TRANSCRIPT
![Page 1: toStaticHTML() for Everyone!...1 of 45 toStaticHTML() for Everyone! About DOMPurify, Security in the DOM, and Why We Really Need Both A talk by Dr.-Ing. Mario Heiderich, Cure53](https://reader034.vdocument.in/reader034/viewer/2022050109/5f46dd9386542f381633310d/html5/thumbnails/1.jpg)
Slide 1 of 45
toStaticHTML() for Everyone! About DOMPurify, Security in the DOM, and Why We Really Need Both
A talk by Dr.-Ing. Mario Heiderich, [email protected] || @0x6D6172696F
Slide 2 of 45
Here is Alice. She wants to write an encrypted message.
And send it to Bob.
This is my company
Slide 3 of 45
Here is Bob. He wants to be able to read what Alice has to write.
About NASCAR.
That's nothing to be ashamed about. But still privacy-relevant for many!
We do really good pentests
Slide 4 of 45
Both Bob and Alice want to exchange encrypted mails with each other.
But I guess you know that already
Slide 5 of 45
Bob and Alice both use, let's call it... “ElectronMail”.
A fancy tool that allows you to encrypt and decrypt mail messages right in the browser.
You probably know what I am referring to.
Slide 6 of 45
“ElectronMail” is great.
All the server sees is an encrypted piece of text.
Useless to anyone without the key.
Slide 7 of 45
Unless that person is really good at mathematics.
Slide 8 of 45
“ElectronMail” chose a very smart approach.
We refer to that as End-to-End encryption. Or E2E.
From a technical standpoint, that whole process is easy to describe.
Slide 9 of 45
The next day, both Bob and Alice receive an encrypted mail from Mallory.
They both open the mail.
Both their accounts get compromised without them knowing.
Slide 10 of 45
Mallory not only gets access to all mails Bob and Alice have exchanged in the past...
but also grabs their private keys, all contacts in Alice and Bob's address-books,
and installs a key-logger. Just in case.
Slide 11 of 45
Mallory isn't overly great at mathematics.
She doesn't know much about buffer overflows and UAFs.
She is not in possession of a vast attack infrastructure, number crunchers or any dedicated soft- or hardware.
Slide 12 of 45
Mallory is pretty good at HTML and JavaScript.
The modern cyber-crime action-pack.
There. Cyber. I said it.
Slide 13 of 45
Mallory made use of a classic Cross-Site Scripting attack and smuggled executable client-side code into the message she sent out.
Executing in the DOM used by “ElectronMail”, provided by the browsers Alice and Bob use.
Remember when folks said “XSS is lame”?
Pepperidge Farm remembers!
Slide 14 of 45
It was harder for Mallory to do that kind of thing in the past.
Mail providers, before the dawn of cryptography in the browser, relied on strong server-side filters to scrub anything bad from HTML email bodies.
Slide 15 of 45
But with encryption in the browser, those days are over. The server can no longer see whether there is anything bad in the mail body.
Because it's encrypted.
Slide 16 of 45
Damn you, encryption!
Enabler of crime and malice! All that should be forbidden! Or back-doored!
Slide 17 of 45
Well, maybe not!
Slide 18 of 45
Let's isolate our initial problem.
We cannot sanitize on the server any more. Encrypted mails are left to be sanitized on the client.
So we need to sanitize on the client.
Slide 19 of 45
And browsers surely give us the right tools for that, correct?
Slide 20 of 45
Well, sadly, they do not.
Slide 21 of 45
You will now jump up and start screaming.
“Sandboxed Iframes!” “HTTP Only cookies!” “XSS filters!” “Web Workers!”
“The Same Origin Policy!” “Sub-Resource Integrity!”
And of course the cure for everything - “Content Security Policy!”
That's Mike West!
Slide 22 of 45
But the more you look at those features, the more you realize that they come close to solving our problem,
but never manage to be a perfect solution.
Trust me, I am a Doctor. I have butter on my bread just because of that.
Slide 23 of 45
We are missing something that does what the servers did in the past.
We need to be able to tell apart the bad from the good and only leave the good to be shown in the browser.
We don't have that.
Slide 24 of 45
Well, we kinda do. It's called toStaticHTML() and it does exactly that.
Take a string, throw any bad HTML out and hopefully return a sanitized string.
Mike is not amused.
Slide 25 of 45
But it's only available in MSIE.
Or on Firefox with NoScript installed. So let's scratch that.
We need a toStaticHTML() for everyone! In all browsers. Now!
Slide 26 of 45
So, I created it.
It's called DOMPurify and its task is to do exactly what we need. Take a string of HTML. Or SVG. Or MathML. Analyze it using an isolated DOM.
Throw out the bad, leave in the good. Return a sane result.
Slide 27 of 45
The browser DOM and its really messy properties were one of the biggest problems here.
DOM Clobbering attacks, inhomogeneous APIs, HTML elements implemented in completely different ways, different attribute handling.
The DOM is a mess!
Yeah! Let's make Visual Basic Script great again!
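The two slides above describe the approach (parse into an isolated DOM, walk the tree, keep only allow-listed elements and attributes, serialize) and the main obstacle (DOM clobbering). The following is an added example written for this transcript, not DOMPurify's own code and not a replacement for it: it reduces that approach to its skeleton. In a browser the input would be the `<body>` of `new DOMParser().parseFromString(dirty, 'text/html')`; Node has no DOM, so DOM-shaped plain objects (nodeType, nodeName, attributes, childNodes, data) stand in, and the constructed `malloryMail` tree plays the part of the parsed mail body. The allow-lists, the `getNamedItem` shape check (a portable stand-in for testing `attributes instanceof NamedNodeMap`, which is what DOMPurify does) and the sample input are all assumptions of this example.

```javascript
// Added example (not DOMPurify): parse-then-allow-list sanitising of a DOM tree.
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// The policy is an allow-list: anything not listed is dropped. This is an
// assumed policy for a mail viewer; DOMPurify's defaults are far longer.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a', 'img', 'br', 'ul', 'li', 'span']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title']);
const URL_ATTRS = new Set(['href', 'src']);
const VOID_TAGS = new Set(['img', 'br']);
// Accept http(s), mailto and cid URLs plus relative/scheme-less values;
// reject javascript:, data:, vbscript: and any other scheme.
const SAFE_URL = /^(?:(?:https?|mailto|cid):|[^a-z]|[a-z+.-]+(?:[^a-z+.:-]|$))/i;

const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// DOM clobbering guard. After <form><input name="attributes"> the browser
// makes form.attributes the <input> instead of a NamedNodeMap, and childNodes
// can be shadowed the same way. A node whose properties no longer have the
// expected shape is dropped whole instead of being trusted.
function isClobbered(node) {
  const a = node.attributes;
  const c = node.childNodes;
  return typeof node.nodeName !== 'string'
    || !a || typeof a[Symbol.iterator] !== 'function' || typeof a.getNamedItem !== 'function'
    || !c || typeof c[Symbol.iterator] !== 'function';
}

function sanitizeNode(node, out) {
  if (node.nodeType === TEXT_NODE) {
    out.push(escapeText(String(node.data)));
    return;
  }
  if (node.nodeType !== ELEMENT_NODE || isClobbered(node)) return; // comments, doctype, clobbered
  const tag = node.nodeName.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) {
    // Unknown element: keep its text content, except for script/style, whose
    // content is code rather than text.
    if (tag !== 'script' && tag !== 'style') {
      for (const child of node.childNodes) sanitizeNode(child, out);
    }
    return;
  }
  let attrs = '';
  for (const { name, value } of node.attributes) {
    const n = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(n)) continue; // drops on*, style, srcdoc, formaction, ...
    // Strip control characters and whitespace before the scheme check so that
    // "java\tscript:" cannot sneak past it.
    const bare = String(value).replace(/[\u0000-\u0020]/g, '');
    if (URL_ATTRS.has(n) && !SAFE_URL.test(bare)) continue;
    attrs += ` ${n}="${escapeAttr(String(value))}"`;
  }
  out.push(`<${tag}${attrs}>`);
  if (VOID_TAGS.has(tag)) return;
  for (const child of node.childNodes) sanitizeNode(child, out);
  out.push(`</${tag}>`);
}

// Entry point: takes the parsed root, returns a serialised, sanitised string.
function sanitize(root) {
  const out = [];
  for (const child of root.childNodes) sanitizeNode(child, out);
  return out.join('');
}

// --- Constructed stand-in for DOMParser output (not a real DOM) ---
const el = (name, attrs = {}, ...childNodes) => {
  const attributes = Object.entries(attrs).map(([n, v]) => ({ name: n, value: v }));
  attributes.getNamedItem = (n) => attributes.find((a) => a.name === n) || null; // NamedNodeMap-like
  return { nodeType: ELEMENT_NODE, nodeName: name.toUpperCase(), attributes, childNodes };
};
const txt = (data) => ({ nodeType: TEXT_NODE, data });

// Mallory's mail body as a parser would hand it over (constructed sample).
const malloryMail = el('body', {},
  el('p', { onclick: 'steal(document.cookie)' }, txt('Hi Alice & Bob,')),
  el('img', { src: 'x', onerror: 'exfil(localStorage)' }),
  el('a', { href: 'java\tscript:exfil(keys)' }, txt('read me')),
  el('a', { href: 'https://example.test/' }, txt('ok link')),
  el('script', {}, txt('exfil(privateKey)')),
  el('blink', {}, txt('kept text, dropped tag')),
);

// What a real DOM hands over after <form><input name="attributes">: the
// form's `attributes` property is the <input> (constructed to mimic that).
const clobberedForm = {
  nodeType: ELEMENT_NODE, nodeName: 'FORM',
  attributes: el('input', { name: 'attributes' }),
  childNodes: [txt('never shown')],
};

console.log(sanitize(malloryMail));
console.log(JSON.stringify(sanitize(el('body', {}, clobberedForm))));
```

The point of walking a parsed tree rather than running regexes over the string is that the browser's parser, not the sanitizer, decides what a tag is; the sanitizer only has to answer "is this node allowed" per node. The clobbering check is what makes that question answerable at all: once `attributes` can be an `<input>`, the walk has to verify the shape of every DOM property it touches before using it.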
Slide 28 of 45
But we believe we have solved them and haven't received a bypass in months.
Despite a generous bug bounty in case an issue gets spotted.
Slide 29 of 45
Many websites already use DOMPurify and are happy with it.
In Germany for example, we have a “Gov-Approved Mail” system called “de-mail”.
They had the same problem and guess how even they solved it. That's right, DOMPurify.
There are several hundred million users protected by our library by now
Slide 30 of 45
So. Is our problem already solved?
“Something seems fishy here”
Slide 31 of 45
Am I the savior of souls, the bringer of security, the knight in shining armor, slaying the XSS dragon?
Me, fighting the XSS dragon.
Slide 32 of 45
Hell no! Because now we have a well-working library. But that gives us a
trust problem. You have to trust me!
Slide 33 of 45
What if I turn rogue?
And release an update with a back-door?
Me, after back-dooring DOMPurify
Slide 34 of 45
I have been writing XSS exploits for the last ten years.
I think I could hide a back-door in DOMPurify.
Maybe in the compressed version we ship.
Slide 35 of 45
Of course I would never do that. Right?
Slide 36 of 45
Riiight?
Slide 37 of 45
Or would I?
“God I LOVE Money! Mmmmmmmoney! Aaah..”
Slide 38 of 45
And now what?
What options do we have? The problem now is that we have a solution to our former problem...
Now, the security of millions of users depends on a small circle of library authors and hopefully a bunch of cautious pairs of eyes noticing malicious changes.
Slide 39 of 45
We need a specification and implement DOMPurify inside browsers!
As part of the almighty DOM and its countless APIs.
We need many eyes on that, not just a few. We need a written and published description of risk models and matching solutions. We need templates that developers can use with great ease and small foot-gun potential.
Slide 40 of 45
We need to specify what DOMPurify does and implement it inside the browsers' core.
Despite CSP. Because of CSP.
Because we need to fill all gaps, not just accidental intersections.
Slide 41 of 45
Now, you might point at me with your finger and ask - why don't you write the specification then?
And I will respond...
Slide 42 of 45
Why don't YOU write the specification! We already did the hard work, identified the problem, proposed solutions...
...and showed that even our own approach is fundamentally flawed because of the inherently required trust in us, the maintainers.
Slide 43 of 45
Now, it's not just my but OUR turn.
If you agree on the problem, the proposed solutions and share our views about what needs to be done: Be the one who starts it.
We're happy to help! But we're not gonna do it alone.
Slide 44 of 45
Let's make all the “ElectronMails” and other tools much safer and implement XSS protection where it belongs.
Not into the server, not into WAFs and IPS. But into the browser.
Right, where the action happens.
Slide 45 of 45
And that concludes my presentation.
Thank you for your time :)