Client sidesec 2013-intro
- 2. O Web Security Research Team Leader at
Imperva
O Holds MSc & BSc degree in CS/EE from TAU
O 10+ years of experience in IS domain
O Facebook “white hat”
O Speaker at RSA, BlackHat, AusCERT
O Columnist for securityweek.com
Presenter: Tal Be’ery, CISSP
© Tal Be’ery 2013
- 3. Agenda
O The Web: then and now
O HTTP , Javascript (JS), HTML 5
O Security
O Javascript Security and the Same Origin Policy
(SOP)
O Bypassing SOP script injection
O XSS, MITM, Malvertising
O Bypassing SOP
O CSRF, MITM, Side channels
O Bypassing SOP: Implemetation bugs
© Tal Be’ery 2013
- 5. Genesis
O In the beginning there was nothingness…
O Not even the WWW
© Tal Be’ery 2013
- 6. Let there be light
O 1990 - Tim Berners-Lee
specified HTML
O Implemented the first
O Client (browser)
O server software
O The project was not formally
adopted by CERN
© Tal Be’ery 2013
- 7. HTTP + HTML = Truck +
Cargo
Cargo: HTML
O HyperText Mark-up
Language
O Language for displaying
annotated text
O Implemented by a browser
O Truck: HTTP
O HyperText Transfer Protocol
O Protocol for sending HTML
O Implemented by the server
and the browser
© Tal Be’ery 2013
- 9. HTTP 0.9
O http://www.w3.org/Protocols/HTTP/AsImplemented.html
O 1 pager
O URL – Unified Resource Locator
O Protocol : // hostname [ : port ] / path [ ? searchwords ]
O http://www.example.com/home.html
O Flow:
O Client creates a TCP connection to host
O Request
O GET + path. GET /home.html rnrn
O Response
O <HTML>…</HTML>
O The server terminates the TCP/IP connection
© Tal Be’ery 2013
- 10. HTML 1.0 + HTTP 0.9
O HTML 1.0 supports only displaying
annotated text
O Document headers, links,etc.
O HTTP 0.9 only supported transmitting
annotated text
O Yet, a standard method to share data
across machines
© Tal Be’ery 2013
- 12. The first open source server -
1995
O APACHE - a patchy server
© Tal Be’ery 2013
- 13. From web pages to web
application
O What makes an application
O IPO + S model
O Input
O Proccesing
O Output
O Storage
© Tal Be’ery 2013
- 15. Web application - processing
O HTTP server handles HTTP Protocol
O Application server process requests’
parameters
© Tal Be’ery 2013
- 16. Web application - storage
O Result – Web application is connected to
mission critical servers containing
sensitive data
© Tal Be’ery 2013
- 17. Web application - output
O HTML 2.0 gives richer experience
O Richer content
O Image
O Interactive
O Forms
© Tal Be’ery 2013
- 18. HTTP
O Runs over TCP port 80
O Stateless - each exchange of request-
response messages is autonomous
transaction, may use different TCP
connection
© Tal Be’ery 2013
- 19. HTTP 1.0
O RFC 1945: 1996, 59 pages
O Richer content content meta data
O Implemented as HTTP headers
O Interactivity
O More Methods
O Other requirements - such as:
O Response codes
O Authorization
O Character sets
© Tal Be’ery 2013
- 20. HTTP 1.1
O RFC 2616: 1999, 176 pages
O Improvements (1.1 not 2.0), mostly to
transmission efficiency:
O Caching
O Compression
O Persistent connections
O Pipe lining
© Tal Be’ery 2013
- 21. HTTPS
O SSL provides encrypted authenticate channel
O HTTPS is HTTP over SSL
O Port 443
O Protect data on transit, not data at rest!
