Securing Single Page Applications

Transcript

1. Securing Single Page Applications By Zakiullah Khan Mohammed @khan_io

2. Disclaimer I’m not a Security Expert.

3. #ngHYD Twitter Hash Tag

4. About Me Technical Manager @ Fission Labs http://www.khanio.com

5. Agenda AppSec - OWASP - JWT

6. Single Page Applications (SPAs) Currently trending ...

7. None
8. None

9. Application Security Who knows it all in your team ?

10. OWASP Open Web Application Security Project

11. OWASP Online community dedicated to web application security

12. OWASP Identify Vulnerabilities Recommend Solutions Document Best Practices

13. OWASP 2013 Top 10 http://j.mp/OWASP-2013-Top10

14. OWASP 2013 Top 10 A1 - Injection A2 - Broken

    Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards

15. OWASP 2013 Top 10 A1 - Injection A2 - Broken

    Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards

16. A2 Broken Authentication and Session management Credentials - Session -

    Browser Caching - Trust

17. Defence Encrypt session data ( SSL + HMAC + Salt)

    Timeout idle sessions No plaintext anywhere Authenticate for sensitive data

18. Cookie vs Token Does it matter ?

19. None
20. None
21. None

22. A3 Cross-Site Scripting (XSS) Malicious content delivered to user using

    Javascript
23. None

24. Defence Always validate user input Escape out URLs, JS data

    and Error pages Rely on program data, not user data

25. Content Security Policy Whitelisting sources within browser

26. Content Security Policy Content-Security-Policy: script-src ‘self’ https://api.example.com

27. Content Security Policy connect-src - font-src - frame-src - img-src

    - media-src - object-src style-src

28. ngCSP Content Security Policy within AngularJS

29. A8 Cross-Site Request Forgery (XSRF) Tricks user in submitting data

    to evil endpoint
30. None

31. Defence Map HTTP methods rightly Forms authentication token Never rely

    on session

32. $http XSRF protection within AngularJS using X-XSRF-TOKEN

33. How to fix all three ? Let’s talk about JWT

34. JSON Web Token (JWT) Pronounced as JOT

35. JSON Web Token (JWT) Compact URL-safe means of representing claims

    to be transferred between two parties. The claims in JWT are encoded as JSON object that is digitally signed using JWS.

36. JSON Web Token (JWT) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts

37. JSON Web Token (JWT) <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>

38. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" }

39. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ {"sub": 1234567890, "name": "John Doe", "admin": true}

40. eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(claims), secret_key)

41. JSON Web Token (JWT) NO CSRF - NO XSS

42. angular-jwt https://github.com/auth0/angular-jwt

43. Thank You Q&A