A CDN that can not XSS you. Using Subresource Integrity


about:frederik: Frederik Braun, Security Engineer at Mozilla. fbraun@mozilla.com / https://frederik-braun.com / @freddyb

Why am I here? https://www.mozilla.org/en-us/about/manifesto/

Content Delivery Networks

Who has seen code like this? <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script> <link href='http://fonts.googleapis.com/css?family=PT+Sans' rel='stylesheet' type='text/css'>

What does it do? <script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>

The Same-Origin Policy

Origins Explained: scheme http://, host www.example.com, port :80

Can execute but must not read? <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script>

The Same Origin Policy

The Same Origin Policy governs: XMLHttpRequest, DOM access, cookies, permissions

kotowicz's XSS-Track

one vulnerability is enough

http://www.securityweek.com/jquery-confirms-website-hacked-again

Picture from Cloudflare https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/ Popular JS libraries used for DDoS

Dear burglar, here's the combination to our safe. Please do not wake us up.

Subresource Integrity to the Rescue

SRI 1.0 <script src="https://code.jquery.com/jquery-1.10.2.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" crossorigin="anonymous"></script>

Integrity Cryptographic Hash Functions

$ sha256sum ubuntu-15.04-desktop-amd64.iso b970b014b3a2ea216fcf077328bfe32 18ed5c2f923fe2d9dfd2b41df9d735a5

Cryptographic Hash Functions (diagram; image released into the public domain by Wikipedia user Lichtspiel). Each input passes through the hash function and yields a digest; a one-letter change in the input gives a completely different digest:
Fox -> DFCD 3454 BBEA 788A 751A 696C 24D9 7009 CA99 2D17
The red fox jumps over the blue dog -> 0086 46BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC
The red fox jumps ouer the blue dog -> 8FD8 7558 7851 4F32 D1C6 76B1 79A9 0DA4 AEFE 4819
The red fox jumps oevr the blue dog -> FCD3 7FDB 5AF2 C6FF 915F D401 C0A9 7D9A 46AF FB45
The red fox jumps oer the blue dog -> 8ACA D682 D588 4C75 4BF4 1799 7D88 BCF8 92B9 6A6C

Cryptographic Hash Functions, applied to scripts: the digest tells the browser whether the bytes it received are the bytes the page author hashed:
normal jquery -> DFCD 3454 BBEA 788A 751A 696C 24D9 7009 CA99 2D17
modified jquery -> 0086 46BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC

Reading Cross-Origin Data?

http://victim.example.com/status.json {"status": "authenticated", "username": "Alice"}

Let's attack! (one <script> per guessed user; the copy whose hash matches is the one that executes)
<script src="https://victim.example.com/status.json" integrity="{ hash for Bob }"></script>
<script src="https://victim.example.com/status.json" integrity="{ hash for Alice }"></script>

http://192.168.1.1/config.js
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Wed, 29 Apr 2015 09:33:56 GMT
Etag: "359670651"
Server:
Content-Length:
{'wifi_enabled': true, 'password': 'admin'}

Cross Origin Resource Sharing (CORS)

Recap

CORS Required

Using CORS
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Wed, 29 Apr 2015 09:33:56 GMT
Etag: "359670651"
Server:
Access-Control-Allow-Origin: *
Content-Length:

SRI 1.0 <script src="https://code.jquery.com/jquery.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" crossorigin="anonymous"></script>

The Fineprint

integrity Syntax (SRI 1.0) <script src="https://code.jquery.com/jquery.min.js" integrity="sha256-C6CB9U…qFQmYg=" crossorigin="anonymous"></script>

integrity Syntax (SRI 1.0): sha256-C6CB9U…qFQmYg= , that is, the name of the hash algorithm, a dash, then the base64-encoded digest of the file

Multiple Hash Functions (SRI 1.0) <script src="https://code.jquery.com/jquery.min.js" integrity="sha256-C6CB9U…qFQmYg= sha384-h8brh8j48o9oyatfu5azz…t1flm52t+ex6xo" crossorigin="anonymous"></script>

Multiple Hashes (SRI 1.0) <script src="https://code.jquery.com/jquery.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg= sha256-qznlcsrox4gacp2dm0uckczcg+hiz1guq6zzdob/tng=" crossorigin="anonymous"></script>

Multiple Hashes (SRI 1.0) <script src="https://code.jquery.com/jquery.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTH…5qFQmYg= sha256-qznlcsrox4gacp2dm0uck…Dob/Tng= sha384-h8brh8j48o9oyatfu5azz…t1flm52t+ex6xo sha384-vqh/e1uhg5twh+yczcg+h…LznqHiZ1guq6ZZ" crossorigin="anonymous"></script>

Outdated Hash Function (SRI 1.0) <script src="https://code.jquery.com/jquery.min.js" integrity="brokenalgo-c6cb9uyis9ujeqinphwh/e1uhg5twh+y5qfqmyg=" crossorigin="anonymous"></script>. A browser ignores algorithm tokens it does not recognise; if nothing recognisable is left, the attribute counts as empty and the script loads unverified, so listing a current algorithm alongside the old one is what keeps the check meaningful.

over HTTP or HTTPS?

Failover

An evil script was blocked \o/

Manual Error Recovery (SRI 1.0) <script src="https://code.jquery.com/jquery.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVq…" crossorigin="anonymous"></script> <script>window.jQuery || document.write('<script src="/jquery-.min.js"><\/script>')</script> If the CDN copy was blocked by the integrity check, window.jQuery is still undefined when the second script runs, and the local copy is written into the page instead.

Future Work

Built-in Error Recovery? (NOT IN SPEC) <script src="https://code.jquery.com/jquery.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVq…" crossorigin="anonymous" fallbacksrc="/jquery.min.js"></script>

Integrity Policies & Error Reporting (NOT IN SPEC) Content-Security-Policy: integrity-policy: ("block" / "report" / "fallback") ["require-forall"]

More Use Cases (SRI 1.0) <link rel="stylesheet" href="https://site53.cdn.net/style.css" integrity="sha256-sdfwewfae…wefjijfe"/>

(NOT IN SPEC) Integrity and videos

We need your help!

Editor's Draft http://w3c.github.io/webappsec/specs/subresourceintegrity/

Tool Support Needed

Enable CORS! Send Access-Control-Allow-Origin: * now!

Conclusion

You can soon add integrity to secure your script loads.

Extending the Web is non-trivial

Browser Security needs to step up (and will)

Frederik Braun fbraun@mozilla.com @freddyb #security on irc.mozilla.org Obligatory Red Panda photo by Wikipedia user Aconcagua, CC-BY-SA-3.0 Thank you for listening!