Mitigate Maliciousness -- jQuery Europe 2013
jQuery has made it possible for developers to move more and more complex application logic down from the server to the client. This is a huge opportunity for JavaScript developers, and at the same time presents a tempting target for folks with malicious intent. It's more critical than ever to ensure that we're doing the right things with regard to security, and happily, modern browsers are here to help. Here, we'll talk about some of the new ways in which you can mitigate the effects of cross-site scripting and other attacks.
1. Mitigate Maliciousness. Mike West, https://mikewest.org/, G+: https://mkw.st/+, Twitter: @mikewest
2. Two scripts, one page:
   <script>
     doAstoundinglyAwesomeThing();
   </script>
   <script>
     sneakilyExfiltrateUserData();
   </script>
3. XSS is scary.
4. scheme://host:port
5. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
6. Untrusted data lands in many contexts (CSS, text, attribute, script, comment):
   <style>
     p { color: {{USER_COLOR}}; }
   </style>
   <p>
     Hello {{USER_NAME}}, view your
     <a href="{{USER_URL}}">Account</a>.
   </p>
   <script>
     var id = {{USER_ID}};
   </script>
   <!-- DEBUG: {{INFO}} -->
7. A long obfuscated JavaScript expression built only from the characters [, ], (, ), ! and + (the encoded blob is omitted here).
8. alert(1): the same obfuscated expression, revealed as a plain alert(1) call.
9. “I discount the probability of perfection.” - Alex Russell
10. Not “if”, but “when”.
11. Before all else, send data securely
12. Redirect plain HTTP to HTTPS:
   $ curl -I http://mkw.st/
   HTTP/1.1 301 Moved Permanently
   Server: nginx/1.3.7
   Date: Sun, 11 Nov 2012 19:36:15 GMT
   Content-Type: text/html
   Content-Length: 184
   Connection: keep-alive
   Keep-Alive: timeout=20
   Location: https://mkw.st/
13. Set-Cookie: ...; secure; HttpOnly
14. Strict-Transport-Security: max-age=2592000; includeSubDomains
15. Public-Key-Pins: max-age=2592000;
     pin-sha1="4n972H…60yw4uqe/baXc=";
     pin-sha1="IvGeLsbqzP…j2xVTdXgc="
   http://tools.ietf.org/html/draft-ietf-websec-key-pinning
16. http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
17. Limit the browser’s capabilities. “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” Jerome H. Saltzer, "Protection and the control of information sharing in Multics"
18. http://traumwerk.stanford.edu/philolog/2009/10/homers_odyssey_in_art_sirens_f.html
19. http://w3.org/TR/CSP11
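As an added example (not from the slides), a small Node.js check that audits a response for what slides 12 to 14 ask for: plain-HTTP requests redirected to https://, a Strict-Transport-Security header with a positive max-age and includeSubDomains, and every Set-Cookie carrying Secure and HttpOnly. The response object shape ({ url, status, headers }) is assumed for this example.

```javascript
// Added example: audit one HTTP response for the transport settings the
// slides recommend. `response` is a constructed shape for this example:
// { url, status, headers } where header values are strings or string arrays.
function auditTransport(response) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(response.headers)) h[k.toLowerCase()] = v;

  if (!response.url.startsWith('https://')) {
    // A plain-HTTP request must be answered with a redirect to https://
    const loc = h['location'] || '';
    const redirected = (response.status === 301 || response.status === 302) &&
                       loc.startsWith('https://');
    if (!redirected) findings.push('http request not redirected to https');
    return findings; // the remaining checks only apply to the HTTPS response
  }

  // HSTS: present, positive max-age, covering subdomains (slide 14)
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) <= 0) findings.push('HSTS max-age missing or zero');
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  // Cookies: every Set-Cookie needs Secure and HttpOnly (slide 13)
  const cookies = [].concat(h['set-cookie'] || []);
  for (const c of cookies) {
    const name = c.split('=')[0].trim();
    if (!/;\s*secure(;|$)/i.test(c)) findings.push(`cookie ${name} lacks Secure`);
    if (!/;\s*httponly(;|$)/i.test(c)) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  return findings;
}
```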
20. The policy served by mikewest.org (keyword sources such as 'none' and 'self' must be quoted, otherwise they are read as host names):
   Content-Security-Policy:
     default-src 'none';
     style-src https://mikewestdotorg.hasacdn.net;
     frame-src https://www.youtube.com http://www.slideshare.net;
     script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com;
     img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:;
     font-src https://mikewestdotorg.hasacdn.net
21. The full set of directives:
   Content-Security-Policy:
     default-src ...;
     script-src ...;
     object-src ...;
     style-src ...;
     img-src ...;
     media-src ...;
     frame-src ...;
     font-src ...;
     connect-src ...;
     sandbox ...;
     report-uri https://example.com/reporter.cgi
22. Inline script, inline event handlers and javascript: URLs are all blocked under CSP:
   <script>
     function handleClick() { ... }
   </script>
   <button onclick="handleClick()">Click me!</button>
   <a href="javascript:handleClick()">Click me!</a>
23. The same behaviour, moved into an external script and attached with addEventListener:
   <!-- index.html -->
   <script src="clickHandler.js"></script>
   <button class="clickable">Click me!</button>
   <a href="#" class="clickable">Click me!</a>

   <!-- clickHandler.js -->
   function handleClick() { ... }
   document.addEventListener('DOMContentLoaded', function() {
     // querySelectorAll returns a NodeList: index it rather than for...in
     var elements = document.querySelectorAll('.clickable');
     for (var i = 0; i < elements.length; i++)
       elements[i].addEventListener('click', handleClick);
   });
24. Report-only mode: violations are reported but not enforced, and each report is a JSON document like the one shown:
   Content-Security-Policy-Report-Only:
     default-src https:;
     report-uri https://example.com/csp-violations

   {
     "csp-report": {
       "document-uri": "http://example.org/page.html",
       "referrer": "http://evil.example.com/haxor.html",
       "blocked-uri": "http://evil.example.com/image.png",
       "violated-directive": "default-src 'self'",
       "original-policy": "...",
       "line-number": "10"
     }
   }
25. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
26. Remember two things: HTTPS: http://goo.gl/Pw6wU, CSP: http://goo.gl/QcuaK. Questions? mkwst@google.com, mkw.st/+, @mikewest
27. Even fewer privileges!
28. A bare sandbox attribute removes everything:
   <iframe src="page.html" sandbox></iframe>
   <!--
     * Unique origin
     * No plugins.
     * No script.
     * No form submissions.
     * No top-level navigation.
     * No popups.
     * No autoplay.
     * No pointer lock.
     * No seamless iframes.
   -->
29. Capabilities are then added back one flag at a time:
   <iframe src="page.html"
           sandbox="allow-forms allow-pointer-lock allow-popups
                    allow-same-origin allow-scripts allow-top-navigation"></iframe>
   <!--
     * No plugins.
     * No seamless iframes.
   -->
30. User-generated content? (in The Near Future™)
   <iframe seamless srcdoc="<p>This is a comment!</p>" sandbox></iframe>
31. http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
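An added example, not from the slides, that parses a Content-Security-Policy header like the one on slide 20 into its directives, decides whether a given fetch would be allowed under it, and applies that to a violation report like the one on slide 24 to see whether a candidate policy would still block the reported load. It assumes a simplified source matcher: host sources match by exact origin, 'self' matches the document's origin, and scheme-only sources ("https:", "data:") match by scheme; wildcards, path matching, nonces and hashes are out of scope.

```javascript
// Added example: minimal CSP parser and source matcher (simplified; see lead-in).

// "default-src 'none'; img-src 'self' data:" -> { 'default-src': ["'none'"], ... }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function origin(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.host;
}

// Does one source expression permit loading `url` from a document at `documentUrl`?
function sourceMatches(source, url, documentUrl) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin(url) === origin(documentUrl);
  if (source.endsWith(':')) return new URL(url).protocol === source; // https:, data:
  return origin(url) === source; // host source, exact origin match (assumption)
}

// Falls back to default-src when the specific directive is absent.
function isAllowed(policy, directive, url, documentUrl) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true; // neither directive nor default-src: unrestricted
  return sources.some(s => sourceMatches(s, url, documentUrl));
}

// Triage a csp-report against a candidate policy: which directive governs the
// load, and would the candidate still block it?
function triageReport(candidateHeader, report) {
  const r = report['csp-report'];
  const directive = r['violated-directive'].split(/\s+/)[0];
  const policy = parseCsp(candidateHeader);
  return { directive,
           allowed: isAllowed(policy, directive, r['blocked-uri'], r['document-uri']) };
}
```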