
SPArring with the Security of Single Page Applications
Tale of the Tape
• Brief review of AppSec origins
• Brief intro on Mixed Martial Arts (MMA)
• Fighting styles vs Hacking styles
• Getting in the ring with a SPA
Our Introduction to Web Apps
HTTP Standard Format

INPUTS IN SIMPLE ‘NAME=VALUE’ PAIRS


GET /search.php?item=Shirt&color=Blue HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.webscantest.com/crosstraining/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: www.webscantest.com
Cookie: SESSIONIS=aslkjhalasdhh2979jhfac78h

Same for POST requests


POST /search.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.webscantest.com/crosstraining/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: www.webscantest.com
Cookie: SESSIONIS=aslkjhalasdhh2979jhfac78h

item=Shirt&color=Blue
Our Introduction to App Sec
---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12

-------------------------[ NT Web Technology Vulnerabilities

--------[ rain.forest.puppy / [WT] <rfpuppy@iname.com>

----[ ODBC and MS SQL server 6.5

Ok, topic change again. Since we've hit on web service and database stuff,
let's roll with it. Onto ODBC and MS SQL server 6.5.

I worked with a fellow WT'er on this problem. He did the good thing and told
Microsoft, and their answer was, well, hilarious. According to them,
what you're about to read is not a problem, so don't worry about doing
anything to stop it.

- WHAT'S THE PROBLEM? MS SQL server allows batch commands.

- WHAT'S THAT MEAN? I can do something like:

SELECT * FROM table WHERE x=1 SELECT * FROM table WHERE y=5

Exactly like that, and it'll work. It will return two record sets, with each
set containing the results of the individual SELECT.

- WHAT'S THAT REALLY MEAN? People can possibly piggyback SQL commands into your statements.
Let's say you have:

SELECT * FROM table WHERE x=%%criteria from webpage user%%


Fun with SQL Injection

http://myspace.com/login.php?username=admin'&password=abc123

Invalid User
Error 1064: You have an error in your SQL syntax near '' at line 1 of
SELECT * FROM tAccounts WHERE username='admin'' AND password='abc123'

Fun with SQL Injection

http://myspace.com/login.php?username=admin'#&password=abc123

Welcome Admin

Create User | View Users | View Logs

SELECT * from tAccounts WHERE username='admin' # ' AND password='abc123'
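The two login slides above boil down to one defect: the username is pasted into the SQL text, so a quote ends the string and a comment marker discards the password check. The block below is an added example (not code from the talk or from the site on the slide) that reproduces the concatenated query text from the slide, puts the parameterised form beside it against a constructed in-memory SQLite table named tAccounts, and adds a small log-side check for the quote-plus-comment pattern the slides rely on. The table contents, the helper names and the `looks_like_injection_probe` heuristic are all assumptions made for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the slide's tAccounts table.
    Real systems store a password hash and compare against that; the
    plaintext column here only keeps the query shape identical to the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tAccounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tAccounts VALUES ('admin', 'abc123')")
    conn.commit()
    return conn


def unsafe_query(username, password):
    """String concatenation as in the slide's login.php: attacker text becomes
    SQL syntax. Returns the statement text rather than executing it, so the
    reader can see exactly what the database would receive."""
    return ("SELECT * FROM tAccounts WHERE username='" + username
            + "' AND password='" + password + "'")


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement, so a
    quote or a '#' in the username is matched as data, never parsed as SQL.
    Returns the matched username, or None when no row matches."""
    row = conn.execute(
        "SELECT username FROM tAccounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def looks_like_injection_probe(params):
    """Cheap triage heuristic for access-log review: a quote immediately
    followed by a MySQL comment marker in any login parameter is the pattern
    from the second slide. Useful for alerting, not a substitute for
    parameterised queries."""
    return any("'#" in value for value in params.values())


if __name__ == "__main__":
    db = build_db()
    print(unsafe_query("admin'#", "abc123"))
    print("safe login, tampered username:", login_safe(db, "admin'#", "abc123"))
    print("safe login, real credentials:", login_safe(db, "admin", "abc123"))
```

The unsafe function deliberately stops at building the string: the slide already shows what MySQL does with it, and the point for a defender is that the parameterised version returns nothing for the same input.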


Which discipline is better?

Savate vs Sumo
Which discipline is better?

Boxing vs Jiu Jitsu


Which discipline is better?

Savate vs Jiu Jitsu


Which attacks are better?
Starting to “Mix” Disciplines
MMA
Mixed Martial Arts (MMA): A Sport
UFC: A League
UFC puts on MMA events
Like NFL puts on Football events
Possible levels of a fight
Standing – at a distance

Standing – up close

Grappling – Standing or on the ground

Grappling – Attempting to submit


Avoid being one-dimensional
Modern fighters must be well rounded
Possible layers of an App
• Classic HTML & JavaScript Client - Standard
• AJAX, SPA’s & Mobile apps Client - Discovery challenges, complex client code, plus API challenges
• Web Services / REST API’s Services - Various data formats
• OAuth & other API Auth Services - Challenging authentication schemes

Layer 1: Discovery
“You can’t attack what
you can’t see”
No longer just HTML
JavaScript becomes Asynchronous

[Diagram: a series of asynchronous request/response exchanges between the browser and the server]

Applications getting more difficult
Then: HTML
Now: Rich client (HTML, JavaScript, AJAX) & Web services (JSON, SOAP, etc.)
Crawling AJAX Apps
SPA’s = No relaxation for us
Layer 2: AJAX to the extreme
SPA Frameworks
REACT JS
• Created in a collaboration between Facebook and Instagram
• Used by the likes of Netflix, Imgur, Bleacher Report, Feedly, Airbnb, SeatGeek, HelloSign, and others
• Implements a Virtual DOM
• Makes heavy use of RESTful API’s
DOM - Document Object Model
REACT Virtual DOM: Breaking scanners
• Breaks even advanced scanners that make use of browsers & JavaScript
execution
• Virtual DOM does not have events attached to DOM Elements
• Virtual DOM registers one event on window.document
REACT Virtual DOM

“React abstracts away the DOM from you, giving you a simpler programming model and better
performance”
A rose by any other name
• Web Services
• RESTful API’s
• Web API’s
• or simply API’s
HTTP Standard Format

GET /search.php?item=Shirt&color=Blue HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.webscantest.com/crosstraining/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: www.webscantest.com
Cookie: SESSIONIS=aslkjhalasdhh2979jhfac78h

POST /search.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.webscantest.com/crosstraining/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: www.webscantest.com
Cookie: SESSIONIS=aslkjhalasdhh2979jhfac78h

item=Shirt&color=Blue
AJAX & REST API Formats
Custom URL handlers: GET /rest/search/item/Shirt/color/Blue

XML format: POST /rest/
<search><item>Shirt</item><color>Blue</color></search>

JSON (JavaScript Object Notation): POST /json/
{"search": {"item": "Shirt", "color": "Blue"}}

GWT (Google Web Toolkit): POST /GWT/
Search|Shirt|Blue|

AMF (Actionscript Messaging Format, old school Adobe/Flash): POST /amf/amf.php
[Binary AMF body shown as raw bytes on the slide: a flex.messaging.messages.RemotingMessage with operation "search", parameters item "Shirt" and color "Blue", a DSId and the endpoint "my-amf"]

Many others: SOAP, XML-RPC & many custom formats
As one line:
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}

Nicely formatted (JSON supports nested data, just like XML):
{ "products" : [
    { "shirt" : {
        "colors" : [ "blue", "red", "yellow", "green" ],
        "price" : "19.99",
        "sizes" : [ "small", "medium", "large", "xlarge" ],
        "text" : "NTO"
    } },
    { "hat" : {
        "colors" : [ "black", "red" ],
        "price" : "24.99",
        "sizes" : [ "kids", "adult" ],
        "text" : "NTO"
    } }
] }
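The same search travels in form-encoded pairs, a REST path, XML, JSON and a GWT pipe string on the slides above, and a scanner (or a logging layer) that only understands name=value pairs sees nothing of the rest. The block below is an added example, not code from the talk or any scanner: it normalises each of those formats into one {name: value} dictionary using only the Python standard library. The request list, the dispatch rules (path prefixes and content types) and the assumption that a GWT payload is positional are all constructed for the example.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed requests, one per format from the slides, all carrying the same
# search: item=Shirt, color=Blue. Tuple layout: (method, target, content_type, body).
SAMPLE_REQUESTS = [
    ("GET", "/search.php?item=Shirt&color=Blue", "application/x-www-form-urlencoded", ""),
    ("POST", "/search.php", "application/x-www-form-urlencoded", "item=Shirt&color=Blue"),
    ("GET", "/rest/search/item/Shirt/color/Blue", None, ""),
    ("POST", "/rest/", "application/xml",
     "<search><item>Shirt</item><color>Blue</color></search>"),
    ("POST", "/json/", "application/json", '{"search": {"item": "Shirt", "color": "Blue"}}'),
    ("POST", "/GWT/", "text/x-gwt-rpc", "Search|Shirt|Blue|"),
]


def from_query_string(query):
    # parse_qs returns a list per name; keep the first value of each
    return {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}


def from_rest_path(path, prefix="/rest/search/"):
    # /rest/search/item/Shirt/color/Blue -> alternating name/value segments
    segments = path[len(prefix):].strip("/").split("/")
    if len(segments) % 2:
        raise ValueError("unpaired path segment")
    return dict(zip(segments[::2], segments[1::2]))


def from_xml(body):
    # ElementTree is fine for this constructed input; untrusted XML should be
    # parsed with defusedxml to avoid entity-expansion tricks.
    root = ET.fromstring(body)
    if root.tag != "search":
        raise ValueError("unexpected root element " + root.tag)
    return {child.tag: (child.text or "") for child in root}


def from_json(body):
    doc = json.loads(body)
    search = doc.get("search") if isinstance(doc, dict) else None
    if not isinstance(search, dict):
        raise ValueError("missing search object")
    return {str(k): str(v) for k, v in search.items()}


def from_gwt(body):
    # Assumed positional layout: operation|item|color| (names come from the
    # operation, not from the wire format)
    fields = body.rstrip("|").split("|")
    if len(fields) != 3 or fields[0].lower() != "search":
        raise ValueError("unexpected GWT payload")
    return {"item": fields[1], "color": fields[2]}


def normalise(method, target, content_type, body):
    """Map any of the slide's formats onto one {name: value} dictionary."""
    path, _, query = target.partition("?")
    if path.startswith("/rest/search/"):
        return from_rest_path(path)
    if method == "GET" and query:
        return from_query_string(query)
    if path == "/GWT/":
        return from_gwt(body)
    if content_type == "application/xml":
        return from_xml(body)
    if content_type == "application/json":
        return from_json(body)
    if content_type == "application/x-www-form-urlencoded":
        return from_query_string(body)
    raise ValueError("unsupported request format")


def normalise_all(requests=SAMPLE_REQUESTS):
    return [normalise(*request) for request in requests]


if __name__ == "__main__":
    for params in normalise_all():
        print(params)
```

Every parser rejects input that does not fit its expected shape instead of guessing, which is the behaviour you want both in a scanner (so it reports an unknown format rather than silently skipping it) and in a server-side input layer.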
Swing and a Miss

Original request:
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}

Attack request (payload placed in a key name):
{"products":[{"shirt'_OR_1='1":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}

Attack request (payload appended after the JSON body):
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}' OR 1='1

Accomplished nothing

Landing the blow

Original request:
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}

Attack request (payload breaks the key's closing quote):
{"products":[{"shirt' OR1='1"{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}

Successful delivery

Attack request (payload inside a string value):
{"products":[{"shirt":{"text":"NTO","colors":["blue","red' OR 1='1","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}
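The lesson of the two slides is that a payload which breaks the JSON structure never reaches the back end, because the parser rejects the body, while a payload inside a string value parses cleanly and is handed to whatever the server does with that value. The block below is an added example (not code from the talk) that shows both outcomes with the standard `json` module and then applies the two defences a server should have anyway: an allow-list on the fields it will actually use, and a quick walk over all string leaves for quote characters, which is the detection a request log or WAF layer can do without knowing the schema. The request bodies are reconstructed from the slides; the product and colour allow-lists and all function names are assumptions for the example.

```python
import json

# The one-line request from the slide (NTO text, two products).
ORIGINAL = (
    '{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],'
    '"sizes":["small","medium","large","xlarge"],"price":"19.99"}},'
    '{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],'
    '"price":"24.99"}}]}'
)

# Constructed variants of the tampered requests shown on the slides.
APPENDED = ORIGINAL + "' OR 1='1"                                   # trailing text: not JSON
KEY_VARIANT = ORIGINAL.replace('"shirt":', '"shirt\'_OR_1=\'1":', 1)  # payload in a key name
IN_VALUE = ORIGINAL.replace('"red","yellow"', '"red\' OR 1=\'1","yellow"', 1)  # payload in a value

# Assumed allow-lists for the fields the back end consumes.
KNOWN_PRODUCTS = {"shirt", "hat"}
ALLOWED_COLORS = {"blue", "red", "yellow", "green", "black"}


def parse_request(body):
    """Return the decoded document, or None when the body is not valid JSON.
    Rejecting here is what makes the appended payload a miss: the server
    never sees it as data at all."""
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def iter_string_values(node):
    """Depth-first walk yielding every string leaf, whatever the nesting."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_string_values(value)
    elif isinstance(node, str):
        yield node


def leaves_with_quote(doc):
    """Schema-agnostic detection: string leaves containing a single quote.
    Cheap to run on every request and enough to surface the value-level
    attempt from the slide in a log review."""
    return [leaf for leaf in iter_string_values(doc) if "'" in leaf]


def validate(doc):
    """Allow-list check on the fields the back end uses. Returns the rejected
    names and values; an empty list means the document is acceptable."""
    rejected = []
    products = doc.get("products") if isinstance(doc, dict) else None
    if not isinstance(products, list):
        return ["missing products list"]
    for product in products:
        for name, spec in product.items():
            if name not in KNOWN_PRODUCTS:
                rejected.append(name)
                continue
            for colour in spec.get("colors", []):
                if colour not in ALLOWED_COLORS:
                    rejected.append(colour)
    return rejected


if __name__ == "__main__":
    print("appended payload parses as JSON:", parse_request(APPENDED) is not None)
    doc = parse_request(IN_VALUE)
    print("value payload parses as JSON:", doc is not None)
    print("quoted leaves:", leaves_with_quote(doc))
    print("rejected by allow-list:", validate(doc))
```

Allow-listing beats pattern matching here because it does not care what the injected text looks like; the quote walk is kept alongside it because allow-lists only cover fields you remembered to model.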
Documenting RESTful API’s
REACT Recap
• Very difficult to do discovery
• Very complex client-side code
• Relies heavily on REST API’s
Don’t forget Mobile!
REST WEB SERVICE
Web Service Authentication Methods
• Classic solutions
  • HTTP Auth (Basic/NTLM/Digest)
  • Custom HTTP Header
  • Session Cookie
• Popular standardized solutions
  • OAuth support
  • Supports most installations with simple configuration settings
• Custom signing code
• User driven/macro solutions
Custom Request Signing
Example Authenticated REST Request
GET /api/v1/lookup HTTP/1.1
Host: 127.0.0.1:8000
Accept: application/json
Content-type: application/json
Authorization: creds joe.user:RMEsPFo1AakM9YDtgVckJMIrk=
x-by-date: Thu, 31 Oct 2013 01:48:37 GMT
Cache-Control: no-cache
Sample Custom Signing Code

import base64, hashlib, hmac
from datetime import datetime, timezone

username = 'joe.user'
your_api_key = '1cd9b8b190ed02d1d0f2b9ff40c050604e7a2c7f'
# The same date string is sent in the x-by-date header (see the request above)
exp_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
# http_verb and url_with_params describe the request being signed, e.g. 'GET' and '/api/v1/lookup'
string_to_sign = http_verb + exp_date + url_with_params
signature = base64.b64encode(
    hmac.new(your_api_key.encode(), string_to_sign.encode(), hashlib.sha256).digest()).decode()
auth_string = "Creds" + " " + username + ":" + signature

add_http_header('Authorization', auth_string)
add_http_header('x-by-date', exp_date)
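The signing recipe on the slide is only half of the scheme; the other half is what the API does with the two headers, and that is where custom schemes usually go wrong (no clock window, so a captured request replays forever, or a plain string compare on the signature). The block below is an added example, not the talk's or any product's code: it implements the slide's client side (HMAC-SHA256 over verb + date + URL, base64, "creds user:signature") and a matching server-side `verify` with a five-minute skew window and a constant-time comparison. The key table, the skew limit, the date from the slide's sample request and every function name are assumptions for the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"

# Constructed key store: the username and key from the slide.
API_KEYS = {"joe.user": "1cd9b8b190ed02d1d0f2b9ff40c050604e7a2c7f"}


def string_to_sign(verb, date_header, url_with_params):
    # Same concatenation as the slide: HTTP verb, date string, URL with params
    return verb + date_header + url_with_params


def sign(api_key, verb, date_header, url_with_params):
    mac = hmac.new(api_key.encode(), string_to_sign(verb, date_header, url_with_params).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_headers(username, api_key, verb, url_with_params, now):
    """Client side: produce the Authorization and x-by-date headers."""
    date_header = now.strftime(DATE_FMT)
    signature = sign(api_key, verb, date_header, url_with_params)
    return {"Authorization": "creds " + username + ":" + signature,
            "x-by-date": date_header}


def verify(headers, verb, url_with_params, now, max_skew=timedelta(minutes=5)):
    """Server side: returns (ok, reason). The date is both signed and checked
    against the server clock, so a captured request only replays inside the
    skew window, and the signature compare is constant-time."""
    scheme, _, rest = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "creds" or ":" not in rest:
        return False, "malformed Authorization header"
    username, _, presented = rest.partition(":")
    api_key = API_KEYS.get(username)
    if api_key is None:
        return False, "unknown user"
    date_header = headers.get("x-by-date", "")
    try:
        sent = datetime.strptime(date_header, DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad x-by-date"
    if abs(now - sent) > max_skew:
        return False, "x-by-date outside allowed window"
    expected = sign(api_key, verb, date_header, url_with_params)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2013, 10, 31, 1, 48, 37, tzinfo=timezone.utc)  # date from the slide's request
    hdrs = build_headers("joe.user", API_KEYS["joe.user"], "GET", "/api/v1/lookup", now)
    print(hdrs)
    print(verify(hdrs, "GET", "/api/v1/lookup", now))
    print(verify(hdrs, "GET", "/api/v1/lookup?admin=1", now))
    print(verify(hdrs, "GET", "/api/v1/lookup", now + timedelta(minutes=10)))
```

Because the URL with its parameters is inside the signed string, changing a query parameter invalidates the signature; because the date is inside it too, an attacker cannot extend a captured request's lifetime by editing x-by-date. Binding the request body into the signed string would close the remaining gap for POST requests, which the slide's scheme does not cover.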
Possible layers of an App
• Classic HTML & JavaScript Client - Standard
• AJAX, SPA’s & Mobile apps Client - Discovery challenges, complex client code, plus API challenges
• Web Services / REST API’s Services - Various data formats
• OAuth & other API Auth Services - Challenging authentication schemes


Modern fighters must be well rounded
Modern AppSec pros must be well rounded
Embrace the challenge
“Do not pray for an easy app, pray for the strength to hack a difficult one”

Embrace the challenge
“Do not pray for an easy life, pray for the strength to endure a difficult one”
Thank you!
Twitter: @dan_kuykendall
Email: dan_kuykendall@rapid7.com
Blog/Podcast: http://manvswebapp.com

To learn more, visit us at: https://www.rapid7.com/products/insightappsec/
