Abstract image of a woman sitting on books and studying on a laptop

JavaScript security and tools evolution at 2017 OWASP Taiwan Week

Download as PPTX, PDF
D
dcervigni

The document discusses the evolution of client-side security, specifically focusing on vulnerabilities such as XSS and the necessity for secure coding standards. It highlights challenges posed by modern JavaScript frameworks and the inadequacy of traditional security tools for analyzing complex JavaScript code. The document emphasizes the importance of implementing sophisticated coding techniques and dynamic analysis for effective security in a rapidly evolving landscape.

Software
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
OWASP Taiwan Day 2017 Client Side Security And Testing Tools (Evolution of) david.cervigni@mindedsecurity.com
About me  10+ yeas of development  Software Security Enthusiast  Securing SDLC  Secure coding trainer/reviewer david.cervigni@mindedsecurity.com
JS Security, topics: • Evolution of client technologies (security) • Why is always important • Why is always difficult • Techniques and tools to avoid vulnerabilities
Client security is vast
XSS is always dangerous! • XSRF protection bypass • Cookies/session stealing • Defacement • Password/credential stealing • Enumeration … Attacker OWNS our website, and still: Consequences:
Anti XSS approaches: Classic: • Validation • Filtering • HTML Encoding • Encoding lib + Contextual Encoding • ? <div onclick="showError ('<%= Encoder.encodeForHtml(Encoder.encodeForJavaScript( request.getParameter("error")%>')))" > An error occurred ....</div> Requires: • Secure coding standards (enforced!) • Knowledge • Design (use the right libs) …still error prone!
Anti XSS evolution: Contextual encoding templates: • Very strict • Hard to encode in nested contexts / double encoding
Anti XSS evolution/2: Mitigations: • CPC: Content Security Policy • ECMAScript security features (e.g. strict mode) • Sandboxing JS (Google CAJA, sanitizer libraries) • Anti XSS browser features WAF Requires: • Secure Application Design • Third parties JS libraries compatibility? • Legacy systems? …still not fully secure (evasion)
So…Problem Solved? Sources: https://snyk.io/blog/xss-attacks-the-next-wave/ https://nvd.nist.gov/vuln/detail/CVE-2017-1160 “DOM-Based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.[…]”
New challenges: Modern JS frameworks:
*Source: https://2017.appsec.eu/slides-and-videos "Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets " XSS Mitigation bypass On: Angular (1.x), Polymer (1.x), React, jQuery, jQuery UI, jQuery Mobile, Vue, Aurelia, Underscore / Backbone, Knockout, Ember, Closure Library, Ractive.js, Dojo Toolkit, RequireJS, Bootstrap…
• SPA: Single Page Applications • Mainly HTML & JavaScript (not anymore flash) • Frameworks: Angular, React… • Third party libraries (JQuery and others) • High degree of integration: portals/services Why is always more important?
• Big codebases • JavaScript is not easy to read: manual review • Developing and Quality Assure for JavaScript and client components is DIFFICULT, time consuming and error prone. • Classic security tools use SCA (Static Code Analysis) that leads to : 1. Too many false positives 2. Too many false negatives Why is always more difficult?
❑ Sources: the input data that can be directly or indirectly controlled by an attacker. ❑ Filters: operations on Sources which change the content or check for specific structures/values. ❑ Sinks: potentially dangerous functions the can be abused to take advantage of some kind of exploitation. Code Flow and Taint analysis <script> var l = location.href; var user = l.substring(l.indexOf(“user”)); document.write(“Hello, ” + user); </script> Tainted Source Sink The process of following the tainted value from source to sink is known as Taint Propagation.
Tools for JS Code analysis SCA, static code analysis: • Heavy • Difficult • Lower accuracy (false positives) • Adaptability (false negatives…needs custom rules) • Broad language support Dynamic code analysis/IAST: • Requires instrumentation • More accurate • Fuzzing capabilities! SDLC and Automation (CI)
DOM XSS Wiki: http://code.google.com/p/domxsswiki/wiki/LocationSources Attacker controls all parts of a location except the victim hostname. path/to/page.ext/ PathInfo ?Query=String #Hash=valuehttp://hostname/ He can force a user to visit a forged url address.! Direct Input Sources: Location
Cookie value could have been instantiated somewhere else and retrieved on another page. Its value can be accessed/modified with: ❑ document.cookie: <script> var cvalue = document.cookie; var cstart = cvalue.indexOf(“username="); cvalue = unescape(cvalue.substring(cstart+9, cstart+9+length)); alert(“Welcome ” + cvalue); </script> The attacker could force a malicious cookie value! Indirect Input Sources: Cookies
DEMO, Q/A, THANKS! AND NOW…
Tools for JS Code analysis

