Cyber Camp 2014 
(In)Security Implications in 
JavaScript Universe 
Stefano Di Paola, CTO Minded Security
$ whoami
Stefano Di Paola @WisecWisec
Research (Spare Time)
- Bug Hunter & Sec Research (PDF UXSS, Flash Security, HPP)
- Software Security Since '99
- Dealing with JavaScript since 2006
Work
CTO @ Minded Security Application Security Consulting
Director of Minded Security Research Labs
What's this talk about
- Birth and rise of an important language.
- The security implications around it.
- Using the JavaScript phenomenon to understand some things about security and the real world.
- I won't say JavaScript is insecure. It'd be complete nonsense.
Brief History Of JS – 1990 - 2000
- 1990: only HTML
- 1996: JavaScript is in the browser
- 1999: Ajax
Brief History 2000-2009 
Something’s 
Happening 
Can you 
see it?
Brief History 2009-2014
- Browser vendors are pushing new features:
  - improving speed
  - graphics capabilities
  - sound
- Sounds like a plan!
And guess what's the glue?
JavaScript, of course!
Brief History The big picture
PAST 
1996-2012
1996 - Why JS became so important?
- It improves the user experience during browsing.
- On the other side, it gives a way to:
  - read
  - create
  - modify
  - delete page content.
Browser with new Powers
I mean:
- Without JavaScript a browser was just an HTML parser (not only that, I know..).
- With JavaScript a browser has a whole new playground.
- Can those features be abused?
Browser with new Powers - Risks
- The browser now has to protect, in some way:
  - User remote data: website A (evil) must not read/modify/etc. content of website B (victim) by abusing the victim's browser.
  - User local data: a malicious site could try to access disk files.
User data is gone
Browser with new Powers - SOP
- The concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995.
- Same Origin Policy: an origin is the triple scheme, host and port, e.g. http://evil.com:80
- The implementation of access control rules in a hostile environment is also known as a Sandbox.
Subverting the SandBox – The old style
page = "<html>.." + taintedInput + "..</html>"
taintedInput = <script>evilJs</script>
result: <html>..<script>evilJs</script>..</html>
Subverting the SandBox – The old-new style
Abuse the functionality of a plugin that:
- behaves differently from the browser
- gives too much power without controls
in order to access data, whatever the browser rules are.
Universal Cross Site Scripting (UXSS)
Subverting the SandBox – Acrobat Reader Plugin
Example: Acrobat Reader Plugin UXSS, 2006
- Suppose a PDF is reachable from:
http://www.google.com/doc.pdf
The attacker adds a parameter:
http://www.google.com/doc.pdf?fdf=javascript:evilJS...
and forces a victim's browser to visit the URL.
The plugin executes the JavaScript as if it originated from google.com.
- What happens when a user just has some PDF on their PC?
- The same trick on a locally opened PDF runs in the local file context: an attacker could access the whole filesystem!
Subverting the SandBox – The old-new-new style
- Browser extensions:
  - JavaScript running in extensions has much more power than on HTML pages.
  - They can be developed by anyone.
  - They could be malicious..
  - ..or simply badly written (vulnerable to external attacks).
  - Very similar to the plugin model, but easier to develop.
  - Any user can install them.
  - Useful for lots of things (Gmail inbox checking, ad blocking, etc.)
Meantime.. 
On the Server Side..
Yay! Look Ma' I'm on the Server Side!
An early implementation of JavaScript on the server side, but the results were not so nice:
var year=eval("date['"+request["params"]["year"]+"'];");
- Became a Remote Code Execution! The parameter is spliced into source code, so a quote closes the string literal and everything after it is evaluated:
http://host/?year='+response.write(system("cat /etc/passwd"))+'
It was a bank web application (implemented in 2003, tested by me in 2008).
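The same pattern in modern JavaScript, as an added example (not the talk's own code, nor the bank's): the lookup is written twice, once with the eval() splice from the slide and once without code generation. The table name `dateTable`, the function names and the `pwn()` stand-in for the attacker's payload are assumptions.

```javascript
// Added example (not the talk's code): a request handler that looks up a
// per-year record, first with the eval() pattern from the slide, then
// without code generation. Names (dateTable, lookupYear*, pwn) are assumptions.

// Constructed sample data standing in for the application's `date` table.
const dateTable = { 2007: 'FY2007 statement', 2008: 'FY2008 statement' };

// Stand-in for the attacker's payload (system("cat /etc/passwd") on the slide):
// it only records that it ran, which is all that is needed to prove injection.
const evidence = [];
function pwn() {
  evidence.push('attacker code executed');
  return 'owned';
}

// VULNERABLE: the parameter is spliced into JavaScript source and evaluated.
// A value such as  ']+pwn()+['  closes the string literal, so pwn() becomes
// part of the program. Direct eval also sees every variable in scope here.
function lookupYearVulnerable(table, yearParam) {
  const date = table; // the evaluated source refers to it by this name
  return eval("date['" + yearParam + "']");
}

// HARDENED: never build code from input. Validate the expected shape, then do
// a plain own-property lookup (hasOwnProperty.call keeps prototype keys such
// as "constructor" from being reachable).
function lookupYearSafe(table, yearParam) {
  if (typeof yearParam !== 'string' || !/^\d{4}$/.test(yearParam)) {
    return undefined;
  }
  return Object.prototype.hasOwnProperty.call(table, yearParam)
    ? table[yearParam]
    : undefined;
}

// Stand-alone run mirroring the slide's attack URL:  http://host/?year=']+pwn()+['
function demo() {
  const attack = "']+pwn()+['";
  const vuln = lookupYearVulnerable(dateTable, attack); // evaluates date['']+pwn()+['']
  const safe = lookupYearSafe(dateTable, attack);       // fails the shape check
  return { vuln, safe, attackerRan: evidence.length > 0 };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The vulnerable path returns whatever the injected expression evaluated to (`undefined + 'owned' + ['']`, i.e. the string `undefinedowned`) and, more importantly, has already run `pwn()` by the time it returns; the hardened path never interprets the parameter as code, so there is nothing to escape from.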
Meantime.. 
On users PC
Mo' Money Mo' Trouble
- It's around 2005.
- A new interesting thing happens.
- JavaScript + Ajax increase the number of commercial web applications.
- The cost of computers drops.
- The platforms are converging to a common one: the browser.
- Big user base > big money > crime > profit
What would a naive user do?
Man In The Browser - Banking Malware
- In 2005 the use of malware to hook the browser's interaction with banking websites was theorized for the first time.
- It takes advantage of the common interface the browser gives.
- It changes the page on the fly.
- It's a win-win (for the attacker). Browser rules are completely subverted!
- Perfect sandbox bypass: the malicious code runs inside the browser process itself, not inside a page, so the SOP never applies to it.
Man In The Browser 
 Configuration Example:
Meantime.. 
On the Mobile..
Yay! Look Ma' I'm in a telephone!
- Every mobile OS gives developers a so-called WebView.
It's 2011: iOS Skype HTML injection in the username display. It led to access to whatever the app itself can access.
https://www.superevr.com/blog/2011/xss-in-skype-for-ios/
Just Before the Present – The JavaScript Situation
It's 2011
- Websites are full of JavaScript coming from:
  - advertising,
  - web analytics,
  - user interaction,
  - helper libraries.
Just Before the Present - DOMinator
- I wrote a tool called DOMinator:
  - a modification of Firefox
  - helps to track JavaScript flow during its execution
  - alerts if there's some potentially exploitable flaw in the code.
- Took the top 100 most visited sites and analyzed them with it:
  - 57 had at least some weakness in their JavaScript code.
Present 
2012-2014
Present + Past
- Past stuff is actually (mostly) still here :)
- Some effort from browser vendors to improve on the SOP:
  - Content Security Policy
  - implemented by all browsers
  - not widely used by web applications.
- Unfortunately everything is happening on top of an old model.
There's more! New JavaScript frameworks and models are gaining interest.
HTML Templating – Complex JS Models
- Welcome to a new way to dynamically generate HTML pages on the fly, on the browser side!
- Welcome HTML templates
- Welcome client-side fully dynamic content
- Welcome AngularJS and siblings!
AngularJS – a New Sandbox to Escape From
{{ qty * cost }}
is not directly executed by the browser's JS parser.
- An expression parser is implemented on top of JS.
- It's actually a sandbox around JS, implemented in JS.
AngularJS – a New Sandbox to Escape From
- Try to run {{alert(1)}}
- The sandbox removes access to "dangerous objects" and their attributes.
- Still, sandbox security is often a long process, refined over time.
- Here's a (mindblowing) sandbox bypass (fixed in later versions):
''.sub.call.call(
  ({})["constructor"].getOwnPropertyDescriptor(''.sub.__proto__, "constructor").value,
  null,
  "alert(1)"
)()
It reaches the Function constructor through a property descriptor of Function.prototype, a path the sandbox did not check, and then calls it with attacker-chosen source.
https://code.google.com/p/mustache-security/wiki/AngularJS
AngularJS – a New Problem to Face
- User content is completely generated on the client.
- How can we create a PDF on the server side from the user's page?
1. Extract the generated HTML
2. Send it to the server
3. Use a browser on the server to recreate the graphics
4. Convert it to PDF.
PDF Generation from Complex Content
- WebKit – Webkit2PDF
- Other browser-based solutions.
- What could go wrong with the following content?
<iframe src="http://internalRouter/"></iframe>
- Parsed by a browser on the server side?
- Access to the whole internal network, as if you were browsing from the web server's own network!
- Arbitrary server-side requests (SSRF), with the user's HTML as the carrier.
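One way to contain the server-side renderer, as an added example that is not code from the talk or from any PDF tool: every outgoing request of the headless browser passes through a policy that rejects non-HTTP schemes, IP literals in private or link-local ranges, bare intranet names such as `internalRouter`, and every resource type other than passive images, stylesheets and fonts (so no subframes, scripts or XHR at all). The hook shape `{ url, resourceType }` mirrors request interception in tools such as Puppeteer (`page.setRequestInterception`), but the code is framework-free so it runs stand-alone; the function names and the allowlist are assumptions.

```javascript
// Added example, not code from the talk: a request policy for the headless
// browser that renders user-supplied HTML into a PDF. Function names and the
// allowlist are assumptions; wire shouldAllowRendererRequest into the
// renderer's request-interception hook (abort on false, continue on true).

// Only passive resources may be fetched; no subframes, scripts, XHR/fetch.
const ALLOWED_RESOURCE_TYPES = new Set(['image', 'stylesheet', 'font']);

// Returns the four octets of a dotted-decimal IPv4 literal, or null.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// "This network", private, loopback, CGNAT, link-local (which includes the
// 169.254.169.254 cloud metadata endpoint), multicast and reserved ranges.
function isNonPublicIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224;
}

// May the renderer fetch this URL on the server's behalf?
function isSafeFetchTarget(urlString) {
  let u;
  try {
    u = new URL(urlString); // also normalises forms like http://2130706433/
  } catch (e) {
    return false;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false; // no file:, data:, ftp:
  if (u.username || u.password) return false;
  const host = u.hostname.toLowerCase();
  if (host.startsWith('[')) return false; // IPv6 literal: rejected outright
  if (host === 'localhost' || host.endsWith('.localhost') ||
      host.endsWith('.internal') || host.endsWith('.local') ||
      !host.includes('.')) {
    return false; // single-label intranet names such as "internalRouter"
  }
  const octets = ipv4Octets(host);
  if (octets) return !isNonPublicIPv4(octets);
  // A public-looking hostname can still resolve to an internal address, or
  // change between check and use (DNS rebinding): the resolved address must
  // be re-checked at connect time in the renderer's network layer as well.
  return true;
}

// The interception hook: called once per outgoing request of the renderer.
function shouldAllowRendererRequest(req) {
  if (!ALLOWED_RESOURCE_TYPES.has(req.resourceType)) return false;
  return isSafeFetchTarget(req.url);
}
```

The resource-type check is what neutralises the slide's `<iframe>`: a subframe is a `document` request, so it is aborted before any URL reasoning happens. The IP check is necessary but not sufficient on its own; the comment in `isSafeFetchTarget` says where the second check belongs.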
JavaScript in the full Web Stack!
JavaScript on the Server Side.. Again!
- JavaScript is used by hundreds of thousands of developers.
- It's too popular.
There's a new breakthrough.
- Node.js: JS on the server side. Welcome back, 2003.
- MongoDB: JavaScript on the DBMS layer.
JavaScript on the Server Side.. Again!
- Request the following from a Node application (Express with the qs query parser, which is what produces the nesting shown):
Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff
Node: { parameter: [ 'sss', 'fff' ] }
Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff
Node: { parameter: { XX: 'sss', YYY: 'fff' } }
- Node takes the query string and turns it into a JavaScript object: repeated keys become arrays, bracket suffixes become nested objects.
- Completely different from all other web servers!
JavaScript on a DB! SQL Injection? Kind of
- Is some other fancy server-side attack still possible?
Let's see.
1. Create a simple Node.js + MongoDB application:
//MongoDB Access from NodeJS
User.findOne({user: req.body.user, pass: req.body.pass},...
2. Test the environment:
Client request: user=aUserName&pass=aPassword
Node sees: { user: 'aUserName', pass: 'aPassword' }
JavaScript on a DB! SQL Injection? Kind of
3. Now look at the MongoDB manual and find the interesting parts:
http://docs.mongodb.org/manual/reference/sql-comparison/
4. Identify one of the many attacks that can be performed:
Client request: user[$ne]=aUserName&pass[$ne]=aPassword
Node sees: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }
MongoDB sees the equivalent of: SELECT * FROM users WHERE user != 'aUserName' AND pass != 'aPassword';
findOne returns the first user whose credentials differ from the supplied ones: a login bypass without knowing any password.
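The two preceding slides (the bracket-notation parsing and the `$ne` login bypass) together, as an added example that is not code from the talk, from Express or from MongoDB: a minimal parser that reproduces the nesting shown for `parameter[XX]=sss`, the login filter built from its output, a toy matcher that understands just enough of MongoDB's filter language (`$eq`, `$ne`) to show why the injection works, and the hardened version that refuses anything but strings before it reaches the database. The function names and the user records are assumptions.

```javascript
// Added example, not code from the talk: bracket-notation query parsing, a
// login filter built from it, and a toy stand-in for MongoDB's matching.
// Names (parseQuery, loginVulnerable, loginSafe, USERS) are assumptions.

// Parses "a=1&a=2&b[x]=3" into { a: ['1','2'], b: { x: '3' } }: repeated keys
// become arrays, one level of [..] becomes a nested object, the way the slide
// shows. Null-prototype objects keep keys such as "__proto__" or
// "constructor" as plain data instead of touching the prototype chain.
function parseQuery(queryString) {
  const out = Object.create(null);
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const part of queryString.split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const key = decode(eq === -1 ? part : part.slice(0, eq));
    const val = decode(eq === -1 ? '' : part.slice(eq + 1));
    const m = /^([^[\]]+)\[([^[\]]*)\]$/.exec(key);
    if (m) {
      const [, base, sub] = m;
      if (!has(out, base) || typeof out[base] !== 'object' || Array.isArray(out[base])) {
        out[base] = Object.create(null);
      }
      out[base][sub] = val;
    } else if (has(out, key)) {
      out[key] = [].concat(out[key], val);
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Toy stand-in for MongoDB's query matching: a field condition is either a
// literal (equality) or an operator object such as { $ne: 'x' }.
function matchesFilter(doc, filter) {
  return Object.keys(filter).every((field) => {
    const cond = filter[field];
    const actual = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.keys(cond).every((op) => {
        if (op === '$eq') return actual === cond[op];
        if (op === '$ne') return actual !== cond[op];
        throw new Error('toy matcher: unsupported operator ' + op);
      });
    }
    return actual === cond;
  });
}

function findOne(collection, filter) {
  return collection.find((doc) => matchesFilter(doc, filter)) || null;
}

// Constructed user records.
const USERS = [
  { user: 'alice', pass: 'correct-horse' },
  { user: 'bob', pass: 'hunter2' },
];

// VULNERABLE: whatever the parser produced goes straight into the filter,
// exactly like User.findOne({user: req.body.user, pass: req.body.pass}).
function loginVulnerable(body) {
  return findOne(USERS, { user: body.user, pass: body.pass });
}

// HARDENED: credentials must be strings. An object (i.e. an operator) is
// refused before it can reach the database; the type check is the essential
// part, whatever other sanitising the driver or ODM layer adds.
function loginSafe(body) {
  if (typeof body.user !== 'string' || typeof body.pass !== 'string') return null;
  return findOne(USERS, { user: body.user, pass: body.pass });
}
```

Feeding `user[$ne]=zzz&pass[$ne]=zzz` through `parseQuery` and then `loginVulnerable` returns the first stored user, because every record satisfies "user is not zzz and pass is not zzz"; `loginSafe` sees two objects where strings were expected and stops there. The same parser handles urlencoded request bodies, so the attack works against `req.body` exactly as it does against the query string.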
Future 
2015-?
What's going on?
- Web as a gaming platform, no plugins (QuakeJS)
- Possible to "compile" games written in C/C++ to asm.js (within about 1.5× of native speed!)
What's going on? Mobile?
- Firefox OS (mobile applications in HTML5 + JS)
What's going on? Anything left?
- JS Internet of Things (a JS interpreter on a chip).
- Projects about creating an operating system on top of Node.js.
Conclusions
- We live in a world that changes faster than before.
- New interesting technologies can get a huge user base in a few months.
- When it happens, everything moves even faster, without giving the right time to understand the implications or the subtleties underneath them.
Can you see it now?
- JavaScript seems easy, but as usually happens, quality code requires more than basic JS skills.
- Things are getting even harder.
- Yet we need talented people to break and build code and innovate as much as possible!
Future??
I can't even imagine how intricate the next years will be!
And this is only one language!
Thank you! 
/*Go and Exploit Ethically */ 
Q&A 
Twitter: @wisecwisec 
https://www.mindedsecurity.com 
Mail: stefano.dipaola@mindedsecurity.com

Mais conteĂșdo relacionado

Mais procurados

Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 

Mais procurados (20)

When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
DOM-based XSS
DOM-based XSSDOM-based XSS
DOM-based XSS
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurps
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
Flashack
FlashackFlashack
Flashack
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 

Semelhante a (In)Security Implication in the JS Universe

Isomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master ClassIsomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master Class
Spike Brehm
 
In Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript AppsIn Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
Spike Brehm
 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design
Christopher Schmitt
 
Web app and more
Web app and moreWeb app and more
Web app and more
faming su
 

Semelhante a (In)Security Implication in the JS Universe (20)

Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moible
 
Isomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master ClassIsomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master Class
 
Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010
 
Front End Development | Introduction
Front End Development | IntroductionFront End Development | Introduction
Front End Development | Introduction
 
Bruce lawson-over-the-air
Bruce lawson-over-the-airBruce lawson-over-the-air
Bruce lawson-over-the-air
 
In Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript AppsIn Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
 
Angular js mobile jsday 2014 - Verona 14 may
Angular js mobile   jsday 2014 - Verona 14 mayAngular js mobile   jsday 2014 - Verona 14 may
Angular js mobile jsday 2014 - Verona 14 may
 
TPR4
TPR4TPR4
TPR4
 
TPR4
TPR4TPR4
TPR4
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do That
 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and more
 
Web app and more
Web app and moreWeb app and more
Web app and more
 
Front-end. Global domination
Front-end. Global dominationFront-end. Global domination
Front-end. Global domination
 
Frontend. Global domination.
Frontend. Global domination.Frontend. Global domination.
Frontend. Global domination.
 
Js foo - Sept 8 upload
Js foo - Sept 8 uploadJs foo - Sept 8 upload
Js foo - Sept 8 upload
 
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SKJavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
 
Developing Java Web Applications
Developing Java Web ApplicationsDeveloping Java Web Applications
Developing Java Web Applications
 
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017
 

Último

Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
SUHANI PANDEY
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋
nirzagarg
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Lucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRL
Lucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRLLucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRL
Lucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRL
imonikaupta
 
valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
SUHANI PANDEY
 

Último (20)

Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭ 6378878445
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋
💚😋 Salem Escort Service Call Girls, 9352852248 â‚č5000 To 25K With AC💚😋
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
đ“€€Call On 7877925207 đ“€€ Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
đ“€€Call On 7877925207 đ“€€ Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...đ“€€Call On 7877925207 đ“€€ Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
đ“€€Call On 7877925207 đ“€€ Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Lucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRL
Lucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRLLucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRL
Lucknow ❀CALL GIRL 88759*99948 ❀CALL GIRLS IN Lucknow ESCORT SERVICE❀CALL GIRL
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 

(In)Security Implication in the JS Universe

  • 1. Cyber Camp 2014 (In)Security Implications in JavaScript Universe Stefano Di Paola, CTO Minded Security
  • 2. $ whoami Stefano Di Paola @WisecWisec Research (Spare Time)  Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)  Software Security Since '99  Dealing with JavaScript since 2006 Work CTO @ Minded Security Application Security Consulting Director of Minded Security Research Labs
  • 3. What’s this talk about  Birth and Raise of an important language.  The security implication around it  Try to use the JavaScript phenomenon to understand some things about Security and Real World  I won’t say JavaScript is unsecure. It’d be a complete nonsense.
  • 4. Brief History Of JS – 1990 - 2000 1990 Only HTML 1996 Javascript is in the browser 1999 Ajax
  • 5. Brief History 2000-2009 Something’s Happening Can you see it?
  • 6. Brief History 2009-2014  Browser Vendors are pushing new features:  improving speed  graphics capabilities  sound  Sounds Like a plan!  
and guess what’s the glue? JavaScript of course!
  • 7. Brief History The big picture
  • 9. 1996 - Why JS became so important?  Improve user experience during browsing.  On the other side gives a way to:  read  create  modify  delete page content.
  • 10. Browser with new Powers I mean.  Without JavaScript a Browser was just a HTML Parser (Not only I know..).  With JavaScript a Browser has a whole new playground.  Can those features be abused?
  • 11. Browser with new Powers - Risks  Browser now has to protect some way:  User Remote Data: WebSite A (evil) to read/modify/etc content using WebSite B (victim) abusing the victim’s browser.  User Local Data: A malicious site could try to access disk files. User Data is gone
  • 12. Browser with new Powers - SOP  Concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995  Same Origin Policy: http://evil.com :80  Implementation of access control rules in hostile environment is also known as Sandbox
  • 13. Subverting the SandBox – The old style “<html>..+ <html>.. taintedInput+”..</html>” <script>evilJs</script> ..</html> taintedInput=<script>evilJs</script>
  • 14. Subverting the SandBox – The old-new style Abuse the functionalities of a plugin that  behaves differently from the browser  gives too much power without controls.  in order to access data. whatever the browser rules are. Universal Cross Site Scripting
  • 15. Subverting the SandBox – Acrobat Reader Plugin Example: Acrobat Reader Plugin UXSS 2006  Suppose a pdf is reachable from: http://www.google.com/doc.pdf Attacker adds http://www.google.com/doc.pdf?fdf=javascript:evilJS... And forces a browser’s victim to visit the url. The plugin executes the JavaScript as it originated from google.com  What happens when a user just have some pdf on it’s PC ?  an attacker could access to the whole filesystem!
  • 16. Subverting the SandBox – The old-new-new style  Browser Extensions :  JavaScript running in extensions has much more power than on HTML pages.  can be developed by anyone  Could be malicious  ..or simply badly written (vulnerable to external attacks)  Very similar to plugin model but easier to develop.  Any user can install them  Useful for lot of stuff (Gmail Inbox Checking, Ad Block etc.)
  • 17. Meantime.. On the Server Side..
  • 18. Yay! Look Ma’ I’m on the Server Side! An early implementation of JavaScript on the server side but the results where not so nice: var year=eval("date['"+request["params"]["year"]+"'];");  Became a Remote Code Execution! http://host/?year='+response.write(system("cat /etc/passwd"))+‘ Was a bank Web Application (implemented in 2003 tested by me in 2008).
  • 20. Mo’ Money Mo’ Trouble  It’s around 2005.  A new interesting thing happens.  JavaScript + Ajax increase the number of commercial web applications  The cost of computers lowers  The platforms are converging to a common one. The browser.  Big user base > Big money > Crime > Profit
  • 21. What would a naive user do?
  • 22. Man In The Browser - Banking Malware  In 2005 it was theorized for the first time the use of virus to hook browsers interaction with banking websites.  Takes advantage of the common interface the browser gives  Changes the page on the fly.  It’s a win-win. Browsers Rules are completely subverted!  Perfect Sandbox Bypass
  • 23. Man In The Browser  Configuration Example:
  • 24. Meantime.. On the Mobile..
  • 25. Yay! Look Ma’ I’m in a telephone!  Every Mobile OS gives developers to use a so called webview. It’s 2011: iOS Skype HTML Injection on the username visualization. Lead to access to whatever the app can access. https://www.superevr.com/blog/2011/xss-in-skype-for-ios/
  • 26. Just Before the Present – The JavaScript Situation It's 2011  WebSites are full of JavaScript coming from:  Advertising,  Web analytics,  User Interaction,  Helper libraries.
  • 27. Just Before the Present - DOMinator  I wrote tool called DOMinator:  Modification of Firefox  Helps to track JavaScript flow during its execution  Alerts if there's some potentially exploitable flaw in the code.  Took first top 100 most visited sites, analyzed with it:  57 had at least some weakness in their JavaScript code.
  • 29. Present + Past  Past stuff is actually (Mostly) still here :)  Some effort from browser vendors to improve SOP:  Content Security Policy  Implemented by all browsers  Not widely used by web applications.  Unfortunately everything is happening on top of an old model. There’s more! New JavaScript frameworks and models are gaining interest.
  • 30. HTML Templating – Complex JS Models  Welcome to a new way to dynamically generate HTML page on the fly on the browser side!  Welcome HTML Templates  Welcome Client Side Full Dynamic Content  Welcome AngularJS and siblings!
  • 31. AngularJS – a New Sandbox to Escape From {{ qty * cost }} is not directly executed by the browser’s JS parser.  An expression parser is implemented on top of JS.  It’s actually a sandbox around JS implemented in JS.
  • 32. AngularJS – a New Sandbox to Escape From  Try to run {{alert(1)}}  Sandbox removes access to “dangerous objects” and their attributes.  Still often the Sandbox security is a long process to be refined in time.  Here’s a (mindblowing) Sandbox bypass (fixed): ''.sub.call.call( ({})["constructor"].getOwnPropertyDescriptor( ''.sub.__proto__, "constructor").value, null, "alert(1)" )() https://code.google.com/p/mustache-security/wiki/AngularJS
  • 33. AngularJS – a New Problem to Face  User content is completely generated on the client.  How can we create a PDF on the server side from the user’s page? 1. Extract the generated HTML 2. Send it to the server 3. Use a browser on the server to recreate the graphics 4. Convert it to PDF.
  • 34. AngularJS – a New Problem to Face  User content is completely generated on the client.  How can we create a PDF on the server side from the user’s page? 1. Extract the generated HTML 2. Send it to the server 3. Use a browser on the server to recreate the graphics
  • 35. PDF Generation from Complex Content  WebKit – Webkit2PDF  Other browser-based solutions.  What could go wrong with the following content? <iframe src="http://internalRouter/"></iframe>  Parsed by a browser on the server side?  Write access to the whole internal network, as if your browser were on the web server’s network!  Arbitrary Server Side Requests
  • 37. JavaScript in the full Web Stack!
  • 38. JavaScript on the Server Side.. Again!  JavaScript is used by hundreds of thousands of developers.  It's too popular. There's a new breakthrough.  NodeJS - JS on the server side. - Welcome back, 2003.  MongoDB: JavaScript on the DBMS layer
  • 39. JavaScript on the Server Side.. Again!
  • 40. JavaScript on the Server Side.. Again!  Request the following from a node application: Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff Node: { parameter: [ 'sss', 'fff' ] } Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff Node: { parameter: { XX: 'sss', YYY: 'fff' } }  Node takes the query string and transforms it into a nested JavaScript object.  Completely different from all other web servers!
  • 41. JavaScript on a DB! SQL Injection? Kind of  Is some other fancy server-side attack still possible? Let’s see. 1. Create a simple NodeJS + MongoDB application //MongoDB access from NodeJS User.findOne({user: req.body.user, pass: req.body.pass}, ... 2. Test the environment Client Request: user=aUserName&pass=aPassword Node sees it as: { user: 'aUserName', pass: 'aPassword' }
  • 42. JavaScript on a DB! SQL Injection? Kind of 3. Now look at the MongoDB manual and find the interesting parts. http://docs.mongodb.org/manual/reference/sql-comparison/ 4. Identify one of the many attacks that can be performed: Client Request: user[$ne]=aUserName&pass[$ne]=aPassword Node sees it as: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } } MongoDB sees it as: SELECT * from users where user != ‘aUsername’ and pass != ‘aPassword’;
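The parsing behaviour from slide 40 and the guard slide 42 calls for, in one runnable piece. This is an added example, not code from the slides or from Node/Express/MongoDB: `parseQuery` is a constructed approximation of the bracket-notation parsing, and `buildLoginFilter` is an assumed wrapper in front of the `findOne` call.

```javascript
// Added example, not from the slides: a small parser that mimics how the Node
// query-string parsing shown above turns bracket notation into nested objects
// (a constructed approximation, not the real Express/qs parser), and a guard
// that refuses to build a MongoDB filter from anything but plain strings.
function parseQuery(qs) {
  const out = Object.create(null);            // no prototype to pollute via __proto__
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = key.match(/^([^[\]]+)(?:\[([^[\]]*)\])?$/);
    if (!m) continue;
    const [, name, sub] = m;
    if (sub === undefined) {
      // repeated plain keys collapse into an array: ?p=a&p=b -> { p: ['a','b'] }
      out[name] = out[name] === undefined ? val : [].concat(out[name], val);
    } else {
      // bracket keys become nested objects: ?p[XX]=a -> { p: { XX: 'a' } }
      if (typeof out[name] !== 'object' || out[name] === null) out[name] = {};
      out[name][sub] = val;
    }
  }
  return out;
}

// Guard in front of the findOne call on the slide: every credential must be a
// plain string. An object such as { '$ne': 'x' } would otherwise reach MongoDB
// as a query operator and match documents the caller never intended.
function buildLoginFilter(body) {
  for (const field of ['user', 'pass']) {
    if (typeof body[field] !== 'string') {
      throw new TypeError(field + ' must be a string, got ' + typeof body[field]);
    }
  }
  return { user: body.user, pass: body.pass };
}
```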
  • 44. What’s going on?  Web as a gaming platform, no plugins (QuakeJS)  Possible to “compile” games written in C/C++ to asm.js (speed about 1.5x relative to native ones!)
  • 45. What’s going on? Mobile?  FirefoxOS (Mobile Applications in HTML5 + JS)
  • 46. What’s going on? Anything Left?  JS Internet of Things (JS interpreter on a chip). Projects about creating an operating system on top of NodeJS.
  • 47. Conclusions  We live in a world that changes faster than before.  New interesting technologies can get a huge user base in a few months.  When that happens, everything moves even faster, without giving the right time to understand the implications or the subtleties underneath them. Can you see it now?  JavaScript seems easy but, as usually happens, quality code means more than basic JS skills.  Things are getting even harder.  Yet we need talented people to break and build code and innovate as much as possible!
  • 48. Future?? I can’t even imagine how intricate the next years will be! And this is only one language!
  • 49. Thank you! /*Go and Exploit Ethically */ Q&A Twitter: @wisecwisec https://www.mindedsecurity.com Mail: stefano.dipaola@mindedsecurity.com