Subresource Integrity Philippe De Ryck @PhilippeDeRyck

DeRyck EmberJSMeetup SRI2015/11/27  · Subresource Integrity 11 There is nothing you can do against these attacks Either you trust a CDN, or you host it yourself Welcome Subresource


Page 1: Subresource Integrity

Philippe De Ryck

@PhilippeDeRyck

Page 2: Who Uses Code Like This?

<script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>

<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet">

https://blog.jquery.com/2014/01/14/jquerys-content-delivery-network-you-got-served/

Page 3: Maybe It Also Puts You to Shame?

http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syrian-electronic-army/

Page 4: And If You Thought That Was Bad …

Page 5: And If You Thought That Was Bad …

http://www.cbc.ca/news/trending/anonymous-rickrolls-isis-on-twitter-after-losing-cyber-war-1.3331934

Page 6: And the Problem Is Much Worse …

https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/

Page 7: But Not So Easy To Comprehend

https://xkcd.com/932/

Page 8: Remote Content Inclusion Is Dangerous

§ You give third-party content full control over your context

  § Governed by the Same-Origin Policy of the browser

  § No separation between your code and external code

  § Access to the same privileges, data, code …

§ External scripts can

  § Read and manipulate your DOM

  § Access JS APIs with the privileges granted to your origin

  § Send requests to your origin without limitations

  § Send requests to other origins on behalf of your origin

Page 9: Large-scale Study of Remote JS Inclusions

“88.45% of the Alexa top 10,000 web sites included at least one remote JavaScript library”

https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf

Page 10: Large-scale Study of Remote JS Inclusions

https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf

Page 11: Subresource Integrity

§ There is nothing you can do against these attacks

§ Either you trust a CDN, or you host it yourself

§ Welcome Subresource Integrity (SRI)

  § W3C Candidate Recommendation since November 12, 2015

<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>

Page 12: Subresource Integrity

§ Allows you to specify a hash of an external resource

  § Using the integrity attribute on script or link tags

§ Browsers verify this hash before loading the file

  § Refuse to load the file if the hash does not match

§ SRI supports the specification of multiple hashes

  § The strongest one available will be used by the browser

<script src="myapplication.js" integrity="sha256-… sha512-…"></script>

<link href="myapp.css" rel="stylesheet" type="text/css" integrity="sha384-… sha512-…" />

Page 13: Unfortunately, SRI Enables Data Leakage

§ You can check the presence of specific external resources

  § Requests from the user’s browser, with credentials

<script src="https://some-shop.com/accountbalance" integrity="…"></script>

Candidate responses and the digest of each:

{"balance": 1234.00} dPdFnnWdXY6eHXiK+3O/OSi3OeLFHlLch1qZ3iqD3MGNXck+Oz4LETv8lnsoNyFI

{"balance": 1235.00} RasWnvVTFAiT+6NeqIJFRDDDSklMaljV0FxUQysJqUB65TGm/lFqKJkrGif2wzYj

{"balance": 1236.00} uSCKm1yloPZ7VexjyLQ+sUvakZKycl3CsblGH/9XpGV09ymyf1nKAzU5tXTFH5oi

{"balance": 1237.00} 4SI2gcfIFhX2NRE5KPbeXR87PaiCSAan6PL2mxKWndBp8wvE2Dfcn7HenpNXD0oJ

Page 14: SRI Prevents Data Leakage with CORS

§ Not needed for resources from your own origin

  § The browser allows access to these anyway

§ The crossorigin attribute controls CORS behavior

  § anonymous does not attach cookies to the request

  § use-credentials means that cookies will be present

<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>

Page 15: Simple CORS Example

Browser loads the page from www.example.com

The page issues an XHR to www.websec.be to load the user’s profile

Request to www.websec.be carries: Origin: http://www.example.com

Response from www.websec.be carries: Access-Control-Allow-Origin: http://www.example.com

Page 16: CORS Protects Legacy Servers by Design

Browser loads the page from www.example.com

The page issues an XHR to www.websec.be to load the user’s profile

Request to www.websec.be carries: Origin: http://www.example.com

Response from www.websec.be: no CORS headers present, so the browser withholds the response from the page

Page 17: Handling Credentials

§ Requests can be anonymous or authenticated

  § By default, credentials (i.e. cookies) are not sent

  § Can be enabled by setting the withCredentials flag

§ When credentials are used, the server must acknowledge this

  § By sending the Access-Control-Allow-Credentials response header

§ Aim is to prevent illegitimate use of the user’s credentials

  § Not intended to protect the server from malicious requests

Page 18: Simple CORS Example with Credentials

Browser loads the page from www.example.com

The page issues an XHR to www.websec.be to load the user’s profile

Request to www.websec.be carries: Origin: http://www.example.com and Cookie: PHPSESSID=1a2b3c4d5e6f

Response from www.websec.be carries: Access-Control-Allow-Origin: http://www.example.com and Access-Control-Allow-Credentials: true

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.websec.be/profile', false);
xhr.withCredentials = true;
xhr.send();

Page 19: Subresource Integrity with CORS

Browser loads the page from www.example.com

The page includes a script from www.websec.be with an integrity check

Request to www.websec.be carries: Origin: http://www.example.com

Response from www.websec.be carries: Access-Control-Allow-Origin: http://www.example.com

Page 20: SRI Prevents Data Leakage with CORS

§ CORS protects legacy servers

  § CORS response headers need to be present

  § If they are missing, the resource will not be loaded

§ The only reason is the integrity check

  § Simply including the script without an integrity check would still work

<script src="https://code.jquery.com/jquery-2.1.3.min.js" integrity="sha256-TXuiaAJuML3…uMLTXuiaAJ3" crossorigin="anonymous"></script>

Page 21: SRI Error Recovery

§ Failure to load a resource triggers an error event

  § Clean way to load an alternative resource yourself

§ Last-resort recovery from an integrity error

  § Host a backup version of the script on your own server

  § Load it when the main version was not loaded

<script>window.jQuery || document.write('<script src="/jquery.min.js"><\/script>');</script>

Page 22: Subresource Integrity in Practice

http://caniuse.com/#search=subres

Page 23: Subresource Integrity in Practice

openssl dgst -sha384 -binary bootstrap.min.css | openssl enc -base64 -A

https://www.srihash.org/

Page 24: Subresource Integrity in Practice

https://www.bootstrapcdn.com/

Page 25: EmberJS and Subresource Integrity

§ ember-cli-sri enables SRI for your application files

  § Hashes are automatically added during the production build process

  § Included by default for a few months already

§ Assumes your application serves files from the same origin

  § Can be configured to use a different origin or domain

Page 26: Conclusion

§ SRI gives you more control over what you include

  § Of course this only makes sense over an HTTPS channel

  § But you should be running everything over HTTPS anyway

§ If you host public libraries, enable CORS for them

  § This allows other people to use SRI for these files

§ If you build apps with external resources

  § Include an integrity attribute if CORS is supported

  § Bug the admins if CORS is not supported :-)

Page 27: About Me – Philippe De Ryck

§ Postdoctoral Researcher @ DistriNet (KU Leuven)

  § Focus on (client-side) Web security

§ Responsible for the Web Security training program

  § Dissemination of knowledge and research results

  § Target audiences include industry and researchers

§ Main author of the Primer on Client-Side Web Security

  § 7 attacker models, broken down into 10 capabilities

  § 13 attacks and their countermeasures

  § Overview of security best practices

Page 28: Subresource Integrity

Philippe De Ryck

[email protected]

/in/philippederyck

https://distrinet.cs.kuleuven.be/events/websecurity/

@PhilippeDeRyck