Caja "Ka-ha" Introduction

•

2 likes•546 views

yiming he

Technology

Outline Background Caja Introduction Caja Internal Learn By Example

Expose all information See what it should not see

Load viral script Can load any number viral scripts as it want

Forge id Ask for information from user as your id

Finnally Leak Send what it got to remote server

Caja Comes HTML , CSS , JavaScript Security Object Capability Javascript Safe subset of javascript Related Microsoft Web Sandbox FBJS YAHOO! Adsafe

Object Capabilty Caja use object-capability security model

What does it mean other callee caller Caller can call callee by reference Caller can not call other in global namespace

How to get reference creation or introduction

backend Rewrite source code to allow runtime check

frontend Runtime check at browser Object properties descriptor enhance Global prevent Wrap native DOM Iframed isolation

Simple example Sourcecode this.x=1;window.alert(2); Issues ?

$Compiled code: ___.loadModule({ 'instantiate':function(___, IMPORTS___){ vardis___ = IMPORTS___; varmoduleResult___, x0___; moduleResult___ = ___.NO_RESULT; dis___.x_w___ ===dis___?(dis___.x= 1):dis___.w___('x', 1); moduleResult___ =(x0___ =IMPORTS___.window_v___?IMPORTS___.window: ___.ri(IMPORTS___,'window'), x0___.alert_m___? x0___.alert(2): x0___.m___('alert',[ 2 ])); returnmoduleResult___; },$

Little note IMPORTS__ : runtime environment *_w__ : whether allowed to write w__ : intercept writing v__ : intercept getting *_m__ : whether allowed to call method m__ : intercept method

DOM example Source code document.body.style=‘color:red’; Issues ?

compiled vardis___ = IMPORTS___; varmoduleResult___, x0___, x1___; moduleResult___ = ___.NO_RESULT; moduleResult___ =(x1___ =(x0___ =IMPORTS___.document_v___? IMPORTS___.document: ___.ri(IMPORTS___,'document'), x0___.body_v___? x0___.body: x0___.v___('body')), x1___.style_w___ === x1___?(x1___.style ='color:red'): x1___.w___('style', 'color:red')); returnmoduleResult___;

Import KISSY Inject KISSY into IMPORT__ Source: KISSY.DOM.addClass(el,"x");

compiled vardis___ = IMPORTS___; varmoduleResult___, x0___, x1___, x2___; moduleResult___ = ___.NO_RESULT; moduleResult___ =(x1___ =(x0___ =IMPORTS___.KISSY_v___? IMPORTS___.KISSY: ___.ri(IMPORTS___,'KISSY'), x0___.DOM_v___? x0___.DOM: x0___.v___('DOM')), x2___ =IMPORTS___.el_v___? IMPORTS___.el: ___.ri(IMPORTS___,'el'), x1___.addClass_m___? x1___.addClass(x2___,'x'): x1___.m___('addClass',[ x2___,'x'])); returnmoduleResult___;

$How Tell IMPORTS__ to recognize KISSY.DOM.addClass as a function frameGroup.makeES5Frame(document.getElementById("theGadget2"), {/* Grant this gadget no network access */}, function(frame){ // Load and run the gadget frame.contentCajoled(code) .run({ KISSY:frameGroup.tame({ DOM:frameGroup.markFunction(function(){}) }) }); });$

Import others Class : Anim Instance method : Anim.proto.run Class : EventObject Intance member : EventObject.proto.target …etc

Refer Caja http://code.google.com/p/google-caja/ YAP http://developer.yahoo.com/yap/guide/caja-support.html http://developer.yahoo.com/yap/guide/what-are-cajas-limitations.html TAOBAO SHOP http://shopxxx.taobao.com

