SlideShare a Scribd company logo

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

Krzysztof Kotowicz
Krzysztof Kotowicz

Krzysztof Kotowicz gave a talk at Hack in Paris in June 2014 about lessons learned from trusting JavaScript cryptography. He discussed the history of skepticism around JS crypto due to language weaknesses like implicit type coercion and lack of exceptions. He then analyzed real-world vulnerabilities in JS crypto libraries like Cryptocat that exploited these issues, as well as web-specific issues like cross-site scripting. Finally, he argued that while the JS language has flaws, developers can still implement crypto securely through practices like strict mode, type checking, and defense-in-depth against web vulnerabilities.

1 of 58
Download to read offline
Biting into the forbidden fruit Lessons from trusting Javascript crypto Krzysztof Kotowicz, Hack in Paris, June 2014
About me • Web security researcher • HTML5 • UI redressing • browser extensions • crypto • I was a Penetration Tester @ Cure53 • Information Security Engineer @ Google Disclaimer: “My opinions are mine. Not Google’s”.
 Disclaimer: All the vulns are fixed or have been publicly disclosed in the past.
Introduction
JS crypto history • Javascript Cryptography Considered Harmful
 http://matasano.com/articles/javascript- cryptography/ • Final post on Javascript crypto
 http://rdist.root.org/2010/11/29/final-post-on- javascript-crypto/
JS crypto history • It’s not needed! • Implicit trust in the server • SSL / TLS required • It’s dangerous! • Any XSS can circumvent the code • It’s hard! • Poor crypto support in the language • Mediocre library quality • JS crypto is doomed to fail!
Doomed to fail? https://www.mailvelope.com/https://crypto.cat/ http://openpgpjs.org/ Multiple crypto primitives libraries, symmetric & asymmetric encryption, TLS implementation, a few OpenPGP implementations, and a lot of user applications built upon them. Plus custom crypto protocols.
Action plan • Look at the code • Find the vulnerabilities • Understand the root cause • Compare to native crypto
JS crypto vulns in the wild • Language issues • Caused by a flaw of the language ! • Web platform issues • “The web is broken”
Language issues
Language issues matter if (you_think_they_dont)! goto fail;! ! goto fail;
Javascript in a glance • a dynamic language • a weakly typed language • with prototypical inheritance • with a global object • and a forgiving parser
It’s a flexible language • Code in 6 characters only! ! ! ! ! • alert(1), obviously [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!! []+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[] +!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+ [])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+ (![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+! +[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![] +[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]] +(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]] +(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
Bit quirks • All numbers are floats
 http://www.2ality.com/2012/04/number-encoding.html • Bit shifts are tricky ! ! ! • “The right operand should be less than 32, but if not only the low five bits will be used.”
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/ Bitwise_Operators 1 << 31 // -2147483648! 1 << 32 // 1
 1 << 33 // 2! 1 << 31 << 1 // 0! 1 << 31 >> 31 // -1
 1 << 31 >>> 31 // 1. Sigh!
Weak typing • A lot of gotchas & silent type conversions
 ! ! ! • Devs don’t use types. This matters to crypto! // From wtfjs.com! ! true == 'true'! false != 'false'! ! Math.min() > Math.max()! ! typeof null == 'object'! !(null instanceof Object)
Weak typing • Cryptocat adventures with entropy
 http://tobtu.com/decryptocat.php ! ! ! • != 64 random bytes. • Entropy loss - 512 bits => 212 bits // Generate private key (64 random bytes)! var rand = Cryptocat.randomString(64, 0, 0, 1, 0); "7065451732615196458..." // Generates a random string of length `size` characters.! // If `alpha = 1`, random string will contain alpha characters, // and so on.! // If 'hex = 1', all other settings are overridden.! Cryptocat.randomString = function(! size, alpha, uppercase, numeric, hex)
Magic properties • Cryptocat - a multiparty chat application • Check if we don’t yet have the user’s key (=new user). 
 Generate shared secrets (hmac key + encryption key) ! ! • Decrypt incoming message (if you have a secret already) if (!publicKeys[sender]) {! publicKeys[sender] = receivedPublicKey;! multiParty.genSharedSecret(sender);! } if (sharedSecrets[sender]) {! if (message[myName]['hmac'] === HMAC(ciphertext, ! sharedSecrets[sender]['hmac'])) {! message = decryptAES(ct, sharedSecrets[sender]['msg']);! return message;! }
Magic properties • Meet __proto__. Always there ! ! • publicKeys[‘__proto__’] == true, so shared secret is never generated • But sharedSecrets[‘__proto__’] == true, so decryption throws exception • [CVE 2013-4100] Joining chat as __proto__ breaks chat for everyone.
 http://www.2ality.com/2012/01/objects-as-maps.html publicKeys = {one: "1", two: "2"}! publicKeys['__proto__'] // {}! Boolean(publicKeys[‘__proto__’]) // true
Magic properties • Python has them too! • Kill an application by submitting a hash algorithm __delattr__ • http://blog.kotowicz.net/2013/12/breaking-google- appengine-webapp2.html
Silent errors ! ! • Out-of-bounds array access does not throw error • At least it returns harmless undefined
 (I‘m looking at you, C) a = [1];! a[0] // 1! a[1000] // undefined. No error!
Unicode fun • JS strings are unicode, not byte arrays • String.charCodeAt(index) returns the numeric Unicode value of the character • Not a byte value! • https://speakerdeck.com/mathiasbynens/hacking- with-unicode
16 snowmen attack! • Reveals AES key by encrypting Unicode and decrypting the result
 http://vnhacker.blogspot.com/2014/06/why- javascript-crypto-is-useful.html ☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃
AES S-BOX INVERSE S-BOX INVERSE S-BOX S-BOX
Encrypting… function SubBytes(state, Sbox) // state = [9740, 9796, 9743, ...] ! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [undefined, undefined, ...]! }
Implicit type coercion function MixColumns(state) { // [undefined, undefined, ...]! c0 = state[I(0,col)]; // c0 = undefined,...! state[I(0,col)] = aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! return state! }! ! function aes_mul(a, b) { // 2, undefined! var res = 0;! res = res ^ b; // 0 ^ undefined = 0 :)! } aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! undefined ^ undefined ^ 0 ^ 0 // 0
AES 0x00, 0x00 0x00, 0x00
Decrypting… • Decrypt the ciphertext with the same key • In last round: ! ! ! • plaintext = key ⊕ [0x52, 0x52, …] • key = plaintext ⊕ [0x52, 0x52, …] function SubBytes(state, Sbox) // state = [0, 0, …]! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [0x52, 0x52, …]! }
Type coercion CVE-2014-0092 GnuTLS certificate validation bypass
 http://blog.existentialize.com/the-story-of-the-gnutls-bug.html! ! ! ! • C has no exceptions. Errors were reported as negative numbers. But callers treated return value as a boolean:
 
