Integrity protection for third-party JavaScript

Modern web applications depend on many auxiliary scripts, which are often hosted on third-party CDNs. If an attacker were able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Francois Marier

February 27, 2015

Transcript

  1. <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js"
    integrity="type:text/javascript sha512-AODL7idgffQeNsYdTzut09nz9AINcjhj4jHD72HcLirsidbC8tz+dof7gceOCQD8WskeuRFfJ9CsgZTHlMiOYg=="></script>
    Integrity protection for
    3rd-party JavaScript
    François Marier @fmarier
    mozilla

  2. Firefox
    Security & Privacy

  3. Web Platform

  4. Web Platform

  5. Content Security Policy
    aka CSP

  6. Content Security Policy
    aka CSP
    mechanism for preventing XSS

  7. telling the browser what external
    content is allowed to load

  8. what does CSP look like?

  9. $ curl --head https://mega.nz
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 1989
    Content-Security-Policy:
    default-src 'self' *.mega.co.nz
    *.mega.nz http://*.mega.co.nz
    http://*.mega.nz;
    script-src 'self' mega.co.nz mega.nz
    data: blob:;
    style-src 'self' 'unsafe-inline'
    *.mega.co.nz *.mega.nz data: blob:;
    frame-src 'self' mega:;
    img-src 'self' *.mega.co.nz *.mega.nz
    data: blob:

  10. Hi you
    alert('p0wned');
    !
    Tweet!
    What's on your mind?

  11. (of course, in a real web application,
    this would never be a problem)

  12. (the JS would be filtered out
    during input sanitisation)

  13. Hi you!
    Freedom Fighter @whaledumper - just moments ago
    p0wned
    Ok

  14. Hi you!
    Freedom Fighter @whaledumper - just moments ago

  15. Content-Security-Policy:
    script-src 'self'
    https://cdn.example.com

  16. inline scripts are blocked unless
    unsafe-inline is specified

  17. directives:
    script-src
    object-src
    style-src
    img-src
    media-src
    frame-src
    marquee-src
    font-src
    connect-src

  18. directives:
    script-src
    object-src
    style-src
    img-src
    media-src
    frame-src
    marquee-src
    font-src
    connect-src

  19. $ curl --head https://twitter.com
    HTTP/1.1 200 OK
    content-length: 58347
    content-security-policy: …
    report-uri https://twitter.com/csp_report
    violation reports:

  20. "csp-report": {
    "document-uri":
    "http://example.org/page.html",
    "referrer":
    "http://evil.example.com/haxor.html",
    "blocked-uri":
    "http://evil.example.com/image.png",
    "violated-directive":
    "default-src 'self'",
    "effective-directive":
    "img-src",
    "original-policy":
    "default-src 'self';
    report-uri http://example.org/..."
    }

  21. new directives
    form-action
    plugin-types

  22. support for inline scripts
    Content-Security-Policy:
    script-src 'sha256-YWIzOW...'

  23. https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

  24. HTTP Strict
    Transport Security
    aka HSTS

  25. HTTP Strict
    Transport Security
    aka HSTS
    mechanism for preventing
    HTTPS to HTTP downgrades

  26. telling the browser that your site
    should never be reached over HTTP

  27. GET asb.co.nz 301

    GET https://asb.co.nz 200

    no HSTS, no sslstrip

  28. GET asb.co.nz → 200
    no HSTS, with sslstrip

  29. what does HSTS look like?

  30. $ curl -i https://login.xero.com
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Strict-Transport-Security: max-age=31536000
    X-Frame-Options: SAMEORIGIN

  31. with HSTS, with sslstrip
    GET https://asb.co.nz 200

  32. silent client-side redirects
    HTTP → HTTPS

  33. no HTTP traffic for
    sslstrip to tamper with

  34. except for the very
    first connection

  35. https://hstspreload.appspot.com/

  36. pop quiz!
    how many .nz sites are
    on the preload list?

  37. $ grep \\.nz force-https.json
    { "name": "mega.co.nz" },
    { "name": "api.mega.co.nz" },

  38. http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

  39. wanna know more?
    https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

  40. no need to add
    any extra headers

  41. https://ajax.googleapis.com
    /ajax/libs/jquery/1.8.0/
    jquery.min.js

  42. how common is this?

  43. what would happen if that
    server were compromised?

  44. Bad Things™
    steal sessions
    leak confidential data
    redirect to phishing sites
    enlist DDoS zombies

  45. simple solution

  46. instead of this:
    <script src="https://ajax.googleapis.com...">

  47. do this:
    <script src="https://ajax.googleapis.com..."
    integrity="sha256-1z4uG/+cVbhShP...">

  48. You owe me $10.00.
    f4243c12541be6f79c73e539c426e07a
    f2f6c4ef8794894f4903aee54542586d

  49. You owe me $1000.
    1ebd7a8d15a6dab743f0c4d147f731bc
    fc6b74752afe43afa5389ba8830a2215

  50. guarantee:
    script won't change
    or it'll be blocked

  51. limitation:
    won't work for scripts
    that change all the time

  52. 3 types of scripts

  53. dynamically-generated script:
    not a good fit for SRI

  54. https://ajax.googleapis.com
    /ajax/libs/jquery/1.8.0/
    jquery.min.js

  55. immutable scripts:
    perfect for SRI

  56. what about your own scripts?
    (they change, but you're
    the one changing them)

  57. scripts under your control:
    good fit for SRI

  58. can usually add the hashing to
    your static resource pipeline

  59. #!/bin/sh
    # concatenate the sources, then name the bundle after its own sha256 hash
    cat src/*.js > bundle.js
    HASH=`sha256sum bundle.js |cut -f1 -d' '`
    mv bundle.js public/bundle-${HASH}.js

  60. public/bundle-c2498bc358....js
    Cache-Control: max-age=∞

  61. <script src="app.js">
    <script src="menu.js">

  62. integrity="sha256-c2498bc...">

  63. integrity="
    sha256-1z4uG/+cVbhShP...

  64. integrity="
    type:application/javascript
    sha256-1z4uG/+cVbhShP...

  65. integrity="
    type:application/javascript
    sha512-AODL7idgffQeNs...

  66. integrity="
    type:application/javascript
    sha256-1z4uG/+cVbhShP...
    sha384-RqG7UC/QK2TVRa...
    sha512-AODL7idgffQeNs...

  67. href="style.css"
    integrity="sha256-PgMdguwx/O...">
    stylesheet support

  68. violation reports
    Content-Security-Policy:
    integrity-policy block

  69. violation reports
    Content-Security-Policy:
    integrity-policy report;
    report-uri https://...

  70. cat file.js
    | openssl dgst -sha256 -binary
    | openssl enc -base64 -A

  71. spec is approaching
    “last call”

  72. (initial implementations)

  73. © 2015 François Marier
    This work is licensed under a
    Creative Commons Attribution-ShareAlike 4.0 License.
    Questions?
    feedback:
    [email protected]
    mozilla.dev.security
    [email protected]

  74. photo credits:
    bank notes: https://www.flickr.com/photos/epsos/8463683689
    web devs: https://www.flickr.com/photos/mbiddulph/238171366
    explosion: https://www.flickr.com/photos/-cavin-/2313239884/
