
Protecting Java EE Web Apps with Secure HTTP Headers
JavaOne 2012

About
Frank Kim
Consultant, ThinkSec
Author, SANS Secure Coding in Java
SANS Application Security Curriculum Lead

Shout out
Thanks to Jason Lam who co-authored these slides

JavaOne Rock Star
Outline
XSS
Session Hijacking
Clickjacking
Wrap up

Cross-Site Scripting (XSS)
Occurs when unvalidated data is rendered in the browser
Types of XSS
Reflected
Stored
Document Object Model (DOM) based

XSS Demo
HttpOnly Flag
Ensures that the cookie cannot be accessed via client side scripts (e.g. JavaScript)
Set by default for the JSESSIONID in Tomcat 7
Configure in web.xml as of Servlet 3.0
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
Programmatically
String cookie = "mycookie=test; Secure; HttpOnly";
response.addHeader("Set-Cookie", cookie);
X-XSS-Protection
Blocks common reflected XSS
Enabled by default in IE, Safari, Chrome
Not supported by Firefox
Bug 328661 open to address
X-XSS-Protection: 1
Browser modifies the response to block XSS
X-XSS-Protection: 0
Disables the XSS filter
X-XSS-Protection: 1; mode=block
Prevents rendering of the page entirely

Java Code
X-XSS-Protection: 1
response.addHeader("X-XSS-Protection", "1");
X-XSS-Protection: 0
response.addHeader("X-XSS-Protection", "0");
X-XSS-Protection: 1; mode=block
response.addHeader("X-XSS-Protection", "1; mode=block");

X-XSS-Protection Demo
Content Security Policy
Helps mitigate reflected XSS
Originally developed by Mozilla
Currently a W3C draft
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
Supported browsers
Firefox and IE 10 using X-Content-Security-Policy
Chrome and Safari using X-WebKit-CSP header

CSP Requirements
No inline scripts
Can't put code in <script> blocks
Can't do inline event handlers like <a onclick="javascript">
No inline styles
Can't write styles inline

CSP Directives
default-src
script-src
object-src
style-src
img-src
media-src
frame-src
font-src
connect-src

CSP Examples
1) Only load resources from the same origin
X-Content-Security-Policy: default-src 'self'
2) Example from mikewest.org
x-content-security-policy:
  default-src 'none';
  style-src https://mikewestdotorg.hasacdn.net;
  frame-src https://www.youtube.com http://www.slideshare.net;
  script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com;
  img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:;
  font-src https://mikewestdotorg.hasacdn.net

Report Only
Facebook Example
x-content-security-policy-report-only:
  allow *;
  script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*;
  options inline-script eval-script;
  report-uri https://www.facebook.com/csp.php

Content Security Policy Demo
Outline
XSS
Session Hijacking
Clickjacking
Wrap up

Session Hijacking
[Diagram: Victim, Attacker, Public WiFi Network, Internet, mybank.com]
1) Victim goes to mybank.com via HTTP
2) Attacker sniffs the public WiFi network and steals the JSESSIONID
3) Attacker uses the stolen JSESSIONID to access the victim's session
Secure Flag
Ensures that the cookie is only sent via SSL
Configure in web.xml as of Servlet 3.0
<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
Programmatically
Cookie cookie = new Cookie("mycookie", "test");
cookie.setSecure(true);

Strict-Transport-Security
Tells browser to only talk to the server via HTTPS
First time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
Subsequent requests to HTTP automatically use HTTPS
Supported browsers
Implemented in Firefox and Chrome
Currently an IETF draft

Strict-Transport-Security: max-age=seconds [; includeSubdomains]

Outline
XSS
Session Hijacking
Clickjacking
Wrap up
Clickjacking
Tricks the user into clicking a hidden button
User has no idea the button was clicked
Works by concealing the target site
Victim site placed in an invisible iframe
Attacker site overlays the victim site
Image source: http://seclab.stanford.edu/websec/framebusting/framebust.pdf

Clickjacking Demo

Clickjacking Code
Put the victim in an invisible iframe

<iframe id="attacker" width=1000 height=400
  src="http://victim" style="opacity:0.0;
  position:absolute;left:10;bottom:100">
</iframe>
Adobe Flash Example
Clickjacking discovered by Jeremiah Grossman & Robert "RSnake" Hansen
Showed how to use Flash to spy on users
Use Clickjacking to trick users into enabling the mic and camera via Flash

Facebook Example
The "best passport application rejection in history" became popular on Facebook
Facebook Like Code
<div style="overflow:hidden; width:10px; height:12px;
  filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity:
  0.0; opacity:0.0; position:absolute;" id="icontainer">

<iframe src="http://www.facebook.com/plugins/like.php?
  href=http://credittreport.info/the-best-passport-
  application-rejection-in-history.html&amp;
  layout=standard&amp;show_faces=false&amp;width=450&amp;act
  ion=like&amp;font=tahoma&amp;colorscheme=light&amp;height=
  80" scrolling="no" frameborder="0" style="border:none;
  overflow:hidden;width:50px; height:23px;"
  allowTransparency="true" id="likee" name="likee">
</iframe>

</div>
Source: https://isc.sans.edu/diary.html?storyid=8893
Like Button Demo

Like Button Code
var like = document.createElement('iframe');

...

// IE is a browser-detection flag set elsewhere in the original source
var tempX = 0, tempY = 0;

function mouseMove(e) {
  if (IE) {
    // IE exposes the cursor position through the global event object
    tempX = event.clientX + document.body.scrollLeft;
    tempY = event.clientY + document.body.scrollTop;
  } else {
    tempX = e.pageX;
    tempY = e.pageY;
  }

  if (tempX < 0) tempX = 0;
  if (tempY < 0) tempY = 0;

  // keep the invisible Like iframe positioned under the cursor
  like.style.top = (tempY - 8) + 'px';
  like.style.left = (tempX - 25) + 'px';

  return true;
}
Source: http://erickerr.com/like-clickjacking

Like button moves with cursor
Why Likejacking?
Send victims to evil sites with malware
Trick users into signing up for unwanted subscription services
Drive traffic to sites to increase ad revenue
Adscend Media
Alleged to have made up to $1.2 million per month via Clickjacking
Facebook and Washington State filed lawsuits against them in January 2012
How to Fix?
Use X-Frame-Options
HTTP Response Header supported by all recent browsers
Three options
DENY
Prevents any site from framing the page
SAMEORIGIN
Allows framing only from the same origin
ALLOW-FROM origin
Allows framing only from the specified origin
Only supported by IE (based on my testing)
Firefox Bug 690168 - "This was an unintentional oversight"

Java Code
DENY
response.addHeader("X-Frame-Options", "DENY");

SAMEORIGIN
response.addHeader("X-Frame-Options", "SAMEORIGIN");

ALLOW-FROM
String value = "ALLOW-FROM http://www.trustedsite.com:8080";
response.addHeader("X-Frame-Options", value);

X-Frame-Options Demo
Using X-Frame-Options
You might not want to use it for the entire site
Prevents legitimate framing of your site (i.e. Google Image Search)
For sensitive transactions
Use SAMEORIGIN
And test thoroughly
If the page should never be framed
Then use DENY
Frame Busting Code
What about older browsers that don't support X-Frame-Options?
JavaScript code like this is commonly used
if (top != self)
  top.location = self.location;
Not foolproof
Various techniques can be used to bypass frame busting code

Some Anti-Frame Busting Techniques
IE <iframe security=restricted>
Disables JavaScript within the iframe
onBeforeUnload - 204 Flushing
Repeatedly send a 204 (No Content) response so the onBeforeUnload handler gets canceled
Browser XSS Filters
Chrome XSSAuditor filter cancels inline scripts if they are also found as a parameter
<iframe src="http://www.victim.com/?v=if(top+!%3D
+self)+%7B+top.location%3Dself.location%3B+%7D">
Outline
XSS
Session Hijacking
Clickjacking
Wrap up

Summary
Use the following HTTP Response Headers
- Set-Cookie HttpOnly
- X-XSS-Protection: 1; mode=block
- Set-Cookie Secure
- Strict-Transport-Security
- X-Frame-Options: SAMEORIGIN
Plan to use the following
- Content Security Policy
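An added example, not code from the slides: one Servlet 3.0 filter that emits the response headers from this summary (and the CSP, HSTS and X-Frame-Options slides) on every response, while the HttpOnly and Secure cookie flags stay in web.xml as shown earlier. The /login and /transfer paths, the /csp-report URI and the one-year max-age are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.annotation.WebFilter;

// Added example, not from the slides: applies the summary's headers to all responses.
// Paths, report-uri and max-age below are assumed values, not from the deck.
@WebFilter("/*")
public class SecureHeadersFilter implements Filter {

    // Report-only first, so violations are reported rather than enforced during rollout.
    private static final String CSP = "default-src 'self'; report-uri /csp-report";
    // One year in seconds; browsers ignore HSTS unless it arrives over HTTPS.
    private static final String HSTS = "max-age=31536000; includeSubdomains";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set headers before the chain runs, so they are on the response
        // before any servlet or JSP starts writing (and committing) the body.
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // DENY for pages that must never be framed, SAMEORIGIN everywhere else
        // (assumed paths: /login and /transfer).
        String path = request.getServletPath();
        boolean neverFramed = path.startsWith("/login") || path.startsWith("/transfer");
        response.setHeader("X-Frame-Options", neverFramed ? "DENY" : "SAMEORIGIN");

        // Both prefixed header names the slides list, so Firefox/IE 10 and
        // Chrome/Safari each pick up the policy.
        response.setHeader("X-Content-Security-Policy-Report-Only", CSP);
        response.setHeader("X-WebKit-CSP-Report-Only", CSP);

        // Only send Strict-Transport-Security on HTTPS responses.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security", HSTS);
        }

        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

setHeader (rather than addHeader) is used so a servlet further down the chain cannot accidentally emit a second, weaker copy of the same header.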
Frank Kim
frank@thinksec.com
@thinksec @sansappsec

References
Content Security Policy
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
http://seclab.stanford.edu/websec/framebusting/framebust.pdf
Like Clickjacking
http://erickerr.com/like-clickjacking
Clickjacking Attacks on Facebook's Like Plugin
https://isc.sans.edu/diary.html?storyid=8893
Lessons from Facebook's Security Bug Bounty Program
https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/
Google+ Gets a "+1" for Browser Security
http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/