SlideShare ist ein Scribd-Unternehmen logo

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

Krzysztof Kotowicz
Krzysztof Kotowicz

Presentation slides from my OWASP Appsec EU 2014 and Hack in Paris 2014 talk.

IngenieurwesenTechnologie
1 von 58
Downloaden Sie, um offline zu lesen
Biting into the forbidden fruit Lessons from trusting Javascript crypto Krzysztof Kotowicz, Hack in Paris, June 2014
About me • Web security researcher • HTML5 • UI redressing • browser extensions • crypto • I was a Penetration Tester @ Cure53 • Information Security Engineer @ Google Disclaimer: “My opinions are mine. Not Google’s”.
 Disclaimer: All the vulns are fixed or have been publicly disclosed in the past.
Introduction
JS crypto history • Javascript Cryptography Considered Harmful
 http://matasano.com/articles/javascript- cryptography/ • Final post on Javascript crypto
 http://rdist.root.org/2010/11/29/final-post-on- javascript-crypto/
JS crypto history • It’s not needed! • Implicit trust in the server • SSL / TLS required • It’s dangerous! • Any XSS can circumvent the code • It’s hard! • Poor crypto support in the language • Mediocre library quality • JS crypto is doomed to fail!
Doomed to fail? https://www.mailvelope.com/https://crypto.cat/ http://openpgpjs.org/ Multiple crypto primitives libraries, symmetric & asymmetric encryption, TLS implementation, a few OpenPGP implementations, and a lot of user applications built upon them. Plus custom crypto protocols.
Action plan • Look at the code • Find the vulnerabilities • Understand the root cause • Compare to native crypto
JS crypto vulns in the wild • Language issues • Caused by a flaw of the language ! • Web platform issues • “The web is broken”
Language issues
Language issues matter if (you_think_they_dont)! goto fail;! ! goto fail;
Javascript in a glance • a dynamic language • a weakly typed language • with prototypical inheritance • with a global object • and a forgiving parser
It’s a flexible language • Code in 6 characters only! ! ! ! ! • alert(1), obviously [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!! []+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[] +!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+ [])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+ (![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+! +[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![] +[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]] +(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]] +(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
Bit quirks • All numbers are floats
 http://www.2ality.com/2012/04/number-encoding.html • Bit shifts are tricky ! ! ! • “The right operand should be less than 32, but if not only the low five bits will be used.”
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/ Bitwise_Operators 1 << 31 // -2147483648! 1 << 32 // 1
 1 << 33 // 2! 1 << 31 << 1 // 0! 1 << 31 >> 31 // -1
 1 << 31 >>> 31 // 1. Sigh!
Weak typing • A lot of gotchas & silent type conversions
 ! ! ! • Devs don’t use types. This matters to crypto! // From wtfjs.com! ! true == 'true'! false != 'false'! ! Math.min() > Math.max()! ! typeof null == 'object'! !(null instanceof Object)
Weak typing • Cryptocat adventures with entropy
 http://tobtu.com/decryptocat.php ! ! ! • != 64 random bytes. • Entropy loss - 512 bits => 212 bits // Generate private key (64 random bytes)! var rand = Cryptocat.randomString(64, 0, 0, 1, 0); "7065451732615196458..." // Generates a random string of length `size` characters.! // If `alpha = 1`, random string will contain alpha characters, // and so on.! // If 'hex = 1', all other settings are overridden.! Cryptocat.randomString = function(! size, alpha, uppercase, numeric, hex)
Magic properties • Cryptocat - a multiparty chat application • Check if we don’t yet have the user’s key (=new user). 
 Generate shared secrets (hmac key + encryption key) ! ! • Decrypt incoming message (if you have a secret already) if (!publicKeys[sender]) {! publicKeys[sender] = receivedPublicKey;! multiParty.genSharedSecret(sender);! } if (sharedSecrets[sender]) {! if (message[myName]['hmac'] === HMAC(ciphertext, ! sharedSecrets[sender]['hmac'])) {! message = decryptAES(ct, sharedSecrets[sender]['msg']);! return message;! }
Magic properties • Meet __proto__. Always there ! ! • publicKeys[‘__proto__’] == true, so shared secret is never generated • But sharedSecrets[‘__proto__’] == true, so decryption throws exception • [CVE 2013-4100] Joining chat as __proto__ breaks chat for everyone.
 http://www.2ality.com/2012/01/objects-as-maps.html publicKeys = {one: "1", two: "2"}! publicKeys['__proto__'] // {}! Boolean(publicKeys[‘__proto__’]) // true
Magic properties • Python has them too! • Kill an application by submitting a hash algorithm __delattr__ • http://blog.kotowicz.net/2013/12/breaking-google- appengine-webapp2.html
Silent errors ! ! • Out-of-bounds array access does not throw error • At least it returns harmless undefined
 (I‘m looking at you, C) a = [1];! a[0] // 1! a[1000] // undefined. No error!
Unicode fun • JS strings are unicode, not byte arrays • String.charCodeAt(index) returns the numeric Unicode value of the character • Not a byte value! • https://speakerdeck.com/mathiasbynens/hacking- with-unicode
16 snowmen attack! • Reveals AES key by encrypting Unicode and decrypting the result
 http://vnhacker.blogspot.com/2014/06/why- javascript-crypto-is-useful.html ☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃
AES S-BOX INVERSE S-BOX INVERSE S-BOX S-BOX
Encrypting… function SubBytes(state, Sbox) // state = [9740, 9796, 9743, ...] ! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [undefined, undefined, ...]! }
Implicit type coercion function MixColumns(state) { // [undefined, undefined, ...]! c0 = state[I(0,col)]; // c0 = undefined,...! state[I(0,col)] = aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! return state! }! ! function aes_mul(a, b) { // 2, undefined! var res = 0;! res = res ^ b; // 0 ^ undefined = 0 :)! } aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! undefined ^ undefined ^ 0 ^ 0 // 0
AES 0x00, 0x00 0x00, 0x00
Decrypting… • Decrypt the ciphertext with the same key • In last round: ! ! ! • plaintext = key ⊕ [0x52, 0x52, …] • key = plaintext ⊕ [0x52, 0x52, …] function SubBytes(state, Sbox) // state = [0, 0, …]! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [0x52, 0x52, …]! }
Type coercion CVE-2014-0092 GnuTLS certificate validation bypass
 http://blog.existentialize.com/the-story-of-the-gnutls-bug.html! ! ! ! • C has no exceptions. Errors were reported as negative numbers. But callers treated return value as a boolean:
 
