Web Security
Stepan Suvorov
CTO @ Studytube
Masters in Information Security
Philippe de Ryck
Thank you for the inspiration!
Agenda
- What is security?
- Authorization
- SQL Injection
- XSS
- CSRF
- Project dependencies
- Content Security Policy
- HTTPS
SQL Injection
What is Security?
- Prevent vulnerabilities
- Access Management
Authentication vs Authorization
- Authorization is about checking if an entity has the proper privileges for an action
- Authentication is about verifying that an entity is who it claims to be
- Session management is the glue between authentication and authorization
Traditional Server-Side session-management
taken from pragmaticwebsecurity.com
Modern Client-Side session-management
taken from pragmaticwebsecurity.com
What's the best way?
3 Properties of Session-Management
- The locality
- The storage mechanism
- The transport mechanism
server-side vs client-side sessions
session identifiers vs self-contained JWT tokens
cookies vs localStorage vs SessionStorage
cookies vs authorization header
Server-Side vs Client-Side
Server-Side
- Results in stateful backend
- Gives server full control (invalidate)
- Id to server side Object
Client-Side
- stateless backend
- no control
- larger requests
- encoded session object on client side
Authorization based on JWT
JSON Web Token
Can you spot the security issue here?
import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs';
import { AuthService } from './auth.service'; // assumed path for the app's AuthService

@Injectable()
export class TokenInterceptor implements HttpInterceptor {
  constructor(public auth: AuthService) { }

  intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    // Clone every outgoing request and add the bearer token, whatever host it goes to
    request = request.clone({
      setHeaders: {
        Authorization: `Bearer ${this.auth.getToken()}`
      }
    });
    return next.handle(request);
  }
}
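The interceptor above sends the token with every request. As an added example (not code from the deck or from Angular), the helper below only attaches the Authorization header when the request's origin is the application's own API origin; API_ORIGIN, PAGE_ORIGIN and the function names are assumptions for this example.

```typescript
// Added example, not from the original deck: attach the bearer token only to
// requests that target the API origin the token was issued for.
// API_ORIGIN and PAGE_ORIGIN are constructed values for this example.
const API_ORIGIN = "https://api.example.com";
const PAGE_ORIGIN = "https://app.example.com"; // in a browser: location.origin

// True only when the request's origin (scheme + host + port) equals the API origin.
// Parsing with the URL class avoids string-prefix mistakes such as accepting
// "https://api.example.com.attacker.example" or a URL that merely contains the
// API origin in its query string.
function isApiRequest(
  requestUrl: string,
  apiOrigin: string = API_ORIGIN,
  pageOrigin: string = PAGE_ORIGIN
): boolean {
  try {
    // Relative URLs resolve against the page, exactly as the browser would do it
    return new URL(requestUrl, pageOrigin).origin === new URL(apiOrigin).origin;
  } catch {
    return false; // unparseable URL: never attach credentials
  }
}

// Builds the header map for a request; Authorization is added only for API calls.
function buildHeaders(
  requestUrl: string,
  token: string | null,
  existing: Record<string, string> = {}
): Record<string, string> {
  const headers: Record<string, string> = { ...existing };
  if (token && isApiRequest(requestUrl)) {
    headers["Authorization"] = `Bearer ${token}`;
  }
  return headers;
}

// In the interceptor from the slide, call buildHeaders(request.url, token) and
// only request.clone({ setHeaders }) when the result contains Authorization.
const demoToken = "constructed.jwt.value"; // constructed sample token
console.log(buildHeaders("https://api.example.com/me", demoToken));     // has Authorization
console.log(buildHeaders("https://cdn.example.com/lib.js", demoToken)); // no Authorization
```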
XSS
XSS
- Reflected
- Stored
- DOM-based
Reflected XSS
taken from pragmaticwebsecurity.com
Stored XSS
taken from pragmaticwebsecurity.com
Sanitization in practice
Don't even think about rolling your own sanitizer!
DOM-based XSS
taken from pragmaticwebsecurity.com
// Reads the "user" query parameter and inserts it into the page as raw HTML
var url = new URL(location.href)
  .searchParams.get("user");
$('#form')
  .append('<input type="hidden" value="' + url + '">');
https://...?user=https://example.com"/><script>console.log(1)</script>
<form id="form">
  <input type="hidden"
    value="https://example.com"/><script>console.log(1)</script>
</form>
How can you bypass XSS filters?
$save_text = str_replace('script', 'span', $text);
<ScRiPt>/* bad code here*/ </ScRiPt>
<input type="image" src="javascript:/* ... */;">
<img src="no.png" onerror="/* bad code here */">
Angular against XSS
Sanitization out of box:
- HTML
- Styles
- Url
- Resource Url
bypassSecurityTrust*
- Angular controls the data in the template
- Data is always escaped for the right context
- HTML-bound data is sanitized by Angular
Are we safe now?
and what about
Template Injection?!
- never mix Angular with other dynamic page generation techniques
- use AoT
CSRF
CSRF
taken from pragmaticwebsecurity.com
The essence of CSRF
- CSRF exists because the browser handles cookies very liberally
- Many applications are unaware that any browsing context can send requests
- None of the cookie security measures covered so far helps here
The password cannot be updated by using this method.
However, the information that’s needed to reset the password can.
What to do against CSRF
taken from pragmaticwebsecurity.com
SameSite Cookie
Dependencies
88.45% of the Alexa top 10,000 web sites "included at least one remote JavaScript library"
Why is this remote JavaScript a problem?
Are you loading something from CDN?
taken from pragmaticwebsecurity.com
What to do?
Subresource Integrity
- Integrity attribute can be added to script or stylesheet
- When loading the resource browser first verifies the hash
- The properties of the hash function ensure the security of this mechanism
taken from pragmaticwebsecurity.com
Do you know all your project dependencies?
True story
npm audit
npm install angularcli
Content Security Policy
What does CSP do?
Report Only Mode
HTTPS
SSL vs TLS
What are the objections to using HTTPS?
How can we get people to use the HTTPS version of the site?
Redirect
taken from pragmaticwebsecurity.com
But
95% of HTTPS servers vulnerable to trivial MITM attack
taken from pragmaticwebsecurity.com
HSTS
taken from pragmaticwebsecurity.com
Bonus
With great power comes great responsibility
Thank you for your attention.
Stepan Suvorov
Questions?
Thank you for your attention.
DevDays Europe 2019 - Web Security
By Stepan Suvorov