emily stark at hack reactor - javascript and web security
DESCRIPTION
Emily Stark is a core developer at Meteor Development Group and an expert in JavaScript security and cryptography (see her bio at http://www.meteor.com/about/people). On September 12, 2013, Emily gave a guest lecture at Hack Reactor, a San Francisco-based coding academy (http://hackreactor.com). She covered several topics in JavaScript and Web Security, including:
• Secure password storage and authentication
• SRP protocol (http://srp.stanford.edu)
• Common JS security threats and injection techniques
TRANSCRIPT
![Page 1: Emily Stark at Hack Reactor - JavaScript and Web Security](https://reader034.vdocuments.site/reader034/viewer/2022051512/540604818d7f729b768b510b/html5/thumbnails/1.jpg)
Web security 101
Emily Stark, Meteor core dev
Page 2
Common attacks on the web, how to prevent them, and tidbits from Meteor along the way
Page 3
Outline
1. Why the web is a dangerous place
2. Web security in the traditional world and the Meteor world:
- Authentication and password storage
- Cross-site request forgery (CSRF)
- SRP
- Cross-site scripting (XSS)
Page 4
Why the web is a dangerous place
Page 5
Same Origin Policy
origin = protocol, host, port
Page 6
Why the web is a dangerous place
drive-by code execution
Pages 7-9
Why the web is a dangerous place: drive-by code execution
Diagram (built up over three slides): the client sends a request to the server, the server sends a response, and the client executes the response as code.
Page 10
Why the web is a dangerous place
stateless
Diagram: client and server exchange request, response, request, response; each exchange stands on its own.
Page 11
Why the web is a dangerous place
Page 12
Why the web is a dangerous place
meteor uses a stateful protocol
Diagram: the client and the Meteor server exchange a request and a response, then keep talking over DDP over websockets.
Page 13
Why the web is a dangerous place
code + data intermingled
Diagram: client and server exchange request/response pairs, and each response carries code and data mixed together.
Page 14
Why the web is a dangerous place
meteor: code and data separate
Diagram: the client sends a request and the Meteor server's response carries the code; data flows separately over DDP over websockets.
Page 15
Authentication and password storage
Pages 16-17
Auth flow
Diagram: the client sends username, password to the server; the server returns a session cookie; later requests and responses carry it.
Page 18
Auth flow
Diagram: the client sends username, password; the server keeps H(password).
Page 19
Password storage
What is H?
Page 20
Password storage
How many MD5, SHA1 guesses per second?
Pages 21-22
Password storage
> 60 billion
(<1 min to crack a 7 character alphanumeric password)
http://www.zdnet.com/25-gpus-devour-password-hashes-at-up-to-348-billion-per-second-7000008368/
Pages 23-24
Password storage
● bcrypt, scrypt
  ○ password hashes
  ○ slow, scalable
● General-purpose hashes (SHA, MD5) designed to be fast
Page 25
Auth flow
Diagram: the client sends username, password; the server returns a session cookie.
Page 26
Auth flow (the session cookie)
● random, unguessable
● httponly
● secure
Page 27
Meteor authentication
Diagram: the client and the Meteor server talk over DDP over websockets; the client sends login, the server returns a token (authenticated), and the client stores it in localStorage.
Page 28
CSRF
Diagram: the victim logs in to the bank.com server.
Page 29
CSRF
Diagram: the victim, still logged in to bank.com, visits evil.com, which makes the victim's browser send "transfer $100 million billion to evil.com" to the bank.com server.
Page 30
No CSRF in meteor apps
● No cookies.
  ○ Only your app can make authenticated requests to itself.
● Cost: httponly, secure cookie protections.
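The Same Origin Policy slide and the CSRF slides share one idea, the (protocol, host, port) triple, so here is one added example (not code from the talk) covering both: it computes a request's origin and uses it for two CSRF defenses, the Origin/Referer check for cookie-authenticated apps and the Meteor-style explicit token that the browser never attaches on its own. The app origin, header shapes and session map are assumptions.

```javascript
// Added example, not code from the talk: the (protocol, host, port) triple that
// the Same Origin Policy compares, and two CSRF defenses built on it. The app
// origin, header shapes and session map are assumptions for illustration.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin triple of a URL. An explicit default port is normalised away, so
// https://bank.example:443 and https://bank.example are the same origin.
// Non-http(s) schemes (javascript:, data:, ...) have no comparable origin here.
function originOf(urlString) {
  let u;
  try { u = new URL(String(urlString)); } catch (e) { return null; }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return { protocol: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa !== null && ob !== null &&
    oa.protocol === ob.protocol && oa.host === ob.host && oa.port === ob.port;
}

const APP_ORIGIN = 'https://bank.example'; // assumed

// Safe methods must never change state, so CSRF cannot hurt through them.
function isSafeMethod(method) {
  return ['GET', 'HEAD', 'OPTIONS'].includes(String(method).toUpperCase());
}

// Defense 1, for cookie-authenticated apps: a state-changing request must
// come from our own origin. Browsers attach Origin (or at least Referer) to
// cross-site POSTs, and a request with neither is refused: fail closed.
function allowCookieRequest(method, headers) {
  if (isSafeMethod(method)) return true;
  const source = headers.origin || headers.referer;
  return source ? sameOrigin(source, APP_ORIGIN) : false;
}

// Defense 2, the Meteor-style approach from the slides: no cookie at all. The
// client holds the token (e.g. in localStorage) and sends it explicitly. The
// browser never adds it on its own, so a page on evil.example cannot make an
// authenticated request; the trade-off is that page script can read the token.
function userForExplicitToken(headers, sessions) {
  const [scheme, token] = String(headers.authorization || '').split(' ');
  if (scheme !== 'Bearer' || !token) return null;
  return sessions.get(token) || null;
}

// Constructed scenario from the slides: the victim is logged in to the bank,
// and a page on evil.example makes the browser POST a transfer with the
// victim's cookie attached.
const sessions = new Map([['tok123', 'victim']]);
const forged = { cookie: 'session=tok123', origin: 'https://evil.example' };
const genuine = { cookie: 'session=tok123', origin: 'https://bank.example' };
console.log('forged transfer allowed?', allowCookieRequest('POST', forged));    // false
console.log('genuine transfer allowed?', allowCookieRequest('POST', genuine));  // true
console.log('explicit token, no header:', userForExplicitToken(forged, sessions)); // null
console.log('explicit token present:', userForExplicitToken({ authorization: 'Bearer tok123' }, sessions)); // victim
```

The forged request carries a perfectly valid cookie, which is exactly the CSRF problem: the cookie proves who the browser belongs to, not who asked for the request. Both defenses add that second piece of evidence.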
Page 31
Crypto diversion: SRP
● Server can't learn client password.
● Server and client authenticate each other.
● Resistant to man-in-the-middle attacks.
Page 32
Crypto diversion: SRP in one cramped slide
Diagram of the exchange:
- client -> server: username, random value r1
- server looks up: salt, g^H(salt, password)
- server -> client: salt, another random value r2
- client: use password to compute shared key
- server: use g^H(salt, password) to compute shared key
- client -> server: H(shared key || r1 || r2)
- server -> client: H(message from client || shared key)
Page 33
Crypto diversion: SRP
Why don't all web apps use it?
● Client-side crypto is almost always useless.
● Meteor uses it in anticipation of non-browser DDP clients.
Page 34
Auth takeaways
● Use a framework's implementation.
● Use bcrypt.
● Use httponly and secure cookie flags.
● Cookies can be avoided when connections are stateful.
Page 35
Cross-site scripting
Pages 36-37
Cross-site scripting (XSS)
Page 38
HTML encoding foils some attacks...
< > ' " ` &
encoded as: &lt; &gt; &#39; &quot; &#96; &amp;
Page 39
But not all
<a href="{{ userWebsite }}"> {{ username }}'s website</a>
Pages 40-41
URL sanitization
<a href="javascript:alert(localStorage)"> {{ username }}'s website</a>
Can you execute any damaging Javascript when quotes are escaped?
Page 42
URL sanitization
<a href="javascript:eval(String.fromCharCode(77, 101, ...))"> {{ username }}'s website</a>
Page 43
CSS sanitization
<div style="background-color:{{ usersFavoriteColor }}"></div>
Page 44
CSS sanitization
<div style="background-color:expression(alert(localStorage))"></div>
Page 45
Sanitize untrusted URLs and CSS
○ Don't try to filter out "javascript:", "expression", etc.
○ Do strict checking: URLs start with http, CSS values come from a list of safe values
○ Use Content Security Policy. Ex: Content-Security-Policy: default-src 'self'
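The HTML encoding slide and the URL/CSS sanitization slides together describe one rule, encode or allow-list according to the context the value lands in, so here is one added example (not code from the talk, and not Meteor's sanitizer) covering both. It encodes the six characters from the encoding slide, allow-lists the href and style values from the template slides, and renders the two templates with the slides' payloads. The template names (userWebsite, username, usersFavoriteColor) are the slides' own; the helper names and the colour list are assumptions.

```javascript
// Added example, not code from the talk and not Meteor's sanitizer: encoding
// untrusted text for HTML, then strict allow-listing of a user-supplied URL and
// CSS colour before they reach the href and style attributes from the slides.
// The helper names and the colour list are assumptions.

// The six characters from the slide, mapped to entities. Used in text nodes
// and inside double-quoted attributes.
const HTML_ENTITIES = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };

function encodeHtml(text) {
  return String(text).replace(/[<>&"'`]/g, ch => HTML_ENTITIES[ch]);
}

// URL context: encoding does nothing against javascript:, because the payload
// needs no quotes (and String.fromCharCode avoids them anyway). So parse the
// value and accept only http(s); never try to strip "javascript:" out of it.
function safeHttpUrl(value) {
  let u;
  try { u = new URL(String(value)); } catch (e) { return null; }
  return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
}

// CSS context: accept a value only from a fixed list or a strict #rrggbb
// pattern; anything else (expression(...), url(...), ...) is dropped.
const SAFE_COLOURS = new Set(['red', 'green', 'blue', 'black', 'white', 'gray', 'orange', 'purple']);

function safeCssColour(value) {
  const v = String(value).trim().toLowerCase();
  return SAFE_COLOURS.has(v) || /^#[0-9a-f]{6}$/.test(v) ? v : null;
}

// Render the two templates from the slides with every untrusted value passed
// through the encoder or sanitizer that matches its context.
function renderProfile(user) {
  const name = encodeHtml(user.username);
  const href = safeHttpUrl(user.userWebsite);
  const colour = safeCssColour(user.usersFavoriteColor) || 'inherit';
  const link = href
    ? `<a href="${encodeHtml(href)}">${name}'s website</a>`
    : `${name} (no website)`;
  return `<div style="background-color:${colour}">${link}</div>`;
}

// The slide's CSP header: with default-src 'self', an injected inline script or
// javascript: URL is blocked even if one of the sanitizers above is bypassed.
const CSP_HEADER = ['Content-Security-Policy', "default-src 'self'"];

// Constructed hostile profile, echoing the slides' payloads.
const hostile = {
  username: 'Mallory"><script>alert(localStorage)</script>',
  userWebsite: 'javascript:alert(localStorage)',
  usersFavoriteColor: 'expression(alert(localStorage))',
};
console.log(renderProfile(hostile));
console.log(renderProfile({ username: 'Alice', userWebsite: 'https://alice.example', usersFavoriteColor: '#336699' }));
console.log(CSP_HEADER.join(': '));
```

The URL check deliberately parses rather than pattern-matches: the WHATWG parser strips leading whitespace and lower-cases the scheme, so the spellings that defeat a naive "starts with javascript:" filter all come out as protocol 'javascript:' and are rejected together.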
Page 46
Meteor to the rescue?
Automatic, contextual sanitization*
*in the future, maybe
Page 47
Conclusion
● The web is a dangerous place.
● Full-stack frameworks, stateful connections: new security territory.
Page 48
@estark37
security-resources.meteor.com