OWASP Taiwan Day 2017
Client Side Security And Testing Tools
(Evolution of)
david.cervigni@mindedsecurity.com
About me
• 10+ years of development
• Software Security Enthusiast
• Securing SDLC
• Secure coding trainer/reviewer
david.cervigni@mindedsecurity.com
JS Security, topics:
• Evolution of client technologies (security)
• Why it is always important
• Why it is always difficult
• Techniques and tools to avoid vulnerabilities
Client security is vast
XSS is always dangerous!
• XSRF protection bypass
• Cookies/session stealing
• Defacement
• Password/credential stealing
• Enumeration
…
Attacker OWNS our website,
and still:
Consequences:
Anti XSS approaches:
Classic:
• Validation
• Filtering
• HTML Encoding
• Encoding lib + Contextual Encoding
• ?
<div onclick="showError('<%= Encoder.encodeForHtml(Encoder.encodeForJavaScript(request.getParameter("error"))) %>')">
An error occurred ....</div>
Requires:
• Secure coding standards (enforced!)
• Knowledge
• Design (use the right libs)
…still error prone!
Anti XSS evolution:
Contextual encoding templates:
• Very strict
• Hard to encode in nested contexts / double encoding
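The onclick attribute in the JSP line above is a nested context: the HTML parser decodes entities first, then the JavaScript parser reads the result, which is why the value is JavaScript-encoded first and HTML-encoded second. The added example below (not from the slides; it uses simplified stand-ins for the OWASP Java Encoder methods, and showError is an assumed handler) replays that decode order and compares the correct nesting with HTML-only encoding and with the two encoders applied in the wrong order.

```javascript
// Added example (not from the slides): why an onclick attribute is a nested
// context. The browser decodes HTML entities in the attribute first, then the
// JavaScript parser reads the result, so the value must be JS-string encoded
// first (inner) and HTML-attribute encoded second (outer), as the JSP does.
// encodeForHtml/encodeForJavaScript are simplified stand-ins, not the real Encoder.

function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"
  })[c]);
}

// Escape everything outside [A-Za-z0-9] as \xHH (or \uHHHH), so nothing in
// the value can terminate a single- or double-quoted JS string literal.
function encodeForJavaScript(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Attribute value built the way the slide's JSP does it (correct order).
function safeOnclick(error) {
  return "showError('" + encodeForHtml(encodeForJavaScript(error)) + "')";
}

// Common mistake 1: HTML encoding only, ignoring the inner JS context.
function htmlOnlyOnclick(error) {
  return "showError('" + encodeForHtml(error) + "')";
}

// Common mistake 2: the two encoders nested in the wrong order.
function wrongOrderOnclick(error) {
  return "showError('" + encodeForJavaScript(encodeForHtml(error)) + "')";
}

// What the HTML parser hands to the JS engine: entities decoded.
function htmlAttributeDecode(attr) {
  return attr.replace(/&#x([0-9a-f]+);|&(amp|lt|gt|quot);/gi, (m, hex, name) =>
    hex ? String.fromCharCode(parseInt(hex, 16))
        : { amp: "&", lt: "<", gt: ">", quot: '"' }[name.toLowerCase()]);
}

// Returns the string showError receives if the literal is still intact, else
// null (the value broke out of the literal). Only an intact literal is evaluated.
function jsArgumentOf(decodedAttr) {
  const m = /^showError\('((?:\\.|[^'\\])*)'\)$/.exec(decodedAttr);
  return m ? new Function("return '" + m[1] + "';")() : null;
}

// End-to-end: build the attribute, apply the browser's decode order, inspect.
function decodedArgument(builder, input) {
  return jsArgumentOf(htmlAttributeDecode(builder(input)));
}

console.log(decodedArgument(safeOnclick, "O'Brien"));        // O'Brien
console.log(decodedArgument(htmlOnlyOnclick, "'); x(); //")); // null: literal broken
console.log(decodedArgument(wrongOrderOnclick, "O'Brien"));   // O&#x27;Brien (corrupted)
```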
Anti XSS evolution/2:
Mitigations:
• CSP: Content Security Policy
• ECMAScript security features (e.g. strict mode)
• Sandboxing JS (Google CAJA, sanitizer libraries)
• Anti-XSS browser features, WAF
Requires:
• Secure Application Design
• Third-party JS library compatibility?
• Legacy systems?
…still not fully secure (evasion)
So…Problem Solved?
Sources:
https://snyk.io/blog/xss-attacks-the-next-wave/
https://nvd.nist.gov/vuln/detail/CVE-2017-1160
“DOM-Based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.[…]”
New challenges:
Modern JS frameworks:
*Source: https://2017.appsec.eu/slides-and-videos, "Don't trust the DOM: Bypassing XSS mitigations via Script gadgets"
XSS Mitigation bypass
On:
Angular (1.x), Polymer (1.x), React, jQuery, jQuery UI, jQuery Mobile, Vue, Aurelia,
Underscore / Backbone, Knockout, Ember, Closure Library, Ractive.js, Dojo Toolkit,
RequireJS, Bootstrap…
• SPA: Single Page Applications
• Mainly HTML & JavaScript (no longer Flash)
• Frameworks: Angular, React…
• Third-party libraries (jQuery and others)
• High degree of integration: portals/services
Why is it always more important?
• Big codebases
• JavaScript is not easy to read: manual review
• Developing and quality-assuring JavaScript and client components is DIFFICULT, time consuming and error prone.
• Classic security tools use SCA (Static Code Analysis), which leads to:
1. Too many false positives
2. Too many false negatives
Why is it always more difficult?
❑ Sources: the input data that can be directly or indirectly controlled by an attacker.
❑ Filters: operations on Sources which change the content or check for specific structures/values.
❑ Sinks: potentially dangerous functions that can be abused to achieve some kind of exploitation.
Code Flow and Taint analysis
<script>
var l = location.href;                       // Tainted Source: attacker-controlled URL
var user = l.substring(l.indexOf("user"));   // taint propagates through string operations
document.write("Hello, " + user);            // Sink: raw HTML write
</script>
The process of following the tainted value from source to sink is known as Taint Propagation.
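The source / filter / sink model above, as an added toy static taint-propagation pass (not from the slides or any real tool): it walks a snippet like the one shown, marks variables tainted when they read a source, clears the mark when a known filter wraps the expression, and reports sinks reached by tainted data. The filter name escapeHtml and the element out are assumed names.

```javascript
// Added example (not from the slides): a toy static taint-propagation pass.
// Line-based and regex-driven, nowhere near a real SCA engine, but it shows the
// three building blocks the slide names: a source marks a variable tainted, a
// filter clears the mark, a sink reports tainted arguments. escapeHtml is assumed.

const SOURCES = ["location.href", "location.search", "location.hash", "document.cookie"];
const SINK_CALLS = ["document.write", "document.writeln", "eval"];
const SINK_PROPS = ["innerHTML", "outerHTML"];
const FILTERS = ["escapeHtml"]; // a real tool also checks the filter fits the sink's context

function parseStatement(line) {
  let m = /^\s*(?:var|let|const)?\s*([\w$.]+)\s*=\s*(.+?);?\s*$/.exec(line);
  if (m) return { kind: "assign", target: m[1], expr: m[2] };
  m = /^\s*([\w$.]+)\s*\((.*)\)\s*;?\s*$/.exec(line);
  if (m) return { kind: "call", callee: m[1], expr: m[2] };
  return { kind: "other" };
}

// Tainted if the expression reads a source or a tainted variable, unless the
// whole expression is wrapped in a known filter. String literals are blanked
// first so that "user" inside quotes is not mistaken for the variable user.
function exprTainted(expr, tainted) {
  const code = expr.trim().replace(/"[^"]*"|'[^']*'/g, '""');
  const wrapped = /^([\w$]+)\((.*)\)$/.exec(code);
  if (wrapped && FILTERS.includes(wrapped[1])) return false;
  if (SOURCES.some(s => code.includes(s))) return true;
  const ids = code.match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.some(id => tainted.has(id));
}

// Walks the statements top to bottom (no branches or loops in this toy) and
// returns one finding per sink reached by tainted data.
function analyze(source) {
  const tainted = new Set();
  const findings = [];
  source.split("\n").forEach((line, i) => {
    if (!line.trim() || /^\s*<\/?script>/.test(line)) return;
    const st = parseStatement(line);
    if (st.kind === "other") return;
    const t = exprTainted(st.expr, tainted);
    if (st.kind === "call") {
      if (t && SINK_CALLS.includes(st.callee)) findings.push({ line: i + 1, sink: st.callee });
    } else if (SINK_PROPS.some(p => st.target.endsWith("." + p))) {
      if (t) findings.push({ line: i + 1, sink: st.target });
    } else if (t) {
      tainted.add(st.target);      // taint propagates through the assignment
    } else {
      tainted.delete(st.target);   // reassigned from clean data: taint cleared
    }
  });
  return findings;
}

// Constructed sample: the slide's snippet, a filtered copy and a property sink.
const SAMPLE = `<script>
var l = location.href;
var user = l.substring(l.indexOf("user"));
document.write("Hello, " + user);
var safeUser = escapeHtml(user);
document.write("Hello, " + safeUser);
out.innerHTML = user;
</script>`;

console.log(analyze(SAMPLE)); // lines 4 and 7 are reported, line 6 is not
```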
Tools for JS Code analysis
SCA, static code analysis:
• Heavy
• Difficult
• Lower accuracy (false positives)
• Adaptability (false negatives…needs custom rules)
• Broad language support
Dynamic code analysis/IAST:
• Requires instrumentation
• More accurate
• Fuzzing capabilities!
SDLC
and
Automation (CI)
DOM XSS Wiki:
http://code.google.com/p/domxsswiki/wiki/LocationSources
The attacker controls all parts of a location except the victim hostname:
http://hostname/path/to/page.ext/PathInfo?Query=String#Hash=value
(hostname is fixed; path, PathInfo, query string and hash are attacker-controlled.)
An attacker can force a user to visit a forged URL.
Direct Input Sources: Location
A cookie value could have been set somewhere else and retrieved on another page. Its value can be accessed/modified with:
❑ document.cookie:
<script>
var cvalue = document.cookie;                    // Tainted (indirect) Source
var cstart = cvalue.indexOf("username=") + 9;    // 9 = "username=".length
var cend = cvalue.indexOf(";", cstart);          // value ends at the next ';' or at the end
if (cend === -1) cend = cvalue.length;
cvalue = unescape(cvalue.substring(cstart, cend));
alert("Welcome " + cvalue);
</script>
The attacker could force a malicious cookie value!
Indirect Input Sources: Cookies
AND NOW… DEMO, Q/A, THANKS!
Tools for JS Code analysis
JavaScript security and tools evolution at 2017 OWASP Taiwan Week
Speaker notes

1. From the OWASP website: it shows how many tests we need to do on the client side; almost all of them are causes and consequences of JavaScript execution.