SlideShare a Scribd company logo

PGDAY EU 2016 workshop - privacy and security

S
Steve Gill

This document discusses privacy and security considerations for PhoneGap applications. It begins by introducing the presenter and defining key terms like security and privacy. It then discusses the relationship between security and privacy, noting that good security is needed to protect privacy. The document outlines various types of attacks that could be mounted against a PhoneGap app, like SQL injection, cross-site scripting, and man-in-the-middle attacks. It provides recommendations for mitigating these risks, such as using whitelisting, content security policy, and certificate pinning. The presentation concludes by providing additional security resources.

Technology
1 of 62
Download to read offline
PRIVACY AND SECURITY PHONEGAP PHONEGAP DAY EU - MAY 20, 2016 1
WHO AM I? STEVE GILL ▸ Computer Scientist at Adobe ▸ @stevesgill ▸ https://github.com/stevengill ▸ stevengill97@gmail.com 2
TEXT DISCLAIMER ▸ This Workshop was written and performed by Tommy Williams (@devgeeks) at PhoneGap Day US.
What is the difference between “Security” and “Privacy”? 4
WHAT IS THEIR RELATIONSHIP? SECURITY AND PRIVACY GO HAND IN HAND 👬 ▸ One does not always guarantee the other ▸ Good security does not always keep data private ▸ Privacy is also a security issue (attack vectors, etc) 5
WHAT IS THEIR RELATIONSHIP? STRONG PRIVACY NEEDS SECURITY ▸ Without good security, Privacy cannot be protected from those with malicious intent 6
“HACK YOURSELF FIRST” TO QUOTE TROY HUNT (VIA JEREMIAH GROSSMAN): Fun resource: http://hackyourselffirst.troyhunt.com 7 https://www.webdirections.org/resources/hack-yourself-first-troy-hunt/
WHAT KINDS OF ATTACKS MIGHT BE MOUNTED AGAINST A PHONEGAP APP? PRETTY MUCH THE SAME AS THOSE USED TO ATTACK BROWSER APPS ▸ Direct API or Server Access ▸ Cross Site Scripting (XSS) ▸ Cross Site Request Forgery (CSRF) ▸ SQL Injection ▸ MitM ▸ Broken Auth and Session Management ▸ User Exploitation (Phishing, etc) ▸ Etc… 8
IS HACKING HARD? DOES IT TAKE MAD SKILLZ? 9
WHO ARE YOU CALLING A DORK… YA DORK? NOT GOING TO BOTHER DEMOING THIS, YOU GET THE IDEA GOOGLE DORKS 10
DON’T REQUIRE ADVANCED KNOWLEDGE PLENTY OF HACKING TOOLS 11
PIXFOR (THE VULNERABLE EDITION) OK, SO WHAT ARE WE GOING TO HACK ON TODAY? 12
GETTING STARTED RUNNING THE APP ▸ $ git clone https://github.com/devgeeks/pixfor-vulnerable ▸ $ cd pixfor-vulnerable ▸ $ npm install ▸ $ phonegap serve (and use the PhoneGap Developer App), or ▸ $ phonegap run [ios|android] [--device] ~ or ~ ▸ Open the PhoneGap Developer App and point it at:
 http://take.pixfor.me:8888 13
‘ OR 1=1; -- SQL INJECTION 14
ROBERT’; DROP TABLE STUDENTS; -- LITTLE BOBBY TABLES 15
DEMO TIME STOP! 16
WHAT CAN WE DO? SQL INJECTION 17
SQL INJECTION IF NOTHING ELSE ‣ Avoid SQL injection by use of parameterization ‣ This keeps untrusted input from breaking out of the parameter context ‣ And of course, listen to Bobby’s mom and sanitize your inputs 18
XSS CROSS SITE SCRIPTING 19
HTTPS://WWW.SEANCASSIDY.ME/LOSTPASS.HTML ಠ_ಠ BUT IS XSS THAT BIG OF A DEAL? 20
XSS TWO PRIMARY CONCERNS ▸ What are the sources of input? ▸ Where is this data going (the target)? 21
XSS TYPES OF SOURCES ▸ Location and URL Sources ▸ Cookies ▸ Referrer (less so in a PhoneGap app) ▸ Window Name ▸ Indirect Sources (Client side db such as sqlite/pouch/etc) ▸ Other Objects (Post Message/Intents/etc) 22
XSS TYPES OF TARGETS ▸ Execution Target ▸ HTML Element Target ▸ Set Location Target ▸ Control Flow Target ▸ …and more 23
XSS EXECUTION TARGET ▸ eval() ▸ onclick, onsubmit, … ▸ Function() ▸ script.src ▸ setTimeout() ▸ script.text ▸ setInterval() ▸ script.textContent ▸ setImmediate() ▸ script.innerText ▸ etc… 24
XSS HTML ELEMENT TARGET ▸ document.write ▸ document.writeln ▸ element.innerHTML ▸ element.insertAdjacentHTML ▸ Range.createContextualFragment ▸ HTMLButton.value ▸ etc… 25
XSS SET LOCATION TARGET ▸ window.location 26
XSS CONTROL FLOW TARGET ▸ this[foo](bar)
 
