Advanced Ajax Security Billy Hoffman ( [email_address] ) Manager, HP Security Labs
Transcript of "Advanced Ajax Security - active"

  1. Advanced Ajax Security. Billy Hoffman ( [email_address] ), Manager, HP Security Labs
  2. Who am I?
     - Manager, HP Security Labs
     - In the security space for 6 years
     - CS degree from Georgia Tech
     - Areas of focus
       - Crawling and sampling
       - JavaScript static analysis
       - XSS
     - Frequent presenter at hacker/security conferences
  3. Presentation Overview (April 29, 2010)
     - Manipulating client-side logic
     - Defeating logic protection techniques
     - Function hijacking
     - JSON hijacking
     - Hacking Google Gears
  4. “Boring” Ajax Security
     - Increased attack surface
     - Direct API access
     - Easier to reverse engineer
     - Amplifying web attacks
     - Offline attacks
     - “Surely no one actually does this, right?”
  5. Sexy Ajax Security
     - Sample Ajax travel website
     - Built using “expert” advice
       - Popular books
       - Articles/how-tos
       - Forums
     - Riddled with security defects
  6. API Domino Effect (diagram; labels: holdSeat(flightID), makeOffer(price, flightID), debitAccount(price), bookSeat(flightID))
  7. Overly Granular Application API (diagram; labels: Insecure, More secure)
  8. Polling Status Call (image only)
  9. Real-world Example (image only)
  10. Web 1.0 to Web 2.0 Conversion (image only)
  11. Premature Ajax-ulation! (image only)
  12. Exposed Administrative API (diagram; labels: Malicious use, Intended use)
  13. Defeating Logic Protection
     - Obfuscation
     - Lazy loading
  14. All Your Obfuscation Are Belong To Us!
  15. On-Demand JavaScript
     - How to debug code if you don’t have it all?
     - Firebug cannot debug dynamic code
       - JSON responses
       - Remote scripting
       - Lazy loading
     - “View Source” vs. “View Generated Source”
     - Need a way to monitor the JavaScript environment
  16. Understanding JavaScript Variable Scope
     - Everything is an object
       - Primitives (strings, numbers, regexps)
       - Functions
     - All global variables and functions are properties of the global object
     - Provided by the environment
     - Web browser = window
     - Can we enumerate it?
  17. Example Code

     function BogusFunction1() {
         // empty function
     }
     function BogusFunction2() {
         // empty function
     }
     // Walk the global object and collect the name of every function-valued property
     var ret = "";
     for (var i in window) {
         if (typeof(window[i]) == "function") {
             ret += i + " ";
         }
     }
     alert(ret);

  18. Enumerating All Functions (image only)
  19. HOOK: JavaScript Monitoring Framework
     - Enumerates the environment and traps on-demand code
     - Side-steps obfuscation
     - Reads from the environment itself
     - Demo
  20. Takeaways: Client-side Code
     - Client-side code is just a suggestion!
     - Client-side code cannot be protected, encrypted, or obfuscated
     - Store all secrets on the server
     - Enforce control flow on the server
     - Always match allocations with frees in the same method
     - Use server-side locking to prevent race condition vulnerabilities
  21. JavaScript Function Clobbering
     - Highly dynamic language
     - Typeless, dynamic execution paths
     - Can redefine itself at runtime
  22. JavaScript Namespaces
     - Namespaces prevent collisions
     - Solution: make functions properties of objects

     // Create the namespace objects first, then attach functions as properties
     var com = com || {};
     com.SomeSite = com.SomeSite || {};
     com.SomeSite.common = {};
     com.SomeSite.common.debug = function () { … };
     com.SomeSite.common.debug();
     com.SexyWidgets = {};
     com.SexyWidgets.debug = function () { … };
     com.SexyWidgets.debug();

  23. JavaScript Namespaces (image only)
  24. Intentional Function Clobbering
     - Attacker deliberately clobbers functions
     - What kind of functions can you clobber?
       - User-defined functions?
       - System functions?
     - Demo
  25. Clobbering System Functions: alert() (image only)
  26. Prototype’s Ajax.Request() (image only)
  27. Limitless Clobbering Possibilities
     - Can clobber anything
     - Automatic man in the middle
     - Other things
       - Dojo.Storage
       - Callback functions
       - Encryption functions?
  28. The Myth of the Same Origin Policy
     - Myth: Same Origin restrictions prevent JavaScript from seeing 3rd-party content
     - Fact: kind of prevents
       - Remote scripting
       - Image and iframe events (JavaScript port scanning)
       - 3rd-party plug-in communications
  29. JSON Hijacking
     - JSON is a valid subset of JavaScript
     - eval() can be used to “see” the response
     - Could use remote scripting to read JSON web services?
  30. JSON Hijacking

     <script type="text/javascript">
     [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],
       95120657, true],
      ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],
       19200435, false],
      ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],
       74905862, true],
      ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"],
       90398623, true]];
     </script>

  31. JSON Hijacking
     - How does the JS interpreter handle literals?
     - [9,4,3,1,33,7,2].sort();
     - Creates a temporary Array object
     - Executes the sort() function
     - Never assigned to a variable
     - Garbage collected away
  32. JSON Hijacking
     - How does the JS interpreter handle literals?
     - [9,4,3,1,33,7,2].sort();
     - Creates a temporary Array object
       - Invokes the Array() constructor function
     - Executes the sort() function
     - Never assigned to a variable
     - Garbage collected away
  33. JSON Hijacking
     - Clobber the Array() function with a malicious version
     - Use <SCRIPT SRC> to point to the JSON web service
     - Malicious Array() function harvests the data that comes back!

     function Array() {
         var foo = this;
         var bar = function() {
             var ret = "Captured array items are: [";
             for (var x in foo) {
                 ret += foo[x] + ", ";
             }
             ret += "]";
             //notify an attacker here
         };
         setTimeout(bar, 100);
     }
  34. JSON Hijacking Example (image only)
  35. JSON Hijacking Example (image only)
  36. JSON Hijacking Defense
     - XMLHttpRequest can see the response and perform operations on it before eval()ing
     - <SCRIPT SRC> cannot!
     - Make the JSON response non-valid JavaScript
     - XHR removes it!
     - <SCRIPT SRC> fails!
  37. Bad Approach #1

     <script type="text/javascript">
     I'// a bl0ck of inva1id $ynT4x! WHOO!
     [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],
       95120657, true],
      ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],
       19200435, false],
      ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],
       74905862, true],
      ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"],
       90398623, true]];
     </script>

  38. Bad Approach #2

     <script type="text/javascript">
     /*
     ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
     */
     </script>

  39. Bad Approach #2 (a value containing */ closes the comment early, so the remainder of the response is no longer commented out)

     <script type="text/javascript">
     /*
     ["Eve*/ ["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"] /*Nidhi"]
     */
     </script>

  40. Correct Approach

     <script type="text/javascript">
     for(;;);
     ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
     </script>

  41. Correct Approach

     function defangJSON(json) {
         // Strip the for(;;); prefix that makes the raw response unusable via <SCRIPT SRC>
         if (json.substring(0, 8) == "for(;;);") {
             json = json.substring(8);
         }
         return json;
     }
     var safeJSONString = defangJSON(xhr.responseText);
     // parseJSON() is the json.org String extension; JSON.parse(safeJSONString) is the built-in equivalent
     var jsonObject = safeJSONString.parseJSON();
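The for(;;); defense from slides 36 through 41, carried through both ends as an added example that is not code from the talk or the book: wrapJSON(), defangJSON(), roundTrip() and isDefended() are names chosen here, and the itinerary rows are constructed sample data.

```javascript
// Added example (not from the slides): both halves of the for(;;); defense.
// The server prefixes every JSON response; the XHR client requires the prefix,
// strips it and parses with JSON.parse (never eval). A <script src> inclusion
// of the same response spins forever in for(;;); and never reaches the array
// literal, so a clobbered Array() constructor has nothing to capture.

const PREFIX = "for(;;);";

// Server side (hypothetical helper): serialize the data and prepend the prefix.
function wrapJSON(value) {
  return PREFIX + JSON.stringify(value);
}

// Client side: hardened version of the slide's defangJSON(). A response
// without the prefix is rejected rather than parsed, so an endpoint that
// forgot the prefix fails loudly instead of quietly shipping hijackable JSON.
function defangJSON(body) {
  if (typeof body !== "string" || !body.startsWith(PREFIX)) {
    throw new Error("JSON response is missing the for(;;); prefix");
  }
  // JSON.parse accepts data only; anything with executable syntax throws.
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed sample data, shaped like the itinerary rows on the JSON Hijacking slides.
const SAMPLE_ITINERARIES = [
  ["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true],
  ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false],
];

// Round trip: what the XHR client ends up with from a defended endpoint.
function roundTrip(value) {
  return defangJSON(wrapJSON(value));
}

// true if the client accepts the body, false if it rejects it (no prefix, or not JSON).
function isDefended(body) {
  try {
    defangJSON(body);
    return true;
  } catch (e) {
    return false;
  }
}

console.log(roundTrip(SAMPLE_ITINERARIES)[0][0]);            // AJAXWorld
console.log(isDefended(JSON.stringify(SAMPLE_ITINERARIES)));  // false: bare JSON, loadable via <script src>
```

Modern engines no longer call a user-defined Array() for array literals, but the prefix still costs nothing and keeps the endpoint unusable as a <script src> target.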
  42. Securing Ajax Applications
     - Perform authentication/authorization checks on both web pages and web services
     - Group code libraries by function
     - Validate all input for your application
       - HTTP headers, cookies, query string, POST data
     - Verify data type, length and format
     - Always use parameterized queries
     - Always encode output appropriately
  43. Salvation Is Here!
     - Ajax Security, Addison-Wesley
     - “Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't.” (Jesse James Garrett)
     - In stores now!
  44. Advanced Ajax Security. Billy Hoffman ( [email_address] ), Manager, HP Security Labs