![Page 1: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/1.jpg)
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Advanced Ajax Security
Billy Hoffman ([email protected])
Manager, HP Security Labs
![Page 2: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/2.jpg)
2
Who am I?
• Manager, HP Security Labs
• In the security space for 6 years
• CS degree from Georgia Tech
• Areas of focus
  − Crawling and sampling
  − JavaScript static analysis
  − XSS
• Frequent presenter at hacker/security conferences
![Page 3: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/3.jpg)
Presentation Overview
• Manipulating client-side logic
• Defeating logic protection techniques
• Function hijacking
• JSON hijacking
• Hacking Google Gears
3 April 12, 2023
![Page 4: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/4.jpg)
“Boring” Ajax Security
• Increased attack surface
• Direct API access
• Easier to reverse engineer
• Amplifying web attacks
• Offline attacks
• “Surely no one actually does this, right?”
![Page 5: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/5.jpg)
Sexy Ajax Security
• Sample Ajax travel website
• Built using “expert” advice
  − Popular books
  − Articles/how-tos
  − Forums
• Riddled with security defects
![Page 6: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/6.jpg)
API Domino Effect
• The purchase flow as exposed to the client, one API call per step:
  holdSeat(flightID)
  makeOffer(price, flightID)
  debitAccount(price)
  bookSeat(flightID)
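The slide names the four calls but not what goes wrong when each is its own endpoint. The following is an added example, not code from the slides or from the sample travel site: a Node.js mock of the granular API beside a version that does the whole purchase in one server-side method. Everything here is constructed (the seat price, the account balance, the flight IDs and the name purchaseSeat are all invented for the demo).

```javascript
// Added example (not from the original slides). The insecure server exposes
// each step of the purchase as its own call and trusts the client to invoke
// them in order with honest values. The secure server performs the whole
// purchase inside one method, so ordering, pricing and payment are enforced
// where the client cannot touch them.

const SEAT_PRICE = 300;          // constructed fixture
const STARTING_BALANCE = 1000;   // constructed fixture

function makeInsecureServer() {
  const state = { held: new Set(), offers: new Map(), booked: new Set(), balance: STARTING_BALANCE };
  return {
    // Hold with no expiry and no matching release in the same call.
    holdSeat(flightID) { state.held.add(flightID); return true; },
    // The client proposes the price; the server merely records it.
    makeOffer(price, flightID) { state.offers.set(flightID, price); return true; },
    debitAccount(price) { state.balance -= price; return true; },
    // Nothing checks that debitAccount ran, or for how much.
    bookSeat(flightID) { state.booked.add(flightID); return true; },
    state,
  };
}

function makeSecureServer() {
  const state = { booked: new Set(), balance: STARTING_BALANCE };
  return {
    // One transaction: the server fixes the price and the order of steps.
    purchaseSeat(flightID) {
      if (state.booked.has(flightID)) return { ok: false, reason: "already booked" };
      if (state.balance < SEAT_PRICE) return { ok: false, reason: "insufficient funds" };
      state.balance -= SEAT_PRICE;   // debit and booking happen together, server-side
      state.booked.add(flightID);
      return { ok: true, charged: SEAT_PRICE };
    },
    state,
  };
}

// Attacker against the granular API: offer $1 and skip the debit entirely.
function attackInsecure() {
  const api = makeInsecureServer();
  api.holdSeat("HP123");
  api.makeOffer(1, "HP123");
  api.bookSeat("HP123");       // debitAccount is never called
  return { booked: api.state.booked.has("HP123"), balance: api.state.balance };
}

// Second abuse: hold every seat and never release or pay.
function hoardSeats() {
  const api = makeInsecureServer();
  ["HP1", "HP2", "HP3"].forEach(id => api.holdSeat(id));
  return api.state.held.size;
}

// Same attacker against the single-method API: the only path charges full price.
function attackSecure() {
  const api = makeSecureServer();
  const r = api.purchaseSeat("HP123");
  return { booked: api.state.booked.has("HP123"), balance: api.state.balance, charged: r.charged };
}

// attackInsecure() → { booked: true, balance: 1000 }   (a free seat)
// hoardSeats()     → 3                                  (three seats held, nothing bought)
// attackSecure()   → { booked: true, balance: 700, charged: 300 }
```

The fix is not "validate the price in makeOffer"; it is to stop exposing the individual steps at all, which is what the take-aways later in the deck mean by enforcing control flow on the server and matching allocations with frees in the same method.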
![Page 7: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/7.jpg)
Overly Granular Application API
Insecure
More secure
![Page 8: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/8.jpg)
Polling Status Call
![Page 9: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/9.jpg)
Real-world Example
![Page 10: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/10.jpg)
Web 1.0 to Web 2.0 Conversion
![Page 11: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/11.jpg)
Premature Ajax-ulation!
![Page 12: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/12.jpg)
Exposed Administrative API
Malicious use
Intended use
![Page 13: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/13.jpg)
Defeating Logic Protection
• Obfuscation
• Lazy loading
![Page 14: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/14.jpg)
All Your Obfuscation Are Belong To Us!
![Page 15: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/15.jpg)
On-Demand JavaScript
• How do you debug code if you don’t have all of it?
• Firebug cannot debug dynamically loaded code
  − JSON responses
  − Remote scripting
  − Lazy loading
• “View Source” vs. “View Generated Source”
• Need a way to monitor the JavaScript environment
![Page 16: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/16.jpg)
Understanding JavaScript Variable Scope
• Everything behaves like an object
  − Primitives (strings, numbers, regexps)
  − Functions
• All global variables and functions are properties of the global object
• The global object is provided by the environment
• In a web browser the global object is window
• Can we enumerate it?
![Page 17: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/17.jpg)
Example Code
```js
function BogusFunction1() {
  // empty function
}
function BogusFunction2() {
  // empty function
}
var ret = "";
for (var i in window) {
  if (typeof(window[i]) == "function") {
    ret += i + "\n";
  }
}
alert(ret);
```
![Page 18: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/18.jpg)
Enumerating All Functions
![Page 19: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/19.jpg)
HOOK: JavaScript Monitoring Framework
• Enumerates the environment and traps on-demand code
• Side-steps obfuscation
• Reads from the environment itself
• Demo
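The slide describes HOOK but the transcript carries no code for it. As an added example (not the HOOK tool itself), here is the core mechanism such a monitor relies on: enumerate every function reachable from the global object, as the earlier for..in loop does, replace each with a wrapper that records calls and then forwards to the original, and re-run the pass after lazily loaded code arrives. `env` is a plain object standing in for `window`, and the page functions, including the obfuscated `_0xa1`, are constructed for the demo.

```javascript
// Added example (not from the original slides). A minimal JavaScript
// monitoring hook in the spirit of HOOK: it reads the environment itself,
// so obfuscated names and lazily loaded code make no difference.

// Same walk as the slide's for..in over window, skipping functions we
// have already wrapped.
function enumerateFunctions(env) {
  const names = [];
  for (const name in env) {
    if (typeof env[name] === "function" && !env[name].__hooked) names.push(name);
  }
  return names;
}

// Replace each function with a logging wrapper; returns how many were hooked.
function installHooks(env, log) {
  let count = 0;
  for (const name of enumerateFunctions(env)) {
    const original = env[name];
    const wrapper = function (...args) {
      const result = original.apply(this, args);
      log.push({ name, args: args.slice(), result });
      return result;
    };
    wrapper.__hooked = true;        // marker so a second pass skips this wrapper
    wrapper.__original = original;  // keep the original reachable for the analyst
    env[name] = wrapper;
    count++;
  }
  return count;
}

// Constructed "page": two functions present at load time and a third that an
// on-demand script adds afterwards (as eval'd JSON or remote scripting would).
function demo() {
  const env = {
    _0xa1(x) { return x * 2; },                   // obfuscated name, still hookable
    holdSeat(flightID) { return "held:" + flightID; },
  };
  const log = [];
  const first = installHooks(env, log);           // 2 functions hooked
  env.holdSeat("HP123");
  env._0xa1(21);
  env.debitAccount = function (price) { return price > 0; };   // lazily loaded code
  const second = installHooks(env, log);          // only the new function is hooked
  env.debitAccount(300);
  return {
    first,
    second,
    calls: log.map(e => e.name + "(" + e.args.join(",") + ")=" + e.result),
  };
}
// demo() → { first: 2, second: 1,
//            calls: ["holdSeat(HP123)=held:HP123", "_0xa1(21)=42", "debitAccount(300)=true"] }
```

In a browser the same loop over `window` has to tolerate host objects that throw on property access; a real tool wraps the `typeof` test in try/catch and also hooks constructors such as XMLHttpRequest so it sees the on-demand code being fetched, not only the functions it defines.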
![Page 20: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/20.jpg)
Take Aways: Client-side Code
• Client-side code is just a suggestion!
• Client-side code cannot be protected, encrypted, or obfuscated
• Store all secrets on the server
• Enforce control flow on the server
• Always match allocations with frees in the same server-side method (e.g. hold and release a seat within one call, so a client cannot hold without ever releasing)
• Use server-side locking to prevent race condition vulnerabilities
![Page 21: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/21.jpg)
JavaScript Function Clobbering
• Highly dynamic language
• Typeless, with dynamic execution paths
• Code can redefine itself at runtime
![Page 22: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/22.jpg)
JavaScript Namespaces
• Namespaces prevent accidental collisions
• Solution: make functions properties of objects
```js
// "var com.SomeSite.common = {};" is not legal JavaScript; build the chain explicitly
var com = com || {};
com.SomeSite = com.SomeSite || {};
com.SomeSite.common = {};
com.SomeSite.common.debug = function () { /* … */ };
com.SomeSite.common.debug();

com.SexyWidgets = {};
com.SexyWidgets.debug = function () { /* … */ };
com.SexyWidgets.debug();
```
![Page 23: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/23.jpg)
JavaScript Namespaces
![Page 24: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/24.jpg)
Intentional Function Clobbering
• Attacker deliberately clobbers functions
• What kind of functions can you clobber?
  − User-defined functions?
  − System functions?
• Demo
![Page 25: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/25.jpg)
Clobbering System Functions: alert()
![Page 26: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/26.jpg)
Prototype’s Ajax.Request()
![Page 27: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/27.jpg)
Limitless Clobbering Possibilities
• Can clobber anything
• Automatic man in the middle
• Other targets
  − Dojo.Storage
  − Callback functions
  − Encryption functions?
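The slides demo clobbering Prototype's Ajax.Request and point out that namespacing does not help, but the transcript has no code for either. The following is an added example, not the slides' demo and not the real Prototype library: `Ajax.Request` is a constructed mock with the same call shape, `com.SomeSite.common.debug` is the namespaced function from the earlier slide, and `sink` stands for wherever the attacker ships stolen data. It shows the "automatic man in the middle": the page keeps working because every wrapper forwards to the original.

```javascript
// Added example (not from the original slides). Intentional function
// clobbering: replace a library entry point and a namespaced application
// function with wrappers that copy everything to an attacker-controlled sink
// and then forward to the original, so the page behaves normally.

// Constructed page: a mock of Prototype's Ajax.Request plus the namespaced
// debug function from the JavaScript Namespaces slide.
function makePage() {
  const Ajax = {
    sent: [],
    Request: function (url, options) {
      this.url = url;
      this.options = options;
      Ajax.sent.push({ url, body: options.parameters });   // a real one would issue the XHR
    },
  };
  const com = { SomeSite: { common: {
    debug: function (msg) { return "debug:" + msg; },
  } } };
  return { Ajax, com };
}

// Attacker code, e.g. delivered through XSS or a compromised third-party script.
function clobber(page, sink) {
  const realRequest = page.Ajax.Request;
  page.Ajax.Request = function (url, options) {
    // Every request the page makes passes through here first: read it,
    // or alter it, before the library sees it.
    sink.push({ kind: "request", url, body: options && options.parameters });
    return realRequest.call(this, url, options);
  };
  page.Ajax.Request.prototype = realRequest.prototype;   // keep `new Ajax.Request(...)` working

  // Namespacing stops accidental collisions, not deliberate reassignment.
  const realDebug = page.com.SomeSite.common.debug;
  page.com.SomeSite.common.debug = function (msg) {
    sink.push({ kind: "debug", msg });
    return realDebug.call(this, msg);
  };
}

function demo() {
  const page = makePage();
  const sink = [];                 // would be exfiltrated by the attacker
  clobber(page, sink);
  // Legitimate page code, unchanged and unaware of the wrappers.
  new page.Ajax.Request("/api/debitAccount", { parameters: "price=300&card=4111111111111111" });
  const out = page.com.SomeSite.common.debug("session=abc123");
  return { sink, sent: page.Ajax.sent.length, out };
}
// demo().sink → [ { kind: "request", url: "/api/debitAccount", body: "price=300&card=..." },
//                 { kind: "debug", msg: "session=abc123" } ]
```

The same pattern applies to the other targets on the slide: a clobbered storage API (Dojo.Storage) sees every value written, a clobbered callback sees every response, and a clobbered client-side "encryption" function sees the plaintext, which is why the deck's take-away is that nothing on the client can keep a secret from script running in the same page.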
![Page 28: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/28.jpg)
The Myth of the Same Origin Policy
• Myth: the Same Origin Policy prevents JavaScript from seeing 3rd-party content
• Fact: it only partly does. Cross-origin signals still reach the page through
  − Remote scripting (<script src> pointing at another origin)
  − Image and iframe events (JavaScript port scanning)
  − 3rd-party plug-in communications
![Page 29: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/29.jpg)
JSON Hijacking
• JSON is a valid subset of JavaScript
• eval() can be used to “see” the response
• Could remote scripting (<script src>) be used to read JSON web services?
![Page 30: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/30.jpg)
JSON Hijacking
```html
<script type="text/javascript">
[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],
  95120657, true],
 ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],
  19200435, false],
 ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],
  74905862, true],
 ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"],
  90398623, true]];
</script>
```
![Page 31: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/31.jpg)
JSON Hijacking
• How does the JS interpreter handle literals?
```js
[9,4,3,1,33,7,2].sort();
```
• Creates a temporary Array object
  − Invokes the Array() constructor function
• Executes the sort() function
• The result is never assigned to a variable
• It is garbage collected away
![Page 33: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/33.jpg)
JSON Hijacking
• Clobber the Array() function with a malicious version
• Use <script src> to point at the JSON web service
• The malicious Array() function harvests the data that comes back!
```js
function Array() {
  var foo = this;
  var bar = function () {
    var ret = "Captured array items are: [";
    for (var x in foo) {
      ret += foo[x] + ", ";
    }
    ret += "]";
    // notify an attacker here
  };
  // the literal's elements are filled in after the constructor returns, so read them a moment later
  setTimeout(bar, 100);
}
```
This trick depends on the engine resolving an array literal through the page's (clobbered) global Array binding. Firefox 2 did; current engines construct literals with the built-in intrinsic and ignore the override, so this exact harvesting code no longer fires. The underlying exposure is unchanged: anything served as valid JavaScript to a cross-origin <script src> is readable by that page, which is why the defenses that follow still matter.
![Page 34: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/34.jpg)
JSON Hijacking Example
![Page 35: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/35.jpg)
JSON Hijacking Example
![Page 36: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/36.jpg)
JSON Hijacking Defense
• XMLHttpRequest can see the raw response and operate on it before eval()ing it
• <script src> cannot!
• Prefix the JSON response with something that neutralizes it when loaded as a script
• The page's own XHR code strips the prefix before parsing
• <script src> fails!
![Page 37: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/37.jpg)
Bad Approach #1
```html
<script type="text/javascript">
I'/\/\ a bl0ck of inva1id $ynT4x! WHOO!
[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],
  95120657, true],
 ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],
  19200435, false],
 ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],
  74905862, true],
 ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"],
  90398623, true]];
</script>
```
![Page 38: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/38.jpg)
Bad Approach #2
```html
<script type="text/javascript">
/*
["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
*/
</script>
```
![Page 39: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/39.jpg)
Bad Approach #2
A user-supplied value containing */ closes the comment, and everything after it runs as code:
```html
<script type="text/javascript">
/*
["Eve*/["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"]/*Nidhi"]
*/
</script>
```
![Page 40: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/40.jpg)
Correct Approach
```html
<script type="text/javascript">
for(;;);
["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
</script>
```
![Page 41: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/41.jpg)
Correct Approach
```js
function defangJSON(json) {
  if (json.substring(0, 8) == "for(;;);") {
    json = json.substring(8);
  }
  return json;
}
var safeJSONString = defangJSON(xhr.responseText);
// the slides used the json.js String.prototype.parseJSON() extension; JSON.parse is the modern equivalent
var jsonObject = JSON.parse(safeJSONString);
```
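To make the comparison between the comment approach and the for(;;); prefix concrete, here is an added example that is not code from the slides: the server side of the correct approach (`wrapForXhr`), a client-side `defangJSON` that, unlike the slide's version, fails closed when the prefix is missing, the comment wrapper of Bad Approach #2, and a crude helper `liveCode` (constructed for this demo) that strips block comments to show how much of a response would actually execute. Because a real JSON encoder escapes double quotes but not */, the breakout payload below uses a quote-free array rather than the slide's quoted one.

```javascript
// Added example (not from the original slides). Compares the two defenses
// from the deck: hiding JSON inside a /* */ comment versus prefixing it with
// for(;;); and stripping that prefix in the XHR client before parsing.

const PREFIX = "for(;;);";

// Server side of the correct approach: valid JavaScript, but a <script src>
// load spins forever before the data is ever reached.
function wrapForXhr(data) {
  return PREFIX + JSON.stringify(data);
}

// Client side: strip the prefix and parse. Fails closed if the prefix is
// absent, rather than eval()ing whatever came back (a choice made here, not
// in the slide's version).
function defangJSON(text) {
  if (!text.startsWith(PREFIX)) {
    throw new Error("unexpected response shape");
  }
  return JSON.parse(text.slice(PREFIX.length));
}

// Bad Approach #2: the data is "hidden" inside a block comment.
function commentWrap(data) {
  return "/*\n" + JSON.stringify(data) + "\n*/";
}

// Remove block comments and whitespace; whatever remains is live code.
// (Crude, non-nesting regex; good enough to show the breakout.)
function liveCode(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "").trim();
}

function isSyntacticallyValidJs(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

function demo() {
  const names = ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"];   // constructed data
  // Attacker registers a user whose name closes the comment, injects an
  // expression, and opens a new comment to swallow the rest of the response.
  const poisoned = ["Eve*/[0,0,0]/*Nidhi"];
  const poisonedLive = liveCode(commentWrap(poisoned));
  return {
    roundTrip: defangJSON(wrapForXhr(names)),          // the XHR client gets its data back
    safeStartsWithLoop: wrapForXhr(names).startsWith(PREFIX),
    benignCommentLive: liveCode(commentWrap(names)),   // "" : nothing executes
    poisonedCommentLive: poisonedLive,                 // "[0,0,0]" : attacker's literal executes
    poisonedIsValidJs: isSyntacticallyValidJs(poisonedLive),
  };
}
```

The comment approach fails because its safety depends on the data; the for(;;); approach does not, since execution never reaches the data regardless of what it contains, and only a client that can read the raw response (XHR from the same origin) can remove the prefix.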
![Page 42: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/42.jpg)
Securing Ajax Applications
• Perform authentication/authorization checks on both web pages and web services
• Group code libraries by function
• Validate all input to your application
  − HTTP headers, cookies, query string, POST data
• Verify data type, length and format
• Always use parameterized queries
• Always encode output appropriately
![Page 43: Advanced Ajax Security - active](https://reader036.fdocuments.us/reader036/viewer/2022062307/555b6743d8b42a66338b50bd/html5/thumbnails/43.jpg)
Salvation Is Here!
• Ajax Security, Addison-Wesley
  "Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't.”
  − Jesse James Garrett
• In stores now!