Security testing of YUI powered applications

2,607
-1

Published on

http://lanyrd.com/2012/yuiconf/szwrf/

Everyone agrees that application security is of crucial importance, and attacks on web frontends are getting more frequent, sophisticated, and dangerous. Yet the area of security testing of frontend and YUI-based applications has so far received little attention. This talk highlights the need to embed security testing in the standard repertoire of every Javascript and YUI developer, alongside with functionality and performance tests. We will emphasize the security testing as part of development workflow - writing and running tests alongside creating the code. Our main goal is to attract the YUI community's attention to this grey area and start a discussion and cooperation of webappsec and YUI worlds.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,607
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • http://www.youtube.com/watch?v=RqC3oY-Fofo 37’57 - Dav Glass on YUIConf 2011 at 37’57 “Testing – saves our ass”
  • Why Security Testing
  • What is Pentesting? Make sure
  • Add a separate slide for each of them? Depending on time. Add a demo for couple of them
  • Code on https://github.com/dmitris/yuiconftalk2012
  • TODO app
  • Write tests to validate the assumptions
  • Static = find issue without running the codeAbstract Syntax Tree and Call Flow Graphhttp://www.flickr.com/photos/la_sombra/6036168427/
  • [put javascript good parts book image ]
  • [ add limitations ] [ script in html ] [ relationship of different scripts. Single file only]
  • MESSAGE1: What I am expecting to find?MESSAGE 2: How many of them are False Positives? False positives is intolerable in testing
  • http://www.flickr.com/photos/sethmazow/2088372704/
  • http://www.flickr.com/photos/djackmanson/489401961/Reviewer to complain? Or someone hurt ?
  • Consider adding it into your test script today and enforce it
  • http://www.flickr.com/photos/katjung/1199062421/
  • Why these are bad
  • Why these are bad
  • Lastly, we could talk about some interesting findings on use strictAmazon has a JS flattening code which accidentally included use strict in the middle of it (since one file has it) and it breaks another scriptMozilla has a MDN page that provides very comprehensive details on use strict. However, the JS on that page is not having strict mode enabled.
  • When you set to do at least some security-related tests, you have to consider more carefully edge cases, unintended usage of the application (interface, function etc.), assumptions made about the types of usage and input, whether protections are made, how they are implemented, and whether the implementation of those protection measures / controls is done in a way that allows to understand and verify in sufficient isolation.
  • Security testing of YUI powered applications