 (seems contrived, but allows arbitrary script execution if input `foo` is untrusted) 27
FRAMEWORKS A QUICK NOTE ABOUT 28
XSS FRAMEWORKS ▸ jQuery ▸ Angular ▸ React 29
XSS FRAMEWORKS - JQUERY ▸ jQuery is practically a target in and of itself (mostly fixed) ▸ be aware that old versions might be targets ▸ Choc-full of HTML element targets:
 element.add(userContent)
 element.append(userContent)
 element.after(userContent)
 element.html(userContent)
 etc… 30
XSS FRAMEWORKS - ANGULAR ▸ Old versions should be avoided and updated ▸ 1.1.5?
 <div class=“ng-app">
 {{constructor.constructor('alert(1)')()}}
 </div> ▸ Fixed now, but beware older versions 31
XSS FRAMEWORKS - REACT ▸ Gives a clue in the function name: dangerouslySetInnerHTML(), but devs still use it (static site generators, etc) ▸ Not using it also doesn’t alleviate the need to sanitize your inputs 32
XSS PROBLEMS WITH FRAMEWORKS ▸ Add complexity ▸ Abstract away targets (innerHTML, etc) ▸ Add syntactic sugar ▸ Add loopholes to browser security controls ‣ The frameworks and practices you use should (attempt to) be secure by default ‣ If your frameworks add syntactic sugar, be aware of the implications 33
XSS STAY. UP. TO. DATE. ▸ This applies to PhoneGap/Cordova and its plugins as much as your front-end JavaScript frameworks 34
WHAT CAN WE DO? XSS 35
XSS MINIMISE ATTACK SURFACE ▸ Avoid converting strings to scripts ▸ Avoid innerHTML wherever possible! ▸ Don't write your own HTML sanitizer (srsly) ▸ Whitelist* ▸ Content Security Policy (CSP)* * we’ll get to these in a bit 36
XSS AVOID CONVERTING STRINGS TO SCRIPTS ▸ eval, Function.apply, setTimeout("string"), etc ▸ inline event handlers like onclick="string", etc 37
XSS AVOID INNERHTML WHEREVER POSSIBLE! ▸ .textContent ▸ $(el).text() ▸ document.createElement/setAttribute ▸ Use a template system with escaping ▸ HOWEVER!! location targets are not as protected
 i.e.: <a href="{{value}}">...</a> 38
XSS DON'T WRITE YOUR OWN HTML SANITIZER If you MUST… ▸ Whitelist, NOT blacklist ▸ fail conservatively, better to fail to display nicely than to be insecure ▸ instead consider: DOMPurify, Angular's $sanitize, Bleach,js (for workers?), etc… 39
XSS TL;DR ‣ Avoid eval & innerHTML ‣ Use a template lang* with escaping, but be careful with attributes ‣ filter HTML input conservatively ‣ Whitelist / CSP * However, a lot of the tempting langs don’t play well CSP, but we’ll get to that… 40
YOU ARE AWAKE NEXT, MAYBE SOME FUN TO MAKE SURE 41
DO YOU RECOGNISE ANY OF THESE? #SFO FREE WIFI, 13WestMyrtle, 2WIRE012, 5099251212, @Hyatt-WiFi, @yvrairport, ACU, ADBEEmp2014, ADO, ATT2yrd6rC, AccessDenied, Admirals_Club, AdobeCorp, AdobeGuest, Aer_Lingus_WIFI, Amanda's iPhone, AmtrakConnect, AndroidAP, Avatar Hotel, Avcenter, BDLpublic, BELL647, BELL_WIFI, BERNIES CAFE, BWW-PUBLIC, Best Western Park Place, BestBuy, Boingo Hotspot, Boyd's iPhone 6 Plus, Bycen, CAFE ZUPAS, CORTECH_Guest, CSWireless5ghz, Cafe 300, CapNet, CenturyLink1499, Cl-Wireless, CoJPublic, CoxWiFi, D&B_Guest, DIMTER, DIRECT-6bM2020 Series, DVG-N5402SP-212017, Detroit Airport Wi-Fi, DevMountain, DevMountainApt7, Douglas Guest, DrupalCon, ETS, El Mexsal, EmployeeHotspot, Engedi, EuropaCoffeehouse, FairPublic, Fly-Fi, FourSeasons Guest, Frahmbo's iPhone, Free PHX Boingo WiFi, FullCircle, Fusion-IO Guest, Google Starbucks, GoogleGuest, HI Express Richfield, HI Express Richfield , HOME-6CF2, HOME-C4C8, Handlery_San_Francisco, Happy Campers, HarborLink - Buffalo Wild Wings, Hope Alliance, Hyatt, IMEG-GUEST, ITGUEST, Jerk Grill, Joss, Kimpton, KingMaint, LYNDA-GUEST, Learntoprogram, MATHIS, MATHIS2, MH_Network, MMM_WiFi_Guest, MPLS, MiFi4620L Jetpack B472 Secure, MokiGuest, Mothership-guest, NETGEAR-Guest, NETGEAR53, NETGEAR82, NS FCCLA, OMA-Free-WiFi, OPTUSDN368CFC, OceanWiFi Very Hotspot, Ocho, Oscars, PCMC_Ice_Free_Wifi, PDI-Guest, PIGS, PPS, Park City Ice Patron Wifi, PhoneGap, Public, Quality, Quantum, Rain-Guest, Rangle.io WiFi, ReactWeek, Reclaim_EC, Redtail, Rogers, SDC2014, SEATAC-FREE-WIFI, SFUNET-SECURE, SGMC, SIN, SKYHARBOR