O Will be covered in depth later
© Tal Be’ery 2013
- 23. HTTP Request
GET /search?q=Introduction+to+XML HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-
US; rv:1.7.2) Gecko/20040803
Accept:
text/xml,application/xml,application/xhtml+x
ml,
text/html;q=0.9,text/plain;q=0.8,image/png,*/*
;q=0.5
Accept-Language: da,en-
us;q=0.8,en;q=0.5,sw;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.com/
O A verb indicating HTTP method
O Requested URL -
protocol://hostname[:port]/[path/]file[?param=value]
O Path for the requested resource
O An optional query string containing parameters
to that resource (pairs of: parameter
name=parameter value)
O Query string indicated by the ? character in the
URL
O HTTP version
O Headers – typical:
O Referer : indicates URL from which the request
originated
O User-Agent : provides information about
browser or client that generated the request
O Host: specifies hostname that appeared in full
URL being accessed
O Cookie: additional parameters that the server
has issued to the client
Request body (empty here)
© Tal Be’ery 2013
- 24. HTTP Response
O HTTP version
O Numeric status code indicating
result of request
O Textual “reason phrase” further
describing status of response
O Headers – typical:
O Server: used web server software,
installed modules, server operating system
etc.
O Set-Cookie: issue browser a cookie; will be
submitted back in the Cookie header of
subsequent requests to this server
O Pragma: instruct browser not to store the
response in its cache
O Expires: response content expired in the
past and should not be cached
O Content-Type: type of data in the body of
this message
O Content-Length: length of message body
(bytes)
O Response body (e.g. HTML page)
HTTP/1.1 200 OK
Date: Fri, 17 Sep 2009 07:59:01 GMT
Server: Apache/2.0.50 (Unix) mod_perl/1.99_10
Perl/v5.8.4 mod_ssl/2.0.50 OpenSSL/0.9.7d
DAV/2 PHP/4.3.8 mod_bigwig/2.1-3
Last-Modified: Tue, 24 Feb 2009 08:32:26 GMT
ETag: "ec002-afa-fd67ba80"
Accept-Ranges: bytes
Content-Length: 2810
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD
HTML 4.01 Transitional//EN">
<html>...</html>
© Tal Be’ery 2013
- 25. HTTP Popular Methods
O GET – show resource
O POST – send data to resource
O HEAD - Asks for the response identical to
the one that would correspond to a GET
request, but without the response body.
© Tal Be’ery 2013
- 26. HTTP Additional Methods
O PUT – create/overwrite resource
O DELETE - Deletes the resource.
O TRACE - Echoes back the received request
O OPTIONS - Returns the HTTP methods that
the server supports for specified URL.
O CONNECT - Converts the request connection
to a transparent TCP/IP tunnel, usually to
facilitate SSL-encrypted communication
(HTTPS) through an unencrypted HTTP proxy
O PATCH - Is used to apply partial modifications
to a resource
© Tal Be’ery 2013
- 27. URL
O HTTP is text based protocol
O Some characters are not allowed
O have special meaning - ?, &, rn
O Non printable
O Null
O Therefore, they need to be decoded
O & %26
O http://meyerweb.com/eric/tools/dencoder/
© Tal Be’ery 2013
- 28. HTTP Headers
O Provide metadata
O Name value pair
O Name: value
O End of header – CRLF
O Some headers can take multiple values
O Name:value1, value2.
