Who am I?

• Work as a developer
• Leader of the Security Competency group at BEKK
• OWASP Norway Chapter lead
• Member of Norwegian Honeynet Project

But first...

OWASP Top 10

A1

Injection

A2

Cross Site Scripting (XSS)

A3

Broken Authentication and Session Management

A4

Insecure Direct Object Reference

A5

Cross Site Request Forgery (CSRF)

A6

Security Misconfiguration

A7

Insecure Cryptographic Storage

A8

Failure to Restrict URL Access

A9

Insufficient Transport Layer Protection

A10

Unvalidated Redirects and Forwards

A10 - Unvalidated Redirects and Forwards

http://example.com/redirect?url=http://evil.com

http://example.com/login?url=http://evil.com

Twitter september 2010

(function(q) {
  var a = location.href.split("#!")[1];
  if (a) {
    g.location = a;
  }
})

Fixing Unvalidated Redirects and Forwards

• Sanitize or white-list your redirect locations
• Do it properly

A9 - Insufficient Transport Layer Protection

• If your application has private data - always use https:
• Lock down your SSL/TLS config - SSL Server Test

• If your login page is delivered over http...
... it may not matter if the forms submits to https
• sslstrip

A8 - Failure to restrict URL access /
A4 - Insecure Direct Object Reference

• Vertical access control - roles
• Horisontal access control - data access

• Client side access control is no substitute for server side access control

A7 - Insecure Cryptographic Storage

• Browser storage
  • Deleted on logout?
  • Deleted when closing browser?
• localStorage - stored untill deleted
• sessionStorage - deleted on browser exit/restart
• Cache/Offlinerising (Hello @jaffathecake)

• Does it matter?

Server side crypto

• TM; NT
• See the OWASP Cryptographic Storage Cheat Sheet

A6 - Security Misconfiguration

• CORS:

  Access-Control-Allow-From: *
  Access-Control-Allow-Credentials: true

• Crossdomain.xml

  <?xml version="1.0" encoding="UTF-8"?>
  <cross-domain-policy>
    <allow-access-from domain="*" />
  </cross-domain-policy>

Open crossdomain.xmls

Alexa top 100 local domains:

	26
	30
	29

What about Access-control-Allow-* ?

• Access-Control-Allow-From: *
  • Allow browser to read response regardles of origin
• Access-Control-Allow-Credentials: true
  • Allow browser to include credentials in request
• Let's Shodan it

And now...

A5 - Cross Domain Request Forgery

Does your server know if the request originated from a page or javascript delivered by itself?

CSRF - Is it really a problem?

• @homakov posted a blog post with CSRF vulnerabilities in:
  • github
  • slideshare
  • vimeo
  • bitbucket
  • heroku
• Heroku bug:

  <img src=xxx/update?site_name[name]=yyy>

• ... rename site from xxx.heroku.com to yyy.heroku.com

CSRF + Cross Domain XHR

function fileUpload(url, fileData, fileName) {
 var fileSize = fileData.length;
 var boundary = "xxxxxxxxx";
 var xhr = new XMLHttpRequest();
 xhr.open("POST", url, true);
 xhr.setRequestHeader("Content-Type", 
   "multipart/form-data, boundary="+boundary);
 xhr.setRequestHeader("Content-Length", fileSize);
 var body = "--" + boundary + "\r\n";
 body += 'Content-Disposition: form-data; name="contents"; filename="'
   + fileName + '"\r\n';
 body += "Content-Type: application/octet-stream\r\n\r\n";
 body += fileData + "\r\n";
 body += "--" + boundary + "--";
 xhr.send(body);
 return true;
}

Use anti forgery tokens

$("body").bind("ajaxSend", function(elm, xhr, s){
  if (s.type === "POST") {
    xhr.setRequestHeader('X-CSRF-Token', authentication.csrf_token);
  }
});

A3 - Broken Authentication and Session Management

• How is my session terminated on log out?
  • Client-side only?
  • Server-side?
• What is left behind in Web Storage?
• How does the client know who is logged in?

• Let's not lose track of the current session policies
• Sessions should time out
• Return a 401 and handle it from JS on the client

Reflected Cross Site Scripting

Stored Cross Site Scripting

DOM-based Cross Site Scripting

DOM-based - XSS

• Occurs in javascript
• Not necessarily visible at the server

http://ex.fm/#!/explore/<script>alert("@vlycser");</script>

• Insecure handling of input in javascript

Unsafe javascript functions

• eval(string)
• setTimeout(string, delay)
• setInterval(string, delay)
• new Function(string)

Unsafe jQuery functions

• $.after()
• $.append()
• $.appendTo()
• $.before()
• $.html()
• $.insertAfter()
• $.insertBefore()
• $.prepend()
• $.prependTo()
• $.replaceAll()
• $.replaceWith()
• $.unwrap()
• $.wrap()
• $.wrapAll()
• $.wrapInner()
• $.prepend()

Safe jQuery functions

• $.text()
• $.attr() - unless attr is JS event handler

• $.encoder.canonicalize()
• $.encoder.encodeForCSS()
• $.encoder.encodeForHTML()
• $.encoder.encodeForHTMLAttribute()
• $.encoder.encodeForJavaScript()
• $.encoder.encodeForURL()

Templates?

