Angular Connect '17 - Intro to Web Security

0722ad084c65f6177d80cf793cfbd013?s=47 Dominik Kundel
November 07, 2017
Programming
0
540

Angular Connect '17 - Intro to Web Security

This talk has been presented at Angular Connect '17 and is giving an overview of different web security related things you should be aware of. The source code of the slides can be found here: https://github.com/dkundel/intro-web-security

0722ad084c65f6177d80cf793cfbd013?s=128

Dominik Kundel

November 07, 2017
Tweet

More Decks by Dominik Kundel

See All by Dominik Kundel
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
0
72
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
0
20
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
0
33
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
0
98
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
1
32
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
0
54
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
0
91
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
0
93
0722ad084c65f6177d80cf793cfbd013?s=48 dkundel
2
110

Other Decks in Programming

See All in Programming
5c097a7b75c8802b073774faa7276503?s=48 optim
5
350
3e31ffe1dc0eccbe2f30b99de11246cf?s=48 oikawat
0
100
4131d2f57a0db2a2b4d9a62bd389fd44?s=48 tarcieri
0
260
354271902cd8ba2762d05b251dfa0f84?s=48 pluu
0
280
C302e84057a922dce0ecbe80207e3fcc?s=48 mu_zaru
0
290
Fc96157614ee73039c4a575906167979?s=48 fukumura
0
260
B7caf463b7dbc6c305ba290ec3c16521?s=48 eroispaziali
0
300
35e08efcf39d692f540047fb756eb4e3?s=48 konifar
1
950
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
0
190
933291444e456bfb511a66a2fa9c6929?s=48 j5ik2o
7
1.3k
D12a80cab206033a820ccff8319f957b?s=48 s_uryu
4
2k
1a18bf1e50d7d2bdfe52a6c9fceec244?s=48 saiya_moebius
7
1.5k

Featured

See All Featured
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
236
9.7k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
366
42k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
436
28k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
17
1.2k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
12
430
11c84dff30266b907714802088852677?s=48 jasonvnalue
80
7.8k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
83
3.8k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
110
24k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
50
3.9k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
391
60k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
190
8.6k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
325
34k

Transcript

  1. XSS, CSRF, CSP, JWT, WTF? IDK Dominik Kundel - @dkundel

    Dominik Kundel | @dkundel | #angularconnect

  2. Introduction to WEB SECURITY Dominik Kundel - @dkundel Dominik Kundel

    | @dkundel | #angularconnect

  3. Hi! I'm Dominik Kundel! Developer Evangelist at github/dkundel @dkundel dkundel@twilio.com

    Dominik Kundel | @dkundel | #angularconnect

  4. // Sending an SMS using the Twilio API // Twilio

    Credentials const accountSid = 'ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; const authToken = 'your_auth_token'; // require the Twilio module and create a REST client const client = require('twilio')(accountSid, authToken); client.messages .create({ to: '+16518675309', from: '+14158141829', body: 'The Force will be with you. Always.' }) .then(message => console.log(message.sid)); Add messaging, voice, video and authentication in your apps with the language you already use Dominik Kundel | @dkundel | #angularconnect

  5. Dominik Kundel | @dkundel | #angularconnect

  6. #onesiejs Dominik Kundel | @dkundel | #angularconnect

  7. Dominik Kundel | @dkundel | #angularconnect

  8. Dominik Kundel | @dkundel | #angularconnect

  9. SECURITY! SECURITY! SECURITY! Dominik Kundel | @dkundel | #angularconnect

  10. I THOUGHT OF EVERYTHING Only HTTPS powered by Let's Encrypt

    It even uses HSTS (HTTP Strict Transport Security) no mixed content Sanitized HTML No room for SQL injections Dominik Kundel | @dkundel | #angularconnect

  11. NO REAL DATABASE NO REAL DATABASE INJECTIONS Dominik Kundel |

    @dkundel | #angularconnect

  12. Dominik Kundel | @dkundel | #angularconnect

  13. BOB ALLISON Security Expert Dominik Kundel | @dkundel | #angularconnect

  14. https://onesie.life Dominik Kundel | @dkundel | #angularconnect

  15. USE COOKIES // Make cookies HTTP only res.cookie('authToken', jwt, {

    httpOnly: true, signed: true, secure: true }); Dominik Kundel | @dkundel | #angularconnect

  16. USE SAFE IMPLEMENTATIONS const jwt = require('jsonwebtoken'); jwt.verify(token, secret, {

    algorithms: ['HS256'] }, (err, payload) => { if (err) { console.log('Invalid token!'); return; } console.log('Valid token!'); }); Dominik Kundel | @dkundel | #angularconnect

  17. LET'S POST SOMETHING! onesie.life Feed Dominik Kundel | @dkundel |

    #angularconnect

  18. CROSS SITE REQUEST FORGERY hack-onesie.glitch.me/xsrf Dominik Kundel | @dkundel |

    #angularconnect

  19. WHAT HAPPENED? Dominik Kundel | @dkundel | #angularconnect

  20. window.opener.location = 'http://my-evil-website.com'; Dominik Kundel | @dkundel | #angularconnect

