Abusing Bleeding Edge Web Standards for AppSec Glory

Black Hat USA 2016

Presented by: Ryan Lester, Bryant Zadegan
Date: Wednesday August 03, 2016
Time: 10:20 - 11:10
Location: Lagoon K

Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense against attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. Because these threats are being controlled for client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively trade off implementing the latest standards against simply accepting risk, precisely because of the increased implementation risk these newer web standards pose.

In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; and examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, including multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day).

Bryant Zadegan

Bryant Zadegan directs the Application Security practice at The Advisory Board Company, a member-focused healthcare and education firm. When not driving developers to embrace AppSec in continuous integration, Bryant either mentors startups at the Mach37 cybersecurity accelerator, tells film scriptwriters how not to hack, or punches holes in Amazon, Google, and Reddit. On days when he'd rather not touch computers, he's usually nowhere to be found near DC.

Ryan Lester

Ryan Lester is the CEO and chief software architect for Cyph, a web-based one-click end-to-end-encrypted communications service funded in part by Mach37, Virginia's Center for Innovative Technology, and the Goel Fund. Since departing SpaceX, Ryan has dedicated the better part of a year and a half to the vision of accessible encrypted communication. Unsurprisingly, when he isn't working on building the logic for Cyph, he's usually looking for ways to break it.
