Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C...
Transcript of Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C...
![Page 1: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/1.jpg)
Extending the browser to secure applications Highlights from W3C WebAppSec Group
Deian Stefan
![Page 2: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/2.jpg)
Modern web apps have many moving pieces & parties
• Application code & content itself
• User provided content (e.g., mail, comments)
• 3rd party libraries (e.g., jQuery)
• 3rd party content (e.g., ads, widgets)
• 3rd party hosting (e.g., CDNs)
![Page 3: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/3.jpg)
Hard to secure
(especially if you’re not starting from scratch)
![Page 4: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/4.jpg)
Browsers can helpwhen extended with security mechanisms
v
![Page 5: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/5.jpg)
Some work being done in the W3C WebAppSec group
➤ Secure contexts
➤ Mixed content
➤ Upgrade insecure requests
➤ SRI
➤ Referrer policy
➤ CSP
➤ Suborigins
➤ COWL
➤ Credential mgmnt
➤ UI Security
![Page 6: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/6.jpg)
Moving the web to HTTPS
Secure contexts: definitional
➤ Why? Expose potentially dangerous features (e.g., Service workers) only if context is secure
➤ Nutshell: content is loaded over HTTPS and doesn’t have HTTP opener
![Page 7: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/7.jpg)
Moving the web to HTTPS
Mixed content: making the great again
➤ Goals: Authentication, encryption, data integrity
➤ Nutshell: Disallow loading content via HTTP in secure contexts
Content-Security-Policy: block-all-mixed-content
![Page 8: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/8.jpg)
Moving the web to HTTPS
• Transitioning to HTTPS is painful
➤ Don’t have too much control over 3rd party hosts
➤ Often have hardcoded links in content
• Browsers to the rescue:
➤ Don’t block images, videos or audio by default. Use CSP directives to block (e.g., img-src https:)
➤ Content-Security-Policy: upgrade-insecure-requests
![Page 9: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/9.jpg)
HTTPS is not enough
• Authenticates connection but not content
➤ Protects against (coffee shop) network attacker
• Don’t know if content you’re loading is the one you meant to load
➤ Malicious/compromised CDN can serve bad content
![Page 10: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/10.jpg)
Subresource integrity
• Page author specifies hash of (sub)resource they are loading; browser checks integrity
➤ E.g., integrity for link elements
➤ E.g., integrity for scripts
<link rel="stylesheet" href="https://site53.cdn.net/style.css" integrity="sha256-SDfwewFAE...wefjijfE">
<script src="https://code.jquery.com/jquery-1.10.2.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Tw+Y5qFQmYg=">
![Page 11: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/11.jpg)
Subresource integrity• Limitations
➤ Only scripts and stylesheets supported in current version
➤ Roadmap: downloads and other elements
• Challenges
➤ May dynamically load scripts; too expensive to load all hashes ahead of time
➤ Roadmap: support signature-like scheme
![Page 12: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/12.jpg)
Some work being done in the W3C WebAppSec group
➤ CSP
➤ Suborigins
➤ COWL
➤ Credential mgmnt
➤ UI Security
➤ Secure contexts
➤ Mixed content
➤ Upgrade insecure requests
➤ SRI
➤ Referrer policy
![Page 13: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/13.jpg)
CSP: Content Security Policy
• Motivation: prevent or limit damage of XSS
• Idea: restrict resource loading to a white list
➤ Only load content from origins you trust
➤ Only leak data to these origins (in case of XSS)
➤ Limit inline scripts to whitelist via hash/nonce
• Example: allow loads from CDN, but disallow frames and plugins
Content-Security-Policy: default-src https://cdn.example.net; child-src 'none'; object-src 'none'
![Page 14: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/14.jpg)
Example directives
• connect-src: limits the origins you can XHR to
• font-src: where to fetch web fonts form
• form-action: where forms can be submitted
• child-src: where to load frames/workers from
• frame-ancestors: sources that can embed this page
• default-src: default whitelist
![Page 15: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/15.jpg)
CSP: Content Security Policy• Limitations
➤ Leaks via navigation, postMessage, DNS prefetching, etc. are easy
➤ Roadmap: new directives to cover some of these
• Challenges
➤ Hard to know if your CSP policy will break libraries
➤ Roadmap: CSP Embedded Enforcement
➤ Whitelisting origins is too coarse-grained
![Page 16: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/16.jpg)
Why are origins too coarse grained?
