SlideShare une entreprise Scribd logo

JavaScript security and tools evolution at 2017 OWASP Taiwan Week

Télécharger en tant que PPTX, PDF
D
dcervigni

Current status of client and JavaScript security and tools (to prevent vulnerabilities like XSS) and MindedSecurity's tool BlueClosure demo. https://www.youtube.com/watch?v=3_Q_KWx2Vko

Logiciels
1  sur  19
OWASP Taiwan Day 2017 Client Side Security And Testing Tools (Evolution of) david.cervigni@mindedsecurity.com
About me  10+ yeas of development  Software Security Enthusiast  Securing SDLC  Secure coding trainer/reviewer david.cervigni@mindedsecurity.com
JS Security, topics: • Evolution of client technologies (security) • Why is always important • Why is always difficult • Techniques and tools to avoid vulnerabilities
Client security is vast
XSS is always dangerous! • XSRF protection bypass • Cookies/session stealing • Defacement • Password/credential stealing • Enumeration … Attacker OWNS our website, and still: Consequences:
Anti XSS approaches: Classic: • Validation • Filtering • HTML Encoding • Encoding lib + Contextual Encoding • ? <div onclick="showError ('<%= Encoder.encodeForHtml(Encoder.encodeForJavaScript( request.getParameter("error")%>')))" > An error occurred ....</div> Requires: • Secure coding standards (enforced!) • Knowledge • Design (use the right libs) …still error prone!
Anti XSS evolution: Contextual encoding templates: • Very strict • Hard to encode in nested contexts / double encoding
Anti XSS evolution/2: Mitigations: • CPC: Content Security Policy • ECMAScript security features (e.g. strict mode) • Sandboxing JS (Google CAJA, sanitizer libraries) • Anti XSS browser features WAF Requires: • Secure Application Design • Third parties JS libraries compatibility? • Legacy systems? …still not fully secure (evasion)
So…Problem Solved? Sources: https://snyk.io/blog/xss-attacks-the-next-wave/ https://nvd.nist.gov/vuln/detail/CVE-2017-1160 “DOM-Based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.[…]”
New challenges: Modern JS frameworks:
*Source: https://2017.appsec.eu/slides-and-videos "Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets " XSS Mitigation bypass On: Angular (1.x), Polymer (1.x), React, jQuery, jQuery UI, jQuery Mobile, Vue, Aurelia, Underscore / Backbone, Knockout, Ember, Closure Library, Ractive.js, Dojo Toolkit, RequireJS, Bootstrap…
• SPA: Single Page Applications • Mainly HTML & JavaScript (not anymore flash) • Frameworks: Angular, React… • Third party libraries (JQuery and others) • High degree of integration: portals/services Why is always more important?
• Big codebases • JavaScript is not easy to read: manual review • Developing and Quality Assure for JavaScript and client components is DIFFICULT, time consuming and error prone. • Classic security tools use SCA (Static Code Analysis) that leads to : 1. Too many false positives 2. Too many false negatives Why is always more difficult?
❑ Sources: the input data that can be directly or indirectly controlled by an attacker. ❑ Filters: operations on Sources which change the content or check for specific structures/values. ❑ Sinks: potentially dangerous functions the can be abused to take advantage of some kind of exploitation. Code Flow and Taint analysis <script> var l = location.href; var user = l.substring(l.indexOf(“user”)); document.write(“Hello, ” + user); </script> Tainted Source Sink The process of following the tainted value from source to sink is known as Taint Propagation.
Tools for JS Code analysis SCA, static code analysis: • Heavy • Difficult • Lower accuracy (false positives) • Adaptability (false negatives…needs custom rules) • Broad language support Dynamic code analysis/IAST: • Requires instrumentation • More accurate • Fuzzing capabilities! SDLC and Automation (CI)
DOM XSS Wiki: http://code.google.com/p/domxsswiki/wiki/LocationSources Attacker controls all parts of a location except the victim hostname. path/to/page.ext/ PathInfo ?Query=String #Hash=valuehttp://hostname/ He can force a user to visit a forged url address.! Direct Input Sources: Location
Cookie value could have been instantiated somewhere else and retrieved on another page. Its value can be accessed/modified with: ❑ document.cookie: <script> var cvalue = document.cookie; var cstart = cvalue.indexOf(“username="); cvalue = unescape(cvalue.substring(cstart+9, cstart+9+length)); alert(“Welcome ” + cvalue); </script> The attacker could force a malicious cookie value! Indirect Input Sources: Cookies
DEMO, Q/A, THANKS! AND NOW…
Tools for JS Code analysis

