![GETTING STARTED
RUNNING THE APP
▸ $ git clone https://github.com/devgeeks/pixfor-vulnerable
▸ $ cd pixfor-vulnerable
▸ $ npm install
▸ $ phonegap serve (and use the PhoneGap Developer App), or
▸ $ phonegap run [ios|android] [--device]
~ or ~
▸ Open the PhoneGap Developer App and point it at:
http://take.pixfor.me:8888
13](https://image.slidesharecdn.com/phonegapdayeu2016workshop-privacyandsecurity-160527190137/85/PGDAY-EU-2016-workshop-privacy-and-security-13-320.jpg)
(seems contrived, but allows arbitrary script execution if input `foo` is untrusted)
27](https://image.slidesharecdn.com/phonegapdayeu2016workshop-privacyandsecurity-160527190137/85/PGDAY-EU-2016-workshop-privacy-and-security-27-320.jpg)
PGDAY EU 2016 workshop - privacy and security
- 1. PRIVACY AND SECURITY PHONEGAP PHONEGAP DAY EU - MAY 20, 2016 1
- 2. WHO AM I? STEVE GILL ▸ Computer Scientist at Adobe ▸ @stevesgill ▸ https://github.com/stevengill ▸ stevengill97@gmail.com 2
- 3. TEXT DISCLAIMER ▸ This Workshop was written and performed by Tommy Williams (@devgeeks) at PhoneGap Day US.
- 4. What is the difference between “Security” and “Privacy”? 4
- 5. WHAT IS THEIR RELATIONSHIP? SECURITY AND PRIVACY GO HAND IN HAND 👬 ▸ One does not always guarantee the other ▸ Good security does not always keep data private ▸ Privacy is also a security issue (attack vectors, etc) 5
- 6. WHAT IS THEIR RELATIONSHIP? STRONG PRIVACY NEEDS SECURITY ▸ Without good security, Privacy cannot be protected from those with malicious intent 6
- 7. “HACK YOURSELF FIRST” TO QUOTE TROY HUNT (VIA JEREMIAH GROSSMAN): Fun resource: http://hackyourselffirst.troyhunt.com 7 https://www.webdirections.org/resources/hack-yourself-first-troy-hunt/
- 8. WHAT KINDS OF ATTACKS MIGHT BE MOUNTED AGAINST A PHONEGAP APP? PRETTY MUCH THE SAME AS THOSE USED TO ATTACK BROWSER APPS ▸ Direct API or Server Access ▸ Cross Site Scripting (XSS) ▸ Cross Site Request Forgery (CSRF) ▸ SQL Injection ▸ MitM ▸ Broken Auth and Session Management ▸ User Exploitation (Phishing, etc) ▸ Etc… 8
- 9. IS HACKING HARD? DOES IT TAKE MAD SKILLZ? 9
- 10. WHO ARE YOU CALLING A DORK… YA DORK? NOT GOING TO BOTHER DEMOING THIS, YOU GET THE IDEA GOOGLE DORKS 10
- 11. DON’T REQUIRE ADVANCED KNOWLEDGE PLENTY OF HACKING TOOLS 11
- 12. PIXFOR (THE VULNERABLE EDITION) OK, SO WHAT ARE WE GOING TO HACK ON TODAY? 12
- 13. GETTING STARTED RUNNING THE APP ▸ $ git clone https://github.com/devgeeks/pixfor-vulnerable ▸ $ cd pixfor-vulnerable ▸ $ npm install ▸ $ phonegap serve (and use the PhoneGap Developer App), or ▸ $ phonegap run [ios|android] [--device] ~ or ~ ▸ Open the PhoneGap Developer App and point it at: http://take.pixfor.me:8888 13
- 14. ‘ OR 1=1; -- SQL INJECTION 14
- 15. ROBERT’; DROP TABLE STUDENTS; -- LITTLE BOBBY TABLES 15
- 17. WHAT CAN WE DO? SQL INJECTION 17
- 18. SQL INJECTION IF NOTHING ELSE ‣ Avoid SQL injection by use of parameterization ‣ This keeps untrusted input from breaking out of the parameter context ‣ And of course, listen to Bobby’s mom and sanitize your inputs 18