 /* Checks if the issuer of a certificate is a! * Certificate Authority
 * Returns true or false, if the issuer is a CA,! * or not.! */! static int! check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,! unsigned int flags) if (ret == 0) { /*cert invalid, abort */}
Language issues • They are not unique to Javascript • You can overcome them! • ES 5 strict mode
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/ Functions_and_function_scope/Strict_mode • Type enforcing - e.g. Closure Compiler
 https://developers.google.com/closure/compiler/ • Development practices: tests, continuous integration, code reviews
Web platform issues
Web platform • Javascript code runs in a JS engine…
 *Monkey, v8, Nitro, Chakra, SunSpider • In an execution environment…
 browser renderer process, server process • With different APIs available…
 DOM, WebCrypto, browser extension API • With different restriction/isolation policies…
 Same Origin Policy, CSP, iframe sandbox, extension security policies • These conditions are much more important to crypto!
XSS • Web is full of it • Any XSS is RCE equivalent for web • XSS can bypass any crypto code in the same origin • replace a PRNG • exfiltrate the key or plaintext • replace the public key • There are XSSes in crypto code
XSS • Mailvelope - DOM XSS in Gmail by sending encrypted <img onerror=alert(1)> to the victim
XSS • [CVE 2013-2259] Cryptocat used client side filtering of nickname / conversation name. ! ! ! ! • Chrome extension: CSP, only UI Spoofing • Firefox extension: XSS = RCE in the OS
RCE in non-JS crypto • [CVE-2014-3466] A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.
Poor randomness • Math.random() is not good enough • You can recover the state cross-origin
 http://ifsec.blogspot.com/2012/05/cross-domain- mathrandom-prediction.html • Instead, use crypto.getRandomValues() in browsers* and crypto.randomBytes() in node.js. * IE 11 and greater, poor mobile browser support
Poor randomness • OpenPGP.js RSA encryption padding /**! * Create a EME-PKCS1-v1_5 padding! */! encode: function(message, length) {! //...! for (var i = 0; i < length - message.length - 3; i++) {! r += String.fromCharCode(random.getPseudoRandom(1, 255)); ! }! return r;! }! ! random.getPseudoRandom: function(from, to) {! return Math.round(Math.random() * (to - from)) + from; ! }
Poor randomness • [CVE-2013-4102] Cryptocat uses BOSH for XMPP transport.
 “The session identifier (SID) and initial request identifier (RID) are security-critical and therefore MUST be both unpredictable and non-repeating.” ! ! this.rid = Math.floor(Math.random() * 4294967295);
Non-JS randomness fail Debian OpenSSL fiasco (2006-2008)! • OpenSSL used uninitialized memory buffers as entropy sources • Debian maintainer analyzed OpenSSL with Valgrind, asked openssl-dev about the warnings. Group said - go ahead, just remove the calls. • Only process ID remained in the entropy pool • ssh-keygen - only 32K possible keys
 http://research.swtch.com/openssl
Timing side-channels • Timing differences are measurable • Attacks are not remote • same CPU, • same thread (<iframe>) • Demonstrated by Eduardo Vela Nava
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web-application- timing.html
 “It is possible to bruteforce an 18 digit number in about 3 minutes on most machines.” (cross-domain!)
Timing side-channels • OpenPGP.js RSA decryption unpadding ! ! ! ! ! • This needs to be constant time to avoid Bleichenbacher’s attack
 http://archiv.infsec.ethz.ch/education/fs08/secsem/ Bleichenbacher98.pdf /**! * Decodes a EME-PKCS1-v1_5 padding! */! decode: function(message, len) {! if (message.length < len)! message = String.fromCharCode(0) + message; // branching! if (message.length < 12 || message.charCodeAt(0) !== 0 ||! message.charCodeAt(1) != 2) // branching! return -1; // early exit! var i = 2;! return message.substring(i + 1, message.length);! }
Timing side-channels • Similar problem in Java - JSSE (RSA used in TLS)
 http://www-brs.ub.ruhr-uni-bochum.de/netahtml/ HSS/Diss/MeyerChristopher/diss.pdf • [CVE-2012-5081] Different error messages • [CVE-2014-0411] Timing side-channel - random numbers were generated only on invalid padding
Compiler optimisation • JS engine is a blackbox. Even correct constant-time code can be optimised.
 http://stackoverflow.com/questions/18476402/how-to-disable-v8s-optimizing-compiler • Problems are not unique to the web: ! ! ! • Constant-time algorithm meets timing differences in Intel DIV instruction
 https://www.imperialviolet.org/2013/02/04/luckythirteen.html // golang.org/src/pkg/crypto/subtle/constant_time.go! func ConstantTimeByteEq(x, y uint8) int {! z := ^(x ^ y)! z &= z >> 4! z &= z >> 2! z &= z >> 1! return int(z)! }
Direct memory access • Remember Heartbleed? • Not a crypto vulnerability, but it allowed to bypass the encryption by just reading memory • client sends a large payload length + a tiny payload • no bounds check in the server • server replies with leaked memory contents
Direct memory access • Thankfully, JS is a memory-safe language. We have no buffers to overflow…
Direct memory access • Pwn2Own 2014, Firefox 28, Jüri Aedla
 “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the Javascript heap, allowing for arbitrary code execution.”
 https://www.mozilla.org/security/announce/2014/mfsa2014-31.html • Pwnium 4, Chrome 33, geohot (George Hotz)
 https://code.google.com/p/chromium/issues/detail?id=351787
 
