# Security & Web 2.0 # Chaos and Progress ### QConSP 2014
# @abstractj
# Passionate about # cryptography
# But just a wannabe
# I'm not ![](img/who-will-take-the-iron-throne.jpg)
# Nor this guy ![](img/paul-blart.jpg)
# More like ![](img/hammering.jpg)
# DISCLAIMER
# The Web ![](img/empire-of-light.jpg)
# Lots of standards ![](img/Standards_Only_sorted_by_status__W3C.jpg)
# But no pattern ![](img/battle-of-web-browsers-600x573.jpg)
# Although, # JavaScript <3 Browser
# But it is also # hostile to security

Example

```javascript
// Anything that runs in the page before us can replace the CSPRNG:
// beEvil() is called first, so the "random" value is always 42.
beEvil();
console.log(getRandomValue());

function getRandomValue() {
  var random = new Uint32Array(1);
  crypto.getRandomValues(random);
  return random[0];
}

function beEvil() {
  // Monkey-patches the global API; every later caller gets a constant
  window.crypto.getRandomValues = function(array) {
    array[0] = 42;
  };
}
```
# Malware alert ![](img/google-warning-new-650x483.png)
# People avoid ![](img/How_to_Disable_Google_Malware_Warnings__eHow_20140408_085832_20140408_085835.jpg)
# Customers don't care ![](img/postitnote.jpg)
# Security vs. Usability ![](img/captcha.jpg)
# Security is hard ![](img/n0jyBWk.png)
# But also omnipresent in our lives
# Why should we care?
# Security is # our responsibility
# There is no back-end # or front-end
# There is only # safe or unsafe
# OWASP top 10 ![](img/OWASP_Top_10__20132.pdf_page_4_of_22_20140408_171617_20140408_171620.jpg)
# Basics first
# MiTM # Man in the middle
# MiTM ![](img/MiTM.png)
# SSL, please
# Even if your ![](img/heartbleed.png) # bleed
# To the whole website ## not only for some parts
# Why?
# SSLStrip ![](img/sslstrip-tldr.png)
# HSTS ## HTTP Strict Transport Security ### Instructs the web browser to interact only with HTTPS

How?

nginx

```nginx
# Remember for 30 days
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";
```

```
curl -I https://www.openshift.com
HTTP/1.1 200 OK
...
Date: Thu, 10 Apr 2014 04:50:11 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 10 Apr 2014 04:50:11 GMT
domain=www.openshift.com; secure; HttpOnly
...
Strict-Transport-Security: max-age=15768000, includeSubDomains
```

Statistics

7 major Brazilian banks don't have HSTS

```shell
curl -I https://www.yourfavoritebank.here | grep -i strict
```

Statistics

6 major Brazilian banks don't have HTTPS redirect

```
$ curl -sI http://www.idontcareaboutcustomers.com

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html
Date: Thu, 10 Apr 2014 05:15:05 GMT
Connection: keep-alive
```

Statistics

1 major Brazilian bank has HTTPS redirect

```
$ curl -sI http://www.doingitright.com

HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://www.doingitright.com
Date: Thu, 10 Apr 2014 05:19:08 GMT
Connection: keep-alive
```

Cookies

```
curl -I https://www.openshift.com
HTTP/1.1 200 OK
Date: Thu, 10 Apr 2014 17:09:15 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
...
Set-Cookie: ...; expires=Thu, 17-Apr-2014 17:09:15 GMT;
path=/; domain=www.openshift.com; secure; HttpOnly
```
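The three things the slides probe with `curl` (HSTS, an HTTP to HTTPS redirect, and the `secure`/`HttpOnly` cookie flags) can be checked automatically from the raw status line and headers that `curl -sI` prints; this is an added example, not code from the talk, and the sample responses are constructed to look like the slides' output rather than real captures.

```javascript
// Parse "status line + headers" text into a status code and a header map.
// Header values are kept in arrays because Set-Cookie may appear several times.
function parseResponse(raw) {
  var lines = raw.trim().split(/\r?\n/);
  var status = parseInt(lines[0].split(' ')[1], 10);
  var headers = {};
  lines.slice(1).forEach(function (line) {
    var idx = line.indexOf(':');
    if (idx < 0) return;                       // skips "..." and blank lines
    var name = line.slice(0, idx).trim().toLowerCase();
    var value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  });
  return { status: status, headers: headers };
}

// Report HSTS, redirect-to-HTTPS and per-cookie flags for one response
function auditHeaders(raw) {
  var res = parseResponse(raw);
  var hsts = (res.headers['strict-transport-security'] || [])[0] || '';
  var maxAge = /max-age=(\d+)/i.exec(hsts);
  var location = (res.headers['location'] || [])[0] || '';
  var cookies = (res.headers['set-cookie'] || []).map(function (c) {
    var attrs = c.split(';').map(function (a) { return a.trim().toLowerCase(); });
    return { name: c.split('=')[0].trim(),
             secure: attrs.indexOf('secure') >= 0,
             httpOnly: attrs.indexOf('httponly') >= 0 };
  });
  return {
    hsts: { present: hsts !== '',
            maxAge: maxAge ? parseInt(maxAge[1], 10) : 0,
            includeSubDomains: /includesubdomains/i.test(hsts) },
    redirectsToHttps: res.status >= 300 && res.status < 400 && /^https:/i.test(location),
    cookies: cookies
  };
}

// Constructed samples shaped like the slides' curl output (not real captures)
var GOOD = 'HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=2592000; includeSubDomains\n' +
           'Set-Cookie: sid=abc; path=/; secure; HttpOnly\n';
var BAD = 'HTTP/1.1 200 OK\nServer: IBM_HTTP_Server\nSet-Cookie: sid=abc; path=/\n';
var REDIRECT = 'HTTP/1.1 301 Moved Permanently\nLocation: https://www.doingitright.com\n';
```

Run it against `curl -sI` output for the plain-HTTP and the HTTPS URL of a site: the first should report `redirectsToHttps`, the second `hsts.present` and cookies with both flags set.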
# Authentication # & # Authorization
# Password hints ![](img/example-chatty-interface.jpg)
# Clear text ![](img/tumblr_my0b2dwwOh1qifaplo1_1280.png)
# Avoid sensitive data on local storage ## In the worst case scenario, go with session storage
# Code injection is scary
# XSS ## Cross-Site Scripting ### The client trusts the server
# Non persistent XSS ![](img/xss-nonpersistent.png)
# Persistent XSS ![](img/xss-persistent.png)
# Escape characters # HTML tags

JSFuck

`alert(1)`, written below in JSFuck using only the characters `[]()!+`:
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
# Modern frameworks can # handle it ## Ember.js, Angular.js, Backbone.js, ## Knockout.js...
# Maybe
# We all have deadlines
# We can make mistakes # in any technology

#1 Underscore.js


#2 Underscore.js

# What's the difference?
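As an added example (not code from the talk) of the escaping the XSS slides call for: `escapeHtml` neutralises the five characters that can change HTML context, and a toy `render()` offers both interpolation forms that Underscore templates have, `<%= %>` (raw) and `<%- %>` (escaped), so the two outcomes sit side by side. The template engine and the sample input are assumptions made for this example, not Underscore's own code.

```javascript
var HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Output encoding for text placed into an HTML element or attribute body
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) { return HTML_ESCAPES[ch]; });
}

// Toy template engine (assumption for this example): <%= key %> inserts raw,
// <%- key %> inserts escaped, mirroring Underscore's two forms
function render(template, data) {
  return template.replace(/<%([=-])\s*(\w+)\s*%>/g, function (_, kind, key) {
    var value = data[key] === undefined ? '' : data[key];
    return kind === '-' ? escapeHtml(value) : String(value);
  });
}

// Constructed untrusted input: a display name submitted by a user
var PAYLOAD = '<img src=x onerror=alert(1)>';
var unsafe = render('<p>Hello <%= name %></p>', { name: PAYLOAD }); // markup survives
var safe = render('<p>Hello <%- name %></p>', { name: PAYLOAD });   // shown as text
```

Escaping is about context, not about which characters look dangerous: JSFuck's `[]()!+` pass through `escapeHtml` untouched and are harmless as text, because it is `<`, `>` and quotes that let input leave the text context.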
# Dirty secret never # told by OWASP
# Your major vulnerability
# Coworkers ![](img/pair-programming.jpg)
# It must be like # an orchestra ![](img/Drummer-concert-sheet-music-fail.gif)
# Code review ![](img/Twitter__iamdevloper_10_lines_of_code__10_..._20140409_142948_20140409_142950.jpg)

CSRF

Cross-Site Request Forgery

```html
<!--<img src="--><img src=meh width="1" height="1" onerror=alert("Do something!")//">
```
# CSRF ![](img/csrf.png)

Response splitting

JSP

```jsp
<%
// the request parameter is concatenated straight into the Location header
response.sendRedirect("/thanks.jsp?user="+
   request.getParameter("user"));
%>
```
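The JSP above concatenates a request parameter into the `Location` header; percent-encoding the value keeps CR and LF out of the header line, which is what prevents response splitting. This is an added example, not code from the talk, and the crafted input is constructed for illustration.

```javascript
// Same defect as the JSP: the value is pasted into the header unchanged
function naiveLocation(user) {
  return '/thanks.jsp?user=' + user;
}

// Encoded: CR/LF become %0D%0A and can no longer end the header line
function safeLocation(user) {
  return '/thanks.jsp?user=' + encodeURIComponent(user);
}

// A header value containing CR or LF terminates the Location line, so
// whatever follows would be parsed as further headers or as the body
function splitsResponse(headerValue) {
  return /[\r\n]/.test(headerValue);
}

// Constructed input: a "user" value smuggling a line break and an extra header
var CRAFTED = 'bob\r\nX-Injected: yes';
```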
# Solution ![](img/Settings__Content_settings_20140410_042349_20140410_042356.jpg)
![](img/94c19f3688c1ef82bfa1630041eb85356dbf6141c8ad30fa08cf3eccea778af4.jpg)

Secure Headers

nginx

```nginx
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
# X-Frame-Options: pick one of the two
add_header X-Frame-Options "DENY";
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self'";
```

Secure Headers

Node

```shell
$ npm install helmet
```

```javascript
var express = require('express');
var helmet = require('helmet');
var app = express();
app.use(helmet.iexss());
app.use(helmet.contentTypeOptions());
// X-Frame-Options: pick one of the two
app.use(helmet.xframe('deny'));
app.use(helmet.xframe('sameorigin'));
app.use(helmet.csp());
app.use(helmet.hsts(2592000, true));   // max-age 30 days, includeSubDomains
```

Secure Headers

Ruby

```shell
$ gem install secure_headers
```

```ruby
::SecureHeaders::Configuration.configure do |config|
    config.x_xss_protection = {:value => 1, :mode => 'block'}
    config.x_content_type_options = "nosniff"
    # X-Frame-Options: pick one of the two
    config.x_frame_options = 'DENY'
    config.x_frame_options = 'SAMEORIGIN'
    config.csp = {
      :default_src => "https://* self"
    }
    config.hsts = {:max_age => 2592000, :include_subdomains => true}
end
```
# CSP ![](img/Content_Security_Policy_1.1_20140410_041414_20140410_041418.jpg)

CSP

```
style-src https://abstractj.org
          https://fonts.googleapis.com;
frame-src https://qconsp.com;

script-src https://ssl.google-analytics.com
                  https://abstractj.org;
img-src 'self' https://cdn.abstractj.com;
font-src https://cdn.abstractj.com;
```
# CSP ![](img/An_Introduction_to_Content_Security_Policy__HTML5_Rocks_20140410_103148_20140410_103150.jpg)
# SQL Injection ![](img/BkZH2wyIgAAbVEU.jpg)

Ruby

```ruby
# Untrusted input interpolated straight into the SQL string
User.find(:first, :conditions =>
          "name = '#{params[:name]}'")
```

Injection

```ruby
params[:name] = "name=') OR admin = 't' --"
```

SQL

```sql
SELECT "users".* FROM "users" WHERE (name = 'name=') OR admin = 't' --') LIMIT 1
```

Fix

Prepared statement

```ruby
# Placeholder form: conditions must be an array so Rails binds the value
User.find(:first, :conditions => ["name = ?", params[:name]])
```
# More about ![](img/Rails_SQL_Injection_Examples_20140410_110623_20140410_110626.jpg)
# Scan your webapp # for vulnerable libraries ## [https://github.com/bekk/retire.js](https://github.com/bekk/retire.js)
# Authentication
# Never store a password # in plain text
# People still do it ![](img/Plain_Text_Offenders_Archive_20140410_110915_20140410_110918.jpg)
# Password validation
# Plain hashing is a bad idea # for passwords ## Hashcat can break it
# PBKDF2 or BCrypt ## To slow down ## the attacker
# Privacy matters
# JavaScript # Cryptography
# Libraries
* Stanford Javascript Crypto Library (SJCL)
* CryptoJS
* OpenPGP.js
![](img/hvcrmeegvjrczw_small.jpg)
# Should we just give up!?
![](img/Cryptocat_20140410_114135_20140410_114137.jpg)
# Real life ## Digital signatures ## Critical transactions ## ...
# Cryptography is a # double-edged sword
# DON'T use
* MD4
* MD5
* ECB
* DES
* 3DES or TripleDES
# WebCrypto ## Low level crypto operations ## Natively implemented in the browser
# One more thing...
# Heartbleed ![](img/Heartbleed_Bug_20140410_121538_20140410_121541.jpg)
# We are all exposed
# OpenSSL 1.0.1 through 1.0.1f # MUST BE # upgraded to 1.0.1g
# Revoke and # regenerate new keys
# Testing ## http://filippo.io/Heartbleed/ ## https://github.com/emboss/heartbeat
# Don't laugh at others
# Help them
# We are always # the next target
# Thank you ## [http://abstractj.org](http://abstractj.org) ## [https://aerogear.org/](https://aerogear.org/)