
Abusing Bleeding Edge Web Standards for AppSec Glory

Formal Metadata

Title: Abusing Bleeding Edge Web Standards for AppSec Glory
Number of Parts: 93
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side controls for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense against attack patterns previously accepted as risks. With the most basic controls in place, attention is shifting toward mitigating more complex threats. Because these threats are controlled for client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS): a wrong hash, an over-strict policy, or a bad pin is enforced by the browser and can lock legitimate users out of the application itself. Builders supporting legacy applications therefore trade off implementing the latest standards against accepting risk, simply because of the increased risk the newer standards pose when misapplied. In this talk, we explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises that may make these standards more accessible to builders and defenders supporting legacy applications; and examine emergent properties of standards such as HPKP that cover previously unforeseen scenarios. As a bonus for the breakers, we explore and demonstrate exploitation of the emergent risks in these more volatile standards, including multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day).

Bio: Bryant Zadegan is an application security advisor and mentor at Mach37, a security accelerator focused on pouring substantial dollars into new security technologies. When not driving developers to embrace AppSec in continuous integration, Bryant punches holes in Amazon, Google, Reddit, etc. On days when he'd rather not touch computers, he's usually nowhere to be found near DC.

Bio: Ryan Lester is the CEO and chief software architect for Cyph, a web-based one-click end-to-end-encrypted communications service funded in part by Mach37, Virginia's Center for Innovative Technology, and the Goel Fund. Since departing SpaceX, Ryan has dedicated the better part of a year and a half to the vision of accessible encrypted communication. Unsurprisingly, when he isn't working on building the logic for Cyph, he's usually looking for ways to break it.