Your users are almost certainly vulnerable in one way or another. Mike North explores a series of common web app security pitfalls, first demonstrating how to exploit the vulnerability and then recommending a pragmatic and effective defense against the attack. Buckle up, because Mike's about to take some things you love and depend on and smash them to bits.

1. Web Security
A Primer for Web App DevelopersJune 21, 2017
Mike North
Fluent Conf
© 2017, Mike Works, Inc. All Rights Reserved

2. Web Security MICHAEL L NORTH
Addepar
Apple
Buffer
Checkmate
Dollar Shave
Club
Ericsson
Facebook
Freshbooks
Github
Google
Heroku
Intercom
Iora Health
LinkedIn
Microsoft
Netflix
Pagerduty
Pivotshare
Practice Fusion
Thoughtbot
Ticketfly
Travis-CI
Tumblr
Twitch
Yahoo
Zenefits
Teaching developers from…

3. Web Security MICHAEL L NORTH
We have a BIG problem
• Features & Deadlines vs. Security
• Web Developers have fallen behind
• Attacks are escalating in severity
• Barriers to staging an attack are lower than ever

4. Web Security MICHAEL L NORTH
Our Strawman
Strawbank
mike@mike.works
Checking ****7890 $10,000
Savings ****1234 $8,000
ACCOUNTS TRANSFERS
http://strawbank.com • Cookie-based "session"
authentication
• List of accounts
• Ability to lookup other
accounts & transfer funds

5. Web Security MICHAEL L NORTH
The Hacks
NETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking

6. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Starbucks WiFi
HTTP HTTP

7. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Public WiFi: Trusted forever by default

8. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
WiFi Devices broadcast what they're looking for

9. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Router as DNS

10. Web Security
ATTACK
MICHAEL L NORTH
DNS Hijacking

11. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
Starbucks WiFi
Airport Free WiFi
💥 💥 💥

12. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle
WiFi Pineapple
• Linux
• 2x Wifi Cards
• High gain antennas
• "App store"
2000mw WiFi
9dB antenna

13. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle

14. Web Security
ATTACK
MICHAEL L NORTH
Man in the middle

15. Web Security MICHAEL L NORTH
Let's say you've locked down WiFi

16. Web Security
ATTACK
MICHAEL L NORTH
Femtocell
📱
📱
📱
📱

17. Web Security
DEFENSE
MICHAEL L NORTH
Man in the middle
Strawbank
mike@mike.works
Checking ****7890 $10,000
Savings ****1234 $8,000
ACCOUNTS TRANSFERS
https://strawbank.com🔒
• TLS not SSL
• Private key needed to read or
alter request/response
• Getting a cert requires
"Domain Validation"

18. Web Security MICHAEL L NORTH
~56% of the web uses HTTPS
% of
page
loads
over
HTTPS
Time

19. Web Security
ATTACK
MICHAEL L NORTH
Man in the Middle II

20. Web Security MICHAEL L NORTH
[1] https://arstechnica.com/security/2009/07/benign-security-warnings-have-trained-users-to-ignore-them/
[2] https://adrifelt.github.io/sslinterstitial-chi.pdf
[3] http://lorrie.cranor.org/pubs/bridging-gap-warnings.pdf
After extensive data-driven improvement to
Chrome warning messages, 42% of users ignore
them instead of over 70% [2]
42%
51%
Over 50% of users don't understand
eavesdropping vs. malware risk factors [3]
44%
"...at least 44 percent of the top 382,860
SSL-enabled websites had certificates that
would trigger warnings" [1]

21. Web Security
ATTACK
MICHAEL L NORTH
SSLStrip
🔒 HTTPS 🔒 HTTPS
🔒 HTTPSHTTP
Strawbank
Begins with downgrade to HTTP

22. Web Security
ATTACK
MICHAEL L NORTH
SSLStrip
🔒 HTTPS
🔒 HTTPSHTTP
Strawbank
Client continues with HTTP, Server is unaware
HTTP

23. Web Security
DEFENSE
MICHAEL L NORTH
HTTP Strict Transport Security
Strict-Transport-Security: max-age=31536000; includeSubDomains
Do not allow plain HTTP
• Failure to include subdomains permits a broad range of cookie-
related attacks
• There's still the issue of the first request

