Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrity protection for third-party JavaScript

Integrity protection for third-party JavaScript

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Francois Marier

February 27, 2015
Tweet

More Decks by Francois Marier

Other Decks in Programming

Transcript

  1. googleapis.com/ajax/libs/j<br/>query/1.8.0/jquery.min.js”<br/>integrity=”type:text/javas<br/>cript sha512-AODL7idgffQeN<br/>sYdTzut09nz9AINcjhj4jHD72H<br/>cLirsidbC8tz+dof7gceOCQD8W<br/>skeuRFfJ9CsgZTHlMiOYg==”><<br/>/script><br/>Integrity protection for<br/>3rd-party JavaScript<br/>François Marier @fmarier<br/>mozilla<br/>

    View Slide

  2. Firefox
    Security & Privacy

    View Slide

  3. Web Platform

    View Slide

  4. Web Platform

    View Slide

  5. View Slide

  6. Content Security Policy
    aka CSP

    View Slide

  7. Content Security Policy
    aka CSP
    mechanism for preventing XSS

    View Slide

  8. telling the browser what external
    content is allowed to load

    View Slide

  9. what does CSP look like?

    View Slide

  10. $ curl --head https://mega.nz
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 1989
    Content-Security-Policy:
    default-src 'self' *.mega.co.nz
    *.mega.nz http://*.mega.co.nz
    http://*.mega.nz;
    script-src 'self' mega.co.nz mega.nz
    data: blob:;
    style-src 'self' 'unsafe-inline'
    *.mega.co.nz *.mega.nz data: blob:;
    frame-src 'self' mega:;
    img-src 'self' *.mega.co.nz *.mega.nz
    data: blob:

    View Slide

  11. Hi you<br/>alert('p0wned');<br/>!
    Tweet!
    What's on your mind?

    View Slide

  12. (of course, in a real web application,
    this would never be a problem)

    View Slide

  13. (the JS would be filtered out
    during input sanitisation)

    View Slide

  14. without CSP

    View Slide

  15. Hi you!
    Freedom Fighter @whaledumper - just moments ago
    p0wned
    Ok

    View Slide

  16. with CSP

    View Slide

  17. Hi you!
    Freedom Fighter @whaledumper - just moments ago

    View Slide

  18. Content-Security-Policy:
    script-src 'self'
    https://cdn.example.com

    View Slide

  19. inline scripts are blocked unless
    unsafe-inline is specified

    View Slide

  20. directives:
    script-src
    object-src
    style-src
    img-src
    media-src
    frame-src
    marquee-src
    font-src
    connect-src

    View Slide

  21. directives:
    script-src
    object-src
    style-src
    img-src
    media-src
    frame-src
    marquee-src
    font-src
    connect-src

    View Slide

  22. $ curl --head https://twitter.com
    HTTP/1.1 200 OK
    content-length: 58347
    content-security-policy: …
    report-uri https://twitter.com/csp_report
    violation reports:

    View Slide

  23. "csp-report": {
    "document-uri":
    "http://example.org/page.html",
    "referrer":
    "http://evil.example.com/haxor.html",
    "blocked-uri":
    "http://evil.example.com/image.png",
    "violated-directive":
    "default-src 'self'",
    "effective-directive":
    "img-src",
    "original-policy":
    "default-src 'self';
    report-uri http://example.org/..."
    }

    View Slide

  24. View Slide

  25. new directives
    form-action
    plugin-types

    View Slide

  26. support for inline scripts
    Content-Security-Policy:
    script-src 'sha256-YWIzOW...'

    View Slide

  27. https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header

    View Slide

  28. View Slide

  29. HTTP Strict
    Transport Security
    aka HSTS

    View Slide

  30. HTTP Strict
    Transport Security
    aka HSTS
    mechanism for preventing
    HTTPS to HTTP downgrades

    View Slide

  31. telling the browser that your site
    should never be reached over HTTP

    View Slide

  32. View Slide

  33. GET asb.co.nz 301

    GET https://asb.co.nz 200

    no HSTS, no sslstrip

    View Slide

  34. GET asb.co.nz → 200
    no HSTS, with sslstrip

    View Slide

  35. what does HSTS look like?

    View Slide

  36. $ curl -i https://login.xero.com
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Strict-Transport-Security: max-age=31536000
    X-Frame-Options: SAMEORIGIN

    View Slide

  37. with HSTS, with sslstrip
    GET https://asb.co.nz 200

    View Slide

  38. silent client-side redirects
    HTTP → HTTPS

    View Slide

  39. no HTTP traffic for
    sslstrip to tamper with

    View Slide

  40. except for the very
    first connection

    View Slide

  41. https://hstspreload.appspot.com/

    View Slide

  42. pop quiz!
    how many .nz sites are
    on the preload list?

    View Slide

  43. $ grep \\.nz force-https.json
    { "name": "mega.co.nz" },
    { "name": "api.mega.co.nz" },

    View Slide

  44. http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

    View Slide

  45. View Slide

  46. View Slide

  47. View Slide

  48. wanna know more?
    https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated

    View Slide

  49. 2015?

    View Slide

  50. no need to add
    any extra headers

    View Slide

  51. View Slide

  52. View Slide

  53. View Slide

  54. View Slide

  55. https://ajax.googleapis.com
    /ajax/libs/jquery/1.8.0/
    jquery.min.js

    View Slide

  56. how common is this?

    View Slide

  57. View Slide

  58. what would happen if that
    server were compromised?

    View Slide

  59. View Slide

  60. Bad Things™
    steal sessions
    leak confidential data
    redirect to phishing sites
    enlist DDoS zombies

    View Slide

  61. simple solution

    View Slide

  62. src=”https://ajax.googleapis.com...”>
    instead of this:

    View Slide

  63. src=”https://ajax.googleapis.com...”
    integrity=”sha256-1z4uG/+cVbhShP...”>
    do this:

    View Slide

  64. You owe me $10.00.
    f4243c12541be6f79c73e539c426e07a
    f2f6c4ef8794894f4903aee54542586d

    View Slide

  65. You owe me $1000.
    1ebd7a8d15a6dab743f0c4d147f731bc
    fc6b74752afe43afa5389ba8830a2215

    View Slide

  66. guarantee:
    script won't change
    or it'll be blocked

    View Slide

  67. limitation:
    won't work for scripts
    that change all the time

    View Slide

  68. 3 types of scripts

    View Slide

  69. dynamically-generated script:
    not a good fit for SRI

    View Slide

  70. https://ajax.googleapis.com
    /ajax/libs/jquery/1.8.0/
    jquery.min.js

    View Slide

  71. immutable scripts:
    perfect for SRI

    View Slide

  72. what about your own scripts?
    (they change, but you're
    the one changing them)

    View Slide

  73. scripts under your control:
    good fit for SRI

    View Slide

  74. can usually add the hashing to
    your static resource pipeline

    View Slide

  75. #!/bin/sh
    cat src/*.js > bundle.js
    HASH=`sha256sum bundle.js |cut -f1 -d' '`
    mv bundle.js public/bundle-${HASH}.js

    View Slide

  76. public/bundle-c2498bc358....js
    Cache-Control: max-age=∞

    View Slide

  77. <br/><script src=”app.js”><br/><script src=”menu.js”><br/>

    View Slide

  78. <br/>

    View Slide

  79. integrity=”sha256-c2498bc...”><br/>

    View Slide

  80. what else?

    View Slide

  81. integrity=”
    sha256-1z4uG/+cVbhShP...

    View Slide

  82. integrity=”
    type:application/javascript
    sha256-1z4uG/+cVbhShP...

    View Slide

  83. integrity=”
    type:application/javascript
    sha512-AODL7idgffQeNs...

    View Slide

  84. integrity=”
    type:application/javascript
    sha256-1z4uG/+cVbhShP...
    sha384-RqG7UC/QK2TVRa...
    sha512-AODL7idgffQeNs...

    View Slide

  85. href="style.css"
    integrity="sha256-PgMdguwx/O...">
    stylesheet support

    View Slide

  86. violation reports
    Content-Security-Policy:
    integrity-policy block

    View Slide

  87. violation reports
    Content-Security-Policy:
    integrity-policy report;
    report-uri https://...

    View Slide

  88. cat file.js
    | openssl dgst -sha256 -binary
    | openssl enc -base64 -A

    View Slide

  89. SRIhash.org

    View Slide

  90. View Slide

  91. status?

    View Slide

  92. spec is approaching
    “last call”

    View Slide

  93. (initial implementations)

    View Slide

  94. © 2015 François Marier
    This work is licensed under a
    Creative Commons Attribution-ShareAlike 4.0 License.
    Questions?
    feedback:
    [email protected]
    mozilla.dev.security
    [email protected]

    View Slide

  95. photo credits:
    bank notes: https://www.flickr.com/photos/epsos/8463683689
    web devs: https://www.flickr.com/photos/mbiddulph/238171366
    explosion: https://www.flickr.com/photos/-cavin-/2313239884/

    View Slide