Black Hat 2016 Summary Part 2.1

A few months ago I had the opportunity to visit this year’s Black Hat in Las Vegas. Due to a few weeks of vacation following the conference here are my delayed 2 cents (part 1)

Abusing Bleeding Edge Web Standards For AppSec Glory – Bryant Zadegan & Ryan Lester (Slides)

Bryant and Ryan talked about new web standards which are already implemented in parts of the current browser jungle. Namely these standard were:

  • SubResource Integrity
  • Content Security Policy
  • HTTP Public Key Pinning

I went to their talk because I am very interested in current and upcoming web technologies on the one hand. On the other hand I identify hacking, or the hacker mindset, with something Wau Holland once said on what hacker is: “Someone who tries to find a way to make toast with his coffee machine.” Using a thing, in most cases something technology related, to do something it was not supposed to be used and make it work.

So i was very eager to find out what Bryant and Ryan were to show.

SubResource Integrity primarily is a way to check the integrity of third party scripts fetched from a CDN for example to detect and prevent unexpected manipulation of code that is to be executed in the clients browser. Coming to the hacky part the speakers showed that on the one hand there were flaws in the implementation which allowed the bypass of the validation. On the other hand they introduced their implementation of providing a fallback source if the integrity check fails. From my point of view a nice-to-know but no wow-effect.

Moving on to the Content Security Poilicy Bryant and Ryan introduced the concept of CSP Meta Hardening to me. This basically means preventing the browser from executing inline code from execution. But not until inline code is executed which e.g. contains to complex application logic. This is done by adding a <meta> tag to the DOM via JavaScript changing the present CSP to a stricter policy. Thus making it harder to exploit common Cross Site Scripting vulnerabilities in web sites.

The third part of the talk was all about HTTP Public Key Pinning (HPKP) and what it can be used for apart from the obvious. In short HPKP tells your browser to trust a SSL certificate, and only this particular certificate, after visiting this site for the first time. Obvious use case for this is to prevent a ransom entity to impersonate you, e.g. during a MITM attack, by presenting a valid certificate signed by a “valid” CA where valid means some CA in your trust store.

The first hacky use case Bryant and Ryan showed was HPKP Suicide. On the one hand an attack someone could perform to lock out valid user from a web page and blackmail the page owners which is covered step by step in the slides of the talk and also explained in this (german) heise article. On the other hand, they reasoned a scenario to intentionally lock out users and force them to use cached content in order to improve performance and prevent users from being affected of security breaches on the server side. In theory some kind of code signing.

I for myself tend to assess both scenarios as a bit over the top. But I am no web developer guy which may be why I am more likely to comprehend the ransom use case.

The other HPKP shenanigan introduced in this talk was the implementation of the HPKP SuperCookie. Basically a way of user tracking in the web by implementing one of the privacy considerations pointed out in RFC7469. Surprisingly this also works if you change into incognito mode in your browser, which is of course beneficial for the actual use case of HPKP but not for the SuperCookie. At this point my requirement for unorthodox usage of technology for a use case other than its desired one was met. For a more thorough description of the SuperCookie see the implementation and the slides.

For some more information on the SuperCookie issue I’d like to point to this blog post and for some real world demo click here.