It's only about frontend. Sergey Belov

1. It’s only about frontend
Sergey Belov
Digital Security
OWASP EEE. 6th of October 2015. Poland

2. $ whoami
• @ Digital Security
– Penteser
– ZeroNights team
• Bug hunting (Yandex, Google, CloudFlare ...)
• Speaker – OWASP RU, BlackHat 2014, HiP 2014, ZeroNights
• Like all web related security :]

3. What we're talking about
Frontend security
≠
client side attacks
Example – CSRF is client side attack but depend on server side

4. What we're talking about
Some techniques are well known
but some are not

5. What we're talking about
SOP
Same Origin Policy
scheme://domain:port
+ hardening

6. Cross Site Scripting
DOM

7. DOM XSS
document.write("Site is at: " + document.location.href);
http://victim.com/action#<script>alert('xss')</script>

8. DOM XSS
Sources
 document.URL
 location
 document.referrer
 window.name
 localStorage
 cookies
 …

9. DOM XSS
Sinks
 eval
 document.write
 (element).innerHTML
 (element).src
 setTimeout / setInterval
 execScript
 …
https://code.google.com/p/domxsswiki/

10. DOM XSS

11. Information leaks

12. Information leaks
Javascript examples
testServer = host.match(/[^.]+.((?:f|my.XXX)d*).YYY.com/)
devServer = host.match(/^.+.dev.YYY.com$/),
isXXX = testServer && testServer[1].indexOf('my.XXX') == 0,
...
internalDevHOST = '172.16.22.2';
internalProdHOST = '172.16.22.5';
...
var admin_url = '/secretArea/'

13. Information leaks
CSS examples
file:///applications/hackerone/releases/20140221175929/app
/assets/stylesheets/application/browser-not-supported.scss
file:///applications/hackerone/releases/20140221175929/app
/assets/stylesheets/application/modules/add-category.scss
file:///applications/hackerone/releases/20140221175929/app
/assets/stylesheets/application/modules/alias-preview.scss

14. MVC Frameworks

15. MVC Frameworks

16. MVC Frameworks
- Templates
- New elements <rockyou></rockyou>
- Bindings

17. MVC Frameworks
Logic-less templates
<ul>
<li ng-repeat="phone in phones">
<span>{{phone.name}}</span>
<p>{{phone.snippet}}</p>
</li>
</ul>

18. MVC Frameworks
Сurly braces
<ul>
<li ng-repeat="phone in phones">
<span>{{phone.name}}</span>
<p>{{phone.snippet}}</p>
</li>
</ul>

19. MVC Frameworks
Logic-less templates.
http://mustache.github.io/

20. MVC Frameworks
Mustache Security
• VueJS
• AngularJS
• CanJS
• Underscore.js
• KnockoutJS
• Ember.js
• Polymer
• Ractive.js
• jQuery
• JsRender
• Kendo UI
https://code.google.com/p/mustache-security/

21. MVC Frameworks
AngularJS (1.1.5) – access to window
<div class="ng-app">
{{constructor.constructor('alert(1)'
)()}}
</div>

22. MVC Frameworks
AngularJS (1.2.18) – access to window, after fix
{{
(_=''.sub).call.call({}[$='constructor']
.getOwnPropertyDescriptor(_.__proto__,$)
.value,0,'alert(1)')()
}}

23. MVC Frameworks
Frameworks updating is important for security!

24. Flash

25. Flash
A typical example
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80"/>
</cross-domain-policy>

26. Flash
A non-typical example
<cross-domain-policy>
... multiple domains (some unregistered)...
</cross-domain-policy>
Real bugbounty report - $$$

27. Flash
A non-typical example
<cross-domain-policy>
...domains from social networks (apps)...
</cross-domain-policy>
Real bugbounty report - $$$

28. Flash
XSS via Flash
getURL(_root.URI,'_targetFrame');
and many other cases
https://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OTG-CLIENT-008)

29. Flash
CVE-2011-2461 IS BACK!
1) Vulnerable verson of Adobe Flex
2) Full SOP bypass
https://github.com/ikkisoft/ParrotNG/
http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html

30. JSONP

31. JSONP
Typical case
<script
src="http://vuln/getInfo?c=parseResponse">
</script>

32. JSONP
No sensetive data? But Content-Type is:
• text/javascript
• application/javascript
• application/x-javascript
Try ?cb=new%20ActiveXObject(“WScript.Shell”).Exec(“calc”)//
And get client side RCE (IE only / SE is required)

33. JSONP
http://www.youtube.com/watch?v=T0vwLsHUing

34. HTML5 security

35. HTML5 Security
otherWindow.postMessage(message, targetOrigin);
Window.postMessage()
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
{
if (event.origin !== "http://example.org:8080")
return;
// ...
}
Domain A
Domain B

36. HTML5 Security
Window.postMessage()
if(message.orgin.indexOf(".example.com")!=-1)
{
/* ... */
}
Wrong!
example.com.attacker.com

37. HTML5 Security
otherWindow.postMessage(message, targetOrigin);
Window.postMessage()
Iframe
https://accounts.google.com/b/0/ListAccounts?listPages=0&mo=1&origin=https%3A%2F%2F1
23123.google.com
window.parent.postMessage(
“... Sensetive data / user login etc...",
"https:x2Fx2F123123.google.com");

38. HTML5 security
HTTP access control (CORS)
1) Modern
2) Secure by default
3) Very hard to make a mistake 

39. HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *

40. HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

41. HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: *
is not compatible with
Access-Control-Allow-Credentials: true

42. HTML5 security
HTTP access control (CORS)
Access-Control-Allow-Origin: $origin;

43. HTML5 security
WebSockets
1) No authorization and/or authentication
2) WSS:// - for sensetive data
3) Validation
4) Check origin
5) …

44. HTML5 security
Example with websockets (Agar.IO – HTML5 game)
1) Visit Agar.IO
2) Get new server (/findServer response, some random IP)
3) Connect (ws://) to some random IP
Random IP handles only requests with valid origin (like agar.io). It can
prevent custom clients (exclude cases with full proxy on server side)
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

45. Content Security Policy

46. Content Security Policy
X-Content-Security-Policy:
script-src js.example.com

47. Content Security Policy

48. Content Security Policy
Last Firefox: security csp command

49. Content Security Policy
@cure53 challenge – CSP bypass
• CDN with AngularJS is allowed ajax.googleapis.com
ng-app"ng-csp ng-
click=$event.view.alert(1337)>
<script src=
//ajax.googleapis.com/ajax/libs/angularjs
/1.0.8/angular.js>
</script>
https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22

50. Extensions / SmartTV

51. Extensions / SmarTV
- JS/HTML/CSS
- Interaction with DOM
- XHR qureies
- Extended API

52. For dessert

53. For dessert
<a href=“http://external.com”>Go!</a>
In headers will be
Referer: http://yoursite.com/
What about images, js, css files?

54. For dessert
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics.com/password.jpg>
...
Owner of
comics.com
Can see all secret tokens
https://github.com/cure53/HTTPLeaks

55. Anything else?
Yes:
• X-Frame-Options
• Iframe protection via JS – bypassing (iframe sandboxing / race conditions)
• Switching to HTTPS (HSTS)
• DOM Clobbering (XSS - http://www.slideshare.net/x00mario/in-the-dom-no-
one-will-hear-you-scream)
• Cookies (flags, domains – IE case)
• ...?

56. Thanks!
Any questions?
@sergeybelove