Successfully reported this slideshow.

Jsonp null-meet-02-2015

0

Share

Feb. 27, 2015
0 likes 494 views
Upcoming SlideShare
Approach to find critical vulnerabilities
Approach to find critical vulnerabilities
Loading in …3
×
1 of 20
1 of 20

Jsonp null-meet-02-2015

Feb. 27, 2015
0 likes 494 views

0

Share

Download to read offline

Software

Null Meet Dharamsala February 27 2015

Null Meet Dharamsala February 27 2015

Software

Recommended

More Related Content

Viewers also liked

初心者のためのPythonによるWebAPI活用方入門
Xoxzo Inc.
Logs management
Mantas Klasavicius
XoxzoテレフォニーAPI入門2017
Xoxzo Inc.
RestMQ - HTTP/Redis based Message Queue
Gleicon Moraes
Using Logstash, elasticsearch & kibana
Alejandro E Brito Monedero
Php file upload, cookies & session
Jamshid Hashimi
HTML5 Web Messaging
Mike Taylor
05 File Handling Upload Mysql
Geshan Manandhar
Web Scraping with PHP
Matthew Turland
Realtime Analytics Using MongoDB, Python, Gevent, and ZeroMQ
Rick Copeland
Web Apps in Perl - HTTP 101
hendrikvb
Hack the box open admin writeup
tamlaiyin
If love is_blind_-_tiffany
tenka
RESTful Web API and MongoDB go for a pic nic
Nicola Iarocci
When RSS Fails: Web Scraping with HTTP
Matthew Turland
How the internet works
Sharon Chen
We love NLTK
Dhiana Deva
Ruby on embedded devices rug::b Aug 2014
Eno Thierbach
rtwerewr
esolinhighered

Similar to Jsonp null-meet-02-2015

Ultimate xss
ARahim Özel
JSON based CSRF
Amit Dubey
Introduction to Web Application Security - Blackhoodie US 2018
Niranjanaa Ragupathy
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Magno Logan
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
RSA Conference 2010 San Francisco
Aditya K Sood
PGDAY EU 2016 workshop - privacy and security
Steve Gill
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
Sam Bowne
So you think you know REST - DPC11
Evert Pot
Basics of the Web Platform
Sanjeev Verma, PhD
OAuth and OEmbed
leahculver
a
Sandeep Kumar
The old is new, again. CVE-2011-2461 is back!
Luca Carettoni
JavaScript Security
Jason Harwig
Web Security - Cookies, Domains and CORS
Perfectial, LLC
Evolution Of The Web Platform & Browser Security
Sanjeev Verma, PhD
Web Security - Introduction
SQALab
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
HTML5 storage and communication - Zohar Arad
Israeli Internet Association technology committee

More from Sunil Kumar

Basics of Cryptography
Sunil Kumar
3Es of Ransomware
Sunil Kumar
Http2 Security Perspective
Sunil Kumar
Memory forensics
Sunil Kumar
n|u Dharamsala Humla : Memory Forensic by Tenzin Chokden
Sunil Kumar
Dt5 varenni win_pcapdosdonts
Sunil Kumar
Nullcon 2011- Behaviour Analysis with DBI
Sunil Kumar

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
101 Awesome Builds: Minecraft®™ Secrets from the World's Greatest Crafters Triumph Books
(4.5/5)
Free
How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life J. J. Luna
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(4/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
The Social Life of Information: Updated, with a New Preface-Revised John Seely Brown
(0/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Brian Christian
(4.5/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World Bruce Schneier
(4.5/5)
Free

Jsonp null-meet-02-2015

  1. 1. JSONP Security Consideration
  2. 2. @ME  Malware Analyst  badboy16a@gmail.com  @_badbot
  3. 3. JSONP?  JSON-with-padding  JSON-P  JSON++
  4. 4. WEB PAGE  HTML  CSS  Resources  Image  Audio  Video  Flash  …  JavaScript
  5. 5. SOP  Same-Origin-Policy  Protects against interference from other domains.  Not for JavaScript, Image,…  GET only
  6. 6. JSON  JavaScript Object Notation  Data-interchange format  For Human  For Machine  Restricted by SOP {key1 : value, key2: [x,y,z], key3 : “String” }
  7. 7. JSONP  SOP workaround for JSON Data  Browsers not supportingCORS  JSON data wrapped in JavaScript
  8. 8. JSONP  Provider Domain  Owner of data  Consumer Domain  Owner of document
  9. 9. JSONP <script type=“text/javascript” src=http://api.example.com/jsonp?callback=foo /> <script> function foo(data){ Console.log(“value=“+data.key); } </script>
  10. 10. JSONP <script type=“text/javascript” src=http://api.example.com/jsonp?callback=foo /> <script> function foo(data){ Console.log(“value=“+data.key); } </script> GET jsonp?callback=foo HTTP/1.1 Host: api.example HTTP/1.1 200 OK Server: Apache/2.2 Content-Type: text/javascript Content-Length: 16 foo({key: value});
  11. 11. DYNAMIC(AJAX) JSONP  Create appropriate <script> elements  Add to body  Remove after processing  jQuery implements as helper function
  12. 12. JSONP  Only a convention  Not Standard  Padding can be anything  Convention:A function call  Limited to GET requests only  Control first few bytes of every response
  13. 13. JSONP::XSS  Also called Self-Inflicted XSS  Provider can provide anything  What about??  Ultimate trust on provider. HTTP/1.1 200 OK Server: Apache/2.2 Content-Type: text/javascript Content-Length: 16 foo({key: value}); (function(){…evil code…})();
  14. 14. JSONP::CONTENT SNIFFING HTTP/1.1 200 OK Server: Apache/2.2 Content-Type: text/javascript Content-Length: 100 <script>…evil javascript code…</script>
  15. 15. JSONP::CONTENT SNIFFING  Browsers may ignore Content-Type  Specific Scenarios  Infer the content based on data  Use X-Content-Type: nosniff HTTP/1.1 200 OK Server: Apache/2.2 Content-Type: text/javascript Content-Length: 100 <script>…evil javascript code…</script>
  16. 16. JSONP::CSRF  Easy target for CSRF  CSRFToken can be sniffed
  17. 17. JSONP::FLASH INJECTION  Flash may ignore Content-Type if provided data is a valid flash file  Can bypass X-Content-Type  Can talk to originating domain  Validate callback name
  18. 18. JSONP::ROSSETA FLASH EXPLOIT  Developed by Michele Spagnuoloy from Google  Converts any flash files to valid alphanumeric flash file.  Evades callback validation  Many high profile domain were vulnerable  accounts.google.com  maps.google.com  Youtube  Twitter  Flickr  …  More : https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
  19. 19. CONCLUSION  Hard to protect against CSRF  Hard to authenticate users  Mostly attacked in conjunction with Flash  Validate callback parameter  Create a sandbox domain for JSONP api  An empty javascript comment breaks Flash injection  /**/  Use CORS whenever possible.
  20. 20. THANKYOU

Editor's Notes

  • References
    http://en.wikipedia.org/wiki/JSONP
    http://quaxio.com/jsonp_handcrafted_flash_files/
    https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
    https://molnarg.github.io/ascii-flash/
  • Proposed in December 2005.
  • On Client/Browser

    HTML : Content/Structure
    CSS: Layout/Representation
    JavaScript: Logic, Manipulation
  • As static tag on page.
  • Padding: assignment, logic, …
  • Will this work?

    Might with IE,Chrome
  • Will this work?

    Might with IE,Chrome
  • Validate for alpha, num, . & _

    Flash contains other data.
  • Vulnerable as on July 2014

    • ×