Isolation: The next web application security frontier
Nov 6, 2020
Speakers
Artur Janc
Speaker · 0 followers
About
Application security engineers frequently grapple with the fact that web origins are only incidentally separated from one another; web security rules permit a surprising number of interactions which can be used to modify or infer the state of unrelated applications. The resulting attack surface is -- sadly -- one of the defining characteristics of the web security model, enabling multiple classes of hard-to-fix information leaks. In recent years, the lack of true web isolation has led to problems on three main fronts. First, vulnerabilities exploitable via malicious cross-site interactions, such as CSRF and XSSI have continued to plague major applications. Second, XS-Leaks research has identified practical new attacks that exploit both legacy and new web platform behaviors, and resulted in new avenues to leak cross-origin data. Finally, transient execution vulnerabilities such as Spectre and Meltdown broke the illusion that the web is immune to CPU-level bugs, demonstrating tractable cross-site attacks based on leaking data in the address space of the attacking origin's web renderer process. In response, web browsers have proposed and implemented major security mechanisms that give application developers the ability to lock down their applications from unwanted cross-origin interactions. In this talk, we'll delve into the details of these features, focusing on Fetch Metadata Request Headers and Cross-Origin Opener Policy as means to isolate an application from the rest of the web. We'll use examples from production rollouts of these features at Google to review deployment strategies and potential pitfalls. Finally, we'll brainstorm the types of attacks that may be possible even in light of these restrictions, and discuss application patterns that developers will need to change to more comprehensively defend their sites.Application security engineers frequently grapple with the fact that web origins are only incidentally separated from one another; web security rules permit a surprising number of interactions which can be used to modify or infer the state of unrelated applications. The resulting attack surface is -- sadly -- one of the defining characteristics of the web security model, enabling multiple classes of hard-to-fix information leaks. In recent years, the lack of true web isolation has led to proble…
Organizer
Loco Moco Security Conference
Account · 98 followers
Categories
Web Development & UX/UI
Category · 1.2k presentations
Software & Programming
Category · 1k presentations
App & Game Development
Category · 954 presentations
About Loco Moco Security Conference
Inclusive product security conference that attracts builders and defenders from around the world.
Like the format? Trust SlidesLive to capture your next event!
Professional recording and live streaming, delivered globally.
Sharing
Recommended Videos
Presentations on similar topic, category or speaker
Survive Your Security Incident 🔪 ...and Thrive Again
Watch later
Total of 0 viewers voted for saving the presentation to eternal vault which is 0.0%
Going Beyond Grep: Scaling Vulnerability Discovery
Watch later
Total of 0 viewers voted for saving the presentation to eternal vault which is 0.0%
Keeping up with the Dependencies
Watch later
Total of 0 viewers voted for saving the presentation to eternal vault which is 0.0%
Day 2 Welcome
Watch later
Total of 0 viewers voted for saving the presentation to eternal vault which is 0.0%
Product Security Lessons from Incident Response
Watch later
Total of 0 viewers voted for saving the presentation to eternal vault which is 0.0%
Day 1 Welcome
Watch later
Total of 0 viewers voted for saving the presentation to eternal vault which is 0.0%