PUBLIC WLAN, Seabay, Selnate, Shazron's iPhone 5, Shopify Guests, Solid Attendees, SouthwestWiFi, SpencerWireless, SpringOne2GX, Starbucks WiFi, Stratus018222, Streamyx Mobility, T-Mobile Broadband 67, TJR 008, TPCG0, Taco Bell, The Hotel Collection Guest WiFi, Two Jacks Pizza, U Street Cafe Wifi, UConnect, UNITE-295E, Virgin Hotels, WL, WebsterRec, Willowcreek, Wolverine-WiFi, WorkbarGuest, activehit, appigo47, attwifi, attwifibn, bPhone, baker, bycen, cabinsusa, dd-wrt, dlink, doraemon, duece, elive, ethostream, fazidin2, gogoinflight, hhonors, hhonors lobby, hhonors_lobby, hills, houseofnuts, iPhone (2), indiapalace, intermountain_guest, iviejuicebar, jexus, jucienjava, juicenjava, lhm-open, loganwifi, mikes, mywifi, nortel-wlan, qds_office, rangleio Extension, raspberry-pi, reSETguest, rogers, silvermtnsuites6, surveillance vehicle 2, testnet, video2g, wguest, xfinitywifi, zulkefley13@unifi 42
CONSTANTLY PROBING YOUR DEVICES ARE ALWAYS LOOKING FOR WIFI THEY KNOW ▸ These are called “Probe Requests” ▸ If the WiFi was unencrypted (no WEP/WPA, etc), then another device could see these probe requests and simply pretend to be that WiFi (i.e.: A WiFi Pineapple, etc) ▸ Most devices would then happily join and start sending traffic through the malicious WiFi spot ▸ Even easier is a “honey pot” like a WiFi called “FREE WIFI”, etc. Everyone likes free WiFi. 43
MAN IN THE MIDDLE (MITM) THESE ARE JUST SOME OF THE MANY WAYS TO BECOME A: "→☠←$ 44
DEMO I THINK THIS CALLS FOR ANOTHER 45
WHAT CAN WE DO? MITM 46
ALL OF THEM YES 47
LET’S ENCRYPT! TOO HARD? TOO EXPENSIVE? 48
CSP CONTENT SECURITY POLICY 49
CSP CSP IS AWESOME ▸ What is it? ▸ It’s a whitelist of content sources ▸ http://www.html5rocks.com/en/tutorials/security/ content-security-policy ▸ Cordova / PhoneGap “hello World” templates include a CSP 50
CSP HELLO WORLD <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> 51
PHONEGAP SPECIFIC OK, LET’S GET MORE 52
WHITELIST CORDOVA-PLUGIN-WHITELIST 53
WHITELIST READ AND UNDERSTAND THE WHITELIST GUIDE ‣ http://cordova.apache.org/docs/en/latest/guide/appdev/ whitelist/index.html ‣ <access origin=“https://*.mydomain.com" /> ‣ On iOS: ‣ Application Transport Security (ATS) ‣ <access origin="https://*.mydomain.com" minimum-tls- version="TLSv1.1" requires-forward-secrecy="false" /> 54
IFRAMES THE PROBLEM WITH 55
THE PROBLEM WITH IFRAMES ACCESS TO THE “BRIDGE” ‣ If content is served in an iframe from a whitelisted domain, that domain will have access to the native Cordova bridge ‣ This means that if you whitelist a third-party advertising network and serve those ads through an iframe, it is possible that a malicious ad will be able to break out of the iframe and perform malicious actions ‣ Be careful what you whitelist 56
CERTIFICATE PINNING GETTING HARDCORE WITH 57
CERTIFICATE PINNING (LIMITED) OPTIONS FOR CERT PINNING ‣ Cordova does not support true certificate pinning ‣ There are ways to approximate certificate pinning ‣ TOFU (yum) ‣ EddyVerbruggen/SSLCertificateChecker-PhoneGap- Plugin ‣ True certificate pinning for some platforms ‣ wymsee/cordova-HTTP 58
SELF-SIGNED CERTIFICATES FOR DEVELOPMENT ONLY! 59
MORE… SOME MORE ADVICE FROM THE SECURITY GUIDE ‣ Do not use Android Gingerbread (2.3)! ‣ Use InAppBrowser for outside links ‣ Validate all user input (worth repeating) ‣ Do not cache sensitive data ‣ Don't use eval() unless you know what you're doing ‣ Do not assume that your source code is secure 60
RESOURCES A FEW RESOURCES AS YOU GO FORWARD ‣ OWASP Top 10 - http://www.veracode.com/directory/owasp- top-10 ‣ SQL Injection Myths and Fallacies - http://www.slideshare.net/ billkarwin/sql-injection-myths-and-fallacies ‣ PhoneGap Platform Security wiki - https://github.com/phonegap/ phonegap/wiki/Platform-Security ‣ Online Security Confs - http://www.tunnelsup.com/online- security-conferences ‣ HTML4 Security Cheat Sheet - https://html5sec.org/ 61
LET’S STAY SAFE OUT THERE THANKS, AND 62 💖

