Client sidesec 2013-intro

Web Client Side
Security
Tal Be’ery
@Verint
2013
© Tal Be’ery 2013

O Web Security Research Team Leader at
Imperva
O Holds MSc & BSc degree in CS/EE from TAU
O 10+ years of experience in IS domain
O Facebook “white hat”
O Speaker at RSA, BlackHat, AusCERT
O Columnist for securityweek.com
Presenter: Tal Be’ery, CISSP

Agenda
O The Web: then and now
O HTTP , Javascript (JS), HTML 5
O Security
O Javascript Security and the Same Origin Policy
(SOP)
O Bypassing SOP script injection
O XSS, MITM, Malvertising
O Bypassing SOP
O CSRF, MITM, Side channels
O Bypassing SOP: Implemetation bugs

The World Wide Web
Evolution

Genesis
O In the beginning there was nothingness…
O Not even the WWW

Let there be light
O 1990 - Tim Berners-Lee
specified HTML
O Implemented the first
O Client (browser)
O server software
O The project was not formally
adopted by CERN

HTTP + HTML = Truck +
Cargo
 Cargo: HTML
O HyperText Mark-up
Language
O Language for displaying
annotated text
O Implemented by a browser
O Truck: HTTP
O HyperText Transfer Protocol
O Protocol for sending HTML
O Implemented by the server
and the browser

The first web page - 1993

HTTP 0.9
O http://www.w3.org/Protocols/HTTP/AsImplemented.html
O 1 pager
O URL – Unified Resource Locator
O Protocol : // hostname [ : port ] / path [ ? searchwords ]
O http://www.example.com/home.html
O Flow:
O Client creates a TCP connection to host
O Request
O GET + path. GET /home.html rnrn
O Response
O <HTML>…</HTML>
O The server terminates the TCP/IP connection

HTML 1.0 + HTTP 0.9
O HTML 1.0 supports only displaying
annotated text
O Document headers, links,etc.
O HTTP 0.9 only supported transmitting
annotated text
O Yet, a standard method to share data
across machines

The first widely used browser -
1993

The first open source server -
1995
O APACHE - a patchy server 

From web pages to web
application
O What makes an application
O IPO + S model
O Input
O Proccesing
O Output
O Storage

Web application - Input
O GET parameters
O POST parameters

Web application - processing
O HTTP server handles HTTP Protocol
O Application server process requests’
parameters

Web application - storage
O Result – Web application is connected to
mission critical servers containing
sensitive data

Web application - output
O HTML 2.0 gives richer experience
O Richer content
O Image
O Interactive
O Forms

HTTP
O Runs over TCP port 80
O Stateless - each exchange of request-
response messages is autonomous
transaction, may use different TCP
connection

HTTP 1.0
O RFC 1945: 1996, 59 pages
O Richer content  content meta data
O Implemented as HTTP headers
O Interactivity
O More Methods
O Other requirements - such as:
O Response codes
O Authorization
O Character sets

HTTP 1.1
O RFC 2616: 1999, 176 pages
O Improvements (1.1 not 2.0), mostly to
transmission efficiency:
O Caching
O Compression
O Persistent connections
O Pipe lining

HTTPS
O SSL provides encrypted authenticate channel
O HTTPS is HTTP over SSL
O Port 443
O Protect data on transit, not data at rest!
O Will be covered in depth later

HTTP Proxies
Browse
r
Server
Request
Response
 Proxy (on behalf of client)
 Caching proxy
 Security proxy
 Reverse proxy (on behalf of server)
 Load balancer
 Security (WAF)

HTTP Request
GET /search?q=Introduction+to+XML HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-
US; rv:1.7.2) Gecko/20040803
Accept:
text/xml,application/xml,application/xhtml+x
ml,
text/html;q=0.9,text/plain;q=0.8,image/png,*/*
;q=0.5
Accept-Language: da,en-
us;q=0.8,en;q=0.5,sw;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.com/
O A verb indicating HTTP method
O Requested URL -
protocol://hostname[:port]/[path/]file[?param=value]
O Path for the requested resource
O An optional query string containing parameters
to that resource (pairs of: parameter
name=parameter value)
O Query string indicated by the ? character in the
URL
O HTTP version
O Headers – typical:
O Referer : indicates URL from which the request
originated
O User-Agent : provides information about
browser or client that generated the request
O Host: specifies hostname that appeared in full
URL being accessed
O Cookie: additional parameters that the server
has issued to the client
Request body (empty here)

