Client-side JavaScript Vulnerabilities
Automatically detecting client side JavaScript vulnerabilities using IBM Rational AppScan and JavaScript Security Analyzer (hybrid analysis)

Published in: Technology
3 Comments
  • nice
  • I guess I don't understand. You can manually execute any JavaScript from the client anyway just by typing 'javascript:{...}' in the address bar of any modern browser, and the WebKit browsers have a console where you can type and execute your own JavaScript commands, so if one wanted to call APIs from his own client, he could easily do it without JS injection...

    I guess someone could create a malicious link as in the examples, but http could be configured not to run cross domains so you can't extract any information from any http request. Most sites require authentication before you access sensitive information anyway, so for the 'attack' to have any effect you would have to be logged in in one tab and then click on a link in another that redirects you back to a hacked page on the first, which would be a strange thing to do.
  • FYI - JSA has been improved greatly recently, and now actually located that 40% of the F500 web sites are actually vulnerable!
Transcript

  • 1. Client-side JavaScript Security Vulnerabilities
    The Twilight Zone of Web Application Security
    Ory Segal, Security Products Architect, Rational
  • 2. Ory Segal
    Security products architect, Rational
    AppScan product manager
    Web Application Security Consortium officer
    Contributor (WASC, MITRE, NIST, OWASP)
    Renowned application security expert
  • 3. From server to client side – the migration story of web application logic
  • 4. 1990 <HTML>: capable of presenting only text and hyperlinks
    1993 <IMG>: embedded images in web pages (3rd party allowed)
    1995 <SCRIPT>: JavaScript enables programmatic modifications to HTML
    1996 <IFRAME>: embeds a page within a page (3rd party contents); <EMBED>: embeds an Adobe Flash file for animation
    1999 XHR: client-side API (e.g. JS) to send & receive HTTP traffic programmatically, without refreshing the entire page
    2005 AJAX: fetch data asynchronously using XHR, reducing the time spent waiting on page loads; desktop app look & feel
    2011 HTML5 & APIs: Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, …
  • 5. Logic is Migrating from Server to Client…
    We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
  • 6. Client-side JavaScript Security Issues
  • 7. DOM-Based Cross-site Scripting
    A type of XSS (the third type after "Reflected" & "Stored")
    The application doesn't need to echo back user input as in Type I & Type II
    We poison a DOM element that is then used by JavaScript code
    Example: http://www.vuln.site/welcome.html?name=Ory
        <HTML>
        <TITLE>Welcome!</TITLE>
        Hi
        <SCRIPT>
        var pos = document.URL.indexOf("name=") + 5;
        document.write(document.URL.substring(pos, document.URL.length));
        </SCRIPT> <BR/>
        Welcome to our system
        </HTML>
    Source: document.URL
    Sink: document.write()
    Result: document.write("Ory")
  • 8. DOM-Based Cross-site Scripting – Attack Example
    http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>
        <HTML>
        <TITLE>Welcome!</TITLE>
        Hi
        <SCRIPT>
        var pos = document.URL.indexOf("name=") + 5;
        document.write(document.URL.substring(pos, document.URL.length));
        </SCRIPT> <BR/>
        Welcome to our system
        </HTML>
    Source: document.URL
    Sink: document.write()
    Result: document.write("<script>alert('hacked')</script>")
    The attack took place entirely on the client side: the # fragment identifier is never sent to the server, so server-side defenses never see it
    Hacker-controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc.
  • 9. Client-side Open Redirect
    JavaScript code automatically redirects the browser to a new location
    The new location is taken from a DOM element (URL, query, referrer, etc.)
    Example: http://www.vuln.site/redirect.html?a=5&url=http://www.some.site
        ...
        var sData = document.location.search.substring(1);
        var sPos = sData.indexOf("url=") + 4;
        var ePos = sData.indexOf("&", sPos);
        var newURL;
        if (ePos < 0) { newURL = sData.substring(sPos); }
        else { newURL = sData.substring(sPos, ePos); }
        window.location.href = newURL;
    Source: document.location
    Sink: window.location.href
    Result: window.location.href = "http://www.some.site";
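A hardened replacement for the redirect.html snippet, added here as an example and not code from the presentation: the url parameter is parsed with URLSearchParams, resolved against the page's own origin with the URL API, restricted to http(s), and followed only if its host is on an allowlist. The page origin https://www.vuln.site is taken from the slide's example URL; the allowlist and the partner.example host are constructed for illustration.

```javascript
// Added example (not the presentation's code): a hardened replacement for the
// redirect.html snippet. The raw url parameter never reaches window.location.href;
// it is parsed with URLSearchParams, resolved against the page's own origin with
// the URL API, restricted to http(s), and followed only if its host is on an
// allowlist. The page origin comes from the slide's example URL; the allowlist
// is constructed for illustration.
const PAGE_ORIGIN = 'https://www.vuln.site';
const TRUSTED_HOSTS = new Set(['www.vuln.site', 'partner.example']);  // constructed

function safeRedirectTarget(search, pageOrigin = PAGE_ORIGIN) {
  // Real query parsing: no indexOf("url=") that also matches "furl=", no manual "&" scan.
  const raw = new URLSearchParams(search).get('url');
  if (raw === null) return '/';
  let target;
  try {
    target = new URL(raw, pageOrigin);  // relative paths resolve against our own origin
  } catch (e) {
    return '/';  // unparsable value: fall back to the home page
  }
  // Scheme check first: only http(s) targets are ever followed, whatever the host.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return '/';
  // Host check: protocol-relative "//other.example/" resolves to another host and fails here.
  if (!TRUSTED_HOSTS.has(target.hostname)) return '/';
  return target.href;
}

// Replacement for the slide's `window.location.href = newURL;` line.
function redirect(search, win = typeof window !== 'undefined' ? window : null) {
  const dest = safeRedirectTarget(search);
  if (win) win.location.href = dest;
  return dest;
}
```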
  • 10. Stored DOM-Based Cross-Site Scripting
    Exploiting the HTML5 localStorage API
    register (stores the name):
        ...
        var pos = document.URL.indexOf("name=") + 5;
        var yourName = document.URL.substring(pos, document.URL.length);
        yourName = decodeURI(yourName);
        window.localStorage.name = yourName;
        }
        ...
    welcome (reads it back):
        ...
        <div id="header"></div>
        <script>
        var elem = document.getElementById("header");
        var name = window.localStorage.name;
        elem.innerHTML = "Hello, " + name;
        </script>
        ...
    Source: document.URL
    Storage: window.localStorage.name
    Sink: elem.innerHTML
    Result: elem.innerHTML = <value_of_name_parameter>
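The welcome.html pattern from slides 7, 8 and 10 next to a hardened version, added here as an example and not code from the presentation. The fix has two parts: read the parameter with the URL API instead of indexOf()/substring() over document.URL, and render it with textContent instead of document.write() or innerHTML; the element and storage objects are passed in so the code also runs outside a browser.

```javascript
// Added example (not the presentation's code): the welcome.html snippet from the
// slides next to a hardened version. Two fixes: read the parameter with the URL
// API instead of indexOf()/substring() over document.URL (which also swallows the
// "#?name=" fragment trick, since the fragment is not part of the query), and
// render it with textContent instead of document.write()/innerHTML. `el` is any
// DOM element or, for running outside a browser, an object with textContent.

// Vulnerable, as on the slide: returns the string that document.write() would emit.
function greetUnsafe(href) {
  var pos = href.indexOf("name=") + 5;
  return href.substring(pos, href.length);
}

// Hardened: proper parsing, bounded length, default for a missing value.
function readName(href) {
  const name = new URL(href).searchParams.get('name');  // fragment is never consulted
  return name === null ? 'guest' : name.slice(0, 40);
}
function greetSafe(el, href) {
  el.textContent = 'Hi ' + readName(href);  // a text node: any markup stays inert
  return el.textContent;
}

// Stored variant (slide 10): the value is untrusted again when read back from
// localStorage, so the sink side must also render as text. `storage` is
// window.localStorage in a browser or a plain object in tests.
function storeName(storage, href) {
  storage.name = readName(href);
  return storage.name;
}
function greetFromStorage(el, storage) {
  el.textContent = 'Hello, ' + (storage.name || 'guest');
  return el.textContent;
}
```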
  • 11. So, how common are client-side JavaScript issues?
  • 12. (Lack of) Statistics on Client-Side JS Issues
    Two options for gathering statistics: automated discovery, manual discovery
    Automated tools: dynamic analysis tools only uncover ~30%; static analysis tools struggle with dynamic code (AJAX)
    Manual code review is hell – have you seen JavaScript lately? (the slide fills the screen with minified dojo.js to make the point)
  • 13. Introducing JavaScript Security Analyzer
  • 14. What is JSA?
    1st and only to auto-detect client-side issues such as:
    DOM-based XSS
    Phishing through Open Redirect
    HTML5 Notification API Phishing
    HTML5 Web Storage API Poisoning
    HTML5 Client-side SQL Injection
    HTML5 Client-side Stored XSS
    HTML5 Web Worker Script URL Manipulation
    Email Attribute Spoofing
    Techniques highlighted on the slide: string de-obfuscation, HTML5 analysis, hybrid analysis
  • 15. Using JavaScript Security Analyzer
    Zero configuration required
    Super-simple
    Super-fast
  • 16. Viewing JSA Results in AppScan Standard
    AppScan Standard – Scan Results
    Vulnerable URL and line of code
    Tainted data flow information
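The kind of source-to-sink "tainted data flow" report the slide refers to, as an added example that is neither JSA's code nor from the presentation: a minimal taint tracker for straight-line client-side JavaScript, run over the welcome.html and redirect.html snippets from the earlier slides. It assumes one statement per line, word-character identifiers and no sanitizers, and is deliberately conservative.

```javascript
// Added example (not JSA's code): a minimal source-to-sink taint tracker for
// straight-line client-side JavaScript. A variable becomes tainted when its
// right-hand side mentions a hacker-controlled DOM source or another tainted
// variable; every sink whose input carries taint is reported. Deliberately
// conservative (an indexOf() result counts as tainted); assumes one
// statement per line, word-character identifiers and no sanitizers.
const SOURCES = ['document.URL', 'document.location', 'document.referrer',
                 'window.location', 'location.search', 'localStorage'];
const SINKS = ['document.write(', '.innerHTML', 'location.href'];
function findTaintedFlows(code) {
  const tainted = new Set();
  const findings = [];
  // Sources and tainted variables that appear in a piece of text.
  const mentions = (text) => {
    const hits = SOURCES.filter((s) => text.includes(s));
    for (const v of tainted) {
      if (new RegExp('\\b' + v + '\\b').test(text)) hits.push(v);
    }
    return hits;
  };
  code.split('\n').forEach((line, idx) => {
    // Propagate taint through every `name = expr` on the line, including
    // assignments inside if/else blocks such as the redirect snippet's newURL.
    const assign = /\b([A-Za-z_]\w*)\s*=(?!=)\s*([^;]+)/g;
    let m;
    while ((m = assign.exec(line)) !== null) {
      if (mentions(m[2]).length) tainted.add(m[1]); else tainted.delete(m[1]);
    }
    // Report each sink whose input (the text after the sink) carries taint.
    for (const sink of SINKS) {
      const at = line.indexOf(sink);
      if (at < 0) continue;
      const via = mentions(line.slice(at + sink.length));
      if (via.length) findings.push({ line: idx + 1, sink: sink.replace('(', ''), via });
    }
  });
  return findings;
}
// Constructed inputs: the welcome.html and (lightly condensed) redirect.html snippets from the slides.
const WELCOME_SNIPPET = [
  'var pos = document.URL.indexOf("name=") + 5;',
  'document.write(document.URL.substring(pos, document.URL.length));',
].join('\n');
const REDIRECT_SNIPPET = [
  'var sData = document.location.search.substring(1);',
  'var sPos = sData.indexOf("url=") + 4;',
  'var ePos = sData.indexOf("&", sPos);',
  'if (ePos < 0) { var newURL = sData.substring(sPos); } else { newURL = sData.substring(sPos, ePos); }',
  'window.location.href = newURL;',
].join('\n');
```

Running it on the two snippets reports document.write at line 2 (reached through document.URL and the tainted pos) and location.href at line 5 (reached through newURL), while a snippet with no DOM source produces no findings.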
  • 17. Let's try again… How common are client-side JavaScript issues?
  • 18. Using JSA we ran research on real sites
    Fortune 500
    175 most popular sites
    Non-obtrusive automated review
    Manually verified results
    Scary outcome…
  • 19. 14.5% Vulnerable
    169,443 total pages
    90,929 unique pages
    1659 pages with vulnerabilities
    Likelihood for a web page to be vulnerable is 1 : 55
  • 20. Who wrote these vulnerabilities?
    62% in house
    38% 3rd party:
      Marketing campaign JavaScript snippets
      Flash embedding JavaScript snippets
      Social networking JavaScript snippets
      Deep linking JavaScript libraries for Flash and AJAX applications
  • 23. Issue Distribution
    DOM-based XSS
    Open Redirect
  • 24. JavaScript is becoming prominent
    Modern applications: HTML5, AJAX, Web 2.0
    Application logic is shifting to the client side
    More code == more vulnerabilities
    Vulnerabilities happen when code relies on parts of the DOM that are hacker-controlled
    Detection requires tedious manual work
    AppScan with JSA can automate client-side issue detection
  • 25. Q & A
  • 26. Thank You
    You can download the full whitepaper at: http://tinyurl.com/5w6koqj
