who am i
play

Who am I? Valentinas Bakaitis Security consultant at Aura - PowerPoint PPT Presentation

Nov 25, 2022 •247 likes •435 views

Who am I? Valentinas Bakaitis Security consultant at Aura Information Security @vbakaitis on twitter What is XSS? User Supplied Text: <script>alert(xss);</ script> Image with user supplied title <img

  2. Who am I? • Valentinas Bakaitis • Security consultant at Aura Information Security • @vbakaitis on twitter

  3. What is XSS? • User Supplied Text: <script>alert(‘xss’);</ script> • Image with user supplied title <img title=‘<>’ onerror=‘alert(‘xss’);’ /> • User supplied URL: <img src=‘javascript:alert(“xss”)’ /> • User input passed to eval: <script>eval(‘userParam= 1; alert(“xxx”); ’)</ script>

  4. Preventing XSS: • Escape <> • Escape ‘ or “ in attributes (depending on which one is used). • Escape space if the attribute is not quoted. • Also \ should be escaped as it can double-escape \” to \\” which will defeat escaping. • Check that URLs are using HTTP or HTTPS schema and not javascript:. • Don’t pass user input to eval or SetTimeout • Don’t allow users to upload html files to the same domain • When returning any user controllable resource (e.g. json, image, files, etc) ensure that an appropriate content type is set (don’t use text/html) • OWASP describes over 80 different common XSS vectors

  7. CSP to the rescue! • Content Security Policy is a security standard introduced to prevent XSS. • It allows the browser to restrict where scripts can originate from.

  8. Enabling CSP • CSP is enabled by returning Content-Security Policy header. • nginx.conf add_header • apache .htaccess mod_headers • IIS web.config <customHeaders> • Or return it programmatically • E.g.: Content-Security-Policy: default-src ‘none’

  9. Configuring CSP • Start with default-src ‘none’; • or default-src ‘self’ • Specify other rules to make your web application work: script-src, style-src, other attributes as necessary. • CSP encourages you to avoid inline JS and eval() - unsafe-inline and unsafe-eval • Specify report-uri for reports

  10. Deploying CSP • Deploy as Content-Security-Policy-Report-Only first • Review reports, refine it, deploy as Content- Security-Policy • Make is stricter, keeping your old Content- Security-Policy deploy the new rules under Content-Security-Policy-Report-Only to test it.

  11. This slide is for non devs • BAs / Prod Owners: make CSP a requirement • Testers: suggest CSP as improvement • DevOps: apply CSP to your staging environment and watch people flip out

  12. CSP 2.0 • Frame-ancestors (X-Frame-Options) • Form-action • Plugin-types • Nonces + Hashes

  13. Nonces + Hashes • CSP: script-src ‘nonce-d41d8cd98’ 'sha256-1DCfk1NYWuHM8DgTqlkOta97gzK +oBDDv4s7woGaPIY=' • <script nonce=‘d41d8cd98’>alert(‘1’)</ script>

  14. Browser support

  15. Browser support

  16. Important note • CSP is not a replacement for data validation/ escaping • It is a defence-in-depth mechanism

  17. Questions?

  18. Links • http://www.cspplayground.com/ • https://www.owasp.org/index.php/ XSS_Filter_Evasion_Cheat_Sheet • https://www.w3.org/TR/2012/CR-CSP-20121115/ • https://www.w3.org/TR/CSP2/ • https://w3c.github.io/webappsec-csp/ • http://tobias.lauinger.name/papers/csp-raid2014.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based

Formal Security Analysis and Improvement of a hash-based NFC M-coupon Protocol Ali Alshehri and Steve Schneider Agenda Introduc?on. Approach

498 views • 25 slides
Outline CSP definition Backtracking search for CSPs Constraint Satisfaction Problems

Outline CSP definition Backtracking search for CSPs Constraint Satisfaction Problems

Outline CSP definition Backtracking search for CSPs Constraint Satisfaction Problems Constraint propagation by Stuart Russell Problem structure and problem decomposition modified by Jacek Malec for LTH lectures Local search

724 views • 13 slides
The complexity of general-valued CSPs seen from the other side Clement Carbonnel, Miguel Romero ,

The complexity of general-valued CSPs seen from the other side Clement Carbonnel, Miguel Romero ,

The complexity of general-valued CSPs seen from the other side Clement Carbonnel, Miguel Romero , Stanislav Zivny University of Oxford IEEE Symposium on Foundations of Computer Science 7 October 2018, Paris, France General-valued Constraint

854 views • 25 slides
Planning as X X {SAT, CSP, ILP, } Jos Luis Ambite* [* Some slides are taken from

Planning as X X {SAT, CSP, ILP, } Jos Luis Ambite* [* Some slides are taken from

Planning as X X {SAT, CSP, ILP, } Jos Luis Ambite* [* Some slides are taken from presentations by Kautz, Selman, Weld, and Kambhampati. Please visit their websites: http://www.cs.washington.edu/homes/kautz/

631 views • 39 slides
Constraint Satisfaction Problems Chapter 5 Chapter 5 1 Outline CSP examples

Constraint Satisfaction Problems Chapter 5 Chapter 5 1 Outline CSP examples

Constraint Satisfaction Problems Chapter 5 Chapter 5 1 Outline CSP examples Backtracking search for CSPs Problem structure and problem decomposition Local search for CSPs Chapter 5 2 Constraint satisfaction problems (CSPs)

851 views • 42 slides
CSCI 446: Artificial Intelligence Constraint Satisfaction Problems Instructor: Michele Van Dyne

CSCI 446: Artificial Intelligence Constraint Satisfaction Problems Instructor: Michele Van Dyne

CSCI 446: Artificial Intelligence Constraint Satisfaction Problems Instructor: Michele Van Dyne [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188 materials are available at

751 views • 38 slides
CSP: Communicating Sequential Processes Overview Computation model and CSP primitives

CSP: Communicating Sequential Processes Overview Computation model and CSP primitives

CSP: Communicating Sequential Processes Overview Computation model and CSP primitives Refinement and trace semantics Automaton view Refinement checking algorithm Failures Semantics 2 CSP Communicating Sequential Processes,

735 views • 57 slides
Constraint Satisfaction Problems Chapter 5 Chapter 5 1 Outline CSP examples

Constraint Satisfaction Problems Chapter 5 Chapter 5 1 Outline CSP examples

Revised by Hankui Zhuo, March 14, 2018 Constraint Satisfaction Problems Chapter 5 Chapter 5 1 Outline CSP examples Backtracking search for CSPs Problem structure and problem decomposition Local search for CSPs Chapter 5 2

706 views • 39 slides
Optimal Constant-Time Approximation Algorithms and (Unconditional) Inapproximability Results for

Optimal Constant-Time Approximation Algorithms and (Unconditional) Inapproximability Results for

Optimal Constant-Time Approximation Algorithms and (Unconditional) Inapproximability Results for Every Bounded-Degree CSP Yuichi Yoshida Kyoto Univ. &amp; Preferred Infrastructure 2011 5 26 Polynomial-Time Approximation

633 views • 37 slides
CHAPTER 7: CONSTRAINT SATISFACTION CHAPTER 7: CONSTRAINT SATISFACTION PROBLEMS PROBLEMS

CHAPTER 7: CONSTRAINT SATISFACTION CHAPTER 7: CONSTRAINT SATISFACTION PROBLEMS PROBLEMS

DIT411/TIN175, Artificial Intelligence Chapter 7: Constraint satisfaction problems CHAPTER 7: CONSTRAINT SATISFACTION CHAPTER 7: CONSTRAINT SATISFACTION PROBLEMS PROBLEMS DIT411/TIN175, Artificial Intelligence Peter Ljunglf 30 January,

592 views • 42 slides
CSS Rule Selector body { font-family: Tahoma, Arial, sans-serif; Declaration color: black;

CSS Rule Selector body { font-family: Tahoma, Arial, sans-serif; Declaration color: black;

CSS Rule Selector body { font-family: Tahoma, Arial, sans-serif; Declaration color: black; background: white; Block margin: 8px; } Value Attribute Name CS 142 Lecture Notes: CSS Slide 1 CSS Selectors CSS HTML Tag h1 {

83 views • 7 slides
CSS Custom Properties (variables) Joan Boone jpboone@email.unc.edu Slide 1 When CSS Custom

CSS Custom Properties (variables) Joan Boone jpboone@email.unc.edu Slide 1 When CSS Custom

INLS 572 Web Development CSS Custom Properties (variables) Joan Boone jpboone@email.unc.edu Slide 1 When CSS Custom Properties can be useful Purple, gold, red, dark teal, and green are used throughout the Weaver Street Market website

222 views • 5 slides
OmniUpdate Training Tuesday CSS in OU Campus WebEx Event # 809 452 667 Audio will be heard on

OmniUpdate Training Tuesday CSS in OU Campus WebEx Event # 809 452 667 Audio will be heard on

OmniUpdate Training Tuesday CSS in OU Campus WebEx Event # 809 452 667 Audio will be heard on your computer speakers. If you do not have working computer speakers, call 1-408-792-6300. Enter event number and attendee ID or press # if no

384 views • 14 slides
Fi Final Ex Exam m Review No screens Say your name Prof. Lydia Chilton COMS 4170 30 April

Fi Final Ex Exam m Review No screens Say your name Prof. Lydia Chilton COMS 4170 30 April

Fi Final Ex Exam m Review No screens Say your name Prof. Lydia Chilton COMS 4170 30 April 2018 1 Users interact with a system to accomplish a goal Buy a book Get to events on time Get a directions 2 User Interfaces should be designed

740 views • 45 slides
Web Browser History Detection Artur Janc, ukasz Olejnik What the Internet Knows About You W2SP

Web Browser History Detection Artur Janc, ukasz Olejnik What the Internet Knows About You W2SP

Feasibility and Real-world Implications of Web Browser History Detection Artur Janc, ukasz Olejnik What the Internet Knows About You W2SP 2010 Outline A ttacks on privacy using CSS :visited to inspect users Web browsing histories 1.