More Related Content

PPTX
Cloud Security vs Security in the Cloud
Tjylen Veselyj
 
PDF
Devbeat Conference - Developer First Security
Michael Coates
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PDF
Real World Application Threat Modelling By Example
NCC Group
 
PDF
Finacle - Secure Coding Practices
Infosys Finacle
 
PDF
Scalable threat modelling with risk patterns
Stephen de Vries
 
PPTX
DevSecCon Talk: An experiment in agile Threat Modelling
zeroXten
 
PPTX
Web Application Security 101
Jannis Kirschner
 
Cloud Security vs Security in the Cloud
Tjylen Veselyj
 
Devbeat Conference - Developer First Security
Michael Coates
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Real World Application Threat Modelling By Example
NCC Group
 
Finacle - Secure Coding Practices
Infosys Finacle
 
Scalable threat modelling with risk patterns
Stephen de Vries
 
DevSecCon Talk: An experiment in agile Threat Modelling
zeroXten
 
Web Application Security 101
Jannis Kirschner
 

What's hot (19)

PPTX
Application Security-Understanding The Horizon
Lalit Kale
 
PPTX
2013 michael coates-javaone
Michael Coates
 
PPTX
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Security Innovation
 
PPTX
Secure programming language basis
Ankita Bhalla
 
PDF
[OPD 2019] Life after pentest
OWASP
 
PDF
Domain Driven Security at Internetdagarna-2014
Dan BerghJohnsson
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PDF
[OWASP Poland Day] Security knowledge framework
OWASP
 
PPTX
Cyber ppt
karthik menon
 
PPTX
Self Defending Applications
Michael Coates
 
ODP
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
PDF
we45 - Web Application Security Testing Case Study
we45
 
PPTX
Security in an Interconnected and Complex World of Software
Michael Coates
 
PDF
Stories from the Security Operations Center
Alert Logic
 
PDF
Testing Web Application Security
Ted Husted
 
PDF
AJAX Security - LAC2016
Julia Logan a.k.a. IrishWonder
 
PDF
Application Security Workshop
Priyanka Aash
 
Application Security-Understanding The Horizon
Lalit Kale
 
2013 michael coates-javaone
Michael Coates
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Nazar Tymoshyk, CEH, Ph.D.
 
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Security Innovation
 
Secure programming language basis
Ankita Bhalla
 
[OPD 2019] Life after pentest
OWASP
 
Domain Driven Security at Internetdagarna-2014
Dan BerghJohnsson
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
[OWASP Poland Day] Security knowledge framework
OWASP
 
Cyber ppt
karthik menon
 
Self Defending Applications
Michael Coates
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
we45 - Web Application Security Testing Case Study
we45
 
Security in an Interconnected and Complex World of Software
Michael Coates
 
Stories from the Security Operations Center
Alert Logic
 
Testing Web Application Security
Ted Husted
 
AJAX Security - LAC2016
Julia Logan a.k.a. IrishWonder
 
Application Security Workshop
Priyanka Aash
 
Ad

Similar to JavaScript security and tools evolution at 2017 OWASP Taiwan Week (20)

PPTX
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
PPT
Code Quality - Security
sedukull
 
PDF
The Principles of Secure Development - BSides Las Vegas 2009
Security Ninja
 
PPTX
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
AppSec in an Agile World
David Lindner
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PPTX
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
PDF
Making DevSecOps a Reality in your Spring Applications
Hdiv Security
 
