Integrity protection for third-party JavaScript

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Francois Marier

February 27, 2015

Transcript

  1. <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" integrity="type:text/javascript sha512-AODL7idgffQeNsYdTzut09nz9AINcjhj4jHD72HcLirsidbC8tz+dof7gceOCQD8WskeuRFfJ9CsgZTHlMiOYg=="></script> Integrity protection for 3rd-party JavaScript François Marier @fmarier mozilla
  2. Firefox Security & Privacy

  3. Web Platform

  4. Web Platform

  5. None
  6. Content Security Policy aka CSP

  7. Content Security Policy aka CSP mechanism for preventing XSS

  8. telling the browser what external content is allowed to load

  9. what does CSP look like?

  10. $ curl --head https://mega.nz HTTP/1.1 200 OK Content-Type: text/html Content-Length: 1989 Content-Security-Policy: default-src 'self' *.mega.co.nz *.mega.nz http://*.mega.co.nz http://*.mega.nz; script-src 'self' mega.co.nz mega.nz data: blob:; style-src 'self' 'unsafe-inline' *.mega.co.nz *.mega.nz data: blob:; frame-src 'self' mega:; img-src 'self' *.mega.co.nz *.mega.nz data: blob:
  11. Hi you<script> alert('p0wned'); </script>! Tweet! What's on your mind?

  12. (of course, in a real web application, this would never be a problem)
  13. (the JS would be filtered out during input sanitisation)

  14. without CSP

  15. Hi you! Freedom Fighter @whaledumper - just moments ago p0wned Ok
  16. with CSP

  17. Hi you! Freedom Fighter @whaledumper - just moments ago

  18. Content-Security-Policy: script-src 'self' https://cdn.example.com

  19. inline scripts are blocked unless unsafe-inline is specified

  20. directives: script-src object-src style-src img-src media-src frame-src marquee-src font-src connect-src

  21. directives: script-src object-src style-src img-src media-src frame-src marquee-src font-src connect-src

  22. $ curl --head https://twitter.com HTTP/1.1 200 OK content-length: 58347 content-security-policy: … report-uri https://twitter.com/csp_report violation reports:
  23. "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/..." }
  24. None
  25. new directives form-action plugin-types

  26. support for inline scripts Content-Security-Policy: script-src 'sha256-YWIzOW...'

  27. https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

  28. None
  29. HTTP Strict Transport Security aka HSTS

  30. HTTP Strict Transport Security aka HSTS mechanism for preventing HTTPS to HTTP downgrades
  31. telling the browser that your site should never be reached over HTTP
  32. None
  33. GET asb.co.nz 301 → GET https://asb.co.nz 200 → no HSTS, no sslstrip
  34. GET asb.co.nz → 200 no HSTS, with sslstrip

  35. what does HSTS look like?

  36. $ curl -i https://login.xero.com HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN
  37. with HSTS, with sslstrip GET https://asb.co.nz 200 →

  38. silent client-side redirects HTTP → HTTPS

  39. no HTTP traffic for sslstrip to tamper with

  40. except for the very first connection

  41. https://hstspreload.appspot.com/

  42. pop quiz! how many .nz sites are on the preload list?
  43. $ grep \.nz force-https.json { "name": "mega.co.nz" }, { "name": "api.mega.co.nz" },
  44. http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

  45. None
  46. None
  47. None
  48. wanna know more? https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

  49. 2015?

  50. no need to add any extra headers

  51. None
  52. None
  53. None
  54. None
  55. https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

  56. how common is this?

  57. None
  58. what would happen if that server were compromised?

  59. None
  60. Bad Things™ steal sessions leak confidential data redirect to phishing sites enlist DDoS zombies
  61. simple solution

  62. <script src="https://ajax.googleapis.com..."> instead of this:

  63. <script src="https://ajax.googleapis.com..." integrity="sha256-1z4uG/+cVbhShP..."> do this:

  64. You owe me $10.00. f4243c12541be6f79c73e539c426e07a f2f6c4ef8794894f4903aee54542586d

  65. You owe me $1000. 1ebd7a8d15a6dab743f0c4d147f731bc fc6b74752afe43afa5389ba8830a2215

  66. guarantee: script won't change or it'll be blocked

  67. limitation: won't work for scripts that change all the time

  68. 3 types of scripts

  69. dynamically-generated script: not a good fit for SRI

  70. https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js

  71. immutable scripts: perfect for SRI

  72. what about your own scripts? (they change, but you're the one changing them)
  73. scripts under your control: good fit for SRI

  74. can usually add the hashing to your static resource pipeline

  75. #!/bin/sh cat src/*.js > bundle.js HASH=$(sha256sum bundle.js | cut -f1 -d' ') mv bundle.js public/bundle-${HASH}.js
  76. public/bundle-c2498bc358....js Cache-Control: max-age=∞

  77. <script src="widgets.js"> <script src="app.js"> <script src="menu.js">

  78. <script src="bundle-c2498bc....js">

  79. <script src="bundle-c2498bc....js" integrity="sha256-c2498bc...">

  80. what else?

  81. integrity="sha256-1z4uG/+cVbhShP..."

  82. integrity="type:application/javascript sha256-1z4uG/+cVbhShP..."

  83. integrity="type:application/javascript sha512-AODL7idgffQeNs..."

  84. integrity="type:application/javascript sha256-1z4uG/+cVbhShP... sha384-RqG7UC/QK2TVRa... sha512-AODL7idgffQeNs..."

  85. <link rel="stylesheet" href="style.css" integrity="sha256-PgMdguwx/O..."> stylesheet support

  86. violation reports Content-Security-Policy: integrity-policy block

  87. violation reports Content-Security-Policy: integrity-policy report; report-uri https://...

  88. cat file.js | openssl dgst -sha256 -binary | openssl enc -base64 -A
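The hash generation on slides 75 and 88, the single- and multi-hash integrity syntax on slides 81 to 84, and the CSP inline-script hash on slide 26 all rest on one operation: a base64-encoded digest of the exact bytes served. The following Python is an added example, not code from the talk; SAMPLE_JS is a constructed stand-in for a hosted library, and the verification logic follows the browser rule of honouring only the strongest algorithm listed.

```python
import base64
import hashlib

# Weakest to strongest: a browser ignores tokens of weaker algorithms
# when a stronger one is present in the same integrity attribute.
ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample resource standing in for a hosted jquery.min.js.
SAMPLE_JS = b"window.jQuery = function () { return 'constructed sample'; };\n"


def sri_token(data: bytes, algorithm: str = "sha256") -> str:
    """Return 'alg-base64digest', as openssl dgst -binary | openssl enc -base64 -A would."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported SRI algorithm: " + algorithm)
    digest = hashlib.new(algorithm, data).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def csp_hash_source(inline_script: str) -> str:
    """The same token, single-quoted, used as a CSP script-src hash source."""
    return "'" + sri_token(inline_script.encode("utf-8")) + "'"


def parse_integrity(attr: str) -> list:
    """Split on whitespace; skip the draft's 'type:' token and unknown algorithms."""
    tokens = []
    for part in attr.split():
        if part.startswith("type:"):
            continue
        alg, sep, digest = part.partition("-")
        if sep and alg in ALGORITHMS and digest:
            tokens.append((alg, digest))
    return tokens


def verify_integrity(data: bytes, attr: str) -> bool:
    """Browser-style check: only the strongest listed algorithm counts, and any
    one of its digests matching the fetched bytes is enough."""
    tokens = parse_integrity(attr)
    if not tokens:
        # Per the spec, metadata with no usable token imposes no constraint,
        # so a mistyped attribute silently disables the protection.
        return True
    strongest = max(ALGORITHMS.index(alg) for alg, _ in tokens)
    expected = sri_token(data, ALGORITHMS[strongest])
    return any(alg + "-" + digest == expected
               for alg, digest in tokens if ALGORITHMS.index(alg) == strongest)
```

Note that a weaker token matching while a stronger one does not still blocks the load, so every algorithm you list must be regenerated whenever the file changes.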
  89. SRIhash.org

  90. None
  91. status?

  92. spec is approaching “last call”

  93. (initial implementations)

  94. © 2015 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License. Questions? feedback: francois@mozilla.com mozilla.dev.security public-webappsec@w3.org
  95. photo credits: bank notes: https://www.flickr.com/photos/epsos/8463683689 web devs: https://www.flickr.com/photos/mbiddulph/238171366 explosion: https://www.flickr.com/photos/-cavin-/2313239884/