SlideShare a Scribd company logo

A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript

Achim D. Brucker
Achim D. Brucker

The document outlines security challenges in JavaScript applications, including examples from SAP UI5, Apache Cordova, and HANA XS Engine. It discusses common vulnerabilities like cross-site scripting, insecure functions, and secrets stored in source code. Specific issues addressed include prototype-based inheritance risks in SAP UI5, the JavaScript to Java bridge in Cordova exposing more than intended, and SQL injection risks in HANA XS Engine applications. The goal is to help detect security problems during development for these application types.

Technology
1 of 19
Download to read offline
A Collection of Real World (JavaScript) Security Problems Examples from 21/2 Applications Areas of JavaScript Achim D. Brucker achim.brucker@sap.com SAP AG, Central Code Analysis Team July 2, 2014
A Collection of Real World (JavaScript) Security Problems Abstract JavaScript is gaining more and more popularity as an implementation language for various applications types such as Web applications (client-side), mobile applications, or server-side applications. We outline a few security challenges that need to be prevented in such applications and, thus, for which there is a demand for analysis methods that help to detect them during during development. © 2014 SAP AG. All Rights Reserved. Page 2 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 3 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 4 of 18
What We Want to Find Programming Patterns That May Cause Security Vulnerabilities Mainly two patterns Local issues (no data-flow dependency), e. g., • Insecure functions 1 var x = Math.random(); • Secrets stored in the source code 1 var password = ’secret’; Data-flow related issues, e. g., • Cross-site Scripting (XSS) 1 var docref = document.location.href; 2 var input = docref.substring( 3 docref.indexOf("default=")+8); 4 var fake = function (x) {return x;} 5 var cleanse = function (x) { 6 return ’hello world’;} 7 document.write(fake(input)); 8 document.write(cleanse(uinput)); • Secrets stored in the source code 1 var foo = ’secret’; 2 var x = decrypt(foo,data); © 2014 SAP AG. All Rights Reserved. Page 5 of 18
Functions as First-Class Objects 1 var href = document.location.href; 2 var unsafeInput = href.substring(href.indexOf("default=")+8) // unsafe input 3 var safeInput = "1+2"; // safe input 4 5 // aliasing eval 6 var exec = eval; 7 var doit = exec; 8 9 var func_eval1 = function (x) {eval(x);}; 10 var func_eval2 = function (x,y) {eVaL(y);}; 11 12 var func_eval_eval = function (x) {func_eval1(x);}; 13 var func_doit = function (x) {doit(x);}; 14 var func_exec = function (x) {exec(y);}; 15 var run = func_eval1; 16 var inject_code = func_exec; 17 18 doit(safeInput); // secure 19 doit(unsafeInput); // code injection © 2014 SAP AG. All Rights Reserved. Page 6 of 18
Where is The Code of my Application? 1 var input = document.location.href.substring(document.location..indexOf("default=")+8); 2 var fake = function (x) {return x;} 3 var cleanse = function (x) {return ’hello world’;} 4 5 var uinput = unknown(input); // unknown is nowhere defined 6 document.write(uinput); // secure!? 7 8 var finput = fake(input); 9 document.write(finput); // not secure 10 11 var cinput = cleanse(input); 12 document.write(cinput); // secure 13 14 var extfinput = extfake(input); // defined externally (part of scan) 15 document.write(extfinput); // not secure 16 17 var extcinput = extcleanse(input); defined externally (part of scan) 18 document.write(extcinput); // secure 19 20 var nobodyKnows = toCleanOrNotToCleanse(input); multiply defined (underspecified) 21 document.write(nobodyKnows); // not secure!? © 2014 SAP AG. All Rights Reserved. Page 7 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 8 of 18
The SAP UI5 Architecture © 2014 SAP AG. All Rights Reserved. Page 9 of 18