- 20. HTTPS://WWW.SEANCASSIDY.ME/LOSTPASS.HTML ಠ_ಠ BUT IS XSS THAT BIG OF A DEAL? 20
- 21. XSS TWO PRIMARY CONCERNS ▸ What are the sources of input? ▸ Where is this data going (the target)? 21
- 22. XSS TYPES OF SOURCES ▸ Location and URL Sources ▸ Cookies ▸ Referrer (less so in a PhoneGap app) ▸ Window Name ▸ Indirect Sources (Client side db such as sqlite/pouch/etc) ▸ Other Objects (Post Message/Intents/etc) 22
- 23. XSS TYPES OF TARGETS ▸ Execution Target ▸ HTML Element Target ▸ Set Location Target ▸ Control Flow Target ▸ …and more 23
- 24. XSS EXECUTION TARGET ▸ eval() ▸ onclick, onsubmit, … ▸ Function() ▸ script.src ▸ setTimeout() ▸ script.text ▸ setInterval() ▸ script.textContent ▸ setImmediate() ▸ script.innerText ▸ etc… 24
- 25. XSS HTML ELEMENT TARGET ▸ document.write ▸ document.writeln ▸ element.innerHTML ▸ element.insertAdjacentHTML ▸ Range.createContextualFragment ▸ HTMLButton.value ▸ etc… 25
- 26. XSS SET LOCATION TARGET ▸ window.location 26
- 27. XSS CONTROL FLOW TARGET ▸ this[foo](bar) (seems contrived, but allows arbitrary script execution if input `foo` is untrusted) 27
- 28. FRAMEWORKS A QUICK NOTE ABOUT 28
- 29. XSS FRAMEWORKS ▸ jQuery ▸ Angular ▸ React 29
- 30. XSS FRAMEWORKS - JQUERY ▸ jQuery is practically a target in and of itself (mostly fixed) ▸ be aware that old versions might be targets ▸ Choc-full of HTML element targets: element.add(userContent) element.append(userContent) element.after(userContent) element.html(userContent) etc… 30
- 31. XSS FRAMEWORKS - ANGULAR ▸ Old versions should be avoided and updated ▸ 1.1.5? <div class=“ng-app"> {{constructor.constructor('alert(1)')()}} </div> ▸ Fixed now, but beware older versions 31
- 32. XSS FRAMEWORKS - REACT ▸ Gives a clue in the function name: dangerouslySetInnerHTML(), but devs still use it (static site generators, etc) ▸ Not using it also doesn’t alleviate the need to sanitize your inputs 32
- 33. XSS PROBLEMS WITH FRAMEWORKS ▸ Add complexity ▸ Abstract away targets (innerHTML, etc) ▸ Add syntactic sugar ▸ Add loopholes to browser security controls ‣ The frameworks and practices you use should (attempt to) be secure by default ‣ If your frameworks add syntactic sugar, be aware of the implications 33
- 34. XSS STAY. UP. TO. DATE. ▸ This applies to PhoneGap/Cordova and its plugins as much as your front-end JavaScript frameworks 34
- 35. WHAT CAN WE DO? XSS 35
- 36. XSS MINIMISE ATTACK SURFACE ▸ Avoid converting strings to scripts ▸ Avoid innerHTML wherever possible! ▸ Don't write your own HTML sanitizer (srsly) ▸ Whitelist* ▸ Content Security Policy (CSP)* * we’ll get to these in a bit 36
- 37. XSS AVOID CONVERTING STRINGS TO SCRIPTS ▸ eval, Function.apply, setTimeout("string"), etc ▸ inline event handlers like onclick="string", etc 37
- 38. XSS AVOID INNERHTML WHEREVER POSSIBLE! ▸ .textContent ▸ $(el).text() ▸ document.createElement/setAttribute ▸ Use a template system with escaping ▸ HOWEVER!! location targets are not as protected i.e.: <a href="{{value}}">...</a> 38
