Advanced Ajax Security

Advanced Ajax Security Billy Hoffman ( [email_address] ) Manager, HP Security Labs

Who am I?

Manager HP Security Labs

In security space for 6 years

CS Degree from Georgia Tech

Areas of focus

Crawling and sampling

JavaScript static analysis

XSS

Frequent presenter at hacker/security conferences

Presentation Overview

Manipulating Client-side logic

Defeating logic protection techniques

Function Hijacking

JSON Hijacking

Hacking Google Gears

June 2, 2009

“ Boring” Ajax Security

Increased attack surface

Direct API access

Easier to reverse engineer

Amplifying web attacks

Offline attacks

“ Surely no one actually does this right?”

June 2, 2009

Sample Ajax travel website

Built using “expert” advice

Popular books

Articles/How-tos

Forums

Riddled with security defects

Sexy Ajax Security June 2, 2009

API Domino Effect June 2, 2009 holdSeat(flightID) makeOffer(price, flightID) debitAccount(price) bookSeat(flightID)

Overly Granular Application API June 2, 2009 Insecure More secure

Polling Status Call June 2, 2009

Real-world Example June 2, 2009

Web 1.0 to Web 2.0 Conversion June 2, 2009

Premature Ajax-ulation! June 2, 2009

Exposed Administrative API June 2, 2009 Malicious use Intended use

Defeating Logic Protection

Obfuscation

Lazy Loading

June 2, 2009

All Your Obfuscation Are Belong To Us!

How to debug code if you don’t have it all?

Firebug cannot debug dynamic code

JSON responses

Remote scripting

Lazy loading

“ View Source” vs “View Generated Source”

Need a way to monitor JavaScript environment

On-Demand JavaScript

Understanding JavaScript Variable Scope

Everything is a object

Primitives (Strings, numbers, regexp)

Functions

All global variables and functions are properties of global object

Provided by environment

Web browser = window

Can we enumerate?

Example Code

function BogusFunction1() {

//empty function

}

function BogusFunction2() {

//empty function

}

var ret = "";

for(var i in window) {

if(typeof(window[i]) == "function") {

ret += i + " ";

}

}

alert(ret);

Enumerating All Functions

HOOK: JavaScript Monitoring Framework

Enumerates the environment and traps on-demand code.

Side-steps obfuscation

Reads from the environment itself

Demo

Take Aways: Client-side Code

Client-side code is just a suggestion!

Client-side code cannot be protected, encrypted, or obfuscated

Store all secrets on the server

Enforce control flow on the server

Always match allocations with frees in the same method

Use Server-side locking to prevent race condition vulnerabilities

June 2, 2009

JavaScript Function Clobbering

Highly dynamics language

Typeless, dynamic execution paths

Can redefine itself at runtime

June 2, 2009

JavaScript Namespaces

Namespaces prevent collisions

Solution: Make functions properties of objects

var com.SomeSite.common = {};

com.SomeSite.common.debug

= function () { … };

com.SomeSite.common.debug();

var com.SexyWidgets = {};

com.SexyWidgets.debug = function() {…};

com.SexyWidgets.debug();

JavaScript Namespaces

Intentional Function Clobbering

Attacker deliberately clobbers functions

What kind of functions can you clobber?

User defined functions?

System functions?

Demo

Clobbering System Functions: alert()

Prototype’s Ajax.Request()

Can clobber anything

Automatic Man In The Middle

Other things

Dojo.Storage

Callback functions

Encryption functions?

Limitless Clobbering Possibilities

The Myth of the Same Origin Policy

Myth: Same Origin Restricts prevent JavaScript from seeing 3 rd party content

Fact: Kind of prevents

Remote Scripting

Image and Iframe events (JavaScript port scanning)

3 rd party plug-in communications

JSON Hijacking

JSON is a valid subset of JavaScript

eval() can be used to “see” the response

Could use remoting scripting to read JSON web services?

June 2, 2009

JSON Hijacking

<script type="text/javascript">

[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],

95120657, true],

["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],

19200435, false],

["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],

74905862, true],

["Black Hat USA", "2007-07-29" "2007-08-03", ["ATL", "LAS", "ATL"],

90398623, true]];

</script>

JSON Hijacking

How does JS interpreter handle literals?

[9,4,3,1,33,7,2].sort();

Creates temporary Array object

Executed sort() function

Never assigned to variable

Garbage collected away

JSON Hijacking

How does JS interpreter handle literals?

[9,4,3,1,33,7,2].sort();

Creates temporary Array object

Invokes Array() constructor function

Executed sort() function

Never assigned to variable

Garbage collected away

JSON Hijacking

Clobber the Array() function with malicious version

Use <SCRIPT SRC> to point to JSON web service

Malicious Array() function harvests the data that comes back!

function Array() {

var foo = this;

var bar = function() {

var ret = "Captured array items are: [";

for(var x in foo) {

ret += foo[x] + ", ";

}

ret += "]";

//notify an attacker here

};

setTimeout(bar, 100);

}

JSON Hijacking Example

JSON Hijacking Defense

XMLHttpRequest can see the response and perform operations on it before eval() ing

<SCRIPT SRC> cannot!

Make the JSON response non-valid JavaScript

XHR removes it!

<SCRIPT SRC> fails!

Bad Approach #1

I'// a bl0ck of inva1id $ynT4x! WHOO!

[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],

95120657, true],

["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],

19200435, false],

["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],

74905862, true],

["Black Hat USA", "2007-07-29" "2007-08-03", ["ATL", "LAS", "ATL"],

90398623, true]];

</script>

/*

["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]

*/

</script>

Bad Approch #2

Bad Approach #2

/*

[" Eve*/["bogus ", "Jill", "Mary", "Jen", "Ashley", " bogus"]/*Nidhi "]

*/

</script>

/*

["Eve*/ ["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"] /*Nidhi"]

*/

</script>

Correct Approach

for(;;);

["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]

</script>

Correct Approach

function defangJSON(json) {

if(json.substring(0,8) == "for(;;);") {

json = json.substring(8);

}

Return json;

}

var safeJSONString = defangJSON(xhr.responseText);

var jsonObject = safeJSONString.parseJSON();

Securing Ajax Applications

Perform authentication/authorization checks on both web pages and web services

Group code libraries by function

Validate all input for your application

HTTP headers, cookies, query string, POST data

Verify data type, length and format

Always use parameterized queries

Always encoded output appropriately

June 2, 2009

Salvation Is Here!

Ajax Security Addison-Wesley

" Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't.”

-Jesse James Garret

In stores now!

June 2, 2009

Advanced Ajax Security Billy Hoffman ( [email_address] ) Manager, HP Security Labs

Advanced Ajax Security

0 comments

Notes on slide 1

4 Favorites