Recommended

PhoneGap talk from Singapore
PhoneGap talk from SingaporePhoneGap talk from Singapore
PhoneGap talk from SingaporeSteve Gill
 
Phonegap facebook- plugin
Phonegap facebook- pluginPhonegap facebook- plugin
Phonegap facebook- pluginSteve Gill
 
Phonegap facebook plugin - Seoul & Tokyo
Phonegap facebook plugin - Seoul & TokyoPhonegap facebook plugin - Seoul & Tokyo
Phonegap facebook plugin - Seoul & TokyoSteve Gill
 
PhoneGap Slides from HTML5 Next and Now
PhoneGap Slides from HTML5 Next and NowPhoneGap Slides from HTML5 Next and Now
PhoneGap Slides from HTML5 Next and NowSteve Gill
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 

Recommended

PhoneGap talk from Singapore
PhoneGap talk from SingaporePhoneGap talk from Singapore
PhoneGap talk from SingaporeSteve Gill
 
Phonegap facebook- plugin
Phonegap facebook- pluginPhonegap facebook- plugin
Phonegap facebook- pluginSteve Gill
 
Phonegap facebook plugin - Seoul & Tokyo
Phonegap facebook plugin - Seoul & TokyoPhonegap facebook plugin - Seoul & Tokyo
Phonegap facebook plugin - Seoul & TokyoSteve Gill
 
PhoneGap Slides from HTML5 Next and Now
PhoneGap Slides from HTML5 Next and NowPhoneGap Slides from HTML5 Next and Now
PhoneGap Slides from HTML5 Next and NowSteve Gill
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
Exploring web apps with Fiddler and Chrome Dev Tools
Exploring web apps with Fiddler and Chrome Dev ToolsExploring web apps with Fiddler and Chrome Dev Tools
Exploring web apps with Fiddler and Chrome Dev ToolsCristian Satnic
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
How you can become an Accessibility Superhero
How you can become an Accessibility SuperheroHow you can become an Accessibility Superhero
How you can become an Accessibility Superherorobzonenet
 
Prebrowsing - Velocity NY 2013
Prebrowsing - Velocity NY 2013Prebrowsing - Velocity NY 2013
Prebrowsing - Velocity NY 2013Steve Souders
 
Getting Your Hooks into Cordova
Getting Your Hooks into CordovaGetting Your Hooks into Cordova
Getting Your Hooks into CordovaColdFusionConference
 
Mobile Web High Performance
Mobile Web High PerformanceMobile Web High Performance
Mobile Web High PerformanceMaximiliano Firtman
 
Why HTML5 is getting on my nerves…
Why HTML5 is getting on my nerves…Why HTML5 is getting on my nerves…
Why HTML5 is getting on my nerves…Avenga Germany GmbH
 
Augmented Reality (AR) - The Future of Mobile Applications?
Augmented Reality (AR) - The Future of Mobile Applications? Augmented Reality (AR) - The Future of Mobile Applications?
Augmented Reality (AR) - The Future of Mobile Applications? Carin Campanario
 
Preconnect, prefetch, prerender...
Preconnect, prefetch, prerender...Preconnect, prefetch, prerender...
Preconnect, prefetch, prerender...MilanAryal
 
Mobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMaximiliano Firtman
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Bug bounty or beg bounty?
Bug bounty or beg bounty?Bug bounty or beg bounty?
Bug bounty or beg bounty?Casey Ellis
 
I Phone Developer Introduction By Eschipul
I Phone Developer Introduction By EschipulI Phone Developer Introduction By Eschipul
I Phone Developer Introduction By EschipulEd Schipul
 
Basic Scary DNS
Basic Scary DNSBasic Scary DNS
Basic Scary DNSevilsquelch
 
Web Based Mobile Linux World
Web Based Mobile Linux WorldWeb Based Mobile Linux World
Web Based Mobile Linux WorldOytun Eren Sengul
 
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...Casey Ellis
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For MoneyShubham Gupta
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Sucuri
 
Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Matt Lacey
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 

More Related Content

What's hot

Exploring web apps with Fiddler and Chrome Dev Tools
Exploring web apps with Fiddler and Chrome Dev ToolsExploring web apps with Fiddler and Chrome Dev Tools
Exploring web apps with Fiddler and Chrome Dev ToolsCristian Satnic
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
How you can become an Accessibility Superhero
How you can become an Accessibility SuperheroHow you can become an Accessibility Superhero
How you can become an Accessibility Superherorobzonenet
 
Prebrowsing - Velocity NY 2013
Prebrowsing - Velocity NY 2013Prebrowsing - Velocity NY 2013
Prebrowsing - Velocity NY 2013Steve Souders
 
