SlideShare uma empresa Scribd logo

Writing an (in)secure webapp in 3 easy steps

Transferir como KEY, PDF
Adam Baldwin
Adam Baldwin

jsconf 2011 slidedeck on security in web applications. Track B

Tecnologia
1 de 16
Writing an (in)secure webapp JSCONF 2011 // Adam Baldwin
insecure webapps I lied - There are no “3 easy steps” Writing (in)secure Webapps // JSCONF // MAY 2011
Introduction @adam_baldwin Co-Founder of nGenuity PenTester of webs Curator of evilpacket.net Writing (in)secure Webapps // JSCONF // MAY 2011
Writing (in)secure Webapps // JSCONF // MAY 2011
Stuff to talk about • Writing insecure apps • # Navigation • Output Encoding • Piles of other crap Writing (in)secure Webapps // JSCONF // MAY 2011
Writing Insecure Writing (in)secure Webapps // JSCONF // MAY 2011
Why is it so easy? • Resource constrained • Landscape always changing • Engineering vs innovation Writing (in)secure Webapps // JSCONF // MAY 2011
#! navigation zomg Writing (in)secure Webapps // JSCONF // MAY 2011
# navigation /#http://evilpacket.net/login CORS is awesome Writing (in)secure Webapps // JSCONF // MAY 2011
Cross-Site Scripting fireblog.com Writing (in)secure Webapps // JSCONF // MAY 2011
Context Matters It’s not okay to just encode “><‘& <img src=#{STUFF}/> <img src=a onerror=CODE/> Writing (in)secure Webapps // JSCONF // MAY 2011
ESAPI / jquery-encoder $('#submit-entity-payload').click(function() {     var payload = $('#entity-payload').val();     $('#entity- container').html( $.encoder.encodeForHTML(payload) ); }); Writing (in)secure Webapps // JSCONF // MAY 2011
Content Security Policy * Example 1: A server wants all content to come from its own domain: X-Content-Security-Policy: default-src 'self' Example 2: An auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized ECMAScript: X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com * Firefox 4 only Writing (in)secure Webapps // JSCONF // MAY 2011
Other Crap That Matters • Cross-Site Request Forgery • Clickjacking (X-Frame-Options) • Cookies (HTTPOnly / Secure) • ... Writing (in)secure Webapps // JSCONF // MAY 2011
Questions? info@ngenuity-is.com // ngenuity-is.com
References nGenuity: http://ngenuity-is.com Evilpacket: http://evilpacket.net JavaScript-based ESAPI: An In-Depth Overview: https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf Content Security Policy: http://people.mozilla.com/~bsterne/content-security-policy/ jQuery Encoder: http://plugins.jquery.com/project/jqencoder http://software.digital-ritual.net/jqencoder/ Writing (in)secure Webapps // JSCONF // MAY 2011

Recomendados

Wordpress accessibility enhancements
Wordpress accessibility enhancementsWordpress accessibility enhancements
Wordpress accessibility enhancementsTed Drake
 
Best of the Web V. VI
Best of the Web V. VIBest of the Web V. VI
Best of the Web V. VIDavid Kapuler
 
Using composer with WordPress
Using composer with WordPressUsing composer with WordPress
Using composer with WordPressMicah Wood
 
Getting started with WordPress development
Getting started with WordPress developmentGetting started with WordPress development
Getting started with WordPress developmentSteve Mortiboy
 
Zero To WordPress Plubish
Zero To WordPress PlubishZero To WordPress Plubish
Zero To WordPress PlubishMichele Butcher-Jones
 
Phone gap
Phone gapPhone gap
Phone gapcaviare
 
5 Things You Shouldn't Do With A WordPress Plugin
5 Things You Shouldn't Do With A WordPress Plugin5 Things You Shouldn't Do With A WordPress Plugin
5 Things You Shouldn't Do With A WordPress PluginKelly Phillips
 
