
When the CDN goes bananas


How to protect your website assets with Subresource Integrity

The slides were first presented at the SecTalks Sydney Meetup: http://www.meetup.com/SecTalks/events/228854146/

Published in: Technology


  1. WHEN THE CDN GOES BANANAS SUBRESOURCE INTEGRITY
  2. WHEN THE CDN GOES BANANAS me_irl • Gabor Szathmari • Information Security Professional Hacker Freelancer • Privacy Advocate
  3. WHEN THE CDN GOES BANANAS I WILL BE TALKING ABOUT • JavaScript hosted by third-parties • Some scary bits • The Solution: Subresource Integrity ‣ What it does ‣ Tooling
  4. THIRD-PARTY CODE ON MODERN WEBSITES
  5. ANALYTICS
  6. A/B TESTING
  7. HEATMAPS
  8. TAG MANAGERS
  9. PRIVATE CDN
  10. PUBLIC CDN
  11. WHEN THE CDN GOES BANANAS MODERN WEBSITES • Third-party JavaScript (heatmaps, user tracking, analytics …) • Public CDNs (jsDelivr, ajax.googleapis.com, ajax.aspnetcdn.com …) • Private CDNs (S3, Akamai, CloudFront, Fastly …)
  12. “YOU KNOW WHAT THEY SAY: LOVE* IS BLIND” * <script src="">
  13. WHAT CAN GO WRONG?
  14. WHEN THE CDN GOES BANANAS MODERN WEBSITES • Third-party JavaScript (heatmaps, user tracking, analytics …) • Public CDNs (jsDelivr, ajax.googleapis.com, ajax.aspnetcdn.com …) • Private CDNs (S3, Akamai, CloudFront, Fastly …) HACKED
  15. window.location.href = "https://www.reddit.com/r/badmemes"
  16. WHEN THE CDN GOES BANANAS 🙀 🙀 🙀 • https://www.maxcdn.com/blog/bootstrapcdn-security-post-mortem/ • https://blog.pagefair.com/2015/halloween-security-breach/ • https://citizenlab.org/2015/04/chinas-great-cannon/ • http://securityaffairs.co/wordpress/31480/cyber-crime/afghanistan-cdn-network-hacked.html • https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b
  17. REUTERS.COM SEA.SY
  18. http://cdn.taboola.com/libtrc/reuters-network/loader.js
  19. WHEN THE CDN GOES BANANAS WHAT IS THE DAMAGE? • Unwanted redirection • Website defacement • Click fraud • Exploit kits (ransomware) • Cookie stealing, session hijacking • Keylogging • UI redressing (password stealing, OTP stealing)
  20. WHAT CAN WE DO?
  21. SUBRESOURCE INTEGRITY AKA. SRI
  22. PROTECTS JAVASCRIPT INTEGRITY
  23. PROTECTS CSS INTEGRITY
  24. <script src="https://cdn.jsdelivr.net/jquery/2.1.4/jquery.min.js" integrity="sha256-ImQv...=" crossorigin="anonymous"></script>
  25. “TRUST, BUT VERIFY”
  26. “Я НЕМНОГО ЧАЙНИКА” (Russian, roughly: “I'm a bit of a teapot”)
  27. <script src="https://maxcdn.bootstrapcdn.com/.../bootstrap.min.js" integrity="sha512-I3A1A…"
  28. WHEN THE CDN GOES BANANAS BROWSER SUPPORT
  29. WHEN THE CDN GOES BANANAS
  30. TOOLING
  31. MANUAL HASHING
  32. WHEN THE CDN GOES BANANAS OPENSSL • openssl dgst -sha256 -binary jquery.min.js | openssl base64 -A • openssl dgst -sha384 -binary jquery.min.js | openssl base64 -A • openssl dgst -sha512 -binary jquery.min.js | openssl base64 -A
  33. WHEN THE CDN GOES BANANAS OPENSSL • $ curl -s https://code.jquery.com/jquery-2.2.3.min.js | openssl dgst -sha512 -binary | openssl base64 -A
  SFaNb3xC08k/Wf6CRM1J+O/vv4YWyrPBSdy0o+1nqKzf+uLrIBnaeo8aYoAAOd31nMNHwX8zwVwTMbbCJjA8Kg==
  • <script src="https://code.jquery.com/jquery-2.2.3.min.js" integrity="sha512-SFaNb3xC08k/Wf…" […]
  34. HOSTED TOOLS
  35. srihash.org report-uri.io jsdelivr.com
  36. CMS
  37. WHEN THE CDN GOES BANANAS PLUGINS • WordPress https://wordpress.org/plugins/wp-sri/ • Drupal https://www.drupal.org/project/advagg
  38. WORKFLOW INTEGRATION
  39. WHEN THE CDN GOES BANANAS WORKFLOW INTEGRATION
  40. WHEN THE CDN GOES BANANAS WORKFLOW INTEGRATION
  41. SCAN YOUR WEBSITE FOR SRI USAGE
  42. sritest.io
  43. sritest.io
  44. WHEN THE CDN GOES BANANAS TOOLING • Manual • Hosted • CMS Plugins • Workflow Integration • sritest.io
  45. WHEN THE CDN GOES BANANAS SUMMARY • Modern websites rely on JS/CSS • Hosted on CDNs / at third-parties • SRI protects from unexpected JS/CSS changes • Tooling is available
  46. WHEN THE CDN GOES BANANAS FURTHER READING • https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet • http://j.mp/cdn-goes-bananas • http://j.mp/new-sri2-features ‣ Enforce SRI with CSP ‣ Violation Reporting
  47. WHEN THE CDN GOES BANANAS THANK YOU • @gszathmari • PGP: keybase.io/gszathmari
