Emily Stark is a core developer at Meteor Development Group and an expert in JavaScript security and cryptography (see her bio at http://www.meteor.com/about/people).
On September 12, 2013, Emily gave a guest lecture at Hack Reactor, a San Francisco-based coding academy (http://hackreactor.com). She covered several topics in JavaScript and Web Security, including:
• Secure password storage and authentication
• SRP protocol (http://srp.stanford.edu)
• Common JS security threats and injection techniques
2. Common attacks on the web, how to
prevent them, and tidbits from Meteor
along the way
3. Outline
1. Why the web is a dangerous place
2. Web security in the traditional world and the
meteor world:
- Authentication and password storage
- cross-site request forgery (CSRF)
- SRP
- Cross-site scripting (XSS)
22. Password storage
> 60 billion
(<1 min to crack a 7 character
alphanumeric password)
http://www.zdnet.com/25-gpus-devour-password-hashes-at-up-to-348-billion-per-second-7000008368/
23. Password storage
● bcrypt, scrypt
○ password hashes
○ slow, scalable
● General-purpose hashes
(SHA, MD5) designed to
be fast
24. Password storage
● bcrypt, scrypt
○ password hashes
○ slow, scalable
● General-purpose hashes
(SHA, MD5) designed to
be fast
30. No CSRF in meteor apps
● No cookies.
○ Only your app can make
authenticated requests to itself.
● Cost: httponly, secure cookie
protections.
31. Crypto diversion: SRP
● Server can’t learn client password.
● Server and client authenticate each other.
● Resistant to man-in-the-middle attacks.
32. Crypto diversion: SRP in
one cramped slide
client server
username, random value r1
salt, g^H(salt, password)
salt, another random value r2
use password to
compute shared key
use g^H(salt,
password) to compute
shared key
password
H(shared key || r1 || r2)
H(message from client || shared key)
33. Crypto diversion: SRP
Why don’t all web apps use it?
● Client-side crypto is almost always useless.
● Meteor uses it in anticipation of non-browser
DDP clients.
34. Auth takeaways
● Use a framework’s implementation.
● Use bcrypt.
● Use httponly and secure cookie flags.
● Cookies can be avoided when connections
are stateful.
45. Sanitize untrusted URLs
and CSS
○ Don't try to filter out "javascript:",
"expression", etc.
○ Do strict checking: urls start with http, css
values come from a list of safe values
○ Use Content Security Policy
Ex: Content-Security-Policy: default-src
'self'
46. Meteor to the rescue?
Automatic, contextual sanitization*
*in the future, maybe
47. Conclusion
● The web is a dangerous place.
● Full-stack frameworks, stateful
connections: new security territory.