- 39. XSS DON'T WRITE YOUR OWN HTML SANITIZER If you MUST… ▸ Whitelist, NOT blacklist ▸ fail conservatively, better to fail to display nicely than to be insecure ▸ instead consider: DOMPurify, Angular's $sanitize, Bleach,js (for workers?), etc… 39
- 40. XSS TL;DR ‣ Avoid eval & innerHTML ‣ Use a template lang* with escaping, but be careful with attributes ‣ filter HTML input conservatively ‣ Whitelist / CSP * However, a lot of the tempting langs don’t play well CSP, but we’ll get to that… 40
- 41. YOU ARE AWAKE NEXT, MAYBE SOME FUN TO MAKE SURE 41
- 42. DO YOU RECOGNISE ANY OF THESE? #SFO FREE WIFI, 13WestMyrtle, 2WIRE012, 5099251212, @Hyatt-WiFi, @yvrairport, ACU, ADBEEmp2014, ADO, ATT2yrd6rC, AccessDenied, Admirals_Club, AdobeCorp, AdobeGuest, Aer_Lingus_WIFI, Amanda's iPhone, AmtrakConnect, AndroidAP, Avatar Hotel, Avcenter, BDLpublic, BELL647, BELL_WIFI, BERNIES CAFE, BWW-PUBLIC, Best Western Park Place, BestBuy, Boingo Hotspot, Boyd's iPhone 6 Plus, Bycen, CAFE ZUPAS, CORTECH_Guest, CSWireless5ghz, Cafe 300, CapNet, CenturyLink1499, Cl-Wireless, CoJPublic, CoxWiFi, D&B_Guest, DIMTER, DIRECT-6bM2020 Series, DVG-N5402SP-212017, Detroit Airport Wi-Fi, DevMountain, DevMountainApt7, Douglas Guest, DrupalCon, ETS, El Mexsal, EmployeeHotspot, Engedi, EuropaCoffeehouse, FairPublic, Fly-Fi, FourSeasons Guest, Frahmbo's iPhone, Free PHX Boingo WiFi, FullCircle, Fusion-IO Guest, Google Starbucks, GoogleGuest, HI Express Richfield, HI Express Richfield , HOME-6CF2, HOME-C4C8, Handlery_San_Francisco, Happy Campers, HarborLink - Buffalo Wild Wings, Hope Alliance, Hyatt, IMEG-GUEST, ITGUEST, Jerk Grill, Joss, Kimpton, KingMaint, LYNDA-GUEST, Learntoprogram, MATHIS, MATHIS2, MH_Network, MMM_WiFi_Guest, MPLS, MiFi4620L Jetpack B472 Secure, MokiGuest, Mothership-guest, NETGEAR-Guest, NETGEAR53, NETGEAR82, NS FCCLA, OMA-Free-WiFi, OPTUSDN368CFC, OceanWiFi Very Hotspot, Ocho, Oscars, PCMC_Ice_Free_Wifi, PDI-Guest, PIGS, PPS, Park City Ice Patron Wifi, PhoneGap, Public, Quality, Quantum, Rain-Guest, Rangle.io WiFi, ReactWeek, Reclaim_EC, Redtail, Rogers, SDC2014, SEATAC-FREE-WIFI, SFUNET-SECURE, SGMC, SIN, SKYHARBOR PUBLIC WLAN, Seabay, Selnate, Shazron's iPhone 5, Shopify Guests, Solid Attendees, SouthwestWiFi, SpencerWireless, SpringOne2GX, Starbucks WiFi, Stratus018222, Streamyx Mobility, T-Mobile Broadband 67, TJR 008, TPCG0, Taco Bell, The Hotel Collection Guest WiFi, Two Jacks Pizza, U Street Cafe Wifi, UConnect, UNITE-295E, Virgin Hotels, WL, WebsterRec, Willowcreek, Wolverine-WiFi, WorkbarGuest, activehit, appigo47, attwifi, attwifibn, bPhone, baker, bycen, cabinsusa, dd-wrt, dlink, doraemon, duece, elive, ethostream, fazidin2, gogoinflight, hhonors, hhonors lobby, hhonors_lobby, hills, houseofnuts, iPhone (2), indiapalace, intermountain_guest, iviejuicebar, jexus, jucienjava, juicenjava, lhm-open, loganwifi, mikes, mywifi, nortel-wlan, qds_office, rangleio Extension, raspberry-pi, reSETguest, rogers, silvermtnsuites6, surveillance vehicle 2, testnet, video2g, wguest, xfinitywifi, zulkefley13@unifi 42