O Or
O Name:value1
O Name:value2
O Server should generally ignore headers it doesn’t
support
O Non standard headers are usually prefixed “X-…”
© Tal Be’ery 2013
- 29. Cookies to Adding State
O Application needs state for flows
O Server sets the cookie
O Set-Cookie: name=value
O The browser attaches the cookie to every request of the
domain
O Cookie: name=value
O Persistent cookie
O Set-Cookie: name2=value2; Expires=Wed, 09-Jun-
2021 10:18:14 GMT
O Session cookie – does not have Expires
O cleared by the browser when its closed
© Tal Be’ery 2013
- 30. Cookie additional attributes
O HTTPonly – not accessible by script
O Secure – should only be used under SSL
O Domain, Path – Cookie scope
O Example:
O Set-Cookie:
LSID=DQAAA; Domain=docs.foo.com;
Path=/accounts; Expires=Wed, 13-Jan-
2021 22:23:01 GMT; Secure; HttpOnly
© Tal Be’ery 2013
- 31. Key Drivers for Web Evolution
O Mobile and Cloud apps
want native “look and
feel”
O The browser is the new
OS:
O Chrome OS
O Firefox OS
O Emerging standards
© Tal Be’ery 2013
- 35. To Evolve
O Client side needs to be more independent
and interactive
O Client side scripting with Javascript
O Client side needs to more rich
O HTML 5
© Tal Be’ery 2013
- 36. Web evolution – Take I
http://i219.photobucket.com/albums/cc190/listtamaru/Evolution.jpg
© Tal Be’ery 2013
- 37. Web Evolution – Take 2
O Baby: cute but passive
O Kid: more active but needs to ask
the parents (server)
O Teenager: independent! (sort of)
© Tal Be’ery 2013
- 38. Web evolution – Take 3
http://www.evolutionoftheweb.com/img/Evolution_of_the_web.jpg
© Tal Be’ery 2013
- 41. WebStorage
O With HTML5, web pages can store data
locally within the user's browser.
O Earlier, this was done with cookies.
O As opposed to cookies the data is not
included with every server request:
O More Secures
O Does not affect the website's performance.
O A web page can only access data stored by
itself.
© Tal Be’ery 2013
- 43. GeoLocation
O The HTML5 Geolocation API is used to
get the geographical position of a user.
O Since this can compromise user privacy,
the position is not available unless the
user approves it.
© Tal Be’ery 2013
- 45. WebSocket
O HTTP uses the Client/Server paradigm
O WebSocket is FULL DUPLEX
communication protocol
O Ideal for real time web applications
O WebSocket is a tunnel over HTTP
© Tal Be’ery 2013
- 50. WebWorkers
O Scripting is not single threaded anymore
O To avoid concurrency problem the DOM is
not accessible from a WebWorker context
http://devfiles.myopera.com/articles/2452/web-workers-explained.png
© Tal Be’ery 2013
- 52. WebRTC
O Web Real Time Communication
O Enables browser-to-browser applications
for voice calling, video chat, and P2P file
sharing without plugins.
© Tal Be’ery 2013
- 54. Cross Origin Resource Sharing
(CORS)
O Javascript can create HTTP requests without
navigation
O In the past it was limited by the browser to
same origin only
O To allow “mesh-up”s, it was changed:
O The browser allows a request to other
destinations
O For some actions, a “pre-flight” OPTIONS
request is sent (see
http://www.html5rocks.com/en/tutorials/cors/)
O The destination tells the browser if it allows
CORS by specifying the CORS header
© Tal Be’ery 2013
- 56. Mobile Related
O Touch events
O Device Motion
O Device Orientation
http://www.html5rocks.com/en/tutorials/device/orientation/
© Tal Be’ery 2013
- 60. HTML
O HyperText Markup Language (HTML) is
the main markup language for creating
web pages and other information that can
be displayed in a web browser.
(Wikipedia)
© Tal Be’ery 2013
- 61. CSS
O Cascading Style Sheets (CSS) is a style
sheet language used for describing the
presentation semantics (the look and
formatting) of a document written in a
markup language (Wikipedia)
© Tal Be’ery 2013
- 62. Browser’s HTML processing
O Simplified
O Real world (Web Gecko)
http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/
© Tal Be’ery 2013
- 63. The DOM
O Document Object Model
O The DOM is a programming API for
documents
O Javascript can query and change the
document (“Web page”) through the DOM
© Tal Be’ery 2013
- 64. The DOM Illustrated
O The DOM on an object structure that
closely resembles the structure of the
documents it models
© Tal Be’ery 2013
- 66. Javascript in a nutshell
O Javascript is a general purpose language
O functions, loops, conditions
O Object based
O Interpreted
O Dynamic typing: types are associated with
values, not with variables
© Tal Be’ery 2013
- 67. Javascript: Not Just for
Browsers
O Application servers:
O Node.js
O Embedded scripting language:
O Adobe reader
O Browser extensions
© Tal Be’ery 2013
- 69. Emscripten
O LLVM to JavaScript compiler.
