© Tal Be’ery 2013
Web Client Side Security
Tal Be’ery @ Verint
2013

Presenter: Tal Be’ery, CISSP
- Web Security Research Team Leader at Imperva
- Holds MSc & BSc degrees in CS/EE from TAU
- 10+ years of experience in the IS domain
- Facebook “white hat”
- Speaker at RSA, BlackHat, AusCERT
- Columnist for securityweek.com

Agenda
- The Web: then and now
  - HTTP, Javascript (JS), HTML 5
- Security
  - Javascript Security and the Same Origin Policy (SOP)
  - Bypassing SOP: script injection
    - XSS, MITM, Malvertising
  - Bypassing SOP
    - CSRF, MITM, Side channels
  - Bypassing SOP: Implementation bugs

The World Wide Web Evolution

Genesis
- In the beginning there was nothingness…
- Not even the WWW

Let there be light
- 1990 - Tim Berners-Lee specified HTML
- Implemented the first
  - Client (browser)
  - Server software
- The project was not formally adopted by CERN

HTTP + HTML = Truck + Cargo
- Cargo: HTML
  - HyperText Mark-up Language
  - Language for displaying annotated text
  - Implemented by a browser
- Truck: HTTP
  - HyperText Transfer Protocol
  - Protocol for sending HTML
  - Implemented by the server and the browser

The first web page - 1993

HTTP 0.9
- http://www.w3.org/Protocols/HTTP/AsImplemented.html
- 1 pager
- URL – Uniform Resource Locator
  - protocol://hostname[:port]/path[?searchwords]
  - http://www.example.com/home.html
- Flow:
  - Client creates a TCP connection to the host
  - Request: GET + path, e.g. GET /home.html \r\n\r\n
  - Response: <HTML>…</HTML>
  - The server terminates the TCP/IP connection

HTML 1.0 + HTTP 0.9
- HTML 1.0 supports only displaying annotated text
  - Document headers, links, etc.
- HTTP 0.9 only supported transmitting annotated text
- Yet, a standard method to share data across machines

The first widely used browser - 1993

The first open source server - 1995
- APACHE - a patchy server

From web pages to web applications
- What makes an application: the IPO + S model
  - Input
  - Processing
  - Output
  - Storage

Web application - Input
- GET parameters
- POST parameters

Web application - Processing
- HTTP server handles the HTTP protocol
- Application server processes the requests’ parameters

Web application - Storage
- Result – the web application is connected to mission-critical servers containing sensitive data

Web application - Output
- HTML 2.0 gives a richer experience
- Richer content
  - Images
- Interactive
  - Forms

HTTP
- Runs over TCP port 80
- Stateless - each exchange of request-response messages is an autonomous transaction and may use a different TCP connection

HTTP 1.0
- RFC 1945: 1996, 59 pages
- Richer content: content metadata
  - Implemented as HTTP headers
- Interactivity
  - More methods
- Other requirements, such as:
  - Response codes
  - Authorization
  - Character sets

HTTP 1.1
- RFC 2616: 1999, 176 pages
- Improvements (1.1, not 2.0), mostly to transmission efficiency:
  - Caching
  - Compression
  - Persistent connections
  - Pipelining

HTTPS
- SSL provides an encrypted, authenticated channel
- HTTPS is HTTP over SSL
- Port 443
- Protects data in transit, not data at rest!
- Will be covered in depth later

HTTP Proxies
(Figure: Browser sends Request to Proxy, Proxy forwards to Server; Response flows back the same way)
- Proxy (on behalf of the client): caching proxy, security proxy
- Reverse proxy (on behalf of the server): load balancer, security (WAF)

HTTP Request
Example request:
    GET /search?q=Introduction+to+XML HTTP/1.1
    Host: www.google.com
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803
    Accept: text/xml,application/xml,application/xhtml+xml, text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: da,en-us;q=0.8,en;q=0.5,sw;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.google.com/
- A verb indicating the HTTP method
- Requested URL - protocol://hostname[:port]/[path/]file[?param=value]
  - Path for the requested resource
  - An optional query string containing parameters to that resource (pairs of parameter name=parameter value)
  - Query string indicated by the ? character in the URL
- HTTP version
- Headers – typical:
  - Referer: indicates the URL from which the request originated
  - User-Agent: provides information about the browser or client that generated the request
  - Host: specifies the hostname that appeared in the full URL being accessed
  - Cookie: additional parameters that the server has issued to the client
- Request body (empty here)

HTTP Response
- HTTP version
- Numeric status code indicating the result of the request
- Textual “reason phrase” further describing the status of the response
- Headers – typical:
  - Server: web server software used, installed modules, server operating system, etc.
  - Set-Cookie: issues the browser a cookie; it will be submitted back in the Cookie header of subsequent requests to this server
  - Pragma: instructs the browser not to store the response in its cache
  - Expires: response content expired in the past and should not be cached
  - Content-Type: type of data in the body of this message
  - Content-Length: length of the message body (bytes)
- Response body (e.g. HTML page)
Example response:
    HTTP/1.1 200 OK
    Date: Fri, 17 Sep 2009 07:59:01 GMT
    Server: Apache/2.0.50 (Unix) mod_perl/1.99_10 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d DAV/2 PHP/4.3.8 mod_bigwig/2.1-3
    Last-Modified: Tue, 24 Feb 2009 08:32:26 GMT
    ETag: "ec002-afa-fd67ba80"
    Accept-Ranges: bytes
    Content-Length: 2810
    Content-Type: text/html

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>...</html>

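The request and response above are just text with a fixed structure: a start line, header lines terminated by CRLF, an empty line, then the body. The following parser is an added example (not from the slides or from any library the deck mentions) that pulls those parts out of both message kinds, handles the HTTP 0.9 "GET /path" form that has no version and no headers, keeps a header that appears on several lines as a list (the "Name: value1" / "Name: value2" form discussed in the headers slide), and flags a Content-Length that disagrees with the body actually received. The sample messages are constructed, abridged from the slide's examples.

```javascript
// Added example, not from the slides: a small parser for HTTP/1.x requests and
// responses (and the HTTP 0.9 request line). Header names are case-insensitive,
// so they are lower-cased; repeated headers are kept as a list.

function parseHttpMessage(raw) {
  // The header block ends at the first empty line (CRLF CRLF); the rest is body.
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") continue;
    const colon = line.indexOf(":");
    if (colon === -1) throw new Error("malformed header line: " + line);
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  const msg = { headers, body };
  const startLine = lines[0];
  if (startLine.startsWith("HTTP/")) {
    // Status line: version, numeric status code, textual reason phrase.
    const m = /^HTTP\/(\d\.\d) (\d{3}) ?(.*)$/.exec(startLine);
    if (!m) throw new Error("malformed status line: " + startLine);
    Object.assign(msg, { kind: "response", version: m[1], status: Number(m[2]), reason: m[3] });
  } else {
    // Request line: method, request target, version (absent in HTTP 0.9).
    const parts = startLine.split(" ");
    if (parts.length < 2 || parts.length > 3) throw new Error("malformed request line: " + startLine);
    const [method, target, version = "HTTP/0.9"] = parts;
    const q = target.indexOf("?"); // the ? character introduces the query string
    Object.assign(msg, {
      kind: "request",
      method,
      path: q === -1 ? target : target.slice(0, q),
      query: q === -1 ? "" : target.slice(q + 1),
      version: version.replace(/^HTTP\//, ""),
    });
  }
  // A Content-Length that disagrees with the body we actually received is a
  // framing problem: flag it rather than trusting either number.
  const cl = headers["content-length"];
  msg.lengthMismatch = cl !== undefined && Number(cl[0]) !== Buffer.byteLength(body, "utf8");
  return msg;
}

// Constructed samples, abridged from the slide's request and response.
// The repeated X-Example header shows the multi-line header form.
const SAMPLE_REQUEST =
  "GET /search?q=Introduction+to+XML HTTP/1.1\r\n" +
  "Host: www.google.com\r\n" +
  "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803\r\n" +
  "Accept-Language: da,en-us;q=0.8,en;q=0.5,sw;q=0.3\r\n" +
  "X-Example: first\r\n" +
  "X-Example: second\r\n" +
  "Connection: keep-alive\r\n" +
  "\r\n";

const SAMPLE_RESPONSE =
  "HTTP/1.1 200 OK\r\n" +
  "Date: Fri, 17 Sep 2009 07:59:01 GMT\r\n" +
  "Server: Apache/2.0.50 (Unix)\r\n" +
  "Content-Type: text/html\r\n" +
  "Content-Length: 13\r\n" +
  "\r\n" +
  "<html></html>";

console.log(parseHttpMessage(SAMPLE_REQUEST));
console.log(parseHttpMessage(SAMPLE_RESPONSE));
```

The version default is what lets the same function accept the 1993-era "GET /home.html" line from the HTTP 0.9 slide; everything after the first colon of a header line is the value, so a value containing colons (the rv:1.7.2 inside User-Agent) is not split.
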
HTTP Popular Methods
- GET – show resource
- POST – send data to resource
- HEAD - asks for a response identical to the one that would correspond to a GET request, but without the response body

HTTP Additional Methods
- PUT – create/overwrite resource
- DELETE - deletes the resource
- TRACE - echoes back the received request
- OPTIONS - returns the HTTP methods that the server supports for the specified URL
- CONNECT - converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy
- PATCH - is used to apply partial modifications to a resource

URL
- HTTP is a text-based protocol
- Some characters are not allowed in a URL:
  - Characters that have special meaning - ?, &, \r\n
  - Non-printable characters
  - Null
- Therefore, they need to be encoded, e.g. & becomes %26
- http://meyerweb.com/eric/tools/dencoder/

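The reason those characters must be encoded is that they are the delimiters of the message itself: ? and & separate parameters, CR/LF ends a header line. The added example below (not from the slides) builds a query string with each name and value percent-encoded, parses it back, and shows what happens to the same value when it is left raw; it also rejects a header value carrying a control character, since such a value cannot be encoded into safety, only refused. All inputs are constructed.

```javascript
// Added example, not from the slides: percent-encoding of query parameters and
// the effect of leaving delimiters unencoded.

function encodeQuery(params) {
  // encodeURIComponent leaves only A-Z a-z 0-9 - _ . ! ~ * ' ( ) as they are,
  // so = and & inside a value come out as %3D and %26 and no longer split it.
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

function parseQuery(qs) {
  const out = {};
  if (qs === "") return out;
  // "+" stands for a space in form encoding (the slide's q=Introduction+to+XML).
  const dec = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  for (const pair of qs.split("&")) {
    const eq = pair.indexOf("=");
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
    out[dec(rawName)] = dec(rawValue);
  }
  return out;
}

function assertHeaderSafe(value) {
  // A raw CR, LF or NUL inside a header value ends the header line (or the
  // whole header block) early, so the value must be rejected, not encoded.
  if (/[\r\n\0]/.test(value)) throw new Error("control character in header value");
  return value;
}

// Constructed demonstration: the same value encoded and raw.
console.log(encodeQuery({ q: "a&b=c?", lang: "en us" }));   // q=a%26b%3Dc%3F&lang=en%20us
console.log(parseQuery("q=a&b=c?&lang=en+us"));             // raw & splits q into three parameters
```

The pair of calls at the bottom is the whole point: the encoded form round-trips to the original two parameters, while the raw form is read by any parser as three.
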
HTTP Headers
- Provide metadata
- Name/value pairs
  - Name: value
  - End of header – CRLF
- Some headers can take multiple values
  - Name: value1, value2
  - Or on separate lines:
    - Name: value1
    - Name: value2
- The server should generally ignore headers it doesn’t support
- Non-standard headers are usually prefixed “X-…”

Cookies for Adding State
- The application needs state for flows
- The server sets the cookie
  - Set-Cookie: name=value
- The browser attaches the cookie to every request to the domain
  - Cookie: name=value
- Persistent cookie
  - Set-Cookie: name2=value2; Expires=Wed, 09-Jun-2021 10:18:14 GMT
- Session cookie – does not have Expires
  - Cleared by the browser when it is closed

Cookie additional attributes
- HttpOnly – not accessible by script
- Secure – should only be sent over SSL
- Domain, Path – cookie scope
- Example:
  - Set-Cookie: LSID=DQAAA; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly

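Whether the browser attaches a cookie to a given request is a decision made from exactly the attributes listed above. The added example below (not from the slides) parses a Set-Cookie header into those attributes and then makes that decision for a request URL: expiry (a missing Expires means a session cookie), Secure versus the request scheme, Domain (host or any subdomain) versus host-only when no Domain is given, and Path prefix matching. The LSID cookie is the slide's own example; the request URLs and the second cookie are constructed.

```javascript
// Added example, not from the slides: Set-Cookie parsing and the browser-side
// "should this cookie be sent?" check.

function parseSetCookie(header, settingHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    hostOnly: settingHost.toLowerCase(), // used when no Domain attribute is given
    domain: null,                        // Domain attribute: that host or any subdomain
    path: "/",
    expires: null,                       // null = session cookie, gone when the browser closes
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
    } else if (key === "path") {
      cookie.path = val || "/";
    } else if (key === "expires") {
      // Accept the dashed Netscape form (13-Jan-2021) as well as RFC 1123 (13 Jan 2021).
      const d = new Date(val.replace(/(\d{1,2})-([A-Za-z]{3})-(\d{4})/, "$1 $2 $3"));
      cookie.expires = isNaN(d.getTime()) ? null : d; // unparseable Expires: treat as session cookie
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

function shouldSend(cookie, requestUrl, now = new Date()) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  // A persistent cookie past its Expires date is discarded.
  if (cookie.expires && cookie.expires.getTime() <= now.getTime()) return false;
  // Secure cookies travel only over HTTPS.
  if (cookie.secure && url.protocol !== "https:") return false;
  // Domain scope: with a Domain attribute the host may be it or a subdomain of it;
  // without one, only the exact host that set the cookie gets it back.
  if (cookie.domain) {
    if (host !== cookie.domain && !host.endsWith("." + cookie.domain)) return false;
  } else if (host !== cookie.hostOnly) {
    return false;
  }
  // Path scope: the request path must equal the cookie path or sit below it.
  const p = url.pathname;
  const cp = cookie.path;
  return p === cp || (p.startsWith(cp) && (cp.endsWith("/") || p[cp.length] === "/"));
}

// Constructed usage with the slide's example cookie.
const LSID = parseSetCookie(
  "LSID=DQAAA; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly",
  "docs.foo.com"
);
console.log(LSID, shouldSend(LSID, "https://docs.foo.com/accounts/settings", new Date("2020-01-01T00:00:00Z")));
```

Note that HttpOnly plays no part in shouldSend: it does not change when the cookie is sent, only whether script on the page can read it.
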
Key Drivers for Web Evolution
- Mobile and Cloud apps want a native “look and feel”
- The browser is the new OS:
  - Chrome OS
  - Firefox OS
- Emerging standards

Contemporary web page - 2013

Cloud Apps

The Browser is The New OS

To Evolve
- The client side needs to be more independent and interactive
  - Client side scripting with Javascript
- The client side needs to be richer
  - HTML 5

Web evolution – Take 1
http://i219.photobucket.com/albums/cc190/listtamaru/Evolution.jpg

Web Evolution – Take 2
- Baby: cute but passive
- Kid: more active but needs to ask the parents (server)
- Teenager: independent! (sort of)

Web evolution – Take 3
http://www.evolutionoftheweb.com/img/Evolution_of_the_web.jpg

HTML 5

HTML5
http://londonwebstorenight.appspot.com/html5/index.html

WebStorage
- With HTML5, web pages can store data locally within the user's browser
- Earlier, this was done with cookies
- As opposed to cookies, the data is not included with every server request:
  - More secure
  - Does not affect the website's performance
- A web page can only access data stored by itself

WebStorage Demo
http://www.codeproject.com/Articles/162783/HTML5-Web-Storage-in-Essence

GeoLocation
- The HTML5 Geolocation API is used to get the geographical position of a user
- Since this can compromise user privacy, the position is not available unless the user approves it

GeoLocation Demo
http://www.w3schools.com/html/html5_geolocation.asp

WebSocket
- HTTP uses the Client/Server paradigm
- WebSocket is a FULL DUPLEX communication protocol
- Ideal for real-time web applications
- WebSocket is a tunnel over HTTP

WebSocket Explained

Media Capture
- getUserMedia() function
- Prompts the user for permission to use a media device such as a camera or microphone

WebWorkers
- Scripting is not single-threaded anymore
- To avoid concurrency problems, the DOM is not accessible from a WebWorker context
http://devfiles.myopera.com/articles/2452/web-workers-explained.png

WebRTC
- Web Real Time Communication
- Enables browser-to-browser applications for voice calling, video chat, and P2P file sharing without plugins

WebRTC Demo
https://www.webrtc-experiment.com/meeting/

Cross Origin Resource Sharing (CORS)
- Javascript can create HTTP requests without navigation
- In the past, the browser limited these requests to the same origin only
- To allow “mash-up”s, this was changed:
  - The browser allows a request to other destinations
  - For some actions, a “pre-flight” OPTIONS request is sent first (see http://www.html5rocks.com/en/tutorials/cors/)
  - The destination tells the browser whether it allows CORS by specifying the CORS response headers

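The destination's side of that exchange is a policy decision made from the request's Origin header. The added example below (not from the slides) writes it as a pure function: it answers with the CORS response headers only for origins on an explicit allow-list, compares the full origin string rather than a prefix, and handles the pre-flight OPTIONS request by checking the method and headers the browser announces. A second function shows which requests trigger a pre-flight at all. The allow-list, origins and requests are constructed.

```javascript
// Added example, not from the slides: server-side CORS decision and the
// simple-request / pre-flight distinction.

const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// req = { method, headers } with header names lower-cased.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  // No Origin header: same-origin navigation or a non-browser client; nothing to add.
  if (!origin) return {};
  // Compare the whole origin string: a prefix or substring match would also
  // accept unrelated hosts whose name merely starts with an allowed one.
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": origin,
    // Caches must key the answer on Origin, or one origin's answer is served to another.
    "Vary": "Origin",
    // Credentialed (cookie-bearing) requests are only allowed with an explicit origin, never "*".
    "Access-Control-Allow-Credentials": "true",
  };
  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantedMethod) {
    // Pre-flight: the browser asks whether the real request's method and
    // headers are acceptable before it sends that request.
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wantedMethod)) return {};
    if (!wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return {};
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache this answer
  }
  return headers;
}

// Which requests trigger a pre-flight? GET/HEAD/POST with form-style content
// types and only the browser's standard headers go straight out; anything else
// (other methods, JSON bodies, custom headers) gets an OPTIONS first.
function needsPreflight(method, headers) {
  const simpleMethods = ["GET", "HEAD", "POST"];
  const simpleTypes = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
  const simpleHeaders = ["accept", "accept-language", "content-language", "content-type"];
  if (!simpleMethods.includes(method)) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!simpleHeaders.includes(n)) return true;
    if (n === "content-type" && !simpleTypes.includes(value.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Constructed pre-flight from an allowed origin.
console.log(corsHeaders({
  method: "OPTIONS",
  headers: { origin: "https://app.example.com", "access-control-request-method": "PUT", "access-control-request-headers": "Content-Type" },
}));
```

Returning an empty object for a disallowed origin, rather than an error status, mirrors how CORS works: the server still answers, and it is the browser that withholds the response from the script because the allow header is absent.
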
CORS Demo
http://ie.microsoft.com/testdrive/html5/corsupload/

Mobile Related
- Touch events
- Device Motion
- Device Orientation
http://www.html5rocks.com/en/tutorials/device/orientation/

Browser Compatibility
- http://caniuse.com/

Javascript

The 3D Web Page

HTML
- HyperText Markup Language (HTML) is the main markup language for creating web pages and other information that can be displayed in a web browser. (Wikipedia)

CSS
- Cascading Style Sheets (CSS) is a style sheet language used for describing the presentation semantics (the look and formatting) of a document written in a markup language. (Wikipedia)

Browser’s HTML processing
- Simplified
- Real world (Web Gecko)
http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/

The DOM
- Document Object Model
- The DOM is a programming API for documents
- Javascript can query and change the document (“Web page”) through the DOM

The DOM Illustrated
- The DOM is an object structure that closely resembles the structure of the documents it models

DOM Access Example

Javascript in a nutshell
- Javascript is a general purpose language
  - Functions, loops, conditions
- Object based
- Interpreted
- Dynamic typing: types are associated with values, not with variables

Javascript: Not Just for Browsers
- Application servers:
  - Node.js
- Embedded scripting language:
  - Adobe Reader
  - Browser extensions

Javascript: What can it do?
- Everything!
- At least everything C can do..

Emscripten
- LLVM to JavaScript compiler
- Takes LLVM bytecode (which can be generated from C/C++ using Clang) and compiles it into JavaScript
- https://github.com/kripken/emscripten/wiki

Javascript App demo – Python
- Python interpreter: http://repl.it/

Javascript App demo: PDF.JS
- A faithful and efficient Portable Document Format (PDF) renderer without native code assistance
http://mozilla.github.io/pdf.js/web/viewer.html

Javascript App demo: Unreal
- http://www.unrealengine.com/html5/

Javascript Performance (1)
- Improves over the years

Javascript Performance (2)
- Getting close to native code
http://arstechnica.com/information-technology/2013/05/native-level-performance-on-the-web-a-brief-examination-of-asm-js/2/

Javascript-Browser Interaction (1)
- The page invokes Javascript through HTML directives

Javascript-Browser Interaction (2)
- Script can query and manipulate the page through the DOM

Javascript Invocation
- Direct
- Event handlers
- Pseudo protocol

Direct Invocation

Invocation with Event handlers
http://www.w3schools.com/tags/ref_eventattributes.asp

Invocation with Pseudo Protocol
- Javascript can be invoked from any HTML element that expects a URL by using the “javascript” pseudo protocol
- E.g. <a href="javascript:myFunc();">

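Because any URL-bearing attribute can carry the javascript: pseudo protocol, a page that renders links supplied by someone else should only accept the schemes it expects. The added example below (not from the slides) resolves the candidate href through the WHATWG URL parser (Node's global URL class) and allows it only when the resulting scheme is on an allow-list; parsing first means the check sees the scheme the browser would see, after the parser's own whitespace stripping and case-folding, instead of string-matching the raw text. The base URL and inputs are constructed.

```javascript
// Added example, not from the slides: scheme allow-list for user-supplied hrefs.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the resolved, absolute URL when its scheme is allowed, otherwise null
// (the caller then drops the link or renders it as plain text).
function safeHref(userHref, base = "https://www.example.com/") {
  let url;
  try {
    url = new URL(userHref, base); // relative links resolve against the page's own URL
  } catch (e) {
    return null;                    // unparseable input: no link at all
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

console.log(safeHref("/dir/page.html"));            // https://www.example.com/dir/page.html
console.log(safeHref("javascript:myFunc();"));      // null
```

A relative href is kept (it resolves to the page's own scheme), while the slide's javascript: example and any other non-listed scheme come back as null.
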
Same Origin Policy (SOP)
- “The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin.”
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

What’s an Origin?
- Origin:
  - Protocol – e.g. HTTP, HTTPS, FTP etc.
  - Port – e.g. 80, 443, etc.
  - Host – e.g. “www.example.com”

SOP Threat Model
(Figure: the victim application, built on custom code, exposes business functions - Communication, Accounts, Finance, Administration, Transactions, Knowledge Mgmt, E-Commerce, Bus. Functions. The attack flow drawn around it:)
1. The attacker sets the trap on some website on the internet
2. While logged into the vulnerable site, the victim views the attacker's site, which causes some interaction with the victim site
3. The vulnerable site sees a legitimate request from the victim, performs the action requested, and sends a response

Same Origin Drill
- Is ‘http://store.company.com/dir/page.html’ in the same origin as each of the following?

  URL                                             | Outcome | Reason
  http://store.company.com/dir2/other.html        | Success |
  http://store.company.com/dir/inner/another.html | Success |
  https://store.company.com/secure.html           | Failure | Different protocol
  http://store.company.com:81/dir/etc.html        | Failure | Different port
  http://news.company.com/dir/other.html          | Failure | Different host

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

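The drill is mechanical once the origin is written down as the triple from the previous slide. The added example below (not from the slides) computes that triple with Node's global URL class, filling in the scheme's default port so that an explicit :80 and an omitted port agree while :81 does not, and runs the drill's five URLs against the reference page. The default-port table is an assumption of this example; the drill rows are the slide's.

```javascript
// Added example, not from the slides: origin = protocol + host + port, path ignored.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL leaves port empty when it is the scheme's default; normalise it back.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The drill from the slide: [url, expected same-origin?, reason].
const DRILL = [
  ["http://store.company.com/dir2/other.html", true, "same protocol, host and port"],
  ["http://store.company.com/dir/inner/another.html", true, "path does not matter"],
  ["https://store.company.com/secure.html", false, "different protocol"],
  ["http://store.company.com:81/dir/etc.html", false, "different port"],
  ["http://news.company.com/dir/other.html", false, "different host"],
];

function runDrill(reference = "http://store.company.com/dir/page.html") {
  return DRILL.map(([url, expected, reason]) => ({
    url, reason, expected, actual: sameOrigin(reference, url),
  }));
}

console.table(runDrill());
```

Note what the comparison leaves out: the path, the query string and the fragment never enter the origin, which is why the first two rows succeed although they name different files.
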
Working Around SOP: Implementation Bugs
- Breaking out of the sandbox with an exploit
- Bugs in SOP
- Universal XSS

Working Around SOP: Script Injection
- Creating script in the target’s origin
  - XSS
  - Malvertising
  - Breaking into the site / Watering hole attack
  - MITM

Working Around SOP: Non-Javascript Leakage
- SOP usually allows the transaction, it just blocks Javascript access to the response data
  - CSRF
  - Eavesdropping
- Side channels
  - Human
    - UI Redressing (“Clickjacking”)
    - Interactive attacks
  - Technical
    - Timing
    - Other