  21. USE <!-- Target page has access to window.opener --> <a

    href="http://example.com/" target="_blank">Dangerous Link</a> <!-- Target page does NOT have access to window.opener --> <a href="http://example.com" target="_blank" rel="noopener noreferrer">Saf e Link</a> Dominik Kundel | @dkundel | #angularconnect

  22. USE TOKENS const csrf = require('csurf')({ cookie: true }); app.get('/post',

    csrf, (req, res, next) => { // pass csrf to front-end via _csrf cookie or // req.csrfToken() in template }); app.post('/post', csrf, (req, res, next) => { // only valid if one of these is the same as the cookie: // req.body._csrf // req.query._csrf // req.headers['csrf-token'] // req.headers['xsrf-token'] // req.headers['x-csrf-token'] // req.headers['x-xsrf-token'] }); Dominik Kundel | @dkundel | #angularconnect

  23. Little Bobby Tables Young Brother Dominik Kundel | @dkundel |

    #angularconnect

  24. https://xkcd.com/327/ Dominik Kundel | @dkundel | #angularconnect

  25. Dominik Kundel | @dkundel | #angularconnect

  26. MYSPACE WORM Samy worm / JS.Spacehero worm Dominik Kundel |

    @dkundel | #angularconnect

  27. TRICKS USED BY SAMY <!-- Use JavaScript in CSS and

    move code into HTML attribute --> <div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')" ></div> // avoid blacklisted words like innerHTML through string concat alert(eval('document.body.inne' + 'rHTML')); eval('xmlhttp.onread' + 'ystatechange = callback'); samy.pl/popular/tech.html Dominik Kundel | @dkundel | #angularconnect

  28. OBSTRUSIVE JAVASCRIPT // Different ways to eval new Function(CODE)() //

    or setTimeout(CODE, 0) // or []["filter"]["constructor"]( CODE )() // or [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[]) [+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]] +[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+ []+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![ ]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+ !+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[ ]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[]) [+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![] +[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!! []+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![ Dominik Kundel | @dkundel | #angularconnect

  29. BLOCKING XSS IS NOT TRIVIAL onesie.life Dominik Kundel | @dkundel

    | #angularconnect

  30. ENCODING CAN BE dangerous! Dominik Kundel | @dkundel | #angularconnect

  31. JSONP JSON with Padding <script> function gotPosts(data) { console.log(data); }

    </script> <script src="https://onesie.life/post?callback=gotPosts"></script> Dominik Kundel | @dkundel | #angularconnect

  32. XSS + POOR JSONP = onesie.life Dominik Kundel | @dkundel

    | #angularconnect

  33. Dominik Kundel | @dkundel | #angularconnect

  34. CSP DEMO onesie.life/secure/home Dominik Kundel | @dkundel | #angularconnect

  35. CSP EXAMPLE HEADER Content-Security-Policy: default-src 'self'; script-src 'nonce-NWo2+pmewRLPWqpsgv6J2w=='; style-src 'nonce-NWo2+pmewRLPWqpsgv6J2w==';

    object-src 'none'; img-src 'self' api.adorable.io; font-src 'self' fonts.gstatic.com; block-all-mixed-content; report-uri /csp-report; Dominik Kundel | @dkundel | #angularconnect

  36. CSP IS NOT YOUR SECURITY STRATEGY! CSP is a Safety

    Net! Dominik Kundel | @dkundel | #angularconnect

  37. OTHER THINGS TO LOOK OUT FOR Avoid clickjacking by disallowing

    framing using Don't show versions of front-end libs or server Check for types of input(Can cause NoSQL injections) Dominik Kundel | @dkundel | #angularconnect

  38. OTHER THINGS TO DO Consider Security Audits Stay up to

    date with versions (Greenkeeper) Use tools to detect security vulnerabilites (Snyk) Dominik Kundel | @dkundel | #angularconnect

  39. Summary Dominik Kundel | @dkundel | #angularconnect

  40. USE SIGNED COOKIES Dominik Kundel | @dkundel | #angularconnect

  41. BE SCEPTICAL OF S Dominik Kundel | @dkundel | #angularconnect

  42. Dominik Kundel | @dkundel | #angularconnect

  43. USE TOKENS Dominik Kundel | @dkundel | #angularconnect

  44. BLOCKING ISN'T TRIVIAL Dominik Kundel | @dkundel | #angularconnect

  45. BE AWARE OF ENCODING Dominik Kundel | @dkundel | #angularconnect

  46. BE CAREFUL WITH Dominik Kundel | @dkundel | #angularconnect

  47. USE AS A SAFETY NET Dominik Kundel | @dkundel |

    #angularconnect

  48. STAY UP TO DATE Dominik Kundel | @dkundel | #angularconnect

  49. bit.ly/sec-angularconnect Dominik Kundel | @dkundel | #angularconnect

  50. bit.ly/onesie-life Dominik Kundel | @dkundel | #angularconnect

  51. Dominik Kundel Thank You! bit.ly/sec-angularconnect github/dkundel @dkundel dkundel@twilio.com Dominik Kundel

    | @dkundel | #angularconnect