 
 
 
 var ab = new ArrayBuffer(SMALL_BUCKET);! ab.__defineGetter__("byteLength",function(){return 0xFFFFFFFC;});! var aaa = new Uint32Array(ab);! // all your base are belong to us
Direct memory access • Browsers are an attack surface as well • network stack • HTML parser • JS engine • Any URL in any tab can trigger an exploit
Browser architecture • Firefox - single process
 http://lwn.net/Articles/576564/ • IE - multiprocess, sandboxed from OS
 http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx • Chrome - multiprocess, sandboxed from other tabs
 http://www.chromium.org/developers/design-documents/sandbox
Malware problem • Any malware can circumvent native crypto software as well. Kernels have vulnerabilities too. • GnuPG was bypassed by the authorities by simply installing a keylogger.
 https://www.gnupg.org/faq/gnupg-faq.html#successful_attacks • For JS crypto - your browser is the OS. Browser security = host security • There is one difference though…
Application delivery • You don’t install websites • Code delivery and execution is transparent (drive- by download) • Huge code execution playground, running code separated by Same Origin Policy only • Roughly half of the users use the browser with any kind of sandbox
Is JS crypto doomed? • Create perfect, XSS-free, constant time JS code • Ensure server will never be compromised • Put it in a website, serve over HTTPS • You’re safe until someone uses: • a browser exploit • a Same Origin Policy bypass • How can we fix this?
Extensions
 to the rescue
Browser extension • Not a plugin (Java, Flash, PDF reader) • A Javascript application running in privileged execution environment • You need to install it
Browser extension • Secure, signed code delivery • Better separation from websites than just Same Origin Policy • Much smaller attack surface • Process isolation in Chrome
 http://www.chromium.org/developers/design- documents/site-isolation
Browser extension • Not a perfect solution! • Your API needs to be secure too • XSS in extension is possible. XSS = native code execution in Firefox
 http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff- attacking-with-google-chrome-extensions • Chrome Extensions can share processes when limits are hit (use Chrome App to be sure)
Recommendations • Use isolated environment (server side, browser extension) • Use compilers to force strict typing • Use CSP to mitigate XSS • Use constant time operations (as much as you can) • Protect the exposed functions • Use request throttling to mitigate side-channel exploitation
Open problems • Timing sidechannels are exploitable and hard to fix
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web- application-timing.html • No mlock() equivalent - secrets can be swapped to disk • No secure store yet (wait for WebCrypto) • Extensions silently auto-update • Lack of full process isolation yet
Summary • JS crypto is way better than it used to be • A lot of perceived “JS crypto flaws” are present in other languages as well • The platform issues are much more difficult to mitigate • in-website crypto has too large attack surface • use extensions only
The end Me:
 http://blog.kotowicz.net, @kkotowicz, krzysztof@kotowicz.net More vulns:
 https://cure53.de/pentest-report_mailvelope.pdf
 https://cure53.de/pentest-report_openpgpjs.pdf
 https://blog.crypto.cat/wp-content/uploads/2012/11/Cryptocat-2-Pentest-Report.pdf Thanks to people who helped and inspired
 (in Math.random() order): 
 Mario Heiderich, Franz Antesberger, Juraj Somorovsky, Ian Beer, Ivan Fratric, Eduardo Vela Nava, Thai Duong, Frederic Braun, Ben Hawkes, Stephan Somogyi, Daniel Bleichenbacher, Adam Langley, Mathias Biennia

