JavaScript Security

JavaScript Security jason harwig

quot;How dangerous could this silly little toy scripting language running inside a browser be?quot; Jeff Atwood codinghorror.com stackoverﬂow.com

“JavaScript's biggest weakness is that it is not secure.” douglas crockford

quot;.. nine out of 10 websites still have serious vulnerabilities. . (XSS) as the top vulnerability classquot; WhiteHat Security Website Security Statistic Report

OWASP Top 10 2007 1. XSS 6. Information Leakage 2. Injection Flaws 7. Broken Auth 3. File Exec 8. Insecure Crypto 4. Direct Object 9. Insecure Reference Communications 5. CSRF 10.Failure to restrict URL access

browser limitations

javascript IO • Ajax • Image • iFrame • Source script • Bridge to ﬂash, Java applets

var xhr = new XmlHttpRequest(); xhr.open(...)

NIC Server Google * get or post

var image = new Image(); image.src = url; * can detect connection success failure

NIC Server Google * get requests only | onload | onerror

f = document.createElement('iframe'); f.src = url; document.body.appendChild(f); * only if same domain

NIC Server Google * get requests only

s = document.createElement('script'); s.type = 'text/javascript'; s.src= url; document.body.appendChild(s); * if JSON returned

NIC Server Google * get requests only

f = document.createElement('form'); f.method = 'post'; ... f.submit();

NIC Server Google * get or post

white hat • Mashup / Aggregate content • SSO Solutions • Protect users / application integrity

black hat • XSS • CSRF • JSON hi-jacking • Cookie session hijacking • Internal network scanning • History checking

cross-site scripting

Browser IFrame same origin policy

user input escape it!

XSS Flavors • Type 0 - DOM • Type 1 - Non-Persistant • Type 2 - Persistant

type 0 var p = location.href.params; document.body.innerHTML = p

Type 1 Search: <script>alert('xss');</script>

Type 2 Please enter username: <script>alert('xss');</script>

<c:out value=quot;${var}quot; Your Username: <script>alert('xss');</script> escapeXml=quot;truequot;/>

html filtering

samy is my hero from http://fast.info/myspace/

Friend Requests 7,000 5,250 3,500 1,750 0 12:34pm 1:30am 8:35am 9:30am 10:30am 1:30pm

tag/attribute whitelist <div style=quot;background:url( 'javascript:alert('xss')' )quot;>

'javascript' stripped <div style=quot;background:url( 'javanscript:alert('xss')' )quot;>

quot; stripped String.fromCharCode(34);

innerHTML stripped eval('document.body.inne' + 'rHTML');

onreadystatechange stripped eval('xmlhttp.onread' + 'ystatechange = callback');

to be continued..

alternatives to escaping?

google caja / ADsafe

attack vectors to prevent?

code evaluation eval('alert(document.cookie)'); (new Function('alert(document.cookie)'))();

code eval continued <iframe src=quot;java�script:alert('xss')quot;> </iframe>

poluting global objects try { throw EvilArrayFunction; } catch (Array) { }

xss lessons • Escape XML

cross site request forgery the new kid

NIC Server Google

Digg.com • “digg” a story while logged in • Cookie authentication • known url, parameters

digg exploit code mf = window.frames[quot;myframequot;]; html = '<form name=quot;diggformquot; action=quot;http://digg.com/diginfullquot; method=quot;postquot;>'; html = html+'<input type=quot;textquot; name=quot;idquot; value=quot;367034quot;/>'; html = html+'<input type=quot;textquot; name=quot;orderchangequot; value=quot;2quot;/>'; html = html+'<input type=quot;textquot; name=quot;categoryquot; value=quot;0quot;/>'; html = html+'<input type=quot;textquot; name=quot;pagequot; value=quot;0quot;/>'; html = html+'<input type=quot;textquot; name=quot;tquot; value=quot;undefinedquot;/>'; html = html+'<input type=quot;textquot; name=quot;rowquot; value=quot;1quot;/>'; html = html+'</form>'; mf.document.body.innerHTML = html; mf.document.diggform.submit(); from http://4diggers.blogspot.com/

Fixes? • Referral checking? • quick cookie expiration? • post?

solved session.setAttribute(quot;tokenquot;, token); <input type=quot;hiddenquot; value=quot;${token}quot;/>

double submit cookie

digg link <a href=quot;javascript:dig([num],[id],[digCheck])quot;>digg it</a>

digg submit js new Ajax.Request(quot;/diginfullquot;, { quot;methodquot;: quot;postquot;, quot;parametersquot;: quot;id=quot; + itemd + quot;&row=quot; + row + quot;&digcheck=quot; + digcheck + quot;&type=quot; + type + quot;&loc=quot; + pagetype });

no diggcheck, no digg

digg.com • Added random hash as post parameter • server veriﬁes request

myspace • used hash in post to add friends • XSS vulnerable so the hash could be retrieved

HDIV • HTTP Data Integrity Validator

rsnake joins twitter

crossdomain.xml <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <cross-domain-policy xmlns:xsi=quot;http://www.w3.org/2001/ XMLSchema-instancequot; xsi:noNamespaceSchemaLocation=quot;http:// www.adobe.com/xml/schemas/PolicyFile.xsdquot;> <allow-access-from domain=quot;*.twitter.comquot; /> <site-control permitted-cross-domain-policies=quot;master-onlyquot;/> <allow-http-request-headers-from domain=quot;*.twitter.comquot; headers=quot;*quot; secure=quot;truequot;/> </cross-domain-policy>

http://www.yourminis.com/search_minis.aspx?q=XSS

stealing your gmail contacts

google contacts url contacts?out=js&callback=google

responseText google ({ Success: true, Errors: [], Body: { Contacts: [ { id, email, etc. } ] } });

google’s solution? • responseXml

lessons • Protect high value forms • CANNOT be stopped if site is vulnerable to XSS

json hijacking

new Ajax.Request('secretStuff', { onSuccess: doWork }); // server responds with [ { sensitive_info: '...' }, { sensitive_info: '...' } ]

So how do I do it? • Override Array • Source script

solved /*-secure- [ { sensitive_info: '...' }, { sensitive_info: '...' } ] */

“solved” continued • protect JSON services behind post

lessons • Many experts recommend JSON services shouldn’t serve sensitive data • use secure comment • responseXml as alternative

Session hijacking

internal network penetration

history hijack

resources quot;Security Now! Podcastquot; quot;Fortifyquot; twit.tv/sn fortifysoftware.com/security- resources/ quot;WhiteHat Securityquot; whitehatsec.com quot;XSS Generatorquot; ha.ckers.org/xss.html quot;Jeremiah Grossman Blogquot; jeremiahgrossman.blogspot.com quot;Samy is my Heroquot; fast.info/myspace quot;Digg Hackquot; 4diggers.blogspot.com quot;HDIVquot; hdiv.org

twitter: jharwig jason.harwig@nearinfinity.com nearinfinity.com/blogs careers@nearinfinity.com 81

http://www.nearinfinity.com	363
http://www.slideshare.net	40
http://localhost	24
http://www.nofluffjuststuff.com	14
http://nearinfinity.com	6
http://translate.googleusercontent.com	4
http://static.slideshare.net	3
http://server1.webkicks.de	2
http://www.feedhaus.com	1
http://www.therichwebexperience.com	1

JavaScript Security

by Jason Harwig on Nov 08, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

10 Embeds 458

Statistics

JavaScript Security — Presentation Transcript