• Consider whitelisting your CDN
➤ Attacker can put malicious script on CDN and escalate simple XSS to arbitrary code
• New extension to CSP: strict-dynamic (WIP)
➤ Idea: use nonce and hash to whitelist scripts, ignore origins
Content-Security-Policy: script-src 'nonce-abcdefg' 'strict-dynamic'
![Page 17: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/17.jpg)
CSP is not enough• Multiple web apps are hosted on same physical
origin
➤ E.g., google.com/maps and google.com/mail
➤ XSS on one logical site can easily affect the other (own maps, you own mail)
• Solution: maps.google.com mail.google.com
➤ Actually hard to deploy
• Solution: suborigins
![Page 18: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/18.jpg)
Suborigins
• Goal: provide simple, backwards-compatible privilege separation mechanism
• Idea: extend notion of origin to (origin, namespace)
➤ E.g., (google.com, maps)
➤ Treat suborigin different from origin: as if diff origin
![Page 19: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/19.jpg)
• Deployment challenges
➤ Can’t access cookie jar of origin
➤ postMessage origin comparison is suborigin unaware
• Roadmap: unsafe-* directives to make it easier to deploy suborigins on existing sites
Suborigins
![Page 20: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/20.jpg)
Still not enough
• Can’t actually drop privileges, so scripts in suborigin have the privileges of that origin
➤ E.g., may want to load page and then drop privileges so XSS won’t leak/corrupt user data
• Even when combined with CSP: have no control of what code can do with sensitive data
![Page 21: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/21.jpg)
COWL: Confinement with Origin Web Labels
• Goals:
➤ Allow developers to privilege separate their app
➤ Allow developers to run their own code with least privilege
➤ Allow developers to confine 3rd party code by restricting what it can do with data it shares
![Page 22: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/22.jpg)
COWL framework
• Policy specification
➤ Labels: generalization of origin to conjunctions and disjunctions of origins and tags
➤ Privileges: makes authority of pages explicit with labels
• Policy enforcement
➤ Enforcement of policy end-to-end via confinement
![Page 23: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/23.jpg)
Labels
• Specifying policy in the browser
➤ Labels are associated with contexts
➤ Labels can be associated with clonable objects (use with postMessage and XHR)
• Specifying policy server-side
➤ Labels can be associated with XHR responses
![Page 24: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/24.jpg)
Privileges
• Explicit control over page privilege with JS
➤ Page has default privilege = its origin
• Controlling default page privilege
➤ E.g., to ensure page doesn’t have authority of origin
![Page 25: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/25.jpg)
Confinement enforcement
• In browser and browser-server communication
➤ Restrict postMessage and requrest to prevent leaking browser data
➤ Restrict responses if label of response is more sensitive than context label (non labeled-json request)
![Page 26: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/26.jpg)
COWL use cases
• Confining untrusted third-party services
• Sharing data with third-party mashups
• Content isolation (via privilege separation)
➤ Similar to suborigin use case
• Running content with least privileges
![Page 27: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/27.jpg)
COWL limitations & challenges
• Limitations
➤ Similar to suborigins: COWL-confined iframe doesn’t have access to storage
➤ Disallowed APIs: web sockets, service workers
➤ Roadmap: add labeled storage and enable other APIs
• Challenges
➤ Need to compartmentalize app into many least-privileged iframes to get most out of confinement
![Page 28: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/28.jpg)
Stepping back
➤ CSP
➤ Suborigins
➤ COWL
➤ Credential mgmnt
➤ UI Security
➤ Secure contexts
➤ Mixed content
➤ Upgrade insecure requests
➤ SRI
➤ Referrer policy
![Page 29: Highlights from W3C WebAppSec Groupdstefan/talks/stanford-webappsec2016.pdfHighlights from W3C WebAppSec Group Deian Stefan. ... (e.g., jQuery) • 3rd party content (e.g., ads, ...](https://reader031.fdocuments.in/reader031/viewer/2022030622/5ae9375f7f8b9acc26912d00/html5/thumbnails/29.jpg)
Stepping back
New mechanisms can make it easier to secure new and existing web apps: hack the browser!