Embed Size (px)
Citation preview
Web SecurityA Primer for Web App DevelopersJune 21, 2017
Mike NorthFluent Conf
© 2017, Mike Works, Inc. All Rights Reserved
Web Security MICHAEL L NORTH
Addepar Apple Buffer
Checkmate Dollar Shave
Club Ericsson
Facebook Freshbooks
Github Google Heroku
Intercom Iora Health
LinkedIn Microsoft
Netflix Pagerduty Pivotshare
Practice Fusion Thoughtbot
Ticketfly Travis-CI Tumblr Twitch Yahoo
Zenefits
Teaching developers from…
Web Security MICHAEL L NORTH
We have a BIG problem• Features & Deadlines vs. Security
• Web Developers have fallen behind
• Attacks are escalating in severity
• Barriers to staging an attack are lower than ever
Web Security MICHAEL L NORTH
Our Strawman
Strawbank [email protected]
Checking ****7890 $10,000
Savings ****1234 $8,000
ACCOUNTS TRANSFERS
http://strawbank.com • Cookie-based "session" authentication
• List of accounts
• Ability to lookup other accounts & transfer funds
Web Security MICHAEL L NORTH
The HacksNETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking
Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Starbucks WiFi
HTTP HTTP
Web Security
ATTACK
MICHAEL L NORTH
Man in the middlePublic WiFi: Trusted forever by default
Web Security
ATTACK
MICHAEL L NORTH
Man in the middleWiFi Devices broadcast what they're looking for
Web Security
ATTACK
MICHAEL L NORTH
Man in the middleRouter as DNS
Web Security
ATTACK
MICHAEL L NORTH
DNS Hijacking
Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Starbucks WiFi
Airport Free WiFi
💥💥💥
Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
WiFi Pineapple• Linux • 2x Wifi Cards • High gain antennas • "App store"
2000mw WiFi
9dB antenna
Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Web Security MICHAEL L NORTH
Let's say you've locked down WiFi
Web Security
ATTACK
MICHAEL L NORTH
Femtocell
📱
📱
📱
📱
Web Security
DEFENSE
MICHAEL L NORTH
Man in the middle
Checking ****7890 $10,000
Savings ****1234 $8,000
ACCOUNTS TRANSFERS
https://strawbank.com🔒
• TLS not SSL
• Private key needed to read or alter request/response
• Getting a cert requires "Domain Validation"
Web Security MICHAEL L NORTH
~56% of the web uses HTTPS
% of page loads over
HTTPS
Time
Web Security
ATTACK
MICHAEL L NORTH
Man in the Middle II
Web Security MICHAEL L NORTH
[1] https://arstechnica.com/security/2009/07/benign-security-warnings-have-trained-users-to-ignore-them/ [2] https://adrifelt.github.io/sslinterstitial-chi.pdf [3] http://lorrie.cranor.org/pubs/bridging-gap-warnings.pdf
After extensive data-driven improvement to Chrome warning messages, 42% of users ignore
them instead of over 70% [2]
42%
51%Over 50% of users don't understand
eavesdropping vs. malware risk factors [3]
44%"...at least 44 percent of the top 382,860 SSL-enabled websites had certificates that
would trigger warnings" [1]
Web Security
ATTACK
MICHAEL L NORTH
SSLStrip
🔒 HTTPS 🔒 HTTPS
🔒 HTTPSHTTPStrawbank
Begins with downgrade to HTTP
Web Security
ATTACK
MICHAEL L NORTH
SSLStrip
🔒 HTTPS
🔒 HTTPSHTTPStrawbank
Client continues with HTTP, Server is unaware
HTTP
Web Security
DEFENSE
MICHAEL L NORTH
HTTP Strict Transport Security
Strict-Transport-Security: max-age=31536000; includeSubDomains
Do not allow plain HTTP
• Failure to include subdomains permits a broad range of cookie-related attacks
• There's still the issue of the first request
Web Security
DEFENSE
MICHAEL L NORTH
HSTS Preload
Web Security
DEFENSE
MICHAEL L NORTH
HSTS WARNINGDEFENSE
Web Security
WARNING
MICHAEL L NORTH
Treat Certificates With Care!