Recommended

02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
Botnets
BotnetsBotnets
Botnets
Kavisha Miyan
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5AfiqEfendy Zaen
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 
The Culture of the FBI.
The Culture of the FBI.The Culture of the FBI.
The Culture of the FBI.
Orion White
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 

Recommended

02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
Botnets
BotnetsBotnets
Botnets
Kavisha Miyan
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5Virus and Malicious Code Chapter 5
Virus and Malicious Code Chapter 5AfiqEfendy Zaen
 
Zero Trust and Data Security
Zero Trust and Data SecurityZero Trust and Data Security
Zero Trust and Data Security
Career Communications Group
 
The Culture of the FBI.
The Culture of the FBI.The Culture of the FBI.
The Culture of the FBI.
Orion White
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 
Kali linux os
Kali linux osKali linux os
Kali linux os
Samantha Lawrence
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Jack Shaffer
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
Network Intelligence India
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
Sri Manakula Vinayagar Engineering College
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
idsecconf
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team Apocalypse
Beau Bullock
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
Chanchal Dabriya
 
Stuxnet
StuxnetStuxnet
Stuxnet
Symantec
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
Deepanshu Gajbhiye
 
Computer Security
Computer SecurityComputer Security
Computer Security
Frederik Questier
 
CyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint ProtectionCyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint Protection
Panji Ramadhan Hadjarati
 
渗透测试思路技术与方法
渗透测试思路技术与方法渗透测试思路技术与方法
渗透测试思路技术与方法
 
Installation of ns2
Installation of ns2Installation of ns2
Installation of ns2
Pradeep Kumar TS
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensics
Gaurav Ragtah
 
Black hat hackers
Black hat hackersBlack hat hackers
Black hat hackersSantosh Kumar
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 

More Related Content

What's hot

Kali linux os
Kali linux osKali linux os
Kali linux os
Samantha Lawrence
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Jack Shaffer
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
Network Intelligence India
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
Sri Manakula Vinayagar Engineering College
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
idsecconf
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team Apocalypse
Beau Bullock
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
Chanchal Dabriya
 
Stuxnet
StuxnetStuxnet
Stuxnet
Symantec
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
Deepanshu Gajbhiye
 
Computer Security
Computer SecurityComputer Security
Computer Security
Frederik Questier
 
CyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint ProtectionCyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint Protection
Panji Ramadhan Hadjarati
 
渗透测试思路技术与方法
渗透测试思路技术与方法渗透测试思路技术与方法
渗透测试思路技术与方法
 
Installation of ns2
Installation of ns2Installation of ns2
Installation of ns2
Pradeep Kumar TS
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensics
Gaurav Ragtah
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 

What's hot (20)

Kali linux os
Kali linux osKali linux os
Kali linux os
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team Apocalypse
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINAL
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
CyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint ProtectionCyberOps Associate Modul 22 Endpoint Protection
CyberOps Associate Modul 22 Endpoint Protection
 
渗透测试思路技术与方法
渗透测试思路技术与方法渗透测试思路技术与方法
渗透测试思路技术与方法
 
Installation of ns2
Installation of ns2Installation of ns2
Installation of ns2
 
Application security
Application securityApplication security
Application security
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensics
 
Black hat hackers
Black hat hackersBlack hat hackers
Black hat hackers
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
 