PPTX
DevBeat 2013 - Developer-first Security
Coverity
 
PPTX
Static Code Analysis
Obika Gellineau
 
PPS
Security testing
Tabăra de Testare
 
PDF
Web hackingtools 2015
devObjective
 
PDF
Web hackingtools 2015
ColdFusionConference
 
PPTX
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
PPTX
Security for developers
Abdelrhman Shawky
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PPTX
Spa Secure Coding Guide
Geoffrey Vandiest
 
PPTX
Altitude SF 2017: Security at the edge
Fastly
 
PDF
Web hackingtools cf-summit2014
ColdFusionConference
 
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
Code Quality - Security
sedukull
 
The Principles of Secure Development - BSides Las Vegas 2009
Security Ninja
 
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
AppSec in an Agile World
David Lindner
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
Making DevSecOps a Reality in your Spring Applications
Hdiv Security
 
DevBeat 2013 - Developer-first Security
Coverity
 
Static Code Analysis
Obika Gellineau
 
Security testing
Tabăra de Testare
 
Web hackingtools 2015
devObjective
 
Web hackingtools 2015
ColdFusionConference
 
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
Security for developers
Abdelrhman Shawky
 
00. introduction to app sec v3
Eoin Keary
 
Spa Secure Coding Guide
Geoffrey Vandiest
 
Altitude SF 2017: Security at the edge
Fastly
 
Web hackingtools cf-summit2014
ColdFusionConference
 
Ad

More from dcervigni (9)

PPTX
Cm9 secure code_training_1day_input sanitization
dcervigni
 
PPTX
Cm2 secure code_training_1day_data_protection
dcervigni
 
PPTX
Cm1 secure code_training_1day_intro
dcervigni
 
PPTX
Cm8 secure code_training_1day_security libraries
dcervigni
 
PPTX
Cm3 secure code_training_1day_access_control
dcervigni
 
PPTX
Cm4 secure code_training_1day_error handling and logging
dcervigni
 
PPTX
Cm5 secure code_training_1day_system configuration
dcervigni
 
PPTX
Cm6 secure code_training_1day_file management
dcervigni
 
PPTX
Cm7 secure code_training_1day_xss
dcervigni
 
Cm9 secure code_training_1day_input sanitization
dcervigni
 
Cm2 secure code_training_1day_data_protection
dcervigni
 
Cm1 secure code_training_1day_intro
dcervigni
 
Cm8 secure code_training_1day_security libraries
dcervigni
 
Cm3 secure code_training_1day_access_control
dcervigni
 
Cm4 secure code_training_1day_error handling and logging
dcervigni
 
Cm5 secure code_training_1day_system configuration
dcervigni
 
Cm6 secure code_training_1day_file management
dcervigni
 
Cm7 secure code_training_1day_xss
dcervigni
 

Recently uploaded (20)

PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
PDF
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
PDF
Website Design Services for Small Businesses.pdf
ecomme9
 
PPTX
CNN LeNet5 Architecture: Neural Networks
DrRPonnusamyCIT
 
PDF
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
PPTX
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
PPTX
Computer Software - Technology and Livelihood Education
ShielaGuevarra6
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
PDF
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
PPTX
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PDF
Types of Token_ From Utility to Security.pdf
Herond Labs
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
Website Design Services for Small Businesses.pdf
ecomme9
 
CNN LeNet5 Architecture: Neural Networks
DrRPonnusamyCIT
 
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
assetexplorer- product-overview - presentation
nonameist3434
 
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
Computer Software - Technology and Livelihood Education
ShielaGuevarra6
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
AI/ML Infra Meetup | LLM Agents and Implementation Challenges
Alluxio, Inc.
 
