Friday, March 10, 2017

nz.js(con): Your browser wants you to be secure

Today I had the pleasure of speaking at the first nz.js(con) in Wellington - a Javascript conference held over March 9 & 10, 2017. The conference has been a great mix of different javascript (and related) topics, and I really recommend that anyone involved in web application development attends future iterations of the conference.

My talk was titled "Your browser wants you to be secure". The idea was to rapidly present in a short 30 minute presentation all the cool work that browser vendors are doing to help make our web apps more secure. Browsers have really focussed heavily on technology to make the web a safer place for people to browse, and I thought it was a good time to step back and look at all the changes and how they affect our apps.

A friendly red superhero named "PoolDead" has some ideas of how you can stop the evil baddies. Look out for for a red face next to things you should do.

You can view the talk slides on Google Slides, or download a 3mb PDF of the slide deck.

Or here's a video of the talk (30 minutes):


The talk was heavy on URLs with additional reading and details of things to look at. A lot of the links go to Google Chrome resources, because that's currently my favourite browser. Most browsers have comparable features and enhancements.

Also, I've heavily linked to Scott Helme's blog. He has a lot of useful, well written posts on HTTP headers, and also runs a useful service called The NZ branch of the Open Web Application Security Project. We run regular meetups in Wellington, Christchurch and Auckland, and an annual (free) conference. 1992 definitions of HTML tags - Michal Zalewski's really cool book that talks about the history and current state of browser security. This is probably my favourite security book. The original Chrome comic published when Chrome launched back in 2008.

Microsoft and Google's commitment to browser security extends to financial rewards:

XSS protection links:


"AWS Only" Chrome Extension:

(send me feedback to @kirkj)

Certificate Transparency:

Facebook Certificate Transparency monitoring tool


SHA-1 is considered broken:

SSL Labs’ Server Test

Strict Transport Security:

Public Key Pinning:

Browser Security Messages:

Referrer Policy:

Sub-Resource Integrity:

Mixed Content:

Clear site data:



People to follow:

Adrienne Porter Felt @__apf__ Chrome Usable Security
Eric Lawrence @ericlaw Creator of Fiddler, IE team, now Chrome
Mike West @mikewest Chrome / Blink, Content Security Policy and other standards
Scott Helme @scott_helme Creator of @reporturi and @securityheaders

Risky Business podcast:

Friday, September 4, 2015

Ignite 2015: Hack-Ed: Building a secure

At Microsoft Ignite 2015 (formerly TechEd NZ), Kirk and Felix gave a talk titled "TBuilding a secure".

Social networks are a special breed of website, where small security issues can quickly multiply to cause a very large scale issue. Many of these security issues apply to regular (anti-social) websites too!
Join Kirk and Felix as they build up a social networking site that will rival the likes of MyBook and FaceSpace. Along the way, discover some of the traps that come with building a secure site for scale, as they discuss some of the security issues that can affect a popular website, and hack their way to an impressive friend list.
The video recording of the talk is available on Channel 9:

Thursday, September 3, 2015

Ignite 2015 - Hack-Ed: The Internet of Hackable Things

At Microsoft Ignite 2015 (formerly TechEd NZ), Kirk and Felix gave a talk titled "The Internet of Hackable Things".

This talk discussed the proliferation of devices that now connect to the internet, security mistakes seen in the industry and in our own research, and gave some advice on how to build more secure IoT devices.
Internet connected devices are all around us, listening to us sleep and watching our movements in our home. Windows 10 will even allow us to build better and smarter IoT applications on small platforms such as the Raspberry Pi 2. As we build applications on a new platform, we're experiencing new security issues. Come along to our talk to discuss the mistakes of the past, some tips for the future, and watch us "Hack all the things!!"
The video recording of the talk is available on Channel 9:

Friday, February 27, 2015

OWASP NZ Day 2015 - OWASP Top 10 and ASP.NET MVC

In the opening talk for the OWASP NZ Day, Kirk introduced the OWASP Top 10 by zipping through each of the 10 issues and briefly explained them.

We also covered some of the protections that are either built in to ASP.NET MVC or available as options that help to combat these common attacks.

Download slides: 2015-02-27-OWASPMVC-print.pdf (PDF, 6mb)

Thursday, September 11, 2014

TechEd 2014 - Hack-Ed: Threat Modeling your software to design for security

At TechEd 2014, Andy and Kirk gave a talk titled "Hack-Ed: Threat Modeling your software to design for security".

The talk covered the new Microsoft Threat Modeling Tool 2014 (a free download), and used the diagramming technique and threat generation as motivation for uncovering and remediating attacks against a sample web application.