Mobile web-debug
Mobile web-debugMobile web-debug
Mobile web-debugFINN.no
 

Recomendados

Wordpress accessibility enhancements
Wordpress accessibility enhancementsWordpress accessibility enhancements
Wordpress accessibility enhancementsTed Drake
 
Best of the Web V. VI
Best of the Web V. VIBest of the Web V. VI
Best of the Web V. VIDavid Kapuler
 
Using composer with WordPress
Using composer with WordPressUsing composer with WordPress
Using composer with WordPressMicah Wood
 
Getting started with WordPress development
Getting started with WordPress developmentGetting started with WordPress development
Getting started with WordPress developmentSteve Mortiboy
 
Zero To WordPress Plubish
Zero To WordPress PlubishZero To WordPress Plubish
Zero To WordPress PlubishMichele Butcher-Jones
 
Phone gap
Phone gapPhone gap
Phone gapcaviare
 
5 Things You Shouldn't Do With A WordPress Plugin
5 Things You Shouldn't Do With A WordPress Plugin5 Things You Shouldn't Do With A WordPress Plugin
5 Things You Shouldn't Do With A WordPress PluginKelly Phillips
 
Mobile web-debug
Mobile web-debugMobile web-debug
Mobile web-debugFINN.no
 
How To Choose A Theme
How To Choose A ThemeHow To Choose A Theme
How To Choose A ThemeNicky Pink
 
Mix-IT 2015
Mix-IT 2015Mix-IT 2015
Mix-IT 2015Christian Brousseau
 
Security and Performance - Italian WordPress Conference
Security and Performance - Italian WordPress ConferenceSecurity and Performance - Italian WordPress Conference
Security and Performance - Italian WordPress ConferenceMaurizio Pelizzone
 
10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPressJeremy Green
 
Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Michele Butcher-Jones
 
WordPress Hardening
WordPress HardeningWordPress Hardening
WordPress HardeningMaurizio Pelizzone
 
Robust Web APIs with node.js and Express
Robust Web APIs with node.js and ExpressRobust Web APIs with node.js and Express
Robust Web APIs with node.js and ExpressKevin Griffin
 
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014Pippin Williamson
 
Puppet powershell
Puppet powershellPuppet powershell
Puppet powershellPaul Stack
 
Rapid application development for WordPress using AWF
Rapid application development for WordPress using AWFRapid application development for WordPress using AWF
Rapid application development for WordPress using AWFTim Plummer
 
App developer as a Web developer (ROROSyd - Jul 15)
App developer as a Web developer (ROROSyd - Jul 15)App developer as a Web developer (ROROSyd - Jul 15)
App developer as a Web developer (ROROSyd - Jul 15)Sameera Gayan
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and moreYan Shi
 
Web app and more
Web app and moreWeb app and more
Web app and morefaming su
 
HiUED 前端/web 發展和體驗
HiUED 前端/web 發展和體驗HiUED 前端/web 發展和體驗
HiUED 前端/web 發展和體驗Bobby Chen
 
Ionic adventures - Hybrid Mobile App Development rocks
Ionic adventures - Hybrid Mobile App Development rocksIonic adventures - Hybrid Mobile App Development rocks
Ionic adventures - Hybrid Mobile App Development rocksJuarez Filho
 
Apache Flex and the imperfect Web
Apache Flex and the imperfect WebApache Flex and the imperfect Web
Apache Flex and the imperfect Webmasuland
 
Offline of web applications
Offline of web applicationsOffline of web applications
Offline of web applicationsFDConf
 
Offline for web - Frontend Dev Conf Minsk 2014
Offline for web - Frontend Dev Conf Minsk 2014Offline for web - Frontend Dev Conf Minsk 2014
Offline for web - Frontend Dev Conf Minsk 2014Jan Jongboom
 
Web Components: The Future of Web Development is Here
Web Components: The Future of Web Development is HereWeb Components: The Future of Web Development is Here
Web Components: The Future of Web Development is HereJohn Riviello
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraCarlo Bonamico
 
