Welcome to Uppsala.js
Saving a Dane
or "How to detect malware, get scared and improve your JS security"
Disclaimer: I'm not a security expert.
Once upon a time...
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925040/pasted-from-clipboard.png)
"Unexpected token <"
"Can't find variable: webpackJsonp"
"Syntax error"
"null is not an object"
"_0x37f2x1[_0x86f3[70]][_0x86f3[69]] is not a function"
"Exception invoking info"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925031/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925073/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925074/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925076/pasted-from-clipboard.png)
Technical Debt
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925084/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925091/pasted-from-clipboard.png)
Error handling, plan for the worst
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4926089/Cthulhu_by_disse86-d9tq84i.jpg)
Are we h4cked?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4926161/tumblr_mtrds1QXuE1scvcaso1_500.gif)
Are we h4cked?
No. Probably not.
Improving Security
- The victim's browser was compromised
- Our source code is compromised
- We got MITM'd
- A dependency got compromised
Scan your dependencies
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925102/wordmark-symbol__horizontal_2x.png)
```
$ snyk test
```
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925108/pasted-from-clipboard.png)
```
$ npm audit
```
Works for npm, .NET, Java, Scala, PHP, Python, etc.
Lock down your site with CSP
```
Content-Security-Policy: default-src 'self'
```
or
```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self';">
```
Benefits of CSP
- Browser feature: makes XSS attacks a lot harder (almost 100%)
- Whitelisting: you stay in control of which code runs and which outbound requests are made
- Force HTTPS on all resources
- Helps with mixed-content warnings when moving to HTTPS (perfect for CMSs)
- Report-Only: test before you enforce
Making XSS harder
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925908/pasted-from-clipboard.png)
```
default-src 'self' cloud.caspeco.se cdn.caspeco.se
script-src cdn.raygun.io ... sha256-xxxxx
connect-src api.raygun.io ...
report-uri https://report-uri.com
```
Report (Only)
```
Content-Security-Policy-Report-Only: default-src 'self'
```
![](https://s3.amazonaws.com/media-p.slid.es/uploads/766805/images/4925926/report-uri-report.png)
Helping with HTTPS
```
Content-Security-Policy: upgrade-insecure-requests;
```
For when you can't rewrite URLs to the protocol-relative form, e.g. "//mydomain.com": the browser upgrades them for you.
```
http://foo.bar -> https://foo.bar
```
Final links
It's almost a silver bullet
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
What is a CSP?
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Supported by all modern browsers
https://caniuse.com/#search=CSP
Great tooling: report-uri.com
Thanks for listening!
(We're hiring!)
anders@caspeco.se - @andersaberg
By abergs