• What kinds of coding/output-possibilites does it have?
• Does it escape input?
• What kinds of escaping?
• Is the escaping context based?

Templating example - Underscore.js

• Tags:
  • <%  %> - evaluate code
  • <%= %> - output
  • <%- %> - HTML-escaped output
• Escaping

  _.escape = function(string) {
    return (''+string).replace(/&/g, '&').
                       replace(/</g, '&lt;').
                       replace(/>/g, '&gt;').
                       replace(/"/g, '&quot;').
                       replace(/'/g, '&#x27;').
                       replace(/\//g,'&#x2F;');
  };

This is all well and good as long as...

• ... you are not outputing inside javascript event handlers.

<button onclick="return confirm('Really delete <%- model.title %>')">Delete</button>

<button onclick="return confirm('Really delete &#x27;);alert(&x27;XSS')">Delete</button>

• ... you are not using quote-less attributes:

  <img title=<%- model.title %>  ... >

  <img title=monkey onmouseover=alert(/XSS/.source) ... >

• ... you are not outputting data inside style attributes or tags
• ... you are not outputting data inside script tags

Meanwhile - elsewhere in Norway

<script language="JavaScript" type="text/javascript">
  var qs = location.search.substring(1);
  var nv = qs.split('&');
  var url = new Object();
  for(i = 0; i < nv.length; i++)
  {
    eq = nv[i].indexOf('=');
    url[nv[i].substring(0,eq).toLowerCase()] 
    	= unescape(nv[i].substring(eq + 1));
  }
</script>
<script LANGUAGE="JavaScript">
	document.write('<SCRIPT LANGUAGE="JavaScript" ' +
	 'SRC="'+url['source']+'?"\></SCRIPT\>');
</script>
	

Content Security Policy

• Upcoming standard
• Fits well with single page web apps
• Server instructs browser through header.

  Content-Security-Policy: default-src 'self'; script-src 'self' *.googleapis.com

• By default disallows the unsafe versions of eval/setTimeout/setInterval/new Function
• By default disallows inline CSS and JavaScript
• Allows developers to specify which domains scripts, images, videos etc. can be loaded from
• Supported in Chrome and Firefox (rumored in IE10)

Client Side Injections

• URL-injection - creating URLs in an unsafe way:
Search
http://example.com/search/frog/../../logout http://example.com/?search=frog&otherParam=123
• JSON-injection - creating JSON in an unsafe way:
{"value1": "something","value2":"something evil"}

Server Side Injections

• SQL-injection can of course still be a problem on the server side
• So can NoSQL-injection

• But what about JSON APIs and JS-based backends?

node.js

var http = require('http');
http.createServer(function (request, response) {
  if (request.method === 'POST') {
    var data = '';
    request.addListener('data', function(chunk) { data += chunk; });
    request.addListener('end', function() {
      var stockQuery = eval("(" + data + ")");
      var price = getStockPrice(stockQuery.symbol);
      …
});

while(1);

node.js server side eval

• DOS
• Attack other servers
• Read local files
• Grab entire database (Hello SQL injection)
• Upload arbitrary file and execute on server

• This is NOT a node.js bug - it's unsafe use of javascript

Mass assignment / overposting

• Are we still in control of our model?

• Altered timestamp for when an object was created
• Added his own SSH key to the Rails project and made a commit to master

And finally

alert(1)

XEE - XML Entity Expansions

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [ 
	<!ENTITY a "1234567890" > 
	<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > 
	<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > 
	<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > 
	<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > 
	<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > 
	<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > 
	<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > 
	<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > 
	<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > 
	<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > 
	<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > 
	<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > 
]> 
<foo>&m;</foo>

Memory exhaustion - a pile of foo

<?xml version="1.0" encoding="utf-8"?>
<foo>
 <foo>
  <foo>
   <foo>
    <foo>
     <foo>
      ...1 million foos later...
       <foo>
        Hola el mundo
       </foo>
      ...there and back again...
  </foo>
 </foo>
</foo>

		

XXE - XML eXternal Entity Attacks

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "/etc/passwd">
]>
<foo>&xxe;</foo>

Some final advice...

• Build robust JSON services with clearly defined transformations covered by automated tests
• Remember the evil test cases - e.g. what should NOT be possible
• Seek frameworks with secure defaults - should default to HTML escaping etc.
• As a developer, default to the secure functions - it's better to err on that side
• You're testing your javascript, right? Why not also test your templates?

Remember...