Best Practices in Mobile Development: Building Your First jQuery Mobile App
Best Practices in Mobile Development: Building Your First jQuery Mobile AppBest Practices in Mobile Development: Building Your First jQuery Mobile App
Best Practices in Mobile Development: Building Your First jQuery Mobile AppSt. Petersburg College
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 

Mais conteúdo relacionado

Mais procurados

How To Choose A Theme
How To Choose A ThemeHow To Choose A Theme
How To Choose A ThemeNicky Pink
 
Security and Performance - Italian WordPress Conference
Security and Performance - Italian WordPress ConferenceSecurity and Performance - Italian WordPress Conference
Security and Performance - Italian WordPress ConferenceMaurizio Pelizzone
 
10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPressJeremy Green
 
Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Michele Butcher-Jones
 
Robust Web APIs with node.js and Express
Robust Web APIs with node.js and ExpressRobust Web APIs with node.js and Express
Robust Web APIs with node.js and ExpressKevin Griffin
 
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014Pippin Williamson
 
Puppet powershell
Puppet powershellPuppet powershell
Puppet powershellPaul Stack
 
Rapid application development for WordPress using AWF
Rapid application development for WordPress using AWFRapid application development for WordPress using AWF
Rapid application development for WordPress using AWFTim Plummer
 

Mais procurados (10)

How To Choose A Theme
How To Choose A ThemeHow To Choose A Theme
How To Choose A Theme
 
Mix-IT 2015
Mix-IT 2015Mix-IT 2015
Mix-IT 2015
 
Security and Performance - Italian WordPress Conference
Security and Performance - Italian WordPress ConferenceSecurity and Performance - Italian WordPress Conference
Security and Performance - Italian WordPress Conference
 
10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPress
 
Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015
 
WordPress Hardening
WordPress HardeningWordPress Hardening
WordPress Hardening
 
Robust Web APIs with node.js and Express
Robust Web APIs with node.js and ExpressRobust Web APIs with node.js and Express
Robust Web APIs with node.js and Express
 
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014
Writing Your Own WordPress Plugins - WordCamp Kansas City, 2014
 
Puppet powershell
Puppet powershellPuppet powershell
Puppet powershell
 
Rapid application development for WordPress using AWF
Rapid application development for WordPress using AWFRapid application development for WordPress using AWF
Rapid application development for WordPress using AWF
 

Semelhante a Writing an (in)secure webapp in 3 easy steps

App developer as a Web developer (ROROSyd - Jul 15)
App developer as a Web developer (ROROSyd - Jul 15)App developer as a Web developer (ROROSyd - Jul 15)
App developer as a Web developer (ROROSyd - Jul 15)Sameera Gayan
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and moreYan Shi
 
Web app and more
Web app and moreWeb app and more
Web app and morefaming su
 
HiUED 前端/web 發展和體驗
HiUED 前端/web 發展和體驗HiUED 前端/web 發展和體驗
HiUED 前端/web 發展和體驗Bobby Chen
 
Ionic adventures - Hybrid Mobile App Development rocks
Ionic adventures - Hybrid Mobile App Development rocksIonic adventures - Hybrid Mobile App Development rocks
Ionic adventures - Hybrid Mobile App Development rocksJuarez Filho
 
Apache Flex and the imperfect Web
Apache Flex and the imperfect WebApache Flex and the imperfect Web
Apache Flex and the imperfect Webmasuland
 
Offline of web applications
Offline of web applicationsOffline of web applications
Offline of web applicationsFDConf
 
Offline for web - Frontend Dev Conf Minsk 2014
Offline for web - Frontend Dev Conf Minsk 2014Offline for web - Frontend Dev Conf Minsk 2014
Offline for web - Frontend Dev Conf Minsk 2014Jan Jongboom
 
Web Components: The Future of Web Development is Here
Web Components: The Future of Web Development is HereWeb Components: The Future of Web Development is Here
Web Components: The Future of Web Development is HereJohn Riviello
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraCarlo Bonamico
 
