Lightweight Integrity Protection for Web Storage-driven Content Caching OWASP The OWASP Foundation. Sebastian Lekies and Martin Johns

Similar documents
Relax Everybody: HTML5 Is Securer Than You Think

A Tale of the Weaknesses of Current Client-Side XSS Filtering

HTML5. Eoin Keary CTO BCC Risk Advisory.

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Criteria for web application security check. Version

HTTPParameter Pollution. ChrysostomosDaniel

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Cross-Site Scripting

Magento Security and Vulnerabilities. Roman Stepanov

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Developing ASP.NET MVC 4 Web Applications MOC 20486

A Tale of the Weaknesses of Current Client-side XSS Filtering

JVA-122. Secure Java Web Development

What is Web Security? Motivation

Sitefinity Security and Best Practices

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Hack Proof Your Webapps

Protection, Usability and Improvements in Reflected XSS Filters

Gateway Apps - Security Summary SECURITY SUMMARY

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

APPLICATION SECURITY AND ITS IMPORTANCE

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011

Network Security Web Security

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Web Application Security

Developing ASP.NET MVC 4 Web Applications

Web-Application Security

Web Application Security

Performance Testing for Ajax Applications

Web Application Guidelines

Secure development and the SDLC. Presented By Jerry

Where every interaction matters.

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Project 2: Web Security Pitfalls

Cross Site Scripting in Joomla Acajoom Component

The Risks of Client-Side Data Storage From cookie to database

Developing ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Check list for web developers

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Web Application Security Assessment and Vulnerability Mitigation Tests

25 Million Flows Later Large- scale Detec6on of DOM- based XSS. Published at ACM CCS 2013 Sebas5an Lekies, Ben Stock, Mar6n Johns

Web Application Security

Intrusion detection for web applications

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Dashlane Security Whitepaper

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

The only False Positive Free. Web Application Security Scanner

Webapps Vulnerability Report

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Practical Exploitation Using A Malicious Service Set Identifier (SSID)

Columbia University Web Security Standards and Practices. Objective and Scope

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Application security testing: Protecting your application and data

Recommended Practice Case Study: Cross-Site Scripting. February 2007

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Security features of ZK Framework

Complete Cross-site Scripting Walkthrough

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

elearning for Secure Application Development

Cross-site site Scripting Attacks on Android WebView

DANNY ALLAN, STRATEGIC RESEARCH ANALYST. A whitepaper from Watchfire

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

OWASP TOP 10 ILIA

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Using Foundstone CookieDigger to Analyze Web Session Management

Cyber Security Challenge Australia 2014

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

CS 558 Internet Systems and Technologies

Summary of the SEED Labs For Authors and Publishers

Client Side Filter Enhancement using Web Proxy

The Dark Side of Ajax. Jacob West Fortify Software

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

XML Processing and Web Services. Chapter 17

Enterprise Application Security Workshop Series

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Data Breaches and Web Servers: The Giant Sucking Sound

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Adobe Systems Incorporated

A tale of the weaknesses of current client-side XSS filtering

Precise client-side protection against DOM-based Cross-Site Scripting

Web application security

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Web Application Attacks And WAF Evasion

Detection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

Cross Site Scripting Prevention

Deciphering and Mitigating Blackhole Spam from -borne Threats

Transcription:

Lightweight Integrity Protection for Web Storage-driven Content Caching Sebastian Lekies and Martin Johns OWASP 07.11.2012 SAP Research / WebSand Project martin.johns@owasp.org Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

Agenda Technical Background Context What is Web Storage Use Cases for Web Storage Attacks Insecure Usage Attack Scenarios Survey Research Questions Results Countermeasure Implementation Evaluation 2012 SAP AG. All rights reserved. 2

Technical Background Context Server http://a.net Database Classical Web Applications Not able to keep client-side state State is kept on the server side Browser http://a.net Ø New use cases require client-side Storage Ø Web Storage API introduced by HTML5 Client Web Storage 2012 SAP AG. All rights reserved. 3

Technical Background What is Web Storage? Web Storage is a mechanism that allows a piece of JavaScript to store structured data within the user s browser (on the client-side). Ø Web Storage consists of three APIs Local Storage Session Storage Global Storage (deprecated) Other new client-side storage technologies exist IndexedDB Web SQL Databases File API Scope of this Presentation is limited to Local Storage, however our findings apply for all client-side storage technologies 2012 SAP AG. All rights reserved. 4

Technical Background What is Web Storage? <script> //Set Item localstorage.setitem("foo","bar");... //Get Item var testvar = localstorage.getitem("foo");... //Remove Item localstorage.removeitem("foo"); </script> Access to Web Storage API is restricted by the Same-Origin Policy Each origin receives its own, separated storage area Origin is defined by http://www.example.org:8080/some/webpage.html protocol host port 2012 SAP AG. All rights reserved. 5

Technical Background Use Cases for Web Storage Client-side state-keeping E.g. for HTML5 offline applications Store state within Local Storage and synchronize state when online Using Web Storage for controlled caching Current caching mechanism only allow storage of full HTTP responses n Transparent to the application and hence out of control Web Storage is useful when n n only sub-parts of HTML documents needs to be cached e.g. scripts close control is needed by the application Especially important in mobile environments 2012 SAP AG. All rights reserved. 6