HTTP Response
O HTTP version
O Numeric status code indicating
result of request
O Textual “reason phrase” further
describing status of response
O Headers – typical:
O Server: used web server software,
installed modules, server operating system
etc.
O Set-Cookie: issue browser a cookie; will be
submitted back in the Cookie header of
subsequent requests to this server
O Pragma: instruct browser not to store the
response in its cache
O Expires: response content expired in the
past and should not be cached
O Content-Type: type of data in the body of
this message
O Content-Length: length of message body
(bytes)
O Response body (e.g. HTML page)
HTTP/1.1 200 OK
Date: Fri, 17 Sep 2009 07:59:01 GMT
Server: Apache/2.0.50 (Unix) mod_perl/1.99_10
Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d
DAV/2 PHP/4.3.8 mod_bigwig/2.1-3
Last-Modified: Tue, 24 Feb 2009 08:32:26 GMT
ETag: "ec002-afa-fd67ba80"
Accept-Ranges: bytes
Content-Length: 2810
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD
HTML 4.01 Transitional//EN">
<html>...</html>

HTTP Popular Methods
O GET – show resource
O POST – send data to resource
O HEAD - Asks for the response identical to
the one that would correspond to a GET
request, but without the response body.

HTTP Additional Methods
O PUT – create/overwrite resource
O DELETE - Deletes the resource.
O TRACE - Echoes back the received request
O OPTIONS - Returns the HTTP methods that
the server supports for specified URL.
O CONNECT - Converts the request connection
to a transparent TCP/IP tunnel, usually to
facilitate SSL-encrypted communication
(HTTPS) through an unencrypted HTTP proxy
O PATCH - Is used to apply partial modifications
to a resource

URL
O HTTP is text based protocol
O Some characters are not allowed
O have special meaning - ?, &, rn
O Non printable
O Null
O Therefore, they need to be decoded
O &  %26
O http://meyerweb.com/eric/tools/dencoder/

HTTP Headers
O Provide metadata
O Name value pair
O Name: value
O End of header – CRLF
O Some headers can take multiple values
O Name:value1, value2.
O Or
O Name:value1
O Name:value2
O Server should generally ignore headers it doesn’t
support
O Non standard headers are usually prefixed “X-…”

Cookies to Adding State
O Application needs state for flows
O Server sets the cookie
O Set-Cookie: name=value
O The browser attaches the cookie to every request of the
domain
O Cookie: name=value
O Persistent cookie
O Set-Cookie: name2=value2; Expires=Wed, 09-Jun-
2021 10:18:14 GMT
O Session cookie – does not have Expires
O cleared by the browser when its closed

Cookie additional attributes
O HTTPonly – not accessible by script
O Secure – should only be used under SSL
O Domain, Path – Cookie scope
O Example:
O Set-Cookie:
LSID=DQAAA; Domain=docs.foo.com;
Path=/accounts; Expires=Wed, 13-Jan-
2021 22:23:01 GMT; Secure; HttpOnly

Key Drivers for Web Evolution
O Mobile and Cloud apps
want native “look and
feel”
O The browser is the new
OS:
O Chrome OS
O Firefox OS
O Emerging standards

Contemporary web page - 2013

Cloud Apps

The Browser is The New OS

To Evolve
O Client side needs to be more independent
and interactive
O Client side scripting with Javascript
O Client side needs to more rich
O HTML 5

Web evolution – Take I
http://i219.photobucket.com/albums/cc190/listtamaru/Evolution.jpg

Web Evolution – Take 2
O Baby: cute but passive
O Kid: more active but needs to ask
the parents (server)
O Teenager: independent! (sort of)

Web evolution – Take 3
http://www.evolutionoftheweb.com/img/Evolution_of_the_web.jpg

HTML5
http://londonwebstorenight.appspot.com/html5/index.html

WebStorage
O With HTML5, web pages can store data
locally within the user's browser.
O Earlier, this was done with cookies.
O As opposed to cookies the data is not
included with every server request:
O More Secures
O Does not affect the website's performance.
O A web page can only access data stored by
itself.

WebStorage Demo
http://www.codeproject.com/Articles/162783/HTML5-Web-Storage-in-Essence

GeoLocation
O The HTML5 Geolocation API is used to
get the geographical position of a user.
O Since this can compromise user privacy,
the position is not available unless the
user approves it.

GeoLocation Demo
http://www.w3schools.com/html/html5_geolocation.asp

WebSocket
O HTTP uses the Client/Server paradigm
O WebSocket is FULL DUPLEX
communication protocol
O Ideal for real time web applications
O WebSocket is a tunnel over HTTP

WebSocket Explained

WebSocket Demo
http://browserquest.mozilla.org/

Media Capture
O getUserMedia() function
O Prompts the user for permission to use a
media device such as a camera or
microphone.

Camera Demo
http://www.html5camera.com/

WebWorkers
O Scripting is not single threaded anymore
O To avoid concurrency problem the DOM is
not accessible from a WebWorker context
http://devfiles.myopera.com/articles/2452/web-workers-explained.png

WebWorkers Demo
http://html5demos.com/worker

WebRTC
O Web Real Time Communication
O Enables browser-to-browser applications
for voice calling, video chat, and P2P file
sharing without plugins.