Recommandé

Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
DevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingDevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingzeroXten
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Jannis Kirschner
 

Recommandé

Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
DevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingDevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingzeroXten
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Jannis Kirschner
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"Nazar Tymoshyk, CEH, Ph.D.
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basisAnkita Bhalla
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentestOWASP
 
Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Dan BerghJohnsson
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesAleksandar Bozinovski
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge frameworkOWASP
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending ApplicationsMichael Coates
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareMichael Coates
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations CenterAlert Logic
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 

Contenu connexe

Tendances

Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"Nazar Tymoshyk, CEH, Ph.D.
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basisAnkita Bhalla
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentestOWASP
 
Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Dan BerghJohnsson
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge frameworkOWASP
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending ApplicationsMichael Coates
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareMichael Coates
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations CenterAlert Logic
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop Priyanka Aash
 

Tendances (20)

Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrong
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basis
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
 
Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations Center
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016
 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
 

Similaire à JavaScript security and tools evolution at 2017 OWASP Taiwan Week

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsHdiv Security
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldOllie Whitehouse
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeFastly
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeDevOps.com
 

Similaire à JavaScript security and tools evolution at 2017 OWASP Taiwan Week (20)

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Security testing
Security testingSecurity testing
Security testing
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
 
Security for developers
Security for developersSecurity for developers
Security for developers
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
 

Plus de dcervigni

Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectiondcervigni
 
Cm1 secure code_training_1day_intro
Cm1 secure code_training_1day_introCm1 secure code_training_1day_intro
Cm1 secure code_training_1day_introdcervigni
 
Cm8 secure code_training_1day_security libraries
Cm8 secure code_training_1day_security librariesCm8 secure code_training_1day_security libraries
Cm8 secure code_training_1day_security librariesdcervigni
 
Cm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controlCm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controldcervigni
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingdcervigni
 
Cm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configurationCm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configurationdcervigni
 
Cm6 secure code_training_1day_file management
Cm6 secure code_training_1day_file managementCm6 secure code_training_1day_file management
Cm6 secure code_training_1day_file managementdcervigni
 
Cm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xssCm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xssdcervigni
 

Plus de dcervigni (9)

Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Cm1 secure code_training_1day_intro
Cm1 secure code_training_1day_introCm1 secure code_training_1day_intro
Cm1 secure code_training_1day_intro
 
Cm8 secure code_training_1day_security libraries
Cm8 secure code_training_1day_security librariesCm8 secure code_training_1day_security libraries
Cm8 secure code_training_1day_security libraries
 
Cm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controlCm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_control
 
Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and logging
 
Cm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configurationCm5 secure code_training_1day_system configuration
Cm5 secure code_training_1day_system configuration
 
Cm6 secure code_training_1day_file management
Cm6 secure code_training_1day_file managementCm6 secure code_training_1day_file management
Cm6 secure code_training_1day_file management
 
Cm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xssCm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xss
 

Dernier

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfayushiqss
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburgmasabamasaba
 

Dernier (20)