Viewers also liked

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
Using Tai-chi to deal with agility
Using Tai-chi to deal with agilityUsing Tai-chi to deal with agility
Using Tai-chi to deal with agility
Alex Kempkens
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
Year of the X
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain Barrier
Alex Sexton
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a Phisherman
Michele Orru
 
A Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesA Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application Vulnerabilities
Yuji Kosuga
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
Kevin Hakanson
 
Почему Agile больше не работает
Почему Agile больше не работаетПочему Agile больше не работает
Почему Agile больше не работает
CEE-SEC(R)
 
Agile по русски- как это работает
Agile по русски- как это работаетAgile по русски- как это работает
Agile по русски- как это работает
Alexey Pikulev
 
Zaragoza Turismo 25
Zaragoza Turismo 25Zaragoza Turismo 25
Zaragoza Turismo 25
Saucepolis blog & Hotel Sauce
 
Beer is good!
Beer is good!Beer is good!
Beer is good!
Kirk Teegardin
 
Xotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookersXotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookers
Jeffrey Messud
 
Localized ic ts urban commons
Localized ic ts urban commonsLocalized ic ts urban commons
Localized ic ts urban commons
LabGov
 
Lisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. DurãoLisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. Durãomaditabalnco
 

Viewers also liked (20)

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Using Tai-chi to deal with agility
Using Tai-chi to deal with agilityUsing Tai-chi to deal with agility
Using Tai-chi to deal with agility
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
 
Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain Barrier
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a Phisherman
 
A Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesA Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application Vulnerabilities
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 
Почему Agile больше не работает
Почему Agile больше не работаетПочему Agile больше не работает
Почему Agile больше не работает
 
Agile по русски- как это работает
Agile по русски- как это работаетAgile по русски- как это работает
Agile по русски- как это работает
 
Zaragoza Turismo 25
Zaragoza Turismo 25Zaragoza Turismo 25
Zaragoza Turismo 25
 
Beer is good!
Beer is good!Beer is good!
Beer is good!
 
Xotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookersXotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookers
 
Localized ic ts urban commons
Localized ic ts urban commonsLocalized ic ts urban commons
Localized ic ts urban commons
 
Lisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. DurãoLisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. Durão
 

Similar to Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
Jonathan LeBlanc
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)
johnwilander
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
Stormpath
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
Martin Vigo
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
UC San Diego
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
Setia Juli Irzal Ismail
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
Cliff Smith
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAs
johnwilander
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
You wanna crypto in AEM
You wanna crypto in AEMYou wanna crypto in AEM
You wanna crypto in AEMDamien Antipa
 

Similar to Biting into the forbidden fruit. Lessons from trusting Javascript crypto. (20)

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAs
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
You wanna crypto in AEM
You wanna crypto in AEMYou wanna crypto in AEM
You wanna crypto in AEM
 

More from Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
Krzysztof Kotowicz
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
Krzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Krzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Krzysztof Kotowicz
 

More from Krzysztof Kotowicz (14)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Recently uploaded

Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
thanhdowork
 
6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)
ClaraZara1
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
Robbie Edward Sayers
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
Intella Parts
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
gerogepatton
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
fxintegritypublishin
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
TeeVichai
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
Kamal Acharya
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
ydteq
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Teleport Manpower Consultant
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
manasideore6
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
karthi keyan
 
Investor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptxInvestor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptx
AmarGB2
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
FluxPrime1
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
BrazilAccount1
 
road safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdfroad safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
VENKATESHvenky89705
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
ssuser7dcef0
 

Recently uploaded (20)

Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
 
6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
 
Investor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptxInvestor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptx
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
 
road safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdfroad safety engineering r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
 

