tostatichtml() for Everyone!

Similar documents
How to Improve Your Campaign Conversion Rates

Outline Key Management CS 239 Computer Security February 9, 2004

P1_L3 Operating Systems Security Page 1

Activity Guide - Public Key Cryptography

In our first lecture on sets and set theory, we introduced a bunch of new symbols and terminology.

RKN 2015 Application Layer Short Summary

Does Windows 10 Have Privacy Issues? February 11, Joel Ewing

CS 161 Computer Security

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Cryptography III Want to make a billion dollars? Just factor this one number!

Modern Cookie Stuffing

Cryptography (Overview)

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Evaluating the Security Risks of Static vs. Dynamic Websites

UKNova s Getting Connectable Guide

Stanko Tadić

The name of our class will be Yo. Type that in where it says Class Name. Don t hit the OK button yet.

BEGINNER PHP Table of Contents

Chapter01.fm Page 1 Monday, August 23, :52 PM. Part I of Change. The Mechanics. of Change

Worksheet - Reading Guide for Keys and Passwords

Module 6. Campaign Layering

SECURITY TESTING. Towards a safer web world

(GOT YOUR NOSE) (got your nose) (How Attackers steal your precious Data without using Scripts) A Presentation by Mario Heiderich, 2012

Lock Picking and Physical Security. Tyler Nighswander

The Activist Guide to Secure Communication on the Internet. Introduction

Applied Cryptography Basic Protocols

ctio Computer Hygiene /R S E R ich

What's the Slope of a Line?


Blog post on updates yesterday and today:

Content Security Policy

Digital Marketing Manager, Marketing Manager, Agency Owner. Bachelors in Marketing, Advertising, Communications, or equivalent experience

MITOCW watch?v=zlohv4xq_ti

BOOSTING THE SECURITY

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

It Might Be Valid, But It's Still Wrong Paul Maskens and Andy Kramek

Web basics: HTTP cookies

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Ad Muncher's New Interface Layout


An Introduction to How PGP Works

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

INCOGNITO TOOLKIT: TOOLS, APPS, AND CREATIVE METHODS FOR REMAINING ANONYMOUS, PRIVATE, AND SECURE WHILE COMMUNICATING, PUBLISHING, BUYING,

Introduction to Information Security Miscellaneous

Smart formatting for better compatibility between OpenOffice.org and Microsoft Office

Who am I? I m a python developer who has been working on OpenStack since I currently work for Aptira, who do OpenStack, SDN, and orchestration

Principles. Security. Douglas Crockford Yahoo!

mismatch between what is maybe possible today and what is going on in many of today's IDEs.

Man-In-The-Browser Attacks. Daniel Tomescu


ECEN 5022 Cryptography

Client Side JavaScript and AJAX

Meet our Example Buyer Persona Adele Revella, CEO

Establishing Trust in Disconnected Environments, page 1

The following content is provided under a Creative Commons license. Your support

The security of Mozilla Firefox s Extensions. Kristjan Krips

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

AJAX Programming Overview. Introduction. Overview

Skill 1: Multiplying Polynomials

WINDOWS NT FILE SYSTEM INTERNALS : OSR CLASSIC REPRINTS BY RAJEEV NAGAR

Sample Online Survey Report: Complex Software Application

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Download Beginning ASP.NET E-Commerce In C#: From Novice To Professional (Expert's Voice In.NET) PDF

Chrome if I want to. What that should do, is have my specifications run against four different instances of Chrome, in parallel.

Integrating Visual FoxPro and MailChimp

Initial Alpha Test Documentation and Tutorial

Why you should never ask favors from a graphic designer:

EasyCrypt passes an independent security audit

C++: C++ And Hacking For Dummies. A Smart Way To Learn C Plus Plus And Beginners Guide To Computer Hacking (C Programming, HTML, Javascript,

Web basics: HTTP cookies

Post Experiment Interview Questions

The Stack, Free Store, and Global Namespace

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

MITOCW watch?v=9h6muyzjms0

How to Create a Killer Resources Page (That's Crazy Profitable)

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Match the attack to its description:

Instructor: Craig Duckett. Lecture 07: Tuesday, April 17 th, 2018 Conflicts and Isolation, MySQL Workbench

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

===============================================================================

Distributed System Security

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

CIS 4360 Secure Computer Systems XSS

Your Clickbank Treasure Map

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

The following content is provided under a Creative Commons license. Your support

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Below is another example, taken from a REAL profile on one of the sites in my packet of someone abusing the sites.

