Slide 1

Slide 1 text

Keeping your application safe and the art of counter-spells

Slide 2

Slide 2 text

Hi! @ingride, engineer. @ingridepure

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

IN WHICH I REALLY WISH I DON’T DIE

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

story time

Slide 7

Slide 7 text

2008:
- first-ever Android device
- Google releases Chrome
- HTML 5 is introduced
- GIFAR attack: someone discovers a way to hide an executable jar in a GIF

Slide 8

Slide 8 text

2012: IMA(G)JS - hide executable code in JPEG images

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

The attacker's script runs under the same origin as the page, so the browser permits it to access the user's data (cookies).

Slide 11

Slide 11 text

yes, cats are planning to kill you or at least steal your identity and your money

Slide 12

Slide 12 text

[ the first rule of web security is to never ( ever! ) trust user-submitted data ]

Slide 13

Slide 13 text

moar story

Slide 14

Slide 14 text

March 13, 2017 - March 20, 2017:
- 37 authors
- 190 commits to master
- 220 commits to all branches
- 892 file changes
- 5816 additions / 15584 deletions
- shipping to prod > 100 times a day

Slide 15

Slide 15 text

Jun 2016: Ingrid starts working with Ember. Ingrid has to fix an image uploading / real-time preview issue without introducing an XSS vulnerability.
Sep 2016: Ingrid has a backend and infra background, so she decides to look more into it.

Slide 16

Slide 16 text

prepare for battle

Slide 17

Slide 17 text

[ know your enemy. ]

Slide 18

Slide 18 text

TL;DR
- user input
- Same-Origin Policy
- browser security features
- Content Security Policy
- HTML as input in Ember

Slide 19

Slide 19 text

HTTP: GET http://myapp.com/list/all?search_term=coffee
HTML: Results for coffee

Slide 20

Slide 20 text

reflected XSS:
GET http://myapp.com/list/all?search_term=alert("mwahaha")">
GET http://myapp.com/list/all?search_term=document.cookie">

Slide 21

Slide 21 text

[ prepare your spells. ]

Slide 22

Slide 22 text

Ember: HTML escaping, Content Security Policy

Slide 23

Slide 23 text

HTML Escaping - Hypertextescaptus (hyper-text-ESC-aptus)
- By default Ember's rendering layer escapes HTML
- Use for protection against XSS

Slide 24

Slide 24 text

.js .hbs .html

Slide 25

Slide 25 text

https://gist.github.com/ingride

Slide 26

Slide 26 text

Content Security Policy (CSP) - SecuritasContentus (SECUR-itas-kontent-us)
- New browser feature for mitigating XSS and data-injection attacks
- Use to whitelist "safe" script hosts
- ember-cli-content-security-policy

Slide 27

Slide 27 text

HTTP: Content-Security-Policy: script-src 'self' static.mysite.com
HTML (browser console): Refused to load the script 'http://pure-evil.com/evil.js' because it violates the following Content Security Policy directive: "script-src 'self' static.mysite.com".

Slide 28

Slide 28 text

https://github.com/rwjblue/ember-cli-content-security-policy
- use CSP v2 and v3 only
- hash-source and nonce-source for inline script support
- https://content-security-policy.com/

Slide 29

Slide 29 text

Controllers & Components: htmlSafe(), good helpers

Slide 30

Slide 30 text

Avoid htmlSafe - htmlTutusExpellus (html-tutus-expellus)
- Never use directly on user input
- Use only with proper sanitization
- Your controller should not HTML
- Power up: contextual components

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

application.hbs card-component.hbs application.js

Slide 33

Slide 33 text

https://embermap.com/topics/contextual-components

Slide 34

Slide 34 text

application.hbs

Slide 35

Slide 35 text

application.hbs super-card-component.hbs

Slide 36

Slide 36 text

super-card-title-component.hbs super-card-body-component.hbs

Slide 37

Slide 37 text

application.hbs

Slide 38

Slide 38 text

Good Helpers - BonumAuxilium (bonum-auxilium)
- Prefer updating the DOM over returning HTML

Slide 39

Slide 39 text

Em.Handlebars.Utils.escapeExpression(params[0]);
- sanitize user input
- use htmlSafe to tell Ember it's ok to display as HTML

Slide 40

Slide 40 text

- use the DOM to create a text node
- set style attributes
- append the anchor child element
- return the node
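The escaping that slides 23 and 39 rely on, spelled out as an added example (not code from the talk): the escape table mirrors what Handlebars' escapeExpression replaces, and a constructed stand-in for the "Results for coffee" page of slides 19-20 is rendered once with raw input and once with escaped input to show how the attribute break-out of slide 20 is neutralised.

```javascript
// Same character set and entities that Handlebars' escapeExpression uses.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeExpression(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable: the search term is concatenated raw into an attribute context
// (the search box keeps its value) and a text context. A term ending in `">`
// closes the attribute and whatever follows is parsed as markup; this is the
// reflected XSS of slide 20. Constructed sample markup, not the talk's app.
function renderResultsUnsafe(searchTerm) {
  return `<input name="search_term" value="${searchTerm}">` +
         `<h1>Results for ${searchTerm}</h1>`;
}

// Hardened: escape once, then the same markup is safe in both contexts,
// because the quote, angle brackets and equals sign that would break out of
// the attribute or open a tag have all become entities.
function renderResultsSafe(searchTerm) {
  const safeTerm = escapeExpression(searchTerm);
  return `<input name="search_term" value="${safeTerm}">` +
         `<h1>Results for ${safeTerm}</h1>`;
}

// Regression check for a test suite: does the rendered page contain any tag
// other than the ones our own markup emits?
function hasUnexpectedTag(html, expectedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !expectedTags.includes(t));
}
```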

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

Templates: {{{ HTML escaping }}}, target='_blank'

Slide 43

Slide 43 text

Avoid Triple Curlies - TripliciCrispusExpellus (Tri-pli-ci-crispus)
- Using {{{ }}} on direct user input can introduce vulnerabilities
- {{{ }}} is htmlSafe() for templates: it marks HTML code as safe to execute

Slide 44

Slide 44 text

[ be deliberate and mindful about what you vouch for. ]

Slide 45

Slide 45 text

good helpers + contextual components = ♥

Slide 46

Slide 46 text

Thou Shalt Noopen - NoopenerNoreferrerExpellus (apertus-tour-expellus)
- always use noopener AND noreferrer with target='_blank'

Slide 47

Slide 47 text

The newly opened tab gets partial access to the linking page via the window.opener object and can change window.opener.location to a phishing page. Some of that access is automatically blocked by cross-domain restrictions, but window.location is fair game.

Slide 48

Slide 48 text

No content

Slide 49

Slide 49 text

https://github.com/rwjblue/ember-template-lint (available in the latest version)

Slide 50

Slide 50 text

Static analysers
- ESLint
- regexp are evil
- watermarks are ♥

Slide 51

Slide 51 text

story time

Slide 52

Slide 52 text

[ before ESLint there was... grep ]

Slide 53

Slide 53 text

- postBuild hook to get real-time feedback
- find + grep + regexp + wc to get the count
- compare the count against a static limit
- fail the build if the numbers don't match

Slide 54

Slide 54 text

[ regexp are like black magic. They're powerful & get the job done, but you also fear them and might have to sell your soul in the process ]
[ regexp rage by ingride ]

Slide 55

Slide 55 text

ESLint - BonumLintum (bonum-LINT-um)
- Introduce a line in the sand for blacklisted methods
- Use linters for real-time feedback in dev

Slide 56

Slide 56 text

ESLint plugin with a custom rule that checks for blacklisted methods

Slide 57

Slide 57 text

No content

Slide 58

Slide 58 text

- ESLint CLI + custom rule to get the count
- fail the build if errorCount > max allowed
- enable the ESLint cache for increased performance
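The plugin of slides 55-58 as an added example, not the talk's addon: an ESLint rule in the standard rule shape (meta + create) that reports calls to blacklisted methods, plus the "line in the sand" ratchet that sums errorCount from ESLint's per-file results and fails the build when the total exceeds a fixed limit. The blacklist (htmlSafe), the rule name and the limit are assumptions.

```javascript
// Assumed blacklist: methods that vouch for raw HTML and so need a human review.
const BLACKLISTED_METHODS = new Set(['htmlSafe']);

// Resolves the method name for htmlSafe(...), Ember.String.htmlSafe(...) and
// this.htmlSafe(...); computed access like obj[name](...) is not matched.
function calleeName(callee) {
  if (callee.type === 'Identifier') return callee.name;
  if (callee.type === 'MemberExpression' && !callee.computed &&
      callee.property.type === 'Identifier') {
    return callee.property.name;
  }
  return null;
}

// ESLint rule object: `create` receives the rule context and returns a visitor
// keyed by AST node type; `context.report` records one lint error.
const noBlacklistedMethods = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow calling methods that mark strings as safe HTML' },
    schema: [],
  },
  create(context) {
    return {
      CallExpression(node) {
        const name = calleeName(node.callee);
        if (name && BLACKLISTED_METHODS.has(name)) {
          context.report({
            node,
            message: `Unexpected call to blacklisted method "${name}"; escape or build DOM nodes instead.`,
          });
        }
      },
    };
  },
};

// Build ratchet: `results` has the shape ESLint's CLI/JSON formatter produces,
// an array of { filePath, errorCount, warningCount, messages } per file.
// The count may only go down over time; the build fails if it grows past the limit.
function ratchet(results, maxAllowed) {
  const total = results.reduce((sum, r) => sum + r.errorCount, 0);
  return { total, maxAllowed, pass: total <= maxAllowed };
}

module.exports = { rules: { 'no-blacklisted-methods': noBlacklistedMethods }, ratchet, calleeName };
```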

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

with ♥: [ blacklist methods addon coming soon ]

Slide 61

Slide 61 text

[ consult with other wizards. ]

Slide 62

Slide 62 text

OWASP Top 10
- Cross Site Scripting (XSS)
- Sensitive Data Exposure
- Information Disclosure
- Broken Authentication & Session Management

Slide 63

Slide 63 text

Bug Bounties - BugBeneficentia (BUGUS-eneficentia)
- Great way to get experts to test your app

Slide 64

Slide 64 text

[ thank you. ] @ingridepure