24. Web Security
DEFENSE
MICHAEL L NORTH
HSTS Preload

25. Web Security
DEFENSE
MICHAEL L NORTH
HSTS WARNING
DEFENSE

26. Web Security
WARNING
MICHAEL L NORTH
Treat Certificates With Care!

27. Web Security
WARNING
MICHAEL L NORTH
Treat Certificates With Care!

28. Web Security
WARNING
MICHAEL L NORTH
Treat Certificates With Care!

29. Web Security MICHAEL L NORTH
The Hacks
NETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking

30. Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Scripting (XSS)
Strawbank
mike@mike.works
ACCOUNTS TRANSFERS
From Acct
To Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
Lisa's Savings
<select>
<option value="1">
Mike's Checking
!</option>
<option value="2">
Lisa's Savings
!</option>
<option value="3">
Elliot's Checking
<script src="https:"//""...totally-fine.js
!</option>
!</select>

31. Web Security
ATTACK
MICHAEL L NORTH
Cross Site Scripting (XSS)

32. Web Security
DEFENSE
MICHAEL L NORTH
Cross-Site Scripting (XSS)
Strawbank
mike@mike.works
ACCOUNTS TRANSFERS
From Acct
To Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
<script src="http:
• Escape all user input
• Use a view layer that has
thorough built-in XSS
protection
• Don't forget about styles too!
<img src="javascript:alert('XSS!')"!/>

33. Web Security
WARNING
MICHAEL L NORTH
Cross-Site Scripting (XSS)
• How confident are you in the XSS protection of your OSS libraries?
• How carefully do people scrutinize browser plugins?
• If XSS happens, what's your exposure?

34. Web Security
ATTACK
MICHAEL L NORTH
Embedded Malware

35. Web Security
ATTACK
MICHAEL L NORTH
Embedded Malware

36. Web Security
DEFENSE
MICHAEL L NORTH
Embedded Malware
Never trust user-generated content
• Optimize all images (nearly always drops non-visual content)
• Avoid spreading "raw" attachments
• Limit file types for uploads
• Don't permit arbitrary HTML input
• Whitelist content that can be embedded

37. Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Request Forgery
Strawbank
mike@mike.works
ACCOUNTS TRANSFERS
From Acct
To Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com🔒
Lisa's Savings
<form name="badform" method="post"
action="https:"//strawbank.com/api/transfer">
<input type="hidden"
name="destination" value="2" !/>
<input type="hidden"
name="amount" value="8500" !/>
!</form>
<script type="text/javascript">
document.badform.submit();
!</script>

38. Web Security
ATTACK
MICHAEL L NORTH
Cross-Site Request Forgery
• Exclusively targets state-changing requests
• Exploits browser "automatically" sending credentials
• A good reason to conform to RESTful HTTP verbs
• POST requests are also susceptible
<img src="https:"//strawbank.com/api/transfer?amount=8500&destination=12345">

39. Web Security
DEFENSE
MICHAEL L NORTH
Cross-Site Request Forgery
• Only Basic or cookie authentication schemes are vulnerable
• Exception: "Client side cookie"
• CSRF Token - non-predictable and per-request
• Ensure CORS headers are appropriately restrictive

40. Web Security
ATTACK
MICHAEL L NORTH
Clickjacking
https://strawbank.com-securebank.cc?tok=108...🔒
Proceed
StrawCard
You're approved!Strawbank
mike@mike.works
ACCOUNTS TRANSFERS
From Acct
To Acct
Mike's Checking
Amount $8500
Transfer Funds
https://strawbank.com?amount=8500&dest=185...🔒
Lisa's Savings

41. Web Security
DEFENSE
MICHAEL L NORTH
Clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https:"//strawbank.com/

42. Web Security MICHAEL L NORTH
The Hacks
NETWORK
Man in the middle
HTTPS downgrading via SSLStrip
CLIENT SIDE ATTACKS
XSS
CSRF
Clickjacking

43. Web Security MICHAEL L NORTH
But Wait""...There's more.
• SQL Injection
• Timing attacks
• Resource depletion attacks
• Session hijacking
• Execution after redirect
• Log Injection attacks
• Content Security Policy (CSP)
• Cache Poisoning
• Subresource Integrity (SRI)
• Sandboxing untrusted content
• Preventing attack escalation
• Encryption at rest: best practices

44. Web Security MICHAEL L NORTH
Thanks!
Want to know more?
Ask me about a
security workshop