
OWASP EEE (Krakow) - It's only about frontend


Video: https://www.youtube.com/watch?v=nb_pTyX2eAo
Personal page: https://sergeybelove.ru


  1. It’s only about frontend. Sergey Belov, Digital Security. OWASP EEE, 6th of October 2015, Poland
  2. $ whoami • @ Digital Security – Pentester – ZeroNights team • Bug hunting (Yandex, Google, CloudFlare ...) • Speaker – OWASP RU, BlackHat 2014, HiP 2014, ZeroNights • Like all web related security :]
  3. What we're talking about: frontend security ≠ client side attacks. Example – CSRF is a client side attack but depends on the server side
  4. What we're talking about: some techniques are well known but some are not
  5. What we're talking about: SOP – Same Origin Policy, scheme://domain:port, + hardening
  6. Cross Site Scripting – DOM
  7. DOM XSS: document.write("Site is at: " + document.location.href); Payload: http://victim.com/action#<script>alert('xss')</script>
  8. DOM XSS Sources: document.URL, location, document.referrer, window.name, localStorage, cookies, …
  9. DOM XSS Sinks: eval, document.write, (element).innerHTML, (element).src, setTimeout / setInterval, execScript, … https://code.google.com/p/domxsswiki/
  10. DOM XSS
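The sources and sinks on slides 8 and 9 only become a bug when a source reaches a sink without encoding that fits that sink. The following is an added example, not code from the talk: it takes the slide 7 pattern and shows the two encoders a practitioner actually needs, one for HTML text sinks (document.write, innerHTML) and one for URL sinks ((element).src, href). The function names and the constructed payload are assumptions for illustration.

```javascript
// Added example (not from the talk): sink-aware handling of DOM XSS sources.
// Slide 7 writes document.location.href straight into an HTML sink. Which
// encoding is needed depends on the sink the source lands in:
//   - HTML text sink (document.write, innerHTML): HTML-escape the value
//   - URL sink ((element).src, href, location): allow-list the scheme

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Keeps http(s) and relative URLs; anything with another scheme (javascript:,
// data:, vbscript:) becomes about:blank. Control characters are stripped before
// the scheme test because browsers ignore them ("java\tscript:" still runs).
function safeUrl(value) {
  const raw = String(value).trim();
  const normalized = raw.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const hasScheme = /^[a-z][a-z0-9+.\-]*:/.test(normalized);
  if (hasScheme && !/^https?:/.test(normalized)) {
    return 'about:blank';
  }
  return raw;
}

// The slide's vulnerable pattern: a markup string built from an untrusted source.
function renderUnsafe(href) {
  return 'Site is at: ' + href; // document.write(renderUnsafe(location.href))
}

// Hardened: same markup, source escaped before it reaches the sink. In a real
// page prefer el.textContent = href, which needs no escaping at all.
function renderSafe(href) {
  return 'Site is at: ' + escapeHtml(href);
}

// Constructed input: the payload from slide 7.
const PAYLOAD = "http://victim.com/action#<script>alert('xss')</script>";

console.log(renderUnsafe(PAYLOAD));
console.log(renderSafe(PAYLOAD));
console.log(safeUrl('javascript:alert(1)'), safeUrl('https://victim.com/a.png'));
```

Note that escapeHtml is only right for the HTML text context; a value placed inside an event handler attribute or a `<script>` block needs a different encoder, and a value placed in a URL sink needs the scheme check, not HTML escaping.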
  11. Information leaks
  12. Information leaks – JavaScript examples: testServer = host.match(/[^.]+.((?:f|my.XXX)d*).YYY.com/) devServer = host.match(/^.+.dev.YYY.com$/), isXXX = testServer && testServer[1].indexOf('my.XXX') == 0, ... internalDevHOST = '172.16.22.2'; internalProdHOST = '172.16.22.5'; ... var admin_url = '/secretArea/'
  13. Information leaks – CSS examples: file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not-supported.scss file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/modules/add-category.scss file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/modules/alias-preview.scss
  14. MVC Frameworks
  15. MVC Frameworks
  16. MVC Frameworks – Templates – New elements <rockyou></rockyou> – Bindings
  17. MVC Frameworks – Logic-less templates <ul> <li ng-repeat="phone in phones"> <span>{{phone.name}}</span> <p>{{phone.snippet}}</p> </li> </ul>
  18. MVC Frameworks – Curly braces <ul> <li ng-repeat="phone in phones"> <span>{{phone.name}}</span> <p>{{phone.snippet}}</p> </li> </ul>
  19. MVC Frameworks – Logic-less templates. http://mustache.github.io/
  20. MVC Frameworks – Mustache Security • VueJS • AngularJS • CanJS • Underscore.js • KnockoutJS • Ember.js • Polymer • Ractive.js • jQuery • JsRender • Kendo UI https://code.google.com/p/mustache-security/
  21. MVC Frameworks – AngularJS (1.1.5) – access to window <div class="ng-app"> {{constructor.constructor('alert(1)')()}} </div>
  22. MVC Frameworks – AngularJS (1.2.18) – access to window, after the fix {{ (_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')() }}
  23. MVC Frameworks – Keeping frameworks up to date is important for security!
  24. Flash
  25. Flash – A typical example <cross-domain-policy> <allow-access-from domain="*" to-ports="80"/> </cross-domain-policy>
  26. Flash – A non-typical example <cross-domain-policy> ... multiple domains (some unregistered) ... </cross-domain-policy> Real bug bounty report – $$$
  27. Flash – A non-typical example <cross-domain-policy> ... domains from social networks (apps) ... </cross-domain-policy> Real bug bounty report – $$$
  28. Flash – XSS via Flash getURL(_root.URI,'_targetFrame'); and many other cases https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)
  29. Flash – CVE-2011-2461 IS BACK! 1) Vulnerable version of Adobe Flex 2) Full SOP bypass https://github.com/ikkisoft/ParrotNG/ http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html
  30. JSONP
  31. JSONP – Typical case <script src="http://vuln/getInfo?c=parseResponse"> </script>
  32. JSONP – No sensitive data? But Content-Type is: • text/javascript • application/javascript • application/x-javascript Try ?cb=new%20ActiveXObject("WScript.Shell").Exec("calc")// And get client side RCE (IE only / SE is required)
  33. JSONP http://www.youtube.com/watch?v=T0vwLsHUing
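The slide 32 payload works because the endpoint echoes the raw callback parameter into a body served as JavaScript. The added example below is not from the talk: it shows the reflecting endpoint beside one that restricts the callback to a JavaScript identifier, which is the check that removes the injection. Function names and the constructed payload are assumptions.

```javascript
// Added example (not from the talk): validating the JSONP callback name.
// A JSONP body is "<callback>(<json>);", so the callback must be limited to
// an identifier (dots allowed for namespaced callbacks such as app.onData).

const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Vulnerable: reflects ?cb= verbatim, which is what slide 32 exploits.
function jsonpUnsafe(cb, data) {
  return cb + '(' + JSON.stringify(data) + ');';
}

// Hardened: reject anything that is not an identifier. The leading "/**/" is
// the prefix large JSONP providers emit so the body never starts with
// attacker-chosen bytes; serve it with Content-Type: application/javascript
// and X-Content-Type-Options: nosniff.
function jsonpSafe(cb, data) {
  if (!isValidCallback(cb)) {
    throw new Error('invalid JSONP callback');
  }
  return '/**/' + cb + '(' + JSON.stringify(data) + ');';
}

// Constructed input: the slide's payload, URL-decoded.
const IE_PAYLOAD = 'new ActiveXObject("WScript.Shell").Exec("calc")//';

console.log(jsonpUnsafe(IE_PAYLOAD, { ok: true }));   // attacker code, served as JS
console.log(jsonpSafe('parseResponse', { ok: true })); // /**/parseResponse({"ok":true});
```

Even with a validated callback, a JSONP endpoint that returns per-user data is readable by any origin that can include the script, so the validation fixes the injection but not the data exposure; that part needs CORS (slides 38 onwards) or a non-JSONP API.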
  34. HTML5 security
  35. HTML5 Security – Window.postMessage() otherWindow.postMessage(message, targetOrigin); window.addEventListener("message", receiveMessage, false); function receiveMessage(event) { if (event.origin !== "http://example.org:8080") return; // ... } Domain A ↔ Domain B
  36. HTML5 Security – Window.postMessage() if(message.origin.indexOf(".example.com")!=-1) { /* ... */ } Wrong! example.com.attacker.com
  37. HTML5 Security – Window.postMessage() Iframe https://accounts.google.com/b/0/ListAccounts?listPages=0&mo=1&origin=https%3A%2F%2F123123.google.com window.parent.postMessage("... Sensitive data / user login etc ...", "https://123123.google.com");
  38. HTML5 security – HTTP access control (CORS) 1) Modern 2) Secure by default 3) Very hard to make a mistake
  39. HTML5 security – HTTP access control (CORS) Access-Control-Allow-Origin: *
  40. HTML5 security – HTTP access control (CORS) Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
  41. HTML5 security – HTTP access control (CORS) Access-Control-Allow-Origin: * is not compatible with Access-Control-Allow-Credentials: true
  42. HTML5 security – HTTP access control (CORS) Access-Control-Allow-Origin: $origin;
  43. HTML5 security – WebSockets 1) No authorization and/or authentication 2) WSS:// – for sensitive data 3) Validation 4) Check origin 5) …
  44. HTML5 security – Example with WebSockets (Agar.IO – HTML5 game) 1) Visit Agar.IO 2) Get a new server (/findServer response, some random IP) 3) Connect (ws://) to that IP. The game server handles only handshakes with a valid Origin (like agar.io). This can keep out custom clients (except for cases with a full proxy on the server side, which can send any Origin) https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
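Slide 42's `Access-Control-Allow-Origin: $origin` is the dangerous shortcut: reflecting the request's Origin with credentials enabled gives every site read access to authenticated responses. The added example below (not from the talk, and not any framework's API) builds the CORS headers from an allow-list instead, shows the public-data variant where `*` is legitimate, and applies the same Origin check to the WebSocket handshake from slides 43 and 44. The allowed origins and the header-object shape (lower-cased names, as Node's http module delivers them) are assumptions.

```javascript
// Added example (not from the talk): CORS headers from an allow-list, and the
// same allow-list applied to a WebSocket upgrade request.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumption
  'https://admin.example.com', // assumption
]);

// The slide 42 shortcut: echo whatever Origin arrived, with credentials on.
// Any site can now read the authenticated response.
function corsHeadersReflect(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Correct: allow-list first, then echo that exact value. Vary: Origin stops a
// shared cache from serving one origin's headers to another; an origin that is
// not listed gets no ACAO header at all, so the browser blocks the read.
function corsHeadersAllowList(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Slides 39-41: '*' with credentials is refused by browsers. '*' is fine for
// public, unauthenticated data, and then Allow-Credentials must stay absent.
function corsHeadersPublic() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// WebSocket handshake (slides 43-44). Browsers always send Origin on the
// upgrade request and SOP does not restrict ws:// connections, so the server
// is the only place the origin gets checked. A non-browser client can forge
// the header, which is the proxy caveat on slide 44. Returns the HTTP status.
function wsHandshakeStatus(headers) {
  const upgrade = (headers['upgrade'] || '').toLowerCase();
  if (upgrade !== 'websocket' || !headers['sec-websocket-key']) return 400;
  if (!ALLOWED_ORIGINS.has(headers['origin'])) return 403;
  return 101; // Switching Protocols
}

console.log(corsHeadersReflect('https://evil.com'));
console.log(corsHeadersAllowList('https://evil.com'));
console.log(wsHandshakeStatus({ upgrade: 'websocket', 'sec-websocket-key': 'dGhlIHNhbXBsZSBub25jZQ==', origin: 'https://evil.com' }));
```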
  45. Content Security Policy
  46. Content Security Policy X-Content-Security-Policy: script-src js.example.com (the prefixed header is the deprecated form; the standard name is Content-Security-Policy)
  47. Content Security Policy
  48. Content Security Policy – Latest Firefox: "security csp" command
  49. Content Security Policy – @cure53 challenge – CSP bypass • A CDN hosting AngularJS is allowed (ajax.googleapis.com) ng-app ng-csp ng-click=$event.view.alert(1337)> <script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script> https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22
  50. Extensions / SmartTV
  51. Extensions / SmartTV – JS/HTML/CSS – Interaction with DOM – XHR queries – Extended API
  52. For dessert
  53. For dessert <a href="http://external.com">Go!</a> In headers will be Referer: http://yoursite.com/ What about images, js, css files?
  54. For dessert http://super-website.com/user/passRecovery?t=SECRET ... <img src=http://comics.com/password.jpg> ... The owner of comics.com can see all secret tokens https://github.com/cure53/HTTPLeaks
  55. Anything else? Yes: • X-Frame-Options • Iframe protection via JS – bypassing (iframe sandboxing / race conditions) • Switching to HTTPS (HSTS) • DOM Clobbering (XSS – http://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream) • Cookies (flags, domains – IE case) • ...?
  56. Thanks! Any questions? @sergeybelove
