Subresource Integrity

Post on 08-Jan-2017


Transcript of Subresource Integrity

Subresource Integrity

Philippe De Ryck

@PhilippeDeRyck

Who Uses Code Like This?


<script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>

<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet">

https://blog.jquery.com/2014/01/14/jquerys-content-delivery-network-you-got-served/

Maybe It Also Puts You to Shame?

http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syrian-electronic-army/

And If You Thought That Was Bad …


And If You Thought That Was Bad …

http://www.cbc.ca/news/trending/anonymous-rickrolls-isis-on-twitter-after-losing-cyber-war-1.3331934

And the Problem Is Much Worse …

https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/

But Not So Easy To Comprehend

https://xkcd.com/932/

Remote Content Inclusion Is Dangerous


§ You give third party content full control over your context
  § Governed by the Same-Origin Policy of the browser
  § No separation between your code and external code
  § Access to same privileges, data, code …

§ External scripts can
  § Read and manipulate your DOM
  § Access JS APIs with the privileges granted to your origin
  § Send requests to your origin without limitations
  § Send requests to other origins on behalf of your origin

Large-scale Study of Remote JS Inclusions


“88.45% of the Alexa top 10,000 web sites included at least one remote JavaScript library”

https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf

Large-scale Study of Remote JS Inclusions

https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf

Subresource Integrity


§ There is nothing you can do against these attacks
  § Either you trust a CDN, or you host it yourself

§ Welcome Subresource Integrity (SRI)
  § W3C Candidate Recommendation since November 12, 2015

<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>

Subresource Integrity


§ Allows you to specify a hash of an external resource
  § Using the integrity attribute on script or link tags

§ Browsers verify this hash before loading the file
  § Refuse to load the file if the hash does not match

§ SRI supports the specification of multiple hashes
  § The strongest one available will be used by the browser

<script src="myapplication.js" integrity="sha256-… sha512-…"></script>

<link href="myapp.css" rel="stylesheet" type="text/css" integrity="sha384-… sha512-…" />

Unfortunately, SRI Enables Data Leakage


§ You can check the presence of specific external resources
  § Requests from the user’s browser, with credentials

<script src="https://some-shop.com/accountbalance" integrity="…"></script>

{“balance”: 1234.00} dPdFnnWdXY6eHXiK+3O/OSi3OeLFHlLch1qZ3iqD3MGNXck+Oz4LETv8lnsoNyFI

{“balance”: 1235.00} RasWnvVTFAiT+6NeqIJFRDDDSklMaljV0FxUQysJqUB65TGm/lFqKJkrGif2wzYj

{“balance”: 1236.00} uSCKm1yloPZ7VexjyLQ+sUvakZKycl3CsblGH/9XpGV09ymyf1nKAzU5tXTFH5oi

{“balance”: 1237.00} 4SI2gcfIFhX2NRE5KPbeXR87PaiCSAan6PL2mxKWndBp8wvE2Dfcn7HenpNXD0oJ

SRI Prevents Data Leakage with CORS


§ Not needed for resources from your own origin
  § The browser allows access to these anyway

§ The crossorigin attribute controls CORS behavior
  § Anonymous does not attach cookies to the request
  § Use-credentials means that cookies will be present

<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>

Simple CORS Example

1. Browser loads the page from www.example.com
2. XHR from www.example.com to www.websec.be: load user’s profile
   Request header: Origin: http://www.example.com
3. Response from www.websec.be
   Response header: Access-Control-Allow-Origin: http://www.example.com

CORS Protects Legacy Servers by Design

1. Browser loads the page from www.example.com
2. XHR from www.example.com to www.websec.be: load user’s profile
   Request header: Origin: http://www.example.com
3. Response from www.websec.be
   No CORS headers present

Handling Credentials


§ Requests can be anonymous or authenticated
  § By default, credentials (i.e. cookies) are not sent
  § Can be enabled by setting the withCredentials flag

§ When credentials are used, the server must acknowledge this
  § By sending the Access-Control-Allow-Credentials response header

§ Aim is to prevent illegitimate use of the user’s credentials
  § Not intended to protect the server from malicious requests

Simple CORS Example with Credentials


1. Browser loads the page from www.example.com
2. XHR from www.example.com to www.websec.be: load user’s profile
   Request headers:
   Origin: http://www.example.com
   Cookie: PHPSESSID=1a2b3c4d5e6f
3. Response from www.websec.be
   Response headers:
   Access-Control-Allow-Origin: http://www.example.com
   Access-Control-Allow-Credentials: true

var xhr = new XMLHttpRequest();
// third argument false makes this a synchronous request
xhr.open('GET', 'http://www.websec.be/profile', false);
// attach the user's cookies; the server must answer with Access-Control-Allow-Credentials
xhr.withCredentials = true;
xhr.send();

Subresource Integrity with CORS

1. Browser loads the page from www.example.com
2. Script included from www.websec.be with integrity check
   Request header: Origin: http://www.example.com
3. Response from www.websec.be
   Response header: Access-Control-Allow-Origin: http://www.example.com

SRI Prevents Data Leakage with CORS


§ CORS protects legacy servers
  § CORS response headers need to be present
  § If they are missing, the resource will not be loaded

§ The only reason is the integrity check
  § Simply including the script without integrity check would still work

<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>

SRI Error Recovery


§ Failure to load a resource triggers an error event
  § Clean way to load an alternative resource yourself

§ Last-resort recovery from an integrity error
  § Host a backup version of the script on your own server
  § Load when the main version was not loaded

<script>
  window.jQuery || document.write('<script src="/jquery.min.js"><\/script>');
</script>
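The error-event recovery path from this slide, as an added browser-side example (not code from the talk). attachIntegrityFallback and loadScriptWithFallback are hypothetical helper names; the same-origin fallback path is the one the slide's document.write snippet assumes.

```javascript
// Recover from a blocked CDN script by loading a same-origin copy when the
// browser fires the script element's error event.
function attachIntegrityFallback(script, fallbackSrc) {
  const doc = script.ownerDocument;
  script.addEventListener('error', () => {
    // error fires for a network failure, a CORS refusal and an integrity
    // mismatch alike; the same-origin copy needs no crossorigin attribute
    // but keeps the integrity attribute so a stale local copy is rejected too.
    const fallback = doc.createElement('script');
    fallback.src = fallbackSrc;
    if (script.integrity) fallback.integrity = script.integrity;
    script.parentNode.insertBefore(fallback, script.nextSibling);
  }, { once: true });
  return script;
}

// Build the CDN script element programmatically so the handler is attached
// before the element is inserted (a handler added later can miss the event).
function loadScriptWithFallback(doc, cdnSrc, integrity, fallbackSrc) {
  const script = doc.createElement('script');
  script.src = cdnSrc;
  script.integrity = integrity;
  script.crossOrigin = 'anonymous'; // CORS request, so the integrity check can run
  attachIntegrityFallback(script, fallbackSrc);
  doc.head.appendChild(script);
  return script;
}
```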

Subresource Integrity in Practice

http://caniuse.com/#search=subres

Subresource Integrity in Practice


openssl dgst -sha384 -binary bootstrap.min.css | openssl enc -base64 -A

The output is the base64 digest; in the integrity attribute it is prefixed with the algorithm name, e.g. sha384-…

https://www.srihash.org/

Subresource Integrity in Practice

https://www.bootstrapcdn.com/

EmberJS and Subresource Integrity


§ Ember-cli-sri enables SRI for your application files
  § Hashes are automatically added during production build process
  § Included by default for a few months already

§ Assumes your application serves files from the same origin
  § Can be configured to use a different origin or domain

Conclusion


§ SRI gives you more control over what you include
  § Of course this only makes sense over an HTTPS channel
  § But you should be running everything over HTTPS anyway

§ If you host public libraries, enable CORS for them
  § This allows other people to use SRI for these files

§ If you build apps with external resources
  § Include an integrity attribute if CORS is supported
  § Bug the admins if CORS is not supported :)

About Me – Philippe De Ryck

§ Postdoctoral Researcher @ DistriNet (KU Leuven)

§ Focus on (client-side) Web security

§ Responsible for the Web Security training program
  § Dissemination of knowledge and research results
  § Target audiences include industry and researchers

§ Main author of the Primer on Client-Side Web Security
  § 7 attacker models, broken down into 10 capabilities
  § 13 attacks and their countermeasures
  § Overview of security best practices

Subresource Integrity

Philippe De Ryck

philippe.deryck@cs.kuleuven.be

/in/philippederyck

https://distrinet.cs.kuleuven.be/events/websecurity/

@PhilippeDeRyck