248 views • 23 slides
Rich custom GUI with Glade and CSS by Juan Pablo Ugarte GU ADEC 2013 Brno, Czech Republic

Rich custom GUI with Glade and CSS by Juan Pablo Ugarte GU ADEC 2013 Brno, Czech Republic

Rich custom GUI with Glade and CSS by Juan Pablo Ugarte GU ADEC 2013 Brno, Czech Republic August 1 - 8 TM Conference The GNOME GUADEC Graphical User Intefaces Graphical User Intefaces GNOME 2.10 screenshot showing Rhythmbox,

1.32k views • 18 slides
Political opinions of us and them and the influence of digital media usage Laura Burbach Opinion

Political opinions of us and them and the influence of digital media usage Laura Burbach Opinion

Political opinions of us and them and the influence of digital media usage Laura Burbach Opinion polarization How does media usage influence the perception of polarization? Evaluating opinions - Results Conclusion People do perceive

182 views • 4 slides
LET'S MAKE A KNOWLEDGE GRAPH! A HANDS-ON, INTERACTIVE, LINKED DATA WORKSHOP PHUSE CSS 2019

LET'S MAKE A KNOWLEDGE GRAPH! A HANDS-ON, INTERACTIVE, LINKED DATA WORKSHOP PHUSE CSS 2019

LET'S MAKE A KNOWLEDGE GRAPH! A HANDS-ON, INTERACTIVE, LINKED DATA WORKSHOP PHUSE CSS 2019 Silver Spring, MD 2019-06-09 1 INSTRUCTOR Tim Williams Principal Statistical Solutions Analyst UCB BioSciences tim.williams@PhUSE.eu Assisted by:

857 views • 42 slides
E4 Spies and tools 29 October 2014 I - OPCoach I OPCoach About me Olivier Prouvost

E4 Spies and tools 29 October 2014 I - OPCoach I OPCoach About me Olivier Prouvost

E4 Spies and tools 29 October 2014 I - OPCoach I OPCoach About me Olivier Prouvost Eclipse expert trainer and committer (E4 Tools) olivier.prouvost@opcoach.com @OPCoach_Eclipse About OPCoach Company

376 views • 24 slides
CS101 Lecture 09: Intermediate HTML: Frames and CSS Aaron Stevens 7 February 2011 1 What

CS101 Lecture 09: Intermediate HTML: Frames and CSS Aaron Stevens 7 February 2011 1 What

CS101 Lecture 09: Intermediate HTML: Frames and CSS Aaron Stevens 7 February 2011 1 What Youll Learn Today How to make a web page look decent - formatting the website. How to have the same look-and-feel across many web pages. 2

354 views • 8 slides
Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

June 17, 2014 Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach to transportation facility design and engineering that involves all stakeholders in the process of developing a solution that is

193 views • 3 slides
Front End Development Roadmap for Today HTML The foundation of any web page CSS

Front End Development Roadmap for Today HTML The foundation of any web page CSS

Front End Development Roadmap for Today HTML The foundation of any web page CSS Adding style to the page HTML HTML H yper T ext M arkup L anguage Hyper Text : Text that can contain links to other resources Markup Language :

419 views • 23 slides
BUILD YOUR OWN custom field Joomladay NL 2018 #jd18nl I AM EliSa Twitter: @elisasophia HOW

BUILD YOUR OWN custom field Joomladay NL 2018 #jd18nl I AM EliSa Twitter: @elisasophia HOW

BUILD YOUR OWN custom field Joomladay NL 2018 #jd18nl I AM EliSa Twitter: @elisasophia HOW CAN I CONTROL THE OUTPUT? 1. CREATE AN OVERRIDE OF A VIEW OR LAYOUT 2. CREATE AN OVERRIDE OF A FIELDS PLUGIN 3. MEDIA OVERRIDES 4.

451 views • 29 slides
Web Style Sheets Style sheets for the Web Aims An Introduction to CSS describing how elements

Web Style Sheets Style sheets for the Web Aims An Introduction to CSS describing how elements

Web Style Sheets Style sheets for the Web Aims An Introduction to CSS describing how elements in a document must be presented on different media types, as paper print, video, audio, Prof. Ing. Andrea Omicini medium for people with

160 views • 3 slides

More recommend