 /* Checks if the issuer of a certificate is a! * Certificate Authority
 * Returns true or false, if the issuer is a CA,! * or not.! */! static int! check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,! unsigned int flags) if (ret == 0) { /*cert invalid, abort */}
Language issues • They are not unique to Javascript • You can overcome them! • ES 5 strict mode
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/ Functions_and_function_scope/Strict_mode • Type enforcing - e.g. Closure Compiler
 https://developers.google.com/closure/compiler/ • Development practices: tests, continuous integration, code reviews
Web platform issues
Web platform • Javascript code runs in a JS engine…
 *Monkey, v8, Nitro, Chakra, SunSpider • In an execution environment…
 browser renderer process, server process • With different APIs available…
 DOM, WebCrypto, browser extension API • With different restriction/isolation policies…
 Same Origin Policy, CSP, iframe sandbox, extension security policies • These conditions are much more important to crypto!
XSS • Web is full of it • Any XSS is RCE equivalent for web • XSS can bypass any crypto code in the same origin • replace a PRNG • exfiltrate the key or plaintext • replace the public key • There are XSSes in crypto code
XSS • Mailvelope - DOM XSS in Gmail by sending encrypted <img onerror=alert(1)> to the victim
XSS • [CVE 2013-2259] Cryptocat used client side filtering of nickname / conversation name. ! ! ! ! • Chrome extension: CSP, only UI Spoofing • Firefox extension: XSS = RCE in the OS
RCE in non-JS crypto • [CVE-2014-3466] A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.
Poor randomness • Math.random() is not good enough • You can recover the state cross-origin
 http://ifsec.blogspot.com/2012/05/cross-domain- mathrandom-prediction.html • Instead, use crypto.getRandomValues() in browsers* and crypto.randomBytes() in node.js. * IE 11 and greater, poor mobile browser support
Poor randomness • OpenPGP.js RSA encryption padding /**! * Create a EME-PKCS1-v1_5 padding! */! encode: function(message, length) {! //...! for (var i = 0; i < length - message.length - 3; i++) {! r += String.fromCharCode(random.getPseudoRandom(1, 255)); ! }! return r;! }! ! random.getPseudoRandom: function(from, to) {! return Math.round(Math.random() * (to - from)) + from; ! }
Poor randomness • [CVE-2013-4102] Cryptocat uses BOSH for XMPP transport.
 “The session identifier (SID) and initial request identifier (RID) are security-critical and therefore MUST be both unpredictable and non-repeating.” ! ! this.rid = Math.floor(Math.random() * 4294967295);
Non-JS randomness fail Debian OpenSSL fiasco (2006-2008)! • OpenSSL used uninitialized memory buffers as entropy sources • Debian maintainer analyzed OpenSSL with Valgrind, asked openssl-dev about the warnings. Group said - go ahead, just remove the calls. • Only process ID remained in the entropy pool • ssh-keygen - only 32K possible keys
 http://research.swtch.com/openssl
Timing side-channels • Timing differences are measurable • Attacks are not remote • same CPU, • same thread (<iframe>) • Demonstrated by Eduardo Vela Nava
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web-application- timing.html
 “It is possible to bruteforce an 18 digit number in about 3 minutes on most machines.” (cross-domain!)
Timing side-channels • OpenPGP.js RSA decryption unpadding ! ! ! ! ! • This needs to be constant time to avoid Bleichenbacher’s attack
 http://archiv.infsec.ethz.ch/education/fs08/secsem/ Bleichenbacher98.pdf /**! * Decodes a EME-PKCS1-v1_5 padding! */! decode: function(message, len) {! if (message.length < len)! message = String.fromCharCode(0) + message; // branching! if (message.length < 12 || message.charCodeAt(0) !== 0 ||! message.charCodeAt(1) != 2) // branching! return -1; // early exit! var i = 2;! return message.substring(i + 1, message.length);! }
Timing side-channels • Similar problem in Java - JSSE (RSA used in TLS)
 http://www-brs.ub.ruhr-uni-bochum.de/netahtml/ HSS/Diss/MeyerChristopher/diss.pdf • [CVE-2012-5081] Different error messages • [CVE-2014-0411] Timing side-channel - random numbers were generated only on invalid padding
Compiler optimisation • JS engine is a blackbox. Even correct constant-time code can be optimised.
 http://stackoverflow.com/questions/18476402/how-to-disable-v8s-optimizing-compiler • Problems are not unique to the web: ! ! ! • Constant-time algorithm meets timing differences in Intel DIV instruction
 https://www.imperialviolet.org/2013/02/04/luckythirteen.html // golang.org/src/pkg/crypto/subtle/constant_time.go! func ConstantTimeByteEq(x, y uint8) int {! z := ^(x ^ y)! z &= z >> 4! z &= z >> 2! z &= z >> 1! return int(z)! }
Direct memory access • Remember Heartbleed? • Not a crypto vulnerability, but it allowed to bypass the encryption by just reading memory • client sends a large payload length + a tiny payload • no bounds check in the server • server replies with leaked memory contents
Direct memory access • Thankfully, JS is a memory-safe language. We have no buffers to overflow…
Direct memory access • Pwn2Own 2014, Firefox 28, Jüri Aedla
 “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the Javascript heap, allowing for arbitrary code execution.”
 https://www.mozilla.org/security/announce/2014/mfsa2014-31.html • Pwnium 4, Chrome 33, geohot (George Hotz)
 https://code.google.com/p/chromium/issues/detail?id=351787
 
