Why?
Because
SSH does not have totally broken session management
SIMPLE THINGS, SIMPLY BROKEN
The web was never designed to have authenticated resources
Auth was bolted on (because Basic/Digest never got fixed)
Normal Mechanism For Managing Credentials
Password causes Set-Cookie
Cookie sent with each query to target domain
Cookie is sent even with requests caused by third party domains
User’s credentials are mixed with attacker’s URL
This is why most XSS/XSRF attacks are dangerous: they wouldn't be nearly the big deal they are if they didn't work cross site
THE PEN TESTER REACTION:
DEV, DO MORE WORK
XSRF Tokens
Manually add a token to every authenticated URL
Requires touching everything in a web app that generates a URL
How’s that working out for us?
This seems to be a lot of work
If/when we come back six months later, it's not usually done, is it?
A MODEST PROPOSAL
Couldn’t the tools be better?
The big debate: Should SVGs animate?
Unsaid: Shouldn't it be possible to easily log into a web site without other sites being able to use your creds?
AN ATTEMPT
A fix that requires no change to the browser is better
So I tried to find one
Server Side Referrer Checking
Client Side Referrer Checking
Window.Name Checking
Window.SessionStorage Checking
Management!
They all failed
Thank you Cstone, Kuza55, Amit Klein, David Ross, SirDarckcat
WHEN FAILURE IS SUCCESS:
OUR PROBLEM WITH LATENCY
My suggested defenses were defeated early in development
We, as a community, have a latency problem
We don’t break during development
We don’t break at release
By then, it’s in customer hands, and the best we can do is give the
Millions of characters
All of which could mutate (“best fit match”) into one another
Another approach:
w.code("select * from foo where x=").data(argument1).code("and y=").data(argument2)
Similar to LINQ etc. but actually works for arbitrary grammars
If you mismark code as data, or vice versa, it breaks
THE STATUS QUO
We see this doesn’t work:
String s = "select * from foo where x = \"" + escape(s) + "\";";
By "doesn't work": it is too similar to this:
String s = "select * from foo where x = \"" + s + "\";";
Devs mess this up, but the code works anyway
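To make the contrast concrete, here is an added example (not code from the original deck or from the author's tool) that puts the status-quo concatenation next to a builder in the `w.code()...data()` style the slide sketches. The `w.code()`/`w.data()` names follow the slide; the `?` placeholder convention, the `escapeLiteral` helper and the toy `bind()` driver are assumptions made for this example, and the two arguments are constructed input.

```javascript
// Added example, not from the original slides: the status-quo concatenation
// beside a builder that marks every fragment as code or data. The w.code()/
// w.data() names follow the slide; the "?" placeholder convention and the toy
// bind() driver are assumptions made for this example.

// Status quo: escaping by hand. Nothing in the result records whether
// escapeLiteral() was called, so a forgotten call produces a query that still
// "works" on every input that happens not to contain a quote.
function escapeLiteral(s) {
  return String(s).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}
function statusQuo(x, forgotEscape = false) {
  const v = forgotEscape ? x : escapeLiteral(x);
  return 'select * from foo where x = "' + v + '"';
}

// Builder: code and data stay separate objects until a driver consumes them.
class Query {
  constructor() { this.parts = []; }
  code(fragment) { this.parts.push({ kind: "code", value: fragment }); return this; }
  data(value) { this.parts.push({ kind: "data", value }); return this; }
  // Code is emitted verbatim; every data item becomes a placeholder and is
  // handed over out of band, so it is never parsed as grammar.
  build() {
    const sql = [], params = [];
    for (const p of this.parts) {
      if (p.kind === "code") sql.push(p.value);
      else { sql.push("?"); params.push(p.value); }
    }
    return { sql: sql.join(" "), params };
  }
}
const w = { code: (f) => new Query().code(f), data: (v) => new Query().data(v) };

// Toy driver standing in for a parameterised database API. It quotes data
// itself, in exactly one place, and refuses queries whose shape shows a mismark.
function bind({ sql, params }) {
  const slots = (sql.match(/\?/g) || []).length;
  if (slots !== params.length) throw new Error("placeholder/parameter count mismatch");
  // Two placeholders in a row can only happen when code was marked as data.
  if (/\?\s*\?/.test(sql)) throw new Error("data supplied where code was expected");
  let i = 0;
  return sql.replace(/\?/g, () => {
    const v = params[i++];
    return typeof v === "number" ? String(v) : '"' + escapeLiteral(v) + '"';
  });
}

// Constructed input containing a quote, the character the hand-written
// version depends on someone remembering to escape.
const argument1 = 'a" or "b';
const argument2 = 7;

function correctlyMarked() {
  return w.code("select * from foo where x =").data(argument1).code("and y =").data(argument2).build();
}
// Mismark: the code fragment "and y =" is passed as data. It does not quietly
// run: build() still succeeds, but bind() rejects the shape, which is the
// "it breaks" behaviour the slide asks for.
function mismarked() {
  return w.code("select * from foo where x =").data(argument1).data("and y =").data(argument2).build();
}

console.log(statusQuo(argument1, true));   // forgotten escape: the quote ends the literal early
console.log(bind(correctlyMarked()));       // data quoted by the driver, grammar untouched
```

The other mismark, data passed through `w.code()`, reproduces the status quo exactly, which is why the builder only helps if the type system or a linter makes that direction awkward to write by accident.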
Memory safety didn't come from security engineers, it came from reliability engineers
I think we need a way to write functions that execute in present scope
YES, THIS MEANS
(LISP) (WAS) (RIGHT)
(((NOT ABOUT EVERYTHING)))
(((THEY ( HAD A POINT ( HERE ))))
Crazy theory
JavaScript has been successful because it's been able to mutate to absorb almost any language construct
“More dialects of JavaScript than Chinese”
RISKS
There are three things that can go wrong with any defensive technology
It doesn’t work
None of this mealy mouthed, "well, it depends on what your threat model is"
Either it does what it says, or it doesn’t!