Hacking Front-End Apps

Transcript

1. Hacking Front-End Apps
   Alex Sexton
   

   View Slide

2. I work at .
   

   View Slide

3. which is in .
   California
   

   View Slide

4. but…
   

   View Slide

5. I live in .
   Texas
   

   View Slide

6. The web has a lot in
   common with Texas.
   

   View Slide

7. “The wild west.”
   

   View Slide

8. In 1985, Texas had a problem.
   

   View Slide

9. View Slide

10. Littering
    

    View Slide

11. Some Texans defended their
    “God-given right to litter.”
    

    View Slide

12. ಠ_ಠ
    

    View Slide

13. There were fines for littering.
    

    View Slide

14. photo by Curtis Gregory Perry
    

    View Slide

15. But no one seemed to care.
    

    View Slide

16. The state tried some slogans.
    

    View Slide

17. View Slide

18. But these slogans apparently
    did not resonate with
    the core offenders
    

    View Slide

19. Males 18-24
    “Bubbas in Pickup Trucks”
    

    View Slide

20. In 1985 Texas tried
    a new campaign:
    

    View Slide

21. View Slide

22. The campaign reduced litter
    on Texas highways
    !
    72%
    !
    from 1986 to 1990.
    

    View Slide

23. My point is…
    

    View Slide

24. “Hey everyone, you should make your
    websites more secure because it’s important.”
    !
    Probably isn’t going to do the trick.
    

    View Slide

25. DON’T!
    MESS!
    WITH!
    XSS
    Also probably
    won’t work.
    

    View Slide

26. Web developers,
    not security researchers,
    are the core audience.
    

    View Slide

27. Web security is hard.
    

    View Slide

28. “All you have to do is never
    make a single mistake.”
    - I Think Mike West
    

    View Slide

29. “I discount the probability
    of perfection.”
    - Alex Russell
    

    View Slide

30. Content Injection
    

    View Slide

31. View Slide

32. View Slide

33. View Slide

34. Everyone has a friend that
    always seems to pick
    “alert(‘hacked!’);”  
    as their username.
    

    View Slide

35. My User Agent
    

    View Slide

36. My Friend, Mike Taylor’s User Agent
    Mozilla/5.0  (Macintosh;  Intel  Mac  OS  X  10.9;  
    rv:25.0)  alert(‘lol’);  Gecko/20100101  
    Firefox/25.0
    

    View Slide

37. My Friend, Mike Taylor’s User Agent
    Mozilla/5.0  (Macintosh;  Intel  Mac  OS  X  10.9;  
    rv:25.0)  alert(‘lol’);  Gecko/20100101  
    Firefox/25.0
    

    View Slide

38. ಠ_ಠ
    

    View Slide

39. Samy
    

    View Slide

40. View Slide

41. View Slide

42. View Slide

43. ಠ_ಠ
    

    View Slide

44. So let’s just detect
    malicious scripts!
    

    View Slide

45. View Slide

46. alert(1)
    

    View Slide

47. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    

    View Slide

48. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    Malicious Code
    

    View Slide

49. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    tab
    tab tab
    space space
    

    View Slide

50. The Billy Hoffman
    Whitespace Attack
     <br/>!<br/>
    1
    1 1
    0 0
    

    View Slide

51. You cannot detect
    malicious code.
    

    View Slide

52. output.replace(//, ‘’);<br/>

    View Slide

53. CSS Hacks
    

    View Slide

54. Old School
    

    View Slide

55. View Slide

56. Link Visited Link
    getComputedStyle( getComputedStyle( )
    ) ===
    \o\|o|/o/
    Pretty much
    People Celebrating
    (or screaming on fire)
    

    View Slide

57. Timing Attacks
    

    View Slide

58. Security by Inaccuracy
    

    View Slide

59. requestAnimationFrame + :visited = ಠ_ಠ
    

    View Slide

60. requestAnimationFrame + :visited = ಠ_ಠ
    

    View Slide

61. requestAnimationFrame + :visited = ಠ_ಠ
    

    View Slide

62. Link Visited Link
    

    View Slide

63. Link Visited Link
    <16ms
    >60ms
    Time to render
    

    View Slide

64. JSON-P
    

    View Slide

65. MORE LIKE
    JSON-Pretty-Insecure
    

    View Slide

66. “I’d really like it if someone could run
    arbitrary dynamic scripts on my page”
    - JSONP Users
    

    View Slide

67. You wouldn’t do this.
    

    View Slide

68. So don’t do this.
    

    View Slide

69. A Leak In The Response
    

    View Slide

70. YouProbablyShouldUseCORS.tumblr.com
    

    View Slide

71. enable-cors.org
    

    View Slide

72. Try to say
    CROSS SITE!
    REQUEST FORGERY
    5 times fast.
    

    View Slide

73. Set-Cookie ‘csrf=0003’
    

    View Slide

74. Set-Cookie ‘csrf=0003’
    

    View Slide

75. View Slide

76. View Slide

77. View Slide

78. It gets worse.
    

    View Slide

79. Contextis White Paper
    

    View Slide

80. Cross-Domain Data Snooping
    via SVG Filters and OCR
    

    View Slide

81. View Slide

82. ಠ_ಠ
    

    View Slide

83. We need a new approach.
    

    View Slide

84. Content
    Security
    Policy
    

    View Slide

85. View Slide

86. Disallow Inline JS, CSS
    By Default!
    

    View Slide

87. Disallow eval
    By Default!
    

    View Slide

88. Disallow Cross Domain
    JS, CSS, IMG, Fonts
    

    View Slide

89. Report Violations!
    

    View Slide

90. View Slide

91. A White List
    That’s the key!
    

    View Slide

92. Good Security Goes
    Beyond Content Injection
    

    View Slide

93. 
    

    View Slide

94. HTTPS Everywhere
    

    View Slide

95. HTTPS Everywhere
    

    View Slide

96. HTTPS Only
    

    View Slide

97. 301 Redirect
    http
    

    View Slide

98. https
    HSTS
    

    View Slide

99. Frame Busting
    

    View Slide

100. Disallow as
     an iFrame
     X-Frame-Options
     

     View Slide

101. It’s “security by default.”
     At least much
     closer…
     

     View Slide

102. You can rely a little less on
     being perfect.
     

     View Slide

103. it only matters if
     everyone buys in.
     But
     

     View Slide

104. We need our own slogan.
     

     View Slide

105. We need developers to
     take pride in making
     secure applications.
     

     View Slide

106. Don’t Mess With The Web
     

     View Slide

107. ಠ_ಠ
     

     View Slide

108. Let’s do something about
     it together.
     

     View Slide

109. Thanks!
     @SlexAxton
     Special Thanks To:
     Mike West * 1000
     Adam Baldwin
     Contextis
     MDN
     

     View Slide