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 

JavaScript security and tools evolution at 2017 OWASP Taiwan Week

  • 1. OWASP Taiwan Day 2017 Client Side Security And Testing Tools (Evolution of) david.cervigni@mindedsecurity.com
  • 2. About me  10+ yeas of development  Software Security Enthusiast  Securing SDLC  Secure coding trainer/reviewer david.cervigni@mindedsecurity.com
  • 3. JS Security, topics: • Evolution of client technologies (security) • Why is always important • Why is always difficult • Techniques and tools to avoid vulnerabilities
  • 5. XSS is always dangerous! • XSRF protection bypass • Cookies/session stealing • Defacement • Password/credential stealing • Enumeration … Attacker OWNS our website, and still: Consequences:
  • 6. Anti XSS approaches: Classic: • Validation • Filtering • HTML Encoding • Encoding lib + Contextual Encoding • ? <div onclick="showError ('<%= Encoder.encodeForHtml(Encoder.encodeForJavaScript( request.getParameter("error")%>')))" > An error occurred ....</div> Requires: • Secure coding standards (enforced!) • Knowledge • Design (use the right libs) …still error prone!
  • 7. Anti XSS evolution: Contextual encoding templates: • Very strict • Hard to encode in nested contexts / double encoding
  • 8. Anti XSS evolution/2: Mitigations: • CPC: Content Security Policy • ECMAScript security features (e.g. strict mode) • Sandboxing JS (Google CAJA, sanitizer libraries) • Anti XSS browser features WAF Requires: • Secure Application Design • Third parties JS libraries compatibility? • Legacy systems? …still not fully secure (evasion)
  • 9. So…Problem Solved? Sources: https://snyk.io/blog/xss-attacks-the-next-wave/ https://nvd.nist.gov/vuln/detail/CVE-2017-1160 “DOM-Based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.[…]”
  • 11. *Source: https://2017.appsec.eu/slides-and-videos "Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets " XSS Mitigation bypass On: Angular (1.x), Polymer (1.x), React, jQuery, jQuery UI, jQuery Mobile, Vue, Aurelia, Underscore / Backbone, Knockout, Ember, Closure Library, Ractive.js, Dojo Toolkit, RequireJS, Bootstrap…
  • 12. • SPA: Single Page Applications • Mainly HTML & JavaScript (not anymore flash) • Frameworks: Angular, React… • Third party libraries (JQuery and others) • High degree of integration: portals/services Why is always more important?
  • 13. • Big codebases • JavaScript is not easy to read: manual review • Developing and Quality Assure for JavaScript and client components is DIFFICULT, time consuming and error prone. • Classic security tools use SCA (Static Code Analysis) that leads to : 1. Too many false positives 2. Too many false negatives Why is always more difficult?
  • 14. ❑ Sources: the input data that can be directly or indirectly controlled by an attacker. ❑ Filters: operations on Sources which change the content or check for specific structures/values. ❑ Sinks: potentially dangerous functions the can be abused to take advantage of some kind of exploitation. Code Flow and Taint analysis <script> var l = location.href; var user = l.substring(l.indexOf(“user”)); document.write(“Hello, ” + user); </script> Tainted Source Sink The process of following the tainted value from source to sink is known as Taint Propagation.
  • 15. Tools for JS Code analysis SCA, static code analysis: • Heavy • Difficult • Lower accuracy (false positives) • Adaptability (false negatives…needs custom rules) • Broad language support Dynamic code analysis/IAST: • Requires instrumentation • More accurate • Fuzzing capabilities! SDLC and Automation (CI)
  • 16. DOM XSS Wiki: http://code.google.com/p/domxsswiki/wiki/LocationSources Attacker controls all parts of a location except the victim hostname. path/to/page.ext/ PathInfo ?Query=String #Hash=valuehttp://hostname/ He can force a user to visit a forged url address.! Direct Input Sources: Location
  • 17. Cookie value could have been instantiated somewhere else and retrieved on another page. Its value can be accessed/modified with: ❑ document.cookie: <script> var cvalue = document.cookie; var cstart = cvalue.indexOf(“username="); cvalue = unescape(cvalue.substring(cstart+9, cstart+9+length)); alert(“Welcome ” + cvalue); </script> The attacker could force a malicious cookie value! Indirect Input Sources: Cookies
  • 19. Tools for JS Code analysis

Notes de l'éditeur

  1. From OWASP WEBSITE: IT shows howm many test we need to do on the client side, almost all of them are causes and consequences of Javascript Execution