Attacks Insecure Usage Observation: Web sites tend to cache content that will be executed later on HTML-Fragments JavaScript code CSS style declarations <script> var content = localstorage.getitem( code ) if(content == undefined){ content = fetchandcachecontentfromserver( code ); } eval(content); </script> 2012 SAP AG. All rights reserved. 7

Attacks Insecure Usage First thought (WebApp Sec Pavlovian reaction): XSS!!!11! If the attacker can control the content of the Web storage, he can execute JavaScript!!! Second thought: This behavior is safe Web storage can only be accessed by same-origin resources So you need JS execution to cause JS execution Third thought: What if an attacker is able to circumvent this protection? Persistence: This is a persistent attack scenario Even if the causing vulnerability has been resolved in the meantime Client-side: Attack payload exists purely in the compromised browser Invisible from the server-based point-of-view WebApp rootkit 2012 SAP AG. All rights reserved. 8

Attacks Attack scenarios: Cross-Site Scripting Scenario: Reflected XSS problem somewhere in the site Vulnerability that does not necessarily require an authenticated context / session Attacker can exploit this vulnerability while the user is interacting with an unrelated web site E.g., a hidden iframe pointing to the vulnerable application During this attack, the malicious payload is persisted in the user s browser The payload now waits to be executed the next time the victim visits the application This effectively promotes a reflected unauthenticated XSS into a stored authenticated XSS Hence, the consequences are much more severe Furthermore, the payload resides a prolonged time in the victim s browser Invisible for the server 2012 SAP AG. All rights reserved. 9

Attacks Attack scenarios: Untrustworthy Network http://unrelated-website.com http://mybank.org Untrustworthy Network Javascript mybank.org Trustworthy Network User 2012 SAP AG. All rights reserved. 10

Attacks Attack scenarios: Shared Browser Server http://mybank.org Client Browser http://mybank.org javascript:localstorage.s Welcome to mybank.org malicious user victim 2012 SAP AG. All rights reserved. 11

Survey Methodology Scope Crawl of the Alexa Top 500,000 Web sites Research Questions 1. Penetration: 2.How many Web sites utilize Web Storage? 3.What kinds of storage APIs are used(local-, Session- or GlobalStorage)? 4.Does a relation exist between the popularity of a Web site and the usage of Web Storage? 5. Security: 6.How many Web sites utilize Web Storage for storing code fragments? 7.How many Web Sites utilize Web Storage in a secure/insecure fashion? 2012 SAP AG. All rights reserved. 12

Survey Results Penetration Usage of Web Storage 2012 SAP AG. All rights reserved. 13

Survey Results Penetration 2012 SAP AG. All rights reserved. 14

Survey Results Security Categorization Problematic: Code that is very likely executed by the Web site (e.g. HTML, Javascript, CSS) Suspicious: Code that could potentially be executed. (e.g. JSON data: Secure parsing via JSON.parse or insecure execution via eval) Unproblematic: Content that is unlikely being executed. (e.g. numbers, alphanumeric strings, empty values) Methodology Prefiltering: Values not containing <, >, {, } were marked unproblematic Manual categorization of the remaining items. 2012 SAP AG. All rights reserved. 15

Survey Results Security An additional interesting attack vector 68 entries of the JSON without code category contained URLs to Javascript or CSS files Manual inspection revealed that those URLs were used to fetch additional content Manipulation of these URLs leads to code execution capabilities Hence these entries were also marked as problematic 2012 SAP AG. All rights reserved. 16

Countermeasure Problem Anti-XSS techniques such as output encoding do not work This would make cached code unusable This would not help against the URL attacks Alternative Verify that values from Web Storage originate from your application and that integrity is guaranteed 2012 SAP AG. All rights reserved. 17

Countermeasure Implementation http://a.net Server code + Checksum Browser http://a.net Client OutputEncode( ) == Checksum Non-code value Web Storage 2012 SAP AG. All rights reserved. 18

Countermeasure Implementation: JavaScript Library: <script type= text/javascript src=./webstoragewrapper.js > Transparent to the applications by utilizing function wrapping techniques: var wrapper = new StorageWrapper(); Object.defineProperty(window, "localstorage, {value: wrapper}); //Get Item Usage var testvar of the = localstorage.getitem("foo"); wrapper is identical the original object 2012 SAP AG. All rights reserved. 19

Countermeasure Evaluation Performance Two performance critical steps: Transfer of our library to the client Calculation of checksums on the client-side Transfer of our Library Size of the library 563 bytes (packed) + 1731 for SHA256 = 2,294 bytes in total Average size of the 2,084 code fragments: ~76,000 bytes Hashing library not necessary in future (with the JS Crypto API available) Calculation of checksums For collision free checksums we chose SHA256 as a hashing algorithm To evaluate hashing performance we used the 2,084 code values from our survey 2012 SAP AG. All rights reserved. 20

Conclusion Web Storage is a client-side storage mechanism that is used for Client-side state keeping Content caching Caching code within Web Storage is a dangerous practice Enables second order attacks Used in practice Usage is likely to increase Traditional Anti-XSS mechanisms are not applicable for cached code Would make cached code unusable We proposed a lightweight integrity preserving mechanism for Web Storage Enables secure usage of Web Storage Preserves benefits Only implies very small overhead 2012 SAP AG. All rights reserved. 21

Thank you Contact information: Martin Johns martin.johns@sap.com http://martinjohns.com @datenkeller 2012 SAP AG. All rights reserved. 22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information