Prototype-based Inheritance 1 var vl = new sap.ui.commons.layout.VerticalLayout(); 2 sap.ui.core.Control.extend("foo.Label", { 3 metadata : { 4 properties : { 5 "text" : "string" 6 } 7 }, 8 renderer : function(oRm, oControl) { 9 oRm.write("<span>XSSLabel: "); 10 oRm.write(oControl.getText()); 11 oRm.write("</span>"); 12 } 13 }); 14 var p = jQuery.sap.getUriParameters().get("xss"); 15 vl.addContent(new foo.Label({text:p})); 16 return vl; © 2014 SAP AG. All Rights Reserved. Page 10 of 18
CSRF Prevention You need to know your frameworks 1 var request = { 2 headers : { 3 "X-Requested-With" : "XMLHttpRequest", 4 "Content-Type" : "application/atom+xml", 5 "X-CSRF-Token" : "Fetch" 6 }, 7 }; 8 if (Appcc.CSRFToken) 9 var request = { 10 headers : { 11 "X-Requested-With" : "XMLHttpRequest", 12 "Content-Type" : "application/atom+xml", 13 "X-CSRF-Token" : Appcc.CSRFToken 14 }, 15 }; 16 else var request = { 17 headers : { 18 "X-Requested-With" : "XMLHttpRequest", 19 "Content-Type" : "application/atom+xml", 20 "X-CSRF-Token" : "etch" // secure? 21 }, 22 }; 23 var response = this.oServiceManager.read(request, this, this.batch, this.busy); © 2014 SAP AG. All Rights Reserved. Page 11 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 12 of 18
Apache Cordova (SAP Kapsel): Overall Idea An integrated platform for developing hybrid mobile apps • Apache Cordova plus • App management • Encrypted Storage • Authentication • Logging • . . . • Application management (SMP) • Can be used with device management solutions © 2014 SAP AG. All Rights Reserved. Page 13 of 18
Exploiting the JavaScript to Java Bridge • We can expose Java methods in JavaScript foo.addJavascriptInterface(new FileUtils(), "FUtil"); • And use them in JavaScript easily 1 <script type="text/javascript">// <![CDATA[ 2 filename = ’/data/data/com.livingsocial.www/’ + id +’_cache.txt’; 3 FUtil.write(filename, data, false); 4 // ]]></script> • Which might expose much more than expected 1 function execute(cmd){ 2 return 3 window._cordovaNative.getClass().forName(’java.lang.Runtime’). 4 getMethod(’getRuntime’,null).invoke(null,null).exec(cmd); 5 } © 2014 SAP AG. All Rights Reserved. Page 14 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 15 of 18
The HANA XS Engine Architecture Overview © 2014 SAP AG. All Rights Reserved. Page 16 of 18
History Repeats: SQL Injection 1 $.response.contentType = "text/html"; 2 var userInput = $.request.parameters.get(’userStuff’); 3 4 // We assume 5 // - $.db.getConnection().prepareStatement(x0, ..., xn) is secure iff x0 is *not* 6 // influenced by user input 7 // - sql_sanitize() safeguards us against SQL injections. 8 // - any other preparedStatement call is evil regardless if it is influenced by 9 // user input or not 10 11 if (userInput) { 12 13 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 14 + userInput + "’"; 15 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 16 + sql_sanitize(userInput) + "’"; 17 18 var db_object = $.db; 19 var conn = db_object.getConnection(); 20 21 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 23 _ © 2014 SAP AG. All Rights Reserved. Page 17 of 18
History Repeats: SQL Injection 1 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 2 + userInput + "’"; 3 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 4 + sql_sanitize(userInput) + "’"; 5 6 var db_object = $.db; 7 var conn = db_object.getConnection(); 8 9 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 10 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 11 12 var pstmt02 = db_object.getConnection().prepareStatement(sql); // SQL injection 13 var pstmt03 = db_object.getConnection().prepareStatement(safe_sql); // secure 14 15 var pstmt04 = conn.prepareStatement(sql); // SQL injection 16 var pstmt05 = conn.prepareStatement(safe_sql); // secure 17 18 var pstmt06 = conn.prepareStatement("... where ID = ’$1’",userInput); // secure 19 var pstmt07 = myconn.prepareStatement("... where ID = ’$1’",userInput); // SQL injection 20 21 var pstmt08 = $.mydb.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt09 = $.mydb.getConnection().prepareStatement(safe_sql); // SQL injection © 2014 SAP AG. All Rights Reserved. Page 18 of 18
© 2014 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP AG. All Rights Reserved. Page 19 of 18

