Web Client Side Security
Tal Be’ery @Verint, 2013
© Tal Be’ery 2013

Presenter: Tal Be’ery, CISSP
- Web Security Research Team Leader at Imperva
- Holds MSc & BSc degrees in CS/EE from TAU
- 10+ years of experience in the IS domain
- Facebook “white hat”
- Speaker at RSA, BlackHat, AusCERT
- Columnist for securityweek.com

Agenda
- The Web: then and now
  - HTTP, Javascript (JS), HTML 5
- Security
  - Javascript security and the Same Origin Policy (SOP)
  - Bypassing SOP: script injection
    - XSS, MITM, Malvertising
  - Bypassing SOP
    - CSRF, MITM, side channels
  - Bypassing SOP: implementation bugs

The World Wide Web Evolution

Genesis
- In the beginning there was nothingness…
- Not even the WWW

Let there be light
- 1990 - Tim Berners-Lee specified HTML
- Implemented the first
  - Client (browser)
  - Server software
- The project was not formally adopted by CERN

HTTP + HTML = Truck + Cargo
- Cargo: HTML
  - HyperText Mark-up Language
  - Language for displaying annotated text
  - Implemented by a browser
- Truck: HTTP
  - HyperText Transfer Protocol
  - Protocol for sending HTML
  - Implemented by the server and the browser

The first web page - 1993

HTTP 0.9
- http://www.w3.org/Protocols/HTTP/AsImplemented.html
- A one-pager
- URL – Uniform Resource Locator
  - protocol://hostname[:port]/path[?searchwords]
  - http://www.example.com/home.html
- Flow:
  - Client creates a TCP connection to the host
  - Request: GET + path, e.g. GET /home.html\r\n\r\n
  - Response: <HTML>…</HTML>
  - The server terminates the TCP/IP connection

HTML 1.0 + HTTP 0.9
- HTML 1.0 supports only displaying annotated text
  - Document headers, links, etc.
- HTTP 0.9 only supported transmitting annotated text
- Yet, a standard method to share data across machines

The first widely used browser - 1993

The first open source server - 1995
- APACHE - “a patchy server”

From web pages to web applications
- What makes an application: the IPO + S model
  - Input
  - Processing
  - Output
  - Storage

Web application - input
- GET parameters
- POST parameters

Web application - processing
- The HTTP server handles the HTTP protocol
- The application server processes the requests’ parameters

Web application - storage
- Result – the web application is connected to mission critical servers containing sensitive data

Web application - output
- HTML 2.0 gives a richer experience
  - Richer content
    - Images
  - Interactive
    - Forms

HTTP
- Runs over TCP port 80
- Stateless - each exchange of request-response messages is an autonomous transaction and may use a different TCP connection

HTTP 1.0
- RFC 1945: 1996, 59 pages
- Richer content: content metadata
  - Implemented as HTTP headers
- Interactivity
  - More methods
- Other requirements, such as:
  - Response codes
  - Authorization
  - Character sets

HTTP 1.1
- RFC 2616: 1999, 176 pages
- Improvements (1.1, not 2.0), mostly to transmission efficiency:
  - Caching
  - Compression
  - Persistent connections
  - Pipelining

HTTPS
- SSL provides an encrypted, authenticated channel
- HTTPS is HTTP over SSL
- Port 443
- Protects data in transit, not data at rest!
- Will be covered in depth later

HTTP Proxies
[Diagram: the browser sends a Request to the server and the server returns a Response; a proxy may sit between them]
- Proxy (on behalf of the client): caching proxy, security proxy
- Reverse proxy (on behalf of the server): load balancer, security (WAF)

HTTP Request

    GET /search?q=Introduction+to+XML HTTP/1.1
    Host: www.google.com
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: da,en-us;q=0.8,en;q=0.5,sw;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.google.com/

- A verb indicating the HTTP method
- Requested URL: protocol://hostname[:port]/[path/]file[?param=value]
  - Path for the requested resource
  - An optional query string containing parameters to that resource (pairs of parameter name=parameter value)
  - The query string is indicated by the ? character in the URL
- HTTP version
- Headers – typical:
  - Referer: indicates the URL from which the request originated
  - User-Agent: provides information about the browser or client that generated the request
  - Host: specifies the hostname that appeared in the full URL being accessed
  - Cookie: additional parameters that the server has issued to the client
- Request body (empty here)

HTTP Response
- HTTP version
- Numeric status code indicating the result of the request
- Textual “reason phrase” further describing the status of the response
- Headers – typical:
  - Server: the web server software used, installed modules, server operating system etc.
  - Set-Cookie: issues the browser a cookie; it will be submitted back in the Cookie header of subsequent requests to this server
  - Pragma: instructs the browser not to store the response in its cache
  - Expires: the response content expired in the past and should not be cached
  - Content-Type: type of data in the body of this message
  - Content-Length: length of the message body (bytes)
- Response body (e.g. HTML page)

    HTTP/1.1 200 OK
    Date: Fri, 17 Sep 2009 07:59:01 GMT
    Server: Apache/2.0.50 (Unix) mod_perl/1.99_10 Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d DAV/2 PHP/4.3.8 mod_bigwig/2.1-3
    Last-Modified: Tue, 24 Feb 2009 08:32:26 GMT
    ETag: "ec002-afa-fd67ba80"
    Accept-Ranges: bytes
    Content-Length: 2810
    Content-Type: text/html

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>...</html>

HTTP Popular Methods
- GET – show resource
- POST – send data to resource
- HEAD - asks for a response identical to the one that would correspond to a GET request, but without the response body

HTTP Additional Methods
- PUT – create/overwrite resource
- DELETE - deletes the resource
- TRACE - echoes back the received request
- OPTIONS - returns the HTTP methods that the server supports for the specified URL
- CONNECT - converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy
- PATCH - applies partial modifications to a resource

URL
- HTTP is a text-based protocol
- Some characters are not allowed
  - Those that have special meaning: ?, &, \r\n
  - Non-printable characters
  - Null
- Therefore, they need to be percent-encoded (and decoded again by the receiver)
  - & becomes %26
- http://meyerweb.com/eric/tools/dencoder/
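
The encoding rule above, worked through as an added example that is not part of the slides: parseQuery and buildQuery are hand-written helpers (not a library API) that follow the order a server uses, splitting on & and = first and percent-decoding each piece afterwards, which is exactly why an & inside a value must travel as %26. The sample query strings are constructed.

```javascript
// Decode one name or value: '+' means space in query strings, then
// percent-decode; a malformed escape such as "%zz" is reported, not ignored.
function decodeComponent(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    throw new Error('malformed percent-encoding in ' + JSON.stringify(s));
  }
}

// Split on & and = BEFORE decoding, as a server does. An encoded %26 therefore
// stays inside its value, while a raw & starts a new parameter.
function parseQuery(qs) {
  const params = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = decodeComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeComponent(eq === -1 ? '' : pair.slice(eq + 1));
    params[name] = value;
  }
  return params;
}

// Encode each name and value separately, then join with the reserved separators.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// The characters the slide lists, and the escapes they are sent as.
function encodedForms() {
  return {
    ampersand: encodeURIComponent('&'),   // "%26"
    question: encodeURIComponent('?'),    // "%3F"
    crlf: encodeURIComponent('\r\n'),     // "%0D%0A"
    nul: encodeURIComponent('\0'),        // "%00"
  };
}
```

Note that parseQuery('q=a&b') yields two parameters while parseQuery('q=a%26b') yields one whose value contains the ampersand; that difference is the whole reason for the encoding step.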

HTTP Headers
- Provide metadata
- Name-value pairs
  - Name: value
  - End of header – CRLF
- Some headers can take multiple values
  - Name: value1, value2
  - Or
    - Name: value1
    - Name: value2
- A server should generally ignore headers it doesn’t support
- Non-standard headers are usually prefixed “X-…”
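
The message layouts from the HTTP 0.9, HTTP Request, HTTP Response and HTTP Headers slides, as one added parser that is not part of the slides: it reads the start line, the CRLF-terminated header block and a Content-Length-bounded body, lower-cases header names (they are case-insensitive), keeps a header that appears on several lines as a list, and accepts the HTTP/0.9 form, which has no version token and no headers. The sample messages are constructed from the slides' examples, with a deliberately short body.

```javascript
// Parse "Name: value" lines into { name: [value, ...] }. Values are not split
// on commas here because headers such as Date legitimately contain commas;
// a caller may split list-typed headers (Accept, Accept-Encoding) itself.
function parseHeaders(lines) {
  const headers = {};
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('malformed header line: ' + JSON.stringify(line));
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

function parseHttpMessage(raw) {
  const sep = raw.indexOf('\r\n\r\n');            // blank line ends the header block
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const rest = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n').filter(l => l.length > 0);
  if (lines.length === 0) throw new Error('empty message');
  const tokens = lines[0].split(' ');
  const msg = { headers: {}, body: '' };

  if (/^HTTP\/\d\.\d$/.test(tokens[0])) {
    // Status line: HTTP-version SP status-code SP reason-phrase
    msg.kind = 'response';
    msg.version = tokens[0];
    msg.status = parseInt(tokens[1], 10);
    msg.reason = tokens.slice(2).join(' ');
  } else {
    // Request line: method SP request-target [SP HTTP-version]
    msg.kind = 'request';
    msg.method = tokens[0];
    const target = tokens[1] || '/';
    const q = target.indexOf('?');
    msg.path = q === -1 ? target : target.slice(0, q);
    msg.query = q === -1 ? '' : target.slice(q + 1);   // text after the '?'
    msg.version = tokens.length >= 3 ? tokens[2] : 'HTTP/0.9';
  }

  if (msg.version !== 'HTTP/0.9') msg.headers = parseHeaders(lines.slice(1));
  const declared = msg.headers['content-length'];
  msg.body = declared ? rest.slice(0, parseInt(declared[0], 10)) : rest;
  return msg;
}

// Constructed samples based on the request and response shown on the slides
const SAMPLE_REQUEST = [
  'GET /search?q=Introduction+to+XML HTTP/1.1',
  'Host: www.google.com',
  'User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803',
  'Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9',
  'Accept: text/plain;q=0.8,image/png,*/*;q=0.5',   // same header on a second line
  'Accept-Encoding: gzip,deflate',
  'Connection: keep-alive',
  'Referer: http://www.google.com/',
  '', '',
].join('\r\n');

const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Date: Fri, 17 Sep 2009 07:59:01 GMT',
  'Server: Apache/2.0.50 (Unix)',
  'Content-Length: 13',
  'Content-Type: text/html',
  '',
  '<html></html>bytes beyond Content-Length are not part of the body',
].join('\r\n');

const SAMPLE_HTTP09 = 'GET /home.html\r\n\r\n';
```

The response sample shows why Content-Length matters: whatever follows the declared 13 bytes belongs to the next message on a persistent connection, not to this one.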

Cookies to Add State
- The application needs state for flows
- The server sets the cookie
  - Set-Cookie: name=value
- The browser attaches the cookie to every request to the domain
  - Cookie: name=value
- Persistent cookie
  - Set-Cookie: name2=value2; Expires=Wed, 09-Jun-2021 10:18:14 GMT
- Session cookie – does not have Expires
  - Cleared by the browser when it is closed

Cookie additional attributes
- HttpOnly – not accessible by script
- Secure – should only be sent over SSL
- Domain, Path – cookie scope
- Example:
  - Set-Cookie: LSID=DQAAA; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly
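
The scoping rules from the two cookie slides, as an added example that is not part of the slides: parseSetCookie reads a Set-Cookie header into its attributes and cookieSentTo applies Domain, Path, Secure and Expires to a request URL the way a browser's cookie jar does (a simplified model of RFC 6265 matching). The setting host, the request URLs and the clock values are constructed; the cookie itself is the slide's example.

```javascript
// settingHost is the host that sent the Set-Cookie header; without a Domain
// attribute the cookie is "host-only" and goes back to that exact host.
function parseSetCookie(header, settingHost) {
  const parts = header.split(';').map(p => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: settingHost.toLowerCase(),
    hostOnly: true,
    path: '/',
    expires: null,          // null means a session cookie
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const eqAt = attr.indexOf('=');
    const key = (eqAt === -1 ? attr : attr.slice(0, eqAt)).toLowerCase();
    const val = eqAt === -1 ? '' : attr.slice(eqAt + 1);
    switch (key) {
      case 'domain':
        cookie.domain = val.toLowerCase().replace(/^\./, '');
        cookie.hostOnly = false;      // Domain widens scope to that domain and its subdomains
        break;
      case 'path':
        cookie.path = val || '/';
        break;
      case 'expires':
        // The "13-Jan-2021" spelling is normalised to "13 Jan 2021" so Date can parse it
        cookie.expires = new Date(val.replace(/(\d{1,2})-([A-Za-z]{3})-(\d{4})/, '$1 $2 $3'));
        break;
      case 'secure':
        cookie.secure = true;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
    }
  }
  return cookie;
}

function isSessionCookie(cookie) { return cookie.expires === null; }

// HttpOnly keeps the cookie out of document.cookie; it is still sent on requests.
function readableByScript(cookie) { return !cookie.httpOnly; }

// Path match: equal, or the request path continues the cookie path at a '/' boundary
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would a browser attach this cookie to a request for urlString at time `now`?
function cookieSentTo(cookie, urlString, now) {
  const url = new URL(urlString);
  const host = url.hostname.toLowerCase();
  if (cookie.expires !== null && cookie.expires <= now) return false;   // expired
  if (cookie.secure && url.protocol !== 'https:') return false;        // Secure
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith('.' + cookie.domain);
  if (!domainOk) return false;                                         // Domain
  return pathMatches(url.pathname, cookie.path);                       // Path
}
```

With the slide's cookie, a request to https://docs.foo.com/accounts/login carries it, while the same path over plain http, a request to /other, or a request to mail.foo.com does not.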

Key Drivers for Web Evolution
- Mobile and cloud apps want native “look and feel”
- The browser is the new OS:
  - Chrome OS
  - Firefox OS
- Emerging standards

Contemporary web page - 2013

Cloud Apps

The Browser is The New OS

To Evolve
- The client side needs to be more independent and interactive
  - Client side scripting with Javascript
- The client side needs to be richer
  - HTML 5

Web evolution – Take 1
http://i219.photobucket.com/albums/cc190/listtamaru/Evolution.jpg

Web Evolution – Take 2
- Baby: cute but passive
- Kid: more active but needs to ask the parents (server)
- Teenager: independent! (sort of)

Web evolution – Take 3
http://www.evolutionoftheweb.com/img/Evolution_of_the_web.jpg

HTML 5

HTML5
http://londonwebstorenight.appspot.com/html5/index.html

WebStorage
- With HTML5, web pages can store data locally within the user's browser.
- Earlier, this was done with cookies.
- As opposed to cookies, the data is not included with every server request:
  - More secure
  - Does not affect the website's performance.
- A web page can only access data stored by itself.

WebStorage Demo
http://www.codeproject.com/Articles/162783/HTML5-Web-Storage-in-Essence

GeoLocation
- The HTML5 Geolocation API is used to get the geographical position of a user.
- Since this can compromise user privacy, the position is not available unless the user approves it.

GeoLocation Demo
http://www.w3schools.com/html/html5_geolocation.asp

WebSocket
- HTTP uses the client/server paradigm
- WebSocket is a FULL DUPLEX communication protocol
- Ideal for real time web applications
- WebSocket is a tunnel over HTTP

WebSocket Explained

WebSocket Demo
http://browserquest.mozilla.org/

Media Capture
- getUserMedia() function
- Prompts the user for permission to use a media device such as a camera or microphone.

Camera Demo
http://www.html5camera.com/

WebWorkers
- Scripting is not single threaded anymore
- To avoid concurrency problems, the DOM is not accessible from a WebWorker context
http://devfiles.myopera.com/articles/2452/web-workers-explained.png

WebWorkers Demo
http://html5demos.com/worker

WebRTC
- Web Real Time Communication
- Enables browser-to-browser applications for voice calling, video chat, and P2P file sharing without plugins.

WebRTC Demo
https://www.webrtc-experiment.com/meeting/

Cross Origin Resource Sharing (CORS)
- Javascript can create HTTP requests without navigation
- In the past this was limited by the browser to the same origin only
- To allow “mash-up”s, it was changed:
  - The browser allows a request to other destinations
  - For some actions, a “pre-flight” OPTIONS request is sent first (see http://www.html5rocks.com/en/tutorials/cors/)
  - The destination tells the browser whether it allows CORS by specifying the CORS header
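
Both halves of the exchange just described, as an added example that is not part of the slides: needsPreflight models the browser's decision to send the OPTIONS "pre-flight" first (the conditions are the Fetch standard's "simple request" rules: GET/HEAD/POST, only safelisted headers, and a form, multipart or text/plain Content-Type), and corsResponseHeaders models a destination that emits the CORS headers only for origins on an explicit allow-list, so for any other origin the browser withholds the response from script. The allow-lists and request objects are constructed.

```javascript
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Browser side: does this cross-origin request need an OPTIONS pre-flight?
function needsPreflight(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(requestHeaders)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    const mime = value.split(';')[0].trim().toLowerCase();
    if (n === 'content-type' && !SIMPLE_CONTENT_TYPES.has(mime)) return true;
  }
  return false;
}

// Server side policy (constructed): explicit allow-lists, never a reflection of any Origin
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT'];
const ALLOWED_REQUEST_HEADERS = new Set(['content-type', 'x-requested-with']);

// req is { method, headers }; returns the CORS headers to add to the response
function corsResponseHeaders(req, allowedOrigins = ALLOWED_ORIGINS) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = v;
  const origin = h['origin'];
  // No CORS headers at all: the browser completes the request but hides the response
  if (!origin || !allowedOrigins.has(origin)) return {};
  const out = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  const requestedMethod = h['access-control-request-method'];
  if (req.method === 'OPTIONS' && requestedMethod) {
    // Pre-flight: approve only methods and headers on the allow-lists
    if (!ALLOWED_METHODS.includes(requestedMethod.toUpperCase())) return {};
    const asked = (h['access-control-request-headers'] || '')
      .split(',').map(s => s.trim()).filter(Boolean);
    if (asked.some(x => !ALLOWED_REQUEST_HEADERS.has(x.toLowerCase()))) return {};
    out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    if (asked.length) out['Access-Control-Allow-Headers'] = asked.join(', ');
    out['Access-Control-Max-Age'] = '600';   // seconds the browser may cache this answer
  }
  return out;
}
```

Vary: Origin is included so that a cached response approved for one origin is not served to another.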

CORS Demo
http://ie.microsoft.com/testdrive/html5/corsupload/

Mobile Related
- Touch events
- Device motion
- Device orientation
http://www.html5rocks.com/en/tutorials/device/orientation/

Browser Compatibility
- http://caniuse.com/

Javascript

The 3D Web Page

HTML
- HyperText Markup Language (HTML) is the main markup language for creating web pages and other information that can be displayed in a web browser. (Wikipedia)

CSS
- Cascading Style Sheets (CSS) is a style sheet language used for describing the presentation semantics (the look and formatting) of a document written in a markup language. (Wikipedia)

Browser’s HTML processing
- Simplified
- Real world (Web Gecko)
http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/

The DOM
- Document Object Model
- The DOM is a programming API for documents
- Javascript can query and change the document (“web page”) through the DOM

The DOM Illustrated
- The DOM is an object structure that closely resembles the structure of the documents it models

DOM Access Example

Javascript in a nutshell
- Javascript is a general purpose language
  - Functions, loops, conditions
- Object based
- Interpreted
- Dynamic typing: types are associated with values, not with variables

Javascript: Not Just for Browsers
- Application servers:
  - Node.js
- Embedded scripting language:
  - Adobe Reader
  - Browser extensions

Javascript: What can it do?
- Everything!
- At least everything C can do...

Emscripten
- LLVM to JavaScript compiler
- Takes LLVM bytecode (can be generated from C/C++ using Clang) and compiles that into JavaScript
- https://github.com/kripken/emscripten/wiki

Javascript App demo – Python
- Python interpreter: http://repl.it/

Javascript App demo: PDF.JS
- A faithful and efficient Portable Document Format (PDF) renderer without native code assistance
http://mozilla.github.io/pdf.js/web/viewer.html

Javascript App demo: Unreal
- http://www.unrealengine.com/html5/

Javascript Performance (1)
- Improves over the years

Javascript Performance (2)
- Getting close to native code
http://arstechnica.com/information-technology/2013/05/native-level-performance-on-the-web-a-brief-examination-of-asm-js/2/

Javascript-Browser Interaction (1)
- The page invokes Javascript through HTML directives

Javascript-Browser Interaction (2)
- Script can query and manipulate the page through the DOM

Javascript Invocation
- Direct
- Event handlers
- Pseudo protocol

Direct Invocation

Invocation with Event handlers
http://www.w3schools.com/tags/ref_eventattributes.asp

Invocation with Pseudo Protocol
- Javascript can be invoked from any HTML element that expects a URL by using the “javascript” pseudo protocol
- E.g. <a href="javascript:myFunc();">
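
The defensive counterpart of the point above, as an added example that is not part of the slides: because any URL-valued attribute can carry the "javascript" pseudo protocol, a page that writes user-supplied links into href should accept only schemes on an allow-list. safeHref relies on the WHATWG URL parser (Node's built-in URL), which, like browsers, strips leading control characters and ignores case in the scheme, so differently spelled variants of the pseudo protocol are rejected too. SITE_BASE is an assumed site address used to resolve relative links.

```javascript
const SITE_BASE = 'https://www.example.com/';          // assumed site address
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL if its scheme is allowed, else null
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate, SITE_BASE);   // relative links resolve against the site
  } catch (e) {
    return null;                           // unparsable input is not emitted
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A rejected link is rendered as plain text rather than as an anchor element
function renderLink(text, candidate) {
  const href = safeHref(candidate);
  if (href === null) return escapeHtml(text);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}
```

The check is an allow-list on the scheme, not a search for the string "javascript:"; that is what makes it hold regardless of how the scheme is spelled or padded.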

Same Origin Policy (SOP)
- “The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin.”
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

What’s an Origin?
- Origin
  - Protocol – e.g. HTTP, HTTPS, FTP etc.
  - Port – e.g. 80, 443, etc.
  - Host – e.g. “www.example.com”

SOP Threat Model
[Diagram: the victim application, with custom code in front of its business functions (Communication, Accounts, Finance, Administration, Transactions, Knowledge Mgmt, E-Commerce, Bus. Functions)]
1. The attacker sets the trap on some website on the internet
2. While logged into the vulnerable site, the victim views the attacker’s site (some interaction with the victim site follows)
3. The vulnerable site sees a legitimate request from the victim, performs the action requested and sends a response

Same Origin Drill
- Is ‘http://store.company.com/dir/page.html’ in the same origin?

URL                                             | Outcome | Reason
http://store.company.com/dir2/other.html        | Success |
http://store.company.com/dir/inner/another.html | Success |
https://store.company.com/secure.html           | Failure | Different protocol
http://store.company.com:81/dir/etc.html        | Failure | Different port
http://news.company.com/dir/other.html          | Failure | Different host

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
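
The drill, as an added example that is not part of the slides: originOf reduces a URL to the (protocol, host, port) triple from the "What's an Origin?" slide and sopVerdict reports which component differs, in the drill's own wording. It goes one step beyond the table by treating an explicitly written default port (":80" for http, ":443" for https) as equal to an omitted one, which is how browsers compare origins; the www.example.com URLs in the test are constructed, the others are the drill's.

```javascript
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ftp:': '21' };

// The origin triple: scheme, lower-cased host, and the effective port
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',   // '' when the scheme has no default
  };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// null when same-origin, otherwise the first differing component, drill-style
function sopVerdict(reference, candidate) {
  const x = originOf(reference), y = originOf(candidate);
  if (x.protocol !== y.protocol) return 'Different protocol';
  if (x.port !== y.port) return 'Different port';
  if (x.host !== y.host) return 'Different host';
  return null;
}

// Run the whole drill table against the reference page
function runDrill(reference, candidates) {
  return candidates.map(url => ({ url, verdict: sopVerdict(reference, url) }));
}
```

Note that the path never enters the comparison: /dir/page.html and /dir2/other.html are the same origin, which is why per-origin scoping (cookies aside, which have their own Path rule) cannot separate two pages of one site.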

Working Around SOP: Implementation Bugs
- Breaking out of the sandbox with an exploit
- Bugs in SOP
- Universal XSS

Working Around SOP: Script Injection
- Creating script in the target’s origin
  - XSS
  - Malvertising
  - Breaking into the site / watering hole attack
  - MITM

Working Around SOP: Non-Javascript Leakage
- SOP usually allows the transaction; it just blocks Javascript access to the response data
  - CSRF
  - Eavesdropping
  - Side channels
    - Human
      - UI redressing (“Clickjacking”)
      - Interactive attacks
    - Technical
      - Timing
      - Other