diff --git a/week1/index.html b/1/index.html similarity index 100% rename from week1/index.html rename to 1/index.html diff --git a/week10/index.html b/10/index.html similarity index 100% rename from week10/index.html rename to 10/index.html diff --git a/week2/index.html b/2/index.html similarity index 100% rename from week2/index.html rename to 2/index.html diff --git a/week3/index.html b/3/index.html similarity index 100% rename from week3/index.html rename to 3/index.html diff --git a/week4/index.html b/4/index.html similarity index 100% rename from week4/index.html rename to 4/index.html diff --git a/week5/index.html b/5/index.html similarity index 100% rename from week5/index.html rename to 5/index.html diff --git a/week7/index.html b/7/index.html similarity index 100% rename from week7/index.html rename to 7/index.html diff --git a/week8/index.html b/8/index.html similarity index 69% rename from week8/index.html rename to 8/index.html index 38d4e2d..01354e0 100644 --- a/week8/index.html +++ b/8/index.html @@ -1,5 +1,5 @@
basic waf stuff
.innerHTML
treats content as HTML (control)
.innerText
which treats it as datasanitize your input with a library (DOMPurify???)
don’t write vanilla JS, use a framework.
<SCRscriptIPT>
<ScRiPt>
<img onerror=...>
<body onload=...>
‘First, XSS ‘protection’ is about to not be implemented by most browsers…’
‘Worse, the XSS ‘protection’ can be used to create security flaws…’
csrf tokens
Supply a single-use ’nonce’ value.
<input>
Content Security Policy
limits where a site can load content from, e.g.
https://b.com/a/path/
generally blocks iframes, inline scripts, eval()
powerful & hard to bypass (if devs were smart)
policy directives made of directive and value
e.g. script-src: unsafe-inline
script-src
is the directive
unsafe-inline
is the value
read more here
http header
Content-Security-Policy: ???-src <policy directive>
or in a tag
<meta http-equiv="Content-Security-Policy" content="???-src <directive>">
<meta>
tag?what did people do before CORS was available?
json with padding
how do you load the content? you run a function which takes the data as an argument.
since we’re loading the data, we define what function is being used to load it.
callback
parameter<!-- https://melon.com/numbers?callback=load_data -->
+we’ll get started at 1[68]:05
client-side protections
6[84]43 week8
house cleaning
due dates
- the rest of the topic04 challenges should be out
- they’re due sunday week9.
reports (general feedback)
- consider context when determining impact, not everything is critical.
- keep technical stuff out of impact/remediation. It should mostly be in steps to reproduce.
mitigating xss
basic waf stuff
- sanitisation: stripping out unsafe tags/attributes
- <script>alert(1)<script> → alert(1)
- encoding: escaping control characters
- <> → <>
- validation: allow/block-listing of content
- block requests if you detect bad content
don’t use raw user input
.innerHTML
treats content as HTML (control)
- use
.innerText
which treats it as data
sanitize your input with a library (DOMPurify???)
don’t write vanilla JS, use a framework.
- again, even if you use a framework, make sure the functions you’re using sanitize the input
breaking mitigations
- content stripped/blocked
- embed dummy characters:
<SCRscriptIPT>
- use alternating case:
<ScRiPt>
- different tag
<img onerror=...>
- different event handler
<body onload=...>
X-XSS-Protection
- no, it’s terrible
‘First, XSS ‘protection’ is about to not be implemented by most browsers…’
‘Worse, the XSS ‘protection’ can be used to create security flaws…’
csrf mitigations
csrf tokens
Supply a single-use ’nonce’ value.
- when the page is loaded, generate the nonce
- when a request is made, it must include the nonce
- it’ll be stored as a: cookie, header,
<input>
quick demo
breaking mitigations
- bad programming, they might be doing it wrong
- re-use a previous token (if it doesn’t expire)
- create your own?
- they might not even check it.
clickjacking mitigations
- csp frame-src / X-Frame-Options
- same-site cookies
- framebusters (
js magic)
CSP
Content Security Policy
limits where a site can load content from, e.g.
- only scripts from this website
- only images from
https://b.com/a/path/
- only elements with a certain nonce value
generally blocks iframes, inline scripts, eval()
powerful & hard to bypass (if devs were smart)
how is it defined
policy directives made of directive and value
e.g. script-src: unsafe-inline
script-src
is the directive
unsafe-inline
is the value
- the whole thing is the policy directive
what directives are there
- script-src
- frame-src
- img-src
- object-src
- default-src
read more here
what values are there
- none: blocks all loading
- self: only from the current origin
- strict-dynamic: anything w/ a hash/nonce (& anything they load/create)
- unsafe-inline: e.g. <script>alert(1)</script>
- unsafe-eval: e.g. eval(), setTimeout()
where is it defined
http header
Content-Security-Policy: ???-src <policy directive>
or in a tag
<meta http-equiv="Content-Security-Policy" content="???-src <directive>">
- though not as powerful
how to break it?
- corrupting the HTTP header (response splitting?)
- overwriting the
<meta>
tag?
jsonp
what did people do before CORS was available?
json with padding
- you can’t load a resource from another domain
- but you can load a script
- so, return a script which loads the content? 🧠
what
how do you load the content? you run a function which takes the data as an argument.
since we’re loading the data, we define what function is being used to load it.
jsonp example
- define the function using a
callback
parameter
<!-- https://melon.com/numbers?callback=load_data -->
load_data([1, 2, 3, 4, 5])
- the script below will invoke
load_data([...])
<script src="https://melon.com/numbers?callback=load_data"></script>
demo
http response splitting
- an exploit when user-controlled input is used in a server’s HTTP response header
- how does program determine:
- the end of a header?
- the end of the headers/start of the body?
- headers are separated by
\r\n
(CR\LF
) - body is separated with two
\r\n
’s - what if our input included
\r\n\r\n
?
demo
Challenges
gl with report & support-v2 lul
\ No newline at end of file
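Review bot: the sanitisation example on the renamed week8 slide, `<script>alert(1)<script> → alert(1)`, is missing the slash on the closing tag (`</script>`), and the encoding example renders as `<> → <>`, so the before/after pair no longer differs (the copy of the same slide in index.xml shows the intended `&lt;&gt;`); both should be written so the transformation is visible. The CSP examples `Content-Security-Policy: ???-src <policy directive>` and `<meta http-equiv="Content-Security-Policy" content="???-src <directive>">` still carry `???` placeholders; naming a real directive such as `script-src`, which the slide uses two lines earlier, would make the header and meta forms line up with the directive/value breakdown above them. Minor: `(CR\LF)` in the response-splitting slide should read CR LF, as the backslash suggests a literal character rather than the two control bytes `\r\n` quoted next to it.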
diff --git a/week9/index.html b/9/index.html
similarity index 100%
rename from week9/index.html
rename to 9/index.html
diff --git a/index.md b/index.md
index 079cf52..6f497fe 100644
--- a/index.md
+++ b/index.md
@@ -1,14 +1,14 @@
## tutorial
* [recordings playlist](https://www.youtube.com/playlist?list=PL2xJTaGLKqbvwvi1w_U8dd4g8aQwk8LQi)
-* week1 [slides](week1)
-* week2 [slides](week2) [recording](https://youtu.be/LqnInRIUK-Q)
-* week3 [slides](week3) [recording](https://youtu.be/UJuSaoALCQo)
-* week4 [slides](week4) [recording](https://youtu.be/oV7IPbSR6hg)
-* week5 [slides](week5) [recording](https://youtu.be/WXXR_9NI1Rk)
-* week7 [slides](week7) [recording](https://youtu.be/RPGSFByujyM)
-* week8 [slides](week8) [recording](https://youtu.be/hVTEYfB4cRo)
-* week9 [slides](week9) [recording](https://youtu.be/dTEBBYgSTbU)
-* week10 [slides](week10) [recording](https://youtu.be/YlqPga4WcQ4)
+* week1 [slides](1)
+* week2 [slides](2) [recording](https://youtu.be/LqnInRIUK-Q)
+* week3 [slides](3) [recording](https://youtu.be/UJuSaoALCQo)
+* week4 [slides](4) [recording](https://youtu.be/oV7IPbSR6hg)
+* week5 [slides](5) [recording](https://youtu.be/WXXR_9NI1Rk)
+* week7 [slides](7) [recording](https://youtu.be/RPGSFByujyM)
+* week8 [slides](8) [recording](https://youtu.be/hVTEYfB4cRo)
+* week9 [slides](9) [recording](https://youtu.be/dTEBBYgSTbU)
+* week10 [slides](10) [recording](https://youtu.be/YlqPga4WcQ4)
* [23T1 topic3 challenge walkthrough](https://youtu.be/tuofP6rkG0I)
* [23T1 topic4 challenge walkthrough](https://youtu.be/RncUBdjRfFc)
* [23T1 exam preparation help session](https://youtu.be/RtxUTukS7rM)
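Review bot: the link targets drop the `week` prefix and match the directory renames in this diff (week1, 2, 3, 4, 5, 7, 8, 9, 10 → 1 … 10), and the recording URLs are byte-identical across each `-`/`+` pair, so this hunk is consistent; what it does not cover is anything else that still links to the old `weekN` paths, and nothing in the diff adds a redirect for them, so a grep for `week[0-9]` across the remaining pages is worth doing before merge. The bare numeric targets (`[slides](1)`) rely on the host serving `index.html` for a directory path, exactly as `[slides](week1)` did, so no behavioural change there.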
diff --git a/index.xml b/index.xml
index 795ced9..455c73a 100644
--- a/index.xml
+++ b/index.xml
@@ -1,26 +1,532 @@
-COMP6[84]45 Slides /Recent content on COMP6[84]45 Slides Hugo en-au 1: intro /week1/Mon, 01 Jan 0001 00:00:00 +0000 /week1/ we’ll get started at 1[68]:05 recon & tooling 6[84]43 week1 good faith policy We expect a high standard of professionalism from you at all times while you are taking any of our courses. We expect all students to act in good faith at all times
-TLDR: Don’t be a jerk
-sec.edu.au/good-faith-policy
-> whoami Lachlan how to contact me lachlan.waugh@student.unsw.edu.au @melon on the SecSoc Discord @melon on the SecEdu Slack (kinda dead) places for course discussion course information > course discussion on webcms secso. 10: advanced stuff /week10/Mon, 01 Jan 0001 00:00:00 +0000 /week10/ We’ll get started at 1[68]:05 Revision 6[84]43 week10 My Experience How’d you find the course
-What’d you like What’d you dislike What can be improved https://myexperience.unsw.edu.au
-TODO TODO 2: auth /week2/Mon, 01 Jan 0001 00:00:00 +0000 /week2/ We’ll get started at 1[68]:05 authorization & authentication 6[84]43 week2 admin stuff challenges how are you finding this week’s challenges? for each set of challenges, I’ll say which I think you should try this week: all of them lol there’s some flags online that are old, ignore them points don’t indicate difficulty walkthroughs present your solution for some of the challenges only the harder ones (maybe some of files/blog) Reports what to talk about vulnerability details proof of concept / steps to Reproduce impact ! 3: iam groot /week3/Mon, 01 Jan 0001 00:00:00 +0000 /week3/ We’ll get started at 1[68]:05 identity and access management 6[84]43 week3 Challenges From now on, all challenges are worth marks. From next week, the challenges are more difficult! We’ll say which challenges are required What’s coming up? wk4+5: server-side injection SQLi, SSI, XXE, SSRF, SSTI, file uploads wk7+8: client-side injection XSS, JSONP, Clickjacking, CSRF due dates topic2 challenges: THIS SUNDAY 11:59pm midterm: week5 monday report: week5 sunday 11:59pm reports any questions 4: ssi /week4/Mon, 01 Jan 0001 00:00:00 +0000 /week4/ We’ll get started at 1[68]:05 server-side injection 6[84]43 week4 SSTI (did they gggo through this? idk) Shell injection, RCE and Reverse Shells Upcoming due dates? next week
-wed 6-7pm: mid-sem (10%) sun 11:59pm report01 (20%) topic03 challenges SQL Structured Query Language
-SQLite, PostgreSQL, MySQL, MSSQL Server Fingerprinting
-work out the flavour/version MySQL: Version() SQLite: sqlite_version() MSSQL: @@Version Finding the schema
-what tables exist, what do they look like? MySQL: information_schema.[tables|columns] SQLite: sqlite_[master|schema] MSSQL: SHOW TABLES; DESCRIBE <table_name> Queries > 5: serverside /week5/Mon, 01 Jan 0001 00:00:00 +0000 /week5/ We’ll get started at 1[68]:05 more server-side 6[84]43 week5 House cleaning Report groups If you aren’t in a group please let me know
-Midterm How’d you all find it (trivial enough?)
-Injection Bash Injection SSTI PHP Injection bash injection If you’re ever using os.system() (or similar) to call shell functions containing user input first of all, probably don’t second of all, it’s kinda vulnerable Demo SSTI (Server-side template injection) Templating engines (eg. 7: cs injection /week7/Mon, 01 Jan 0001 00:00:00 +0000 /week7/ We’ll get started at 1[68]:05 client side injection 6[84]43 week7 house cleaning due dates most of the Topic04 challenges should be out these are due Week8 Sunday @ 11:59pm report groups the second report is out if you need a new group for the 2nd report, msg me. marks/feedback will be out at some point origin vs site origin https://www.example.com:80
-origin = scheme + host + port
-origin vs site site http://www. 8: clientside /week8/Mon, 01 Jan 0001 00:00:00 +0000 /week8/ we’ll get started at 1[68]:05 client-side protections 6[84]43 week8 house cleaning due dates the rest of the topic04 challenges should be out they’re due sunday week9. reports (general feedback) consider context when determining impact, not everything is critical. keep technical stuff out of impact/remediation. It should mostly be in steps to reproduce. mitigating xss basic waf stuff
-sanitisation: stripping out unsafe tags/attributes <script>alert(1)<script> → alert(1) encoding: escaping control characters <> → &lt;&gt; validation: allow/block-listing of content block requests if you detect bad content don’t use raw user input . 9: devsecops /week9/Mon, 01 Jan 0001 00:00:00 +0000 /week9/ We’ll get started at 1[68]:05 dev sec ops 6[84]43 week9 Final exam saturday, 27th april 3 hours (1pm - 4pm) worth 50% whats in it everything is assessable™ not just stuff from wargames submit a short writeup explaination there’s also a shortish devsecops question how2hack my biggest tip is try not to stress out + practice, practice, practice start with recon before you write payloads My Experience How’d you find the course 9: protections /lectures/week9/Mon, 01 Jan 0001 00:00:00 +0000 /lectures/week9/ client-side mitigations 6443 week9 pre-amble: reports slides are up on webcms demos are at github.com/lachlan-waugh/6443 go into demos/lectures and theres setup instructiong Origin https://www.example.com:80
-origin = scheme + host + port
-Site http://www.example.com:80
-https://api.example.com:443
-site = private_domain + public_suffix
-scheme, subdomain and port SOP (Same Origin Policy) blocks resource requests to/from an external site
-“external” is based on sop: only requests from the same origin are allowed to use the resources Help /help/Mon, 01 Jan 0001 00:00:00 +0000 /help/ DO COMP6447 DO COMP6447
-Exam suggestions don’t stress out seperate vulnerability from exploit have a good thought process vulnerability vs exploit theres more to the vulns than we cover in the challenges
-xss is more than just html injection sqli is more than just ' OR 1=1 # thought process it can be easy to go down a rabbit hole, dont do that
-think about what the application is doing try to do what the application expects, but in wierd ways note down what you’re doing, as you do them in case you change challenges also helpful for the writeup solving the challenge a lot of what we’re testing is if you can identify what type of vulnerability it is x8: cs /lectures/ext8/Mon, 01 Jan 0001 00:00:00 +0000 /lectures/ext8/ We’ll get started at 18:05 client side attacks 6843 week8 overview how do browsers work? how can we exploit this mutation xss dom clobbering client-side js exploitation how do browsers work they render html, css, and js into the DOM
-you can think of them kinda like an interpreters or a couple of interpreters (js + html parser) read more here
-syntax errors what happens when a brower receives invalidly formatted content (js, html, css)?
\ No newline at end of file
+COMP6[84]45 Slides /Recent content on COMP6[84]45 Slides Hugo en-au 1: intro /1/Mon, 01 Jan 0001 00:00:00 +0000 /1/ <h2 id="well-get-started-at-16805">we’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h1 id="recon--tooling">recon & tooling</h1>
+<h3 id="68443-week1">6[84]43 week1</h3>
+<hr>
+<h2 id="good-faith-policy">good faith policy</h2>
+<p>We expect a high standard of professionalism from you at all times while you are taking any of our courses. We expect all students to act in good faith at all times</p>
+<p><em>TLDR: Don’t be a jerk</em></p>
+<p><a href="https://sec.edu.au/good-faith-policy">sec.edu.au/good-faith-policy</a></p>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="-whoami">> whoami</h2>
+<ul>
+<li>Lachlan</li>
+</ul>
+<hr>
+<h2 id="how-to-contact-me">how to contact me</h2>
+<ul>
+<li><a href="mailto:lachlan.waugh@student.unsw.edu.au">lachlan.waugh@student.unsw.edu.au</a></li>
+<li><a href="">@melon</a> on the SecSoc Discord</li>
+<li><a href="">@melon</a> on the SecEdu Slack (kinda dead)</li>
+</ul>
+<hr>
+<h2 id="places-for-course-discussion">places for course discussion</h2>
+<ul>
+<li><a href="https://webcms3.cse.unsw.edu.au/COMP6443/24T1/resources/96261">course information > course discussion</a> on webcms</li>
+<li><a href="https://secso.cc/discord">secso.cc/discord</a></li>
+<li><a href="https://seceduau.slack.com/signup">seceduau.slack.com/signup</a> > #cs6443 (kinda dead)</li>
+</ul>
+<hr>
+<h2 id="faq">faq</h2>
+<ul>
+<li>are tuts compulsory? no</li>
+<li>are they recorded? maybe?</li>
+<li>where are these resources? <a href="https://waugh.zip/6443/">waugh.zip/6443/</a></li>
+</ul>
+
+</section>
+<hr>
+<h2 id="-whoareu">> whoareu</h2>
+
+
+<section data-shortcode-section>
+<p><img src="./assets/img/week1/icebreaker.jpg" alt=""></p> 10: advanced stuff /10/Mon, 01 Jan 0001 00:00:00 +0000 /10/ <h2 id="well-get-started-at-16805">We’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h1 id="revision">Revision</h1>
+<h3 id="68443-week10">6[84]43 week10</h3>
+<hr>
+<h2 id="my-experience">My Experience</h2>
+<p>How’d you find the course</p>
+<ul>
+<li>What’d you like</li>
+<li>What’d you dislike</li>
+<li>What can be improved</li>
+</ul>
+<blockquote>
+<p><a href="https://myexperience.unsw.edu.au">https://myexperience.unsw.edu.au</a></p>
+</blockquote>
+<hr>
+<h3 id="todo">TODO</h3>
+<p>TODO</p> 2: auth /2/Mon, 01 Jan 0001 00:00:00 +0000 /2/ <h2 id="well-get-started-at-16805">We’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h1 id="authorization--authentication">authorization & authentication</h1>
+<h3 id="68443-week2">6[84]43 week2</h3>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="admin-stuff">admin stuff</h2>
+<hr>
+<h2 id="challenges">challenges</h2>
+<ul>
+<li>how are you finding this week’s challenges?</li>
+<li>for each set of challenges, I’ll say which I think you should try
+<ul>
+<li><em>this week: all of them lol</em></li>
+</ul>
+</li>
+<li>there’s some flags online that are old, ignore them</li>
+<li>points don’t indicate difficulty</li>
+</ul>
+<hr>
+<h2 id="walkthroughs">walkthroughs</h2>
+<ul>
+<li>present your solution for some of the challenges</li>
+<li>only the harder ones (maybe some of files/blog)</li>
+</ul>
+
+</section>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="reports">Reports</h2>
+<hr>
+<h3 id="what-to-talk-about">what to talk about</h3>
+<ul>
+<li>vulnerability details</li>
+<li>proof of concept / steps to Reproduce</li>
+<li><strong>impact</strong> !important</li>
+<li>remediation</li>
+</ul>
+<hr>
+<h3 id="really-consider-the-impact">Really consider the impact</h3>
+<ul>
+<li>Order the report based on how damaging the vulnerabilities are</li>
+<li>Don’t just include things we’ve talked about in lectures/tuts, discuss general security issues you came across</li>
+<li>Good explanation of the impact <code>>>>></code> more flags</li>
+</ul>
+<hr>
+<h3 id="what-to-include">what to include</h3>
+<blockquote>
+<p>everything™!!</p> 3: iam groot /3/Mon, 01 Jan 0001 00:00:00 +0000 /3/ <h2 id="well-get-started-at-16805">We’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h1 id="identity-and-access-management">identity and access management</h1>
+<h3 id="68443-week3">6[84]43 week3</h3>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="challenges">Challenges</h2>
+<ul>
+<li>From now on, all challenges are worth marks.</li>
+<li>From next week, the challenges are more difficult!</li>
+<li>We’ll say which challenges are required</li>
+</ul>
+<hr>
+<h2 id="whats-coming-up">What’s coming up?</h2>
+<ul>
+<li>wk4+5: server-side injection
+<ul>
+<li>SQLi, SSI, XXE, SSRF, SSTI, file uploads</li>
+</ul>
+</li>
+<li>wk7+8: client-side injection
+<ul>
+<li>XSS, JSONP, Clickjacking, CSRF</li>
+</ul>
+</li>
+</ul>
+<hr>
+<h2 id="due-dates">due dates</h2>
+<ul>
+<li>topic2 challenges: THIS SUNDAY 11:59pm</li>
+<li>midterm: week5 monday</li>
+<li>report: week5 sunday 11:59pm</li>
+</ul>
+
+</section>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="reports">reports</h2>
+<p>any questions</p> 4: ssi /4/Mon, 01 Jan 0001 00:00:00 +0000 /4/ <h2 id="well-get-started-at-16805">We’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h2 id="server-side-injection">server-side injection</h2>
+<h3 id="68443-week4">6[84]43 week4</h3>
+<hr>
+<ul>
+<li>SSTI (did they gggo through this? idk)</li>
+<li>Shell injection, RCE and Reverse Shells</li>
+</ul>
+<h2 id="upcoming-due-dates">Upcoming due dates?</h2>
+<blockquote>
+<p>next week</p>
+</blockquote>
+<ul>
+<li>wed 6-7pm: mid-sem (10%)</li>
+<li>sun 11:59pm
+<ul>
+<li>report01 (20%)</li>
+<li>topic03 challenges</li>
+</ul>
+</li>
+</ul>
+<hr>
+<h2 id="sql">SQL</h2>
+
+
+<section data-shortcode-section>
+<blockquote>
+<p>Structured Query Language</p>
+</blockquote>
+<ul>
+<li>SQLite, PostgreSQL, MySQL, MSSQL Server</li>
+</ul>
+<hr>
+<blockquote>
+<p>Fingerprinting</p>
+</blockquote>
+<ul>
+<li>work out the flavour/version
+<ul>
+<li><strong>MySQL</strong>: <code>Version()</code></li>
+<li><strong>SQLite</strong>: <code>sqlite_version()</code></li>
+<li><strong>MSSQL</strong>: <code>@@Version</code></li>
+</ul>
+</li>
+</ul>
+<hr>
+<blockquote>
+<p>Finding the schema</p>
+</blockquote>
+<ul>
+<li>what tables exist, what do they look like?
+<ul>
+<li><strong>MySQL</strong>: <code>information_schema.[tables|columns]</code></li>
+<li><strong>SQLite</strong>: <code>sqlite_[master|schema]</code></li>
+<li><strong>MSSQL</strong>: <code>SHOW TABLES; DESCRIBE <table_name></code></li>
+</ul>
+</li>
+</ul>
+<hr>
+<p>Queries ></p> 5: serverside /5/Mon, 01 Jan 0001 00:00:00 +0000 /5/ <h2 id="well-get-started-at-16805">We’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h1 id="more-server-side">more server-side</h1>
+<h3 id="68443-week5">6[84]43 week5</h3>
+<hr>
+<h1 id="house-cleaning">House cleaning</h1>
+
+
+<section data-shortcode-section>
+<hr>
+<h2 id="report-groups">Report groups</h2>
+<blockquote>
+<p>If you aren’t in a group please let me know</p>
+</blockquote>
+<hr>
+<h2 id="midterm">Midterm</h2>
+<blockquote>
+<p>How’d you all find it (trivial enough?)</p>
+</blockquote>
+
+</section>
+<hr>
+<h2 id="injection">Injection</h2>
+<ul>
+<li>Bash Injection</li>
+<li>SSTI</li>
+<li>PHP Injection</li>
+</ul>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="bash-injection">bash injection</h2>
+<ul>
+<li>If you’re ever using os.system() (or similar) to call shell functions containing user input
+<ul>
+<li>first of all, probably don’t</li>
+<li>second of all, it’s kinda vulnerable</li>
+</ul>
+</li>
+</ul>
+<hr>
+<h2 id="demohttpsgithubcomlachlan-waugh6443treemaindemosserver-side-injectionshell_injection"><a href="https://github.com/lachlan-waugh/6443/tree/main/demos/server-side-injection/shell_injection">Demo</a></h2>
+
+</section>
+<hr>
+
+
+<section data-shortcode-section>
+<h3 id="ssti-server-side-template-injection">SSTI (Server-side template injection)</h3>
+<ul>
+<li>
+<p>Templating engines (eg. Jinja2, Pug) use templates to inject code and variables into static files</p> 7: cs injection /7/Mon, 01 Jan 0001 00:00:00 +0000 /7/ <h2 id="well-get-started-at-16805">We’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h1 id="client-side-injection">client side injection</h1>
+<h3 id="68443-week7">6[84]43 week7</h3>
+<hr>
+<h1 id="house-cleaning">house cleaning</h1>
+
+
+<section data-shortcode-section>
+<h2 id="due-dates">due dates</h2>
+<ul>
+<li>most of the Topic04 challenges should be out</li>
+<li>these are due Week8 Sunday @ 11:59pm</li>
+</ul>
+<hr>
+<h2 id="report-groups">report groups</h2>
+<ul>
+<li>the second report is out</li>
+<li>if you need a new group for the 2nd report, msg me.</li>
+<li>marks/feedback will be out at some point</li>
+</ul>
+
+</section>
+<hr>
+<h2 id="origin-vs-site">origin vs site</h2>
+<h3 id="origin">origin</h3>
+<blockquote>
+<p><span style="color: #021691">https://</span><span style="color: #fffacd">www.example.com</span><span style="color: #7FFFD4">:80</span></p>
+</blockquote>
+
+
+<span class='fragment ' ><p>origin = <span style="color: #021691">scheme</span> + <span style="color: #fffacd">host</span> + <span style="color: #7FFFD4">port</span></p> 8: clientside /8/Mon, 01 Jan 0001 00:00:00 +0000 /8/ <h2 id="well-get-started-at-16805">we’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h2 id="client-side-protections">client-side protections</h2>
+<h3 id="68443-week8">6[84]43 week8</h3>
+<hr>
+<h1 id="house-cleaning">house cleaning</h1>
+
+
+<section data-shortcode-section>
+<h2 id="due-dates">due dates</h2>
+<ul>
+<li>the rest of the topic04 challenges should be out</li>
+<li>they’re due sunday week9.</li>
+</ul>
+<hr>
+<h2 id="reports-general-feedback">reports (general feedback)</h2>
+<ul>
+<li>consider context when determining impact, not everything is critical.</li>
+<li>keep technical stuff out of impact/remediation. It should mostly be in steps to reproduce.</li>
+</ul>
+
+</section>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="mitigating-xss">mitigating xss</h2>
+<p>basic waf stuff</p>
+<ul>
+<li><em>sanitisation</em>: stripping out unsafe tags/attributes
+<ul>
+<li><script>alert(1)<script> → alert(1)</li>
+</ul>
+</li>
+<li><em>encoding</em>: escaping control characters
+<ul>
+<li><> → &lt;&gt;</li>
+</ul>
+</li>
+<li><em>validation</em>: allow/block-listing of content
+<ul>
+<li>block requests if you detect bad content</li>
+</ul>
+</li>
+</ul>
+<hr>
+<h3 id="dont-use-raw-user-input">don’t use raw user input</h3>
+<ul>
+<li>
+<p><code>.innerHTML</code> treats content as HTML (control)</p> 9: devsecops /9/Mon, 01 Jan 0001 00:00:00 +0000 /9/ <h2 id="well-get-started-at-16805">We’ll get started at 1[68]:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h1 id="dev-sec-ops">dev sec ops</h1>
+<h3 id="68443-week9">6[84]43 week9</h3>
+<hr>
+
+
+<section data-shortcode-section>
+<h1 id="final-exam">Final exam</h1>
+<ul>
+<li>saturday, 27th april</li>
+<li>3 hours (1pm - 4pm)</li>
+<li>worth 50%</li>
+</ul>
+<hr>
+<h3 id="whats-in-it">whats in it</h3>
+<ul>
+<li>everything is assessable™</li>
+<li>not just stuff from wargames</li>
+<li>submit a short writeup explaination</li>
+<li>there’s also a shortish devsecops question</li>
+</ul>
+<hr>
+<h3 id="how2hack">how2hack</h3>
+<ul>
+<li>my biggest tip is try not to stress out</li>
+<li><em>+ practice, practice, practice</em></li>
+<li>start with recon before you write payloads</li>
+</ul>
+
+</section>
+<hr>
+<h2 id="my-experience">My Experience</h2>
+<p>How’d you find the course</p> 9: protections /lectures/9/Mon, 01 Jan 0001 00:00:00 +0000 /lectures/9/ <section data-noprocess data-shortcode-slide
+ class="center">
+
+<h2 id="client-side-mitigations">client-side mitigations</h2>
+<h3 id="6443-week9">6443 week9</h3>
+<hr>
+<h3 id="pre-amble-reports">pre-amble: reports</h3>
+<ul>
+<li>slides are up on webcms</li>
+<li>demos are at <a href="https://github.com/lachlan-waugh/6443">github.com/lachlan-waugh/6443</a>
+<ul>
+<li>go into demos/lectures and theres setup instructiong</li>
+</ul>
+</li>
+</ul>
+<hr>
+
+
+<section data-shortcode-section>
+<h3 id="origin">Origin</h3>
+<blockquote>
+<p><span style="color: #021691">https://</span><span style="color: #fffacd">www.example.com</span><span style="color: #7FFFD4">:80</span></p>
+</blockquote>
+<p>origin = <span style="color: #021691">scheme</span> + <span style="color: #fffacd">host</span> + <span style="color: #7FFFD4">port</span></p>
+<hr>
+<h3 id="site">Site</h3>
+<blockquote>
+<p><span style="color: #021691">http://</span><span style="color: #A52A2A">www.</span><u><span style="color: #fffacd">example</span><span style="color: #D2691E">.com</span></u><span style="color: #7FFFD4">:80</span><br>
+<span style="color: #021691">https://</span><span style="color: #A52A2A">api.</span><u><span style="color: #fffacd">example</span><span style="color: #D2691E">.com</span></u><span style="color: #7FFFD4">:443</span></p>
+</blockquote>
+<p>site = <span style="color: #fffacd">private_domain</span> + <span style="color: #D2691E">public_suffix</span></p>
+<ul>
+<li><s><span style="color: #021691">scheme</span>, <span style="color: #A52A2A">subdomain</span> and <span style="color: #7FFFD4">port</span></s></li>
+</ul>
+
+</section>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="sop-same-origin-policy">SOP (Same Origin Policy)</h2>
+<ul>
+<li>
+<p>blocks resource requests to/from an <em>external</em> site</p> Help /help/Mon, 01 Jan 0001 00:00:00 +0000 /help/ <h3 id="do-comp6447">DO COMP6447</h3>
+<p>DO COMP6447</p>
+<hr>
+
+
+<section data-shortcode-section>
+<h2 id="exam">Exam</h2>
+<hr>
+<h3 id="suggestions">suggestions</h3>
+<ul>
+<li>don’t stress out</li>
+<li>seperate vulnerability from exploit</li>
+<li>have a good thought process</li>
+</ul>
+<hr>
+<h3 id="vulnerability-vs-exploit">vulnerability vs exploit</h3>
+<p>theres more to the vulns than we cover in the challenges</p>
+<ul>
+<li>xss is more than just html injection</li>
+<li>sqli is more than just <code>' OR 1=1 #</code></li>
+</ul>
+<hr>
+<h3 id="thought-process">thought process</h3>
+<p>it can be easy to go down a rabbit hole, dont do that</p>
+<ul>
+<li>think about what the application is doing</li>
+<li>try to do what the application expects, but in wierd ways</li>
+<li>note down what you’re doing, as you do them
+<ul>
+<li>in case you change challenges</li>
+<li>also helpful for the writeup</li>
+</ul>
+</li>
+</ul>
+<hr>
+<h3 id="solving-the-challenge">solving the challenge</h3>
+<p>a lot of what we’re testing is if you can identify what type of vulnerability it is</p> x8: cs /lectures/e8/Mon, 01 Jan 0001 00:00:00 +0000 /lectures/e8/ <h2 id="well-get-started-at-1805">We’ll get started at 18:05</h2>
+<hr>
+
+<section data-noprocess data-shortcode-slide
+ class="center">
+
+<h2 id="client-side-attacks">client side attacks</h2>
+<h3 id="6843-week8">6843 week8</h3>
+<hr>
+<h3 id="overview">overview</h3>
+<ul>
+<li>how do browsers work?</li>
+<li>how can we exploit this
+<ul>
+<li>mutation xss</li>
+<li>dom clobbering</li>
+</ul>
+</li>
+<li>client-side js exploitation</li>
+</ul>
+<hr>
+
+
+<section data-shortcode-section>
+<h3 id="how-do-browsers-work">how do browsers work</h3>
+<p>they render html, css, and js into the DOM</p>
+<ul>
+<li>you can think of them kinda like an interpreters</li>
+<li>or a couple of interpreters (js + html parser)</li>
+</ul>
+<blockquote>
+<p>read more <a href="https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction">here</a></p>
+</blockquote>
+<hr>
+<h3 id="syntax-errors">syntax errors</h3>
+<p>what happens when a brower receives invalidly formatted content (js, html, css)?</p>
\ No newline at end of file
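Review bot: the regenerated feed points the "x8: cs" item at `/lectures/e8/` where the old feed had `/lectures/ext8/`, but this diff contains no rename of `lectures/ext8` (the only lectures rename is `lectures/week9` → `lectures/9`), so either the feed was built from a working tree that is not in this commit or that permalink will dangle; the rename should be in the same commit or the feed rebuilt. More generally, `index.xml` is Hugo build output: committing it turns a nine-directory rename into a roughly 500-line diff of generated HTML, which is hard to review and will drift whenever the theme changes; building in CI or ignoring generated output would keep diffs like this to the source files. Two small things visible in the generated markup: the `@melon` contact entries are `<a href="">@melon</a>`, and an empty `href` renders as a link back to the current page, so either drop the anchor or give it the Discord/Slack URL; and the heading id `well-get-started-at-16805` is emitted for every page, which is fine per page but means the feed carries duplicate ids if a reader renders it as one document.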
diff --git a/lectures/week9/index.html b/lectures/9/index.html
similarity index 69%
rename from lectures/week9/index.html
rename to lectures/9/index.html
index abc6e98..3c05181 100644
--- a/lectures/week9/index.html
+++ b/lectures/9/index.html
@@ -8,7 +8,7 @@
// Some vulnerable debug code
}
</script>
-
the browser thinks that code is reflected of user input
csrf tokens
Supply a single-use ’nonce’ value.
<input>
Content Security Policy
https://b.com/a/path/
read more here
policy directives made of directive and value
e.g. script-src: unsafe-inline
script-src
is the directive
unsafe-inline
is the value
basically everything
http header
Content-Security-Policy: <policy directive>
or in a tag
<meta http-equiv="Content-Security-Policy" content="<policy directive>">
ok lachlan but idc about protections I care about exploitation
ok
nah just bad programming (again)
<meta>
tag is the real source for cspaka carriage-return line-feed injection
\r\n
(CR\LF
)\r\n
’s\r\n\r\n
?
pretty simple
quick demo: filewriter
json with padding
you give the jsonp endpoint a callback function
if you’re confused read up about callback functions
define the function using a callback
parameter
<!-- https://melon.com/numbers?callback=load_data -->
+
the browser thinks that code is reflected of user input
csrf tokens
Supply a single-use ’nonce’ value.
<input>
Content Security Policy
https://b.com/a/path/
read more here
policy directives made of directive and value
e.g. script-src: unsafe-inline
script-src
is the directive
unsafe-inline
is the value
basically everything
http header
Content-Security-Policy: <policy directive>
or in a tag
<meta http-equiv="Content-Security-Policy" content="<policy directive>">
ok lachlan but idc about protections I care about exploitation
ok
nah just bad programming (again)
<meta>
tag is the real source for cspaka carriage-return line-feed injection
\r\n
(CR\LF
)\r\n
’s\r\n\r\n
?
pretty simple
quick demo: filewriter
json with padding
you give the jsonp endpoint a callback function
if you’re confused read up about callback functions
define the function using a callback
parameter
<!-- https://melon.com/numbers?callback=load_data -->
load_data([1, 2, 3, 4, 5])
the script below will invoke load_data([...])
with the json
<script src="https://melon.com/numbers?callback=load_data"></script>
resources will only be trusted if they have an attribute nonce=“nonce-X” where X is specified in the CSP header
read more here
similar to csrf tokens
if they reuse tokens
if the tokens are deterministic
… but what if the tokens are secure?
<base>d tag
specifies the base URL and/or target for all relative URLs in a document.
read more here
base-uri
directive in CSP, specifying which locations can be specified to be the basewhat is it?
from here
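Review bot: the only `-`/`+` pair in this hunk (the blank line before "the browser thinks that code is reflected of user input") renders identically on both sides, so the change is whitespace or line-ending only; if that is not intentional, reverting it lets git record this as a pure rename. On the slide text itself, the nonce description `attribute nonce="nonce-X" where X is specified in the CSP header` has the prefix on the wrong side: the element attribute is `nonce="X"` and the `nonce-` prefix belongs in the header's source expression, `Content-Security-Policy: script-src 'nonce-X'`; as written, a reader copying it would produce a nonce that never matches. `<base>d tag` looks like a typo for `<base>` tag, and `(CR\LF)` should read CR LF, matching the `\r\n` quoted beside it.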