Subresource Integrity
Philippe De Ryck
@PhilippeDeRyck
Who Uses Code Like This?
<script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet">
https://blog.jquery.com/2014/01/14/jquerys-content-delivery-network-you-got-served/
Maybe It Also Puts You to Shame?
http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syrian-electronic-army/
And If You Thought That Was Bad …
http://www.cbc.ca/news/trending/anonymous-rickrolls-isis-on-twitter-after-losing-cyber-war-1.3331934
And the Problem Is Much Worse …
https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
But Not So Easy To Comprehend
https://xkcd.com/932/
Remote Content Inclusion Is Dangerous
§ You give third party content full control over your context
§ Governed by the Same-Origin Policy of the browser
§ No separation between your code and external code
§ Access to same privileges, data, code …
§ External scripts can
§ Read and manipulate your DOM
§ Access JS APIs with the privileges granted to your origin
§ Send requests to your origin without limitations
§ Send requests to other origins on behalf of your origin
Large-scale Study of Remote JS Inclusions
“88.45% of the Alexa top 10,000 web sites included at least one remote JavaScript library”
https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf
Subresource Integrity
§ There is nothing you can do against these attacks
§ Either you trust a CDN, or you host it yourself
§ Welcome Subresource Integrity (SRI)
§ W3C Candidate Recommendation since November 12, 2015
<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>
Subresource Integrity
§ Allows you to specify a hash of an external resource
§ Using the integrity attribute on script or link tags
§ Browsers verify this hash before loading the file
§ Refuse to load the file if the hash does not match
§ SRI supports the specification of multiple hashes
§ The strongest one available will be used by the browser
<script src="myapplication.js" integrity="sha256-… sha512-…"></script>
<link href="myapp.css" rel="stylesheet" type="text/css" integrity="sha384-… sha512-…" />
Unfortunately, SRI Enables Data Leakage
§ You can check the presence of specific external resources
§ Requests from the user’s browser, with credentials
<script src="https://some-shop.com/accountbalance" integrity="…"></script>
| Candidate response | Base64 digest of the candidate |
| --- | --- |
| {“balance”: 1234.00} | dPdFnnWdXY6eHXiK+3O/OSi3OeLFHlLch1qZ3iqD3MGNXck+Oz4LETv8lnsoNyFI |
| {“balance”: 1235.00} | RasWnvVTFAiT+6NeqIJFRDDDSklMaljV0FxUQysJqUB65TGm/lFqKJkrGif2wzYj |
| {“balance”: 1236.00} | uSCKm1yloPZ7VexjyLQ+sUvakZKycl3CsblGH/9XpGV09ymyf1nKAzU5tXTFH5oi |
| {“balance”: 1237.00} | 4SI2gcfIFhX2NRE5KPbeXR87PaiCSAan6PL2mxKWndBp8wvE2Dfcn7HenpNXD0oJ |
SRI Prevents Data Leakage with CORS
§ Not needed for resources from your own origin
§ The browser allows access to these anyway
§ The crossorigin attribute controls CORS behavior
§ Anonymous does not attach cookies to the request
§ Use-credentials means that cookies will be present
<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>
Simple CORS Example
§ The browser loads a page from www.example.com
§ The page issues an XHR to load the user’s profile from www.websec.be
§ Request to www.websec.be carries: Origin: http://www.example.com
§ Response from www.websec.be carries: Access-Control-Allow-Origin: http://www.example.com
CORS Protects Legacy Servers by Design
§ The browser loads a page from www.example.com
§ The page issues an XHR to load the user’s profile from www.websec.be
§ Request to www.websec.be carries: Origin: http://www.example.com
§ Response from www.websec.be has no CORS headers, so the browser withholds it from the page
Handling Credentials
§ Requests can be anonymous or authenticated
§ By default, credentials (i.e. cookies) are not sent
§ Can be enabled by setting the withCredentials flag
§ When credentials are used, the server must acknowledge this
§ By sending the Access-Control-Allow-Credentials response header
§ Aim is to prevent illegitimate use of the user’s credentials
§ Not intended to protect the server from malicious requests
Simple CORS Example with Credentials
§ The browser loads a page from www.example.com
§ The page issues an XHR, with credentials, to load the user’s profile from www.websec.be
§ Request to www.websec.be carries: Origin: http://www.example.com and Cookie: PHPSESSID=1a2b3c4d5e6f
§ Response from www.websec.be carries: Access-Control-Allow-Origin: http://www.example.com
§ Response from www.websec.be carries: Access-Control-Allow-Credentials: true
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.websec.be/profile', false);
xhr.withCredentials = true;
xhr.send();
Subresource Integrity with CORS
§ The browser loads a page from www.example.com
§ The page includes a script from www.websec.be with an integrity check
§ Request to www.websec.be carries: Origin: http://www.example.com
§ Response from www.websec.be carries: Access-Control-Allow-Origin: http://www.example.com
SRI Prevents Data Leakage with CORS
§ CORS protects legacy servers
§ CORS response headers need to be present
§ If they are missing, the resource will not be loaded
§ The only reason is the integrity check
§ Simply including the script without integrity check would still work
<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>
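The gating rule from the CORS and SRI slides above, as an added example (not code from the slides): before hashing a cross-origin script that carries an integrity attribute, the browser checks that the response is CORS-readable; an opaque or unacknowledged response is rejected. The function name, the lowercase-key header object and the sample responses are constructed for this example.

```javascript
// Added example: decide whether a cross-origin, integrity-checked script may be
// loaded, following the crossorigin="anonymous" / "use-credentials" rules.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// crossorigin: undefined (attribute absent), 'anonymous' or 'use-credentials'.
// headers: response headers as an object with lowercase keys (constructed).
// Returns { allowed, reason } so a caller can log why a script was refused.
function corsAllowsIntegrityCheck({ pageUrl, scriptUrl, crossorigin, headers }) {
  const pageOrigin = originOf(pageUrl);
  if (originOf(scriptUrl) === pageOrigin) {
    return { allowed: true, reason: 'same-origin: no CORS needed' };
  }
  if (crossorigin === undefined) {
    // No-CORS mode yields an opaque response: its bytes cannot be hashed.
    return { allowed: false, reason: 'no crossorigin attribute: opaque response' };
  }
  const acao = headers['access-control-allow-origin'];
  if (!acao) {
    return { allowed: false, reason: 'missing Access-Control-Allow-Origin (legacy server)' };
  }
  if (crossorigin === 'use-credentials') {
    // Credentialed mode: a wildcard is not accepted and the server must opt in.
    if (acao !== pageOrigin) {
      return { allowed: false, reason: 'ACAO must echo the page origin for credentialed requests' };
    }
    if (headers['access-control-allow-credentials'] !== 'true') {
      return { allowed: false, reason: 'missing Access-Control-Allow-Credentials: true' };
    }
    return { allowed: true, reason: 'credentialed CORS acknowledged by server' };
  }
  if (acao !== '*' && acao !== pageOrigin) {
    return { allowed: false, reason: `ACAO ${acao} does not match ${pageOrigin}` };
  }
  return { allowed: true, reason: 'anonymous CORS response is readable' };
}

// Constructed sample: a CDN response carrying ACAO: * for an anonymous include.
console.log(corsAllowsIntegrityCheck({
  pageUrl: 'https://www.example.com/',
  scriptUrl: 'https://code.jquery.com/jquery-2.1.3.min.js',
  crossorigin: 'anonymous',
  headers: { 'access-control-allow-origin': '*' },
}).allowed); // true
```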
SRI Error Recovery
§ Failure to load a resource triggers an error event
§ Clean way to load an alternative resource yourself
§ Last-resort recovery from an integrity error
§ Host a backup version of the script on your own server
§ Load when the main version was not loaded
<script>
  window.jQuery || document.write('<script src="/jquery.min.js"><\/script>');
</script>
Subresource Integrity in Practice
http://caniuse.com/#search=subres
Subresource Integrity in Practice
openssl dgst -sha384 -binary bootstrap.min.css | openssl enc -base64 -A
https://www.srihash.org/
Subresource Integrity in Practice
https://www.bootstrapcdn.com/
EmberJS and Subresource Integrity
§ Ember-cli-sri enables SRI for your application files
§ Hashes are automatically added during the production build process
§ Included by default for a few months already
§ Assumes your application serves files from the same origin
§ Can be configured to use a different origin or domain
Conclusion
§ SRI gives you more control over what you include
§ Of course this only makes sense over an HTTPS channel
§ But you should be running everything over HTTPS anyway
§ If you host public libraries, enable CORS for them
§ This allows other people to use SRI for these files
§ If you build apps with external resources
§ Include an integrity attribute if CORS is supported
§ Bug the admins if CORS is not supported :)
About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
§ Focus on (client-side) Web security
§ Responsible for the Web Security training program
§ Dissemination of knowledge and research results
§ Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
§ 7 attacker models, broken down in 10 capabilities
§ 13 attacks and their countermeasures
§ Overview of security best practices
Contact
/in/philippederyck
https://distrinet.cs.kuleuven.be/events/websecurity/
@PhilippeDeRyck