What's hot

Web HackingInformation Technology

MITM Attacks on HTTPS: Another PerspectiveGreenD0g

2013 OWASP Top 10bilcorry

Securing your AngularJS ApplicationPhilippe De Ryck

Cross Site Scripting Defense Presentation Ikhade Maro Igbape

Xss (cross site scripting)vinayh.vaghamshi _

Reflective and Stored XSS- Cross Site ScriptingInMobi Technology

Hacking the WebMike Crabb

Web Hacking IntroAditya Kamat

Top Ten Web Hacking Techniques (2008)Jeremiah Grossman

Web Application Security in front endErlend Oftedal

Dzhengis 93098 ajax - securitydzhengo44

Web Security 101Michael Peters

Secure Code Warrior - Local storageSecure Code Warrior

RSA Europe 2013 OWASP TrainingJim Manico

Cross site scripting attacks and defensesMohammed A. Imran

Secure code practicesHina Rawal

XSS and CSRF with HTML5Shreeraj Shah

API Security : Patterns and PracticesPrabath Siriwardena

Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff

What's hot (20)

Web Hacking

MITM Attacks on HTTPS: Another Perspective

2013 OWASP Top 10

Securing your AngularJS Application

Cross Site Scripting Defense Presentation

Xss (cross site scripting)

Reflective and Stored XSS- Cross Site Scripting

Hacking the Web

Web Hacking Intro

Top Ten Web Hacking Techniques (2008)

Web Application Security in front end

Dzhengis 93098 ajax - security

Web Security 101

Secure Code Warrior - Local storage

RSA Europe 2013 OWASP Training

Cross site scripting attacks and defenses

Secure code practices

XSS and CSRF with HTML5

API Security : Patterns and Practices

Top 10 Web Security Vulnerabilities (OWASP Top 10)

Similar to Caja "Ka-ha" Introduction

JSFoo Chennai 2012Krishna T

Secure web messaging in HTML5Krishna T

[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE

Penetration testing web application web application (in) securityNahidul Kibria

4.Xssphanleson

Locking the Throneroom 2.0Mario Heiderich

Javascript Securityjgrahamc

[Poland] It's only about frontendOWASP EEE

Rich Web App Security - Keeping your application safeJeremiah Grossman

Starwest 2008Caleb Sima

eXploitable Markup Languagesghctoma

Everybody loves html5,h4ck3rs tooNahidul Kibria

Top Ten Web Hacking Techniques – 2008Jeremiah Grossman

Html5 hackingIftach Ian Amit

Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic

Talk about html5 securityHuang Toby

W3 conf hill-html5-security-realitiesBrad Hill

Hacking Client Side Insecuritiesamiable_indian

Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil

PHPUG PresentationDamon Cortesi

Similar to Caja "Ka-ha" Introduction (20)

JSFoo Chennai 2012

Secure web messaging in HTML5

[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...

Penetration testing web application web application (in) security

4.Xss

Locking the Throneroom 2.0

Javascript Security

[Poland] It's only about frontend

Rich Web App Security - Keeping your application safe

Starwest 2008

eXploitable Markup Language

Everybody loves html5,h4ck3rs too

Top Ten Web Hacking Techniques – 2008

Html5 hacking

Drive By Downloads: How To Avoid Getting a Cap Popped in Your App

Talk about html5 security

W3 conf hill-html5-security-realities

Hacking Client Side Insecurities

Owasp Top 10 - Owasp Pune Chapter - January 2008

PHPUG Presentation

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal

Scaling API-first – The story of a global engineering organizationRadu Cotescu

Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi

Partners Life - Insurer Innovation Award 2024The Digital Insurer

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions

Automating Google Workspace (GWS) & more with Apps Scriptwesley chun

TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc

Real Time Object Detection Using Open CVKhem

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

Artificial Intelligence: Facts and MythsJoaquim Jorge

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j

Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez

Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

🐬 The future of MySQL is Postgres 🐘RTylerCroy

Recently uploaded (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Scaling API-first – The story of a global engineering organization

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Partners Life - Insurer Innovation Award 2024

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Top 10 Most Downloaded Games on Play Store in 2024

Automating Google Workspace (GWS) & more with Apps Script

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Real Time Object Detection Using Open CV

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Data Cloud, More than a CDP by Matt Robison

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Axa Assurance Maroc - Insurer Innovation Award 2024

Artificial Intelligence: Facts and Myths

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - The value of a flexible API Management solution for O...

