Your users are almost certainly vulnerable in one way or another. Mike North explores a series of common web app security pitfalls, first demonstrating how to exploit the vulnerability and then recommending a pragmatic and effective defense against the attack. Buckle up, because Mike's about to take some things you love and depend on and smash them to bits.
2. Web Security MICHAEL L NORTH
Addepar
Apple
Buffer
Checkmate
Dollar Shave
Club
Ericsson
Facebook
Freshbooks
Github
Google
Heroku
Intercom
Iora Health
LinkedIn
Microsoft
Netflix
Pagerduty
Pivotshare
Practice Fusion
Thoughtbot
Ticketfly
Travis-CI
Tumblr
Twitch
Yahoo
Zenefits
Teaching developers from…
3. Web Security MICHAEL L NORTH
We have a BIG problem
• Features & Deadlines vs. Security
• Web Developers have fallen behind
• Attacks are escalating in severity
• Barriers to staging an attack are lower than ever
4. Web Security MICHAEL L NORTH
Our Strawman
Strawbank
mike@mike.works
Checking ****7890 $10,000
Savings ****1234 $8,000
ACCOUNTS TRANSFERS
http://strawbank.com • Cookie-based "session"
authentication
• List of accounts
• Ability to lookup other
accounts & transfer funds
5. Web Security MICHAEL L NORTH
The Hacks
NETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking
12. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
WiFi Pineapple
• Linux
• 2x Wifi Cards
• High gain antennas
• "App store"
2000mw WiFi
9dB antenna
17. Web Security
DEFENSE
MICHAEL L NORTH
Man in the middle
Strawbank
mike@mike.works
Checking ****7890 $10,000
Savings ****1234 $8,000
ACCOUNTS TRANSFERS
https://strawbank.com🔒
• TLS not SSL
• Private key needed to read or
alter request/response
• Getting a cert requires
"Domain Validation"
18. Web Security MICHAEL L NORTH
~56% of the web uses HTTPS
% of
page
loads
over
HTTPS
Time
20. Web Security MICHAEL L NORTH
[1] https://arstechnica.com/security/2009/07/benign-security-warnings-have-trained-users-to-ignore-them/
[2] https://adrifelt.github.io/sslinterstitial-chi.pdf
[3] http://lorrie.cranor.org/pubs/bridging-gap-warnings.pdf
After extensive data-driven improvement to
Chrome warning messages, 42% of users ignore
them instead of over 70% [2]
42%
51%
Over 50% of users don't understand
eavesdropping vs. malware risk factors [3]
44%
"...at least 44 percent of the top 382,860
SSL-enabled websites had certificates that
would trigger warnings" [1]
22. Web Security
ATTACK
MICHAEL L NORTH
SSLStrip
🔒 HTTPS
🔒 HTTPSHTTP
Strawbank
Client continues with HTTP, Server is unaware
HTTP
23. Web Security
DEFENSE
MICHAEL L NORTH
HTTP Strict Transport Security
Strict-Transport-Security: max-age=31536000; includeSubDomains
Do not allow plain HTTP
• Failure to include subdomains permits a broad range of cookie-
related attacks
• There's still the issue of the first request
32. Web Security
DEFENSE
MICHAEL L NORTH
Cross-Site Scripting (XSS)
Strawbank
mike@mike.works
ACCOUNTS TRANSFERS
From Acct
To Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
<script src="http:
• Escape all user input
• Use a view layer that has
thorough built-in XSS
protection
• Don't forget about styles too!
<img src="javascript:alert('XSS!')"!/>
33. Web Security
WARNING
MICHAEL L NORTH
Cross-Site Scripting (XSS)
• How confident are you in the XSS protection of your OSS libraries?
• How carefully do people scrutinize browser plugins?
• If XSS happens, what's your exposure?
36. Web Security
DEFENSE
MICHAEL L NORTH
Embedded Malware
Never trust user-generated content
• Optimize all images (nearly always drops non-visual content)
• Avoid spreading "raw" attachments
• Limit file types for uploads
• Don't permit arbitrary HTML input
• Whitelist content that can be embedded
37. Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Request Forgery
Strawbank
mike@mike.works
ACCOUNTS TRANSFERS
From Acct
To Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
Lisa's Savings
<form name="badform" method="post"
action="https:"//strawbank.com/api/transfer">
<input type="hidden"
name="destination" value="2" !/>
<input type="hidden"
name="amount" value="8500" !/>
!</form>
<script type="text/javascript">
document.badform.submit();
!</script>
38. Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Request Forgery
• Exclusively targets state-changing requests
• Exploits browser "automatically" sending credentials
• A good reason to conform to RESTful HTTP verbs
• POST requests are also susceptible
<img src="https:"//strawbank.com/api/transfer?amount=8500&destination=12345">
39. Web Security
DEFENSE
MICHAEL L NORTH
Cross-Site Request Forgery
• Only Basic or cookie authentication schemes are vulnerable
• Exception: "Client side cookie"
• CSRF Token - non-predictable and per-request
• Ensure CORS headers are appropriately restrictive
40. Web Security
ATTACK
MICHAEL L NORTH
Clickjacking
https://strawbank.com-securebank.cc?tok=108...🔒
Proceed
StrawCard
You're approved!Strawbank
mike@mike.works
ACCOUNTS TRANSFERS
From Acct
To Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com?amount=8500&dest=185...🔒
Lisa's Savings
41. Web Security
DEFENSE
MICHAEL L NORTH
Clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https:"//strawbank.com/
42. Web Security MICHAEL L NORTH
The Hacks
NETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking
43. Web Security MICHAEL L NORTH
But Wait""...There's more.
• SQL Injection
• Timing attacks
• Resource depletion attacks
• Session hijacking
• Execution after redirect
• Log Injection attacks
• Content Security Policy (CSP)
• Cache Poisoning
• Subresource Integrity (SRI)
• Sandboxing untrusted content
• Preventing attack escalation
• Encryption at rest: best practices
44. Web Security MICHAEL L NORTH
Thanks!
Want to know more?
Ask me about a
security workshop