
<!doctype html>

SECURITY
OWASP Helsinki 15.6.2011

beyond the attack vectors

Ville Säävuori

I AM NOT A SECURITY EXPERT


(But a Web Developer :)

<!doctype html>

html

API Metering
Backups & Snapshots
Counters
Cloud/Cluster Management Tools
Distributed Log storage, analysis
Graphing
HTTP Caching
Input/Output Filtering
Memory Caching
Non-relational Key Stores
Rate Limiting
Relational Storage
Queues
Real-time messaging (XMPP)
Search
Instrumentation/Monitoring
Failover
Node addition/removal and hashing
Auto-scaling for cloud resources
CSRF/XSS Protection
Data Retention/Archival
Deployment Tools
Multiple Devs, Staging, Prod
Data model upgrades
Rolling deployments
Multiple versions (selective beta)
Bucket Testing
Rollbacks
CDN Management
Ranging
Geo
Sharding
Smart Caching
Dirty-table management
Distributed File Storage

http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites

complex

http://www.flickr.com/photos/stuckincustoms/5069047950/

what is it?

Markup like Guido intended it.

Markup like Guido Tim intended it.

Not Just Markup anymore.

security

<header> <audio> <video> <canvas> <footer>

<audio>

<audio src='foo.mp4' preload='auto'>

<input type='email' required pattern='.*@syneus\.fi'>

HTTP/1.1 200 OK
Date: Wed, 15 Jun 2011 17:45:00 GMT
Server: Nginx/1.0.4
Access-Control-Allow-Origin: http://syneus.fi

local storage
localStorage.setItem('name', 'Hello World!');

Web Forms 2.0

SVG

CSS3
div > p:last-of-type { ... }

GeoLocation
navigator.geolocation.getCurrentPosition(show_map);

<iframe sandbox="allow-scripts">
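The Access-Control-Allow-Origin response shown above is the server's side of CORS: the browser reads that header literally, so the safe way to produce it is an exact-match allow-list, never a reflected Origin and never a substring check. The following is an added example (not code from the talk or from Syneus) in plain Node.js; the allow-list, the `naiveAllows` helper that shows the substring mistake, and `handle` are all constructed here.

```javascript
// Added example: choosing Access-Control-Allow-Origin from an allow-list.
// Assumes a plain Node.js environment; the allow-list entries are constructed
// (http://syneus.fi is the origin from the slide).
const ALLOWED_ORIGINS = new Set([
  'http://syneus.fi',
  'https://syneus.fi', // constructed: the same site over TLS is a distinct origin
]);

// The common mistake: matching on the hostname suffix. "http://evilsyneus.fi"
// ends with "syneus.fi" too, so this check lets an unrelated origin through.
function naiveAllows(requestOrigin) {
  return typeof requestOrigin === 'string' && requestOrigin.endsWith('syneus.fi');
}

// The correct check: an origin is scheme + host + port, compared as a whole
// string. Returns the headers to add, or null when the origin is not allowed
// (no header at all means the browser blocks the cross-origin read).
function corsHeadersFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string' || !allowlist.has(requestOrigin)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    // Caches must key on Origin; otherwise a response carrying one allowed
    // origin's header could be served to a request from another origin.
    'Vary': 'Origin',
  };
}

// Constructed request handler shape: decide the response headers for a
// request whose headers object carries the browser-sent Origin.
function handle(requestHeaders) {
  const cors = corsHeadersFor(requestHeaders.origin);
  return { status: 200, headers: cors || {} };
}

module.exports = { naiveAllows, corsHeadersFor, handle };
```

Exact matching also means that a `*` wildcard, which is what many frameworks default to, must not be combined with credentialed requests; an allow-list of concrete origins sidesteps that question entirely.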

in the wild

http://www.flickr.com/photos/sharkbait/2992242065/

common issues

http://www.flickr.com/photos/rainbirder/5068808204/

XSS

XSRF

SQL Injection

Clickjacking

ways to protect

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

understand threats


understand threats no, really.



sanitation


test your code


test your code regularly.



test your code often.



stay updated


The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words insert, delete, drop, update, null, or select.
Sacramento Credit Union

http://www.flickr.com/photos/remydwd/48898192/

Best practices

http://www.flickr.com/photos/amagill/51806161/

trust no one

http://www.flickr.com/photos/furryscalyman/673915993/

use good tools


Let frameworks help you.

but don't trust them blindly


Again. Understand what you're doing.

use secure protocols


HTTPS over HTTP

outsource
or

hire someone
but at least

use a checklist

understand your users


Mere mortals don't behave like nerds.

educate them
Why is it important to have a good password?

MORE
html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5

Kiitos!
Ville Säävuori @uninen
