html5 security
DESCRIPTION
HTML5 Security -- Beyond attack vectors. Slides from my presentation at OWASP meeting in Helsinki Finland, 15 June 2011.
TRANSCRIPT
<!doctype html>
SECURITY
Ville Säävuori · OWASP Helsinki · 15.6.2011
beyond the attack vectors
I AM NOT A SECURITY EXPERT (But a Web Developer :)
<!doctype html>
html
• API Metering
• Backups & Snapshots
• Counters
• Cloud/Cluster Management Tools
• Instrumentation/Monitoring
• Failover
• Node addition/removal and hashing
• Auto-scaling for cloud resources
• CSRF/XSS Protection
• Data Retention/Archival
• Deployment Tools
• Multiple Devs, Staging, Prod
• Data model upgrades
• Rolling deployments
• Multiple versions (selective beta)
• Bucket Testing
• Rollbacks
• CDN Management
• Distributed File Storage
• Distributed Log storage, analysis
• Graphing
• HTTP Caching
• Input/Output Filtering
• Memory Caching
• Non-relational Key Stores
• Rate Limiting
• Relational Storage
• Queues
• Rate Limiting
• Real-time messaging (XMPP)
• Search
• Ranging
• Geo
• Sharding
• Smart Caching
• Dirty-table management
http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites
complex
http://www.flickr.com/photos/stuckincustoms/5069047950/
what is it?
Markup like Guido intended it.
Markup like Tim intended it. (Guido struck out)
Not Just Markup anymore.
security
<audio> <video>
<footer>
<header>
<canvas>
<audio>
<audio src='foo.mp4' preload='auto'>
<input type='email' required pattern='.*@syneus\.fi'>
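The `required` and `pattern` attributes on the slide above run only in the browser; the server still has to re-check every submitted value. As an added example (not from the slides), this Python re-validates the slide's pattern with the same whole-value anchoring a browser applies (`^(?:pattern)$`) and shows two common server-side mistakes. The pattern string and domain are the slide's; the function names are mine.

```python
import re

# Pattern exactly as written in the slide's <input pattern='...'> attribute.
HTML_PATTERN = r".*@syneus\.fi"


def server_accepts(value: str, pattern: str = HTML_PATTERN) -> bool:
    """Re-validate a submitted value the way the browser does for `pattern`.

    Browsers compile the attribute as ^(?:pattern)$, so the whole value must
    match. re.fullmatch gives the same whole-string semantics in Python.
    An empty value is rejected too, mirroring `required`.
    """
    if value == "":
        return False
    return re.fullmatch(pattern, value) is not None


def naive_accepts(value: str, pattern: str = HTML_PATTERN) -> bool:
    """Mistake 1: re.match anchors only at the start, so a trailing
    '.example.org' slips through."""
    return re.match(pattern, value) is not None


def dollar_accepts(value: str, pattern: str = HTML_PATTERN) -> bool:
    """Mistake 2: in Python, `$` also matches just before a trailing newline,
    so 'x@syneus.fi\\n' is accepted although the browser would reject it."""
    return re.match("^(?:" + pattern + ")$", value) is not None


if __name__ == "__main__":
    # Constructed sample inputs.
    for v in ["ville@syneus.fi", "ville@syneus.fi.example.org", "ville@syneus.fi\n", ""]:
        print(repr(v), server_accepts(v), naive_accepts(v), dollar_accepts(v))
```

Note that the slide's pattern itself is loose: `.*` happily swallows another `@`, so a value like `a@b.example,ville@syneus.fi` passes both in the browser and here. Server-side validation should reject such input on its own terms rather than trusting the attribute.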
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2011 17:45:00 GMT
Server: Nginx/1.0.4
Access-Control-Allow-Origin: http://syneus.fi
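The response on the slide names one specific origin in `Access-Control-Allow-Origin`, which is the right shape. As an added example (not from the slides), this Python shows the server-side decision behind that header: an allow-list that echoes only approved origins, beside the weak variant that reflects whatever `Origin` arrives. The allow-list contents and function names are my assumptions.

```python
# Origins allowed to read our responses cross-origin.
# Assumption: only the origin shown on the slide.
ALLOWED_ORIGINS = frozenset({"http://syneus.fi"})


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Response headers for a request carrying the given Origin header
    (None when the request had none).

    Only an allow-listed origin is echoed back. Anything else gets no
    Access-Control-Allow-Origin at all, so the browser blocks the read.
    `Vary: Origin` keeps shared caches from serving one origin's answer
    to a different origin.
    """
    headers = {"Vary": "Origin"}
    if request_origin is not None and request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


def cors_headers_reflecting(request_origin):
    """Weak variant: echo whatever Origin arrives. Every site on the web can
    then read the response, which defeats the point of the header."""
    return {"Access-Control-Allow-Origin": request_origin}


def format_headers(headers):
    """Render a header dict as wire-format lines, like the slide's response."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers.items())


if __name__ == "__main__":
    # Constructed sample requests.
    for origin in ["http://syneus.fi", "http://other.example", None]:
        print(repr(origin))
        print(format_headers(cors_headers(origin)))
```

Exact string comparison is deliberate: scheme, host and port all belong to the origin, so `http://syneus.fi` and `https://syneus.fi` are different entries. Avoid `*` on any endpoint that returns user-specific data, and note that browsers refuse `*` when `Access-Control-Allow-Credentials: true` is also set.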
local storage
localStorage.setItem('name', 'Hello World!');
Web Forms 2.0
SVG
CSS3
div > p:last-of-type { ... }
GeoLocation
navigator.geolocation.getCurrentPosition(show_map);
<iframe sandbox="allow-scripts">
in the wild
http://www.flickr.com/photos/sharkbait/2992242065/
http://www.flickr.com/photos/rainbirder/5068808204/
common issues
XSS
XSRF
SQL Injection
Clickjacking
http://www.flickr.com/photos/rainbirder/5068808204/
ways to protect
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
understand threats
understand threats
no, really.
sanitation
test your code
test your code
regularly.
test your code
often.
stay updated
The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe,
or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”
— Sacramento Credit Union
?
http://www.flickr.com/photos/remydwd/48898192/
http://www.flickr.com/photos/amagill/51806161/
Best practices
trust no one
http://www.flickr.com/photos/furryscalyman/673915993/
use good tools
Let frameworks help you.
but don’t trust them blindly
Again. Understand what you’re doing.
use secure protocols
HTTPS over HTTP
outsource
hire someone
use a checklist
or
but at least
understand your users
Mere mortals don’t behave like nerds.
educate them
Why is it important to have a good password?
www.syneus.fi/aiheet/html5
html5sec.org
lyh.fi/web_security
MORE
Thanks!
Ville Säävuori
@uninen