Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Published byTabitha Lindsey Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."— Presentation transcript:

1 Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation 6 th OWASP AppSec Conference Milan - May 2007 http://www.owasp.org/ Brian Chess, Ph.D. Chief Scientist Fortify Software Brian@fortifysoftware.com Brian@fortifysoftware.com The Dark Side of Ajax

2 6 th OWASP AppSec Conference – Milan – May 2007 Mashup Pink Floyd Dark Side of the Moon AJAX all purpose cleaner

3 6 th OWASP AppSec Conference – Milan – May 2007 Ajax Fancier and easier-to-use web applications using open standards A synchronous J avaScript A nd X ML Ajax is a matter of degree, not kind Security implications? Server (smart) Web page (dumb) Server (smart) Web page (smart) Web 1.0 Ajax

4 6 th OWASP AppSec Conference – Milan – May 2007 Success is foreseeing failure. – Henry Petroski

5 6 th OWASP AppSec Conference – Milan – May 2007 What’s wrong with Ajax? Something smells funny... Today’s programming craze is tomorrow’s security disaster Could more JavaScript possibly be better? A sampling of the almost 400 CVE entries that mention JavaScript: CVE-2007-1794 The Javascript engine in Mozilla 1.7 and earlier on Sun Solaris 8, 9, and 10 might allow remote attackers to execute arbitrary code via vectors involving garbage collection that causes deletion of a temporary object that is still being used. CVE-2006-4571 Multiple unspecified vulnerabilities in Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allow remote attackers to cause a denial of service (crash), corrupt memory, and possibly execute arbitrary code via unspecified vectors, some of which involve JavaScript, and possibly large images or plugin data. CVE-1999-0793 Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. CVE-1999-0790 A remote attacker can read from a Netscape user's cache via JavaScript. CVE-1999-0347 Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character

6 6 th OWASP AppSec Conference – Milan – May 2007 Developers say the darndest things Hello ${param.name}! “ We never intended the code that's in there to actually be production-ready code. ” Ryan Asleson

7 6 th OWASP AppSec Conference – Milan – May 2007 Overview Ajax from the programmer’s perspective Ajax for malware Old risks reconsidered New risks on the horizon The future of Ajax

8 6 th OWASP AppSec Conference – Milan – May 2007 Ajax From the Programmer’s Perspective Increased complexity makes frameworks attractive Popular toolkits for Ajax development include Google Web Toolkit (GWT) Direct Web Remoting (DWR) Microsoft ASP.net AJAX (formerly known as Microsoft Atlas) Client-side libraries such as Prototype and Dojo Also popular: ad-hoc (roll your own) Ajax

9 6 th OWASP AppSec Conference – Milan – May 2007 Analysis of AJAX Frameworks Ad-hoc Very flexible, but hardest to get right Client-side toolkits help GWT Very strict, but easy to get right Atlas Very flexible and easy to get right Uses regular ASP.NET features: controls, authentication, authorization Uses regular.NET web service calls DWR Quite flexible, but not easy to get right By default, all methods are exposed Ad-hoc Atlas GWT DWR high low

10 6 th OWASP AppSec Conference – Milan – May 2007 The Case of the Vanishing “X” XML is disappearing from Ajax Replaced by transporting data using JavaScript syntax JavaScript Object Notation (JSON) { "book": { "title":"JavaScript, the Definitive Guide", "publisher":"O'Reilly", "author":"David Flanagan", "cover":"/images/cover_defguide.jpg", "blurb":”elit." } JavaScript, the Definitive Guide O'Reilly David Flanagan elit. XML JSON

11 6 th OWASP AppSec Conference – Milan – May 2007 Example: DWR HTTP request GET /servlets/examples/dwr/exec/ApartmentDAO.findApartments.dwr?c allCount=1&c0-scriptName=ApartmentDAO&c0- methodName=findApartments&c0-id=3412_1178137104170&c0- param0=string%3A2&c0-param1=string%3A2&c0- param2=string%3A1500&xml=true& HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0. 9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://localhost:8080/servlets-examples/dwr- example/dwr.html

12 6 th OWASP AppSec Conference – Milan – May 2007 Example: DWR HTTP response HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/plain;charset=ISO-8859-1 Date: Wed, 02 May 2007 20:18:24 GMT Content-Length: 1906 var s0=[];var s1={};var s2="93 Lombard St.";s1.address=s2; var s3=2;s1.bathrooms=s3;var s4=2;s1.bedrooms=s4;var s5="Toronto";s1.city=s5;var s6=16010;s1.id=s6;var s7=1050;s1.price=s7;var s8="ON";s1.province=s8; s0[0]=s1;var s9={};var s10="27 Winchester St.";s9.address=s10; var s11=2;s9.bathrooms=s11;var s12=2;s9.bedrooms=s12;var s13="Toronto";s9.city=s13;var s14=16003;s9.id=s14;var s15=1050;s9.price=s15;var s16="ON";s9.province=s16; s0[1]=s9;var s17={};var s18="352 Dufferin St";s17.address=s18;... DWREngine._handleResponse('3412_1178137104170', s0);

13 6 th OWASP AppSec Conference – Milan – May 2007 Example: DWR client code... function updateResults() { DWRUtil.removeAllRows("apartmentsbody"); var bedrooms = document.getElementById("bedrooms").value; var baths = document.getElementById("bathrooms").value; var price = document.getElementById("price").value; ApartmentDAO.findApartments(fill, bedrooms, baths, price); $("resultTable").style.display = ''; }

14 6 th OWASP AppSec Conference – Milan – May 2007 Example: DWR server configuration <create creator="new" javascript="ApartmentDAO" class="dwr.sample.ApartmentDAO">

15 6 th OWASP AppSec Conference – Milan – May 2007 Example: Atlas server code [System.Web.Script.Services.ScriptService] [WebService(Namespace = "http://tempuri.org/")] [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] public class ApartmentDAO : System.Web.Services.WebService { [WebMethod] public ArrayList findApartments(int bedrooms, int bathrooms, int price) { // implementation... }...

16 6 th OWASP AppSec Conference – Milan – May 2007 Ajax For Malware Exploit writers buy JavaScript books too Web 2.0 exploits for Web 1.0 vulnerabilities MySpace worm Port scanning behind your firewall Jikto Cross-site scripting looks more and more like buffer overflow Buffer Overflow Allows Arbitrary Code Execution Exploit is hard to write Easy mistake to make in C/C++ Well known problem for decades Cross-site Scripting Allows Arbitrary Code Execution Exploit is easy to write Easy mistake to make in any language Well known problem for a decade

17 6 th OWASP AppSec Conference – Milan – May 2007 MySpace Worm MySpace does bad input validation Users to post a subset of HTML on their pages no tags, no use of the word “javascript”, etc Users to add other users as “friends” User “Samy” discovers some holes Some browsers allow JavaScript in style attributes Some browsers interpret “java\nscript” as “javascript”... All of the MySpace efforts to prevent JavaScript can be circumvented Samy adds JavaScript to his page Any visitor to his page automatically adds Samy as a friend: “Samy is my hero” Any visitor to a page where Samy is a friend will add Samy to their page Worm! MySpace goes down

18 6 th OWASP AppSec Conference – Milan – May 2007 Port scanning behind your firewall JavaScript can: Request images from internal IP addresses, e.g. Use timeout/onerror to determine success/failure Fingerprint webapps using known image names Server Malicious Web page Firewall 1) “show me dancing pigs!” 2) “check this out” Browser scan 3) port scan results

19 6 th OWASP AppSec Conference – Milan – May 2007 Jikto JavaScript vulnerability scanner Written by Billy Hoffman (with credit to Petko Petkov) Capable of spreading like a worm through new XSS vulnerabilities it discovers Uses proxy to bypass same origin policy Target Site Malicious Site Google Translate Mal page attack response analyzer

20 6 th OWASP AppSec Conference – Milan – May 2007 Moral to the story No new vulnerabilities here, just better exploits Good offense makes good defense more important Good offense is making fast progress

21 6 th OWASP AppSec Conference – Milan – May 2007 Defending Ajax Applications: Old Risks Reconsidered A new name for the same game Same vulnerabilities, new programming language Input validation Exposing the server

22 6 th OWASP AppSec Conference – Milan – May 2007 Same Vulnerabilities, New Programming Language A cross-site scripting vulnerability entirely in JavaScript q = location.search.split(“q=“)[1]; q = unescape(q); div.innerHTML = “searching for “ + q;

23 6 th OWASP AppSec Conference – Milan – May 2007 Old Risks Reconsidered: Input validation Possible to lose track of where validation is performed More entry points on the server More, smaller, requests Decentralized design Easy to over-expose More subtle entry points on the server Looks like Web services Hard to tell if method call initiated locally (safe) or remotely (dangerous) Harder to tell what can be trusted ClientServer

24 6 th OWASP AppSec Conference – Milan – May 2007 Exposing Yourself with DWR … <create creator=”new” javascript=”ApartmentDAO” class=”dwr.sample.ApartmentDAO”>

25 6 th OWASP AppSec Conference – Milan – May 2007 Exposing Yourself with DWR … <create creator=”new” javascript=”ApartmentDAO” class=”dwr.sample.ApartmentDAO”>

26 6 th OWASP AppSec Conference – Milan – May 2007 New Problem: Harder to Test Dirty data shooters rely on Web 1.0 conventions HTTP HTML forms 1 parameter = 1 application variable Ajax = more complex data structures Ajax requires sophisticated browser emulation How do you spider an Ajax application? Looks much more like testing conventional software

27 6 th OWASP AppSec Conference – Milan – May 2007 New Risk: JavaScript Hijacking Basic Web browser security: Same Origin Policy Can’t use JavaScript to peek at HTML from other domains Protects Web sites from each other Fundamental to Web security Cross-site request forgery (CSRF) JavaScript can submit a form request to another site Not prevented by Same Origin policy Weakness of cookie-based session management Pervasive vulnerability Attack against data integrity JavaScript Hijacking breaks confidentiality too If server responds to HTTP GET requests If response is JavaScript syntax (arrays, function calls) Attacker can use a tag and witness execution of JavaScript First vulnerability specific to Ajax

28 6 th OWASP AppSec Conference – Milan – May 2007 JavaScript Hijacking in Action Malicious Server Mal page { witness code } 1) “show me dancing pigs!” 2) “check this out” Browser GET 3) confidential data Firewall JavaScript Ajax app server

29 6 th OWASP AppSec Conference – Milan – May 2007 How the Popular Frameworks Stack Up

30 6 th OWASP AppSec Conference – Milan – May 2007 JavaScript Hijacking Exploit function Object() { this.province setter = captureObject; } function captureObject(x) { var index = 0; for (fld in this) { var comma = (index != 0) ? ", " : ""; var value = ('province' == fld) ? x : this[fld]; objString += comma + fld + ": " + value; index++; } objString +=" "; // add code to send data to attacker here } if (DWREngine == null) var DWREngine = {}; DWREngine._handleResponse = function(a, b) {}

31 6 th OWASP AppSec Conference – Milan – May 2007 Two Defenses Against JavaScript Hijacking 1. Prevent CSRF Default to POST not enough Developers add GET so that result can be cached Checking for a known HTTP header is not enough (Flash CSRF vulnerability) 2. Prevent execution of JavaScript while(1); /*... */ Relying on object notation {} rather than array notation [] is silly calling parseJSON() rather than eval() does not help

32 6 th OWASP AppSec Conference – Milan – May 2007 How the Popular Frameworks Responded Head-in-the-sand defense

33 6 th OWASP AppSec Conference – Milan – May 2007 JavaScript Hijacking Myths and Misunderstandings This is a server administration problem. It’s a programming problem. Yeah yeah, but somebody could just do ‘view source’ and accomplish the same thing. The attacker is not the one running the web browser But if you’ve got CSRF vulns, you’re toast anyway. CSRF is bad, but this is worse: it adds breach of confidentiality This relies on some XSS vuln or a bug in the browser. Not so, this is how the browser is supposed to work!

34 6 th OWASP AppSec Conference – Milan – May 2007 Mashups Aren’t Secure Scripts from multiple domains == security problem Often use JavaScript callbacks and auto-generated tags Might be fine for Google maps, but not okay for confidential data Pink Floyd Dark Side of the Moon AJAX all purpose cleaner

35 6 th OWASP AppSec Conference – Milan – May 2007 The Future of Ajax Better frameworks offer a chance to build security in Prevent CSRF Provide secure defaults Opportunity for better validation Better separation between display and controller Better definition for browser/server interaction Better Web standards Cookies: broken, need *working* HTTP only cookies Browsers: broken, need to distinguish between scripts from different domains Flash? Documented security best-practices Hard to mistake data and code Well-defined system for cross-domain communication

36 6 th OWASP AppSec Conference – Milan – May 2007 Summary Ajax: a difference of degree Attack techniques improving quickly Technology pushed well past original design goals Old best practices still apply Don’t trust the client Protect the client New challenges Harder to test More complexity == more room for error A new ally Good opportunity to build security into Ajax frameworks

Download ppt "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.

The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.
Definitions, Definitions, Definitions Lead to Understanding.

Definitions, Definitions, Definitions Lead to Understanding.
MWD1001 – Website Production Web Browsers Week 11.

MWD1001 – Website Production Web Browsers Week 11.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.

Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google