MITOCW watch?v=yarwp7tntl4

WINDOWS POWERSHELL 3.0 FIRST STEPS BY ED WILSON DOWNLOAD EBOOK : WINDOWS POWERSHELL 3.0 FIRST STEPS BY ED WILSON PDF

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

[PDF] Hacking: The Ultimate Beginners Guide To The World Of Hacking

In today s video I'm going show you how you can set up your own online business using marketing and affiliate marketing.

CS Paul Krzyzanowski

Solutions Business Manager Web Application Security Assessment

Lecture 44 Blockchain Security I (Overview)

CSCE 548 Building Secure Software SQL Injection Attack

Close Your File Template

MITOCW ocw f99-lec07_300k

Transcription:

tostatichtml() for Everyone! About DOMPurify, Security in the DOM, and Why We Really Need Both A talk by Dr.-Ing. Mario Heiderich, Cure53 mario@cure53.de @0x6D6172696F 1 of 45

Here is Alice. She wants to write an encrypted message. And send it to Bob. This is my company 2 of 45

Here is Bob. He wants to be able to read what Alice has to write. About NASCAR. That's nothing to be ashamed about. But still privacy-relevant for many! 3 of 45 We do really good pentests

Both Bob and Alice want to exchange encrypted mails with each other. 4 of 45 But I guess you know that already

Bob and Alice both use, let's call it... ElectronMail. A fancy tool that allows to encrypt and decrypt mail messages Right in the browser. You probably know what I am referring to. 5 of 45

ElectronMail is great. All the server sees is an encrypted piece of text. Useless to anyone without the key. 6 of 45

Unless that person is really good at mathematics 7 of 45

ElectronMail chose a very smart approach. We refer to that as End-to-End encryption. Or E2E. From a technical standpoint, that whole process is easy to describe. 8 of 45

The next day, both Bob and Alice receive an encrypted mail from Mallory. They both open the mail. Both their accounts get compromised without them knowing. 9 of 45

Mallory not only gets access to all mails Bob and Alice have exchanged in the past... but also grabs their private keys, all contacts in Alice and Bob's address-books, and installs a key-logger. Just in case. 10 of 45

Mallory isn't overly great at mathematics. She doesn't know much about buffer overflows and UAFs. She is not in possession of a vast attack infrastructure, number crunchers or any dedicated soft- or hardware. 11 of 45

Mallory is pretty good at HTML and JavaScript. The modern cyber-crime action-pack. There. Cyber. I said it. 12 of 45

Mallory made use of a classic Cross-Site Scripting attack and smuggled executable client-side code into the message she sent out. Executing in the DOM used by ElectronMail, provided by the browsers Alice and Bob use. 13 of 45 Remember, when folks said XSS is lame? Pepperidge Farm remembers!

It was harder for Mallory to do that kind of thing in the past. Mail providers, before the dawn of cryptography in the browser, relied on strong server-side filters to scrub anything bad from HTML email bodies. 14 of 45

But with encryption in the browser, those days are over. The server can no longer see, if there is anything bad in the mail body. Because it's encrypted. 15 of 45

Damn you, encryption! Enabler of crime and malice! All that should be forbidden! Or back-doored! 16 of 45

Damn you, encryption! Enabler of crime and malice! All that should be forbidden! Or back-doored! Well, maybe not! 17 of 45

Let's isolate our initial problem. We cannot sanitize on the server any more. Encrypted mails are left to be sanitized on the client. So we need to sanitize on the client. 18 of 45

And browsers surely give us the right tools for that, correct? 19 of 45

Well, sadly, they do not. 20 of 45

You will now jump up and start screaming. Sandboxed Iframes! HTTP Only cookies! XSS filters! Web Workers! The Same Origin Policy! Sub-Resource Integrity! And of course the cure for everything - Content Security Policy! That's Mike West! 21 of 45

But the more you look at those features, the more you realize that they come close to solving our problem But never manage to be a perfect solution. 22 of 45 Trust me, I am a Doctor. I have butter on my bread Just because of that.

