mark resources as “public” and “private”?
        –   Introduces external dependency on other services to behave
            predictably

• Any Ideas? Really.


6
Site Security Policy
• Background
    •   Last 3 years: dramatic increase in both awareness [1][2] and
        exploitation [3] of Web Application Vulnerabilities
    •   2007: dozens of high profile attacks [4] against websites using
        Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
    •   Many sites have programs in place to find and remediate the
        vulnerabilities
    •   Sheer size and complexity of websites make complete remediation
        of the security holes implausible

[1] http://weblog.infoworld.com/zeroday/archives/2007/10/study_90_percen.html
[2] http://weblog.infoworld.com/zeroday/archives/2007/11/report_90_perce.html
[3] http://www.webappsec.org/projects/whid/statistics.shtml
[4] http://www.webappsec.org/projects/whid/byyear_year_2007.shtml


7
Again, browsers can do more...
• Protect users from vulnerable sites

• Protect sites from receiving forged requests

• Enable websites to define security policies that the browser
  enforces
    •   Restrict the capabilities of web content which makes these
        attacks possible in the first place

• Not a silver bullet... only an additional layer of security


8
Review: Cross-Site Scripting (XSS)
• Many good XSS references available [5][6][7]

• Exploits the client's trust of the server

• 3 Types of XSS
    •   Stored (Persistent)
    •   Reflected
    •   DOM-based

• Cookie stealing, website defacement, XSS worms...

[5] http://www.cgisecurity.com/articles/xss-faq.shtml
[6] http://www.owasp.org/index.php/Cross_Site_Scripting
[7] http://ha.ckers.org/xss.html


9
XSS and Site Security Policy
• Provides a way for server administrators to reduce or eliminate
  XSS attack surface

• Administrators specify which domains are valid sources of script

• Browser only executes script in source files from white-listed
  domains


10
XSS and Site Security Policy
• Script-Source Instructions
    •   Indicate a (potentially empty) set of domains that should be
        treated as valid sources of JavaScript
    •   Any script embedded within the page and any script from
        non-white-listed hosts will not be executed
    •   Consequence: authors must place event handling code in external
        script files

• Syntax (open to debate)
    •   Instructions contain one or more pairs of the form
        (“allow or deny”, “host item”)
    •   Script-Source: allow *.example.com; deny public.example.com


11
Impact on XSS
• Dramatically changes the difficulty of mounting a successful XSS
  attack
    •   Attacker needs to control the contents of white-listed
        JavaScript source files
    •   Attacks using inline JavaScript are no longer effective

• In some cases, XSS risk can be fully mitigated
    •   Sites can choose to globally disallow JavaScript


12
Review: Cross-Site Request Forgery (CSRF)
• Many good CSRF references [8][9][10]

• Exploits a server's trust of the requests it receives from clients

• Attackers craft web content that creates bogus requests on behalf
  of the victim

• Extremely widespread

• Non-trivial solution
    •   Best practice: create a CSRF-protection framework in your
        application, use it globally

[8] http://www.owasp.org/index.php/Cross-Site_Request_Forgery
[9] http://www.cgisecurity.com/articles/csrf-faq.shtml
[10] http://shiflett.org/articles/cross-site-request-forgeries


13
CSRF and Site Security Policy
• Provides controls for admins to define how websites handle
  cross-site requests

• Ingress Filtering
    •   Explicitly define which domains can initiate cross-site requests
        to resources in the site

• Egress Filtering
    •   Define domains to which content in their site can initiate
        requests
    •   “Good net citizen”


14
CSRF and Site Security Policy
• Ingress Filtering: Request-Source Instructions
    •   Indicate a (potentially empty) set of domains whose content
        should be allowed to request the resource
    •   Supporting User-Agents will make a preemptive policy check
        before sending content-initiated cross-site requests
    •   CSRF prevention is primarily the responsibility of the
        receiving server (precedence over Request-Target)
    •   Similar to the Access-Control model [11]
    •   Requests made via non-safe HTTP methods will be blocked if they
        violate security policy

[11] http://www.w3.org/TR/access-control/


15
CSRF and Site Security Policy
• Syntax (open to debate)
    •   Policy query
        –   HEAD request from the UA to the cross-site resource
        –   Contains HTTP header Policy-Query
    •   Policy response: Request-Source
        –   Instructions consist of one or more triplets of the form
            (“allow or deny”, “host item”, “list of HTTP methods”)
            plus optional “expires” value for policy caching
        –   Request-Source: deny * post; allow * get; expires 60
        –   Request-Source: allow *.example.com post,get;
            deny public.example.com *; expires 3600


16
CSRF and Site Security Policy
• Egress Filtering: Request-Target Instructions
    •   Indicate a (potentially empty) set of hosts to which the page's
        content can make cross-site requests

• Stops outbound communication by page content
    •   Prevents data from being exfiltrated from the site
    •   Prevents additional non-intended resources from being included
        in the page

• Restricts a website from being used as a platform to attack other
  websites via CSRF
    •   May be useful for sites that permit users to post HTML and
        JavaScript in publicly accessible areas


17
CSRF and Site Security Policy
• Request-Target Syntax (open to debate)
    •   Contains one or more triplets of the form
        (“allow or deny”, “host item”, “list of HTTP methods”)
    •   Request-Target: allow *.example.com *, deny public.example.com post


18
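The Script-Source pair syntax (slide 11) and the Request-Source / Request-Target triplet syntax with its optional expires value (slides 16 and 18) share one evaluation model, shown here as an added example of what a supporting user-agent would do; this is not code from the slides or from Mozilla. Since the syntax is "open to debate", the following are my assumptions: instructions are separated by ";" (the "," form on slide 18 is accepted as well), "*.example.com" matches hosts below example.com only, a matching deny overrides any allow, and a host matching nothing is denied (so an empty set allows nothing).

```javascript
// Added example (not from the original deck): user-agent-side evaluator for
// the proposed Script-Source, Request-Source and Request-Target instructions.
// Assumptions (mine): ";" separates instructions ("," accepted too);
// "*.example.com" matches subdomains only; deny overrides allow; default deny.

// Parse one header value into rules plus an optional cache lifetime (seconds).
function parsePolicy(value) {
  const policy = { rules: [], expires: null };
  // Split only where the next instruction keyword follows, so that method
  // lists such as "post,get" are not broken apart.
  for (const chunk of value.split(/[;,]\s*(?=(?:allow|deny|expires)\b)/i)) {
    const parts = chunk.trim().replace(/;$/, '').split(/\s+/);
    const keyword = parts[0].toLowerCase();
    if (keyword === 'expires') {
      policy.expires = parseInt(parts[1], 10);
    } else if ((keyword === 'allow' || keyword === 'deny') && parts[1]) {
      // Third token is the method list of a Request-* triplet; Script-Source
      // pairs have none, which is treated as "*" (rule applies to any method).
      const methods = (parts[2] || '*').toLowerCase().split(',');
      policy.rules.push({ action: keyword, host: parts[1].toLowerCase(), methods });
    }
  }
  return policy;
}

// "*" matches every host; "*.example.com" matches any host below example.com.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Is a script from `host` (null = inline script, never allowed per slide 11)
// or a cross-site request involving `host` with `method` permitted?
function isAllowed(policy, host, method = 'get') {
  if (host === null) return false;
  const h = host.toLowerCase(), m = method.toLowerCase();
  const hits = policy.rules.filter(r =>
    hostMatches(r.host, h) && (r.methods.includes('*') || r.methods.includes(m)));
  if (hits.some(r => r.action === 'deny')) return false; // deny takes precedence
  return hits.some(r => r.action === 'allow');             // otherwise need an allow
}

// The deck's own sample headers, parsed once (constructed calls).
const scriptSrc = parsePolicy('allow *.example.com; deny public.example.com');
const reqSrc = parsePolicy('deny * post; allow * get; expires 60');
const reqTarget = parsePolicy('allow *.example.com *, deny public.example.com post');
```

With these policies, a script from cdn.example.com runs while one from public.example.com or inline script does not, and a cross-site POST to a resource served with the first Request-Source line is blocked while a GET goes through.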
Impact on CSRF
• Simple way for a website to prevent CSRF against its sensitive
  resources

• Adds layer of security to an application's CSRF protection
  mechanisms
    •   CSRF protection complicated to implement and difficult to
        integrate into existing web applications
    •   Even properly implemented CSRF-protection systems will not
        stand up when XSS is present

• Fully control how content inside and outside a website interacts


19
Who Is Breaking Our Rules?
• Site Security Policy can tell us when policies are “violated”

• Report-URI instruction tells the browser where to send reports when
  something is blocked
    •   A POST to the specified URI containing the full HTTP request
        which led to the policy violation
    •   Possible Syntax: Report-URI: http://www.example.com/policy.cgi

• Who is attacking us with XSS or CSRF?

• Which of our pages are misconfigured?


20
Backward Compatibility
• Fully backward compatible
    •   Will not affect sites or browsers which do not support Site
        Security Policy
    •   User-Agents can disregard policy definition headers and fall
        back to Same-Origin policy
    •   In the absence of policy headers, supporting UAs will fall back
        to Same-Origin

• Admins can define Site Security Policy without fear of web
  compatibility problems


21
Conclusions
• Computer Security best achieved through a variety of overlapping
  controls
    •   Site Security Policy aims to be one part of a larger
        defense-in-depth strategy
    •   “Belt-and-braces...” -Gerv [12]

• Mitigate broad classes of vulnerabilities (for supporting UAs) by
  defining a few simple rules

• Admins should maintain normal security auditing and remediation
  process

[12] http://www.gerv.net/security/content-restrictions/


22