2018 Orlando Devs - Application Security
- 1. A Boy, A Sugar Glider and the TSA Brian Clark @_clarkio Credit: https://www.flickr.com/photos/pitmanra/
- 6. Browser http://insecureheroes.com Server http://insecureheroes.com
- 7. Browser http://insecureheroes.com Server http://insecureheroes.com
- 8. Browser http://insecureheroes.com Server http://insecureheroes.com
- 13. An attack that executes a request on behalf of another authenticated user that was not intending to perform that action being requested Cross-site Request Forgery
- 14. Synchronizer Token Pattern Random token Unique to user and session Part of the request header Validated server-side
- 23. An attack that injects malicious code into a trusted web site such that it may be executed unintendedly by other users Cross-site Scripting (XSS)
- 24. Prevention Content Security PolicyInput Handling Control what resources the browser is allowed to load Ensure data is aligned with the expectations for its intended use
- 25. Input Handling
- 26. Input Handling
- 28. Sanitization EscapingValidation Ensure the data is legit Invalid EmailResult:
- 29. Validation EscapingSanitization Clean the bad data BCResult:
- 30. SanitizationValidation Escaping Encode the bad data B<script>alert(1);</script>CResult:
- 31. Do not trust user input
- 32. Where should we apply input handlers?
- 33. Where should we apply input handlers? Client? Server?
- 34. Browser http://insecureheroes.com Server http://insecureheroes.com
- 38. Both
- 39. ?
- 43. ?
- 46. Summary Access Control Malicious Input Sugar Gliders Faking Requests