Recommended

Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...Aniketos EU FP7 Project
 
Federated identity and trust management redp3678
Federated identity and trust management redp3678Federated identity and trust management redp3678
Federated identity and trust management redp3678Banking at Ho Chi Minh city
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorAchim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
GlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScriptGlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScriptJonathan Baker
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 

Recommended

Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...Aniketos EU FP7 Project
 
Federated identity and trust management redp3678
Federated identity and trust management redp3678Federated identity and trust management redp3678
Federated identity and trust management redp3678Banking at Ho Chi Minh city
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorAchim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
GlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScriptGlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScriptJonathan Baker
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Mist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache SparkMist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache SparkВадим Челышов
 
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Provectus
 
Java Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languagesJava Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languagesErik Gur
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingMax Kleiner
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Codemotion
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usPROIDEA
 
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018) Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018) Zend by Rogue Wave Software
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne
 
Java vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris BaileyJava vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris BaileyJAXLondon_Conference
 
Ascs virtual
Ascs virtualAscs virtual
Ascs virtualwistwiser
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and moreWSO2
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
InterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsInterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsChris Bailey
 
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Tom Diederich
 
JAX London 2015: Java vs Nodejs
JAX London 2015: Java vs NodejsJAX London 2015: Java vs Nodejs
JAX London 2015: Java vs NodejsChris Bailey
 
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A GrzesikApache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesikmfrancis
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
Sanath pabba hadoop resume 1.0
Sanath pabba hadoop resume 1.0Sanath pabba hadoop resume 1.0
Sanath pabba hadoop resume 1.0Pabba Gupta
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofAchim D. Brucker
 

More Related Content

Similar to A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Provectus
 
Java Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languagesJava Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languagesErik Gur
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingMax Kleiner
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Codemotion
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usPROIDEA
 
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018) Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018) Zend by Rogue Wave Software
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne
 
Java vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris BaileyJava vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris BaileyJAXLondon_Conference
 
Ascs virtual
Ascs virtualAscs virtual
Ascs virtualwistwiser
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and moreWSO2
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
InterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsInterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsChris Bailey
 
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Tom Diederich
 
JAX London 2015: Java vs Nodejs
JAX London 2015: Java vs NodejsJAX London 2015: Java vs Nodejs
JAX London 2015: Java vs NodejsChris Bailey
 
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A GrzesikApache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesikmfrancis
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
Sanath pabba hadoop resume 1.0
Sanath pabba hadoop resume 1.0Sanath pabba hadoop resume 1.0
Sanath pabba hadoop resume 1.0Pabba Gupta
 

Similar to A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript (20)

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Mist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache SparkMist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache Spark
 
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
 
Java Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languagesJava Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languages
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
 
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018) Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
 
Java vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris BaileyJava vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris Bailey
 
Ascs virtual
Ascs virtualAscs virtual
Ascs virtual
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and more
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
InterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsInterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring Nodejs
 
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)
 
JAX London 2015: Java vs Nodejs
JAX London 2015: Java vs NodejsJAX London 2015: Java vs Nodejs
JAX London 2015: Java vs Nodejs
 
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A GrzesikApache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 
Sanath pabba hadoop resume 1.0
Sanath pabba hadoop resume 1.0Sanath pabba hadoop resume 1.0
Sanath pabba hadoop resume 1.0
 

More from Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofAchim D. Brucker
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetAchim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsAchim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your BrowserAchim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeAchim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantAchim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesAchim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedAchim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service CompositionAchim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glassAchim D. Brucker
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessAchim D. Brucker
 

More from Achim D. Brucker (20)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 

