DWX 2018 - XSS, CSRF, CSP, JWT, WTF? IDK ¯\_(ツ)_/¯

Introduction to Web Security talk. More info at: https://github.com/dkundel/intro-web-security and https://github.com/dkundel/onesie-life

Dominik Kundel

June 26, 2018

Transcript

  1. XSS, CSRF, CSP, JWT, WTF? IDK ¯\_(ツ)_/¯ (Dominik Kundel, @dkundel)
      Dominik Kundel | @dkundel | #dwx2018 #websec

  4. Introduction to WEB SECURITY (Dominik Kundel, @dkundel)

  5. XSS? CSRF? CSP? JWT?

  6. Hi! I'm Dominik Kundel! Developer Evangelist at Twilio. github/dkundel, @dkundel, dkundel@twilio.com

  8. #onesiejs

  11. SECURITY! SECURITY! SECURITY!

  12. I THOUGHT OF EVERYTHING: only HTTPS, powered by Let's Encrypt. It even uses HSTS (HTTP Strict Transport Security). No mixed content. Sanitized HTML. No room for SQL injections.

  13. NO REAL DATABASE, NO REAL DATABASE INJECTIONS

  15. BOB ALLISON, Security Expert

  16. https://onesie.life

  17. USE HttpOnly COOKIES
      // Make cookies HTTP only
      res.cookie('authToken', jwt, { httpOnly: true, signed: true, secure: true });

  18. USE SAFE JWT IMPLEMENTATIONS
      const jwt = require('jsonwebtoken');
      jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, payload) => {
        if (err) {
          console.log('Invalid token!');
          return;
        }
        console.log('Valid token!');
      });
  19. Don't be the next Equifax. Stay up-to-date! (Image: Michael Nagle/Bloomberg via Getty Images)

  20. LET'S POST SOMETHING! onesie.life Feed

  21. CROSS SITE REQUEST FORGERY: hack-onesie.glitch.me/xsrf

  22. WHAT HAPPENED?

  23. window.opener
      window.opener.location = 'http://my-evil-website.com';

  24. USE "noopener"
      <!-- Target page has access to window.opener -->
      <a href="http://example.com/" target="_blank">Dangerous Link</a>
      <!-- Target page does NOT have access to window.opener -->
      <a href="http://example.com" target="_blank" rel="noopener noreferrer">Safe Link</a>
  25. USE CSRF TOKENS
      const csrf = require('csurf')({ cookie: true });
      app.get('/post', csrf, (req, res, next) => {
        // pass csrf to front-end via _csrf cookie or
        // req.csrfToken() in template
      });
      app.post('/post', csrf, (req, res, next) => {
        // only valid if one of these is the same as the cookie:
        // req.body._csrf
        // req.query._csrf
        // req.headers['csrf-token']
        // req.headers['xsrf-token']
        // req.headers['x-csrf-token']
        // req.headers['x-xsrf-token']
      });
  26. WHAT ABOUT CLICKJACKING?

  27. CLICKJACKING (Source: www.owasp.org)

  28. DISALLOW IFRAMING
      // either forbid framing entirely, or allow only pages from the same origin
      res.set('X-Frame-Options', 'DENY');
      res.set('X-Frame-Options', 'SAMEORIGIN');

  29. Little Bobby Tables' Young Brother, Samy '"src="javascript:alert(1); (XSS)

  30. https://xkcd.com/327/

  32. MYSPACE WORM: Samy worm / JS.Spacehero worm

  33. TRICKS USED BY SAMY
      <!-- Use JavaScript in CSS and move code into HTML attribute -->
      <div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')"></div>
      // avoid blacklisted words like innerHTML through string concat
      alert(eval('document.body.inne' + 'rHTML'));
      eval('xmlhttp.onread' + 'ystatechange = callback');
      samy.pl/popular/tech.html

  34. OBTRUSIVE JAVASCRIPT
      // Different ways to eval
      new Function(CODE)()
      // or
      setTimeout(CODE, 0)
      // or
      []["filter"]["constructor"]( CODE )()
      // or the same call spelled out using only the characters [ ] ( ) ! +

  35. BLOCKING XSS IS NOT TRIVIAL (onesie.life)

  36. ENCODING CAN BE DANGEROUS!

  37. CSS CAN BE DANGEROUS! twitter.com/jaffathecake/status/968500192210227202

  38. NEVER TRUST THE BODY OR QUERY!

  39. Demo

  40. JSONP (JSON with Padding)
      <script>
        function gotPosts(data) { console.log(data); }
      </script>
      <script src="https://onesie.life/post?callback=gotPosts"></script>

  41. XSS + POOR JSONP = onesie.life
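The server side of slide 40, as an added example that is not onesie.life's code: the callback name arrives in the query string, so it is request input the talk says never to trust. Restricting it to a plain identifier and labelling the response as script is what keeps the endpoint from turning into the reflected XSS of slide 41. The response shape and sample data are constructed.

```javascript
// A callback must be a bare identifier (no dots, parentheses, quotes or line breaks).
// Deliberately strict: dotted paths like app.handlers.gotPosts are refused too.
const IDENT = /^[A-Za-z_$][\w$]{0,63}$/;

// Returns { status, headers, body }: 400 for a bad callback name, otherwise the padded JSON.
function jsonpResponse(callbackParam, data) {
  if (typeof callbackParam !== 'string' || !IDENT.test(callbackParam)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  // JSON.stringify output is valid inside a script except for U+2028/U+2029, which some
  // engines treat as line terminators; escape them so data cannot break out of the literal.
  const json = JSON.stringify(data).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      // nosniff stops a browser from treating this endpoint as HTML if it is opened directly.
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment is a common hardening so the body never starts with caller-chosen bytes.
    body: `/**/ ${callbackParam}(${json});`,
  };
}

// Constructed sample data standing in for the posts the feed would return.
const posts = [{ id: 1, text: 'hello onesie.life' }];
```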
  42. Content-Security-Policy

  43. CSP DEMO: onesie.life/secure/home

  44. CSP EXAMPLE HEADER
      Content-Security-Policy: default-src 'self'; script-src 'nonce-NWo2+pmewRLPWqpsgv6J2w=='; style-src 'nonce-NWo2+pmewRLPWqpsgv6J2w=='; object-src 'none'; img-src 'self' api.adorable.io; font-src 'self' fonts.gstatic.com; block-all-mixed-content; report-uri /csp-report;
  45. CSP IS NOT YOUR SECURITY STRATEGY! CSP is a safety net!

  46. OTHER THINGS TO LOOK OUT FOR: check out libraries like helmet for essential HTTP headers. Don't show versions of front-end libs or server.

  47. OTHER THINGS TO DO: consider security audits. Stay up to date with versions (Greenkeeper). Use tools to detect security vulnerabilities (NSP, Snyk).

  48. Summary

  49. USE SIGNED HttpOnly COOKIES

  50. BE SCEPTICAL OF JWTS

  51. rel="noopener noreferrer"

  52. USE CSRF TOKENS

  53. BLOCKING XSS ISN'T TRIVIAL

  54. BE AWARE OF ENCODING

  55. DON'T TRUST THE REQUEST QUERY/BODY

  56. CHECK INPUT TYPES

  57. BE CAREFUL WITH JSONP

  58. USE CSP AS A SAFETY NET

  59. STAY UP-TO-DATE

  60. d-k.im/sec-dwx

  61. bit.ly/onesie-life

  62. Thank you! d-k.im/sec-dwx, github/dkundel, @dkundel, dkundel@twilio.com (Dominik Kundel)