Ajax Security

OWASP – Ajax Security Roberto Suggi Liverani Security Consultant Security-Assessment.com 5 December 2007

Who am I?
Roberto Suggi Liverani
Security Consultant, CISSP
Security-Assessment.com
4 + years on Information Security focusing on web and network security
OWASP New Zealand leader

Agenda
Ajax
What is Ajax?
Ajax Components
Traditional Web Model vs Ajax Web Model
Why Ajax is used?
Who is using Ajax?
Ajax Security
Ajax and Security – Server of origin policy
Real Attack examples (Samy worm, Yammaner, Nduja - Webmail XSS worm)
Web worms – Comparison

Introduction
What is Ajax?
- Ajax is not synonymous of WEB 2.0
- Ajax = Asynchronous Javascript And XML
- Ajax is a group of technologies combined together to create new ways of interaction.
- Term coined by Jesse James Garrett of Adaptive Path (Feb 2005)
Before AJAX:
- DHTML
- Macromedia Flash 4
- Microsoft Remote Scripting
- Microsoft XMLHttpRequest object
- Object element in HTML 4
- Document Object Model Level 3

Ajax Components (cont.)
HTML/XHTML
- Necessary to display the information
JavaScript
- Necessary to initiate the client-server communication and manipulate the DOM to update the web page
Document Object Model (DOM)
- Necessary to change portions of an XHTML page without reloading it.
Server-side processing
- There is no Ajax without a stable, responsive server waiting to send content to the engine

Ajax Components
Cascading Style Sheet (CSS)
- In an Ajax application, the styling of a user interface may be modified interactively through CSS
Extensible Markup Language (XML)
- Data exchange format
Extensible Stylesheet Language Transformations (XSLT)
- Transforms XML to XHTML
XMLHttpRequest object
- XMLHttpRequest object allows retrieving data from the web server as a background activity

Ajax Components – Simple Diagram

Let’s define Ajax:
The browser hosts an application, not content
- A “rich” client application is delivered to the browser and it is able to handle input, respond or wait for requests
The server delivers data, not content
- The role of the server is only to send data. The client is a “rich” client and process the data
User interaction with the application can be fluid and continuous
- Asynchronous data transfers allows new way of interaction like drag and drop and double clicking. Traditional web = click-and-wait
This is real coding and requires discipline
- High-performance and maintainable code are the main requirements for Ajax applications

Traditional Web Model vs Ajax Web Model

Classic Web Model – Usability/Time

Ajax Web Model – Usability/Time

Why Ajax is used?
Speed
Only the data (or parameters) required are posted
Reduced network traffic
- Less data exchanged between client and server
Interactivity
- User doesn’t click and wait. User drags and drops
Functionality
- Richer client with more features available
Usability
- Easy to use -> friendly interface and content updated “on-the-fly”

Who is using Ajax? And many others…

Let’s talk about Ajax and security…
Many of the security issues that an Ajax application faces are the same as for a classical web application
So let’s talk about a specific security issue which relates to Ajax applications: Server of origin policy
Server of origin policy
The JavaScript security model prevents scripts from different domains from interacting with one another
An Ajax application can’t read or write to the local filesystem

Examples of cross browser security policy:
URLs Cross – Scripting allowed? Comments http://www.example.com:8080/script1.js No Port number doesn’t match. http://www.example.com/script2.js http://www.example.com/script1.js No Protocol type doesn’t match. https://www.example.com/script2.js http://www.example.com/script1.js No Browser will not perform domain name resolution. http://192.168.0.10/script2.js http://sub.example.com/script1.js No Subdomains treated as separate domains. http://www.example.com/script2.js http://www.example.com/hello/script1.js YES Domain name is the same. http://www.example.com/bye/script.2.js http://www.example2.com/script1.js NO Different domain names. http://www.example1.com/script2.js

So is it possible to bypass or avoid this security control?
Yes – there are multiple ways
Developer workaround: Proxing remote services
Make a call to the remote server from our own server rather than from the client, and then forward it on to the client
Example: http://website1/proxy?url=http://website2/
User workaround: Change browser security settings
IE: allow permission of executing code from a security zone to another. The user is presented with a popup security warning.
Firefox: PrivilegeManager need to be configured accordingly. The value signed.applets.codebase_principal_support should be set to “true”
Attacker workaround: Sending an email
This technique is showed in the case study of the Nduja - the webmail XSS worm of Rosario Valotta

Real attacks examples
Ajax seen by an attacker:
Group technologies means there are more elements to attack - increased attack surface
New ways of interaction means more complexity. Consequently, there are more chances developers commit mistakes like exposing internal functions of the application
Application is delivered to the browser. The attacker controls the functionality of the application
Ajax application is still a web application – traditional web attack techniques can be used
Let’s go through three real examples of attack involving Ajax:
Samy worm
Jammanner worm
Nduja - Webmail XSS worm

Ajax Security – Case Study – Samy worm
Started as a joke
Inserted HTML and JavaScript through MySpace’s profile editor.
Automated the friend selection process. Instead of someone selecting Samy as a friend, the worm automated the procedure with JavaScript.
The result of the code injection made the visitor and all visitor friends to befriend Samy when visiting Samy’s page. Samy automatically also became their “hero”.

