1. Securing Web Applications

3. IE 7 significantly reduced attack surface against the browser and local machine…

4. …but Social Engineering and exploitation of add-ons continues to grow. WebApp attacks (CSRF, XSS, ClickJacking, splitting) may be the next big vector. And the next generation of attackers is coming out of grade school.

5. Worst of all, it turns out that crime does pay after all.

6. Why is browser security so elusive?

8. The security architecture of the current web platform was largely an afterthought.

9. Maybe there’s a shortcut?

10. We could block nearly 100% of exploits by removing one component from the system…

12. Or, we could block a majority of exploits by removing a different component from the system…

14. So, if we re-architect everything, or get rid of the users, or get rid of the network, then security might be easy. FAIL

15. Making the correct tradeoffs is hard.

16. IE8 Security Vision

17. Social Engineering Web App Vulnerabilities Browser & Add-on Vulnerabilities Address the evolving threat landscape IE8 Security Investments

18. What’s the best way to develop secure, performant, and reliable C/C++ code?

19. Don’t.

20. Non-Binary Extensibility

24. Lots of other investments

25. The Weakest Link

26. Sometimes, threats are obvious…

27. …but bad guys are getting smarter…

28. Fake codecs and add-ons

29. Fake antivirus scanners & utilities

32. A more effective warning?

33. SmartScreen Download Block

34. SmartScreen Block Page

35. Domain Highlighting

36. HTTPS - Extended Validation

37. HTTPS Mistakes

38. Insecure Login Form

39. Certificate Mismatch

40. Mixed Content - Prompt

41. Mixed Content Blocked

42. Mixed Content shown – No lock

43. Mixed Content - Troubleshooting

44. Preventing XSS

45. XSS Threats Researcher Bryan Sullivan: “XSS is the new buffer overflow.”

46. XSS Statistics Source: WhiteHat Security, August 2008

47. IE8 XSS Filter

48. Comprehensive XSS Protection

49. Securing Mashups

50. How are mashups built today?

51. XDomainRequest

52. HTML5 postMessage()

53. postMessage – Sending // Find target frame var oFrame = document.getElementsByTagName('iframe')[0]; // postMessage will only deliver the 'Hello’ // message if the frame is currently // at the expected target site oFrame.contentWindow.postMessage('Hello', 'http://recipient.example.com');

54. postMessage – Listening // Listen for the event. For non-IE, use // addEventListener instead. document.attachEvent('onmessage', function(e){ if (e.domain == 'expected.com') { // e.data contains the string // We can use it here. But how? } });

55. JavaScript Object Notation {"Weather": { "City": "Seattle", "Zip": 98052, "Forecast": { "Today": "Sunny", "Tonight": "Dark", "Tomorrow": "Sunny" } }}

56. JavaScript Object Notation

57. Native JSON Support

58. window.toStaticHTML() window.toStaticHTML( "This is some HTML with embedded script following... alert('bang!'); !“ ); returns: This is some HTML with embedded script following... !

59. Putting it all together… if (window.XDomainRequest){ var xdr = new XDomainRequest(); xdr.onload = function(){ var objWeather = JSON.parse(xdr.responseText); var oSpan = window.document.getElementById("spnWeather"); oSpan.innerHTML = window.toStaticHTML( "Tonight it will be " + objWeather.Weather.Forecast.Tonight + " in " + objWeather.Weather.City + "." ); }; xdr.open("POST", "http://evil.example.com/getweather.aspx"); xdr.send("98052"); }

60. Best Practices

61. ClickJacking

62. Hosting unsafe files

63. MIME-Sniffing

64. Privacy

65. File Upload Control Server no longer gets full filename: Content-Disposition: form-data; name="file1"; filename="File.zip“ Local JavaScript sees a fixed path for compatibility: file1.value == “C:\fakepath\File.zip”

66. Enhanced Cleanup

67. InPrivate™

68. InPrivate™ Browsing Bonus: Helps mitigate CSS “Visited Links” History theft vector

69. Background on 3 rd Party Aggregation User Visits Unique Sites 3 4141 2 5 1 6 7 8 1 Contoso.comTailspin.comWoodgrovebank.com Example.com Farbrican.comSouthridge1-1.comLitware-final.comadventureworks.com Prosware-sol.com 3 rd party Syndicator Web server

70. http://websecuritytool.codeplex.com/

73. ericlaw@microsoft.com

74. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.