Why HTML5 is getting on my nerves…
Why HTML5 is getting on my nerves…Why HTML5 is getting on my nerves…
Why HTML5 is getting on my nerves…Avenga Germany GmbH
 
Augmented Reality (AR) - The Future of Mobile Applications?
Augmented Reality (AR) - The Future of Mobile Applications? Augmented Reality (AR) - The Future of Mobile Applications?
Augmented Reality (AR) - The Future of Mobile Applications? Carin Campanario
 
Preconnect, prefetch, prerender...
Preconnect, prefetch, prerender...Preconnect, prefetch, prerender...
Preconnect, prefetch, prerender...MilanAryal
 
Mobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMaximiliano Firtman
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Bug bounty or beg bounty?
Bug bounty or beg bounty?Bug bounty or beg bounty?
Bug bounty or beg bounty?Casey Ellis
 
I Phone Developer Introduction By Eschipul
I Phone Developer Introduction By EschipulI Phone Developer Introduction By Eschipul
I Phone Developer Introduction By EschipulEd Schipul
 
Web Based Mobile Linux World
Web Based Mobile Linux WorldWeb Based Mobile Linux World
Web Based Mobile Linux WorldOytun Eren Sengul
 
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...Casey Ellis
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For MoneyShubham Gupta
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Sucuri
 

What's hot (20)

Exploring web apps with Fiddler and Chrome Dev Tools
Exploring web apps with Fiddler and Chrome Dev ToolsExploring web apps with Fiddler and Chrome Dev Tools
Exploring web apps with Fiddler and Chrome Dev Tools
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
How you can become an Accessibility Superhero
How you can become an Accessibility SuperheroHow you can become an Accessibility Superhero
How you can become an Accessibility Superhero
 
Prebrowsing - Velocity NY 2013
Prebrowsing - Velocity NY 2013Prebrowsing - Velocity NY 2013
Prebrowsing - Velocity NY 2013
 
Getting Your Hooks into Cordova
Getting Your Hooks into CordovaGetting Your Hooks into Cordova
Getting Your Hooks into Cordova
 
Mobile Web High Performance
Mobile Web High PerformanceMobile Web High Performance
Mobile Web High Performance
 
Why HTML5 is getting on my nerves…
Why HTML5 is getting on my nerves…Why HTML5 is getting on my nerves…
Why HTML5 is getting on my nerves…
 
Augmented Reality (AR) - The Future of Mobile Applications?
Augmented Reality (AR) - The Future of Mobile Applications? Augmented Reality (AR) - The Future of Mobile Applications?
Augmented Reality (AR) - The Future of Mobile Applications?
 
Preconnect, prefetch, prerender...
Preconnect, prefetch, prerender...Preconnect, prefetch, prerender...
Preconnect, prefetch, prerender...
 
Mobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance OptimizationMobile Web & HTML5 Performance Optimization
Mobile Web & HTML5 Performance Optimization
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
Bug bounty or beg bounty?
Bug bounty or beg bounty?Bug bounty or beg bounty?
Bug bounty or beg bounty?
 
I Phone Developer Introduction By Eschipul
I Phone Developer Introduction By EschipulI Phone Developer Introduction By Eschipul
I Phone Developer Introduction By Eschipul
 
Basic Scary DNS
Basic Scary DNSBasic Scary DNS
Basic Scary DNS
 
Web Based Mobile Linux World
Web Based Mobile Linux WorldWeb Based Mobile Linux World
Web Based Mobile Linux World
 
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...
 
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyBug Bounty - Play For Money
Bug Bounty - Play For Money
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?
 

Similar to PGDAY EU 2016 workshop - privacy and security

Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Matt Lacey
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityGeorge Boobyer
 
Putting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps ToolchainPutting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps ToolchainJames Wickett
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouE Hacking
 
Car Infotainment Hacking Methodology and Attack Surface Scenarios
Car Infotainment Hacking Methodology and Attack Surface ScenariosCar Infotainment Hacking Methodology and Attack Surface Scenarios
Car Infotainment Hacking Methodology and Attack Surface ScenariosJay Turla
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansendrewz lin
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designPatrick Walsh
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Ethical Hacking from inside – Step 1: Code Review
Ethical Hacking from inside – Step 1: Code ReviewEthical Hacking from inside – Step 1: Code Review
Ethical Hacking from inside – Step 1: Code ReviewSandro Zaccarini
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfcyberhacker7
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 

Similar to PGDAY EU 2016 workshop - privacy and security (20)

Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh Smith
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
 
Putting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps ToolchainPutting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps Toolchain
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
Car Infotainment Hacking Methodology and Attack Surface Scenarios
Car Infotainment Hacking Methodology and Attack Surface ScenariosCar Infotainment Hacking Methodology and Attack Surface Scenarios
Car Infotainment Hacking Methodology and Attack Surface Scenarios
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by design
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Ethical Hacking from inside – Step 1: Code Review
Ethical Hacking from inside – Step 1: Code ReviewEthical Hacking from inside – Step 1: Code Review
Ethical Hacking from inside – Step 1: Code Review
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
bh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdfbh-usa-07-grossman-WP.pdf
bh-usa-07-grossman-WP.pdf
 