 
 
 
 var ab = new ArrayBuffer(SMALL_BUCKET);! ab.__defineGetter__("byteLength",function(){return 0xFFFFFFFC;});! var aaa = new Uint32Array(ab);! // all your base are belong to us
Direct memory access • Browsers are an attack surface as well • network stack • HTML parser • JS engine • Any URL in any tab can trigger an exploit
Browser architecture • Firefox - single process
 http://lwn.net/Articles/576564/ • IE - multiprocess, sandboxed from OS
 http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx • Chrome - multiprocess, sandboxed from other tabs
 http://www.chromium.org/developers/design-documents/sandbox
Malware problem • Any malware can circumvent native crypto software as well. Kernels have vulnerabilities too. • GnuPG was bypassed by the authorities by simply installing a keylogger.
 https://www.gnupg.org/faq/gnupg-faq.html#successful_attacks • For JS crypto - your browser is the OS. Browser security = host security • There is one difference though…
Application delivery • You don’t install websites • Code delivery and execution is transparent (drive- by download) • Huge code execution playground, running code separated by Same Origin Policy only • Roughly half of the users use the browser with any kind of sandbox
Is JS crypto doomed? • Create perfect, XSS-free, constant time JS code • Ensure server will never be compromised • Put it in a website, serve over HTTPS • You’re safe until someone uses: • a browser exploit • a Same Origin Policy bypass • How can we fix this?
Extensions
 to the rescue
Browser extension • Not a plugin (Java, Flash, PDF reader) • A Javascript application running in privileged execution environment • You need to install it
Browser extension • Secure, signed code delivery • Better separation from websites than just Same Origin Policy • Much smaller attack surface • Process isolation in Chrome
 http://www.chromium.org/developers/design- documents/site-isolation
Browser extension • Not a perfect solution! • Your API needs to be secure too • XSS in extension is possible. XSS = native code execution in Firefox
 http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff- attacking-with-google-chrome-extensions • Chrome Extensions can share processes when limits are hit (use Chrome App to be sure)
Recommendations • Use isolated environment (server side, browser extension) • Use compilers to force strict typing • Use CSP to mitigate XSS • Use constant time operations (as much as you can) • Protect the exposed functions • Use request throttling to mitigate side-channel exploitation
Open problems • Timing sidechannels are exploitable and hard to fix
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web- application-timing.html • No mlock() equivalent - secrets can be swapped to disk • No secure store yet (wait for WebCrypto) • Extensions silently auto-update • Lack of full process isolation yet
Summary • JS crypto is way better than it used to be • A lot of perceived “JS crypto flaws” are present in other languages as well • The platform issues are much more difficult to mitigate • in-website crypto has too large attack surface • use extensions only
The end Me:
 http://blog.kotowicz.net, @kkotowicz, krzysztof@kotowicz.net More vulns:
 https://cure53.de/pentest-report_mailvelope.pdf
 https://cure53.de/pentest-report_openpgpjs.pdf
 https://blog.crypto.cat/wp-content/uploads/2012/11/Cryptocat-2-Pentest-Report.pdf Thanks to people who helped and inspired
 (in Math.random() order): 
 Mario Heiderich, Franz Antesberger, Juraj Somorovsky, Ian Beer, Ivan Fratric, Eduardo Vela Nava, Thai Duong, Frederic Braun, Ben Hawkes, Stephan Somogyi, Daniel Bleichenbacher, Adam Langley, Mathias Biennia