Attacks covered Wifi sniffing and interception using Karma and the Wifi Pineapple, XSS via EXIF data embedded in JPEG files, and a couple of other techniques.

The slides for the talk are available here:

2014-ARC307-ProwJackson-HackEdThreatModeling (34mb PDF)

The video recording of the talk is available on Channel9:

Fun wifi analysis:

There were 261 devices in the Skycity Theatre probing for 485 different wifi networks.

Congratulations to the two folk with 26 stored wifi networks on their phones, you made the record books :)
(Although you might want to disassociate / remove some of those free wifi networks from your phones if you value your privacy)

A little unexpectedly, the probes for wifi networks were very diverse. 149 devices were probing for 'TECHED2014-SC', but there were no other networks in common with more than 7 people.

In comparison, the device sat upon my hotel windowsill while I was downstairs for breakfast this morning. 868 devices went past, probing for 1173 different networks.

Hotspot Number of People
Telecom WiFi 70
CP Public Wireless 66
TECHED2014-SC 62
Spark WiFi 34
Auckland WiFi 17
Callplus Public Hotspot 15
Airport_Hotspot 9

You can see how profitable it could be to masquerade as one of these access points - something like 8% of devices will automatically join to your network!

While we demonstrated capturing network traffic, we didn't actually capture anyone's network traffic during our demos. You'll have to trust us :)


Wednesday, September 10, 2014

TechEd 2014 - Hack-Ed: A day in the life of an Advanced Persistent Threatener

At TechEd 2014, Kirk and Andy gave a talk titled "Hack-Ed: A day in the life of an Advanced Persistent Threatener".

This talk covered the motivations of an "Advanced Persistent Threat" actor, and the cycle they go through when infiltrating your network.

The slides for the talk are available here:

2014-ARC304-Hack-Ed-APT-ProwJackson (41mb PDF file)

The video recording of the talk is now available in several formats:

Wednesday, September 11, 2013

TechEd 2013 - Hack-Ed: Application-Level Denial of Service

In our talks at TechEd 2013, we discussed application-level denial of service attacks, and included a couple of demo's of how easily you can open your ASP.NET site up to attack by just validating strings using regular expressions, or parsing XML.

Regular Expression DoS:

Regular expressions process input using a remarkably complex non-deterministic finite automaton, which repeatedly processes the input until it makes a match, following different paths through the regular expression and back-tracking where necessary.

In our talk we showed a simple regular expression that could take up 100% of the CPU on your server with only a short input string:


This Bryan Sullivan article covers the hows and whys of ReDoS, and a possible approach for testing a regular expression for the pathological worst case.

We forgot to mention that .NET 4.5 now supports a MatchTimeout property on regular expressions, which means that you can limit the CPU time of regex processing.


Any parsing of untrusted / user submitted files is complicated, and so receiving file uploads is fraught with danger.

In our talks we showed two XML attacks that could happen with just a simple .NET XmlDocument usage:

            XmlDocument xmlDoc = new XmlDocument();

            XmlPreviewLabel.Text = xmlDoc.DocumentElement.LastChild.InnerText;

The XmlDocument parser in .NET does not safely handle doc types or user-defined entities by default. This can lead to the "Billion Laughs" denial of service attack which chews up CPU and RAM, or to XML external entities reading files from off of disk.

Nazim's Security Blog shows a couple of examples where things can go awry, and gives a list of the .NET API's that are unsafe by default:

  • System.Xml.XmlDocument
    • Load and LoadXml UNSAFE unless you pass a safe XmlReader (DTD disabled) into it during initialization.
    • InnerXml is NEVER SAFE.
  • System.Xml.XmlTextReader
    • UNSAFE by default in .NET 3.5 and below.
      • You need to set ProhibitDtd=true to make this safe.
    • .NET 4.0 and above are safe be default.
  • System.Xml.Xsl.XslTransform
    • UNSAFE as it supports both entities and XSL script.
  • System.Xml.Xsl.XslCompiledTransform
    • Safe for XSL script since this is blocked by default.
    • UNSAFE for entity expansion unless a secure resolver is specified.
      • Pass an instance of XmlSecureResolver or null
  • System.Web.UI.WebControls.XmlDataSource
    • NEVER SAFE – supports both entities and XSL script.

Thursday, September 5, 2013

TechEd 2013 - Hack-Ed: Develop your Web-Security Spidey-Senses

Kirk and Andy presented at Microsoft's TechEd 2013 titled "HackEd: Develop your Web-Security Spidey-Senses".