- 43. CONSTANTLY PROBING YOUR DEVICES ARE ALWAYS LOOKING FOR WIFI THEY KNOW ▸ These are called “Probe Requests” ▸ If the WiFi was unencrypted (no WEP/WPA, etc), then another device could see these probe requests and simply pretend to be that WiFi (i.e.: A WiFi Pineapple, etc) ▸ Most devices would then happily join and start sending traffic through the malicious WiFi spot ▸ Even easier is a “honey pot” like a WiFi called “FREE WIFI”, etc. Everyone likes free WiFi. 43
- 44. MAN IN THE MIDDLE (MITM) THESE ARE JUST SOME OF THE MANY WAYS TO BECOME A: "→☠←$ 44
- 45. DEMO I THINK THIS CALLS FOR ANOTHER 45
- 46. WHAT CAN WE DO? MITM 46
- 48. LET’S ENCRYPT! TOO HARD? TOO EXPENSIVE? 48
- 50. CSP CSP IS AWESOME ▸ What is it? ▸ It’s a whitelist of content sources ▸ http://www.html5rocks.com/en/tutorials/security/ content-security-policy ▸ Cordova / PhoneGap “hello World” templates include a CSP 50
- 51. CSP HELLO WORLD <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> 51
- 52. PHONEGAP SPECIFIC OK, LET’S GET MORE 52
- 54. WHITELIST READ AND UNDERSTAND THE WHITELIST GUIDE ‣ http://cordova.apache.org/docs/en/latest/guide/appdev/ whitelist/index.html ‣ <access origin=“https://*.mydomain.com" /> ‣ On iOS: ‣ Application Transport Security (ATS) ‣ <access origin="https://*.mydomain.com" minimum-tls- version="TLSv1.1" requires-forward-secrecy="false" /> 54
- 56. THE PROBLEM WITH IFRAMES ACCESS TO THE “BRIDGE” ‣ If content is served in an iframe from a whitelisted domain, that domain will have access to the native Cordova bridge ‣ This means that if you whitelist a third-party advertising network and serve those ads through an iframe, it is possible that a malicious ad will be able to break out of the iframe and perform malicious actions ‣ Be careful what you whitelist 56
- 57. CERTIFICATE PINNING GETTING HARDCORE WITH 57
- 58. CERTIFICATE PINNING (LIMITED) OPTIONS FOR CERT PINNING ‣ Cordova does not support true certificate pinning ‣ There are ways to approximate certificate pinning ‣ TOFU (yum) ‣ EddyVerbruggen/SSLCertificateChecker-PhoneGap- Plugin ‣ True certificate pinning for some platforms ‣ wymsee/cordova-HTTP 58
- 59. SELF-SIGNED CERTIFICATES FOR DEVELOPMENT ONLY! 59
- 60. MORE… SOME MORE ADVICE FROM THE SECURITY GUIDE ‣ Do not use Android Gingerbread (2.3)! ‣ Use InAppBrowser for outside links ‣ Validate all user input (worth repeating) ‣ Do not cache sensitive data ‣ Don't use eval() unless you know what you're doing ‣ Do not assume that your source code is secure 60
- 61. RESOURCES A FEW RESOURCES AS YOU GO FORWARD ‣ OWASP Top 10 - http://www.veracode.com/directory/owasp- top-10 ‣ SQL Injection Myths and Fallacies - http://www.slideshare.net/ billkarwin/sql-injection-myths-and-fallacies ‣ PhoneGap Platform Security wiki - https://github.com/phonegap/ phonegap/wiki/Platform-Security ‣ Online Security Confs - http://www.tunnelsup.com/online- security-conferences ‣ HTML4 Security Cheat Sheet - https://html5sec.org/ 61
- 62. LET’S STAY SAFE OUT THERE THANKS, AND 62 💖