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

  • 1. Biting into the forbidden fruit Lessons from trusting Javascript crypto Krzysztof Kotowicz, Hack in Paris, June 2014
  • 2. About me • Web security researcher • HTML5 • UI redressing • browser extensions • crypto • I was a Penetration Tester @ Cure53 • Information Security Engineer @ Google Disclaimer: “My opinions are mine. Not Google’s”.
 Disclaimer: All the vulns are fixed or have been publicly disclosed in the past.
  • 4. JS crypto history • Javascript Cryptography Considered Harmful
 http://matasano.com/articles/javascript- cryptography/ • Final post on Javascript crypto
 http://rdist.root.org/2010/11/29/final-post-on- javascript-crypto/
  • 5. JS crypto history • It’s not needed! • Implicit trust in the server • SSL / TLS required • It’s dangerous! • Any XSS can circumvent the code • It’s hard! • Poor crypto support in the language • Mediocre library quality • JS crypto is doomed to fail!
  • 6. Doomed to fail? https://www.mailvelope.com/https://crypto.cat/ http://openpgpjs.org/ Multiple crypto primitives libraries, symmetric & asymmetric encryption, TLS implementation, a few OpenPGP implementations, and a lot of user applications built upon them. Plus custom crypto protocols.
  • 7. Action plan • Look at the code • Find the vulnerabilities • Understand the root cause • Compare to native crypto
  • 8. JS crypto vulns in the wild • Language issues • Caused by a flaw of the language ! • Web platform issues • “The web is broken”
  • 10. Language issues matter if (you_think_they_dont)! goto fail;! ! goto fail;
  • 11. Javascript in a glance • a dynamic language • a weakly typed language • with prototypical inheritance • with a global object • and a forgiving parser
  • 12. It’s a flexible language • Code in 6 characters only! ! ! ! ! • alert(1), obviously [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!! []+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[] +!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+ [])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+ (![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+! +[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![] +[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]] +(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]] +(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
  • 13. Bit quirks • All numbers are floats
 http://www.2ality.com/2012/04/number-encoding.html • Bit shifts are tricky ! ! ! • “The right operand should be less than 32, but if not only the low five bits will be used.”
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/ Bitwise_Operators 1 << 31 // -2147483648! 1 << 32 // 1
 1 << 33 // 2! 1 << 31 << 1 // 0! 1 << 31 >> 31 // -1
 1 << 31 >>> 31 // 1. Sigh!
  • 14. Weak typing • A lot of gotchas & silent type conversions
 ! ! ! • Devs don’t use types. This matters to crypto! // From wtfjs.com! ! true == 'true'! false != 'false'! ! Math.min() > Math.max()! ! typeof null == 'object'! !(null instanceof Object)
  • 15. Weak typing • Cryptocat adventures with entropy
 http://tobtu.com/decryptocat.php ! ! ! • != 64 random bytes. • Entropy loss - 512 bits => 212 bits // Generate private key (64 random bytes)! var rand = Cryptocat.randomString(64, 0, 0, 1, 0); "7065451732615196458..." // Generates a random string of length `size` characters.! // If `alpha = 1`, random string will contain alpha characters, // and so on.! // If 'hex = 1', all other settings are overridden.! Cryptocat.randomString = function(! size, alpha, uppercase, numeric, hex)
  • 16. Magic properties • Cryptocat - a multiparty chat application • Check if we don’t yet have the user’s key (=new user). 
 Generate shared secrets (hmac key + encryption key) ! ! • Decrypt incoming message (if you have a secret already) if (!publicKeys[sender]) {! publicKeys[sender] = receivedPublicKey;! multiParty.genSharedSecret(sender);! } if (sharedSecrets[sender]) {! if (message[myName]['hmac'] === HMAC(ciphertext, ! sharedSecrets[sender]['hmac'])) {! message = decryptAES(ct, sharedSecrets[sender]['msg']);! return message;! }
  • 17. Magic properties • Meet __proto__. Always there ! ! • publicKeys[‘__proto__’] == true, so shared secret is never generated • But sharedSecrets[‘__proto__’] == true, so decryption throws exception • [CVE 2013-4100] Joining chat as __proto__ breaks chat for everyone.
 http://www.2ality.com/2012/01/objects-as-maps.html publicKeys = {one: "1", two: "2"}! publicKeys['__proto__'] // {}! Boolean(publicKeys[‘__proto__’]) // true
  • 18. Magic properties • Python has them too! • Kill an application by submitting a hash algorithm __delattr__ • http://blog.kotowicz.net/2013/12/breaking-google- appengine-webapp2.html
  • 19. Silent errors ! ! • Out-of-bounds array access does not throw error • At least it returns harmless undefined
 (I‘m looking at you, C) a = [1];! a[0] // 1! a[1000] // undefined. No error!
  • 20. Unicode fun • JS strings are unicode, not byte arrays • String.charCodeAt(index) returns the numeric Unicode value of the character • Not a byte value! • https://speakerdeck.com/mathiasbynens/hacking- with-unicode
  • 21. 16 snowmen attack! • Reveals AES key by encrypting Unicode and decrypting the result
 http://vnhacker.blogspot.com/2014/06/why- javascript-crypto-is-useful.html ☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃
  • 23. Encrypting… function SubBytes(state, Sbox) // state = [9740, 9796, 9743, ...] ! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [undefined, undefined, ...]! }
  • 24. Implicit type coercion function MixColumns(state) { // [undefined, undefined, ...]! c0 = state[I(0,col)]; // c0 = undefined,...! state[I(0,col)] = aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! return state! }! ! function aes_mul(a, b) { // 2, undefined! var res = 0;! res = res ^ b; // 0 ^ undefined = 0 :)! } aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! undefined ^ undefined ^ 0 ^ 0 // 0
  • 26. Decrypting… • Decrypt the ciphertext with the same key • In last round: ! ! ! • plaintext = key ⊕ [0x52, 0x52, …] • key = plaintext ⊕ [0x52, 0x52, …] function SubBytes(state, Sbox) // state = [0, 0, …]! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [0x52, 0x52, …]! }
  • 27. Type coercion CVE-2014-0092 GnuTLS certificate validation bypass
 http://blog.existentialize.com/the-story-of-the-gnutls-bug.html! ! ! ! • C has no exceptions. Errors were reported as negative numbers. But callers treated return value as a boolean:
 