Web Security
WARNING
MICHAEL L NORTH
Treat Certificates With Care!
Web Security
WARNING
MICHAEL L NORTH
Treat Certificates With Care!
Web Security MICHAEL L NORTH
The HacksNETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking
Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Scripting (XSS)
ACCOUNTS TRANSFERS
From AcctTo Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
Lisa's Savings
<select> <option value="1"> Mike's Checking !</option> <option value="2"> Lisa's Savings !</option> <option value="3"> Elliot's Checking <script src="https:"//""...totally-fine.js">!</script> !</option> !</select>
Web Security
ATTACK
MICHAEL L NORTH
Cross Site Scripting (XSS)
Web Security
DEFENSE
MICHAEL L NORTH
Cross-Site Scripting (XSS)
ACCOUNTS TRANSFERS
From AcctTo Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
<script src="http:
• Escape all user input
• Use a view layer that has thorough built-in XSS protection
• Don't forget about styles too!<img src="javascript:alert('XSS!')"!/>
Web Security
WARNING
MICHAEL L NORTH
Cross-Site Scripting (XSS)
• How confident are you in the XSS protection of your OSS libraries?
• How carefully do people scrutinize browser plugins?
• If XSS happens, what's your exposure?
Web Security
ATTACK
MICHAEL L NORTH
Embedded Malware
Web Security
ATTACK
MICHAEL L NORTH
Embedded Malware
Web Security
DEFENSE
MICHAEL L NORTH
Embedded MalwareNever trust user-generated content
• Optimize all images (nearly always drops non-visual content)
• Avoid spreading "raw" attachments
• Limit file types for uploads
• Don't permit arbitrary HTML input
• Whitelist content that can be embedded
Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Request Forgery
Strawbank [email protected]
ACCOUNTS TRANSFERS
From AcctTo Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
Lisa's Savings
<form name="badform" method="post" action="https:"//strawbank.com/api/transfer"> <input type="hidden" name="destination" value="2" !/> <input type="hidden" name="amount" value="8500" !/> !</form>
<script type="text/javascript"> document.badform.submit(); !</script>
Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Request Forgery• Exclusively targets state-changing requests
• Exploits browser "automatically" sending credentials
• A good reason to conform to RESTful HTTP verbs
• POST requests are also susceptible
<img src="https:"//strawbank.com/api/transfer?amount=8500&destination=12345">
Web Security
DEFENSE
MICHAEL L NORTH
Cross-Site Request Forgery
• Only Basic or cookie authentication schemes are vulnerable
• Exception: "Client side cookie"
• CSRF Token - non-predictable and per-request
• Ensure CORS headers are appropriately restrictive
Web Security
ATTACK
MICHAEL L NORTH
Clickjacking https://strawbank.com-securebank.cc?tok=108...🔒
Proceed
StrawCard
You're approved!Strawbank [email protected]
ACCOUNTS TRANSFERS
From AcctTo Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com?amount=8500&dest=185...🔒
Lisa's Savings
Web Security
DEFENSE
MICHAEL L NORTH
Clickjacking
X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https:"//strawbank.com/
Web Security MICHAEL L NORTH
The HacksNETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking
Web Security MICHAEL L NORTH
But Wait""...There's more.• SQL Injection
• Timing attacks
• Resource depletion attacks
• Session hijacking
• Execution after redirect
• Log Injection attacks
• Content Security Policy (CSP)
• Cache Poisoning
• Subresource Integrity (SRI)
• Sandboxing untrusted content
• Preventing attack escalation
• Encryption at rest: best practices
Web Security MICHAEL L NORTH
Thanks!
Want to know more? Ask me about a
security workshop
