New Pluralsight Course: Modern Browser Security Reports

Written by Troy Hunt - - Aggregated on Wednesday August 8, 2018
Tags: pluralsight, security

Rounding out a recent spate of new Pluralsight courses is one final one: Modern Browser Security Reports. This time, it's with Scott Helme who for most of my followers, needs no introduction. You may remember Scott from such previous projects as securityheaders.io, Report URI and, as it relates to this course, our collective cleaning up at a couple of recent UK awards nights:

That particular awards night relates to this course because at that particular event, our little Report URI project won the SC Award for Best Emerging Technology and what that project does it precisely what we're talking about in this course. In fact, we recorded this course in London only a few days after that pic was taken (although admittedly in a less well-dressed fashion).

Clearly, Scott and I have a bias when it comes to how awesome we think browser reporting is but bear with me because it is awesome! Many of you would have seen us talk about CSP reporting before and that's a great place to start: create a policy about all the things that are allowed to load into a website and from where then as soon as that policy is violated (for example, when someone finds an XSS vector on your site), you get notified. You can do the same thing with HPKP and Expect-CT plus there's also CAA reporting (although strictly speaking that's a report issued by a CA rather than a browser).

One of my favourite to demo is XSS auditor reporting. Check out that link and you'll see an alert box; dismiss that, open your dev tools, reload the page then have a look at the response headers. See the "x-xss-protection" header? And the "report" directive in the value? Open up your favourite proxy (such as Fiddler) then click on the link in the web page above and watch the requests. See the one that gets sent to https://demo.report-uri.com/r/default/xss/enforce - that's the browser automatically sending a report to let me know that its XSS auditor fired and I may well have a cross site scripting vulnerability on my site. Like the other reporting constructs, it's free, dead simple to implement and could well be the early warning sign I need to identify a major vulnerability in my site.

That's just a very brief intro, there's about an hour's worth of content in this course with Scott and I casually discussing the topic in typical "Play by Play" fashion. I hope you enjoy our course, Modern Browser Security Reports is now live!

Just a little side note: for the first time ever, I had to stop a fellow Pluralsight author during the recording of this course due to an unfortunate language incident. I captured this piece of video after the course which I believe aptly covers the nature of the problem: