Slide 1

XSS, CSRF, CSP, JWT, WTF? IDK
Dominik Kundel - @dkundel
Dominik Kundel | @dkundel | #angularconnect

Slide 2

Introduction to WEB SECURITY
Dominik Kundel - @dkundel

Slide 3

Hi! I'm Dominik Kundel!
Developer Evangelist at
github/dkundel
@dkundel
[email protected]

Slide 4

// Sending an SMS using the Twilio API

// Twilio Credentials
const accountSid = 'ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
const authToken = 'your_auth_token';

// require the Twilio module and create a REST client
const client = require('twilio')(accountSid, authToken);

client.messages
  .create({
    to: '+16518675309',
    from: '+14158141829',
    body: 'The Force will be with you. Always.'
  })
  .then(message => console.log(message.sid));

Add messaging, voice, video and authentication in your apps with the language you already use

Slide 6

#onesiejs

Slide 9

SECURITY! SECURITY! SECURITY!

Slide 10

I THOUGHT OF EVERYTHING
- Only HTTPS, powered by Let's Encrypt
- It even uses HSTS (HTTP Strict Transport Security)
- No mixed content
- Sanitized HTML
- No room for SQL injections

Slide 11

NO REAL DATABASE
NO REAL DATABASE INJECTIONS

Slide 13

BOB ALLISON
Security Expert

Slide 14

https://onesie.life

Slide 15

USE COOKIES

// Make cookies HTTP only
res.cookie('authToken', jwt, {
  httpOnly: true,
  signed: true,
  secure: true
});

Slide 16

USE SAFE IMPLEMENTATIONS

const jwt = require('jsonwebtoken');

jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, payload) => {
  if (err) {
    console.log('Invalid token!');
    return;
  }
  console.log('Valid token!');
});

Slide 17

LET'S POST SOMETHING!
onesie.life Feed

Slide 18

CROSS SITE REQUEST FORGERY
hack-onesie.glitch.me/xsrf

Slide 19

WHAT HAPPENED?

Slide 20

window.opener.location = 'http://my-evil-website.com';

Slide 21

USE
Dangerous Link
Safe Link

Slide 22

USE TOKENS

const csrf = require('csurf')({ cookie: true });

app.get('/post', csrf, (req, res, next) => {
  // pass csrf to front-end via _csrf cookie or
  // req.csrfToken() in template
});

app.post('/post', csrf, (req, res, next) => {
  // only valid if one of these is the same as the cookie:
  // req.body._csrf
  // req.query._csrf
  // req.headers['csrf-token']
  // req.headers['xsrf-token']
  // req.headers['x-csrf-token']
  // req.headers['x-xsrf-token']
});

Slide 23

Little Bobby Tables
Young Brother

Slide 24

https://xkcd.com/327/

Slide 26

MYSPACE WORM
Samy worm / JS.Spacehero worm

Slide 27

TRICKS USED BY SAMY

// avoid blacklisted words like innerHTML through string concat
alert(eval('document.body.inne' + 'rHTML'));
eval('xmlhttp.onread' + 'ystatechange = callback');

samy.pl/popular/tech.html

Slide 28

OBFUSCATED JAVASCRIPT

// Different ways to eval
new Function(CODE)()
// or
setTimeout(CODE, 0)
// or
[]["filter"]["constructor"]( CODE )()

Slide 29

BLOCKING XSS IS NOT TRIVIAL
onesie.life

Slide 30

ENCODING CAN BE dangerous!

Slide 31

JSONP
JSON with Padding

function gotPosts(data) {
  console.log(data);
}

Slide 32

XSS + POOR JSONP =
onesie.life

Slide 34

CSP DEMO
onesie.life/secure/home

Slide 35

CSP EXAMPLE HEADER

Content-Security-Policy:
  default-src 'self';
  script-src 'nonce-NWo2+pmewRLPWqpsgv6J2w==';
  style-src 'nonce-NWo2+pmewRLPWqpsgv6J2w==';
  object-src 'none';
  img-src 'self' api.adorable.io;
  font-src 'self' fonts.gstatic.com;
  block-all-mixed-content;
  report-uri /csp-report;

Slide 36

CSP IS NOT YOUR SECURITY STRATEGY!
CSP is a Safety Net!

Slide 37

OTHER THINGS TO LOOK OUT FOR
- Avoid clickjacking by disallowing framing using
- Don't show versions of front-end libs or server
- Check the types of input (can cause NoSQL injections)

Slide 38

OTHER THINGS TO DO
- Consider security audits
- Stay up to date with versions (Greenkeeper)
- Use tools to detect security vulnerabilities (Snyk)

Slide 39

Summary

Slide 40

USE SIGNED COOKIES

Slide 41

BE SCEPTICAL OF S

Slide 43

USE TOKENS

Slide 44

BLOCKING ISN'T TRIVIAL

Slide 45

BE AWARE OF ENCODING

Slide 46

BE CAREFUL WITH

Slide 47

USE AS A SAFETY NET

Slide 48

STAY UP TO DATE

Slide 49

bit.ly/sec-angularconnect

Slide 50

bit.ly/onesie-life

Slide 51

Dominik Kundel
Thank You!
bit.ly/sec-angularconnect
github/dkundel
@dkundel
[email protected]