🐬 The future of MySQL is Postgres 🐘

Caja "Ka-ha" Introduction

1. Caja"KA-ha” yiminghe@gmail.com 承玉 2011-09-20 Draft

2. Outline Background Caja Introduction Caja Internal Learn By Example

3. Javascriptis dangerous ?

4. Stealing cookies

5. DDOS Make requests to your server

6. Expose all information See what it should not see

7. Load viral script Can load any number viral scripts as it want

8. Forge id Ask for information from user as your id

9. Finnally Leak Send what it got to remote server

10. So ?

11. But

12. Caja Comes HTML , CSS , JavaScript Security Object Capability Javascript Safe subset of javascript Related Microsoft Web Sandbox FBJS YAHOO! Adsafe

13. Sanitize

14. YAP

15. Make app safe

16. Object Capabilty Caja use object-capability security model

17. What does it mean other callee caller Caller can call callee by reference Caller can not call other in global namespace

18. How to get reference creation or introduction

19. Internals Backend frontend

20. backend Rewrite source code to allow runtime check

21. frontend Runtime check at browser Object properties descriptor enhance Global prevent Wrap native DOM Iframed isolation

22. Iframed isolation

23. frontend

24. Learn By Example

25. Simple example Sourcecode this.x=1;window.alert(2); Issues ?

26. Compiled code: ___.loadModule({ 'instantiate':function(___, IMPORTS___){ vardis___ = IMPORTS___; varmoduleResult___, x0___; moduleResult___ = ___.NO_RESULT; dis___.x_w___ ===dis___?(dis___.x= 1):dis___.w___('x', 1); moduleResult___ =(x0___ =IMPORTS___.window_v___?IMPORTS___.window: ___.ri(IMPORTS___,'window'), x0___.alert_m___? x0___.alert(2): x0___.m___('alert',[ 2 ])); returnmoduleResult___; },

27. Little note IMPORTS__ : runtime environment *_w__ : whether allowed to write w__ : intercept writing v__ : intercept getting *_m__ : whether allowed to call method m__ : intercept method

28. DOM example Source code document.body.style=‘color:red’; Issues ?

29. compiled vardis___ = IMPORTS___; varmoduleResult___, x0___, x1___; moduleResult___ = ___.NO_RESULT; moduleResult___ =(x1___ =(x0___ =IMPORTS___.document_v___? IMPORTS___.document: ___.ri(IMPORTS___,'document'), x0___.body_v___? x0___.body: x0___.v___('body')), x1___.style_w___ === x1___?(x1___.style ='color:red'): x1___.w___('style', 'color:red')); returnmoduleResult___;

30. Import KISSY Inject KISSY into IMPORT__ Source: KISSY.DOM.addClass(el,"x");

31. compiled vardis___ = IMPORTS___; varmoduleResult___, x0___, x1___, x2___; moduleResult___ = ___.NO_RESULT; moduleResult___ =(x1___ =(x0___ =IMPORTS___.KISSY_v___? IMPORTS___.KISSY: ___.ri(IMPORTS___,'KISSY'), x0___.DOM_v___? x0___.DOM: x0___.v___('DOM')), x2___ =IMPORTS___.el_v___? IMPORTS___.el: ___.ri(IMPORTS___,'el'), x1___.addClass_m___? x1___.addClass(x2___,'x'): x1___.m___('addClass',[ x2___,'x'])); returnmoduleResult___;

32. How Tell IMPORTS__ to recognize KISSY.DOM.addClass as a function frameGroup.makeES5Frame(document.getElementById("theGadget2"), {/* Grant this gadget no network access */}, function(frame){ // Load and run the gadget frame.contentCajoled(code) .run({ KISSY:frameGroup.tame({ DOM:frameGroup.markFunction(function(){}) }) }); });

33. Import others Class : Anim Instance method : Anim.proto.run Class : EventObject Intance member : EventObject.proto.target …etc

34. Demo

35. Refer Caja http://code.google.com/p/google-caja/ YAP http://developer.yahoo.com/yap/guide/caja-support.html http://developer.yahoo.com/yap/guide/what-are-cajas-limitations.html TAOBAO SHOP http://shopxxx.taobao.com

36. Thank you

Caja "Ka-ha" Introduction

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Caja "Ka-ha" Introduction

Similar to Caja "Ka-ha" Introduction (20)

More from yiming he

More from yiming he (20)

Recently uploaded

Recently uploaded (20)

Caja "Ka-ha" Introduction