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Types of Token_ From Utility to Security.pdf
Herond Labs
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 

JavaScript security and tools evolution at 2017 OWASP Taiwan Week

  • 1. OWASP Taiwan Day 2017 Client Side Security And Testing Tools (Evolution of) david.cervigni@mindedsecurity.com
  • 2. About me  10+ yeas of development  Software Security Enthusiast  Securing SDLC  Secure coding trainer/reviewer david.cervigni@mindedsecurity.com
  • 3. JS Security, topics: • Evolution of client technologies (security) • Why is always important • Why is always difficult • Techniques and tools to avoid vulnerabilities
  • 5. XSS is always dangerous! • XSRF protection bypass • Cookies/session stealing • Defacement • Password/credential stealing • Enumeration … Attacker OWNS our website, and still: Consequences:
  • 6. Anti XSS approaches: Classic: • Validation • Filtering • HTML Encoding • Encoding lib + Contextual Encoding • ? <div onclick="showError ('<%= Encoder.encodeForHtml(Encoder.encodeForJavaScript( request.getParameter("error")%>')))" > An error occurred ....</div> Requires: • Secure coding standards (enforced!) • Knowledge • Design (use the right libs) …still error prone!
  • 7. Anti XSS evolution: Contextual encoding templates: • Very strict • Hard to encode in nested contexts / double encoding
  • 8. Anti XSS evolution/2: Mitigations: • CPC: Content Security Policy • ECMAScript security features (e.g. strict mode) • Sandboxing JS (Google CAJA, sanitizer libraries) • Anti XSS browser features WAF Requires: • Secure Application Design • Third parties JS libraries compatibility? • Legacy systems? …still not fully secure (evasion)
  • 11. *Source: https://2017.appsec.eu/slides-and-videos "Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets " XSS Mitigation bypass On: Angular (1.x), Polymer (1.x), React, jQuery, jQuery UI, jQuery Mobile, Vue, Aurelia, Underscore / Backbone, Knockout, Ember, Closure Library, Ractive.js, Dojo Toolkit, RequireJS, Bootstrap…
  • 12. • SPA: Single Page Applications • Mainly HTML & JavaScript (not anymore flash) • Frameworks: Angular, React… • Third party libraries (JQuery and others) • High degree of integration: portals/services Why is always more important?
  • 13. • Big codebases • JavaScript is not easy to read: manual review • Developing and Quality Assure for JavaScript and client components is DIFFICULT, time consuming and error prone. • Classic security tools use SCA (Static Code Analysis) that leads to : 1. Too many false positives 2. Too many false negatives Why is always more difficult?
  • 14. ❑ Sources: the input data that can be directly or indirectly controlled by an attacker. ❑ Filters: operations on Sources which change the content or check for specific structures/values. ❑ Sinks: potentially dangerous functions the can be abused to take advantage of some kind of exploitation. Code Flow and Taint analysis <script> var l = location.href; var user = l.substring(l.indexOf(“user”)); document.write(“Hello, ” + user); </script> Tainted Source Sink The process of following the tainted value from source to sink is known as Taint Propagation.
  • 15. Tools for JS Code analysis SCA, static code analysis: • Heavy • Difficult • Lower accuracy (false positives) • Adaptability (false negatives…needs custom rules) • Broad language support Dynamic code analysis/IAST: • Requires instrumentation • More accurate • Fuzzing capabilities! SDLC and Automation (CI)
  • 16. DOM XSS Wiki: http://code.google.com/p/domxsswiki/wiki/LocationSources Attacker controls all parts of a location except the victim hostname. path/to/page.ext/ PathInfo ?Query=String #Hash=valuehttp://hostname/ He can force a user to visit a forged url address.! Direct Input Sources: Location
  • 17. Cookie value could have been instantiated somewhere else and retrieved on another page. Its value can be accessed/modified with: ❑ document.cookie: <script> var cvalue = document.cookie; var cstart = cvalue.indexOf(“username="); cvalue = unescape(cvalue.substring(cstart+9, cstart+9+length)); alert(“Welcome ” + cvalue); </script> The attacker could force a malicious cookie value! Indirect Input Sources: Cookies
  • 19. Tools for JS Code analysis

Editor's Notes

  • #5: From OWASP WEBSITE: IT shows howm many test we need to do on the client side, almost all of them are causes and consequences of Javascript Execution