WebAppSec
Updates from W3C
Natasha Rooney
@thisNatasha
GSMA Web Technologist
W3C WebMob Co-Chair
www.w3.org/Mobile/IG/
Web features are getting more powerful.
Developers: how can we help developers make
better choices or protect their apps?
Users: how can we help protect users?
What’s happening?
- Service Workers
- WebRTC
- Geolocation
- Permissions
WebAppSec Working Group
"…[T]he mission of the Web Application Security Working Group is to develop technical and policy mechanisms to improve the security of and enable secure cross-site communications for applications on the Web."
Mailing List public-webappsec@w3.org
Website www.w3.org/2011/webappsec/
WebAppSec: Goals
[1] Attack Surface Reduction: allow applications to restrict or forbid dangerous features
[2] Secure Mashups: mechanisms for secure resource sharing and messaging across origins
[3] Manageability: uniform policy control points from which to manage these risks
[4] Develop a policy mechanism: standardized means for security policy declaration
WebAppSec: Work
2015 Charter
Content Security Policy (CSP) Lvl 2, Lvl X
User Interface Security Directives for CSP
Mixed Content (MIX)
Subresource Integrity
Referrer Policy
Credential Management API
Suborigin Namespaces
Confinement with Origin Web Labels
Entry Point Regulation for Web Apps
Permissions API
Let’s go through
some work!
Clear Site Data
COWL
Credential Management
Other Updates
Clear Site Data
W3C First Public Working Draft
Draft: https://w3c.github.io/webappsec-clear-site-data/
Charter: 2015
"Instruct a user agent to clear a site's locally stored data related to a host."
- Web applications store data on the user's machine (cookies, local storage, the HTTP cache).
- That data is sensitive and valuable, and today a site has no reliable way to make sure it is gone after, say, logout.
- Some of it can be removed from JavaScript, some cannot:
  Cookies: OK (document.cookie)
  HttpOnly cookies: Not OK (hidden from script by design)
  Cache: Not OK
Clear Site Data: Examples
A user signs out of "Super Secret Social Network" via a CSRF-protected POST.
The site author wishes to ensure that locally stored data is removed, not just the session cookie.
Response HTTP header on https://supersecretsocialnetwork.example.com/logout:
    // Signing out / kill switch: clear everything the user agent holds for this origin
    Clear-Site-Data: *
    // Keep cookies (e.g. a "remember this device" cookie), clear the rest
    Clear-Site-Data: storage; executionContexts; cache
Note: the ";"-separated tokens are the syntax of this 2015 draft. The published specification uses quoted, comma-separated tokens instead, for example Clear-Site-Data: "cache", "storage", "executionContexts", and Clear-Site-Data: "*" for the kill switch.
Clear Site Data: Example 2
Target a specific app subdomain by including a request to that subdomain as part of the logout landing page:
- The request's CORS preflight returns the proper CORS headers
- The actual response returns the header: Clear-Site-Data: *
- The header acts on the origin of the response it arrives in, which is why each subdomain that stores data needs its own request; the "CSRF" header name below is the slide's placeholder, not a standard header.

    fetch("https://minus.megacorp.example.com/clear-site-data", {
      method: "POST",
      mode: "cors",
      headers: new Headers({
        "CSRF": "[insert sekrit token here]"
      })
    });
Confinement with Origin Web Labels (COWL)
W3C Working Draft
Draft: https://w3c.github.io/webappsec-cowl/
Charter: 2015
“Specifying privacy and integrity policies on data, in
the form of origin labels, and a mechanism for
confining code according to such policies.”
- Third-party scripts and iframes put the user's data confidentiality and integrity at risk.
- CORS and CSP can help: they control which origins a page may load from or talk to.
- But they say nothing about what happens to the data once it has been shared: a script that is allowed to receive it can still send it anywhere.
COWL:
- The developer states that a password is confidential to https://example.com.
- It can then be shared with (e.g.) a third-party password checker.
- The third-party password checker is confined and must respect the policy on the password: COWL disallows it from disclosing the password to any origin other than https://example.com.
- Confines code at the browsing-context level (iframes, workers), not per function.
- Developers set restrictions on shared data by labelling it.
- Labelled data cannot flow to origins outside those named in its label.
- Apps can be compartmentalised, with each compartment given only the privileges it needs.
COWL: Example
Confining untrusted third-party services
- https://example.com wishes to use the untrusted https://passwordcheck.com
- https://example.com uses COWL to add a confidentiality policy (a label) to the password before sending it to https://passwordcheck.com

    // Create a new policy using Labels, stating that the password is sensitive
    // to https://example.com and may only be disclosed to this origin:
    var policy = new Label(window.location.origin);
    // Associate the label with the password:
    var labeledPassword = new LabeledObject(password, { confidentiality: policy });
    // Send the labeled password to the checker iframe. The postMessage target
    // origin is the checker's origin from the scenario above:
    checker.postMessage(labeledPassword, "https://passwordcheck.com");
    // Register a listener to receive the checker's response, etc.
1. https://passwordcheck.com checks the password.
2. COWL limits the iframe to communicating with origins that preserve the password's confidentiality (https://example.com).
3. This policy is enforced mandatorily by the browser, not by the checker's good behaviour.
4. https://passwordcheck.com cannot send the password elsewhere.
Note: https://passwordcheck.com can communicate with other origins before inspecting the password; it is reading the labeled data that raises the iframe's label and confines it from then on.
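As an added example that is not part of the deck or of the COWL specification, here is a small JavaScript model of the confinement rule the two slides above describe. It simplifies COWL's labels to a plain set of origins (the spec also allows disjunctions), uses a hypothetical `send`/`read` pair in place of postMessage and LabeledObject unwrapping, and runs a constructed scenario with https://example.com, https://passwordcheck.com and a third origin. The point it shows is the one in the note above: the checker can talk to anyone until it reads the password, and only to https://example.com afterwards.

```javascript
// Added example: a toy model of COWL confinement, not the spec's API.
// A confidentiality label is a set of origins that must all be trusted by a
// recipient; a context carries a label (what it has read so far) and a set of
// privileges (origins it may speak for). Data labeled L may flow to context C
// only if every origin in L is in C's label or among C's privileges.
class Label {
  constructor(...origins) { this.origins = new Set(origins); }
  join(other) { return new Label(...this.origins, ...other.origins); }
}

class Context {
  constructor(origin) {
    this.origin = origin;
    this.label = new Label();            // rises as the context reads labeled data
    this.privileges = new Set([origin]); // a context may speak for its own origin
    this.inbox = [];
  }
}

function canFlowTo(label, ctx) {
  for (const o of label.origins) {
    if (!ctx.label.origins.has(o) && !ctx.privileges.has(o)) return false;
  }
  return true;
}

// Like postMessage under COWL: refused if the sender's current label may not
// flow to the receiver. The payload's own label travels with it, still unread.
function send(from, to, value, label = new Label()) {
  if (!canFlowTo(from.label, to)) return false;
  to.inbox.push({ value, label: from.label.join(label) });
  return true;
}

// Unwrapping a labeled message raises the reader's label (taint); that raised
// label is what confines the reader's later sends.
function read(ctx, msg) {
  ctx.label = ctx.label.join(msg.label);
  return msg.value;
}

// Constructed scenario mirroring the slides.
function scenario() {
  const example = new Context("https://example.com");
  const checker = new Context("https://passwordcheck.com");
  const other = new Context("https://other.example");   // hypothetical third origin
  const policy = new Label("https://example.com");
  const log = {};
  log.beforeRead = send(checker, other, "hello");       // unconfined so far
  send(example, checker, "hunter2", policy);            // labeled password arrives
  const pw = read(checker, checker.inbox[0]);           // checker is now tainted
  log.leak = send(checker, other, pw);                  // blocked by confinement
  log.reply = send(checker, example, "weak password"); // allowed: example.com holds the privilege
  return log;
}
```

Run `scenario()` and the three booleans come back true, false, true: the only thing that changed between the first and second send to `other` is that the checker read the labeled password.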
COWL: Examples
Sharing data with mashups / privilege separation
- https://example.com wishes to allow https://mashup.com access to data.
- The server operator can set a COWL response header alongside the CORS one:
  1. https://mashup.com can access the data through CORS
  2. the COWL header says the data can only be shared with https://example.com
- Give different privileges to different users:
  1. Content of user1 does not interfere with any other user.
  2. Content of user1 cannot leak anywhere else.

    Access-Control-Allow-Origin: https://mashup.com
    Sec-COWL: data-confidentiality [ ["https://example.com"] ]
    Sec-COWL: ctx-privilege [ ['self', 'cowl://user1'] ]
Credential Management
W3C Working Draft
Draft: http://w3c.github.io/webappsec-credential-management/
Charter: 2015
"[R]equest a user's credentials from a user agent, and to help the user agent correctly store user credentials for future use"
- Browser password managers autofill credentials by recognising HTML login forms.
- That breaks for some use cases, e.g. credentials submitted through XHR or fetch rather than a form: nothing is offered and nothing is saved.
- The Credential Management API gives the site an explicit way to ask for, and store, credentials.
Credential Management:
Password-based Sign-in
    // Note: this is the 2015 draft API. Later revisions of the spec changed how
    // a PasswordCredential is submitted (toFormData() was dropped), so check
    // the current draft before copying this.
    navigator.credentials.get({ "password": true }).then(function (credential) {
      if (!credential) {
        // The user either doesn't have credentials for this site, or refused to
        // share them. Show a basic login form here (or, ideally, do nothing, since
        // this API should be progressive enhancement on top of an existing form).
        return;
      }
      if (credential.type == "password") {
        fetch("https://example.com/loginEndpoint", {
          body: credential.toFormData(),
          method: "POST"
        }).then(function (response) {
          // Notify the user that sign-in succeeded! Do amazing, signed-in things!
        });
      } else {
        // See the spec for the federated sign-in example.
      }
    });
WebAppSec: Other Updates
Spec Updates
- Candidate Recommendation: Subresource Integrity
- Candidate Recommendation: Mixed Content
- Password generation in Credential Management
- Published: COWL
- Referrer Policy delivered as its own header rather than only as a CSP directive
- Mixed Content and DASH
- Permissions API Working Draft
- HSTS, mixed content, and priming: fetch resources over HTTPS even when the URL says "http:"
Group Management Updates
- Specs now on Github
- Berlin Face-to-Face
WebAppSec: At TPAC
TPAC 2015 29-30 October
- Credential Management
- Content Security Policy
- Referrer Policy
- Joint session with Web Payments WG on secure API design
- COWL
- CSP Embedded Enforcement
Agenda Link
ありがとう! (Thank you!)
Natasha Rooney
@thisNatasha
GSMA Web Technologist
W3C WebMob Co-Chair
www.w3.org/Mobile/IG/
Thanks to Brad Hill (Chair) &
Mike West (editor)
from the WebAppSec WG!
Unused Slides Past this Point!
Clear Site Data: General Syntax

    Clear-Site-Data = 1#option
    option = parameter *( OWS ";" [ OWS parameter ] )
    parameter = key [ BWS "=" value ]
    key = token
    value = token / quoted-string

    // Parameters (keys): cache, cookies, storage, executionContexts, *
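As an added example (not code from the deck or from the W3C specification), the following JavaScript models how a user agent might parse the header under the grammar above and act on it for the two logout responses shown earlier in the deck. The per-origin store, the response URLs and the function names are constructed for illustration. The parser accepts both the draft's ";"-separated tokens and the published spec's quoted, comma-separated tokens, and unknown keys are ignored as the draft requires.

```javascript
// Added example: a model of user-agent handling of Clear-Site-Data.
// Not the spec's algorithm; the store below is a stand-in for browser state.
const CLEAR_TYPES = ["cache", "cookies", "storage", "executionContexts"];

// Parse a header value into the set of data types to clear.
// "*" expands to every type; unknown keys are ignored.
// Handles "storage; executionContexts; cache" (2015 draft) and
// '"cache", "cookies"' (later quoted form) alike.
function parseClearSiteData(value) {
  const types = new Set();
  for (const option of value.split(",")) {
    for (const parameter of option.split(";")) {
      let key = parameter.trim().split("=")[0].trim();
      if (key.startsWith('"') && key.endsWith('"')) key = key.slice(1, -1);
      if (key === "*") CLEAR_TYPES.forEach((t) => types.add(t));
      else if (CLEAR_TYPES.includes(key)) types.add(key);
    }
  }
  return types;
}

// Constructed per-origin state, including an HttpOnly cookie that page
// script could never delete on its own.
function makeStore() {
  return {
    cookies: [{ name: "session", httpOnly: true }, { name: "prefs", httpOnly: false }],
    localStorage: { theme: "dark" },
    cache: ["/app.js", "/style.css"],
    reloadRequested: false, // "executionContexts": reload or kill open contexts
  };
}

// Apply a response's Clear-Site-Data header to the store for its origin and
// return the set of types cleared. The header is only honoured on HTTPS
// responses, so a network attacker cannot inject it to wipe a site's state.
function applyClearSiteData(responseUrl, headers, store) {
  const url = new URL(responseUrl);
  const value = headers["clear-site-data"];
  if (url.protocol !== "https:" || value === undefined) return new Set();
  const types = parseClearSiteData(value);
  if (types.has("cookies")) store.cookies = [];
  if (types.has("storage")) store.localStorage = {};
  if (types.has("cache")) store.cache = [];
  if (types.has("executionContexts")) store.reloadRequested = true;
  return types;
}

// The two logout variants from the deck, run against fresh stores.
function demo() {
  const logout = "https://supersecretsocialnetwork.example.com/logout";
  const killSwitch = makeStore();
  applyClearSiteData(logout, { "clear-site-data": "*" }, killSwitch);
  const keepCookies = makeStore();
  applyClearSiteData(logout, { "clear-site-data": "storage; executionContexts; cache" }, keepCookies);
  return { killSwitch, keepCookies };
}
```

`demo()` returns two stores: the kill-switch one has no cookies (HttpOnly included), no storage, no cache and a pending reload; the second keeps both cookies and clears the rest.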
Content Security Policy (CSP)
W3C Candidate Recommendation
Draft: www.w3.org/TR/CSP/
http://content-security-policy.com/
Charter: 2013 & 2015
The web security model is based on the same-origin policy:
● code from https://mybank.com should only have access to https://mybank.com's data;
● https://evil.example.com should certainly never be allowed access.
The same-origin policy does nothing, though, once an attacker gets script into https://mybank.com's own page (XSS). Content Security Policy is an HTTP header that lets the site declare which origins may supply scripts, images, media and so on, so injected or unexpected resources are refused:

    Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

Here scripts may come only from userscripts.example.com (not even from the page's own origin, since a directive that is present replaces default-src rather than adding to it), images from anywhere, media from the two named hosts, and everything else only from the page's origin.
CSP 2: What’s Different?
New things in Content Security Policy Level 2 include:
[1] New delivery methods, e.g. the HTML <meta http-equiv="Content-Security-Policy"> element
[2] Dealing with multiple policies: when more than one is delivered, all of them are enforced, so a load must satisfy every policy
[3] Dealing with workers: how are Shared Workers and Service Workers governed? (a worker is governed by the policy delivered with its own script, not by the embedding page's)
[4] New directives, e.g. referrer, plugin-types, form-action, frame-ancestors (the referrer directive was later dropped in favour of Referrer Policy)
Charter: 2015
Draft: www.w3.org/TR/CSP2/
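As an added example (not a browser's implementation and not code from the deck), here is a simplified CSP Level 2 source-list matcher in JavaScript that covers the two slides above: the deck's sample policy, the default-src fallback, and the Level 2 rule that every delivered policy must allow a load. It models host-source, scheme-source, 'self', 'none' and *, and deliberately omits nonces, hashes, 'unsafe-inline' and the finer path-matching rules; `DECK_POLICY` is the header from the slide and the document URL in the tests is constructed.

```javascript
// Added example: a simplified CSP2 source-list matcher, not a browser's code.
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "default-src 'self'; img-src *" -> Map { "default-src" => ["'self'"], ... }
// A directive repeated inside one policy is ignored after its first occurrence.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const raw of policyText.split(";")) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

// Does one source expression match the resource URL, given the document's URL?
function sourceMatches(source, url, doc) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === doc.origin;
  if (source.startsWith("'")) return false; // 'none' and other keywords: not modelled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source); // host-source
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : doc.protocol;
  // CSP2 lets an http: pattern match an https: resource, never the reverse.
  if (url.protocol !== wantScheme && !(wantScheme === "http:" && url.protocol === "https:")) return false;
  if (!hostMatches(host.toLowerCase(), url.hostname)) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  const portOk = port ? (port === "*" || port === urlPort) : urlPort === DEFAULT_PORT[url.protocol];
  if (!portOk) return false;
  return !path || url.pathname.startsWith(path);
}

// One policy: look up the directive, falling back to default-src when absent.
function policyAllows(directives, directive, url, doc) {
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true; // nothing governs this load
  return sources.some((s) => sourceMatches(s, url, doc));
}

// Several policies (a header plus a <meta>, or two headers): all must allow the load.
function isAllowed(policies, directive, resourceUrl, documentUrl) {
  const url = new URL(resourceUrl);
  const doc = new URL(documentUrl);
  return policies.map(parsePolicy).every((d) => policyAllows(d, directive, url, doc));
}

// The policy shown on the slide.
const DECK_POLICY =
  "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com";
```

With `DECK_POLICY` and a document at https://example.com, `isAllowed` admits a script from userscripts.example.com but refuses one from the page's own origin (script-src replaces default-src), lets any image through, sends stylesheets to the 'self' fallback, and once a second policy `script-src 'none'` is added the userscripts load is refused too.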
Subresource Integrity (SRI)
W3C Working Draft
Draft: www.w3.org/TR/SRI/
Charter: 2015
Security measures such as TLS, HSTS, and pinned public keys authenticate only the server, not the content. A compromised or malicious CDN can still change the script it serves, and the page will run it.
SRI lets the page pin a hash of the resource it expects:

    <script src="https://code.jquery.com/jquery-1.10.2.min.js"
            integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript">

Caveats: this slide shows the early "ni:" URI form; the Candidate Recommendation settled on integrity="sha384-<base64 digest>" with sha256, sha384 or sha512. A cross-origin resource must also be requested with the crossorigin attribute (CORS), otherwise the browser cannot verify it and refuses to load it.
Referrer Policy
W3C Working Draft
Draft: www.w3.org/TR/referrer-policy/
Charter: 2015
Referrer Policy lets a site say what the user agent should put in the Referer header (and in document.referrer) for requests the page makes: nothing, the origin only, or the full URL, optionally depending on whether the destination is as secure as the source.
How do you set it (as of this draft)?
[1] A Content Security Policy (CSP) directive
[2] A Content Security Policy (CSP) meta tag
[3] Via a meta element with a name of referrer
[4] Implicitly, via inheritance
Mixed Content
W3C Working Draft
Draft: www.w3.org/TR/mixed-content/
Charter: 2015
Does your HTTPS page load subresources (scripts, images, stylesheets, frames, XHR) over plain HTTP? Then you have MIXED CONTENT: the page is only as secure as its weakest resource, and an attacker on the network can rewrite an http: script and run it inside the https: page.
The Mixed Content spec details how user agents should treat these resources: "blockable" content such as scripts and frames is blocked outright, while "optionally blockable" content such as images may be loaded with a warning.
Do we need to do more?
How powerful are Powerful Features?
Can features become too powerful? Do we need to enforce
HTTPS or other measures for these APIs?
Do we need full HTTPS?
The IAB supported HTTPS for new protocol
development. Should the W3C do the same thing?
Powerful Features Document
https://w3c.github.io/webappsec/specs/powerfulfeatures/
[1] How can web features (APIs) be abused?
[2] Categorising features:
- access to sensitive data? (Credential Management)
- access to a sensor? (Geolocation)
- holds state for an origin? (Service Workers)
- is a permission required?
[3] Defining some algorithms: deciding whether an origin is trustworthy enough for a powerful feature
Delivered over TLS (HTTPS), localhost, file:, packaged or preconfigured apps = trusted
Otherwise not trusted, and the feature should be withheld
Transition to HTTPS
https://github.com/w3ctag/web-https
“Therefore, the TAG finds that the Web platform should be
designed to actively prefer secure origins — typically, by
encouraging use of HTTPS URLs instead of HTTP ones.
Furthermore, the end-to-end nature of TLS encryption must
not be compromised on the Web, in order to preserve this
trust.”
Clear Site Data: Open Issues
- Integrating with Fetch
- Clearing is still under the web developer's control, not the user's
- No GitHub issues filed yet!

Connecting the Dots for Information Discovery.pdfNeo4j
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

WebAppSec Updates from W3C

  • 1. @thisNatasha
    WebAppSec Updates from W3C
    Natasha Rooney, @thisNatasha
    GSMA Web Technologist
    W3C WebMob Co-Chair
    www.w3.org/Mobile/IG/
  • 2. Web features are getting more powerful.
    Developers: how can we help developers make better choices or protect their apps?
    Users: how can we help protect users?
    What’s happening? Service Workers, WebRTC, Geolocation, Permissions
  • 3. WebAppSec Working Group
    “…[T]he mission of the Web Application Security Working Group is to develop technical and policy mechanisms to improve the security of and enable secure cross-site communications for applications on the Web.”
    Mailing list: public-webappsec@w3.org
    Website: www.w3.org/2011/webappsec/
  • 4. WebAppSec: Goals
    [1] Attack surface reduction: allow applications to restrict or forbid dangerous features
    [2] Secure mashups: mechanisms for secure resource sharing and messaging across origins
    [3] Manageability: uniform policy control points from which to manage these risks
    [4] Develop a policy mechanism: standardized means for security policy declaration
  • 5. WebAppSec: Work (2015 Charter)
    - Content Security Policy (CSP) Level 2, Level X
    - User Interface Security Directives for CSP
    - Mixed Content (MIX)
    - Subresource Integrity
    - Referrer Policy
    - Credential Management API
    - Suborigin Namespaces
    - Confinement with Origin Web Labels
    - Entry Point Regulation for Web Apps
    - Permissions API
  • 6. Let’s go through some work!
    - Clear Site Data
    - COWL
    - Credential Management
    - Other Updates
  • 8. Clear Site Data
    W3C First Public Working Draft. Draft: https://w3c.github.io/webappsec-clear-site-data/ Charter: 2015
    “Instruct a user agent to clear a site’s locally stored data related to a host.”
    - Web applications store data on the user’s computer
    - That data is sensitive and valuable
    - Some of it can be removed via JavaScript, some cannot:
        Cookies: OK
        HttpOnly cookies: Not OK
        Cache: Not OK
  • 9. Clear Site Data: Examples
    A user signs out of “Super Secret Social Network” via a CSRF-protected POST to https://supersecretsocialnetwork.example.com/logout. The site author wishes to ensure that locally stored data is removed, so the response carries an HTTP header:
        // Signing out / kill switch
        Clear-Site-Data: *

        // Keep critical cookies
        Clear-Site-Data: storage; executionContexts; cache
  • 10. Clear Site Data: Example 2
    Target a specific app subdomain by including a request to that subdomain as part of the logout landing page:
        fetch("https://minus.megacorp.example.com/clear-site-data", {
          method: "POST",
          mode: "cors",
          headers: new Headers({ "CSRF": "[insert sekrit token here]" })
        });
    - The request’s preflight returns proper CORS headers
    - The actual request returns the header:
        Clear-Site-Data: *
  • 11. Confinement with Origin Web Labels (COWL)
    W3C Working Draft. Draft: https://w3c.github.io/webappsec-cowl/ Charter: 2015
  • 12. Confinement with Origin Web Labels (COWL)
    “Specifying privacy and integrity policies on data, in the form of origin labels, and a mechanism for confining code according to such policies.”
    - Third-party scripts put the user’s data confidentiality and integrity at risk!
    - CORS and CSP can help!
    - But they do not control where that data can be used once it has been shared...
  • 13. Confinement with Origin Web Labels (COWL)
    COWL:
    - The developer states that a password is confidential to https://example.com
    - It can then be shared with (e.g.) a third-party password checker
    - The third-party password checker is confined and respects the policy on the password: COWL disallows it from disclosing the password to any origin other than https://example.com
    - Confines code at the context level
    - Developers can set restrictions on shared data
    - Stops data from being shared outside specified origins
    - Can compartmentalise apps to specify privileges
  • 14. COWL: Example, confining untrusted third-party services
    - https://example.com wishes to use the untrusted https://passwordcheck.com
    - https://example.com uses COWL to add a confidentiality policy (a label) to the password before sending it to https://passwordcheck.com
        // Create new policy using Labels that specifies that the password is sensitive
        // to https://example.com and should only be disclosed to this origin:
        var policy = new Label(window.location.origin);
        // Associate the label with the password:
        var labeledPassword = new LabeledObject(password, { confidentiality: policy });
        // Send the labeled password to the checker iframe:
        checker.postMessage(labeledPassword, "https://untrusted.com");
        // Register listener to receive a response from checker, etc.
  • 15. COWL: Example, confining untrusted third-party services (continued)
    1. https://passwordcheck.com checks the password
    2. COWL limits the iframe to communicating with origins that preserve the password’s confidentiality (https://example.com)
    3. This “policy” is enforced mandatorily
    4. https://passwordcheck.com cannot send the password elsewhere
    Note: https://passwordcheck.com can communicate with other origins before inspecting the password.
  • 16. COWL: Examples, sharing data with mashups / privilege separation
    - https://example.com wishes to allow https://mashup.com access to data. The server operator can set COWL response headers so that:
      1. https://mashup.com can access the data through CORS
      2. The COWL header says the data can only be shared with https://example.com
        Access-Control-Allow-Origin: https://mashup.com
        Sec-COWL: data-confidentiality [ ["https://example.com"] ]
    - Give different privileges according to users:
      1. Content of user1 does not interfere with any other user
      2. Content of user1 cannot leak anywhere else
        Sec-COWL: ctx-privilege [ ['self', 'cowl://user1'] ]
  • 18. Credential Management
    W3C Working Draft. Draft: http://w3c.github.io/webappsec-credential-management/ Charter: 2015
    “[R]equest a user’s credentials from a user agent, and to help the user agent correctly store user credentials for future use”
    - Autofilled credentials
    - Hard for some use cases, e.g. credentials sent through XHR
    - The Credential Management API can help!
  • 19. Credential Management: Password-based Sign-in
        navigator.credentials.get({ "password": true }).then(function (credential) {
          if (!credential) {
            // The user either doesn’t have credentials for this site, or refused to
            // share them. Insert some code here to show a basic login form (or,
            // ideally, do nothing, since this API should really be progressive
            // enhancement on top of an existing form).
            return;
          }
          if (credential.type == "password") {
            fetch("https://example.com/loginEndpoint", {
              body: credential.toFormData(),
              method: "POST"
            }).then(function (response) {
              // Notify the user that signin succeeded! Do amazing, signed-in things!
            });
          } else {
            // in Spec: federated sign-in example
          }
        });
  • 20. WebAppSec: Other Updates
    Spec updates:
    - Candidate Recommendation: Subresource Integrity
    - Candidate Recommendation: Mixed Content
    - Password generation in Credential Manager
    - Published: COWL
    - Referrer Policy turned into a distinct header
    - Mixed Content and DASH
    - Permissions API Working Draft
    - HSTS, mixed content, and priming: fetch resources using HTTPS even if the URL uses the "http:" scheme
    Group management updates:
    - Specs now on GitHub
    - Berlin face-to-face
  • 21. WebAppSec: At TPAC (TPAC 2015, 29-30 October)
    - Credential Management
    - Content Security Policy
    - Referrer Policy
    - Joint session with Web Payments WG on secure API design
    - COWL
    - CSP Embedded Enforcement
    Agenda link
  • 22. Thank you!
    Natasha Rooney, @thisNatasha
    GSMA Web Technologist
    W3C WebMob Co-Chair
    www.w3.org/Mobile/IG/
    Thanks to Brad Hill (Chair) & Mike West (editor) from the WebAppSec WG!
  • 24. Clear Site Data: General Syntax
        Clear-Site-Data = 1#option
        option          = parameter *( OWS ";" [ OWS parameter ] )
        parameter       = key [ BWS "=" value ]
        key             = token
        value           = token / quoted-string

        // Parameters:
        // cache, cookies, storage, executionContexts, *
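The header semantics on slides 8 to 10 and the grammar on slide 24 are easier to reason about when the parsing is spelled out. The following is an added example, not code from the slides or from the Clear Site Data draft: it parses a Clear-Site-Data header value according to the general syntax above, expands the "*" kill switch, reports parameter names it does not recognise (so a misspelt "cookie" is visible rather than silently ignored), and answers the slide 8 question of whether a given header asks the browser to clear cookies that script itself cannot remove. The two header values are the ones from slide 9.

```javascript
// Added example (not from the slides or the Clear Site Data draft): a parser for the
// Clear-Site-Data header value following the general syntax on slide 24:
//   Clear-Site-Data = 1#option
//   option          = parameter *( OWS ";" [ OWS parameter ] )
//   parameter       = key [ BWS "=" value ]
// The parameter names are the five listed on slide 24.

const ALL_TYPES = ["cache", "cookies", "storage", "executionContexts"];

// Parse one header value into the sorted list of data types the user agent should clear.
// Unrecognised keys are returned separately so a typo does not become a silent no-op.
function parseClearSiteData(headerValue) {
  const types = new Set();
  const unknown = [];
  // 1#option: a comma-separated list with at least one option.
  for (const option of headerValue.split(",")) {
    // Each option is a ";"-separated list of parameters; the ABNF allows empty ones.
    for (const rawParam of option.split(";")) {
      const param = rawParam.trim();
      if (param === "") continue;
      // key [ "=" value ]: the 2015 draft defines no values, so only the key matters here.
      const key = param.split("=")[0].trim();
      if (key === "*") {
        ALL_TYPES.forEach((t) => types.add(t));
      } else if (ALL_TYPES.includes(key)) {
        types.add(key);
      } else {
        unknown.push(key);
      }
    }
  }
  return { types: [...types].sort(), unknown };
}

// Slide 8: script cannot delete HttpOnly cookies or the cache, but a "cookies"
// parameter (or "*") asks the browser to do it. Does this header request that?
function clearsHttpOnlyCookies(headerValue) {
  return parseClearSiteData(headerValue).types.includes("cookies");
}

// The two logout responses from slide 9.
const KILL_SWITCH = "*";
const KEEP_CRITICAL_COOKIES = "storage; executionContexts; cache";
```

Run against the slide 9 values, the kill switch expands to all four types, while the second header leaves cookies untouched, which is exactly why the slide labels it "keep critical cookies".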
  • 25. Content Security Policy (CSP)
    W3C Candidate Recommendation. Draft: www.w3.org/TR/CSP/ and http://content-security-policy.com/ Charter: 2013 & 2015
  • 26. Content Security Policy (CSP)
    The web security model is based on the “Same Origin Policy”:
    ● Code from https://mybank.com should only have access to https://mybank.com’s data
    ● https://evil.example.com should certainly never be allowed access
    Content Security Policy is an HTTP header which can help!
        Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
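To see what the header on slide 26 actually permits, here is an added example, not code from the slides, the CSP specification or any browser: a simplified model of how a user agent evaluates a policy against a resource load. It implements the fallback from a missing directive to default-src and the three kinds of source expression the slide's header uses ('self', '*' and plain host names); it deliberately leaves out paths, ports, nonces, hashes and 'unsafe-inline', which real CSP also supports. The page URL https://mybank.com/account and the resource URLs are constructed for the demonstration.

```javascript
// Added example (not from the slides, the CSP spec or any browser): a simplified
// CSP evaluator for the header on slide 26. Models directive fallback to
// default-src and the source expressions 'self', '*' and host names only.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive name: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the resource being loaded by the given page?
function sourceMatches(expr, resource, page) {
  if (expr === "'none'") return false;
  if (expr === "*") return true; // (real CSP excludes data:, blob: and filesystem: here)
  if (expr === "'self'") return resource.origin === page.origin;
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return resource.protocol === expr.toLowerCase();
  // Host source, optionally with a scheme: "media1.com" or "https://media1.com".
  const schemeSplit = expr.split("://");
  const scheme = schemeSplit.length === 2 ? schemeSplit[0].toLowerCase() + ":" : null;
  const host = schemeSplit[schemeSplit.length - 1].split("/")[0].split(":")[0].toLowerCase();
  if (scheme !== null) {
    if (resource.protocol !== scheme) return false;
  } else if (resource.protocol !== page.protocol && resource.protocol !== "https:") {
    // Without an explicit scheme the source matches the page's scheme (or a secure upgrade).
    return false;
  }
  if (host.startsWith("*.")) return resource.hostname.endsWith(host.slice(1));
  return resource.hostname === host;
}

// Decide whether a load governed by `directive` is allowed, falling back to
// default-src when the policy has no directive of that name.
function allowed(policy, directive, resourceUrl, pageUrl) {
  const resource = new URL(resourceUrl);
  const page = new URL(pageUrl);
  const sources = policy.has(directive) ? policy.get(directive) : policy.get("default-src");
  if (sources === undefined) return true; // neither directive nor default-src: the policy is silent
  return sources.some((expr) => sourceMatches(expr, resource, page));
}

// The header from slide 26, applied to loads made by a constructed page on https://mybank.com.
const SLIDE_POLICY = parsePolicy(
  "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com"
);
const PAGE = "https://mybank.com/account";

function demo() {
  return {
    ownScript: allowed(SLIDE_POLICY, "script-src", "https://mybank.com/app.js", PAGE),
    userScript: allowed(SLIDE_POLICY, "script-src", "https://userscripts.example.com/x.js", PAGE),
    evilScript: allowed(SLIDE_POLICY, "script-src", "https://evil.example.com/x.js", PAGE),
    anyImage: allowed(SLIDE_POLICY, "img-src", "http://cdn.example.net/p.png", PAGE),
    media1: allowed(SLIDE_POLICY, "media-src", "https://media1.com/v.mp4", PAGE),
    media3: allowed(SLIDE_POLICY, "media-src", "https://media3.com/v.mp4", PAGE),
    ownStyle: allowed(SLIDE_POLICY, "style-src", "https://mybank.com/s.css", PAGE),
    cdnStyle: allowed(SLIDE_POLICY, "style-src", "https://cdn.example.net/s.css", PAGE),
  };
}
```

One result worth noticing: under this policy a script served from https://mybank.com itself is blocked, because script-src is present and lists only userscripts.example.com, and a specific directive replaces default-src rather than adding to it. Styles, which have no directive of their own here, fall back to default-src 'self' and so load only from the page's origin.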
  • 27. CSP 2: What’s Different?
    W3C Candidate Recommendation. Draft: www.w3.org/TR/CSP2/ Charter: 2015
    New things in Content Security Policy Level 2 include:
    [1] New “delivery methods”, e.g. the HTML <meta> element
    [2] Dealing with multiple policies: all will be obeyed!
    [3] Dealing with workers: how do we deal with Shared or Service Workers?
    [5] New directives, e.g. referrer, plugin-types, form-action, frame-ancestors
  • 29. Subresource Integrity (SRI)
    W3C Working Draft. Draft: www.w3.org/TR/SRI/ Charter: 2015
    Security measures such as TLS, HSTS, and pinned public keys authenticate only the server, not the content. An attacker who controls the content server can still change the content!
        <script src="https://code.jquery.com/jquery-1.10.2.min.js"
                integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript"></script>
  • 31. Referrer Policy
    W3C Working Draft. Draft: www.w3.org/TR/referrer-policy/ Charter: 2015
    Referrer Policy says what a site should do about the Referer header. How do you set it?
    [1] Content Security Policy (CSP) directive
    [2] Content Security Policy (CSP) meta tag
    [3] Via a meta element with a name of referrer
    [4] Implicitly, via inheritance
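Whichever of the four delivery methods on slide 31 is used, the value that ends up applying is one of the policy states the 2015 draft defined, and what a user agent then puts in the Referer header follows a small decision procedure. The following is an added example, not code from the slides or from the Referrer Policy draft: it computes the Referer value for a request under each policy state, stripping credentials and fragments as a user agent does, and treating an unrecognised or empty policy as no-referrer-when-downgrade, the draft's default. The URLs are constructed for the example.

```javascript
// Added example (not from the slides or the Referrer Policy draft): what Referer
// header a user agent sends under each 2015 policy state.

// User agents never send credentials or fragments in a referrer.
function stripForReferrer(urlStr) {
  const u = new URL(urlStr);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

// Returns the Referer header value, or null when no header should be sent.
function referrerFor(policy, fromUrl, toUrl) {
  const from = stripForReferrer(fromUrl);
  const to = new URL(toUrl);
  const full = from.href;                 // scheme, host, path and query
  const originOnly = from.origin + "/";   // origin serialized with a trailing slash
  const isDowngrade = from.protocol === "https:" && to.protocol === "http:";
  const sameOrigin = from.origin === to.origin;
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return isDowngrade ? null : full;
    case "origin":
      return originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "unsafe-url":
      return full;
    default:
      // Empty or unknown policy: the draft falls back to no-referrer-when-downgrade.
      return isDowngrade ? null : full;
  }
}

// Constructed page URL carrying a query string and fragment, as a bank page might.
const FROM = "https://mybank.com/account?id=42#statement";
```

The query string is the part to watch: under "unsafe-url" it leaks to an HTTP destination, under "no-referrer-when-downgrade" it is kept for HTTPS destinations but the whole header is dropped on a downgrade, and "origin-when-cross-origin" keeps it only for same-origin requests.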
  • 33. Mixed Content
    W3C Working Draft. Draft: www.w3.org/TR/mixed-content/ Charter: 2015
    Does your HTTPS site contain content loaded over HTTP links? Then you have MIXED CONTENT!
    Mixed Content details how user agents should treat these resources.
  • 34. Do we need to do more?
    How powerful are “Powerful Features”? Can features become too powerful?
    Do we need to enforce HTTPS or other measures for these APIs?
    Do we need full HTTPS? The IAB supported HTTPS for new protocol development. Should the W3C do the same thing?
  • 36. Powerful Features Document
    https://w3c.github.io/webappsec/specs/powerfulfeatures/
    [1] How can web features (APIs) be abused?
    [2] Categorising:
    - Access to sensitive data? (Credential Management)
    - Access to a sensor? (Geolocation)
    - Holds state for an origin? (Service Workers)
    - Is permission required?
    [3] Defining some algorithms: origins using TLS/HTTPS, localhost, file, packaged or preconfigured origins are trusted; otherwise not trusted.
  • 39. Transition to HTTPS
    https://github.com/w3ctag/web-https
    “Therefore, the TAG finds that the Web platform should be designed to actively prefer secure origins — typically, by encouraging use of HTTPS URLs instead of HTTP ones. Furthermore, the end-to-end nature of TLS encryption must not be compromised on the Web, in order to preserve this trust.”
  • 40. Clear Site Data: Open Issues
    - Integrating with Fetch
    - Still in the control of the web developer, not the user
    - No GitHub issues!