What is being exposed from IoT Devices
What is being exposed from IoT DevicesWhat is being exposed from IoT Devices
What is being exposed from IoT Devices
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
Asynchronicity
AsynchronicityAsynchronicity
Asynchronicity
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 

Recently uploaded

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...Sri Ambati
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»QADay
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 

Recently uploaded (20)

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 

PGDAY EU 2016 workshop - privacy and security

  • 1. PRIVACY AND SECURITY PHONEGAP PHONEGAP DAY EU - MAY 20, 2016 1
  • 2. WHO AM I? STEVE GILL ▸ Computer Scientist at Adobe ▸ @stevesgill ▸ https://github.com/stevengill ▸ stevengill97@gmail.com 2
  • 3. TEXT DISCLAIMER ▸ This Workshop was written and performed by Tommy Williams (@devgeeks) at PhoneGap Day US.
  • 4. What is the difference between “Security” and “Privacy”? 4
  • 5. WHAT IS THEIR RELATIONSHIP? SECURITY AND PRIVACY GO HAND IN HAND 👬 ▸ One does not always guarantee the other ▸ Good security does not always keep data private ▸ Privacy is also a security issue (attack vectors, etc) 5
  • 6. WHAT IS THEIR RELATIONSHIP? STRONG PRIVACY NEEDS SECURITY ▸ Without good security, Privacy cannot be protected from those with malicious intent 6
  • 7. “HACK YOURSELF FIRST” TO QUOTE TROY HUNT (VIA JEREMIAH GROSSMAN): Fun resource: http://hackyourselffirst.troyhunt.com 7 https://www.webdirections.org/resources/hack-yourself-first-troy-hunt/
  • 8. WHAT KINDS OF ATTACKS MIGHT BE MOUNTED AGAINST A PHONEGAP APP? PRETTY MUCH THE SAME AS THOSE USED TO ATTACK BROWSER APPS ▸ Direct API or Server Access ▸ Cross Site Scripting (XSS) ▸ Cross Site Request Forgery (CSRF) ▸ SQL Injection ▸ MitM ▸ Broken Auth and Session Management ▸ User Exploitation (Phishing, etc) ▸ Etc… 8
  • 9. IS HACKING HARD? DOES IT TAKE MAD SKILLZ? 9
  • 10. WHO ARE YOU CALLING A DORK… YA DORK? NOT GOING TO BOTHER DEMOING THIS, YOU GET THE IDEA GOOGLE DORKS 10
  • 12. PIXFOR (THE VULNERABLE EDITION) OK, SO WHAT ARE WE GOING TO HACK ON TODAY? 12
  • 13. GETTING STARTED RUNNING THE APP ▸ $ git clone https://github.com/devgeeks/pixfor-vulnerable ▸ $ cd pixfor-vulnerable ▸ $ npm install ▸ $ phonegap serve (and use the PhoneGap Developer App), or ▸ $ phonegap run [ios|android] [--device] ~ or ~ ▸ Open the PhoneGap Developer App and point it at:
 http://take.pixfor.me:8888 13
  • 14. ‘ OR 1=1; -- SQL INJECTION 14
  • 15. ROBERT’; DROP TABLE STUDENTS; -- LITTLE BOBBY TABLES 15
  • 17. WHAT CAN WE DO? SQL INJECTION 17
  • 18. SQL INJECTION IF NOTHING ELSE ‣ Avoid SQL injection by use of parameterization ‣ This keeps untrusted input from breaking out of the parameter context ‣ And of course, listen to Bobby’s mom and sanitize your inputs 18
  • 21. XSS TWO PRIMARY CONCERNS ▸ What are the sources of input? ▸ Where is this data going (the target)? 21
  • 22. XSS TYPES OF SOURCES ▸ Location and URL Sources ▸ Cookies ▸ Referrer (less so in a PhoneGap app) ▸ Window Name ▸ Indirect Sources (Client side db such as sqlite/pouch/etc) ▸ Other Objects (Post Message/Intents/etc) 22
  • 23. XSS TYPES OF TARGETS ▸ Execution Target ▸ HTML Element Target ▸ Set Location Target ▸ Control Flow Target ▸ …and more 23
  • 24. XSS EXECUTION TARGET ▸ eval() ▸ onclick, onsubmit, … ▸ Function() ▸ script.src ▸ setTimeout() ▸ script.text ▸ setInterval() ▸ script.textContent ▸ setImmediate() ▸ script.innerText ▸ etc… 24
  • 25. XSS HTML ELEMENT TARGET ▸ document.write ▸ document.writeln ▸ element.innerHTML ▸ element.insertAdjacentHTML ▸ Range.createContextualFragment ▸ HTMLButton.value ▸ etc… 25
  • 26. XSS SET LOCATION TARGET ▸ window.location 26
  • 27. XSS CONTROL FLOW TARGET ▸ this[foo](bar)
 