WebRTC Demo
https://www.webrtc-experiment.com/meeting/

Cross Origin Resource Sharing
(CORS)
O Javascript can create HTTP requests without
navigation
O In the past it was limited by the browser to
same origin only
O To allow “mesh-up”s, it was changed:
O The browser allows a request to other
destinations
O For some actions, a “pre-flight” OPTIONS
request is sent (see
http://www.html5rocks.com/en/tutorials/cors/)
O The destination tells the browser if it allows
CORS by specifying the CORS header

CORS Demo
http://ie.microsoft.com/testdrive/html5/corsupload/

Mobile Related
O Touch events
O Device Motion
O Device Orientation
http://www.html5rocks.com/en/tutorials/device/orientation/

Browser Compatability
O http://caniuse.com/

Javascript

The 3D Web Page

HTML
O HyperText Markup Language (HTML) is
the main markup language for creating
web pages and other information that can
be displayed in a web browser.
(Wikipedia)

CSS
O Cascading Style Sheets (CSS) is a style
sheet language used for describing the
presentation semantics (the look and
formatting) of a document written in a
markup language (Wikipedia)

Browser’s HTML processing
O Simplified
O Real world (Web Gecko)
http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/

The DOM
O Document Object Model
O The DOM is a programming API for
documents
O Javascript can query and change the
document (“Web page”) through the DOM

The DOM Illustrated
O The DOM on an object structure that
closely resembles the structure of the
documents it models

DOM Access Example

Javascript in a nutshell
O Javascript is a general purpose language
O functions, loops, conditions
O Object based
O Interpreted
O Dynamic typing: types are associated with
values, not with variables

Javascript: Not Just for
Browsers
O Application servers:
O Node.js
O Embedded scripting language:
O Adobe reader
O Browser extensions

Javascript: What can it do?
O Everything!
O At least everything C can do..

Emscripten
O LLVM to JavaScript compiler.
O Takes LLVM bytecode (can be generated
from C/C++ using Clang) and compiles
that into JavaScript.
O https://github.com/kripken/emscripten/wiki

Javascript App demo – Python
O Python interpreter http://repl.it/

Javascript App demo: PDF.JS
O A faithful and efficient Portable Document
Format (PDF) renderer without native
code assistance.
http://mozilla.github.io/pdf.js/web/viewer.html

Javascript App demo: Unreal
O http://www.unrealengine.com/html5/

Javascript Performance (1)
O Improves over the years

Javascript Performance (2)
O Getting close to native code
http://arstechnica.com/information-technology/2013/05/native-level-performance-on-the-web-a-brief-examination-of-asm-js/2/

Javascript-Browser
Interaction(1)
O The page invokes Javascript through
HTML directives

Javascript-Browser
Interaction(2)
O Script can query and manipulate the page
through the DOM

Javascript Invocation
O Direct
O Event handlers
O Pseudo protocol

Direct Invocation

Invocation with Event
handlers
http://www.w3schools.com/tags/ref_eventattributes.asp

Invocation with Pseudo
Protocol
O Javascript invocation can be invoked from
any HTML element that expects an URL
by using the “javascript” pseudo protocol.
O E.g. <a href="javascript:myFunc();">

Same Origin Policy (SOP)
O “The same-origin policy restricts how a
document or script loaded from one origin
can interact with a resource from another
origin.”
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

What’s Origin?
O Origin
O Protocol – e.g. HTTP, HTTPS, FTP etc.
O Port – e.g. 80,443, etc.
O Host – e.g. “www.example.com”

SOP Threat Model
Communicati
on
Custom Code
Accounts
Finance
Administratio
n
Transactions
Knowledge
Mgmt
E-Commerce
Bus.
Functions
Victim Application
3
Vulnerable site sees
legitimate request
from victim
performs the action
requested
And sends a
response
Attacker sets the trap on some website on the internet1
2
While logged into vulnerable site,
victim views attacker site
Victim site interaction
Some interaction
with victim site

Same Origin Drill
O Is ‘http://store.company.com/dir/page.html’
in the same origin?
URL
Outcom
e
Reason
http://store.company.com/dir2/other.html Success
http://store.company.com/dir/inner/another.ht
ml
Success
https://store.company.com/secure.html Failure Different protocol
http://store.company.com:81/dir/etc.html Failure Different port
http://news.company.com/dir/other.html Failure Different host
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript

Working Around SOP
Implementation Bugs
O Breaking out of sandbox with an exploit
O Bugs in SOP
O Universal XSS

Working Around SOP
Script Injection
O Creating Script in the target’s origin
O XSS
O Malvertising
O Breaking into site/ Watering hole attack
O MITM

Working Around SOP
Non Javascript Leakage
O SOP usually allows the transaction, just
blocks Javascript access to response data
O CSRF
O Eavesdropping
O Side channels
O Human
O UI Redressing (“Clickjacking”)
O Interactive attacks
O Technical
O Timing
O Other

Client sidesec 2013-intro

Related slideshows

More Related Content

Client sidesec 2013-intro

Editor's Notes