The talk was accompanied by the following cheat-sheet:
WebSecuritySpideySense.pdf (228kb)

Saturday, September 15, 2012

in2securITy - Secure Software Development

in2securITy is a non-profit educational group run by security folk in NZ, with the aim of helping those new to the security profession get enthusiastic and gain the skills to find a job.

Kirk spoke at the Wellington leg of the in2securITy national tour on the topic of Secure Software Development.

This was a 30 minute talk discussing the typical software development lifecycle, and different security tasks and discussions that could fit in along the way. He also advocated the role of "Security Champion" within project teams, and encouraged folks to speak up when they security issues in the making.

Download the slides here: 2012-09-08-in2securITy.pdf (5mb)

The Microsoft Security Development Lifecycle is a well regarded process used by large companies such as Microsoft and Adobe to add security into their software product lifecyle.

Friday, September 7, 2012

TechEd 2012 - Hack-Ed: Mobile Security

Andy Prow and Kirk Jackson presented at Microsoft TechEd NZ. The third talk was titled: Hack-Ed - Mobile Security
With millions of devices with more features, and more apps with more functions, and more users with more needs, and more developers with more ideas, and more tools with more power, and more hackers with more to gain... we need to make sure we get mobile app security nailed! Come along and see what security is being provided for you, and what things you need to take care of!
Download the PDF: 2012-SIA302-MobileSecurity-AndyProw-KirkJackson.pdf (20.6mb)

Thursday, September 6, 2012

TechEd 2012 - Hack-Ed: Design for Attack

Andy Prow and Kirk Jackson presented at Microsoft TechEd NZ. The second talk was titled: Hack-Ed - Design for Attack
Whether mobile, web, Windows client or server app; whether banking software or social app; whether internal corporate users only or open to all on the internet; your apps will be attacked. So, how do you design and architect the applications from the ground up to stop attacks, log and monitor attacks, and alert those who need to know? This session will ensure you're correctly considering all components so you can confidently know if you've been compromised, when, by whom, and what they did.
Download the PDF: 2012-ARC401-DesignForAttack-AndyProw-KirkJackson.pdf (18.7mb)

Wednesday, September 5, 2012

TechEd 2012 - Hack-Ed: From the Trenches

Andy Prow and Kirk Jackson presented at Microsoft TechEd NZ. The first talk was titled: Hack-Ed - From the Trenches

We all know that we need to make sure our apps are secure. We all hear about hacks in the news, whether privacy breaches, denial-of-service attacks or credit card fraud. But often those stories are a little detached from the day-to-day development that we do. This session will uncover some stories from the trenches to try and highlight the real attacks that go on in the real world, and why none of our systems are immune. It will also uncover some very real mistakes we see people making in the wild!

2012 Speakers - Day 1

Download the over-sized PDF: 2012-SIA201-FromTheTrenches-AndyProw-KirkJackson.pdf (20.5mb)

Friday, August 31, 2012

OWASP NZ - Down to the Wire

Presented by Mark Haworth and Kirk Jackson at the OWASP NZ Day 2012, on 31 August 2012.
You've built the flashiest web app your cow-orkers have ever seen. Your boss loves you, and nominates you for a promotion next financial year. You've leveraged the latest hip web framework, and have jaxed your ajax to the max. But have you done everything you can to make your application secure? Are you perhaps, in fact, doing a little _too much_? A common issue we've come across in the past few years is applications that share too much information over the wire, or trust too much of what they receive. In this talk we'll look at some common pitfalls and techniques to counter them in modern web applications. Let's go down to the wire.
PDF (5.2mb)

Sunday, November 6, 2011

Kiwicon 5 - X-Excess

Mike Haworth and Kirk Jackson presented a talk at Kiwicon 5 titled "X-Excess":
Mobile applications are the new hotness and it seems everyone wants to build one. Unfortunately you have to build new app for each platform, so frameworks are popping up to bridge that gap. We look at some abuses of one framework and the implication for your shiny new gadget. Surely we can't bug a phone using XSS? Seems also there is a little known crowd out of Washington that have been swept up in the enthusiasm of exposing JavaScript APIs so now the same issues apply to your desktop too.
Download the presentation here: x-excess_v1.1.pdf (1mb)

Sunday, August 28, 2011

Code Camp Auckland 2011 - Web Security: The latest 'n' greatest

In this talk at Code Camp Auckland, Kirk discussed the latest protections that have been added to web browsers to combat the common threats to your web applications.

He covered Content Security Policy (CSP), HTTP Strict Transport Security (HSTS) and the X-Frame-Options headers, as well as discussing how to safely host user-generated files for download.

View the slides here: CC2011-KirkJackson.pdf (6mb)