[Poland] It's only about frontend
- 1. It’s only about frontend
Sergey Belov
Digital Security
OWASP EEE. 6th of October 2015. Poland
- 2. $ whoami
• @ Digital Security
– Pentester
– ZeroNights team
• Bug hunting (Yandex, Google, CloudFlare ...)
• Speaker – OWASP RU, BlackHat 2014, HiP 2014, ZeroNights
• Like all web related security :]
- 3. What we're talking about
Frontend security
≠
client side attacks
Example – CSRF is a client-side attack, but it depends on the server side
- 9. DOM XSS
Sinks
eval
document.write
(element).innerHTML
(element).src
setTimeout / setInterval
execScript
…
https://code.google.com/p/domxsswiki/
- 12. Information leaks
Javascript examples
testServer = host.match(/[^.]+.((?:f|my.XXX)d*).YYY.com/)
devServer = host.match(/^.+.dev.YYY.com$/),
isXXX = testServer && testServer[1].indexOf('my.XXX') == 0,
...
internalDevHOST = '172.16.22.2';
internalProdHOST = '172.16.22.5';
...
var admin_url = '/secretArea/'
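Added example (not code from the slides): a small regex-based static scanner that flags, in one pass over a JavaScript bundle, the DOM XSS sinks listed on the DOM XSS slide together with the DOM sources that usually feed them, and information leaks of the kind shown above (private IPs, dev/internal hostnames, "secret" or admin paths). The pattern lists and the sample bundle are this example's own assumptions; the sample values are constructed to resemble the snippets on the slide.

```javascript
// Added example, not from the slides: a regex-based static scanner that
// flags (a) the DOM XSS sinks listed in the talk, plus the DOM sources that
// usually feed them, and (b) information leaks of the kind shown above
// (private IPs, dev/internal hostnames, "secret"/admin paths) in a JS bundle.
// Every pattern list and the sample bundle below are this example's own.

const SINK_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/g },
  { name: 'execScript', re: /\bexecScript\s*\(/g },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/g },
  { name: 'innerHTML', re: /\.(innerHTML|outerHTML)\s*=[^=]/g },
  { name: 'src assignment', re: /\.src\s*=[^=]/g },
  { name: 'setTimeout/setInterval with string', re: /\bset(Timeout|Interval)\s*\(\s*['"`]/g },
];

// Attacker-influenced DOM sources; a sink is only a DOM XSS if one of these reaches it.
const SOURCE_PATTERNS = [
  { name: 'location', re: /\blocation\.(hash|search|href|pathname)\b/g },
  { name: 'document', re: /\bdocument\.(URL|documentURI|referrer|cookie)\b/g },
  { name: 'window.name', re: /\bwindow\.name\b/g },
];

// Information-leak heuristics: RFC 1918 addresses, dev/internal hostnames,
// and string literals holding admin/secret/debug paths.
const LEAK_PATTERNS = [
  { name: 'private IPv4', re: /\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/g },
  { name: 'internal hostname', re: /\b(dev|test|staging|internal|corp)\.[\w-]+\.[a-z]{2,}\b/gi },
  { name: 'admin/secret path', re: /['"`]\/[^'"`\s]*(admin|secret|debug|internal)[^'"`\s]*['"`]/gi },
];

function lineOf(src, index) {
  return src.slice(0, index).split('\n').length;
}

// Returns [{ kind, name, line, text }] sorted by line number.
function scan(src) {
  const findings = [];
  const run = (kind, patterns) => {
    for (const { name, re } of patterns) {
      re.lastIndex = 0; // global regexes keep state between calls
      let m;
      while ((m = re.exec(src)) !== null) {
        findings.push({ kind, name, line: lineOf(src, m.index), text: m[0] });
      }
    }
  };
  run('sink', SINK_PATTERNS);
  run('source', SOURCE_PATTERNS);
  run('leak', LEAK_PATTERNS);
  return findings.sort((a, b) => a.line - b.line);
}

// Sinks on a line that also carries a source are the ones to review first.
function sinksFedBySources(findings) {
  const sourceLines = new Set(findings.filter(f => f.kind === 'source').map(f => f.line));
  return findings.filter(f => f.kind === 'sink' && sourceLines.has(f.line));
}

// Constructed sample bundle (modelled on the slide's snippets; all values made up).
const SAMPLE_BUNDLE = [
  "var internalDevHOST = '172.16.22.2';",
  "var admin_url = '/secretArea/';",
  "var devServer = 'api.dev.example.com';",
  "document.getElementById('out').innerHTML = location.hash.slice(1);",
  "setTimeout('run(' + location.search + ')', 10);",
  "el.textContent = name; // textContent is not an HTML sink",
].join('\n');

for (const f of scan(SAMPLE_BUNDLE)) {
  console.log(`${f.kind.padEnd(6)} line ${f.line}: ${f.name} -> ${f.text}`);
}
```

The scanner is deliberately line-local: it reports sinks and sources per line and correlates them only when both appear on the same line, which is enough to triage a minified bundle but is not a taint analysis. Anything it flags as a leak still needs a human to decide whether the value is actually internal.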
- 20. MVC Frameworks
Mustache Security
• VueJS
• AngularJS
• CanJS
• Underscore.js
• KnockoutJS
• Ember.js
• Polymer
• Ractive.js
• jQuery
• JsRender
• Kendo UI
https://code.google.com/p/mustache-security/
- 22. MVC Frameworks
AngularJS (1.2.18) – access to window, after fix
{{
(_=''.sub).call.call({}[$='constructor']
.getOwnPropertyDescriptor(_.__proto__,$)
.value,0,'alert(1)')()
}}
- 29. Flash
CVE-2011-2461 IS BACK!
1) Vulnerable version of Adobe Flex
2) Full SOP bypass
https://github.com/ikkisoft/ParrotNG/
http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html
- 32. JSONP
No sensitive data? But the Content-Type is:
• text/javascript
• application/javascript
• application/x-javascript
Try ?cb=new%20ActiveXObject("WScript.Shell").Exec("calc")//
And get client-side RCE (IE only / SE is required)
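Added example, not code from the talk: a JSONP endpoint that cannot be abused through the callback parameter, which is the root cause of the slide above. The `?cb=` name comes from the slide; the identifier rule, the length limit, the headers and the response shape are this example's own assumptions.

```javascript
// Added example, not code from the talk: a JSONP endpoint that cannot be
// abused through the callback parameter. The ?cb= name follows the slide;
// the response shape and limits are this example's own assumptions.

// A callback must be a plain identifier path (foo, foo.bar, jQuery_1.cb):
// anything with parentheses, quotes or operators is rejected, not reflected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// JSON is not quite JavaScript: U+2028/U+2029 are line terminators in JS, and
// "</script>" inside a string would end an inline script. Escape both.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
}

function buildJsonpResponse(callback, data) {
  const headers = {
    'X-Content-Type-Options': 'nosniff', // stop IE/Flash content sniffing of the body
    'Cache-Control': 'no-store',
  };
  if (!isValidCallback(callback)) {
    // Reject instead of reflecting: the attacker-controlled name never reaches the body.
    return {
      status: 400,
      headers: { ...headers, 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback name',
    };
  }
  // A leading "/**/" defeats the Rosetta Flash trick, where the whole response
  // has to parse as a SWF from byte 0.
  return {
    status: 200,
    headers: { ...headers, 'Content-Type': 'application/javascript; charset=utf-8' },
    body: `/**/${callback}(${jsonForScript(data)});`,
  };
}

// Constructed requests: a legitimate client and the payload from the slide.
console.log(buildJsonpResponse('jQuery_1.cb', { ok: true }).body);
console.log(buildJsonpResponse('new ActiveXObject("WScript.Shell").Exec("calc")//', {}).status);
```

The identifier rule does the real work: once the callback can only be a dotted identifier, the response body can never contain an expression the endpoint did not write itself, whatever the Content-Type is.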
- 41. HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
is not compatible with
Access-Control-Allow-Credentials: true
- 44. HTML5 security
Example with websockets (Agar.IO – HTML5 game)
1) Visit Agar.IO
2) Get new server (/findServer response, some random IP)
3) Connect (ws://) to some random IP
The game server only accepts WebSocket handshakes whose Origin is valid (like agar.io). This can
stop custom clients (except when a full proxy on the server side forges the Origin)
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
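Added example, not the slides' code, covering the two HTML5 slides above: one exact-match origin allowlist used both for credentialed CORS responses (the `*` plus credentials problem) and for the WebSocket handshake check that the Agar.IO servers are described as doing. The allowed origins and request headers are constructed values; the reflect-anything function shows the tempting but wrong workaround next to the hardened one.

```javascript
// Added example (not from the slides): one origin allowlist applied to two
// places the talk mentions, credentialed CORS responses and WebSocket
// handshakes. The allowed origins and sample headers are assumed values.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Origins compare as exact strings (scheme + host + port). Substring or regex
// matching is how "https://app.example.com.attacker.net" slips through.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// The broken workaround: "*" with credentials is rejected by browsers, so
// people echo whatever Origin arrives. That grants every site credentialed reads.
function corsHeadersReflectAnything(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: credentials only for an allowlisted origin, echoed exactly.
// Vary: Origin keeps caches from serving one origin's headers to another.
function corsHeaders(requestOrigin) {
  if (!isAllowedOrigin(requestOrigin)) return {}; // no CORS headers: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// WebSocket handshake check. Browsers always send Origin on the Upgrade request
// and scripts cannot change it, so this stops cross-site pages. A non-browser
// client or a server-side proxy can send any Origin, which is the slide's caveat.
function acceptWebSocketUpgrade(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (String(h['upgrade'] || '').toLowerCase() !== 'websocket') return { accept: false, status: 400 };
  if (!isAllowedOrigin(h['origin'])) return { accept: false, status: 403 };
  return { accept: true, status: 101 };
}

// Constructed sample requests.
console.log(corsHeaders('https://app.example.com'));
console.log(corsHeaders('https://evil.example'));
console.log(acceptWebSocketUpgrade({ Upgrade: 'websocket', Origin: 'https://app.example.com' }));
console.log(acceptWebSocketUpgrade({ Upgrade: 'websocket', Origin: 'null' }));
```

Returning no CORS headers at all for an unknown origin is the right failure mode: the request may still reach the server (CORS does not stop that), but the browser refuses to hand the response to the calling page. The same exact-match set also rejects the `null` origin that sandboxed iframes and file:// pages send.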
- 49. Content Security Policy
@cure53 challenge – CSP bypass
• CDN with AngularJS is allowed ajax.googleapis.com
ng-app"ng-csp ng-click=$event.view.alert(1337)>
<script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22
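Added example, not from the challenge or the talk: a small CSP header parser plus a review rule for the bypass class shown above, where script-src allowlists a CDN that also serves AngularJS, so the "allowed" host becomes a script gadget. ajax.googleapis.com is the host named on the slide; the other gadget hosts, the sample policies and the 'strict-dynamic' handling (a CSP3 keyword that makes browsers ignore host allowlists) are this example's own assumptions.

```javascript
// Added example, not from the challenge or the talk: parse a CSP header and
// flag script-src allowlists that let a page load AngularJS from a CDN.
// ajax.googleapis.com is from the slide; the other hosts and the sample
// policies are this example's own assumptions.

const SCRIPT_GADGET_HOSTS = ['ajax.googleapis.com', 'cdnjs.cloudflare.com', 'cdn.jsdelivr.net'];

// "directive value value; directive ..." -> { directive: [values] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Does one CSP source expression (host, scheme or wildcard) permit loading from `host`?
function sourceAllowsHost(expr, host) {
  const e = expr.toLowerCase();
  if (e.startsWith("'")) return false;                                   // keyword, nonce or hash
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return e === 'https:' || e === 'http:'; // scheme-only: any host
  const h = e.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].split(':')[0];
  if (h === '*') return true;
  if (h.startsWith('*.')) return host.endsWith(h.slice(1));
  return h === host;
}

function reviewScriptSrc(header) {
  const policy = parseCsp(header);
  const scriptSrc = policy['script-src'] || policy['default-src'] || [];
  const lower = scriptSrc.map(s => s.toLowerCase());
  const findings = [];
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  // 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' makes script-src ineffective against XSS");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' re-enables eval/setTimeout(string) sinks");
  }
  if (!strictDynamic) { // with 'strict-dynamic' the host allowlist is ignored anyway
    for (const expr of scriptSrc) {
      for (const host of SCRIPT_GADGET_HOSTS) {
        if (sourceAllowsHost(expr, host)) {
          findings.push(`${expr} allows loading AngularJS and other script gadgets from ${host}`);
        }
      }
    }
  }
  if (!hasNonceOrHash && !strictDynamic && scriptSrc.length > 0) {
    findings.push('no nonce/hash: prefer a nonce-based policy over a host allowlist');
  }
  return findings;
}

// Constructed sample policies: the shape behind the challenge, and a nonce-based one.
const WEAK_CSP = "default-src 'self'; script-src 'self' ajax.googleapis.com";
const STRONG_CSP = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' https:";
console.log(reviewScriptSrc(WEAK_CSP));
console.log(reviewScriptSrc(STRONG_CSP));
```

The point the rule encodes is that a host allowlist is only as strong as the least useful file on the allowed host: once a CDN serves a templating library, any injection that can add a script tag and a bit of markup gets code execution without violating the policy. Nonces or hashes tie execution to scripts the server intended, which is why the review prefers them.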
- 55. Anything else?
Yes:
• X-Frame-Options
• Iframe protection via JS – bypassing (iframe sandboxing / race conditions)
• Switching to HTTPS (HSTS)
• DOM Clobbering (XSS - http://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream)
• Cookies (flags, domains – IE case)
• ...?