 (seems contrived, but allows arbitrary script execution if input `foo` is untrusted) 27
  • 30. XSS FRAMEWORKS - JQUERY ▸ jQuery is practically a target in and of itself (mostly fixed) ▸ be aware that old versions might be targets ▸ Choc-full of HTML element targets:
 element.add(userContent)
 element.append(userContent)
 element.after(userContent)
 element.html(userContent)
 etc… 30
  • 31. XSS FRAMEWORKS - ANGULAR ▸ Old versions should be avoided and updated ▸ 1.1.5?
 <div class=“ng-app">
 {{constructor.constructor('alert(1)')()}}
 </div> ▸ Fixed now, but beware older versions 31
  • 32. XSS FRAMEWORKS - REACT ▸ Gives a clue in the function name: dangerouslySetInnerHTML(), but devs still use it (static site generators, etc) ▸ Not using it also doesn’t alleviate the need to sanitize your inputs 32
  • 33. XSS PROBLEMS WITH FRAMEWORKS ▸ Add complexity ▸ Abstract away targets (innerHTML, etc) ▸ Add syntactic sugar ▸ Add loopholes to browser security controls ‣ The frameworks and practices you use should (attempt to) be secure by default ‣ If your frameworks add syntactic sugar, be aware of the implications 33
  • 34. XSS STAY. UP. TO. DATE. ▸ This applies to PhoneGap/Cordova and its plugins as much as your front-end JavaScript frameworks 34
  • 35. WHAT CAN WE DO? XSS 35
  • 36. XSS MINIMISE ATTACK SURFACE ▸ Avoid converting strings to scripts ▸ Avoid innerHTML wherever possible! ▸ Don't write your own HTML sanitizer (srsly) ▸ Whitelist* ▸ Content Security Policy (CSP)* * we’ll get to these in a bit 36
  • 37. XSS AVOID CONVERTING STRINGS TO SCRIPTS ▸ eval, Function.apply, setTimeout("string"), etc ▸ inline event handlers like onclick="string", etc 37
  • 38. XSS AVOID INNERHTML WHEREVER POSSIBLE! ▸ .textContent ▸ $(el).text() ▸ document.createElement/setAttribute ▸ Use a template system with escaping ▸ HOWEVER!! location targets are not as protected
 i.e.: <a href="{{value}}">...</a> 38
  • 39. XSS DON'T WRITE YOUR OWN HTML SANITIZER If you MUST… ▸ Whitelist, NOT blacklist ▸ fail conservatively, better to fail to display nicely than to be insecure ▸ instead consider: DOMPurify, Angular's $sanitize, Bleach,js (for workers?), etc… 39
  • 40. XSS TL;DR ‣ Avoid eval & innerHTML ‣ Use a template lang* with escaping, but be careful with attributes ‣ filter HTML input conservatively ‣ Whitelist / CSP * However, a lot of the tempting langs don’t play well CSP, but we’ll get to that… 40
  • 41. YOU ARE AWAKE NEXT, MAYBE SOME FUN TO MAKE SURE 41
  • 42. DO YOU RECOGNISE ANY OF THESE? #SFO FREE WIFI, 13WestMyrtle, 2WIRE012, 5099251212, @Hyatt-WiFi, @yvrairport, ACU, ADBEEmp2014, ADO, ATT2yrd6rC, AccessDenied, Admirals_Club, AdobeCorp, AdobeGuest, Aer_Lingus_WIFI, Amanda's iPhone, AmtrakConnect, AndroidAP, Avatar Hotel, Avcenter, BDLpublic, BELL647, BELL_WIFI, BERNIES CAFE, BWW-PUBLIC, Best Western Park Place, BestBuy, Boingo Hotspot, Boyd's iPhone 6 Plus, Bycen, CAFE ZUPAS, CORTECH_Guest, CSWireless5ghz, Cafe 300, CapNet, CenturyLink1499, Cl-Wireless, CoJPublic, CoxWiFi, D&B_Guest, DIMTER, DIRECT-6bM2020 Series, DVG-N5402SP-212017, Detroit Airport Wi-Fi, DevMountain, DevMountainApt7, Douglas Guest, DrupalCon, ETS, El Mexsal, EmployeeHotspot, Engedi, EuropaCoffeehouse, FairPublic, Fly-Fi, FourSeasons Guest, Frahmbo's iPhone, Free PHX Boingo WiFi, FullCircle, Fusion-IO Guest, Google Starbucks, GoogleGuest, HI Express Richfield, HI Express Richfield , HOME-6CF2, HOME-C4C8, Handlery_San_Francisco, Happy Campers, HarborLink - Buffalo Wild Wings, Hope Alliance, Hyatt, IMEG-GUEST, ITGUEST, Jerk Grill, Joss, Kimpton, KingMaint, LYNDA-GUEST, Learntoprogram, MATHIS, MATHIS2, MH_Network, MMM_WiFi_Guest, MPLS, MiFi4620L Jetpack B472 Secure, MokiGuest, Mothership-guest, NETGEAR-Guest, NETGEAR53, NETGEAR82, NS FCCLA, OMA-Free-WiFi, OPTUSDN368CFC, OceanWiFi Very Hotspot, Ocho, Oscars, PCMC_Ice_Free_Wifi, PDI-Guest, PIGS, PPS, Park City Ice Patron Wifi, PhoneGap, Public, Quality, Quantum, Rain-Guest, Rangle.io WiFi, ReactWeek, Reclaim_EC, Redtail, Rogers, SDC2014, SEATAC-FREE-WIFI, SFUNET-SECURE, SGMC, SIN, SKYHARBOR PUBLIC WLAN, Seabay, Selnate, Shazron's iPhone 5, Shopify Guests, Solid Attendees, SouthwestWiFi, SpencerWireless, SpringOne2GX, Starbucks WiFi, Stratus018222, Streamyx Mobility, T-Mobile Broadband 67, TJR 008, TPCG0, Taco Bell, The Hotel Collection Guest WiFi, Two Jacks Pizza, U Street Cafe Wifi, UConnect, UNITE-295E, Virgin Hotels, WL, WebsterRec, Willowcreek, Wolverine-WiFi, WorkbarGuest, activehit, appigo47, attwifi, attwifibn, bPhone, baker, bycen, cabinsusa, dd-wrt, dlink, doraemon, duece, elive, ethostream, fazidin2, gogoinflight, hhonors, hhonors lobby, hhonors_lobby, hills, houseofnuts, iPhone (2), indiapalace, intermountain_guest, iviejuicebar, jexus, jucienjava, juicenjava, lhm-open, loganwifi, mikes, mywifi, nortel-wlan, qds_office, rangleio Extension, raspberry-pi, reSETguest, rogers, silvermtnsuites6, surveillance vehicle 2, testnet, video2g, wguest, xfinitywifi, zulkefley13@unifi 42
  • 43. CONSTANTLY PROBING YOUR DEVICES ARE ALWAYS LOOKING FOR WIFI THEY KNOW ▸ These are called “Probe Requests” ▸ If the WiFi was unencrypted (no WEP/WPA, etc), then another device could see these probe requests and simply pretend to be that WiFi (i.e.: A WiFi Pineapple, etc) ▸ Most devices would then happily join and start sending traffic through the malicious WiFi spot ▸ Even easier is a “honey pot” like a WiFi called “FREE WIFI”, etc. Everyone likes free WiFi. 43
  • 44. MAN IN THE MIDDLE (MITM) THESE ARE JUST SOME OF THE MANY WAYS TO BECOME A: "→☠←$ 44
  • 45. DEMO I THINK THIS CALLS FOR ANOTHER 45
  • 46. WHAT CAN WE DO? MITM 46
  • 48. LET’S ENCRYPT! TOO HARD? TOO EXPENSIVE? 48
  • 50. CSP CSP IS AWESOME ▸ What is it? ▸ It’s a whitelist of content sources ▸ http://www.html5rocks.com/en/tutorials/security/ content-security-policy ▸ Cordova / PhoneGap “hello World” templates include a CSP 50
  • 51. CSP HELLO WORLD <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> 51
  • 54. WHITELIST READ AND UNDERSTAND THE WHITELIST GUIDE ‣ http://cordova.apache.org/docs/en/latest/guide/appdev/ whitelist/index.html ‣ <access origin=“https://*.mydomain.com" /> ‣ On iOS: ‣ Application Transport Security (ATS) ‣ <access origin="https://*.mydomain.com" minimum-tls- version="TLSv1.1" requires-forward-secrecy="false" /> 54
  • 56. THE PROBLEM WITH IFRAMES ACCESS TO THE “BRIDGE” ‣ If content is served in an iframe from a whitelisted domain, that domain will have access to the native Cordova bridge ‣ This means that if you whitelist a third-party advertising network and serve those ads through an iframe, it is possible that a malicious ad will be able to break out of the iframe and perform malicious actions ‣ Be careful what you whitelist 56
  • 58. CERTIFICATE PINNING (LIMITED) OPTIONS FOR CERT PINNING ‣ Cordova does not support true certificate pinning ‣ There are ways to approximate certificate pinning ‣ TOFU (yum) ‣ EddyVerbruggen/SSLCertificateChecker-PhoneGap- Plugin ‣ True certificate pinning for some platforms ‣ wymsee/cordova-HTTP 58
  • 60. MORE… SOME MORE ADVICE FROM THE SECURITY GUIDE ‣ Do not use Android Gingerbread (2.3)! ‣ Use InAppBrowser for outside links ‣ Validate all user input (worth repeating) ‣ Do not cache sensitive data ‣ Don't use eval() unless you know what you're doing ‣ Do not assume that your source code is secure 60
  • 61. RESOURCES A FEW RESOURCES AS YOU GO FORWARD ‣ OWASP Top 10 - http://www.veracode.com/directory/owasp- top-10 ‣ SQL Injection Myths and Fallacies - http://www.slideshare.net/ billkarwin/sql-injection-myths-and-fallacies ‣ PhoneGap Platform Security wiki - https://github.com/phonegap/ phonegap/wiki/Platform-Security ‣ Online Security Confs - http://www.tunnelsup.com/online- security-conferences ‣ HTML4 Security Cheat Sheet - https://html5sec.org/ 61
  • 62. LET’S STAY SAFE OUT THERE THANKS, AND 62 💖