Empfohlen

Sync async-blocking-nonblocking-io
Sync async-blocking-nonblocking-ioSync async-blocking-nonblocking-io
Sync async-blocking-nonblocking-ioCheoloh Bae
 
Postgre sql vs oracle
Postgre sql vs oraclePostgre sql vs oracle
Postgre sql vs oracleJacques Kostic
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
A Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsA Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsPriyanka Aash
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Reversing Google Protobuf protocol
Reversing Google Protobuf protocolReversing Google Protobuf protocol
Reversing Google Protobuf protocoln|u - The Open Security Community
 

Empfohlen

Sync async-blocking-nonblocking-io
Sync async-blocking-nonblocking-ioSync async-blocking-nonblocking-io
Sync async-blocking-nonblocking-ioCheoloh Bae
 
Postgre sql vs oracle
Postgre sql vs oraclePostgre sql vs oracle
Postgre sql vs oracleJacques Kostic
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
A Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsA Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsPriyanka Aash
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Abraham Aranguren
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Reversing Google Protobuf protocol
Reversing Google Protobuf protocolReversing Google Protobuf protocol
Reversing Google Protobuf protocoln|u - The Open Security Community
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)AWS와 Open Source - 윤석찬 (OSS개발자 그룹)
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)Amazon Web Services Korea
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Alfresco tuning part2
Alfresco tuning part2Alfresco tuning part2
Alfresco tuning part2Luis Cabaceira
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Sqlmap
SqlmapSqlmap
SqlmapRushikesh Kulkarni
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Chat application with Azure SignalR Service
Chat application with Azure SignalR ServiceChat application with Azure SignalR Service
Chat application with Azure SignalR ServiceKrunal Trivedi
 
fluent-plugin-beats at Elasticsearch meetup #14
fluent-plugin-beats at Elasticsearch meetup #14fluent-plugin-beats at Elasticsearch meetup #14
fluent-plugin-beats at Elasticsearch meetup #14N Masahiro
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Burp Suite Extension Development
Burp Suite Extension DevelopmentBurp Suite Extension Development
Burp Suite Extension DevelopmentNSConclave
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Middleware Basics
Middleware BasicsMiddleware Basics
Middleware BasicsVarun Arora
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 

Weitere ähnliche Inhalte

Was ist angesagt?

Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)AWS와 Open Source - 윤석찬 (OSS개발자 그룹)
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)Amazon Web Services Korea
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Chat application with Azure SignalR Service
Chat application with Azure SignalR ServiceChat application with Azure SignalR Service
Chat application with Azure SignalR ServiceKrunal Trivedi
 
fluent-plugin-beats at Elasticsearch meetup #14
fluent-plugin-beats at Elasticsearch meetup #14fluent-plugin-beats at Elasticsearch meetup #14
fluent-plugin-beats at Elasticsearch meetup #14N Masahiro
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Burp Suite Extension Development
Burp Suite Extension DevelopmentBurp Suite Extension Development
Burp Suite Extension DevelopmentNSConclave
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Middleware Basics
Middleware BasicsMiddleware Basics
Middleware BasicsVarun Arora
 

Was ist angesagt? (20)

Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)AWS와 Open Source - 윤석찬 (OSS개발자 그룹)
AWS와 Open Source - 윤석찬 (OSS개발자 그룹)
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Alfresco tuning part2
Alfresco tuning part2Alfresco tuning part2
Alfresco tuning part2
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
 
Chat application with Azure SignalR Service
Chat application with Azure SignalR ServiceChat application with Azure SignalR Service
Chat application with Azure SignalR Service
 
fluent-plugin-beats at Elasticsearch meetup #14
fluent-plugin-beats at Elasticsearch meetup #14fluent-plugin-beats at Elasticsearch meetup #14
fluent-plugin-beats at Elasticsearch meetup #14
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Burp Suite Extension Development
Burp Suite Extension DevelopmentBurp Suite Extension Development
Burp Suite Extension Development
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Middleware Basics
Middleware BasicsMiddleware Basics
Middleware Basics
 

Andere mochten auch

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
Using Tai-chi to deal with agility
Using Tai-chi to deal with agilityUsing Tai-chi to deal with agility
Using Tai-chi to deal with agilityAlex Kempkens
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!Year of the X
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Thoughtworks
 
Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain BarrierAlex Sexton
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a PhishermanMichele Orru
 
A Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesA Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesYuji Kosuga
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
Почему Agile больше не работает
Почему Agile больше не работаетПочему Agile больше не работает
Почему Agile больше не работаетCEE-SEC(R)
 
Agile по русски- как это работает
Agile по русски- как это работаетAgile по русски- как это работает
Agile по русски- как это работаетAlexey Pikulev
 
Xotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookersXotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookersJeffrey Messud
 
Localized ic ts urban commons
Localized ic ts urban commonsLocalized ic ts urban commons
Localized ic ts urban commonsLabGov
 
Lisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. DurãoLisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. Durãomaditabalnco
 
課題発見とビール一杯無料以外からの誘引施策
課題発見とビール一杯無料以外からの誘引施策課題発見とビール一杯無料以外からの誘引施策
課題発見とビール一杯無料以外からの誘引施策stucon
 

Andere mochten auch (20)

When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Using Tai-chi to deal with agility
Using Tai-chi to deal with agilityUsing Tai-chi to deal with agility
Using Tai-chi to deal with agility
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
YOTG Munich - Katya Androshina & Oliver Kempkens Citrix & SAP - Fuck Inertia!
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
 
Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain Barrier
 
Dark Fairytales from a Phisherman
Dark Fairytales from a PhishermanDark Fairytales from a Phisherman
Dark Fairytales from a Phisherman
 
A Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesA Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application Vulnerabilities
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 
Почему Agile больше не работает
Почему Agile больше не работаетПочему Agile больше не работает
Почему Agile больше не работает
 
Agile по русски- как это работает
Agile по русски- как это работаетAgile по русски- как это работает
Agile по русски- как это работает
 
Zaragoza Turismo 25
Zaragoza Turismo 25Zaragoza Turismo 25
Zaragoza Turismo 25
 
Beer is good!
Beer is good!Beer is good!
Beer is good!
 
Xotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookersXotelia - How to convert your visitors into bookers
Xotelia - How to convert your visitors into bookers
 
Localized ic ts urban commons
Localized ic ts urban commonsLocalized ic ts urban commons
Localized ic ts urban commons
 
Lisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. DurãoLisboa- Paintings By J. B. Durão
Lisboa- Paintings By J. B. Durão
 
課題発見とビール一杯無料以外からの誘引施策
課題発見とビール一杯無料以外からの誘引施策課題発見とビール一杯無料以外からの誘引施策
課題発見とビール一杯無料以外からの誘引施策
 

Ähnlich wie Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data SecurityJonathan LeBlanc
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)johnwilander
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsMartin Vigo
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAsjohnwilander
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
You wanna crypto in AEM
You wanna crypto in AEMYou wanna crypto in AEM
You wanna crypto in AEMDamien Antipa
 

Ähnlich wie Biting into the forbidden fruit. Lessons from trusting Javascript crypto. (20)

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAs
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
You wanna crypto in AEM
You wanna crypto in AEMYou wanna crypto in AEM
You wanna crypto in AEM
 

Mehr von Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSKrzysztof Kotowicz
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffKrzysztof Kotowicz
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comesKrzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptKrzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Krzysztof Kotowicz
 

Mehr von Krzysztof Kotowicz (14)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Kürzlich hochgeladen

Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxpritamlangde
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Ramkumar k
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARKOUSTAV SARKAR
 
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...HenryBriggs2
 
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptxrouholahahmadi9876
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxmaisarahman1
 
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...jabtakhaidam7
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdfAldoGarca30
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Call Girls Mumbai
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdfKamal Acharya
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.Kamal Acharya
 
Learn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksLearn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksMagic Marks
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 

Kürzlich hochgeladen (20)

FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptx
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
 
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
457503602-5-Gas-Well-Testing-and-Analysis-pptx.pptx
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
 
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Learn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksLearn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic Marks
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.

