Defending Your Frontend http://www.flickr.com/photos/8164746@N05/2329405200/

Uploaded by: bishan-singh

Posted on 26-May-2015


Page 1: Defending Your Frontend

Defending Your Frontend

http://www.flickr.com/photos/8164746@N05/2329405200/

Page 2

http://www.flickr.com/photos/52137170@N00/56206868/

Page 3

Step 1: Victim Clicks Attack Payload

Step 2: Victim sees a friendly error message

Web Defacement!

Page 4

Step 1: Attacker inserts exploit

Step 2: Wait for victim to visit this book

Web Defacement: Insert Exploit

Page 5

Web Defacement: Exploit Analysis

Step 1: Clear current page

Step 2: Create a fake page

Page 6

Stealing Session Cookies

Step 1: Victim Clicks Attack Payload

Step 2: Cookie is sent to Attacker

Step 3: Attacker hijacks the victim’s session by adding the stolen cookie to the browser

Page 7

Steal Passwords

Step 1: Victim Clicks Attack Payload

Step 2: Victim is forced to re-login

Step 3: Malicious payload sends username and password to Attacker

Page 8

Steal Passwords: Exploit Analysis

Step 1: Create fake login

Step 2: Publish fake login

Page 9

DB Compromise :(

Step 1: Attacker shuts down the DB

Step 2: Victim can’t do anything on the website; the DB is down

Page 10

What’s the biggest app security issue?

Cross Site Scripting?

SQL / Command Injection?

Malicious URL Redirection?

Malicious File Execution?

Answer: it is temporal; the answer changes over time, so ranking issues this way is not the right approach.

http://www.flickr.com/photos/34838158@N00/3370167184/

Page 11

OK. Let’s try again.

A better approach: what is the single biggest solution?

http://www.flickr.com/photos/14318462@N00/66012169/

Page 12

Context-sensitive Auto Sanitization & Defensive Coding

What is the single biggest solution?

http://www.flickr.com/photos/55046645@N00/3933514241/

Page 13

Sanitization (includes validation and encoding)

http://www.flickr.com/photos/37386206@N08/4056667699/

Page 14

(Use Platforms with) Auto (Sanitization)

http://www.flickr.com/photos/73344134@N00/2366984016/

Page 15

Context-Sensitive

Click: you can fire XSS with a JavaScript URI, so use the solution below.

Page 16

But evolution doesn’t stop

Misuse cases

Web 2.0 DOM

Ajax / JSON / XML

http://www.flickr.com/photos/88442983@N00/1541378785/

No production-ready auto-sanitization solution for these yet.

Encode manually

But that is highly error-prone.

Page 17

Defensive Coding

• Evolution theory
• E.g. quality code/capability
  – document.getElementById('myAnchor').innerHTML = url;
  – YUI().use('node', function (Y) { var node = Y.one('#myanchor'); node.set('text', url); });
• But why do so?
  – Murphy’s Law
  – Mr. Einstein said as well

http://www.flickr.com/photos/diavolo/5870934960/
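As an added example, not code from the slides or from YUI, here is a minimal context-sensitive output encoder in JavaScript: each sink context (HTML text, JavaScript string, URL attribute) gets its own encoder, and the URL encoder handles the JavaScript-URI case from the "Context-Sensitive" slide. All function names (encodeHtml, encodeJsString, sanitizeUrl, encodeForContext, buildAnchor) are invented for illustration.

```javascript
// Added example, not the slides' or YUI's code; all names here are invented.
// One encoder per output context; the template layer chooses the context.

// HTML text and quoted-attribute context: neutralise the five significant chars.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \uXXXX-escape everything outside a small
// safe set, so the value can never close the quote or the <script> element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL-in-attribute context (href/src): allow http, https, mailto or scheme-less
// URLs; any other scheme (javascript:, data:, vbscript:) is replaced by '#'.
// Control characters and whitespace are dropped before the scheme check because
// browsers ignore them inside a scheme ("java\tscript:" still runs).
function sanitizeUrl(value) {
  const raw = String(value).trim();
  const probe = raw.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const scheme = probe.match(/^([a-z][a-z0-9+.-]*):/);
  if (scheme && !['http', 'https', 'mailto'].includes(scheme[1])) return '#';
  return encodeHtml(raw); // the surviving URL is still attribute-encoded
}

// Dispatcher: callers name the sink context instead of picking an escaper.
function encodeForContext(context, value) {
  switch (context) {
    case 'html': return encodeHtml(value);
    case 'js': return encodeJsString(value);
    case 'url': return sanitizeUrl(value);
    default: throw new Error('unknown output context: ' + context);
  }
}

// The anchor from the "Context-Sensitive" slide, built with per-context encoding.
function buildAnchor(url, label) {
  return '<a href="' + encodeForContext('url', url) + '">' +
    encodeForContext('html', label) + '</a>';
}

// Constructed sample inputs: a javascript: URI and an HTML-injecting label.
console.log(buildAnchor('javascript:alert(1)', '<b>click</b>'));
console.log(buildAnchor('https://example.com/?a=1&b=2', 'Example'));
```

The same input is encoded differently depending on where it lands, which is exactly what a manual, one-size-fits-all escape call gets wrong.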

Page 18

Yes, it takes two to tango.

http://www.flickr.com/photos/9737768@N04/3537843322/

Page 19

Thanks again….

[email protected] / yukinying

bish@route13.in / b1shan