To see the techniques discussed (including in-browser code signing) implemented in production, check out Cyph.
Slides: us-16-Zadegan-Abusing-Bleeding-Edge-Web-Standards-For-AppSec-Glory.pdf
Video: youtu.be/fFdGnJc0EbM
Demo links:
- cyph.wang (more specifically, *.cyph.wang as a demo HPKP-Supercookie server)
Source code links:
Edit: After the Black Hat version of our talk on 2016-08-03, it was conveyed to us by Blue Coat that their cert has a path length of 0, thus preventing its use in any sort of wide-ranged HPKP Suicide attack as we'd suggested on stage. We haven't yet thoroughly investigated the implications of path length 0, so feel free to investigate on your own and pass on any findings.