 /* Checks if the issuer of a certificate is a! * Certificate Authority
 * Returns true or false, if the issuer is a CA,! * or not.! */! static int! check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,! unsigned int flags) if (ret == 0) { /*cert invalid, abort */}
  • 28. Language issues • They are not unique to Javascript • You can overcome them! • ES 5 strict mode
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/ Functions_and_function_scope/Strict_mode • Type enforcing - e.g. Closure Compiler
 https://developers.google.com/closure/compiler/ • Development practices: tests, continuous integration, code reviews
  • 30. Web platform • Javascript code runs in a JS engine…
 *Monkey, v8, Nitro, Chakra, SunSpider • In an execution environment…
 browser renderer process, server process • With different APIs available…
 DOM, WebCrypto, browser extension API • With different restriction/isolation policies…
 Same Origin Policy, CSP, iframe sandbox, extension security policies • These conditions are much more important to crypto!
  • 31. XSS • Web is full of it • Any XSS is RCE equivalent for web • XSS can bypass any crypto code in the same origin • replace a PRNG • exfiltrate the key or plaintext • replace the public key • There are XSSes in crypto code
  • 32. XSS • Mailvelope - DOM XSS in Gmail by sending encrypted <img onerror=alert(1)> to the victim
  • 33. XSS • [CVE 2013-2259] Cryptocat used client side filtering of nickname / conversation name. ! ! ! ! • Chrome extension: CSP, only UI Spoofing • Firefox extension: XSS = RCE in the OS
  • 34. RCE in non-JS crypto • [CVE-2014-3466] A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.
  • 35. Poor randomness • Math.random() is not good enough • You can recover the state cross-origin
 http://ifsec.blogspot.com/2012/05/cross-domain- mathrandom-prediction.html • Instead, use crypto.getRandomValues() in browsers* and crypto.randomBytes() in node.js. * IE 11 and greater, poor mobile browser support
  • 36. Poor randomness • OpenPGP.js RSA encryption padding /**! * Create a EME-PKCS1-v1_5 padding! */! encode: function(message, length) {! //...! for (var i = 0; i < length - message.length - 3; i++) {! r += String.fromCharCode(random.getPseudoRandom(1, 255)); ! }! return r;! }! ! random.getPseudoRandom: function(from, to) {! return Math.round(Math.random() * (to - from)) + from; ! }
  • 37. Poor randomness • [CVE-2013-4102] Cryptocat uses BOSH for XMPP transport.
 “The session identifier (SID) and initial request identifier (RID) are security-critical and therefore MUST be both unpredictable and non-repeating.” ! ! this.rid = Math.floor(Math.random() * 4294967295);
  • 38. Non-JS randomness fail Debian OpenSSL fiasco (2006-2008)! • OpenSSL used uninitialized memory buffers as entropy sources • Debian maintainer analyzed OpenSSL with Valgrind, asked openssl-dev about the warnings. Group said - go ahead, just remove the calls. • Only process ID remained in the entropy pool • ssh-keygen - only 32K possible keys
 http://research.swtch.com/openssl
  • 39. Timing side-channels • Timing differences are measurable • Attacks are not remote • same CPU, • same thread (<iframe>) • Demonstrated by Eduardo Vela Nava
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web-application- timing.html
 “It is possible to bruteforce an 18 digit number in about 3 minutes on most machines.” (cross-domain!)
  • 40. Timing side-channels • OpenPGP.js RSA decryption unpadding ! ! ! ! ! • This needs to be constant time to avoid Bleichenbacher’s attack
 http://archiv.infsec.ethz.ch/education/fs08/secsem/ Bleichenbacher98.pdf /**! * Decodes a EME-PKCS1-v1_5 padding! */! decode: function(message, len) {! if (message.length < len)! message = String.fromCharCode(0) + message; // branching! if (message.length < 12 || message.charCodeAt(0) !== 0 ||! message.charCodeAt(1) != 2) // branching! return -1; // early exit! var i = 2;! return message.substring(i + 1, message.length);! }
  • 41. Timing side-channels • Similar problem in Java - JSSE (RSA used in TLS)
 http://www-brs.ub.ruhr-uni-bochum.de/netahtml/ HSS/Diss/MeyerChristopher/diss.pdf • [CVE-2012-5081] Different error messages • [CVE-2014-0411] Timing side-channel - random numbers were generated only on invalid padding
  • 42. Compiler optimisation • JS engine is a blackbox. Even correct constant-time code can be optimised.
 http://stackoverflow.com/questions/18476402/how-to-disable-v8s-optimizing-compiler • Problems are not unique to the web: ! ! ! • Constant-time algorithm meets timing differences in Intel DIV instruction
 https://www.imperialviolet.org/2013/02/04/luckythirteen.html // golang.org/src/pkg/crypto/subtle/constant_time.go! func ConstantTimeByteEq(x, y uint8) int {! z := ^(x ^ y)! z &= z >> 4! z &= z >> 2! z &= z >> 1! return int(z)! }
  • 43. Direct memory access • Remember Heartbleed? • Not a crypto vulnerability, but it allowed to bypass the encryption by just reading memory • client sends a large payload length + a tiny payload • no bounds check in the server • server replies with leaked memory contents
  • 44. Direct memory access • Thankfully, JS is a memory-safe language. We have no buffers to overflow…
  • 45. Direct memory access • Pwn2Own 2014, Firefox 28, Jüri Aedla
 “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the Javascript heap, allowing for arbitrary code execution.”
 https://www.mozilla.org/security/announce/2014/mfsa2014-31.html • Pwnium 4, Chrome 33, geohot (George Hotz)
 https://code.google.com/p/chromium/issues/detail?id=351787
 
