JavaScript is the most widely used language across platforms. This talk analyzes the security concerns from past to present, with a peek into the future of this important language. This talk was presented as Keynote at CyberCamp Espana 2014.
(In)Security Implication in the JS Universe
1. Cyber Camp 2014
(In)Security Implications in
JavaScript Universe
Stefano Di Paola, CTO Minded Security
2. $ whoami
Stefano Di Paola @WisecWisec
Research (Spare Time)
- Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
- Software Security Since '99
- Dealing with JavaScript since 2006
Work
- CTO @ Minded Security Application Security Consulting
- Director of Minded Security Research Labs
3. What's this talk about
- Birth and rise of an important language.
- The security implications around it.
- Try to use the JavaScript phenomenon to understand some things about security and the real world.
- I won't say JavaScript is insecure. It'd be complete nonsense.
4. Brief History Of JS - 1990-2000
1990: Only HTML
1996: JavaScript is in the browser
1999: Ajax
6. Brief History 2009-2014
- Browser vendors are pushing new features:
  - improving speed
  - graphics capabilities
  - sound
- Sounds like a plan!
- ...and guess what's the glue? JavaScript of course!
9. 1996 - Why JS became so important?
- Improves the user experience during browsing.
- On the other side, gives a way to:
  - read
  - create
  - modify
  - delete page content.
10. Browser with new Powers
I mean.
- Without JavaScript a browser was just an HTML parser (not only, I know..).
- With JavaScript a browser has a whole new playground.
- Can those features be abused?
11. Browser with new Powers - Risks
- The browser now has to protect, some way:
  - User remote data: WebSite A (evil) tries to read/modify/etc. content of WebSite B (victim), abusing the victim's browser.
  - User local data: a malicious site could try to access disk files.
User Data is gone
12. Browser with new Powers - SOP
- The concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995.
- Same Origin Policy: an origin is identified by scheme, host and port, e.g. http://evil.com:80
- Implementation of access control rules in a hostile environment is also known as a Sandbox.
13. Subverting the SandBox - The old style
"<html>.." + taintedInput + "..</html>"
taintedInput = <script>evilJs</script>
Result: <html>..<script>evilJs</script>..</html>
14. Subverting the SandBox - The old-new style
- Abuse the functionalities of a plugin that
  - behaves differently from the browser,
  - gives too much power without controls,
  in order to access data, whatever the browser rules are.
Universal Cross Site Scripting
15. Subverting the SandBox - Acrobat Reader Plugin
- Example: Acrobat Reader Plugin UXSS 2006
- Suppose a pdf is reachable from:
  http://www.google.com/doc.pdf
  The attacker adds:
  http://www.google.com/doc.pdf?fdf=javascript:evilJS...
  and forces the victim's browser to visit the URL.
  The plugin executes the JavaScript as if it originated from google.com.
- What happens when a user just has some pdf on their PC?
- An attacker could access the whole filesystem!
16. Subverting the SandBox - The old-new-new style
- Browser Extensions:
  - JavaScript running in extensions has much more power than on HTML pages.
  - Can be developed by anyone.
  - Could be malicious.
  - ..or simply badly written (vulnerable to external attacks).
  - Very similar to the plugin model but easier to develop.
  - Any user can install them.
  - Useful for lots of stuff (Gmail inbox checking, Ad Block etc.)
18. Yay! Look Ma' I'm on the Server Side!
- An early implementation of JavaScript on the server side, but the results were not so nice:
var year=eval("date['"+request["params"]["year"]+"'];");
- Became a Remote Code Execution!
http://host/?year='+response.write(system("cat /etc/passwd"))+'
This was a bank web application (implemented in 2003, tested by me in 2008).
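The same lookup, as an added example that is not the bank application's code: the eval-based shape the slide shows next to a version that validates the parameter and never builds code from input. The `date` table and its values are a constructed sample.

```javascript
// Constructed sample of the lookup table the slide's code indexes by year.
const date = { '2007': 'report-2007.pdf', '2008': 'report-2008.pdf' };

// Shape shown on the slide: request data is spliced into a string of code
// and evaluated, so a single quote in the parameter closes the string
// literal and whatever follows runs as JavaScript on the server.
function yearViaEval(params) {
  return eval("date['" + params.year + "'];");
}

// Hardened lookup: reject anything that is not a four-digit string, then
// read an own property of the table. No code is ever built from input.
function yearSafe(params) {
  const y = params.year;
  if (typeof y !== 'string' || !/^\d{4}$/.test(y)) {
    throw new RangeError('year must be a four-digit string');
  }
  return Object.prototype.hasOwnProperty.call(date, y) ? date[y] : undefined;
}
```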
20. Mo' Money Mo' Trouble
- It's around 2005.
- A new interesting thing happens.
- JavaScript + Ajax increase the number of commercial web applications.
- The cost of computers lowers.
- The platforms are converging to a common one: the browser.
- Big user base > Big money > Crime > Profit
22. Man In The Browser - Banking Malware
- In 2005 the use of viruses to hook the browser's interaction with banking websites was theorized for the first time.
- Takes advantage of the common interface the browser gives.
- Changes the page on the fly.
- It's a win-win. Browser rules are completely subverted!
- Perfect Sandbox Bypass
25. Yay! Look Ma' I'm in a telephone!
- Every mobile OS lets developers use a so-called webview.
- It's 2011: iOS Skype HTML injection in the username visualization. Led to access to whatever the app can access.
https://www.superevr.com/blog/2011/xss-in-skype-for-ios/
26. Just Before the Present - The JavaScript Situation
- It's 2011.
- Websites are full of JavaScript coming from:
  - Advertising,
  - Web analytics,
  - User interaction,
  - Helper libraries.
27. Just Before the Present - DOMinator
- I wrote a tool called DOMinator:
  - Modification of Firefox
  - Helps to track JavaScript flow during its execution
  - Alerts if there's some potentially exploitable flaw in the code.
- Took the top 100 most visited sites and analyzed them with it:
  - 57 had at least some weakness in their JavaScript code.
29. Present + Past
- Past stuff is actually (mostly) still here :)
- Some effort from browser vendors to improve SOP:
  - Content Security Policy
  - Implemented by all browsers
  - Not widely used by web applications.
- Unfortunately everything is happening on top of an old model.
- There's more! New JavaScript frameworks and models are gaining interest.
30. HTML Templating - Complex JS Models
- Welcome to a new way to dynamically generate the HTML page on the fly, on the browser side!
- Welcome HTML Templates
- Welcome Client Side Full Dynamic Content
- Welcome AngularJS and siblings!
31. AngularJS - a New Sandbox to Escape From
- {{ qty * cost }}
- Not directly executed by the browser's JS parser.
- An expression parser is implemented on top of JS.
- It's actually a Sandbox around JS, implemented in JS.
32. AngularJS - a New Sandbox to Escape From
- Try to run {{alert(1)}}
- The Sandbox removes access to "dangerous objects" and their attributes.
- Still, Sandbox security is often a long process, refined over time.
- Here's a (mindblowing) Sandbox bypass (fixed):
''.sub.call.call(
  ({})["constructor"].getOwnPropertyDescriptor(
    ''.sub.__proto__, "constructor").value,
  null,
  "alert(1)" )()
https://code.google.com/p/mustache-security/wiki/AngularJS
33. AngularJS - a New Problem to Face
- User content is completely generated on the client.
- How can we create a pdf on the server side using the user page?
1. Extract the generated HTML
2. Send it to the server
3. Use a browser on the server to recreate the graphics
4. Convert it to PDF.
35. PDF Generation from Complex Content
- WebKit - Webkit2PDF
- Other browser based solutions.
- What could go wrong with the following content?
<iframe src="http://internalRouter/"></iframe>
- Parsed by a browser on the server side?
- Write access to the whole internal network, as if you had access with your browser to the web server's network!
- Arbitrary Server Side Requests
38. JavaScript on the Server Side.. Again!
- JavaScript is used by hundreds of thousands of developers.
- It's too popular.
- There's a new breakthrough.
- NodeJS - JS on the server side. Welcome back 2003.
- MongoDB: JavaScript on the DBMS layer
40. JavaScript on the Server Side.. Again!
- Request the following from a node application:
Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff
Node: { parameter: [ 'sss', 'fff' ] }
Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff
Node: { parameter: { XX: 'sss', YYY: 'fff' } }
- Node gets the query string and transforms it into JavaScript Object Notation (JSON).
- Completely different from all other web servers!
41. JavaScript on a DB! SQL Injection? Kind Of
- Is some other fancy server side attack still possible?
- Let's see.
1. Create a simple nodeJS + MongoDB application
//MongoDB Access from NodeJS
User.findOne({user: req.body.user, pass: req.body.pass},...
2. Test the environment
Client Request: user=aUserName&pass=aPassword
Node sees as: { user: 'aUserName', pass: 'aPassword' }
42. JavaScript on a DB! SQL Injection? Kind Of
3. Now look at the MongoDB manual and find the interesting parts.
http://docs.mongodb.org/manual/reference/sql-comparison/
4. Identify one of the many attacks that can be performed:
Client Request: user[$ne]=aUserName&pass[$ne]=aPassword
Node sees as: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }
MongoDB sees as: SELECT * from users where user != 'aUsername' and pass != 'aPassword';
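The query-string behaviour of slide 40 and the operator injection of slides 41-42, as an added example that is not code from the talk or from any Node framework: a minimal stand-in for the bracket-notation parsing that Express's qs-based body/query parser performs (the real library handles far more), followed by the login filter in its vulnerable and hardened forms. The request strings are the ones on the slides.

```javascript
// Minimal stand-in for bracket-notation parsing: one level of name[sub],
// repeated plain keys collected into an array. Not the real qs library.
function parseNested(query) {
  const out = Object.create(null);   // null prototype: no __proto__ pollution
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = /^([^[\]]+)\[([^\]]*)\]$/.exec(key);
    if (!m) {
      // a repeated plain key becomes an array, as slide 40 shows
      out[key] = key in out ? [].concat(out[key], val) : val;
      continue;
    }
    const [, name, sub] = m;
    if (typeof out[name] !== 'object' || out[name] === null) out[name] = Object.create(null);
    out[name][sub] = val;
  }
  return out;
}

// Vulnerable: whatever shape the client sent goes straight into findOne().
// With user[$ne]=x the value is an object carrying a query operator.
function vulnerableFilter(body) {
  return { user: body.user, pass: body.pass };
}

// Hardened: operators only work when the value is an object, so insisting
// on plain strings (or casting with String()) closes this injection class.
function safeFilter(body) {
  if (typeof body.user !== 'string' || typeof body.pass !== 'string') {
    throw new TypeError('user and pass must be strings');
  }
  return { user: body.user, pass: body.pass };
}

// Plain JSON view of a parsed query, handy for logging what the app would see.
function asJson(obj) {
  return JSON.stringify(obj);
}
```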
44. What's going on?
- Web as a gaming platform, no plugins (QuakeJs)
- Possible to "compile" games written in C/C++ to asm.js. (Speed 1.5 with respect to native ones!)
46. What's going on? Anything Left?
- JS Internet of Things (JS interpreter in a chip).
- Projects about creating an operating system on top of nodeJS.
47. Conclusions
- We live in a world that changes faster than before.
- New interesting technologies could get a huge user base in a few months.
- When it happens, everything moves even faster,
- without giving the right time to understand the implications or the subtleties underneath them.
(slide overlay: Can you See it Now?)
- JavaScript seems easy, but as usually happens, quality code means more than basic JS skills.
- Things are getting even harder.
- Yet we need talented people to break and build code and innovate as much as possible!
48. Future??
I can't even imagine how much more intricate the next years will be!
And this is only one language!