XSS, CSRF, CSP, JWT, WTF? IDK ¯\_( ツ)_/¯ Dominik Kundel - @dkundel Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

XSS, CSRF, CSP, JWT, WTF? IDK ¯\_( ツ)_/¯ Dominik Kundel - @dkundel Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Introduction to WEB SECURITY Dominik Kundel - @dkundel Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

⁇ XSS ⁇ ⁇ CSRF ⁇ ⁇ CSP ⁇ ⁇ JWT ⁇ Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Hi! I'm Dominik Kundel! Developer Evangelist at github/dkundel @dkundel dkundel@twilio.com Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

#onesiejs Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

SECURITY! SECURITY! SECURITY! Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

I THOUGHT OF EVERYTHING Only HTTPS powered by Let's Encrypt It even uses HSTS (HTTP Strict Transport Security) no mixed content Sanitized HTML No room for SQL injections Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

NO REAL DATABASE NO REAL DATABASE INJECTIONS Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

BOB ALLISON Security Expert Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

https://onesie.life Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

USE HttpOnly COOKIES // Make cookies HTTP only res.cookie('authToken', jwt, { httpOnly: true, signed: true, secure: true }); Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

USE SAFE JWT IMPLEMENTATIONS const jwt = require('jsonwebtoken'); jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, payload) => { if (err) { console.log('Invalid token!'); return; } console.log('Valid token!'); }); Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Don't be the next Equifax Stay up-to-date! Image: Michael Nagle/Bloomberg via Getty Images Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

LET'S POST SOMETHING! onesie.life Feed Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

CROSS SITE REQUEST FORGERY hack-onesie.glitch.me/xsrf Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

WHAT HAPPENED? Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

window.opener window.opener.location = 'http://my-evil-website.com'; Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

USE "noopener" Dangerous Link Saf e Link Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

USE CSRF TOKENS const csrf = require('csurf')({ cookie: true }); app.get('/post', csrf, (req, res, next) => { // pass csrf to front-end via _csrf cookie or // req.csrfToken() in template }); app.post('/post', csrf, (req, res, next) => { // only valid if one of these is the same as the cookie: // req.body._csrf // req.query._csrf // req.headers['csrf-token'] // req.headers['xsrf-token'] // req.headers['x-csrf-token'] // req.headers['x-xsrf-token'] }); Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Little Bobby Tables Young Brother Samy '"src="javascript:alert(1); XSS Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

https://xkcd.com/327/ Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

MYSPACE WORM Samy worm / JS.Spacehero worm Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

TRICKS USED BY SAMY // avoid blacklisted words like innerHTML through string concat alert(eval('document.body.inne' + 'rHTML')); eval('xmlhttp.onread' + 'ystatechange = callback'); samy.pl/popular/tech.html Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

OBSTRUSIVE JAVASCRIPT // Different ways to eval new Function(CODE)() // or setTimeout(CODE, 0) // or []["filter"]["constructor"]( CODE )() // or [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[]) [+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]] +[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+ []+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![ ]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+ !+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[ ]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[]) [+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![] +[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!! []+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![ Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

BLOCKING XSS IS NOT TRIVIAL onesie.life Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

ENCODING CAN BE dangerous! Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

CSS CAN BE DANGEROUS! twitter.com/jaffathecake/status/968500192210227202 Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

JSONP JSON with Padding function gotPosts(data) { console.log(data); } Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

XSS + POOR JSONP = onesie.life Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Content-Security-Policy Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

CSP DEMO onesie.life/secure/home Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

CSP EXAMPLE HEADER Content-Security-Policy: default-src 'self'; script-src 'nonce-NWo2+pmewRLPWqpsgv6J2w=='; style-src 'nonce-NWo2+pmewRLPWqpsgv6J2w=='; object-src 'none'; img-src 'self' api.adorable.io; font-src 'self' fonts.gstatic.com; block-all-mixed-content; report-uri /csp-report; Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

CSP IS NOT YOUR SECURITY STRATEGY! CSP is a Safety Net! Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

OTHER THINGS TO LOOK OUT FOR Avoid clickjacking by disallowing framing using X-Frame-Options: deny Check out libraries like helmet for essential HTTP headers. Don't show versions of front-end libs or server Check for types of input(Can cause NoSQL injections) Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

OTHER THINGS TO DO Consider Security Audits Stay up to date with versions (Greenkeeper) Use tools to detect security vulnerabilites (NSP, Snyk) Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Summary Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

USE SIGNED HttpOnly COOKIES Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

BE SCEPTICAL OF JWTS Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

rel="noopener noreferrer" Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

USE CSRF TOKENS Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

BLOCKING XSS ISN'T TRIVIAL Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

BE AWARE OF ENCODING Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

BE CAREFUL WITH JSONP Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

USE CSP AS A SAFETY NET Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

STAY UP-TO-DATE Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

d-k.im/sec-ngoslo Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

bit.ly/onesie-life Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec

Dominik Kundel Thank you! d-k.im/sec-ngoslo github/dkundel @dkundel dkundel@twilio.com Dominik Kundel | @dkundel | #angularoslo #ndcoslo #websec