 
 
 
 var ab = new ArrayBuffer(SMALL_BUCKET);! ab.__defineGetter__("byteLength",function(){return 0xFFFFFFFC;});! var aaa = new Uint32Array(ab);! // all your base are belong to us
  • 46. Direct memory access • Browsers are an attack surface as well • network stack • HTML parser • JS engine • Any URL in any tab can trigger an exploit
  • 47. Browser architecture • Firefox - single process
 http://lwn.net/Articles/576564/ • IE - multiprocess, sandboxed from OS
 http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx • Chrome - multiprocess, sandboxed from other tabs
 http://www.chromium.org/developers/design-documents/sandbox
  • 48. Malware problem • Any malware can circumvent native crypto software as well. Kernels have vulnerabilities too. • GnuPG was bypassed by the authorities by simply installing a keylogger.
 https://www.gnupg.org/faq/gnupg-faq.html#successful_attacks • For JS crypto - your browser is the OS. Browser security = host security • There is one difference though…
  • 49. Application delivery • You don’t install websites • Code delivery and execution is transparent (drive- by download) • Huge code execution playground, running code separated by Same Origin Policy only • Roughly half of the users use the browser with any kind of sandbox
  • 50. Is JS crypto doomed? • Create perfect, XSS-free, constant time JS code • Ensure server will never be compromised • Put it in a website, serve over HTTPS • You’re safe until someone uses: • a browser exploit • a Same Origin Policy bypass • How can we fix this?
  • 52. Browser extension • Not a plugin (Java, Flash, PDF reader) • A Javascript application running in privileged execution environment • You need to install it
  • 53. Browser extension • Secure, signed code delivery • Better separation from websites than just Same Origin Policy • Much smaller attack surface • Process isolation in Chrome
 http://www.chromium.org/developers/design- documents/site-isolation
  • 54. Browser extension • Not a perfect solution! • Your API needs to be secure too • XSS in extension is possible. XSS = native code execution in Firefox
 http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff- attacking-with-google-chrome-extensions • Chrome Extensions can share processes when limits are hit (use Chrome App to be sure)
  • 55. Recommendations • Use isolated environment (server side, browser extension) • Use compilers to force strict typing • Use CSP to mitigate XSS • Use constant time operations (as much as you can) • Protect the exposed functions • Use request throttling to mitigate side-channel exploitation
  • 56. Open problems • Timing sidechannels are exploitable and hard to fix
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web- application-timing.html • No mlock() equivalent - secrets can be swapped to disk • No secure store yet (wait for WebCrypto) • Extensions silently auto-update • Lack of full process isolation yet
  • 57. Summary • JS crypto is way better than it used to be • A lot of perceived “JS crypto flaws” are present in other languages as well • The platform issues are much more difficult to mitigate • in-website crypto has too large attack surface • use extensions only
  • 58. The end Me:
 http://blog.kotowicz.net, @kkotowicz, krzysztof@kotowicz.net More vulns:
 https://cure53.de/pentest-report_mailvelope.pdf
 https://cure53.de/pentest-report_openpgpjs.pdf
 https://blog.crypto.cat/wp-content/uploads/2012/11/Cryptocat-2-Pentest-Report.pdf Thanks to people who helped and inspired
 (in Math.random() order): 
 Mario Heiderich, Franz Antesberger, Juraj Somorovsky, Ian Beer, Ivan Fratric, Eduardo Vela Nava, Thai Duong, Frederic Braun, Ben Hawkes, Stephan Somogyi, Daniel Bleichenbacher, Adam Langley, Mathias Biennia