Client-side JavaScript Vulnerabilities

Automatically detecting client side JavaScript vulnerabilities using IBM Rational AppScan and JavaScript Security Analyzer (hybrid analysis)

Comments

  • nice
  • I guess I don't understand. You can manually execute any javascript from the client anyway just by typing 'javascript:{...}' in the address bar of any modern browser and the webkit browsers have a console where you can type and execute your own javascript commands, so if one wanted to call APIs from his own client, he could easily do it without js injection....

    I guess someone could create a malicious link as in the examples, but http could be configured not to run cross domains so you can't extract any information from any http request. Most sites require authentication before you access sensitive information anyway, so for the 'attack' to have any effect you would have to be logged in in one tab and then click on a link in another that redirects you back to a hacked page on the first, which would be a strange thing to do.
  • FYI - JSA has been improved greatly recently, and now actually located that 40% of the F500 web sites are actually vulnerable!

    Presentation Transcript

    • Client-side JavaScript
      Security vulnerabilities
      The Twilight Zone of Web Application Security
      Ory Segal
      Security Products Architect, Rational
    • ORY SEGAL
      Security products architect, Rational
      AppScan product manager
      Web Application Security Consortium officer
      Contributor (WASC, MITRE, NIST, OWASP)
      Renowned application security expert
      AppScan
    • From server to client side – The migration story of web application logic
    • 1990 <HTML>: capable of presenting only text and hyperlinks
      1993 <IMG>: embedded images in web pages (3rd party allowed)
      1995 <SCRIPT>: JavaScript enables programmatic modifications to HTML
      1996 <IFRAME>: embeds a page within a page (3rd party contents); <EMBED>: embeds an Adobe Flash file for animation
      1999 XHR: client-side API (e.g. JS) to send & receive HTTP traffic programmatically, without refreshing the entire page
      2005 AJAX: fetch data asynchronously using XHR, reducing the time spent waiting on page loads; desktop app look & feel
      2011 HTML5 & APIs: Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, …
    • Logic is Migrating from Server to Client…
      We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
    • Client-side JavaScript Security Issues
    • DOM-Based Cross-site Scripting
      A type of XSS (the third type after “Reflected” & “Stored”)
      Application doesn’t need to echo back user input like in Type I & Type II
      We poison a DOM element, which is used in JavaScript code
      Example
      http://www.vuln.site/welcome.html?name=Ory
      <HTML>
      <TITLE>Welcome!</TITLE>
      Hi
      <SCRIPT>
      var pos = document.URL.indexOf("name=") + 5;
      document.write(document.URL.substring(pos, document.URL.length));
      </SCRIPT> <BR/>
      Welcome to our system
      </HTML>
      Source : document.URL
      Sink : document.write()
      Results : document.write("Ory")
    • DOM-Based Cross-site Scripting
      Attack Example
      http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>
      <HTML>
      <TITLE>Welcome!</TITLE>
      Hi
      <SCRIPT>
      var pos = document.URL.indexOf("name=") + 5;
      document.write(document.URL.substring(pos, document.URL.length));
      </SCRIPT> <BR/>
      Welcome to our system
      </HTML>
      Source : document.URL
      Sink : document.write()
      Results : document.write("<script>alert('hacked')</script>")
      • The attack took place entirely on the client-side (# fragment identifier)
      • Hacker-controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc.
    • Client-side Open Redirect
      JavaScript code automatically redirects the browser to a new location
      New location is taken from a DOM element (URL, Query, Referrer, etc.)
      Example
      http://www.vuln.site/redirect.html?a=5&url=http://www.some.site
      ...
      var sData = document.location.search.substring(1);
      var sPos = sData.indexOf("url=") + 4;
      var ePos = sData.indexOf("&", sPos);
      var newURL;
      if (ePos < 0) { newURL = sData.substring(sPos); }
      else { newURL = sData.substring(sPos, ePos); }
      window.location.href = newURL;
      Source : document.location
      Sink : window.location.href
      Results : window.location.href = "http://www.some.site";
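The redirect.html snippet above copies whatever follows "url=" straight into window.location.href. The following is an added example, not code from the slides or from AppScan, of a hardened replacement: it parses the current page URL, resolves the candidate against the page's own origin, rejects non-HTTP(S) schemes, and only leaves the origin for hostnames on an explicit allowlist. The function names, SAFE_FALLBACK, and the allowlist parameter are assumptions of this example.

```javascript
// Added example (not from the slides): hardened replacement for redirect.html.
// Inputs are passed as parameters so it runs under Node.js as well as in a browser.

const SAFE_FALLBACK = '/';   // assumed landing page when the target is rejected

// pageUrl: the current document URL (document.location.href in a browser).
// allowedHosts: hostnames that may be redirected to off-origin (assumed allowlist).
// Returns an absolute URL string that is safe to assign to window.location.href.
function safeRedirectTarget(pageUrl, allowedHosts = []) {
  const page = new URL(pageUrl);
  const candidate = page.searchParams.get('url');   // decoded, or null if absent
  if (!candidate) return SAFE_FALLBACK;

  let target;
  try {
    // Resolving against the page turns "/path" into a same-origin URL and
    // "//evil.example/..." into an absolute cross-origin URL we can inspect.
    target = new URL(candidate, page);
  } catch (e) {
    return SAFE_FALLBACK;                       // unparsable input
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return SAFE_FALLBACK;                       // blocks javascript:, data:, vbscript:
  }
  // origin compares scheme + host + port, so an https: target on the same host
  // still needs to be allowlisted explicitly.
  if (target.origin === page.origin) return target.href;
  if (allowedHosts.includes(target.hostname)) return target.href;
  return SAFE_FALLBACK;
}

// Browser entry point (not executed under Node.js).
function redirectFromQuery(allowedHosts) {
  window.location.href = safeRedirectTarget(document.location.href, allowedHosts);
}
```

Relative paths stay on the page's origin, while protocol-relative ("//host"), userinfo ("user@host") and look-alike subdomain targets all resolve to a foreign origin and fall back to SAFE_FALLBACK unless their hostname is allowlisted.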
    • Stored DOM-Based Cross-Site Scripting
      Exploiting HTML5 localStorage API
      ...
      var pos = document.URL.indexOf("name=") + 5;
      var yourName = document.URL.substring(pos, document.URL.length);
      decodeURI(yourName);
      window.localStorage.name = yourName;
      }
      ...
      welcome
      register
      ...
      <div id="header"></div>
      <script>
      var elem = document.getElementById("header");
      var name = window.localStorage.name;
      elem.innerHTML = "Hello, " + name;
      </script>
      ...
      Source : document.URL
      Storage : window.localStorage.name
      Sink : elem.innerHTML
      Results : elem.innerHTML = <value_of_name_parameter>
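Both the DOM-based XSS example (welcome.html writing document.URL into document.write) and the stored variant above (the name parameter parked in localStorage and later written into innerHTML) share one fix: read the parameter with a real URL parser, validate it against an allowlist, and write it through a text sink rather than an HTML sink. The block below is an added example, not code from the slides or from AppScan; the function names, the name allowlist, and the plain-object stand-ins for localStorage and the header element are assumptions so that it runs under Node.js.

```javascript
// Added example (not from the slides): hardened versions of the welcome.html
// and register/header snippets. Inputs are parameters so the same functions
// run under Node.js (tests) and in a browser (pass the real document objects).

// Parse the "name" parameter with URLSearchParams instead of indexOf/substring.
// The fragment (#...) is never part of the query, so "#?name=..." yields null.
function getNameParam(urlString) {
  return new URL(urlString).searchParams.get('name');   // decoded value or null
}

// Assumed allowlist for a display name: letters, digits, space, a few
// punctuation marks, bounded length. Names never need markup.
const NAME_RE = /^[\p{L}\p{N} .'\-]{1,64}$/u;
function isValidName(name) {
  return typeof name === 'string' && NAME_RE.test(name);
}

// Escape the five characters that matter when text must go through an HTML
// sink (innerHTML, document.write). Prefer textContent where possible.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Replacement for welcome.html's document.write(...): returns the greeting to
// insert with textContent, with a neutral default for anything rejected.
function greetingText(urlString) {
  const name = getNameParam(urlString);
  return isValidName(name) ? `Hi ${name}` : 'Hi guest';
}

// Replacement for "window.localStorage.name = yourName": store only validated names.
// storage is window.localStorage in a browser; a plain object in the tests.
function storeName(storage, urlString) {
  const name = getNameParam(urlString);
  if (!isValidName(name)) return false;
  storage.name = name;
  return true;
}

// Replacement for the header snippet. Storage is attacker-influenced (any page
// on the origin can write it), so it is re-validated on read and rendered with
// textContent rather than innerHTML. elem is the #header element in a browser.
function renderHeader(elem, storage) {
  const name = storage.name;
  elem.textContent = isValidName(name) ? `Hello, ${name}` : 'Hello';
  return elem.textContent;
}

// If innerHTML is unavoidable (the greeting sits inside markup), escape first.
function headerMarkup(storage) {
  const name = isValidName(storage.name) ? storage.name : 'guest';
  return `<span class="user">${escapeHtml(name)}</span>`;
}
```

With these in place the attack URL from the slides produces "Hi guest" on welcome.html, nothing is written to storage, and a poisoned storage value is rendered as the fallback "Hello" rather than parsed as HTML.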
    • So, how common are client-side JavaScript issues?
    • (Lack of) Statistics on Client-Side JS Issues
      Two options for gathering statistics
      Automated discovery
      Manual discovery
      Automated tools
      Dynamic analysis tools only uncover ~30%
      Static analysis tools struggle with dynamic code (AJAX)
      Manual code review is hell – have you seen JavaScript lately?
      dojo._xdReset();if(dojo["_xdDebugQueue"]&&dojo._xdDebugQueue.length>0){dojo._xdDebugFileLoaded();}else{dojo._xdNotifyLoaded();}};dojo._xdNotifyLoaded=function(){for(var _99 in dojo._xdInFlight){if(typeof dojo._xdInFlight[_99]=="boolean"){return;}}
      dojo._inFlightCount=0;if(dojo._initFired&&!dojo._loadNotifying){dojo._callLoaded();}};if(typeof window!="undefined"){dojo.isBrowser=true;dojo._name="browser";(function(){var d=dojo;if(document&&document.getElementsByTagName){var _9a=document.getElementsByTagName("script");var _9b=/dojo(\.xd)?\.js(\W|$)/i;for(var i=0;i<_9a.length;i++){var src=_9a[i].getAttribute("src");if(!src){continue;}var m=src.match(_9b);if(m){if(!d.config.baseUrl)
      {d.config.baseUrl=src.substring(0,m.index);}var cfg=_9a[i].getAttribute("djConfig");if(cfg){var _9c=eval("({ "+cfg+" })");for(var x in _9c){dojo.config[x]=_9c[x];}}break;}}}d.baseUrl=d.config.baseUrl;var n=navigator;var dua=n.userAgent,dav=n.appVersion,
      tv=parseFloat(dav);if(dua.indexOf("Opera")>=0){d.isOpera=tv;}if(dua.indexOf("AdobeAIR")>=0){d.isAIR=1;}d.isKhtml=(dav.indexOf("Konqueror")>=0)?tv:0;d.isWebKit=parseFloat(dua.split("WebKit/")[1])||undefined;d.isChrome=parseFloat(dua.split("Chrome/")[1])||undefined;d.isMac=dav.indexOf("Macintosh")>=0;var _9d=Math.max(dav.indexOf("WebKit"),dav.indexOf("Safari"),0);if(_9d&&!dojo.isChrome)
      {d.isSafari=parseFloat(dav.split("Version/")[1]);if(!d.isSafari||parseFloat(dav.substr(_9d+7))<=419.3){d.isSafari=2;}}if(dua.indexOf("Gecko")>=0&&!d.isKhtml&&!d.isWebKit){d.isMozilla=d.isMoz=tv;}if(d.isMoz){d.isFF=parseFloat(dua.split("Firefox/")[1]||dua.split("Minefield/")[1])||undefined;}if(document.all&&!d.isOpera){d.isIE=parseFloat(dav.split("MSIE ")[1])||undefined;var _9e=document.documentMode;if(_9e&&_9e!=5&&Math.floor(d.isIE)!=_9e){d.isIE=_9e;}}if(dojo.isIE&&window.location.protocol==="file:") {dojo.config.ieForceActiveXXhr=true;}d.isQuirks=document.compatMode=="BackCompat";d.locale=dojo.config.locale||(d.isIE?n.userLanguage:n.language).toLowerCase();
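The slides describe every client-side issue as a source (document.URL, document.location, localStorage) flowing into a sink (document.write, innerHTML, location.href). As an added illustration of that view, not code from the slides and not how JSA or AppScan work internally, the block below is a deliberately small text-based taint propagation check: it tracks which variables are assigned from a source and reports statements that pass source data or a tainted variable into a sink. It assumes one statement per line and straight-line code, over-approximates (an integer derived from document.URL counts as tainted), and is run over the slides' three snippets, reproduced here as constructed input strings; a real analyzer parses an AST and models control flow.

```javascript
// Added example (not from the slides): toy source-to-sink taint check over JS text.

const SOURCES = ['document.URL', 'document.location', 'document.referrer',
  'window.location', 'location.search', 'location.hash', 'window.localStorage'];

const SINKS = [
  { name: 'document.write', kind: 'call' },
  { name: 'eval', kind: 'call' },
  { name: '.innerHTML', kind: 'assign' },
  { name: 'location.href', kind: 'assign' },
  { name: 'localStorage.', kind: 'assign' },   // storing tainted data (stored DOM XSS)
];

const ASSIGN_EQ = /(?<![=!<>])=(?!=)/;          // first plain '=', skipping ==, !=, <=, >=

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Which sources or already-tainted variables does this expression text mention?
function taintReasons(expr, tainted) {
  const reasons = SOURCES.filter((s) => expr.includes(s));
  for (const [v, origin] of tainted) {
    if (new RegExp(`\\b${escapeRe(v)}\\b`).test(expr)) reasons.push(`${v}<-${origin}`);
  }
  return reasons;
}

// Returns [{ line, sink, via }] for every statement that feeds tainted data into a sink.
function findTaintedFlows(source) {
  const tainted = new Map();                    // variable name -> what tainted it
  const flows = [];
  source.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    const lineNo = idx + 1;

    // Call-style sinks: the argument text is what matters.
    const call = SINKS.find((k) => k.kind === 'call' && line.includes(`${k.name}(`));
    if (call) {
      const arg = line.slice(line.indexOf(`${call.name}(`) + call.name.length + 1);
      const via = taintReasons(arg, tainted);
      if (via.length) flows.push({ line: lineNo, sink: call.name, via });
      return;
    }

    // Assignments: split "lhs = rhs" at the first plain '='.
    const m = ASSIGN_EQ.exec(line);
    if (!m) return;
    const lhs = line.slice(0, m.index);
    const rhs = line.slice(m.index + 1);
    const via = taintReasons(rhs, tainted);
    if (via.length === 0) return;

    // Assignment-style sinks: tainted data written to a dangerous property.
    const sink = SINKS.find((k) => k.kind === 'assign' && lhs.includes(k.name));
    if (sink) { flows.push({ line: lineNo, sink: sink.name, via }); return; }

    // Otherwise propagate taint to the variable being assigned (last identifier on the lhs).
    const target = /([A-Za-z_$][\w$]*)\s*$/.exec(lhs);
    if (target) tainted.set(target[1], via[0]);
  });
  return flows;
}

// Constructed inputs: the three snippets from the slides, one statement per line.
const WELCOME = [
  'var pos = document.URL.indexOf("name=") + 5;',
  'document.write(document.URL.substring(pos, document.URL.length));',
].join('\n');

const REDIRECT = [
  'var sData = document.location.search.substring(1);',
  'var sPos = sData.indexOf("url=") + 4;',
  'var ePos = sData.indexOf("&", sPos);',
  'var newURL;',
  'if (ePos < 0) { newURL = sData.substring(sPos); }',
  'else { newURL = sData.substring(sPos, ePos); }',
  'window.location.href = newURL;',
].join('\n');

const STORAGE = [
  'var pos = document.URL.indexOf("name=") + 5;',
  'var yourName = document.URL.substring(pos, document.URL.length);',
  'decodeURI(yourName);',
  'window.localStorage.name = yourName;',
  'var elem = document.getElementById("header");',
  'var name = window.localStorage.name;',
  'elem.innerHTML = "Hello, " + name;',
].join('\n');
```

Running findTaintedFlows over REDIRECT reports the window.location.href assignment with newURL traced back to document.location, and over STORAGE it reports both the localStorage write and the later innerHTML write, which is the two-step "Source / Storage / Sink" chain the stored DOM XSS slide shows.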
    • Introducing JavaScript Security Analyzer
    • What is JSA?
      1st and only to auto-detect client-side issues such as:
      DOM-based XSS
      Phishing through Open Redirect
      HTML5 Notification API Phishing
      HTML5 Web Storage API Poisoning
      HTML5 Client-side SQL Injection
      HTML5 Client-side Stored XSS
      HTML5 Web Worker Script URL Manipulation
      Email Attribute Spoofing
      (Slide graphic: string de-obfuscation, HTML5 analysis, hybrid analysis.)
    • Using JavaScript Security Analyzer
      Zero configuration required
      Super-simple
      Super-fast
    • Viewing JSA Results in AppScan Standard
      AppScan Standard – Scan Results
      Vulnerable URL and line of code
      Tainted data flow information
    • Let's try again… How common are client-side JavaScript issues?
    • Using JSA, we ran research on real sites
      Fortune 500
      175 Most popular sites
      Non-obtrusive automated review
      Manually verified results
      Scary outcome…
    • 14.5% Vulnerable
      169,443 Total Pages
      90,929 Unique Pages
      1659 Pages with Vulnerabilities
      Likelihood for a web page to be vulnerable is 1 : 55
    • Who wrote these vulnerabilities?
      62%
      In house
      38%
      3rd Party
      • Marketing campaign JavaScript snippets
      • Flash embedding JavaScript snippets
      • Social networking JavaScript snippets
      • Deep linking JavaScript libraries for Flash and AJAX applications
    • Issue Distribution
      DOM-based XSS
      Open Redirect
    • JavaScript is becoming prominent
      Modern applications HTML5 AJAX Web2.0
      Application logic is shifting to client-side
      More code == more vulnerabilities
      Happens when code relies on parts of the DOM that are hacker-controlled
      Detection requires tedious manual work
      AppScan with JSA can automate client-side issues detection
    • Q & A
    • Thank You
      You can download the full whitepaper at:
      http://tinyurl.com/5w6koqj