www.salesforce.com
Finding Salesforce.com
Is it in the Browser Cache?
www.salesforce.com
Is it in the Router cache?
Talking to Salesforce.com
www.salesforce.com
TCP
96.43.144.26
Talking to Salesforce.com
GET / HTTP/1.1
Host: www.salesforce.com
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: unique=true;
Connection: keep-alive
Talking to Salesforce.com
HTTP/1.1 200 OK
Server: SFDC
Vary: Accept-Encoding
Last-Modified: Tue, 08 Apr 2014 22:51:07 GMT
Content-Type: text/html; charset=UTF-8
Date: Tue, 08 Apr 2014 22:51:06 GMT
Content-Length: 120179
[REST OF THE BODY]
www.salesforce.com
Rebuild DOM
Plugins
Complexity
Abstractions
Abstraction is necessary to summarize complex processes into well-defined behaviors and functionality
Roles
Roles and
Abstractions
This makes building complex applications tractable
Security Issues
Insecure Abstractions
Some abstraction layers, by design, do not have any security properties or guarantees
Security Issues
Program Objective
Understand common security issues on the Salesforce platform
Understand abstraction weaknesses, behaviors and misconceptions that are the common causes of security bugs
Hands-on coverage of finding security issues
Browser
Transport
Storage
CSRF
XSS
Browser
SQLi
Transport
Insecure Transport
Storage
Insecure Storage
Logical
The Web Abstraction
The Document Object Model (DOM) is an application programming interface (API) for valid HTML
and XML documents.
It defines the logical structure of documents and the way a document is accessed and manipulated.
Dynamic HTML
User Input
Hands On
HTML
Encoding
Hands On Takeaways
Browsers are very error tolerant
There's no way for the browser to distinguish data from code
Special characters must be encoded
Special characters must be encoded
HTML Entities
Used to print characters that have a special meaning in HTML
&gt; denotes the greater-than sign (>)
&lt; denotes the less-than sign (<)
&amp; denotes the ampersand (&)
&quot; denotes the double quote (")
HTML Entities
http://dev.w3.org/html5/html-author/charref
HTML Injection
<html>
<body>
Hello there John! You are feeling {%=request.getAttribute(mood)%}   <!-- user input -->
You have 5$ in your account
<img src="somthing.gif">
</body>
</html>
HTML Injection
hidden iframe
John's
Browser
HTML Injection
scheme://
login.password@
address
:port
/path
?querystring
#fragment
JavaScript Pseudo-URI
javascript:
Data Pseudo-URI
data:
media type
;base64
uri data
URL Encoding
Request Methods
GET used to retrieve information identified by the request URI (in theory)
GET Request
POST Request
HTTP Response
Server sends a three digit code indicating status
1XX : Informational Response
2XX : Successful Response
3XX : Redirection Messages
4XX : Client Error
5XX : Server Error
Server sends HTTP response headers
Final block contains the data
HTTP Response
Hands On
HTML &
HTTP
Dissection
with Burp
Hands On Takeaways
Everything can be tampered with
Efficacy of Client side validation
Web applications should not make any assumptions about input
Dreamforce Hotel Reservation Bug: W-2342203
The Browser Abstraction
Cookies
Makes HTTP stateful
Server sends a Set-Cookie Header in the HTTP Response
Set-Cookie: cookie-name=cookie-value; Domain=domain; Path=path; Expires=date; HttpOnly; Secure
Set-Cookie: sid=some_value; Domain=.salesforce.com; Path=/
Cookies
Key-Value pairs with attributes stored in the browser
Key-Value pairs are sent in the Cookie header of every request whose host and path match the cookie's Domain and Path
Cookie: cookie-name=cookie-value;
Cookies
Browser Cookie Jar
key=value; domain=.my.salesforce.com -> sent to *.my.salesforce.com (e.g. na1.my.salesforce.com, cs0.my.salesforce.com)
key=value; domain=na1.my.salesforce.com -> sent to na1.my.salesforce.com only (except IE, but let's ignore)
key=value; domain=.salesforce.com -> sent to *.salesforce.com (e.g. my.salesforce.com, cs0.my.salesforce.com)
Cookies
Server can set the domain attribute to any of its parent domains except the top-level domain (enforced by the browser)
Set-Cookie: key=value; domain=.my.salesforce.com   (allowed from na1.my.salesforce.com: a parent domain, not the tld)
Set-Cookie: key=value;   (no domain attribute: scoped to the responding host, na1.my.salesforce.com, the child domain)
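The two cookie rules above (which hosts a stored cookie is sent to, and which Domain values a server may set) as a runnable model. This is an added example, not code from the slides; it simplifies the browser by treating the last DNS label as the top-level domain, where real browsers consult the Public Suffix List.

```python
from typing import List, Optional, Tuple

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def cookie_applies(request_host: str, jar_domain: str) -> bool:
    """Jar notation as on the slides: a leading dot means a Domain cookie,
    no dot means a host-only cookie that is sent to exactly that host."""
    if jar_domain.startswith("."):
        return domain_matches(request_host, jar_domain)
    return request_host.lower() == jar_domain.lower()

def cookies_sent(jar: List[Tuple[str, str]], request_host: str) -> List[str]:
    """Names of the (name, jar_domain) cookies the browser attaches to a request."""
    return [name for name, dom in jar if cookie_applies(request_host, dom)]

def effective_domain(response_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """Jar domain the browser stores for a Set-Cookie from response_host,
    or None when the browser rejects the cookie.
    Simplification (assumption): the last label is the TLD; browsers use the
    Public Suffix List instead."""
    host = response_host.lower()
    if domain_attr is None:
        return host                      # host-only cookie
    dom = domain_attr.lower().lstrip(".")
    if "." not in dom:
        return None                      # bare TLD such as "com": rejected
    if not domain_matches(host, dom):
        return None                      # not a parent of the responding host
    return "." + dom

# Constructed cookie jar mirroring the slide's three entries.
JAR = [
    ("wide", ".my.salesforce.com"),
    ("narrow", "na1.my.salesforce.com"),
    ("top", ".salesforce.com"),
]

if __name__ == "__main__":
    for host in ("na1.my.salesforce.com", "cs0.my.salesforce.com", "my.salesforce.com"):
        print(host, "gets", cookies_sent(JAR, host))
    for attr in (None, ".my.salesforce.com", ".salesforce.com", ".com", "cs0.my.salesforce.com"):
        print("na1 sets Domain=%s ->" % attr, effective_domain("na1.my.salesforce.com", attr))
```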
Session Cookie
Set-Cookie: sessionid=cookie-value; Path=/; Expires=date; HttpOnly; Secure
Cookie Quiz
A web application sets the session cookie value as <username>
after authenticating the user using 2 factor authentication.
Also, the web application displays the image below
Is this Secure?
Cookie Quiz
Cross-Site
Request
Forgery
CSRF
Cookies are sent by the browser for ALL requests, including cross-domain requests
Diagram: a page on www.attacker.com triggers a request to www.salesforce.com, and the browser attaches the salesforce cookies to it
CSRF
An attacker can force a user to make legitimate requests with attacker-supplied parameters to any site
Diagram: www.attacker.com issues the request to www.salesforce.com; the browser again attaches the salesforce cookies
CSRF
Diagram: the user's browser loads www.attacker.com (attacker cookies attached); the page sends an evil cross-domain request (XDR) to www.salesforce.com, and the browser attaches the salesforce cookies to that request
<img src="http://www.salesforce.com/someServlet?doStuff"/>
<a href="http://www.salesforce.com/someServlet?doStuff">click!</a>
<body onload="document.getElementById('CSRF_form').submit()">
<form id="CSRF_form" method="POST" action="http://www.salesforce.com/dostuff">
<input type="hidden" name="sendmoney" value="amal"/>
<input type="submit">
</form>
</body>
CSRF
State-changing web operations should be accompanied by a secret that isn't sent automatically like cookies are
These secrets are called CSRF tokens
CSRF tokens are typically included in the DOM
Custom headers with secrets are effective
Identify state-changing operations in a feature (if you have to prioritize, start with the most critical operation)
Identify the CSRF token in the request (body element or a custom header)
Repeat the request without the token; on a proper implementation the operation should fail (Burp Repeater will be covered in the next hands-on)
Alter the value of the token; on a proper implementation the operation should fail
Re-using user A's CSRF token (by editing the request) in a different session (A terminates the session and creates a new one, or user B's session) should result in failure
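A server-side token check that behaves the way the test steps above expect (missing, altered and cross-session tokens all fail). This is an added example, not code from the slides or from the Salesforce platform; the one-random-token-per-session design, the `csrf_token` field name and the `X-CSRF-Token` header name are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

@dataclass
class Session:
    """Server-side session; identified by the session cookie. A fresh token is
    minted per session, so a token never outlives the session it was issued for."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    session: Session          # resolved from the session cookie
    method: str
    form: Dict[str, str]      # body fields
    headers: Dict[str, str] = field(default_factory=dict)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def csrf_ok(req: Request) -> bool:
    """Accept a state-changing request only if it carries this session's token,
    either in the body (DOM-embedded token) or in a custom header."""
    if req.method.upper() not in STATE_CHANGING:
        return True           # safe methods carry no token and must change no state
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token:
        return False          # token omitted
    # Constant-time compare against the token bound to *this* session:
    # an altered token, or one copied from another session, fails here.
    return hmac.compare_digest(token, req.session.csrf_token)

def send_money(req: Request, balances: Dict[str, int]) -> str:
    """The protected operation: runs only when the CSRF check passes."""
    if not csrf_ok(req):
        return "rejected"
    balances[req.session.user] -= int(req.form["amount"])
    return "ok"

if __name__ == "__main__":
    alice, bob = Session("alice"), Session("bob")
    bal = {"alice": 100, "bob": 100}
    legit = Request(alice, "POST", {"amount": "5", "csrf_token": alice.csrf_token})
    forged = Request(alice, "POST", {"amount": "5"})   # cross-site form: cookie only
    reused = Request(bob, "POST", {"amount": "5", "csrf_token": alice.csrf_token})
    print(send_money(legit, bal), send_money(forged, bal), send_money(reused, bal), bal)
```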
CSRF
CSRF
Are operations that require multiple steps (requests) safe from CSRF by default?
CSRF
Hands On
Cross-Site
Request
Forgery
JavaScript
allCookies = document.cookie;
alert(allCookies);
document.body.innerHTML = "This is my new body";
Events are sent to notify code of interesting things that have taken place in the DOM (click, mouseover)
Event Reference: https://developer.mozilla.org/en-US/docs/Web/Reference/Events
Mechanism of registering event listeners via on... attributes or properties in HTML and other web APIs
<button onclick="alert(this)"> or window.onload = function() { /* ... */ }
Encoding in JavaScript
<script>
var value = {%=userinput%};
var new_value = {%=userinput2%};
</script>
Encoding in JavaScript
Does Javascript encoding work here?
<script>
eval({%=userinput%});
</script>
JavaScript Quiz
JavaScript Quiz
Cross-Site
Scripting
Reflected XSS
Data from a request parameter is reflected in the page without proper sanitization or appropriate encoding
Reflected XSS
Request: www.vulnapplication.com?userName=me
<html>
<body>
Hello there {%=request.getAttribute(userName)%}
</body>
</html>
Reflected XSS
Request: www.vulnapplication.com?userName=<script>AttackerCode</script>
<html>
<body>
Hello there {%=request.getAttribute(userName)%}
</body>
</html>
Stored XSS
Stored XSS
Attacker
userName = PAYLOAD
<html>
<body>
Hello there {%=getFromDataBase(userName)%}
</body>
</html>
Stored XSS
Attacker
evilcookie = PAYLOAD
<html>
<body>
Hello there {%=getCookieValue(evilcookie)%}
</body>
</html>
<script>
document.write(document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
</script>
Identify where the input appears and what characters are encoded
Cross-site Scripting
Would replacing all instances of < and > in the input solve the problem?
Remember Set-Cookie?
A server identifies a user (after logging in) by setting a session cookie
Set-Cookie: sessionid=cookie-value; Path=/; Expires=date; HttpOnly; Secure
Cookies with the HttpOnly flag set cannot be accessed through non-HTTP APIs (JavaScript)
Cross-site Scripting
Hands On
XSS
Blending
Abstractions
Breaking Salesforce
Multi-tenancy
The Transport Abstraction
None
Anyone on the network can eavesdrop traffic
Anyone on the network can modify content
Anyone on the network can divert traffic
We were sort of doing all the above with Burp
Asymmetric Cryptography
Signatures
Certificates
Certificates
Mixed Content
What's wrong with this?
https://www.salesforce.com
<script src="http://www.salesforce.com/script.js">
Remember Cookies ?
host : port
Advanced
XSS
Hands On
SQL Injection
SQL Injection
Diagram: username and password reach the Application over HTTP GET/POST; the Application sends the query to the Database, where it runs as the Application
SQL Injection
Unlike XSS, affects server-side state
Data leakage (confidentiality)
Data loss (integrity)
Application logic bypass (authentication/authorization)
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)
What Next?
The Tangled Web by Michal Zalewski
Find a P0-2 security bug and we'll expense a hard copy
What Next?
OWASP WebGoat
http://webgoat.github.io
What Next?
References
developer.mozilla.org
RFCs
OWASP
Security Essentials deck by Robert Sussland & Sergey Gobaty
wiki{art,pedia}
Feedback to amal.krishnan@salesforce.com