O Takes LLVM bytecode (can be generated
from C/C++ using Clang) and compiles
that into JavaScript.
O https://github.com/kripken/emscripten/wiki
© Tal Be’ery 2013
- 71. Javascript App demo: PDF.JS
O A faithful and efficient Portable Document
Format (PDF) renderer without native
code assistance.
http://mozilla.github.io/pdf.js/web/viewer.html
© Tal Be’ery 2013
- 74. Javascript Performance (2)
O Getting close to native code
http://arstechnica.com/information-technology/2013/05/native-level-performance-on-the-web-a-brief-examination-of-asm-js/2/
© Tal Be’ery 2013
- 80. Invocation with Pseudo
Protocol
O Javascript invocation can be invoked from
any HTML element that expects an URL
by using the “javascript” pseudo protocol.
O E.g. <a href="javascript:myFunc();">
© Tal Be’ery 2013
- 81. Same Origin Policy (SOP)
O “The same-origin policy restricts how a
document or script loaded from one origin
can interact with a resource from another
origin.”
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
© Tal Be’ery 2013
- 82. What’s Origin?
O Origin
O Protocol – e.g. HTTP, HTTPS, FTP etc.
O Port – e.g. 80,443, etc.
O Host – e.g. “www.example.com”
© Tal Be’ery 2013
- 83. SOP Threat Model
Communicati
on
Custom Code
Accounts
Finance
Administratio
n
Transactions
Knowledge
Mgmt
E-Commerce
Bus.
Functions
Victim Application
3
Vulnerable site sees
legitimate request
from victim
performs the action
requested
And sends a
response
Attacker sets the trap on some website on the internet1
2
While logged into vulnerable site,
victim views attacker site
Victim site interaction
Some interaction
with victim site
© Tal Be’ery 2013
- 84. Same Origin Drill
O Is ‘http://store.company.com/dir/page.html’
in the same origin?
URL
Outcom
e
Reason
http://store.company.com/dir2/other.html Success
http://store.company.com/dir/inner/another.ht
ml
Success
https://store.company.com/secure.html Failure Different protocol
http://store.company.com:81/dir/etc.html Failure Different port
http://news.company.com/dir/other.html Failure Different host
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
© Tal Be’ery 2013
- 86. Working Around SOP
Script Injection
O Creating Script in the target’s origin
O XSS
O Malvertising
O Breaking into site/ Watering hole attack
O MITM
© Tal Be’ery 2013
- 87. Working Around SOP
Non Javascript Leakage
O SOP usually allows the transaction, just
blocks Javascript access to response data
O CSRF
O Eavesdropping
O Side channels
O Human
O UI Redressing (“Clickjacking”)
O Interactive attacks
O Technical
O Timing
O Other
© Tal Be’ery 2013
Editor's Notes
- http://www.w3.org/History/19921103-hypertext/hypertext/WWW/TheProject.html
- http://www.w3.org/Addressing/HTTPAddressing.html
http://www.w3.org/Protocols/HTTP/AsImplemented.html
- http://www.w3.org/Protocols/HTTP/AsImplemented.html
- http://tools.ietf.org/html/rfc1866
- http://www.ietf.org/rfc/rfc1945.txt
- http://www.ietf.org/rfc/rfc1945.txt
- http://www.evolutionoftheweb.com/
- http://www.codeproject.com/Articles/162783/HTML5-Web-Storage-in-Essence
- http://browserquest.mozilla.org/
- http://en.wikipedia.org/wiki/HTML
- http://en.wikipedia.org/wiki/Cascading_Style_Sheets
- http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/
- http://mozilla.github.io/pdf.js/web/viewer.html
- http://www.zdnet.com/the-big-browser-benchmark-january-2013-edition-7000009776/
- http://arstechnica.com/information-technology/2013/05/native-level-performance-on-the-web-a-brief-examination-of-asm-js/2/
- http://www.w3schools.com/tags/ref_eventattributes.asp
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript