
Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.


1 Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman

2 About Me Maty Siman Founder and CTO of Checkmarx – Static Application Security Testing (AKA – Source Code Analysis)

3 Agenda: Same old XSS becomes a monster; Broken sandbox; Client side JS; “I know where you were last summer”

4 New Tricks, Old Dog We will see how a single XSSed page can be used to take screenshots of other, non-XSSed pages.
</gml_replace>
<gr_replace lines="22" cat="clarify" orig="6 Technique">
6 Technique – Step B – the outer page remains the same while the user browses inside the inner frame. The outer page’s scripts can access the inner frame’s data (same origin). Iframe border (left visible for demo purposes). The user went to the admin page, but the address bar still shows the XSS’ed login page URL.

5 Technique – Step A – use XSS to embed self http://server/page.aspx?xss= Iframe border (left visible for demo purposes) http://localhost/bookstore/Login.aspx?Name=

6 Technique – Step B – the outer page remains the same while the user browses inside the inner frame. The outer page’s scripts can access the inner’s data Iframe border (left visible for demo purposes) The user went to the admin page, but the URL is still the XSS’ed login page

7 Technique – Step C – HTML5 introduced the concept of Canvas … which can be used to take screenshots. What is Canvas? (w3schools): The HTML5 canvas element is used to draw graphics, on the fly, via scripting (usually JavaScript). html2canvas (html2canvas.hertzen.com): This script allows you to take "screenshots" of webpages or parts of them, directly in the user's browser. The screenshot is based on the DOM and as such may not be 100% accurate to the real representation, as it does not make an actual screenshot, but builds the screenshot based on the information available on the page.

8 XSS that takes base64 screenshots http://localhost/bookstore/Login.aspx?Name=

9 Technique – Step D – Since html2canvas is open source and builds its screenshots from DOM information, it can be modified slightly so that the rendered screenshot reveals the contents of password fields.

10

11 New Tricks, Old Dog Now we will see how an XSS can be used as an agent to map the structure of a network behind a firewall Super-charged XSS – Advanced port scanning (WebSockets) http://www.andlabs.org/tools/jsrecon.html

12 Same Origin Policy http://www.cnn.com/main main page Iframe / same origin “Change background to green” http://www.cnn.com/story1

13 Same Origin Policy http://www.cnn.com/main main page Iframe / different origin “Change background to green” http://www.fox.com

14 Same Origin Policy http://www.hacker.com main page Iframe / different origin http://www.bank.com Acct_to Sum OK “Fill in the acct_to and sum fields, and then btn_click that OK button “

15 SOP The Same Origin Policy permits scripts running on pages from the same origin to access each other’s content, where origin is the combination of scheme, hostname and port number.
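As an added example (not code from the talk), the rule on this slide written out explicitly: two URLs share an origin only when scheme, hostname and port all match. It uses the WHATWG URL API available in Node.js and browsers; the function names and the constructed edge cases (default port, opaque origin) are assumptions for the demo, the cnn.com, fox.com, hacker.com and bank.com URLs are the ones on the slides.

```javascript
// Added example, not from the presentation: an explicit Same Origin Policy
// comparison on the three components the slide names.

// Default ports, so that "http://host:80/" and "http://host/" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Break a URL into the three components the SOP compares.
function originParts(urlString) {
  const u = new URL(urlString);
  // Schemes such as about:, data: and blob: have no host and get an opaque
  // origin; the URL API reports it as the string "null".
  if (u.origin === 'null') return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// true only when every component matches. An opaque origin matches nothing,
// which is also what a sandboxed iframe without allow-same-origin gets.
function sameOrigin(a, b) {
  const pa = originParts(a);
  const pb = originParts(b);
  if (pa === null || pb === null) return false;
  return pa.scheme === pb.scheme && pa.host === pb.host && pa.port === pb.port;
}

// The slide scenarios plus constructed edge cases.
function sopTable() {
  const cases = [
    ['http://www.cnn.com/main', 'http://www.cnn.com/story1'],      // slide 12: same origin
    ['http://www.cnn.com/main', 'http://www.fox.com'],             // slide 13: different host
    ['http://www.hacker.com', 'http://www.bank.com'],              // slide 14: different host
    ['http://www.server.com/', 'http://www.server.com:80/iframe'], // constructed: default port
    ['http://www.server.com/', 'https://www.server.com/'],         // constructed: scheme differs
    ['http://www.server.com/', 'http://www.server.com:8080/'],     // constructed: port differs
    ['http://www.server.com/', 'about:blank'],                     // constructed: opaque origin
  ];
  return cases.map(([a, b]) => ({ a, b, same: sameOrigin(a, b) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of sopTable()) {
    console.log(`${row.same ? 'SAME ' : 'CROSS'}  ${row.a}  <->  ${row.b}`);
  }
}
```

Note that a path difference (/main vs /story1) never separates origins, and that an explicit default port is the same origin as no port at all; browsers apply exactly this comparison before letting one frame’s script touch another frame’s DOM.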

16 Markets Recently, companies started offering markets of extensions for their cloud offerings, like Salesforce.com, Microsoft 365, etc. This means the JavaScript is written by a 3rd party but hosted and delivered from the very same server as the main page, so the SOP does not isolate the extension from the main page.

17 Sandbox – pitfalls?

18 Same Origin Policy alert(1) http://www.server.com main page Iframe / same origin http://www.server.com/iframe 1 Click

19 Same Origin Policy alert(1) http://www.server.com main page Sandboxed Iframe Default permissions Same Origin http://www.server.com/iframe Click

20 Same Origin Policy alert(1) http://www.server.com main page Sandboxed Iframe Allowing Scripts and SOP Same Origin http://www.server.com/iframe 1 Click

21 Same Origin Policy top.navigate(…) http://www.server.com main page Sandboxed Iframe Allowing Scripts and SOP Same Origin http://www.server.com/iframe Click

22 Same Origin Policy top.find(myself) → addPermission(myself, top_nav) → Refresh() → navigate(…) http://www.server.com main page Sandboxed Iframe Allowing Scripts and SOP Same Origin http://www.server.com/iframe → http://www.hacker.com Click

23
Source          Demo   Action                   Permission
Host / Embedded Click  Alert                    IFrame
Host / Embedded Click  Alert                    IFrame + Full SB
Host / Embedded Click  Alert                    IFrame + SB allowing Scripts and SameOrigin
Host / Embedded Click  Top Navigation           IFrame + SB allowing Scripts and SameOrigin
Host / Embedded Click  “Tricky” top navigation  IFrame + SB allowing Scripts and SameOrigin
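The table above illustrates the rule behind the “tricky” case: a sandboxed frame that is granted both allow-scripts and allow-same-origin while loading same-origin content can reach the embedding document and rewrite its own sandbox attribute, so the sandbox no longer restricts it. As an added example (not code from the talk), here is a small audit that applies that rule to the iframes in a page; the function names, the severity labels and the sample HTML are assumptions constructed for the demo, mirroring the slide table on a host page at http://www.server.com.

```javascript
// Added example, not from the presentation: classify <iframe sandbox="..."> values
// by how much protection the sandbox actually gives the embedding page.

// Tokens in the sandbox attribute are whitespace-separated and case-insensitive.
function parseSandbox(attrValue) {
  return new Set(attrValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Classify one frame. `sameOriginSrc` says whether the frame's src is on the
// embedding page's origin (scheme, hostname and port all equal).
function assessSandbox(attrValue, sameOriginSrc) {
  if (attrValue === null || attrValue === undefined) {
    return { level: 'none', reason: 'no sandbox attribute; frame is fully privileged' };
  }
  const tokens = parseSandbox(attrValue);
  const scripts = tokens.has('allow-scripts');
  const keepOrigin = tokens.has('allow-same-origin');
  const topNav = tokens.has('allow-top-navigation') ||
                 tokens.has('allow-top-navigation-by-user-activation');
  if (scripts && keepOrigin && sameOriginSrc) {
    // The "tricky" row of the table: the frame can edit its own sandbox attribute.
    return { level: 'ineffective',
             reason: 'allow-scripts + allow-same-origin on same-origin content; frame can rewrite its own sandbox' };
  }
  if (topNav) {
    return { level: 'weak', reason: 'frame may navigate the top-level page' };
  }
  if (!scripts) {
    return { level: 'full', reason: 'scripts disabled' };
  }
  if (keepOrigin) {
    return { level: 'restricted', reason: 'cross-origin content keeps its own origin; host DOM unreachable' };
  }
  return { level: 'restricted', reason: 'scripts run in an opaque origin' };
}

// Pull every iframe's src and sandbox attribute out of a page. A regex is
// enough for this constructed sample; a real audit would use a DOM parser.
function auditIframes(html, pageOrigin) {
  const results = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1] || '';
    const sb = attrs.match(/\bsandbox\s*=\s*"([^"]*)"/i);
    const sameOriginSrc = src !== '' && new URL(src, pageOrigin).origin === pageOrigin;
    results.push({ src, ...assessSandbox(sb ? sb[1] : null, sameOriginSrc) });
  }
  return results;
}

// Constructed sample page (host page at http://www.server.com), one row per table case
// plus two cross-origin variants.
const SAMPLE_HTML = `
<iframe src="http://www.server.com/iframe"></iframe>
<iframe src="http://www.server.com/iframe" sandbox=""></iframe>
<iframe src="http://www.server.com/iframe" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="http://www.server.com/iframe" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="http://www.fox.com/widget" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="http://www.fox.com/widget" sandbox="allow-scripts"></iframe>
`;

function auditSample() {
  return auditIframes(SAMPLE_HTML, 'http://www.server.com');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditSample()) console.log(`${r.level.padEnd(11)} ${r.src}  (${r.reason})`);
}
```

The practical takeaway for the embedding side is the third row of the sample: if third-party code has to run with scripts enabled, serve it from a different origin (or omit allow-same-origin) so the sandbox cannot be undone from inside the frame.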

24

25 New Tricks, New Dogs Demo http://localhost/bookstore/k2.html