  • 1. Biting into the forbidden fruit Lessons from trusting Javascript crypto Krzysztof Kotowicz, Hack in Paris, June 2014
  • 2. About me • Web security researcher • HTML5 • UI redressing • browser extensions • crypto • I was a Penetration Tester @ Cure53 • Information Security Engineer @ Google Disclaimer: “My opinions are mine. Not Google’s”.
 Disclaimer: All the vulns are fixed or have been publicly disclosed in the past.
  • 4. JS crypto history • Javascript Cryptography Considered Harmful
 http://matasano.com/articles/javascript- cryptography/ • Final post on Javascript crypto
 http://rdist.root.org/2010/11/29/final-post-on- javascript-crypto/
  • 5. JS crypto history • It’s not needed! • Implicit trust in the server • SSL / TLS required • It’s dangerous! • Any XSS can circumvent the code • It’s hard! • Poor crypto support in the language • Mediocre library quality • JS crypto is doomed to fail!
  • 6. Doomed to fail? https://www.mailvelope.com/https://crypto.cat/ http://openpgpjs.org/ Multiple crypto primitives libraries, symmetric & asymmetric encryption, TLS implementation, a few OpenPGP implementations, and a lot of user applications built upon them. Plus custom crypto protocols.
  • 7. Action plan • Look at the code • Find the vulnerabilities • Understand the root cause • Compare to native crypto
  • 8. JS crypto vulns in the wild • Language issues • Caused by a flaw of the language ! • Web platform issues • “The web is broken”
  • 10. Language issues matter if (you_think_they_dont)! goto fail;! ! goto fail;
  • 11. Javascript in a glance • a dynamic language • a weakly typed language • with prototypical inheritance • with a global object • and a forgiving parser
  • 12. It’s a flexible language • Code in 6 characters only! ! ! ! ! • alert(1), obviously [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!! []+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[] +!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+ [])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+ (![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+! +[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![] +[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]] +(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]] +(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+ (!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+ []]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
  • 13. Bit quirks • All numbers are floats
 http://www.2ality.com/2012/04/number-encoding.html • Bit shifts are tricky ! ! ! • “The right operand should be less than 32, but if not only the low five bits will be used.”
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/ Bitwise_Operators 1 << 31 // -2147483648! 1 << 32 // 1
 1 << 33 // 2! 1 << 31 << 1 // 0! 1 << 31 >> 31 // -1
 1 << 31 >>> 31 // 1. Sigh!
  • 14. Weak typing • A lot of gotchas & silent type conversions
 ! ! ! • Devs don’t use types. This matters to crypto! // From wtfjs.com! ! true == 'true'! false != 'false'! ! Math.min() > Math.max()! ! typeof null == 'object'! !(null instanceof Object)
  • 15. Weak typing • Cryptocat adventures with entropy
 http://tobtu.com/decryptocat.php ! ! ! • != 64 random bytes. • Entropy loss - 512 bits => 212 bits // Generate private key (64 random bytes)! var rand = Cryptocat.randomString(64, 0, 0, 1, 0); "7065451732615196458..." // Generates a random string of length `size` characters.! // If `alpha = 1`, random string will contain alpha characters, // and so on.! // If 'hex = 1', all other settings are overridden.! Cryptocat.randomString = function(! size, alpha, uppercase, numeric, hex)
  • 16. Magic properties • Cryptocat - a multiparty chat application • Check if we don’t yet have the user’s key (=new user). 
 Generate shared secrets (hmac key + encryption key) ! ! • Decrypt incoming message (if you have a secret already) if (!publicKeys[sender]) {! publicKeys[sender] = receivedPublicKey;! multiParty.genSharedSecret(sender);! } if (sharedSecrets[sender]) {! if (message[myName]['hmac'] === HMAC(ciphertext, ! sharedSecrets[sender]['hmac'])) {! message = decryptAES(ct, sharedSecrets[sender]['msg']);! return message;! }
  • 17. Magic properties • Meet __proto__. Always there ! ! • publicKeys[‘__proto__’] == true, so shared secret is never generated • But sharedSecrets[‘__proto__’] == true, so decryption throws exception • [CVE 2013-4100] Joining chat as __proto__ breaks chat for everyone.
 http://www.2ality.com/2012/01/objects-as-maps.html publicKeys = {one: "1", two: "2"}! publicKeys['__proto__'] // {}! Boolean(publicKeys[‘__proto__’]) // true
  • 18. Magic properties • Python has them too! • Kill an application by submitting a hash algorithm __delattr__ • http://blog.kotowicz.net/2013/12/breaking-google- appengine-webapp2.html
  • 19. Silent errors ! ! • Out-of-bounds array access does not throw error • At least it returns harmless undefined
 (I‘m looking at you, C) a = [1];! a[0] // 1! a[1000] // undefined. No error!
  • 20. Unicode fun • JS strings are unicode, not byte arrays • String.charCodeAt(index) returns the numeric Unicode value of the character • Not a byte value! • https://speakerdeck.com/mathiasbynens/hacking- with-unicode
  • 21. 16 snowmen attack! • Reveals AES key by encrypting Unicode and decrypting the result
 http://vnhacker.blogspot.com/2014/06/why- javascript-crypto-is-useful.html ☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃☃
  • 23. Encrypting… function SubBytes(state, Sbox) // state = [9740, 9796, 9743, ...] ! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [undefined, undefined, ...]! }
  • 24. Implicit type coercion function MixColumns(state) { // [undefined, undefined, ...]! c0 = state[I(0,col)]; // c0 = undefined,...! state[I(0,col)] = aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! return state! }! ! function aes_mul(a, b) { // 2, undefined! var res = 0;! res = res ^ b; // 0 ^ undefined = 0 :)! } aes_mul(2,c0) ^ aes_mul(3,c1) ^ c2 ^ c3;! undefined ^ undefined ^ 0 ^ 0 // 0
  • 26. Decrypting… • Decrypt the ciphertext with the same key • In last round: ! ! ! • plaintext = key ⊕ [0x52, 0x52, …] • key = plaintext ⊕ [0x52, 0x52, …] function SubBytes(state, Sbox) // state = [0, 0, …]! {! var i;! for( i=0; i<16; i++ )! state[i] = Sbox[ state[i] ];! return state; // [0x52, 0x52, …]! }
  • 27. Type coercion CVE-2014-0092 GnuTLS certificate validation bypass
 http://blog.existentialize.com/the-story-of-the-gnutls-bug.html! ! ! ! • C has no exceptions. Errors were reported as negative numbers. But callers treated return value as a boolean:
 
 /* Checks if the issuer of a certificate is a! * Certificate Authority
 * Returns true or false, if the issuer is a CA,! * or not.! */! static int! check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,! unsigned int flags) if (ret == 0) { /*cert invalid, abort */}
  • 28. Language issues • They are not unique to Javascript • You can overcome them! • ES 5 strict mode
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/ Functions_and_function_scope/Strict_mode • Type enforcing - e.g. Closure Compiler
 https://developers.google.com/closure/compiler/ • Development practices: tests, continuous integration, code reviews
  • 30. Web platform • Javascript code runs in a JS engine…
 *Monkey, v8, Nitro, Chakra, SunSpider • In an execution environment…
 browser renderer process, server process • With different APIs available…
 DOM, WebCrypto, browser extension API • With different restriction/isolation policies…
 Same Origin Policy, CSP, iframe sandbox, extension security policies • These conditions are much more important to crypto!
  • 31. XSS • Web is full of it • Any XSS is RCE equivalent for web • XSS can bypass any crypto code in the same origin • replace a PRNG • exfiltrate the key or plaintext • replace the public key • There are XSSes in crypto code
  • 32. XSS • Mailvelope - DOM XSS in Gmail by sending encrypted <img onerror=alert(1)> to the victim
  • 33. XSS • [CVE 2013-2259] Cryptocat used client side filtering of nickname / conversation name. ! ! ! ! • Chrome extension: CSP, only UI Spoofing • Firefox extension: XSS = RCE in the OS
  • 34. RCE in non-JS crypto • [CVE-2014-3466] A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.
  • 35. Poor randomness • Math.random() is not good enough • You can recover the state cross-origin
 http://ifsec.blogspot.com/2012/05/cross-domain- mathrandom-prediction.html • Instead, use crypto.getRandomValues() in browsers* and crypto.randomBytes() in node.js. * IE 11 and greater, poor mobile browser support
  • 36. Poor randomness • OpenPGP.js RSA encryption padding /**! * Create a EME-PKCS1-v1_5 padding! */! encode: function(message, length) {! //...! for (var i = 0; i < length - message.length - 3; i++) {! r += String.fromCharCode(random.getPseudoRandom(1, 255)); ! }! return r;! }! ! random.getPseudoRandom: function(from, to) {! return Math.round(Math.random() * (to - from)) + from; ! }
  • 37. Poor randomness • [CVE-2013-4102] Cryptocat uses BOSH for XMPP transport.
 “The session identifier (SID) and initial request identifier (RID) are security-critical and therefore MUST be both unpredictable and non-repeating.” ! ! this.rid = Math.floor(Math.random() * 4294967295);
  • 38. Non-JS randomness fail Debian OpenSSL fiasco (2006-2008)! • OpenSSL used uninitialized memory buffers as entropy sources • Debian maintainer analyzed OpenSSL with Valgrind, asked openssl-dev about the warnings. Group said - go ahead, just remove the calls. • Only process ID remained in the entropy pool • ssh-keygen - only 32K possible keys
 http://research.swtch.com/openssl
  • 39. Timing side-channels • Timing differences are measurable • Attacks are not remote • same CPU, • same thread (<iframe>) • Demonstrated by Eduardo Vela Nava
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web-application- timing.html
 “It is possible to bruteforce an 18 digit number in about 3 minutes on most machines.” (cross-domain!)
  • 40. Timing side-channels • OpenPGP.js RSA decryption unpadding ! ! ! ! ! • This needs to be constant time to avoid Bleichenbacher’s attack
 http://archiv.infsec.ethz.ch/education/fs08/secsem/ Bleichenbacher98.pdf /**! * Decodes a EME-PKCS1-v1_5 padding! */! decode: function(message, len) {! if (message.length < len)! message = String.fromCharCode(0) + message; // branching! if (message.length < 12 || message.charCodeAt(0) !== 0 ||! message.charCodeAt(1) != 2) // branching! return -1; // early exit! var i = 2;! return message.substring(i + 1, message.length);! }
  • 41. Timing side-channels • Similar problem in Java - JSSE (RSA used in TLS)
 http://www-brs.ub.ruhr-uni-bochum.de/netahtml/ HSS/Diss/MeyerChristopher/diss.pdf • [CVE-2012-5081] Different error messages • [CVE-2014-0411] Timing side-channel - random numbers were generated only on invalid padding
  • 42. Compiler optimisation • JS engine is a blackbox. Even correct constant-time code can be optimised.
 http://stackoverflow.com/questions/18476402/how-to-disable-v8s-optimizing-compiler • Problems are not unique to the web: ! ! ! • Constant-time algorithm meets timing differences in Intel DIV instruction
 https://www.imperialviolet.org/2013/02/04/luckythirteen.html // golang.org/src/pkg/crypto/subtle/constant_time.go! func ConstantTimeByteEq(x, y uint8) int {! z := ^(x ^ y)! z &= z >> 4! z &= z >> 2! z &= z >> 1! return int(z)! }
  • 43. Direct memory access • Remember Heartbleed? • Not a crypto vulnerability, but it allowed to bypass the encryption by just reading memory • client sends a large payload length + a tiny payload • no bounds check in the server • server replies with leaked memory contents
  • 44. Direct memory access • Thankfully, JS is a memory-safe language. We have no buffers to overflow…
  • 45. Direct memory access • Pwn2Own 2014, Firefox 28, Jüri Aedla
 “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the Javascript heap, allowing for arbitrary code execution.”
 https://www.mozilla.org/security/announce/2014/mfsa2014-31.html • Pwnium 4, Chrome 33, geohot (George Hotz)
 https://code.google.com/p/chromium/issues/detail?id=351787
 
