Subresource Integrity
Page 1: Subresource Integrity
Philippe De Ryck
@PhilippeDeRyck
Page 2: Who Uses Code Like This?

```html
<script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet">
```

https://blog.jquery.com/2014/01/14/jquerys-content-delivery-network-you-got-served/
Page 3: Maybe It Also Puts You to Shame?

http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syrian-electronic-army/
Page 4: And If You Thought That Was Bad …
Page 5: And If You Thought That Was Bad …

http://www.cbc.ca/news/trending/anonymous-rickrolls-isis-on-twitter-after-losing-cyber-war-1.3331934
Page 6: And the Problem Is Much Worse …

https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
Page 7: But Not So Easy To Comprehend

https://xkcd.com/932/
Page 8: Remote Content Inclusion Is Dangerous

§ You give third-party content full control over your context
  § Governed by the Same-Origin Policy of the browser
  § No separation between your code and external code
  § Access to the same privileges, data, code …
§ External scripts can
  § Read and manipulate your DOM
  § Access JS APIs with the privileges granted to your origin
  § Send requests to your origin without limitations
  § Send requests to other origins on behalf of your origin
Page 9: Large-scale Study of Remote JS Inclusions

“88.45% of the Alexa top 10,000 web sites included at least one remote JavaScript library”

https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf
Page 10: Large-scale Study of Remote JS Inclusions

https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf
Page 11: Subresource Integrity

§ There is nothing you can do against these attacks
  § Either you trust a CDN, or you host it yourself
§ Welcome Subresource Integrity (SRI)
  § W3C Candidate Recommendation since November 12, 2015

```html
<script src="https://code.jquery.com/jquery-2.1.3.min.js"
        integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3"
        crossorigin="anonymous"></script>
```
Page 12: Subresource Integrity

§ Allows you to specify a hash of an external resource
  § Using the integrity attribute on script or link tags
§ Browsers verify this hash before loading the file
  § Refuse to load the file if the hash does not match
§ SRI supports the specification of multiple hashes
  § The strongest one available will be used by the browser

```html
<script src="myapplication.js" integrity="sha256-… sha512-…"></script>
<link href="myapp.css" rel="stylesheet" type="text/css" integrity="sha384-… sha512-…" />
```
Page 13: Unfortunately, SRI Enables Data Leakage

§ You can check the presence of specific external resources
  § Requests from the user’s browser, with credentials

```html
<script src="https://some-shop.com/accountbalance" integrity="…"></script>
```

| Response body | Hash (base64) |
| --- | --- |
| {"balance": 1234.00} | dPdFnnWdXY6eHXiK+3O/OSi3OeLFHlLch1qZ3iqD3MGNXck+Oz4LETv8lnsoNyFI |
| {"balance": 1235.00} | RasWnvVTFAiT+6NeqIJFRDDDSklMaljV0FxUQysJqUB65TGm/lFqKJkrGif2wzYj |
| {"balance": 1236.00} | uSCKm1yloPZ7VexjyLQ+sUvakZKycl3CsblGH/9XpGV09ymyf1nKAzU5tXTFH5oi |
| {"balance": 1237.00} | 4SI2gcfIFhX2NRE5KPbeXR87PaiCSAan6PL2mxKWndBp8wvE2Dfcn7HenpNXD0oJ |
Page 14: SRI Prevents Data Leakage with CORS

§ Not needed for resources from your own origin
  § The browser allows access to these anyway
§ The crossorigin attribute controls CORS behavior
  § anonymous does not attach cookies to the request
  § use-credentials means that cookies will be present

```html
<script src="https://code.jquery.com/jquery-2.1.3.min.js"
        integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3"
        crossorigin="anonymous"></script>
```
Page 15: Simple CORS Example

1. The browser loads the page from www.example.com
2. XHR: load the user’s profile from www.websec.be
   Request header:  Origin: http://www.example.com
   Response header: Access-Control-Allow-Origin: http://www.example.com
Page 16: CORS Protects Legacy Servers by Design

1. The browser loads the page from www.example.com
2. XHR: load the user’s profile from www.websec.be
   Request header: Origin: http://www.example.com
   Response: no CORS headers present
Page 17: Handling Credentials

§ Requests can be anonymous or authenticated
  § By default, credentials (i.e. cookies) are not sent
  § Can be enabled by setting the withCredentials flag
§ When credentials are used, the server must acknowledge this
  § By sending the Access-Control-Allow-Credentials response header
§ The aim is to prevent illegitimate use of the user’s credentials
  § Not intended to protect the server from malicious requests
Page 18: Simple CORS Example with Credentials

1. The browser loads the page from www.example.com
2. XHR: load the user’s profile from www.websec.be
   Request headers:  Origin: http://www.example.com
                     Cookie: PHPSESSID=1a2b3c4d5e6f
   Response headers: Access-Control-Allow-Origin: http://www.example.com
                     Access-Control-Allow-Credentials: true

```javascript
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.websec.be/profile', false);
xhr.withCredentials = true;
xhr.send();
```
Page 19: Subresource Integrity with CORS

1. The browser loads the page from www.example.com
2. Include a script from www.websec.be with an integrity check
   Request header:  Origin: http://www.example.com
   Response header: Access-Control-Allow-Origin: http://www.example.com
Page 20: SRI Prevents Data Leakage with CORS

§ CORS protects legacy servers
  § CORS response headers need to be present
  § If they are missing, the resource will not be loaded
§ The only reason is the integrity check
  § Simply including the script without an integrity check would still work

```html
<script src="https://code.jquery.com/jquery-2.1.3.min.js"
        integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3"
        crossorigin="anonymous"></script>
```
Page 21: SRI Error Recovery

§ Failure to load a resource triggers an error event
  § Clean way to load an alternative resource yourself
§ Last-resort recovery from an integrity error
  § Host a backup version of the script on your own server
  § Load it when the main version was not loaded

```html
<script>window.jQuery || document.write('<script src="/jquery.min.js"><\/script>');</script>
```
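The error-event route mentioned above, as an added example rather than code from the slides: the load and error events of a script element are wrapped in a Promise, and a self-hosted copy is loaded only when the primary one was refused. The loader is injected so the fallback logic can run outside a browser; the URLs and the placeholder hash are assumptions.

```javascript
// Load `primary` and, when the browser refuses it (the script element fires its
// error event on an integrity or CORS failure), load the self-hosted `fallback`.
// `loader(src, integrity)` returns a Promise that resolves once the script has run
// and rejects on the error event.
async function loadWithFallback(primary, fallback, loader) {
  try {
    await loader(primary.src, primary.integrity);
    return { source: 'primary', src: primary.src };
  } catch (primaryError) {
    // The backup copy is served from our own origin; it may carry its own integrity value.
    await loader(fallback.src, fallback.integrity);
    return { source: 'fallback', src: fallback.src, primaryError: String(primaryError) };
  }
}

// Browser implementation of `loader`: append a <script> element and promisify its events.
function domLoader(src, integrity) {
  return new Promise((resolve, reject) => {
    const el = document.createElement('script');
    el.src = src;
    if (integrity) {
      el.integrity = integrity;
      el.crossOrigin = 'anonymous'; // SRI on a cross-origin script needs CORS
    }
    el.onload = () => resolve(src);
    el.onerror = () => reject(new Error(`error event while loading ${src}`));
    document.head.appendChild(el);
  });
}

// Usage in a page (assumed URLs, placeholder hash):
// loadWithFallback(
//   { src: 'https://code.jquery.com/jquery-2.1.3.min.js', integrity: 'sha256-PLACEHOLDER' },
//   { src: '/jquery.min.js' },
//   domLoader
// ).then((r) => console.log('jQuery loaded from', r.source));
```

Unlike the `window.jQuery ||` check, this does not depend on the library exposing a global, and the error object tells you which include failed, which is worth logging: a burst of integrity failures from one CDN is the signal you want to see.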
Page 22: Subresource Integrity in Practice

http://caniuse.com/#search=subres
Page 23: Subresource Integrity in Practice

```sh
openssl dgst -sha384 -binary bootstrap.min.css | openssl enc -base64 -A
```

https://www.srihash.org/
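The openssl pipeline above wrapped into shell functions, as an added example that is not from the slides: one emits the full integrity token, one emits a ready-to-paste script tag with two hashes, and one re-checks a downloaded copy against a token you already trust. The function names and the sample stylesheet are constructed.

```sh
#!/bin/sh
# sri_hash FILE [ALGO]: print the SRI token for FILE, e.g. "sha384-<base64>".
# Same pipeline as the slide: binary digest, then base64 on a single line.
sri_hash() {
  file=$1
  algo=${2:-sha384}
  case "$algo" in
    sha256|sha384|sha512) ;;
    *) echo "unsupported SRI algorithm: $algo" >&2; return 2 ;;
  esac
  printf '%s-%s\n' "$algo" \
    "$(openssl dgst "-$algo" -binary "$file" | openssl enc -base64 -A)"
}

# sri_script_tag URL FILE: a <script> tag for URL carrying sha384 and sha512 tokens.
# crossorigin="anonymous" is required for a cross-origin script with integrity.
sri_script_tag() {
  printf '<script src="%s" integrity="%s %s" crossorigin="anonymous"></script>\n' \
    "$1" "$(sri_hash "$2" sha384)" "$(sri_hash "$2" sha512)"
}

# sri_verify FILE TOKEN: exit 0 when FILE hashes to TOKEN (algorithm taken from the
# token prefix), non-zero otherwise. Run it before vendoring a library copy.
sri_verify() {
  [ "$(sri_hash "$1" "${2%%-*}")" = "$2" ]
}
```

Generate the token from the file you reviewed, not from whatever the CDN serves at build time: the hash only protects you if the copy it was taken from is the copy you meant to trust.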
Page 24: Subresource Integrity in Practice

https://www.bootstrapcdn.com/
Page 25: EmberJS and Subresource Integrity

§ ember-cli-sri enables SRI for your application files
  § Hashes are automatically added during the production build process
  § Included by default for a few months already
§ Assumes your application serves files from the same origin
  § Can be configured to use a different origin or domain
Page 26: Conclusion

§ SRI gives you more control over what you include
  § Of course this only makes sense over an HTTPS channel
  § But you should be running everything over HTTPS anyway
§ If you host public libraries, enable CORS for them
  § This allows other people to use SRI for these files
§ If you build apps with external resources
  § Include an integrity attribute if CORS is supported
  § Bug the admins if CORS is not supported :-)
Page 27: About Me – Philippe De Ryck

§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ Focus on (client-side) Web security
§ Responsible for the Web Security training program
  § Dissemination of knowledge and research results
  § Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
  § 7 attacker models, broken down into 10 capabilities
  § 13 attacks and their countermeasures
  § Overview of security best practices
Page 28: Subresource Integrity

Philippe De Ryck
/in/philippederyck
https://distrinet.cs.kuleuven.be/events/websecurity/
@PhilippeDeRyck