We are missing something that does, what the servers did in the past. We need to be able to tell apart the bad from the good and only leave the good to be shown in the browser. We don't have that. 23 of 45

Well, we kinda do. It's called tostatichtml() and it does exactly that. Take a string, throw any bad HTML out and hopefully return a sanitized string. 24 of 45 Mike is not amused.

But it's only available in MSIE. Or on Firefox with NoScript installed. So let's scratch that. We need a tostatichtml() for everyone! In all browsers. Now! 25 of 45

So, I created it. It's called DOMPurify and its task is to do exactly what we need. Take a string of HTML. Or SVG. Or MathML. Analyze it using an isolated DOM. Throw out the bad, leave in the good. Return a sane result. 26 of 45

The browser DOM and it's really messy properties were one of the biggest problem here. DOM Clobbering attacks, inhomogeneous APIs, HTML elements implemented in completely different ways, different attribute handling. The DOM is a mess! Yeah! Let's make Visual Basic Script great again! 27 of 45

But we believe to have them solved and haven't received a bypass in months. Despite generous bug bounty in case an issue gets spotted. 28 of 45

Many websites already use DOMPurify and are happy with it. In Germany for example, we have Gov-Approved Mail system called de-mail. They had the same problem and guess how even they solved it. That's right, DOMPurify. 29 of 45 There's several 100M users protected by our library by now

So. Is our problem already solved? Something seems fishy here 30 of 45

Am I the savior of souls, the bringer of security, the knight in shining armor, slaying the XSS dragon? Me, fighting the XSS dragon. 31 of 45

Hell no! Because now we have a well working library. But that gives us a trust problem. You have to trust me! 32 of 45

What if I turn rogue? And release an update with a back-door? Me, after back-dooring DOMPurify 33 of 45

I have been writing XSS exploits for the last ten years. I think I could hide a back-door in DOMPurify. Maybe in the compressed version we ship. 34 of 45

Of course I would never do that. Right? 35 of 45

Riiight? 36 of 45

Or would I? God I LOVE Money! Mmmmmmmoney! Aaah.. 37 of 45

And now what. What options do we have? The problem now is that we have a solution to our former problem... Now, the security of millions of users depends on a small circle of library authors and hopefully a bunch of cautious pairs of eyes noticing malicious changes. 38 of 45

We need a specification and implement DOMPurify inside browsers! As part of the almighty DOM and its countless APIs. We need many eyes on that, not just a few. We need a written and published description of risks models and matching solutions. We need templates that developers can use with great ease and small foot-gun potential. 39 of 45

We need to specify what DOMPurify does and implement it Inside the browsers' core. Despite CSP. Because of CSP. Because we need to fill all gaps, not just accidental intersections. 40 of 45

Now, you might point at me with your finger and ask - why don't you write the specification then? And I will respond... 41 of 45

Why don't YOU write the specification! We already did the hard work, identified the problem, proposed solutions......and showed, that even our own approach is fundamentally flawed because of the inherently required trust in us, the maintainers. 42 of 45

Now, it's not just my but OUR turn. If you agree on the problem, the proposed solutions and share our views about what needs to be done: Be the one who starts it. We're happy to help! But we're not gonna do it alone. 43 of 45

Let's make all the ElectronMails and other tools much safer and implement XSS protection where it belongs. Not into the server, not into WAFs and IPS. But into the browser. Right, where the action happens. 44 of 45

And that concludes my presentation. Thank you for your time :) 45 of 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback