The Future of Web Application Security - NCC Group
TRANSCRIPT
![Page 1: The Future of Web Application Security - NCC Group … · The Future of Web Application Security W3Conf, November 15 & 16, 2011 Brad Hill @hillbrad bhill@paypal-inc.com Scott Stender](https://reader034.vdocuments.us/reader034/viewer/2022050205/5f58423e94fa4454236f0ab1/html5/thumbnails/1.jpg)
The Future of
Web Application Security
W3Conf, November 15 & 16, 2011
Brad Hill
@hillbrad
Scott Stender
@scottstender
Page 2
The History of Web App Security
Page 3
HTTP
Attacker as Eavesdropper and Impersonator
Page 4
Attacker as Client
Page 5
OWASP Top 10 2010
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
Page 6
Attacker as Server
Bank.com
Evil.com
Page 7
Confusing the Client: CSRF
GET /dancingpigs.html
<iframe src=https://bank.com/transfer?amt=$1M&to=Mallory>
Cookie: mycreds=sekr1t
GET /transfer?amt=$1M&to=Mallory
Page 8
Client Code Injection: Reflected XSS
GET /dancingpigs.html
<iframe src=https://bank.com/?amt=<script>evil.js</script>
<script>evil.js</script>
Page 9
Client Code Injection: Stored XSS
<script>evil.js</script>
POST /comment?txt=<script>evil.js</script>
GET /comment
Page 10
OWASP Top 10 2010
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
Page 11
Conventional Wisdom of Web Security:
Never trust the client.
Defend the server, at the server.
Page 12
HTTPS
WEB SECURITY 1.0
Page 13
Enter Web 2.0
Page 14
AJAX Empowers Clients
Page 15
Mobile Code, not just Mobile UI
Page 16
Client Code Injection: DOM XSS
GET /dancingpigs.html
<iframe src=https://bank.com/app.js#alert(xss)>
GET /app.js
DOM
#alert(xss)
eval(location.href.split("#")[1]);
Page 17
Contrived Example, Real Vulnerability
Mindedsecurity.com tested a sample of the Alexa Top 1M, and found 56% of sites they examined had exploitable DOM XSS vulnerabilities.
Source of real vulnerabilities against Twitter, Omniture, more…
DOM XSS Sources:
– document.URL
– document.URLUnencoded
– document.documentURI
– document.location
– document.referrer
– window.name
– window.location
– window.dialogArguments
– postMessage (HTML5)
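The `eval(location.href.split("#")[1])` pattern from the DOM XSS slide beside a hardened router, as an added example that is not from the slides. Both functions take the URL as a parameter so they run outside a browser; `safeRoute`, the route table and the `#view?key=value` fragment format are assumptions made for this example.

```javascript
// Added example (not from the slides): the slide's eval-of-fragment pattern
// beside a hardened router. Both take the URL as a parameter so they run outside
// a browser; in a page the argument would be location.href.

// Vulnerable: whatever follows "#" in a link or iframe src is executed as code
// in the page's own origin, so "#alert(xss)" is script injection that the server
// never sees (the fragment is not sent in the request).
function vulnerableRoute(href) {
  return eval(href.split("#")[1]);
}

// Hardened: the fragment is data. Only a view name from a fixed table and the
// parameters that view declares are returned; nothing from the URL is executed.
// Fragment format assumed for this example: "#view?key=value&key2=value2".
const ROUTES = {
  home:    { params: [] },
  account: { params: ["id"] },
  search:  { params: ["q"] },
};

function defaultRoute() {
  return { view: "home", params: {} };
}

function safeRoute(href) {
  const hashIndex = href.indexOf("#");
  if (hashIndex === -1) return defaultRoute();
  const fragment = href.slice(hashIndex + 1);
  const [viewName, query = ""] = fragment.split("?", 2);
  // hasOwnProperty guards against "#constructor" or "#__proto__" matching an
  // inherited Object property instead of a declared view.
  if (!Object.prototype.hasOwnProperty.call(ROUTES, viewName)) return defaultRoute();
  const route = ROUTES[viewName];
  const params = {};
  for (const [key, value] of new URLSearchParams(query)) {
    if (!route.params.includes(key)) continue;                  // undeclared parameter: dropped
    if (key === "id" && !/^[0-9]{1,12}$/.test(value)) return defaultRoute();
    params[key] = value;  // still untrusted text: render with textContent, never innerHTML or eval
  }
  return { view: viewName, params };
}
```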
Page 18
Web APIs beyond the Browser
Page 19
What is the sound of Cross-Site Scripting without a Site?
Credit: kyleosborn.org
Page 20
Data from Everywhere:
Meet the Mashups
Page 21
One App, Many Servers
• Accessing map data is great – if you are Google
• What about every other use of maps?
• Can’t we re-use that service?
Page 22
NO!
Bank.com
Evil.com
Page 23
First Generation Mashups: Hacking the Same-Origin Policy
• Clever uses of <script> <img> <iframe> aggregate content and work around the SOP
• JSONP is a fantastic example of a mature technology built on clever use of <script>
Or…
Page 24
Making Mashups Work
• JSONP is a great way of inviting arbitrary code execution in your DOM
• JSONP places all of your security in the hands of the script source
• Sourcing script gives that server check-in privileges on your code
Page 25
But they are trustworthy…
• Even trustworthy companies are compromised
• Even trustworthy companies enjoy your customers and your data
• Are your users, your customers, expecting that security model?
Page 26
HTML5+
Mashing Up with permission
Page 27
CORS and XHR2
• Cross-Origin Resource Sharing : Server-supplied headers permitting the client to relax the Same-Origin Policy
– With or without credentials
• Richer response types with XMLHttpRequest Level 2
– ArrayBuffer, Blob, File, FormData
– Also allows anonymous requests
Page 28
WebSockets
• Bi-directional communication between server and Web client
• May be cross-origin, client sends verified origin
Page 29
CORS, XHR2, WebSockets
• No policy file at well-known location as, e.g.:
– crossdomain.xml for Flash
– clientaccesspolicy.xml for Silverlight
• Access control is dynamically determined, per-resource
Harder to identify and audit cross-domain permissions on a server than with plugin-based approaches.
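One way to address the audit problem on this slide, as an added example that is not from the slides: keep every resource's cross-origin policy in a single server-side table and derive the CORS response headers (and the WebSocket handshake Origin decision) from it. The paths, origins and function names are constructed for this example.

```javascript
// Added example (not from the slides). Because CORS permissions are decided per
// resource in code rather than in one crossdomain.xml-style file, this keeps each
// resource's cross-origin policy in one table that can be reviewed in one place.
// Paths and origins are constructed placeholders.

const CORS_POLICY = {
  // Public, anonymous data: any origin may read it, never with cookies.
  "/api/public/rates": { origins: ["*"], credentials: false },
  // Authenticated resource: one named origin, cookies allowed.
  "/api/account":      { origins: ["https://app.example.com"], credentials: true },
};

// Returns the CORS headers for a response, or null when none should be sent.
// `requestOrigin` is the request's Origin header value (undefined when the
// browser did not send one, i.e. not a cross-origin request).
function corsHeadersFor(path, requestOrigin) {
  const policy = CORS_POLICY[path];
  if (!policy || typeof requestOrigin !== "string") return null;  // unlisted resource: same-origin only
  const wildcard = policy.origins.includes("*");
  // Browsers reject "*" together with credentials; fail at the source instead of
  // shipping a policy that silently does something else.
  if (wildcard && policy.credentials) {
    throw new Error(`${path}: '*' cannot be combined with credentials`);
  }
  // Exact match on the full origin string. Suffix or regex matches such as
  // origin.endsWith("example.com") also admit "https://evil-example.com".
  if (!wildcard && !policy.origins.includes(requestOrigin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": wildcard ? "*" : requestOrigin,
    // The echoed header differs per origin, so shared caches must key on Origin.
    "Vary": "Origin",
  };
  if (policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// WebSocket handshake: the browser sends the page's Origin and the server must
// decide. A WebSocket request always carries the user's cookies, so a wildcard
// entry is never honoured here; only an exactly listed origin is accepted.
function acceptWebSocketOrigin(path, requestOrigin) {
  const policy = CORS_POLICY[path];
  if (!policy || typeof requestOrigin !== "string") return false;
  return policy.origins.includes(requestOrigin);
}
```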
Page 30
postMessage
• Cross-Document and Channel Messaging establish communication between instances of client-side code in the same browser, including across origins
• Includes "origin" targets, but ports can be passed to other origins or an origin may itself be a mashup
Page 31
Web RTC
• postMessage communicates between client-side apps in the same browser…
• Web RTC (in development) communicates real-time multimedia between client-side apps running in different browsers
Page 32
Diagram labels: HTTP, XHR; CORS, XHR2, WebSockets; postMessage; Web RTC; WebStorage
Page 33
Diagram labels: HTTPS; DOM #alert(xss); postMessage
Page 34
Assets and attack surface are moving to the client.
We are still only defending at the server, but it does not see all data flows.
Page 35
Servers are still broken…
But the future of Web App Security is in the client.
Page 36
So what now?
Page 37
Testing/Verification
• Comprehensive analysis of standard web apps already stressed our abilities to test
• Now we have to manage the entire set of potential state in a DOM
• Test tools, even developer tools, are not where they should be
Page 38
The State of Mobile Code Engineering:
Stay vulnerable, my friends.
Page 39
What do we do? What can we do?
• Today: Features you want come with built-in “Game Over” security problems
– JSONP and <script src=> patterns
– plaintext HTTP
• We need Mobile Code designed to be securable:
– Compartmentalized
– Decoupled
– Explicit
– Testable: Think TDD
Page 40
Today:
• Use HTML5+ Mashup APIs
• Authenticate Origins: HTTPS and HSTS everywhere
• Secure Design: Compartmentalize and Sandbox Origins
• Client-Side Testing
Page 41
Design: Compartmentalization
• Use httpOnly cookies – Isolate session credentials’ value from the DOM
• Minimize foreign origins – Remember: <script src='X'> is equivalent to giving 'X' unsupervised check-in privileges to your codebase
• Create unique origins to isolate apps and sandbox dangerous / active content
– example.com, example-sandbox.com, example-marketing.com
– Remember that scripts can reset their origin to something less-specific!
Page 42
Seamless IFRAME Sandbox
Blog blog blog blog blog blog…
USER COMMENTS:
Mallory: <script>Whoops, a bypass!</script>
origin=safe.com
<iframe seamless sandbox> origin=null
Page 43
IFRAME Sandbox + JSONP
script src=evil.com/jsonp?callback=pwned
origin=safe.com
origin=safe.com
<iframe sandbox="allow-scripts">
postMessage
origin=null
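The parent-page side of the "IFRAME Sandbox + JSONP" pattern above, as an added example that is not from the slides; it also illustrates the postMessage caveat from the earlier slide. The JSONP callback runs inside `<iframe sandbox="allow-scripts">`, whose origin is `null`, and posts its result to the parent. `makeBridgeHandler`, `renderResult`, `requestLookup` and the message schema are assumptions made for this example; `expectedSource` stands for the frame's `contentWindow`.

```javascript
// Added example (not from the slides): parent-page side of a sandboxed JSONP
// bridge. Everything here is constructed; `expectedSource` stands for
// iframe.contentWindow and `render` for the code that updates the page.

// Builds the handler for window.addEventListener("message", ...). A sandboxed
// frame reports origin "null", and so does every other sandboxed frame, so the
// parent identifies the sender by window identity (event.source), not by origin.
function makeBridgeHandler(expectedSource, render) {
  return function onMessage(event) {
    if (event.source !== expectedSource) return "ignored: unexpected source";
    if (typeof event.data !== "string") return "ignored: non-string payload";
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return "ignored: not JSON"; }
    // Validate the shape before use: the JSONP server is untrusted, so its
    // output is data with a schema, never code.
    if (!msg || typeof msg !== "object" || msg.type !== "mapResult") return "ignored: unknown type";
    if (typeof msg.label !== "string" || msg.label.length > 200) return "ignored: bad label";
    if (!Number.isFinite(msg.lat) || !Number.isFinite(msg.lon)) return "ignored: bad coordinates";
    render({ label: msg.label, lat: msg.lat, lon: msg.lon });
    return "accepted";
  };
}

// Sink used by the handler. It writes the label as text, so "<script>" in a
// label is displayed, not parsed. `el` is any object with a textContent setter.
function renderResult(el, result) {
  el.textContent = `${result.label} (${result.lat}, ${result.lon})`;
  return el.textContent;
}

// Parent -> frame direction. The frame's origin is "null", so targetOrigin "*"
// is the only option, which is why nothing secret may be sent to the frame: it
// only ever receives the public lookup request.
function requestLookup(frameWindow, query) {
  frameWindow.postMessage(JSON.stringify({ type: "lookup", query: String(query) }), "*");
}
```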
Page 44
Implementation: Validate!
• Context-sensitive validation of untrusted data
– HTML, Attribute, CSS, JS, JSON, URL
• Do this client-side, even if you also do it server-side
– Better view of the data through the local parser
• http://plugins.jquery.com/project/jqencoder
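Context-sensitive encoders for the contexts listed on this slide, as an added example that is not from the slides and not the jqencoder plugin's code; the function names are constructed. The same value needs a different encoding depending on whether it lands in element text, an attribute, a JavaScript string literal or a URL, which is why one generic "escape" is not enough.

```javascript
// Added example (not from the slides). One encoder per output context; names
// are constructed for this example.

// Element text context.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// Attribute context: encode everything except alphanumerics, so even an unquoted
// attribute cannot be broken out of with a space, "=" or ">".
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string literal context: \xHH / \uHHHH escapes keep the value inside
// the quotes and keep "</script>" from closing the enclosing script element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256 ? `\\x${code.toString(16).padStart(2, "0")}`
                      : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// URL parameter context: one value that becomes one query parameter.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// A whole user-supplied URL used as an href is a different case: encoding does
// not help against "javascript:" schemes, so the scheme is checked instead.
// Relative URLs resolve against a constructed base origin.
function safeHref(userUrl) {
  let u;
  try { u = new URL(userUrl, "https://example.com/"); } catch (e) { return "#"; }
  return (u.protocol === "https:" || u.protocol === "http:") ? u.href : "#";
}
```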
Page 45
Some great starts on tooling:
• DOMinator
– Firefox runtime tool for analysis and identification of DOM-based XSS
– Stefano Di Paola and MindedSecurity
– http://blog.mindedsecurity.com/2011/05/dominator-project.html
• DOM Snitch
– Chrome runtime tool: passive analysis of dangerous client-side practices in the DOM
– Radoslav Vasilev @ Google
– http://code.google.com/p/domsnitch/
• Other DOM XSS tools from IBM, Blueinfy
• WebDriver and Selenium for testing in-the-client
Page 46
Near Future
• Make and Demand better tooling.
• Design for and use a Content Security Policy
• Tell your browser vendors and API providers that security matters to you!
Page 47
Least-Privilege: Content Security Policy
• New work pioneered by Mozilla and Google, now on W3C recommendation track.
• Header or META tag to allow/force a page to drop privileges and capabilities
– No inline script, no code from strings (eval), no data: URIs (mostly)
– Code must come from libraries at origins specified in script-src whitelist
– Origin whitelisting for other features:
• Image, media, frame, font, object/plugin
Page 48
Challenges Remaining
Page 49
Clickjacking / UI Redressing
• A serious threat to in-context mashups.
– “Like”, “+1”, “Follow”, “Pay”, “Friend”, “Share”
• “Pay” can be reversed. You can’t claw back your social graph after being Friend-jacked.
• X-Frame-Options allows refusal to render when framed
– Breaks the Web to secure it
– Not helpful when you want to be framed
– Work underway to fix this in W3C WebAppSec WG
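The Content Security Policy from the previous slide, the X-Frame-Options refusal described above, and the HSTS and httpOnly-cookie recommendations from the "Today" and "Compartmentalization" slides, expressed as response headers in an added example that is not from the slides. The helper names, the script origin and the cookie format are constructed; the SameSite cookie attribute postdates the talk but is included as a fact the editor is certain of.

```javascript
// Added example (not from the slides). Helpers that produce the response headers
// behind the deck's recommendations. The script origin is a placeholder.

const SCRIPT_ORIGINS = ["https://static.example.com"];   // placeholder CDN origin

// Content-Security-Policy value. Without 'unsafe-inline' and 'unsafe-eval',
// inline <script>, javascript: URLs and eval()/new Function() are blocked, so
// code can only come from the listed origins. data: is permitted for images only,
// matching the slide's "no data: URIs (mostly)".
function buildCsp(scriptOrigins) {
  return [
    "default-src 'self'",
    `script-src 'self' ${scriptOrigins.join(" ")}`,
    "object-src 'none'",
    "img-src 'self' data:",
  ].join("; ");
}

// Headers for one response. `framable` is false for pages that must never be
// framed (login, payment). X-Frame-Options has no "framed only by these sites"
// mode, which is the gap the Clickjacking slide points at.
function securityHeaders({ scriptOrigins = SCRIPT_ORIGINS, framable = false } = {}) {
  const headers = {
    "Content-Security-Policy": buildCsp(scriptOrigins),
    // HSTS: once seen over HTTPS, the browser refuses plaintext HTTP for a year.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  };
  if (!framable) headers["X-Frame-Options"] = "DENY";
  return headers;
}

// Session cookie: HttpOnly keeps the value out of document.cookie (and out of
// reach of XSS), Secure keeps it off plaintext HTTP. The value must be an opaque
// token; anything else is rejected rather than written into the header.
function sessionCookie(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(value)) throw new Error("session id must be an opaque token");
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```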
Page 50
The DOM is still a mess
• Hundreds of browser-specific quirks
– Hinders tool market, understanding of attack surface, cross-platform testing
• Amazing and innovative efforts at client-side security models by Mario Heiderich, Gareth Heyes, etc.
– Client-side, foolproof anti-XSS, sandboxing, even RBAC in the DOM
– Constantly foiled by the mess of the DOM
Page 51
Need for a Strict DOM?
The Standard
The Whole Standard
And Nothing But the Standard
Page 52
Thank you!
Page 53
Others to follow: @WisecWisec, @garethheyes, @0x6D6172696F, @johnwilander, @jeremiahg, @kkotowicz, @randomdross, @lcamtuf
http://www.schemehostport.com/ (Adam Barth)
The Tangled Web (new book by lcamtuf)
We are: [email protected], @hillbrad
[email protected], @scottstender