[Poland] It's only about frontend

It’s only about frontend

Sergey Belov

Digital Security

OWASP EEE. 6th of October 2015. Poland

$ whoami

• @ Digital Security

– Pentester

– ZeroNights team

• Bug hunting (Yandex, Google, CloudFlare ...)

• Speaker – OWASP RU, BlackHat 2014, HiP 2014, ZeroNights

• Like all web related security :]

What we're talking about

Frontend security ≠ client-side attacks

Example: CSRF is a client-side attack, but it depends on the server side

What we're talking about

Some techniques are well known, but some are not

What we're talking about

SOP – Same Origin Policy

scheme://domain:port + hardening

Cross Site Scripting

DOM

DOM XSS

document.write("Site is at: " + document.location.href);

http://victim.com/action#<script>alert('xss')</script>

DOM XSS

Sources:

• document.URL

• location

• document.referrer

• window.name

• localStorage

• cookies

• …

DOM XSS

Sinks:

• eval

• document.write

• (element).innerHTML

• (element).src

• setTimeout / setInterval

• execScript

• …

https://code.google.com/p/domxsswiki/
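Added example (not from the slides): the document.write sink from the DOM XSS slide, fed from the location source, beside two hardened versions. No DOM is needed: each function returns the markup or text that would reach the sink, so the difference shows up in plain Node; the URL and the stand-in element are constructed for the demonstration.

```javascript
// Attacker-controlled source, constructed here. The fragment after "#" is never
// sent to the server, so no server-side filter ever sees it.
const CONSTRUCTED_HREF = "http://victim.com/action#<script>alert('xss')</script>";

// Vulnerable pattern from the slide: untrusted string concatenated into HTML
// and handed to document.write(...).
function renderLocationUnsafe(href) {
  return "Site is at: " + href;
}

// Fix 1: HTML-encode before the string reaches an HTML sink
// (document.write, innerHTML, ...).
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"
  })[c]);
}
function renderLocationSafe(href) {
  return "Site is at: " + htmlEncode(href);
}

// Fix 2: avoid the HTML sink entirely. textContent is a text sink and never
// parses markup, so no encoding is needed.
function renderWithTextSink(href, element) {
  element.textContent = "Site is at: " + href;
  return element.textContent;
}

// Stand-in for a DOM element so the text-sink path runs outside a browser.
const fakeElement = { textContent: "" };

// Check used below: would the resulting markup start a script element?
function containsScriptTag(markup) {
  return /<script/i.test(markup);
}
```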

DOM XSS

Information leaks

JavaScript examples

testServer = host.match(/[^.]+\.((?:f|my\.XXX)\d*)\.YYY\.com/)
devServer = host.match(/^.+\.dev\.YYY\.com$/),
isXXX = testServer && testServer[1].indexOf('my.XXX') == 0,
...
internalDevHOST = '172.16.22.2';
internalProdHOST = '172.16.22.5';
...
var admin_url = '/secretArea/'

Information leaks

CSS examples

file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/browser-not-supported\.scss

file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/modules\/add-category\.scss

file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/modules\/alias-preview\.scss

MVC Frameworks

MVC Frameworks

- Templates

- New elements <rockyou></rockyou>

- Bindings

MVC Frameworks

Logic-less templates

<ul>
  <li ng-repeat="phone in phones">
    <span>{{phone.name}}</span>
    <p>{{phone.snippet}}</p>
  </li>
</ul>

MVC Frameworks

Curly braces

<ul>
  <li ng-repeat="phone in phones">
    <span>{{phone.name}}</span>
    <p>{{phone.snippet}}</p>
  </li>
</ul>

MVC Frameworks

Logic-less templates.

http://mustache.github.io/

MVC Frameworks

Mustache Security

• VueJS

• AngularJS

• CanJS

• Underscore.js

• KnockoutJS

• Ember.js

• Polymer

• Ractive.js

• jQuery

• JsRender

• Kendo UI

https://code.google.com/p/mustache-security/

MVC Frameworks

AngularJS (1.1.5) – access to window

<div class="ng-app">
  {{constructor.constructor('alert(1)')()}}
</div>

MVC Frameworks

AngularJS (1.2.18) – access to window, after the fix

{{
  (_=''.sub).call.call({}[$='constructor']
    .getOwnPropertyDescriptor(_.__proto__,$)
    .value,0,'alert(1)')()
}}

MVC Frameworks

Keeping frameworks updated is important for security!

Flash

A typical example

<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80"/>
</cross-domain-policy>

Flash

A non-typical example

<cross-domain-policy>
  ... multiple domains (some unregistered) ...
</cross-domain-policy>

Real bug bounty report - $$$

Flash

A non-typical example

<cross-domain-policy>
  ... domains from social networks (apps) ...
</cross-domain-policy>

Real bug bounty report - $$$

Flash

XSS via Flash

getURL(_root.URI,'_targetFrame');

and many other cases

https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)

Flash

CVE-2011-2461 IS BACK!

1) Vulnerable version of Adobe Flex

2) Full SOP bypass

https://github.com/ikkisoft/ParrotNG/

http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html

JSONP

Typical case

<script src="http://vuln/getInfo?c=parseResponse"></script>

JSONP

No sensitive data? But the Content-Type is:

• text/javascript

• application/javascript

• application/x-javascript

Try ?cb=new%20ActiveXObject("WScript.Shell").Exec("calc")//

And get client-side RCE (IE only; social engineering required)
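Added example (not from the slides): a JSONP endpoint that validates the callback name, so the callback parameter can only ever name a function and cannot carry script of its own. The function names and the response shape are assumptions; the rejected input is the callback value shown on the slide.

```javascript
// A JavaScript identifier, optionally dotted (e.g. "jQuery.cb123"); nothing else.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Vulnerable: the callback parameter is concatenated straight into the script
// body, so whatever the parameter holds becomes the start of the response.
function jsonpUnsafe(callback, data) {
  return callback + "(" + JSON.stringify(data) + ");";
}

// Hardened: refuse anything that is not a plain identifier, and add headers so
// the response cannot be sniffed as another type.
function jsonpSafe(callback, data) {
  if (typeof callback !== "string" || !CALLBACK_NAME.test(callback)) {
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8" },
      body: "bad callback",
    };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    // Leading "/**/" keeps the response from being interpreted via its first bytes.
    body: "/**/" + callback + "(" + JSON.stringify(data) + ");",
  };
}

// Constructed inputs: the legitimate callback from the slide and the
// callback value the slide shows being injected.
const GOOD_CB = "parseResponse";
const BAD_CB  = 'new ActiveXObject("WScript.Shell").Exec("calc")//';
const SAMPLE  = { ok: true };
```

Validating the callback only stops the parameter from carrying script; an authenticated JSONP endpoint still hands its data to any page that embeds it, which is the slide's "typical case".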

JSONP

http://www.youtube.com/watch?v=T0vwLsHUing

HTML5 Security

otherWindow.postMessage(message, targetOrigin);

Window.postMessage()

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  if (event.origin !== "http://example.org:8080")
    return;

  // ...
}

(Diagram: messages passed between Domain A and Domain B)

HTML5 Security

Window.postMessage()

if (message.origin.indexOf(".example.com") != -1)
{
  /* ... */
}

Wrong!

example.com.attacker.com

HTML5 Security

otherWindow.postMessage(message, targetOrigin);

Window.postMessage()

Iframe:

https://accounts.google.com/b/0/ListAccounts?listPages=0&mo=1&origin=https%3A%2F%2F123123.google.com

window.parent.postMessage("... sensitive data / user login etc ...", "https:\x2F\x2F123123.google.com");
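Added example (not from the slides): the substring origin check from the "Wrong!" slide beside two correct checks, exercised on a subdomain of the attacker host the slide names (a leading label is needed for the substring ".example.com" to match at all). The allowlist and hostnames are assumptions for the demonstration.

```javascript
// Origins this page is willing to accept messages from (assumed allowlist).
const TRUSTED_ORIGINS = new Set([
  "https://example.com",
  "https://app.example.com",
]);

// Wrong (the slide's check): a substring test matches any origin that merely
// contains the string, including hosts the attacker registers.
function isTrustedOriginNaive(origin) {
  return origin.indexOf(".example.com") !== -1;
}

// Right: compare the whole origin (scheme + host + port) against an allowlist.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// If any subdomain must be accepted, parse the origin and test the hostname
// suffix with the dot included, so "example.com.attacker.com" still fails.
function isTrustedSubdomainOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.protocol === "https:" &&
    (url.hostname === "example.com" || url.hostname.endsWith(".example.com"));
}

// Handler shape from the previous slide: drop the message unless the origin
// passes the check; only then touch the payload.
function receiveMessage(event, check = isTrustedOrigin) {
  if (!check(event.origin)) return null;
  return event.data;
}

// Constructed messages: one from a sibling page, one from the attacker host.
const fromFriend   = { origin: "https://app.example.com", data: "hello" };
const fromAttacker = { origin: "https://www.example.com.attacker.com", data: "evil" };
```

When sending, the same rule applies in reverse: pass the exact target origin as the second argument of postMessage rather than "*", so a page that was navigated elsewhere never receives the data.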

HTML5 security

HTTP access control (CORS)

1) Modern

2) Secure by default

3) Very hard to make a mistake

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: *

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: *

is not compatible with

Access-Control-Allow-Credentials: true

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: $origin;
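Added example (not from the slides): the three CORS configurations from the preceding slides as header-building functions, plus a check that models the browser rule the slides state (a wildcard origin is not honoured for credentialed responses). The allowlist and function names are assumptions.

```javascript
// Origins allowed to read authenticated responses (assumed allowlist).
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Weak: reflect whatever Origin the request carries (the "$origin" slide).
// Every site on the web can now read the authenticated response.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Also broken, but in the other direction: "*" together with credentials.
// Browsers refuse the combination, so the cross-origin request simply fails.
function corsHeadersWildcard() {
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Correct: echo the Origin only when it is on the allowlist, and tell caches
// the answer depends on Origin. Unlisted origins get no CORS headers at all.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser-side rule: a credentialed response is exposed to the page only if
// Allow-Origin equals the requesting origin exactly (never "*") and
// Allow-Credentials is "true".
function browserAcceptsCredentialed(headers, requestOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  return acao === requestOrigin && acac === "true";
}
```

The same exact-match allowlist is what a WebSocket server should apply to the Origin header of the handshake; a substring or regex match fails in the same way as the postMessage case.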

HTML5 security

WebSockets

1) No authorization and/or authentication

2) WSS:// for sensitive data

3) Validation

4) Check origin

5) …

HTML5 security

Example with WebSockets (Agar.IO – HTML5 game)

1) Visit Agar.IO

2) Get a new server (/findServer response, some random IP)

3) Connect (ws://) to that random IP

The random IP handles only requests with a valid origin (like agar.io). This can prevent custom clients (except cases with a full proxy on the server side)

https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

Content Security Policy

X-Content-Security-Policy: script-src js.example.com

Content Security Policy

Latest Firefox: the security csp command

Content Security Policy

@cure53 challenge – CSP bypass

• CDN with AngularJS is allowed: ajax.googleapis.com

ng-app"ng-csp ng-click=$event.view.alert(1337)>
<script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>

https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22

Extensions / SmartTV

- JS/HTML/CSS

- Interaction with DOM

- XHR queries

- Extended API

For dessert

<a href="http://external.com">Go!</a>

The request headers will include:

Referer: http://yoursite.com/

What about images, JS, CSS files?

For dessert

http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics.com/password.jpg>
...

The owner of comics.com can see all secret tokens

https://github.com/cure53/HTTPLeaks

Anything else?

Yes:

• X-Frame-Options

• Iframe protection via JS – bypassing (iframe sandboxing / race conditions)

• Switching to HTTPS (HSTS)

• DOM Clobbering (XSS - http://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream)

• Cookies (flags, domains – IE case)

• ...?

Thanks!

Any questions?

@sergeybelove
