Cyber Camp 2014 
(In)Security Implications in 
JavaScript Universe 
Stefano Di Paola, CTO Minded Security
JavaScript is the most widely used language cross platforms. This talk will analyze the security concerns from past to present with a peek to the future of this important language. This talk was presented as Keynote at CyberCamp Espana 2014.
1. Cyber Camp 2014. (In)Security Implications in JavaScript Universe. Stefano Di Paola, CTO Minded Security

2. $ whoami
   • Stefano Di Paola @WisecWisec
   • Research (Spare Time): Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP); Software Security Since '99; Dealing with JavaScript since 2006
   • Work: CTO @ Minded Security; Application Security Consulting; Director of Minded Security Research Labs

3. What’s this talk about
   • Birth and Rise of an important language.
   • The security implications around it
   • Try to use the JavaScript phenomenon to understand some things about Security and the Real World
   • I won’t say JavaScript is insecure. It’d be complete nonsense.

4. Brief History Of JS – 1990 - 2000
   • 1990: Only HTML
   • 1996: Javascript is in the browser
   • 1999: Ajax

5. Brief History 2000-2009: Something’s Happening. Can you see it?

6. Brief History 2009-2014
   • Browser Vendors are pushing new features: improving speed, graphics capabilities, sound
   • Sounds Like a plan!
   • …and guess what’s the glue? JavaScript of course!

7. Brief History: The big picture

8. PAST 1996-2012

9. 1996 - Why JS became so important?
   • Improve user experience during browsing.
   • On the other side it gives a way to: read, create, modify, delete page content.

10. Browser with new Powers
   • I mean. Without JavaScript a Browser was just an HTML Parser (Not only, I know..).
   • With JavaScript a Browser has a whole new playground.
   • Can those features be abused?

11. Browser with new Powers - Risks
   • The Browser now has to protect, some way:
   • User Remote Data: WebSite A (evil) reading/modifying/etc. content of WebSite B (victim) by abusing the victim’s browser.
   • User Local Data: A malicious site could try to access disk files. User Data is gone.

12. Browser with new Powers - SOP
   • The concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995
   • Same Origin Policy: http://evil.com :80 (scheme, host, port)
   • Implementation of access control rules in a hostile environment is also known as a Sandbox

13. Subverting the SandBox – The old style
   "<html>.." + taintedInput + "..</html>"
   taintedInput = <script>evilJs</script>
   Result: <html>..<script>evilJs</script>..</html>

14. Subverting the SandBox – The old-new style
   Abuse the functionalities of a plugin that:
   • behaves differently from the browser
   • gives too much power without controls
   in order to access data, whatever the browser rules are. Universal Cross Site Scripting

15. Subverting the SandBox – Acrobat Reader Plugin
   Example: Acrobat Reader Plugin UXSS 2006
   • Suppose a pdf is reachable from: http://www.google.com/doc.pdf
   • The attacker adds http://www.google.com/doc.pdf?fdf=javascript:evilJS... and forces a victim’s browser to visit the url. The plugin executes the JavaScript as if it originated from google.com
   • What happens when a user just has some pdf on their PC? An attacker could access the whole filesystem!

16. Subverting the SandBox – The old-new-new style
   • Browser Extensions: JavaScript running in extensions has much more power than on HTML pages.
   • Can be developed by anyone: could be malicious, ..or simply badly written (vulnerable to external attacks)
   • Very similar to the plugin model but easier to develop. Any user can install them.
   • Useful for lots of stuff (Gmail Inbox Checking, Ad Block etc.)

17. Meantime.. On the Server Side..

18. Yay! Look Ma’ I’m on the Server Side!
   An early implementation of JavaScript on the server side, but the results were not so nice:
   var year=eval("date['"+request["params"]["year"]+"'];");
   • Became a Remote Code Execution!
   http://host/?year='+response.write(system("cat /etc/passwd"))+'
   • Was a bank Web Application (implemented in 2003, tested by me in 2008).

19. Meantime.. On the users’ PC

20. Mo’ Money Mo’ Trouble
   • It’s around 2005. A new interesting thing happens.
   • JavaScript + Ajax increase the number of commercial web applications
   • The cost of computers lowers
   • The platforms are converging to a common one. The browser.
   • Big user base > Big money > Crime > Profit

21. What would a naive user do?

22. Man In The Browser - Banking Malware
   • In 2005 the use of a virus to hook the browser’s interaction with banking websites was theorized for the first time.
   • Takes advantage of the common interface the browser gives
   • Changes the page on the fly.
   • It’s a win-win. Browser Rules are completely subverted! Perfect Sandbox Bypass

23. Man In The Browser – Configuration Example:

24. Meantime.. On the Mobile..

25. Yay! Look Ma’ I’m in a telephone!
   • Every Mobile OS lets developers use a so-called webview.
   • It’s 2011: iOS Skype HTML Injection on the username visualization. Led to access to whatever the app can access. https://www.superevr.com/blog/2011/xss-in-skype-for-ios/

26. Just Before the Present – The JavaScript Situation
   It’s 2011
   • WebSites are full of JavaScript coming from: Advertising, Web analytics, User Interaction, Helper libraries.

27. Just Before the Present - DOMinator
   • I wrote a tool called DOMinator: a modification of Firefox; helps to track JavaScript flow during its execution; alerts if there’s some potentially exploitable flaw in the code.
   • Took the top 100 most visited sites and analyzed them with it: 57 had at least some weakness in their JavaScript code.

28. Present 2012-2014

29. Present + Past
   • Past stuff is actually (Mostly) still here :)
   • Some effort from browser vendors to improve SOP: Content Security Policy; implemented by all browsers; not widely used by web applications.
   • Unfortunately everything is happening on top of an old model.
   • There’s more! New JavaScript frameworks and models are gaining interest.

30. HTML Templating – Complex JS Models
   • Welcome to a new way to dynamically generate HTML pages on the fly on the browser side!
   • Welcome HTML Templates. Welcome Client Side Full Dynamic Content. Welcome AngularJS and siblings!

31. AngularJS – a New Sandbox to Escape From
   • {{ qty * cost }} is not directly executed by the browser’s JS Parser.
   • An Expression parser is implemented on top of JS.
   • It’s actually a Sandbox around JS, implemented in JS.

32. AngularJS – a New Sandbox to Escape From
   • Try to run {{alert(1)}}
   • The Sandbox removes access to “dangerous objects” and their attributes.
   • Still, Sandbox security is often a long process, refined over time.
   • Here’s a (mindblowing) Sandbox bypass (fixed):
   ''.sub.call.call( ({})["constructor"].getOwnPropertyDescriptor( ''.sub.__proto__, "constructor").value, null, "alert(1)" )()
   https://code.google.com/p/mustache-security/wiki/AngularJS

33. AngularJS – a New Problem to Face
   • User content is completely generated on the client.
   • How can we create a pdf on the server side using the user page?
   1. Extract the generated HTML
   2. Send it to the server
   3. Use a browser on the server to recreate the graphics
   4. Convert it to PDF.

34. AngularJS – a New Problem to Face (same content as slide 33, steps 1-3)

35. PDF Generation from Complex Content
   • WebKit – Webkit2PDF
   • Other Browser Based Solutions.
   • What could go wrong with the following content? <iframe src="http://internalRouter/"></iframe>
   • Parsed by a browser on the server side? Write access to the whole internal network, as if you had access with your browser to the Web Server Network!
   • Arbitrary Server Side Requests

36. JavaScript in the full Web Stack!

37. JavaScript on the Server Side.. Again!
   • JavaScript is used by hundreds of thousands of developers.
   • It’s too popular. There’s a new breakthrough.
   • NodeJS - JS on the server side. - Welcome Back 2003.
   • MongoDB: JavaScript on the DBMS Layer

38. JavaScript on the Server Side.. Again!

39. JavaScript on the Server Side.. Again!
   • Request the following to a node application:
   Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff
   Node: { parameter: [ 'sss', 'fff' ] }
   Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff
   Node: { parameter: { XX: 'sss', YYY: 'fff' } }
   • Node gets the query string and transforms it into JavaScript Object Notation (JSON).
   • Completely Different from all other Web Servers!

40. JavaScript on a DB! SQL Injection? Kind Of
   • Is some other fancy server side attack still possible? Let’s See.
   1. Create a simple nodeJS + MongoDB Application
   //MongoDB Access from NodeJS
   User.findOne({user: req.body.user, pass: req.body.pass},...
   2. Test the environment
   Client Request: user=aUserName&pass=aPassword
   Node sees as: { user: 'aUserName', pass: 'aPassword' }

41. JavaScript on a DB! SQL Injection? Kind Of
   3. Now look at the MongoDB Manual and find the interesting parts. http://docs.mongodb.org/manual/reference/sql-comparison/
   4. Identify one of many attacks that can be performed:
   Client Request: user[$ne]=aUserName&pass[$ne]=aPassword
   Node sees as: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }
   MongoDB sees as: SELECT * from users where user != 'aUsername' and pass != 'aPassword';
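Added example, not from the talk: a simplified stand-in for the bracket-notation parsing that Express (via the qs module, used for both query strings and url-encoded bodies) applies to requests like the ones on slides 39-41, followed by the check a login handler should run before a parsed body reaches User.findOne. The function names parseQuery, containsOperator and buildLoginFilter are assumptions for this example; the real qs parser handles deeper nesting than shown here.

```javascript
// Added example (not the talk's code): mimic Express/qs bracket parsing, then show the
// checks that keep parsed objects out of a MongoDB filter. Names are made up here.

// "a=1&a=2" -> { a: ['1','2'] }, "a[b]=1" -> { a: { b: '1' } } (one nesting level only).
function parseQuery(queryString) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(rawKey);
    if (m) {
      const [, key, sub] = m;
      if (typeof out[key] !== 'object' || out[key] === null || Array.isArray(out[key])) {
        out[key] = {};
      }
      out[key][sub] = value;                       // user[$ne]=x -> { user: { $ne: 'x' } }
    } else if (rawKey in out) {
      out[rawKey] = [].concat(out[rawKey], value); // repeated key -> array
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// True if any key at any depth starts with "$": exactly what MongoDB would read as a
// query operator ($ne, $gt, $regex, ...) instead of a literal value.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some((k) => k.startsWith('$') || containsOperator(value[k]));
}

// What the login handler should do before User.findOne: credentials must be plain
// strings, so { '$ne': 'x' } is refused instead of turning into "user != 'x'" on the DB.
function buildLoginFilter(body) {
  const { user, pass } = body;
  if (typeof user !== 'string' || typeof pass !== 'string' || containsOperator(body)) {
    throw new TypeError('user and pass must be plain strings');
  }
  return { user, pass };
}

// Constructed request from slide 41, run through both functions.
const hostile = parseQuery('user[$ne]=aUserName&pass[$ne]=aPassword');
console.log(JSON.stringify(hostile), 'operator present:', containsOperator(hostile));
```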
42. Future 2015-?

43. What’s going on?
   • Web as Gaming Platform, No Plugins (QuakeJs)
   • Possible to “compile” games written in C/C++ to asm.js. (Speed 1.5 with respect to native ones!)

44. What’s going on? Mobile?
   • FirefoxOS (Mobile Applications in HTML5 + JS)

45. What’s going on? Anything Left?
   • JS Internet Of Things (JS Interpreter in a chip). Projects about creating an operating system on top of nodeJS.
46. Conclusions
   • We live in a world that changes faster than before.
   • New interesting technologies could get a huge user base in a few months
   • When everything moves even faster, it happens without giving the right time to understand the implications or the subtleties underneath them. (Can you see it Now?)
   • JavaScript seems easy, but as usually happens, quality code means more than basic JS skills.
   • Things are getting even harder.
   • Yet we need talented people to break and build code and innovate as much as possible!
47. Future?? I can’t even imagine how much more intricate the next years will be! And this is only one Language!

48. Thank you! /*Go and Exploit Ethically */ Q&A Twitter: @wisecwisec https://www.mindedsecurity.com Mail: stefano.dipaola@mindedsecurity.com