    1. 1. Security Testing Of YUI Powered ApplicationsNovember 15, 2012 YUIConf 2012 Dmitry Savintsev, Albert Yu
    2. 2. Who we areDmitry Savintsev- Yahoo Developer / Paranoid of 12+ years- Assembly -> C++ -> PHP -> Javascript- @dimisec, github.com/dmitrisAlbert Yu- Yahoo Engineer / Paranoid since 2005- @yukinying
    3. 3. Agenda: Why Security Testing JavaScript Testing vs. Pentesting Tools of Trade Testing for XSS Static Code Analysis The Road Ahead
    4. 4.  Testing Well-Known Benefits States and validates application behavior  “runnable documentation” No tests – not maintainable
    5. 5.  Security defects – highest negative impact Users’ data at stake! Your app WILL be tested by the world
    6. 6. Sad state of web application securityXSS is prevailingServer- and OS-level JavascriptNeed to pull all stops
    7. 7. Modern Javascript Testing: Unit, functional integration testing Code coverage / reporting tools Integral part of the CI workflow
    8. 8. Pentesting• Established practice in webappsec world• Combination of manual poking & use of different tools (ex. Burp Proxy)• Flourishing consulting business
    9. 9. Webappsec & Javascript• “it’s complicated” relationship• C++ / Java enterprise tradition• JS – too dynamic & wild
    10. 10. JS Dev and Webappsec need each other• Javascript eats the world • Just look at Yahoo! (Cocktails…)• Mobile / alt screens huge impetus• Attack surface rapidly expanding• Dire shortage of manpower and talent
    11. 11. Security testing challenges• “End of scanning”• Difficult-to-impossible to test automatically• “surface discovery” – mapping FE apps• Highly situation / context dependent
    12. 12. Code and feature coverage problemTesting needs to be guided through the appTesting and coding in close proximityPower to the developers!!
    13. 13. Tools for (security) testing• Selenium / Webdriver • Greatly matured in the recent years • JS bindings still new (only remote server)• PhantomJS (and Ghostdriver)• YUI Test
    14. 14. XSS Testing manual hacking Web automation JS unit tests
    15. 15. Some popular XSS Injections <xss> “><script>alert(123)</script> <img src=bla onerror=alert(123)> "onmouseover="alert(123)”x=” javascript:alert(123) alert(123)
    16. 16. XSS Testing DEMOhttps://github.com/dmitris /yuiconftalk2012
    17. 17. if (document.location.hash.substr(1)) {todoview_node = Y.one(.todo-view);todoview_node.setHTML(<input type="checkbox" class="todo-checkbox"> <span class="todo-content" tabindex="0"> + document.location.hash.substr(1) + </span> );
    18. 18. XSS SummaryBe careful paranoid with URL inputs:• location.hash• location.search• location.pathname• location.hrefAvoid passing Javascript in cgi parametersWRITE some SECURITY TESTS!
    19. 19. Static AnalyzerInteract without touching.
    20. 20. JSLint, JSHintThanks to NodeJS, now they are available asCLI tool.% # JavaScript Good Parts% npm -g install jslint% jslint --white --browserfoo.js% # JavaScript Less Good Parts% # Better reporting% npm -g install jshint
    21. 21. $ jslint --white --browser yui-debug.jsyui-debug.js #1 YUI was used before it was defined. if (typeof YUI != undefined) { // Line 15, Pos 12 #2 Expected !== and instead saw !=. if (typeof YUI != undefined) { // Line 15, Pos 16 #3 Unexpected dangling _ in _YUI. YUI._YUI = YUI; // Line 16, Pos 9$ jshint yui-debug.jsyui-debug.js: line 59, col 9, Redefinition of YUI.yui-debug.js: line 385, col 26, Missing semicolon.yui-debug.js: line 617, col 35, loader is already defined.yui-debug.js: line 632, col 18, Dont make functions within aloop.yui-debug.js: line 997, col 17, [loader] is better writtenin dot notation.yui-debug.js: line 2210, col 34, Expected an assignment orfunction call and instead saw an expression.
    22. 22. A Very Rough BenchmarkDisclaimers1. jQuery and YUI benchmark are not correct as the code does not stored on the path that stores Todomvc sample.2. JSLint stops when it sees critical error or too many errors.3. Minified code may affect the reporting.4. No yui-lint customizations.
    23. 23. Benchmarks on YUI GalleryRunning yui-lint (custom .jshintrc) 461 gallery modules 42 without any issues 74 warnings in average 86 modules > 100 issues 873 issues in maximum
    24. 24. One may belucky, strong,courageous …
    25. 25. … Some othersmay be moreeasily vulnerable.
    26. 26. Develop – where we run it now (?)Commit – where it should be runReview – and here as wellMergeRelease
    27. 27. var express = require(express);var app = express();var Y = require(yui/io-base);app.get(/api*, function(req, res){ var params = require(url).parse(req.url, true); var url = "http://localhost:3000/json/" + params.query.question ; Y.io(url, { on: { complete: function(id, e) { try { var json = JSON.parse(e.responseText); } catch (err) { console.log(err); } res.end( json.answer + "n" ); } } }); });app.get(/json/whoami, function(req, res){ res.end({"answer":"bob"}); });app.get(/json/*, function(req, res){ res.end("Error: I dont understand"); });app.listen(3000);
    28. 28. try { var json = JSON.parse(e.responseText);} catch (err) { console.log(err); } res.end( json.answer + "n" );}
    29. 29. JSLINT OUTPUT:#1 Missing use strict statement. var params = require(url).parse(req…#2 json was used before it was defined. try { json = JSON.parse(e.responseText); }Usually easier to enforce on server side.Frontend code are harder to enforce:1. Multiple script blocks2. Browser compatibilities3. Excuses ..?4. Frontend code will not be run on server?
    30. 30. DYNAMIC TESTTDD: TEST IT (safely), BREAK IT, FIX IT
    31. 31. ES5 STRICT MODETEST THE FORWARD COMPATIBLITY OF YOUR CODE FOR SECURE GOOD SAKE TEST IT, BREAK IT, FIX IT “use strict”;
    32. 32. On-the-fly Testing Hackinghttps://github.com/yukinying/connect-strictenjs Add “strict mode” without modifying the file Bonus 1: code-beautifier Bonus 2: middleware for nodejs server and test frameworks
    33. 33. On-the-fly Testing Hackinghttps://github.com/yukinying/connect-strictenjs Add “strict mode” without modifying the file Bonus 1: code-beautifier Bonus 2: middleware for nodejs server and test frameworks
    34. 34. ES5 Strict ModeOpt-in via “use strict” pragmaOption 1: Globally applying on same file/block/evalblock."use strict";YUI.use(...same script block, eval, fileOption 2: Function levelYUI.use(...’, function(Y){ "use strict"; var a = ...
    35. 35. The Big 4// 1. Global Variable Protectionvar dump_this_as_global = function() { "use strict"; console.log(this.a); // Err: // Cannot read property a of // undefined};dump_this_as_global();dump_this_as_global.call({a:1});
    36. 36. // 2. Global Variable Implicit// Declaration(function implicit_var() { "use strict"; for( var obj in list ) { ... // Err: obj is not defined})();console.log(i);DON’T DO THIS IN NODEJS
    37. 37. // 3. function inside function(function function_function () { "use strict"; if (1!=2) function dummy() { }; // Err: functions can only be // declared at top level or // immediately within // another function})();
    38. 38. // 4. Duplicated property(function duplicate() { "use strict"; var a = {b:1, b:2}; console.log(a.b);})();
    39. 39. Run LintMandate Tests in Build Env Use Strict. Test it, break it, fix it.
    40. 40. Security Testing Benefits
    41. 41. Intent (and attempt) of security testing => more robust product
    42. 42. Security Testing – basic safety
    43. 43. … just like seatbelts
    44. 44. We need good seatbelts and better cars…
    45. 45. but also cultural shift
    46. 46. Go real Pro
    47. 47. keep learning about web security
    48. 48. think about ways to misuse your app
    49. 49. think REAL HARDabout ways to misuse your app
    50. 50. Buckle Up
    51. 51. please WRITE someSECURITY TESTS
    52. 52. Creative Commons:http://upload.wikimedia.org/wikipedia/commons/2/2a/OperationDoorstep1-Car18.jpghttp://www.flickr.com/photos/77827383@N00/3873533711/http://www.flickr.com/photos/44449623@N07/6812272464/http://www.flickr.com/photos/djackmanson/489401961/http://www.flickr.com/photos/sethmazow/2088372704/http://www.flickr.com/photos/katjung/1199062421/http://www.flickr.com/photos/warriorswaytx/7606553088/http://www.flickr.com/photos/la_sombra/6036168427/http://www.flickr.com/photos/nicolas-baltenneck/4914565860/http://www.flickr.com/photos/danzen/2287834687http://upload.wikimedia.org/wikipedia/commons/e/ec/OperationDoorstep2-DemolishedHouse4.jpg

    ×