Ajax – Case Study – Samy worm (cont)
Impact: “In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community”

Screenshot showing list of Myspace profiles infected by Samy Worm

And today there are still Myspace accounts with Samy as a hero! 532 results with live.com

Ajax – Case Study – Samy worm
What we learnt from Samy worm technique?
Embedding JavaScript in CSS tags
Used “java script” to avoid Myspace’s stripping of the string “javascript”.
Used JavaScript String.fromCharCode to convert quotes (‘’) to avoid restrictions
Used the XML-HTTP object with the use of both HTTP GETs and POSTs from/to the victim’s profile.
Worm Source Code:
http://namb.la/popular/tech.html

Ajax – Case Study – Yamanner worm
Exploits a vulnerability in the onload event handling of Yahoo! Mail and then executes a script
Scans emails in the personal folders of the Yahoo! Mail account
Sends a copy of itself to the email addresses gathered
Redirects the Web browser from Yahoo! Mail to the following Web site: [http://]www.av3.net/index.htm
Sends the list of gathered email addresses to the above URL

Ajax – Case Study – Yamanner worm
Impact: It is unknown the number of yahoo users hit by this worm. Harvested addresses from the address book have then been submitted to a remote URL, which is likely that was used for a spam database
What we learnt?
Large email provider does not guarantee security – Yahoo! Mail software vulnerability was exploited in this case.
XML GET to retrieve contact addresses and use of window.navigate to send data to third party site
Source Code Example:
http://archives.neohapsis.com/archives/incidents/2006-06/0028.html
http://groovin.net/stuff/yammer.txt

Ajax – Case Study – Nduja - Webmail XSS worm
Probably the first cross domain worm
Worm developed as PoC by Rosario Valotta
Tested on four webmail services in Italy:
Libero.it
Tiscali.it
Lycos.it
Excite.com
Exploit XSS vulnerabilities in the webmail applications and then:
Steal e-mails from the Inbox
Steal email addresses from Contact List
Self propagation to contacts

Ajax Security – Case Study – Nduja - Webmail XSS Worm
Impact: the worm is able to capture emails, contact addresses from four different domains and post them to third party site.
What we learnt?
It is possible to create cross domain worms exploiting multiple XSS vulnerabilities at the same time in different domains. The server of origin policy is bypassed using a feature of the application targeted (email function)
The malicious script checks the domain and then applies the relative XSS attack
Extracts of source code: http://rosario.valotta.googlepages.com/home

Nduja - Webmail XSS Worm Demo

Web worms – Comparison So the question is: Can you think about the impact of the next cross domain web worm? Worm Target Domain(s) Cross Domain? Impact Samy worm Myspace.com No 1 million of users affected Yannamer worm Yahoo.com No Unknown number of yahoo users affected Nduja worm Tiscali.it Libero.it Lycos.it Excite.com Yes N/A – This is a PoC

Questions/Conclusion
Thank you!
[email_address]

References – Misc.
Stefano Di Paola, Giorgio Fedon – Subverting Ajax – Whitepaper
Andrew Van Der Stock – Ajax Security - Presentation
Billy Hoffman – Ajax Security Dangers - Whitepaper
Billy Hoffman – Analysis of Web Application Worms and Viruses - Whitepaer
Alex Stamos, Zane Lackey – Attacking AJAX Web Applications - Presentation

References – Misc.
AJAX Security - http://www.cgisecurity.com/ajax/
Ajax Security Basics - http://www.securityfocus.com/infocus/1868/2
MySpace Worm Explanation - http://namb.la/popular/tech.html
Adaptive Path - http://www.adaptivepath.com/ideas/essays/archives/000385.php
Nduja Connection - http://rosario.valotta.googlepages.com/home
Yamanner Worm - http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99

References – Books
Christopher Wells – Securing Ajax Applications – O’Reilly - Book
V.A. – The Professional Ajax – 2 nd edition – Wrox - Book
V.A. – Ajax In Action – Manning - Book

Table of Figures
Slide 7 – From Ajax In Action, Manning
Slide 9 – The Professional Ajax – 2 nd edition – Wrox
Slide 10 – Adaptive web site - http://www.adaptivepath.com/ideas/essays/archives/000385.php
Slide 11 – Adaptive web site - http://www.adaptivepath.com/ideas/essays/archives/000385.php
Slide 19 – Rsnake web site - http://ha.ckers.org/blog/20070319/samy-worm-analysis/

Ajax Security

by Roberto Suggi Liverani on Mar 25, 2010

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 2

Statistics

Ajax Security Presentation Transcript