It’s only about frontend
Sergey Belov
Digital Security
OWASP EEE. 6th of October 2015. Poland
$ whoami
• @ Digital Security
– Pentester
– ZeroNights team
• Bug hunting (Yandex, Google, CloudFlare ...)
• Speaker – OWASP RU, BlackHat 2014, HiP 2014, ZeroNights
• Like all web related security :]
What we're talking about
Frontend security
≠
client side attacks
Example: CSRF is a client-side attack, but it depends on the server side
What we're talking about
Some techniques are well known
but some are not
What we're talking about
SOP
Same Origin Policy
scheme://domain:port
+ hardening
Cross Site Scripting
DOM
DOM XSS
document.write("Site is at: " + document.location.href);
http://victim.com/action#<script>alert('xss')</script>
DOM XSS
Sources
 document.URL
 location
 document.referrer
 window.name
 localStorage
 cookies
 …
DOM XSS
Sinks
 eval
 document.write
 (element).innerHTML
 (element).src
 setTimeout / setInterval
 execScript
 …
https://code.google.com/p/domxsswiki/
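The slide's `document.write(location.href)` sink beside two fixes, as an added example (not code from the slides). Functions return strings so the behaviour can be checked without a browser; the payload URL is the one on the slide, and the helper names are constructed for this example.

```javascript
// Added example, not from the slides. The payload URL is the one shown on the DOM XSS slide.
const PAYLOAD_URL = "http://victim.com/action#<script>alert('xss')</script>";

// Replace every markup-significant character with a numeric entity.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Vulnerable: a source (the URL, including the fragment the server never sees)
// is concatenated into markup and handed to a sink (document.write).
function bannerMarkupUnsafe(href) {
  return `Site is at: ${href}`;
}

// Fix 1: encode before the value reaches a markup sink.
function bannerMarkupEscaped(href) {
  return `Site is at: ${escapeHtml(href)}`;
}

// Fix 2: avoid the markup sink altogether. textContent assigns a text node, so the
// browser never parses the value as HTML; `el` is any DOM element.
function showBanner(el, href) {
  el.textContent = `Site is at: ${href}`;
}

// The fragment never leaves the browser, so server-side filters cannot help here.
function fragmentOf(href) {
  const i = href.indexOf("#");
  return i === -1 ? "" : href.slice(i + 1);
}

// What a test or reviewer looks for in the rendered output.
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}
```

`fragmentOf` makes the point of the slide concrete: everything after `#` stays in the browser, so a WAF or server-side encoder sees a harmless request while the page's own script feeds the fragment into a sink.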
DOM XSS
Information leaks
Information leaks
Javascript examples
testServer = host.match(/[^.]+.((?:f|my.XXX)d*).YYY.com/)
devServer = host.match(/^.+.dev.YYY.com$/),
isXXX = testServer && testServer[1].indexOf('my.XXX') == 0,
...
internalDevHOST = '172.16.22.2';
internalProdHOST = '172.16.22.5';
...
var admin_url = '/secretArea/'
Information leaks
CSS examples
file:///applications/hackerone/releases/20140221175929/app
/assets/stylesheets/application/browser-not-supported.scss
file:///applications/hackerone/releases/20140221175929/app
/assets/stylesheets/application/modules/add-category.scss
file:///applications/hackerone/releases/20140221175929/app
/assets/stylesheets/application/modules/alias-preview.scss
MVC Frameworks
MVC Frameworks
MVC Frameworks
- Templates
- New elements <rockyou></rockyou>
- Bindings
MVC Frameworks
Logic-less templates
<ul>
<li ng-repeat="phone in phones">
<span>{{phone.name}}</span>
<p>{{phone.snippet}}</p>
</li>
</ul>
MVC Frameworks
Curly braces
<ul>
<li ng-repeat="phone in phones">
<span>{{phone.name}}</span>
<p>{{phone.snippet}}</p>
</li>
</ul>
MVC Frameworks
Logic-less templates.
http://mustache.github.io/
MVC Frameworks
Mustache Security
• VueJS
• AngularJS
• CanJS
• Underscore.js
• KnockoutJS
• Ember.js
• Polymer
• Ractive.js
• jQuery
• JsRender
• Kendo UI
https://code.google.com/p/mustache-security/
MVC Frameworks
AngularJS (1.1.5) – access to window
<div class="ng-app">
{{constructor.constructor('alert(1)')()}}
</div>
MVC Frameworks
AngularJS (1.2.18) – access to window, after fix
{{
(_=''.sub).call.call({}[$='constructor']
.getOwnPropertyDescriptor(_.__proto__,$)
.value,0,'alert(1)')()
}}
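Why HTML-escaping alone does not stop the curly-brace injections on the AngularJS slides, and how untrusted text can be rendered inside an AngularJS 1.x template, as an added example (not code from the slides or from AngularJS). The payload is the 1.1.5 one from the slide; `escapeHtml`, the render functions and the review check are constructed for this example.

```javascript
// Added example, not from the slides. Payload taken from the AngularJS 1.1.5 slide.
const PAYLOAD = "{{constructor.constructor('alert(1)')()}}";

// Numeric-entity HTML escaping, the usual server-side defence against reflected XSS.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Escaping only. The quotes become entities, but the braces survive, and the browser
// decodes the entities into the text node before Angular reads and interpolates it.
function renderEscapedOnly(input) {
  return `<p>${escapeHtml(input)}</p>`;
}

// ng-non-bindable tells Angular to leave the element's subtree alone, so "{{" stays text.
function renderNonBindable(input) {
  return `<p ng-non-bindable>${escapeHtml(input)}</p>`;
}

// Decode the numeric entities the way the HTML parser will, to see what Angular sees.
function decodeNumericEntities(markup) {
  return markup.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Review check: is any interpolation left outside ng-non-bindable regions?
function hasLiveInterpolation(markup) {
  const outside = decodeNumericEntities(markup).replace(
    /<([a-z][a-z0-9]*)\b[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/gi,
    ""
  );
  return /\{\{[\s\S]*?\}\}/.test(outside);
}
```

The design point: server-side output encoding protects the HTML parser, but a client-side template engine runs after the parser and works on decoded text, so the defence has to be expressed in the template engine's own terms (here `ng-non-bindable`; keeping the framework current, as the next slide says, closes the sandbox escapes themselves).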
MVC Frameworks
Frameworks updating is important for security!
Flash
Flash
A typical example
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80"/>
</cross-domain-policy>
Flash
A non-typical example
<cross-domain-policy>
... multiple domains (some unregistered)...
</cross-domain-policy>
Real bug bounty report - $$$
Flash
A non-typical example
<cross-domain-policy>
...domains from social networks (apps)...
</cross-domain-policy>
Real bug bounty report - $$$
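A small audit of a `crossdomain.xml` policy covering the typical and non-typical cases above, as an added example (not code from the slides). `OWNED_DOMAINS` is an assumed list of hosts the site operator controls, and the policy text is constructed for the example.

```javascript
// Added example, not from the slides. Owned hosts and the policy text are constructed.
const OWNED_DOMAINS = ["www.example.com", "static.example.com"];

const CONSTRUCTED_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.partner-site.example" secure="false"/>
  <allow-access-from domain="old-campaign.example"/>
</cross-domain-policy>`;

// Pull every allow-access-from element and its attributes out of the policy text.
function parseAllowRules(xml) {
  const rules = [];
  const elem = /<allow-access-from\b([^>]*)\/?>/g;
  let m;
  while ((m = elem.exec(xml)) !== null) {
    const attrs = {};
    const attr = /(\w[\w-]*)="([^"]*)"/g;
    let a;
    while ((a = attr.exec(m[1])) !== null) attrs[a[1]] = a[2];
    rules.push(attrs);
  }
  return rules;
}

// One finding per risky rule. A wildcard lets any Flash app on the web make
// cookie-bearing requests; a domain outside the owned list is a third party (possibly
// unregistered, as in the bug bounty cases) that inherits the policy; secure="false"
// lets plain-http SWFs talk to an https site.
function auditCrossDomainPolicy(xml, owned = OWNED_DOMAINS) {
  const findings = [];
  for (const rule of parseAllowRules(xml)) {
    const d = rule.domain || "";
    if (d === "*") {
      findings.push({ domain: d, issue: "wildcard grants access to any site" });
    } else if (d.startsWith("*.")) {
      findings.push({ domain: d, issue: "wildcard subdomain: every host under it is trusted" });
    } else if (!owned.includes(d)) {
      findings.push({ domain: d, issue: "domain not in the owned list" });
    }
    if (rule.secure === "false") {
      findings.push({ domain: d, issue: 'secure="false" allows access from plain http' });
    }
  }
  return findings;
}
```

Run this against each policy file the site serves (including `/crossdomain.xml` on every subdomain and CDN host), and treat every domain in the list as something that must stay registered and under control for as long as the policy exists.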
Flash
XSS via Flash
getURL(_root.URI,'_targetFrame');
and many other cases
https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)
Flash
CVE-2011-2461 IS BACK!
1) Vulnerable version of Adobe Flex
2) Full SOP bypass
https://github.com/ikkisoft/ParrotNG/
http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html
JSONP
JSONP
Typical case
<script
src="http://vuln/getInfo?c=parseResponse">
</script>
JSONP
No sensitive data? But the Content-Type is:
• text/javascript
• application/javascript
• application/x-javascript
Try ?cb=new%20ActiveXObject("WScript.Shell").Exec("calc")//
And get client side RCE (IE only / social engineering is required)
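Validating the JSONP callback parameter and setting response headers so the endpoint cannot be turned into an arbitrary-script generator, as an added example (not code from the slides). The function names, the identifier pattern and the sample requests are constructed for this example.

```javascript
// Added example, not from the slides. Names and sample values are constructed.
// A callback must look like a dotted JavaScript identifier: no operators, parentheses or
// quotes, so values like the ActiveXObject one on the slide are rejected before they are echoed.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the JSONP response. The leading comment means the body never starts with
// caller-chosen bytes, nosniff stops the browser reinterpreting the type, and the JSON
// payload has U+2028/U+2029 escaped so data cannot terminate the script literal.
function jsonpResponse(callback, data) {
  if (!isSafeCallbackName(callback)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad callback" };
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${callback}(${json});`,
  };
}
```

Even a "no sensitive data" endpoint deserves this check: as the slide shows, the problem is not the data but that the response is served as executable script with a caller-chosen prefix.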
JSONP
http://www.youtube.com/watch?v=T0vwLsHUing
HTML5 security
HTML5 Security
otherWindow.postMessage(message, targetOrigin);
Window.postMessage()
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
{
if (event.origin !== "http://example.org:8080")
return;
// ...
}
Domain A
Domain B
HTML5 Security
Window.postMessage()
if (message.origin.indexOf(".example.com") != -1) {
/* ... */
}
Wrong!
example.com.attacker.com
HTML5 Security
otherWindow.postMessage(message, targetOrigin);
Window.postMessage()
Iframe
https://accounts.google.com/b/0/ListAccounts?listPages=0&mo=1&origin=https%3A%2F%2F123123.google.com
window.parent.postMessage(
"... Sensitive data / user login etc...",
"https://123123.google.com");
HTML5 security
HTTP access control (CORS)
1) Modern
2) Secure by default
3) Very hard to make a mistake
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
is not compatible with
Access-Control-Allow-Credentials: true
HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: $origin;
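The `$origin` reflection from the slide next to an allowlist, plus the check a browser applies before exposing a credentialed response, as an added example (not code from the slides). `ALLOWED_ORIGINS` and the plain header objects are constructed for this example.

```javascript
// Added example, not from the slides. Allowlist and header objects are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Reflecting the Origin header and adding credentials: any site can now read the
// authenticated response, which is exactly what the wildcard rule was meant to prevent.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Exact-match allowlist. Unknown origins get no Access-Control-Allow-Origin at all, and
// Vary: Origin stops a shared cache from replaying one origin's headers to another.
function corsHeadersAllowlisted(requestOrigin) {
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin === "string" && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// The browser-side rule behind "* is not compatible with credentials": with credentials
// the allowed origin must equal the requesting page's origin exactly, and "*" never does.
function browserExposesCredentialedResponse(responseHeaders, pageOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  return acac === "true" && acao === pageOrigin;
}
```

The reflecting version is the one that "works" in every test the developer runs, which is why it survives review; the test below shows that it also works for an origin that was never meant to be allowed.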
HTML5 security
WebSockets
1) No authorization and/or authentication
2) WSS:// - for sensitive data
3) Validation
4) Check origin
5) …
HTML5 security
Example with websockets (Agar.IO – HTML5 game)
1) Visit Agar.IO
2) Get new server (/findServer response, some random IP)
3) Connect (ws://) to some random IP
The game server at that random IP only accepts connections carrying a valid Origin (such as agar.io). This blocks custom clients, except where a full server-side proxy is used.
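One origin check serving three of the slides above, as an added example (not code from the slides): the postMessage receiver with the "Wrong!" `indexOf` test, the postMessage sender whose target origin comes from a request parameter (the ListAccounts slide), and the Origin header of a WebSocket upgrade (the Agar.IO slide). The trusted scheme and host, the fake window object and the request header objects are assumptions for this example.

```javascript
// Added example, not from the slides. Trusted scheme/host are assumed values.
const TRUSTED_SCHEME = "https:";
const TRUSTED_HOST = "example.com";

// Parse the origin and compare scheme and host exactly. A substring test on the raw
// string accepts "https://example.com.attacker.com"; this does not.
function isTrustedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false; // opaque origin
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  // A serialized origin is scheme://host[:port] and nothing else.
  if (url.protocol !== TRUSTED_SCHEME) return false;
  if (url.username || url.password || url.pathname !== "/" || url.search || url.hash) return false;
  const host = url.hostname;
  return host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST);
}

// Receiver side. Returns the accepted payload, or null when the sender is untrusted.
// `event` mirrors the fields of a MessageEvent.
function receiveMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  // Treat the payload as data: never eval it or assign it to innerHTML.
  return typeof event.data === "string" ? event.data : null;
}

// Sender side. targetOrigin is what keeps the payload from reaching a window that has
// navigated elsewhere, so a caller-supplied value must pass the same check first.
function sendSensitiveReply(targetWindow, requestedOrigin, payload) {
  if (!isTrustedOrigin(requestedOrigin)) return false;
  targetWindow.postMessage(payload, requestedOrigin);
  return true;
}

// WebSocket side: the Origin header of the Upgrade request, checked before accepting.
// Server libraries expose the upgrade request to a hook; shown here as a plain function.
function acceptWebSocketUpgrade(requestHeaders) {
  return isTrustedOrigin(requestHeaders.origin);
}
```

The same function is deliberately reused on both sides of postMessage and for the socket handshake: origin checking is one decision, and keeping it in one place is what makes a later audit of "who can talk to us" tractable.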
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
Content Security Policy
Content Security Policy
X-Content-Security-Policy:
script-src js.example.com
Content Security Policy
Content Security Policy
Latest Firefox: the `security csp` developer-toolbar command
Content Security Policy
@cure53 challenge – CSP bypass
• CDN with AngularJS is allowed ajax.googleapis.com
ng-app"ng-csp ng-click=$event.view.alert(1337)>
<script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22
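A checker for `script-src` that flags the conditions behind the challenge bypass above, as an added example (not code from the slides or from cure53). The list of library CDN hosts is an assumption for this example; `ajax.googleapis.com` is the one on the slide.

```javascript
// Added example, not from the slides. The CDN list is assumed; hosts that serve many
// libraries become script gadgets once a policy allows them.
const LIBRARY_CDNS = ["ajax.googleapis.com", "cdnjs.cloudflare.com", "code.jquery.com"];

// Parse "directive value value; directive value" into directive -> list of sources.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Strip scheme and path from a host-source, keeping "host[:port]"; wildcards stay as written.
function hostOf(source) {
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].toLowerCase();
}

function auditScriptSrc(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return ["no script-src or default-src: scripts are unrestricted"];
  const findings = [];
  for (const src of sources) {
    if (src === "'unsafe-inline'") {
      findings.push("'unsafe-inline' re-enables inline script and event handlers");
    } else if (src === "'unsafe-eval'") {
      findings.push("'unsafe-eval' allows eval, Function and setTimeout(string)");
    } else if (src === "*" || /^https?:$/i.test(src)) {
      findings.push(`${src} allows any host`);
    } else {
      const host = hostOf(src);
      if (host.startsWith("*.")) findings.push(`${src} allows every subdomain`);
      const cdn = LIBRARY_CDNS.find((c) => host === c || host.endsWith("." + c));
      if (cdn) {
        findings.push(`${src}: library CDN; a framework hosted there (AngularJS with ng-csp in the challenge) can be loaded to run attacker-controlled templates`);
      }
    }
  }
  return findings;
}
```

A clean result from this check is necessary, not sufficient: nonces or hashes on first-party scripts, and `'strict-dynamic'` where supported, are what keep an allowlist from quietly turning into "any library this host has ever published".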
Extensions / SmartTV
Extensions / SmartTV
- JS/HTML/CSS
- Interaction with DOM
- XHR queries
- Extended API
For dessert
For dessert
<a href="http://external.com">Go!</a>
The request will carry the header
Referer: http://yoursite.com/
What about images, js, css files?
For dessert
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics.com/password.jpg>
...
The owner of comics.com can see all secret tokens
https://github.com/cure53/HTTPLeaks
Anything else?
Yes:
• X-Frame-Options
• Iframe protection via JS – bypassing (iframe sandboxing / race conditions)
• Switching to HTTPS (HSTS)
• DOM Clobbering (XSS - http://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream)
• Cookies (flags, domains – IE case)
• ...?
Thanks!
Any questions?
@sergeybelove