Securing JavaScript Web Applications

A5b424d4146905962a24acd6815aeb84?s=47 Stephen Thomas
June 17, 2013
Technology
4
360

Securing JavaScript Web Applications

A5b424d4146905962a24acd6815aeb84?s=128

Stephen Thomas

June 17, 2013
Tweet

More Decks by Stephen Thomas

See All by Stephen Thomas
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
17
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
77
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
2.1k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
1
2.3k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
2.1k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
5
2.3k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
8
640
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
2
280

Other Decks in Technology

See All in Technology
8a84268593355816432ceaf78777d585?s=48 dena_tech
0
300
5c772b62f1974e9da3a88fbb4ef02696?s=48 hariby
1
120
Fccb5974b63d64636a7c90faf3bab51f?s=48 kikuzo
11
1.7k
B2a04c1ec959edba430bcb38ca6ffc81?s=48 corestate55
0
260
Cc8a208e174943d1da814783841abd50?s=48 shinodogg
2
240
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
190
1e8c5eaf563f965d3ba48b0054b1d955?s=48 shoichiron
8
3.6k
380bcd2ab751f5838abd8219df53e5fe?s=48 tomoki10
0
1.1k
D5554c0703d71b3f813e658020267954?s=48 masudas75
1
320
74cec195bfb6cb5165256d88cb7fcf0f?s=48 miu_crescent
2
260
Baaa72bd2671a244ba9211e015f72d28?s=48 eliasnogueira
0
210
98234c645fe8c935edc0fec0186d28b8?s=48 garethr
1
710

Featured

See All Featured
78b475797a14c84799063c7cd073962f?s=48 holman
448
130k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
770
190k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
5
380
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
435
28k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1348
190k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
87
3.2k
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
236
9.8k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
408
57k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
15
530
Eb8975af8e49e19e3dd6b6b84a542e26?s=48 qrush
283
18k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
119
7.7k
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
80
4k

Transcript

  1. stephen@sathomas.me icon-comment icon-comment-alt icon-comments icon-comments-alt icon-credit-card icon-dashboard icon-download icon-download-alt icon-edit

    icon-envelope icon-envelope-alt icon-key icon-leaf icon-legal icon-lemon icon-lock icon-unlock icon-magic icon-magnet icon-map-marker icon-minus icon-minus-sign icon-resize-horiz icon-resize-verti icon-retweet icon-road icon-rss icon-screenshot icon-search icon-share icon-share-alt icon-shopping-c http://speakerdeck.com/sathomas icon-paper-clip icon-indent-right icon-tab Directional Icons icon-arrow-down icon-arrow-left icon-arrow-right icon-arrow-up icon-chevron-down icon-circle-arrow-down icon-circle-arrow-left icon-circle-arrow-right icon-circle-arrow-up icon-chevron-left icon-car icon-car icon-car icon-car icon-ch Video Player Icons icon-play-circle icon-play icon-step-backward icon-fast-backward icon-fas icon-ste Securing JavaScript Web Applications Stephen Thomas

  2. Most Common Attacks on Web Applications 1. Cross Site Scripting

    (XSS) 2. Cross Site Request Forgery (CSRF) (both are based on JavaScript) Source: Computer Weekly (quoting FireHost)

  3. Cross Site Scripting (What you think) your.web.app.com victim great content

  4. your.web.app.com victim great content + attack script evil.web.site.com 1 2

    Cross Site Scripting (Reality)

  5. The Vulnerability: User Supplied Content I like your post. Comment:

    Submit

  6. Naively Collect Content var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = this.$('input[name=comment]').val(); this.model.save({newComment: newComment}); }, ... });

  7. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  8. The Attack I like your post. <script src="http://evil.web.site.com.badscript.js"> </script> Comment:

    Submit

  9. Naively Collect Content (including the script tag) var NewCommentView =

    Backbone.View.extend({ ... events: { "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = this.$('input[name=comment]').val(); this.model.save({newComment: newComment}); }, ... });

  10. Deliver the Content your.web.app.com victim great content + attack script

    1

  11. Naively Render Content (including the script tag) var CommentView =

    Backbone.View.extend({ ... template: _.template('<p><%= comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  12. your.web.app.com victim great content + attack script evil.web.site.com 1 2

    Cross Site Scripting

  13. The Fix: Turn Bad Content I like your post! <script

    src="http://evil.web.site.com/badscript.js"> </script>

  14. The Fix: Into Safe Content I like your post! &lt;script

    src=&quot;http://evil.web.site.com/ badscript.js&quot;&gt; &lt;/script&gt;

  15. Escape on Input var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = _.escape( this.$('input[name=comment]').val() ); this.model.save({newComment: newComment}); }, ... });

  16. Escape on Input var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = _.escape( this.$('input[name=comment]').val() ); this.model.save({newComment: newComment}); }, ... });

  17. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  18. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  19. Safely Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.text(this.template(this.model.toJSON())); }, ... });

  20. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  21. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  22. Safely Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%-

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  23. Cross Site Request Forgery (What you think) your.web.app.com suspicious.web.site.com

  24. your.web.app.com suspicious.web.site.com Cross Site Request Forgery (Reality)

  25. • JavaScript code loaded from suspicious.web.site.com can issue AJAX requests

    to your.web.app.com • If the user has a tab or window open to your.web.app.com, those AJAX requests will include your session authorization cookies. • Your server will think they’re legitimate requests and respond accordingly. The Vulnerability: AJAX Requests

  26. The Fix: Synchronization Tokens <?php setcookie("X-CSRF-Token", sha1(rand())); echo file_get_contents( "index.html"

    ); ?> • Server sends an additional cookie that is set to a random value.

  27. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; }

  28. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; } • Client reads the value of this special cookie.

  29. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; } • Client returns the value as a custom HTTP header.

  30. The Fix: Synchronization Tokens <?php if ($_SERVER['HTTP_X_CSRF_TOKEN'] != $_COOKIE['X-CSRF-Token']) {

    header('Status: 403 Forbidden'); exit(); } /* process request normally */ ?> • Server makes sure custom HTTP header is present and matches the cookie.

  31. Why Do Synchronization Tokens Work? Even though AJAX requests that

    suspicious.web.site.com makes to your.web.app.com will include your cookies, Javascript code from suspicious.web.site.com cannot read the values of those cookies. It cannot, therefore, set the custom HTTP header values for which your server is checking.

  32. Single Page Web Apps • Don’t re-learn old lessons the

    hard way. • Protect against JavaScript-based attacks such as XSS and CSRF. • Oh yeah, protect against other attacks (SQL Injection) also.