Advanced Ajax Security
Advanced Ajax Security Presentation Transcript

  • 1. Advanced Ajax Security Billy Hoffman ( [email_address] ) Manager, HP Security Labs
  • 2. Who am I?
    • Manager HP Security Labs
    • In security space for 6 years
    • CS Degree from Georgia Tech
    • Areas of focus
      • Crawling and sampling
      • JavaScript static analysis
      • XSS
    • Frequent presenter at hacker/security conferences
  • 3. Presentation Overview
    • Manipulating Client-side logic
    • Defeating logic protection techniques
    • Function Hijacking
    • JSON Hijacking
    • Hacking Google Gears
    June 2, 2009
  • 4. “Boring” Ajax Security
    • Increased attack surface
    • Direct API access
    • Easier to reverse engineer
    • Amplifying web attacks
    • Offline attacks
    • “Surely no one actually does this, right?”
  • 5. Sexy Ajax Security
    • Sample Ajax travel website
    • Built using “expert” advice
      • Popular books
      • Articles/How-tos
      • Forums
    • Riddled with security defects
  • 6. API Domino Effect
    • holdSeat(flightID)
    • makeOffer(price, flightID)
    • debitAccount(price)
    • bookSeat(flightID)
  • 7. Overly Granular Application API (diagram: “Insecure” vs “More secure”)
  • 8. Polling Status Call
  • 9. Real-world Example
  • 10. Web 1.0 to Web 2.0 Conversion
  • 11. Premature Ajax-ulation!
  • 12. Exposed Administrative API (diagram: “Intended use” vs “Malicious use”)
  • 13. Defeating Logic Protection
    • Obfuscation
    • Lazy Loading
  • 14. All Your Obfuscation Are Belong To Us!
  • 15. On-Demand JavaScript
    • How do you debug code if you don’t have it all?
    • Firebug cannot debug dynamic code
      • JSON responses
      • Remote scripting
      • Lazy loading
    • “View Source” vs “View Generated Source”
    • Need a way to monitor the JavaScript environment
  • 16. Understanding JavaScript Variable Scope
    • Everything is an object
      • Primitives (Strings, numbers, regexp)
      • Functions
    • All global variables and functions are properties of global object
    • Provided by environment
    • Web browser = window
    • Can we enumerate?
  • 17. Example Code
      function BogusFunction1() {
        // empty function
      }
      function BogusFunction2() {
        // empty function
      }
      // walk the global object (window) and collect every property that is a function
      var ret = "";
      for (var i in window) {
        if (typeof(window[i]) == "function") {
          ret += i + " ";
        }
      }
      alert(ret);
  • 18. Enumerating All Functions
  • 19. HOOK: JavaScript Monitoring Framework
    • Enumerates the environment and traps on-demand code.
    • Side-steps obfuscation
    • Reads from the environment itself
    • Demo
  • 20. Take Aways: Client-side Code
    • Client-side code is just a suggestion!
    • Client-side code cannot be protected, encrypted, or obfuscated
    • Store all secrets on the server
    • Enforce control flow on the server
    • Always match allocations with frees in the same method
    • Use Server-side locking to prevent race condition vulnerabilities
  • 21. JavaScript Function Clobbering
    • Highly dynamic language
    • Typeless, dynamic execution paths
    • Can redefine itself at runtime
  • 22. JavaScript Namespaces
    • Namespaces prevent collisions
    • Solution: Make functions properties of objects
      // build the namespace objects step by step; "var com.SomeSite.common" is not valid JavaScript
      var com = com || {};
      com.SomeSite = com.SomeSite || {};
      com.SomeSite.common = {};
      com.SomeSite.common.debug = function () { … };
      com.SomeSite.common.debug();
      com.SexyWidgets = {};
      com.SexyWidgets.debug = function () { … };
      com.SexyWidgets.debug();
  • 23. JavaScript Namespaces
  • 24. Intentional Function Clobbering
    • Attacker deliberately clobbers functions
    • What kind of functions can you clobber?
      • User defined functions?
      • System functions?
    • Demo
  • 25. Clobbering System Functions: alert()
  • 26. Prototype’s Ajax.Request()
  • 27. Limitless Clobbering Possibilities
    • Can clobber anything
    • Automatic Man In The Middle
    • Other things
      • Dojo.Storage
      • Callback functions
      • Encryption functions?
  • 28. The Myth of the Same Origin Policy
    • Myth: Same Origin restrictions prevent JavaScript from seeing 3rd-party content
    • Fact: they only kind of prevent it; gaps include
      • Remote scripting
      • Image and Iframe events (JavaScript port scanning)
      • 3rd-party plug-in communications
  • 29. JSON Hijacking
    • JSON is a valid subset of JavaScript
    • eval() can be used to “see” the response
    • Could remote scripting be used to read JSON web services?
  • 30. JSON Hijacking
      <script type="text/javascript">
      [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],
        95120657, true],
       ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],
        19200435, false],
       ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],
        74905862, true],
       ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"],
        90398623, true]];
      </script>
  • 31. JSON Hijacking
    • How does the JS interpreter handle literals?
      [9,4,3,1,33,7,2].sort();
    • Creates a temporary Array object
    • Executes the sort() function
    • Never assigned to a variable
    • Garbage collected away
  • 32. JSON Hijacking
    • How does the JS interpreter handle literals?
      [9,4,3,1,33,7,2].sort();
    • Creates a temporary Array object
      • Invokes the Array() constructor function
    • Executes the sort() function
    • Never assigned to a variable
    • Garbage collected away
  • 33. JSON Hijacking
    • Clobber the Array() function with malicious version
    • Use <SCRIPT SRC> to point to JSON web service
    • Malicious Array() function harvests the data that comes back!
      function Array() {
        var foo = this;
        var bar = function() {
          var ret = "Captured array items are: [";
          for (var x in foo) {
            ret += foo[x] + ", ";
          }
          ret += "]";
          //notify an attacker here
        };
        setTimeout(bar, 100);
      }
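    An added probe, not from the slides, showing which Array invocations a replaced global Array() actually intercepts: the hijack on slides 32-33 depends on array literals calling the global Array(), which browsers of that era did, whereas current engines bind literals to the built-in Array intrinsic, so only explicit new Array() calls reach the replacement. The function name probeArrayClobbering and its return fields are my own.

```javascript
// Added example, not from the slides: probe which Array invocations a
// clobbered global Array() actually intercepts. The hijack on slides 32-33
// requires that array literals call the global Array(); current engines bind
// literals to the built-in Array intrinsic, so only explicit new Array() calls
// reach the replacement.
function probeArrayClobbering() {
  var realArray = globalThis.Array;
  var hits = { literal: 0, constructor: 0 };
  var phase = "none";

  // Stand-in for the malicious Array() on slide 33: it only counts calls.
  globalThis.Array = function Array() {
    if (phase === "literal") hits.literal++;
    if (phase === "constructor") hits.constructor++;
  };

  var viaLiteral, viaConstructor;
  try {
    phase = "literal";
    viaLiteral = [9, 4, 3, 1, 33, 7, 2];        // the literal from slide 31
    phase = "constructor";
    viaConstructor = new Array(9, 4, 3, 1);     // explicit constructor call
  } finally {
    globalThis.Array = realArray;               // always restore the real Array
  }

  return {
    literalReachedClobber: hits.literal > 0,
    constructorReachedClobber: hits.constructor > 0,
    literalStillRealArray: viaLiteral instanceof realArray && viaLiteral.length === 7,
    constructorNotRealArray: !(viaConstructor instanceof realArray)
  };
}
```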
  • 34. JSON Hijacking Example
  • 35. JSON Hijacking Example
  • 36. JSON Hijacking Defense
    • XMLHttpRequest can see the response and perform operations on it before eval()-ing it
    • <SCRIPT SRC> cannot!
    • Make the JSON response non-valid JavaScript
    • XHR removes it!
    • <SCRIPT SRC> fails!
  • 37. Bad Approach #1
      <script type="text/javascript">
      I'// a bl0ck of inva1id $ynT4x! WHOO!
      [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],
        95120657, true],
       ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],
        19200435, false],
       ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],
        74905862, true],
       ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"],
        90398623, true]];
      </script>
  • 38. Bad Approach #2
      <script type="text/javascript">
      /*
      ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
      */
      </script>
  • 39. Bad Approach #2
      <script type="text/javascript">
      /*
      [" Eve*/["bogus ", "Jill", "Mary", "Jen", "Ashley", " bogus"]/*Nidhi "]
      */
      </script>
      <script type="text/javascript">
      /*
      ["Eve*/ ["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"] /*Nidhi"]
      */
      </script>
  • 40. Correct Approach
      <script type="text/javascript">
      for(;;);
      ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
      </script>
  • 41. Correct Approach
      // xhr is an XMLHttpRequest whose response has completed
      function defangJSON(json) {
        if (json.substring(0, 8) == "for(;;);") {
          json = json.substring(8);
        }
        return json;
      }
      var safeJSONString = defangJSON(xhr.responseText);
      var jsonObject = JSON.parse(safeJSONString);   // the slide used json.js's String.parseJSON()
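    An added worked example, not from the slides, of the for(;;); framing from slides 36-41 on both ends, with the comment wrapper of slides 38-39 beside it to show why it fails on data that contains "*/". The names frameJSON, isValidScript, commentWrap and commentWrapIsBypassable are my own; defangJSON keeps the slide's name but rejects unframed responses instead of passing them through.

```javascript
// Added example, not from the slides: the for(;;); framing of slides 36-41.
// The server frames the JSON; an XMLHttpRequest caller can read the raw text
// and unframe it, whereas a <script src> include executes the loop first and
// never reaches the array literal.
var PREFIX = "for(;;);";

// Server side: prepend the infinite loop to the serialised JSON.
function frameJSON(data) {
  return PREFIX + JSON.stringify(data);
}

// Client side (XHR only): require the exact prefix, strip it, then parse with
// JSON.parse rather than eval(). An unframed response is rejected, so a
// misconfigured endpoint fails closed instead of quietly shipping hijackable JSON.
function defangJSON(text) {
  if (text.substring(0, PREFIX.length) !== PREFIX) {
    throw new Error("response is not framed with " + PREFIX);
  }
  return JSON.parse(text.substring(PREFIX.length));
}

// The framed body is still syntactically valid JavaScript: a <script src>
// include loads and runs it, but spins in for(;;); before the literal.
function isValidScript(text) {
  try { new Function(text); return true; } catch (e) { return false; }
}

// Bad Approach #2 (slides 38-39) for comparison: a comment wrapper is only as
// strong as the data inside it; any string containing "*/" ends the comment.
function commentWrap(data) {
  return "/*\n" + JSON.stringify(data) + "\n*/";
}
function commentWrapIsBypassable(data) {
  return JSON.stringify(data).indexOf("*/") !== -1;
}

// Trip records taken from slide 30; index 0 is a user-chosen trip name.
var TRIPS = [
  ["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true],
  ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false]
];
// A trip name that closes the comment early, as on slide 39 (constructed sample).
var TRIPS_WITH_BREAKOUT = [
  ["Eve*/ [\"bogus\"", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"], 74905862, true]
];
```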
  • 42. Securing Ajax Applications
    • Perform authentication/authorization checks on both web pages and web services
    • Group code libraries by function
    • Validate all input for your application
      • HTTP headers, cookies, query string, POST data
    • Verify data type, length and format
    • Always use parameterized queries
    • Always encode output appropriately
  • 43. Salvation Is Here!
    • Ajax Security Addison-Wesley
    • “Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't.”
    • - Jesse James Garrett
    • In stores now!
  • 44. Advanced Ajax Security Billy Hoffman ( [email_address] ) Manager, HP Security Labs