Best Practices in Mobile Development: Building Your First jQuery Mobile App
Best Practices in Mobile Development: Building Your First jQuery Mobile AppBest Practices in Mobile Development: Building Your First jQuery Mobile App
Best Practices in Mobile Development: Building Your First jQuery Mobile AppSt. Petersburg College
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaChristian Heilmann
 
Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010
Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010
Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010Heiko Behrens
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do ThatNathan Smith
 
Building great mobile apps: Somethings you might want to know
Building great mobile apps: Somethings you might want to knowBuilding great mobile apps: Somethings you might want to know
Building great mobile apps: Somethings you might want to knowshwetank
 
State ofappdevelopment
State ofappdevelopmentState ofappdevelopment
State ofappdevelopmentgillygize
 
Dependency Injection in Silverlight
Dependency Injection in SilverlightDependency Injection in Silverlight
Dependency Injection in SilverlightCaleb Jenkins
 

Semelhante a Writing an (in)secure webapp in 3 easy steps (20)

App developer as a Web developer (ROROSyd - Jul 15)
App developer as a Web developer (ROROSyd - Jul 15)App developer as a Web developer (ROROSyd - Jul 15)
App developer as a Web developer (ROROSyd - Jul 15)
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and more
 
Web app and more
Web app and moreWeb app and more
Web app and more
 
HiUED 前端/web 發展和體驗
HiUED 前端/web 發展和體驗HiUED 前端/web 發展和體驗
HiUED 前端/web 發展和體驗
 
Ionic adventures - Hybrid Mobile App Development rocks
Ionic adventures - Hybrid Mobile App Development rocksIonic adventures - Hybrid Mobile App Development rocks
Ionic adventures - Hybrid Mobile App Development rocks
 
Apache Flex and the imperfect Web
Apache Flex and the imperfect WebApache Flex and the imperfect Web
Apache Flex and the imperfect Web
 
Offline of web applications
Offline of web applicationsOffline of web applications
Offline of web applications
 
Offline for web - Frontend Dev Conf Minsk 2014
Offline for web - Frontend Dev Conf Minsk 2014Offline for web - Frontend Dev Conf Minsk 2014
Offline for web - Frontend Dev Conf Minsk 2014
 
Web Components: The Future of Web Development is Here
Web Components: The Future of Web Development is HereWeb Components: The Future of Web Development is Here
Web Components: The Future of Web Development is Here
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
 
Best Practices in Mobile Development: Building Your First jQuery Mobile App
Best Practices in Mobile Development: Building Your First jQuery Mobile AppBest Practices in Mobile Development: Building Your First jQuery Mobile App
Best Practices in Mobile Development: Building Your First jQuery Mobile App
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Future of web_apps
Future of web_appsFuture of web_apps
Future of web_apps
 
Fixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World RomaniaFixing the mobile web - Internet World Romania
Fixing the mobile web - Internet World Romania
 
Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010
Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010
Plattformübergreifende App-Entwicklung (ein Vergleich) - MobileTechCon 2010
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do That
 
Building great mobile apps: Somethings you might want to know
Building great mobile apps: Somethings you might want to knowBuilding great mobile apps: Somethings you might want to know
Building great mobile apps: Somethings you might want to know
 
State ofappdevelopment
State ofappdevelopmentState ofappdevelopment
State ofappdevelopment
 
Dependency Injection in Silverlight
Dependency Injection in SilverlightDependency Injection in Silverlight
Dependency Injection in Silverlight
 
PhoneGap/Cordova
PhoneGap/CordovaPhoneGap/Cordova
PhoneGap/Cordova
 

Mais de Adam Baldwin

Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resourcesAdam Baldwin
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain SecurityAdam Baldwin
 
Building a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItBuilding a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItAdam Baldwin
 
Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitAdam Baldwin
 
Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Adam Baldwin
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecurityAdam Baldwin
 
The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015Adam Baldwin
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseAdam Baldwin
 
Node Security Project - LXJS 2013
Node Security Project - LXJS 2013Node Security Project - LXJS 2013
Node Security Project - LXJS 2013Adam Baldwin
 
Security First - Adam Baldwin
Security First - Adam BaldwinSecurity First - Adam Baldwin
Security First - Adam BaldwinAdam Baldwin
 
JSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersJSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersAdam Baldwin
 
EV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of LuaEV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of LuaAdam Baldwin
 
Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Adam Baldwin
 

Mais de Adam Baldwin (14)

Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resources
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain Security
 
Building a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItBuilding a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into It
 
Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummit
 
Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016Continuous Security - Thunderplains 2016
Continuous Security - Thunderplains 2016
 
Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015
 
The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015The Art of Identifying Vulnerabilities - CascadiaFest 2015
The Art of Identifying Vulnerabilities - CascadiaFest 2015
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the Enterprise
 
Node Security Project - LXJS 2013
Node Security Project - LXJS 2013Node Security Project - LXJS 2013
Node Security Project - LXJS 2013
 
Security First - Adam Baldwin
Security First - Adam BaldwinSecurity First - Adam Baldwin
Security First - Adam Baldwin
 
JSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersJSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs Breakers
 
EV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of LuaEV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of Lua
 
Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010
 

Último

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Último (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Writing an (in)secure webapp in 3 easy steps

  • 1. Writing an (in)secure webapp JSCONF 2011 // Adam Baldwin
  • 2. insecure webapps I lied - There are no “3 easy steps” Writing (in)secure Webapps // JSCONF // MAY 2011
  • 3. Introduction @adam_baldwin Co-Founder of nGenuity PenTester of webs Curator of evilpacket.net Writing (in)secure Webapps // JSCONF // MAY 2011
  • 4. Writing (in)secure Webapps // JSCONF // MAY 2011
  • 5. Stuff to talk about • Writing insecure apps • # Navigation • Output Encoding • Piles of other crap Writing (in)secure Webapps // JSCONF // MAY 2011
  • 6. Writing Insecure Writing (in)secure Webapps // JSCONF // MAY 2011
  • 7. Why is it so easy? • Resource constrained • Landscape always changing • Engineering vs innovation Writing (in)secure Webapps // JSCONF // MAY 2011
  • 8. #! navigation zomg Writing (in)secure Webapps // JSCONF // MAY 2011
  • 9. # navigation /#http://evilpacket.net/login CORS is awesome Writing (in)secure Webapps // JSCONF // MAY 2011
  • 10. Cross-Site Scripting fireblog.com Writing (in)secure Webapps // JSCONF // MAY 2011
  • 11. Context Matters It’s not okay to just encode “><‘& <img src=#{STUFF}/> <img src=a onerror=CODE/> Writing (in)secure Webapps // JSCONF // MAY 2011
  • 12. ESAPI / jquery-encoder $('#submit-entity-payload').click(function() {     var payload = $('#entity-payload').val();     $('#entity- container').html( $.encoder.encodeForHTML(payload) ); }); Writing (in)secure Webapps // JSCONF // MAY 2011
  • 13. Content Security Policy * Example 1: A server wants all content to come from its own domain: X-Content-Security-Policy: default-src 'self' Example 2: An auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized ECMAScript: X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com *.cdn.example.com; script-src trustedscripts.example.com * Firefox 4 only Writing (in)secure Webapps // JSCONF // MAY 2011
  • 14. Other Crap That Matters • Cross-Site Request Forgery • Clickjacking (X-Frame-Options) • Cookies (HTTPOnly / Secure) • ... Writing (in)secure Webapps // JSCONF // MAY 2011
  • 16. References nGenuity: http://ngenuity-is.com Evilpacket: http://evilpacket.net JavaScript-based ESAPI: An In-Depth Overview: https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf Content Security Policy: http://people.mozilla.com/~bsterne/content-security-policy/ jQuery Encoder: http://plugins.jquery.com/project/jqencoder http://software.digital-ritual.net/jqencoder/ Writing (in)secure Webapps // JSCONF // MAY 2011

Notas do Editor

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n