A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript

  • 1. A Collection of Real World (JavaScript) Security Problems Examples from 21/2 Applications Areas of JavaScript Achim D. Brucker achim.brucker@sap.com SAP AG, Central Code Analysis Team July 2, 2014
  • 2. A Collection of Real World (JavaScript) Security Problems Abstract JavaScript is gaining more and more popularity as an implementation language for various applications types such as Web applications (client-side), mobile applications, or server-side applications. We outline a few security challenges that need to be prevented in such applications and, thus, for which there is a demand for analysis methods that help to detect them during during development. © 2014 SAP AG. All Rights Reserved. Page 2 of 18
  • 3. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 3 of 18
  • 4. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 4 of 18
  • 5. What We Want to Find Programming Patterns That May Cause Security Vulnerabilities Mainly two patterns Local issues (no data-flow dependency), e. g., • Insecure functions 1 var x = Math.random(); • Secrets stored in the source code 1 var password = ’secret’; Data-flow related issues, e. g., • Cross-site Scripting (XSS) 1 var docref = document.location.href; 2 var input = docref.substring( 3 docref.indexOf("default=")+8); 4 var fake = function (x) {return x;} 5 var cleanse = function (x) { 6 return ’hello world’;} 7 document.write(fake(input)); 8 document.write(cleanse(uinput)); • Secrets stored in the source code 1 var foo = ’secret’; 2 var x = decrypt(foo,data); © 2014 SAP AG. All Rights Reserved. Page 5 of 18
  • 6. Functions as First-Class Objects 1 var href = document.location.href; 2 var unsafeInput = href.substring(href.indexOf("default=")+8) // unsafe input 3 var safeInput = "1+2"; // safe input 4 5 // aliasing eval 6 var exec = eval; 7 var doit = exec; 8 9 var func_eval1 = function (x) {eval(x);}; 10 var func_eval2 = function (x,y) {eVaL(y);}; 11 12 var func_eval_eval = function (x) {func_eval1(x);}; 13 var func_doit = function (x) {doit(x);}; 14 var func_exec = function (x) {exec(y);}; 15 var run = func_eval1; 16 var inject_code = func_exec; 17 18 doit(safeInput); // secure 19 doit(unsafeInput); // code injection © 2014 SAP AG. All Rights Reserved. Page 6 of 18
  • 7. Where is The Code of my Application? 1 var input = document.location.href.substring(document.location..indexOf("default=")+8); 2 var fake = function (x) {return x;} 3 var cleanse = function (x) {return ’hello world’;} 4 5 var uinput = unknown(input); // unknown is nowhere defined 6 document.write(uinput); // secure!? 7 8 var finput = fake(input); 9 document.write(finput); // not secure 10 11 var cinput = cleanse(input); 12 document.write(cinput); // secure 13 14 var extfinput = extfake(input); // defined externally (part of scan) 15 document.write(extfinput); // not secure 16 17 var extcinput = extcleanse(input); defined externally (part of scan) 18 document.write(extcinput); // secure 19 20 var nobodyKnows = toCleanOrNotToCleanse(input); multiply defined (underspecified) 21 document.write(nobodyKnows); // not secure!? © 2014 SAP AG. All Rights Reserved. Page 7 of 18
  • 8. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 8 of 18
  • 9. The SAP UI5 Architecture © 2014 SAP AG. All Rights Reserved. Page 9 of 18
  • 10. Prototype-based Inheritance 1 var vl = new sap.ui.commons.layout.VerticalLayout(); 2 sap.ui.core.Control.extend("foo.Label", { 3 metadata : { 4 properties : { 5 "text" : "string" 6 } 7 }, 8 renderer : function(oRm, oControl) { 9 oRm.write("<span>XSSLabel: "); 10 oRm.write(oControl.getText()); 11 oRm.write("</span>"); 12 } 13 }); 14 var p = jQuery.sap.getUriParameters().get("xss"); 15 vl.addContent(new foo.Label({text:p})); 16 return vl; © 2014 SAP AG. All Rights Reserved. Page 10 of 18