 
 
 
 var ab = new ArrayBuffer(SMALL_BUCKET);! ab.__defineGetter__("byteLength",function(){return 0xFFFFFFFC;});! var aaa = new Uint32Array(ab);! // all your base are belong to us
  • 46. Direct memory access • Browsers are an attack surface as well • network stack • HTML parser • JS engine • Any URL in any tab can trigger an exploit
  • 47. Browser architecture • Firefox - single process
 http://lwn.net/Articles/576564/ • IE - multiprocess, sandboxed from OS
 http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx • Chrome - multiprocess, sandboxed from other tabs
 http://www.chromium.org/developers/design-documents/sandbox
  • 48. Malware problem • Any malware can circumvent native crypto software as well. Kernels have vulnerabilities too. • GnuPG was bypassed by the authorities by simply installing a keylogger.
 https://www.gnupg.org/faq/gnupg-faq.html#successful_attacks • For JS crypto - your browser is the OS. Browser security = host security • There is one difference though…
  • 49. Application delivery • You don’t install websites • Code delivery and execution is transparent (drive- by download) • Huge code execution playground, running code separated by Same Origin Policy only • Roughly half of the users use the browser with any kind of sandbox
  • 50. Is JS crypto doomed? • Create perfect, XSS-free, constant time JS code • Ensure server will never be compromised • Put it in a website, serve over HTTPS • You’re safe until someone uses: • a browser exploit • a Same Origin Policy bypass • How can we fix this?
  • 52. Browser extension • Not a plugin (Java, Flash, PDF reader) • A Javascript application running in privileged execution environment • You need to install it
  • 53. Browser extension • Secure, signed code delivery • Better separation from websites than just Same Origin Policy • Much smaller attack surface • Process isolation in Chrome
 http://www.chromium.org/developers/design- documents/site-isolation
  • 54. Browser extension • Not a perfect solution! • Your API needs to be secure too • XSS in extension is possible. XSS = native code execution in Firefox
 http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff- attacking-with-google-chrome-extensions • Chrome Extensions can share processes when limits are hit (use Chrome App to be sure)
  • 55. Recommendations • Use isolated environment (server side, browser extension) • Use compilers to force strict typing • Use CSP to mitigate XSS • Use constant time operations (as much as you can) • Protect the exposed functions • Use request throttling to mitigate side-channel exploitation
  • 56. Open problems • Timing sidechannels are exploitable and hard to fix
 http://sirdarckcat.blogspot.com/2014/05/matryoshka-web- application-timing.html • No mlock() equivalent - secrets can be swapped to disk • No secure store yet (wait for WebCrypto) • Extensions silently auto-update • Lack of full process isolation yet
  • 57. Summary • JS crypto is way better than it used to be • A lot of perceived “JS crypto flaws” are present in other languages as well • The platform issues are much more difficult to mitigate • in-website crypto has too large attack surface • use extensions only
  • 58. The end Me:
 http://blog.kotowicz.net, @kkotowicz, krzysztof@kotowicz.net More vulns:
 https://cure53.de/pentest-report_mailvelope.pdf
 https://cure53.de/pentest-report_openpgpjs.pdf
 https://blog.crypto.cat/wp-content/uploads/2012/11/Cryptocat-2-Pentest-Report.pdf Thanks to people who helped and inspired
 (in Math.random() order): 
 Mario Heiderich, Franz Antesberger, Juraj Somorovsky, Ian Beer, Ivan Fratric, Eduardo Vela Nava, Thai Duong, Frederic Braun, Ben Hawkes, Stephan Somogyi, Daniel Bleichenbacher, Adam Langley, Mathias Biennia