  • 11. CSRF Prevention You need to know your frameworks 1 var request = { 2 headers : { 3 "X-Requested-With" : "XMLHttpRequest", 4 "Content-Type" : "application/atom+xml", 5 "X-CSRF-Token" : "Fetch" 6 }, 7 }; 8 if (Appcc.CSRFToken) 9 var request = { 10 headers : { 11 "X-Requested-With" : "XMLHttpRequest", 12 "Content-Type" : "application/atom+xml", 13 "X-CSRF-Token" : Appcc.CSRFToken 14 }, 15 }; 16 else var request = { 17 headers : { 18 "X-Requested-With" : "XMLHttpRequest", 19 "Content-Type" : "application/atom+xml", 20 "X-CSRF-Token" : "etch" // secure? 21 }, 22 }; 23 var response = this.oServiceManager.read(request, this, this.batch, this.busy); © 2014 SAP AG. All Rights Reserved. Page 11 of 18
  • 12. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 12 of 18
  • 13. Apache Cordova (SAP Kapsel): Overall Idea An integrated platform for developing hybrid mobile apps • Apache Cordova plus • App management • Encrypted Storage • Authentication • Logging • . . . • Application management (SMP) • Can be used with device management solutions © 2014 SAP AG. All Rights Reserved. Page 13 of 18
  • 14. Exploiting the JavaScript to Java Bridge • We can expose Java methods in JavaScript foo.addJavascriptInterface(new FileUtils(), "FUtil"); • And use them in JavaScript easily 1 <script type="text/javascript">// <![CDATA[ 2 filename = ’/data/data/com.livingsocial.www/’ + id +’_cache.txt’; 3 FUtil.write(filename, data, false); 4 // ]]></script> • Which might expose much more than expected 1 function execute(cmd){ 2 return 3 window._cordovaNative.getClass().forName(’java.lang.Runtime’). 4 getMethod(’getRuntime’,null).invoke(null,null).exec(cmd); 5 } © 2014 SAP AG. All Rights Reserved. Page 14 of 18
  • 15. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 15 of 18
  • 16. The HANA XS Engine Architecture Overview © 2014 SAP AG. All Rights Reserved. Page 16 of 18
  • 17. History Repeats: SQL Injection 1 $.response.contentType = "text/html"; 2 var userInput = $.request.parameters.get(’userStuff’); 3 4 // We assume 5 // - $.db.getConnection().prepareStatement(x0, ..., xn) is secure iff x0 is *not* 6 // influenced by user input 7 // - sql_sanitize() safeguards us against SQL injections. 8 // - any other preparedStatement call is evil regardless if it is influenced by 9 // user input or not 10 11 if (userInput) { 12 13 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 14 + userInput + "’"; 15 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 16 + sql_sanitize(userInput) + "’"; 17 18 var db_object = $.db; 19 var conn = db_object.getConnection(); 20 21 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 23 _ © 2014 SAP AG. All Rights Reserved. Page 17 of 18
  • 18. History Repeats: SQL Injection 1 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 2 + userInput + "’"; 3 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 4 + sql_sanitize(userInput) + "’"; 5 6 var db_object = $.db; 7 var conn = db_object.getConnection(); 8 9 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 10 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 11 12 var pstmt02 = db_object.getConnection().prepareStatement(sql); // SQL injection 13 var pstmt03 = db_object.getConnection().prepareStatement(safe_sql); // secure 14 15 var pstmt04 = conn.prepareStatement(sql); // SQL injection 16 var pstmt05 = conn.prepareStatement(safe_sql); // secure 17 18 var pstmt06 = conn.prepareStatement("... where ID = ’$1’",userInput); // secure 19 var pstmt07 = myconn.prepareStatement("... where ID = ’$1’",userInput); // SQL injection 20 21 var pstmt08 = $.mydb.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt09 = $.mydb.getConnection().prepareStatement(safe_sql); // SQL injection © 2014 SAP AG. All Rights Reserved. Page 18 of 18
  • 19. © 2014 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP AG. All Rights Reserved. Page 19 of 18