Security for javascript
-
Upload
huu-dai -
Category
Technology
-
view
52 -
download
1
description
Transcript of Security for javascript
![Page 1: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/1.jpg)
Ajax Security
Douglas Crockford
Yahoo!
javascript.crockford.com/security.ppt
![Page 2: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/2.jpg)
Security
The number 1 biggest problem with the whole World
Wide Web.
![Page 3: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/3.jpg)
The browser is not a safe programming environment.
It is inherently insecure.
![Page 4: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/4.jpg)
What can an attacker do if he gets some script into
your page?
![Page 5: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/5.jpg)
An attacker can request additional scripts from any
server in the world.Once it gets a foothold, it can
obtain all of the scripts it needs.
![Page 6: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/6.jpg)
An attacker can make requests of your server.
Your server cannot detect that the request did not
originate with your application.
![Page 7: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/7.jpg)
An attacker can read the document.
The attacker can see everything the user sees.
![Page 8: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/8.jpg)
An attacker has control over the display and can request information from the user.
The user cannot detect that the request did not originate
with your application.
![Page 9: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/9.jpg)
An attacker can send information to servers anywhere in the world.
![Page 10: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/10.jpg)
The browser does not prevent any of these.
That's why they happen.
![Page 11: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/11.jpg)
The consequences of a successful attack are
horrible.
Harm to customers. Loss of trust.
Legal liabilities.
Possible criminal penalties.
![Page 12: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/12.jpg)
This is not a Web 2.0 problem.
All of these problems came with Netscape 2 in 1995.
![Page 13: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/13.jpg)
The Turducken Problem
• Many Languages:
HTTP, HTML, URL, CSS, JavaScript, XML, JSON, plaintext, SQL...
• Each language has different quoting and commenting conventions.
• The languages can be nested inside each other.
![Page 14: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/14.jpg)
A text that is benign in one context might be dangerous
in another.
Sloppy encoding allows injection of evil scripts
![Page 15: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/15.jpg)
A Simple Attack
http://yourdomain.com/
<script>alert("XSS");</script>
<html><body>
<p>File not found: <script>alert("XSS");</script>
</p></body></html>
• The script runs with the authority of your site.
![Page 16: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/16.jpg)
A Simple Attack
http://yourdomain.com/
<script>alert("XSS");</script>
<html><body>
<p>File not found: <script>alert("XSS");</script>
</p></body></html>
• Proper escapement provides some safety.
![Page 17: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/17.jpg)
Another Example
• Bad text
" + alert("XSS") + "
• Bad encoding
{"json": "" + alert("XSS") + ""}
• Good encoding
{"json": "\" + alert(\"XSS\") + \""}
![Page 18: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/18.jpg)
Coding hygiene is critical for avoiding turducken
attacks.Use good encoders. json.org/json2.js
Do not use simple concatenation.
Never trust the browser.
Validate all input.
![Page 19: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/19.jpg)
Cross Site Data Access
It is extremely useful to
obtain data from other
sites and mash it up.
![Page 20: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/20.jpg)
Same Origin Policy
Prevents useful things.Allows dangerous things.
![Page 21: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/21.jpg)
Script Tag Hack
• Scripts (strangely) are exempt from Same Origin Policy.
• A dynamic script tag can make a GET request from a server.
receiver(jsontext);
• Extremely dangerous. It is impossible to assure that the server did not send an evil script.
![Page 22: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/22.jpg)
JavaScript's Global Object
The root cause of XSS attacks.
All scripts run with the same authority.
![Page 23: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/23.jpg)
JavaScript is an insecure language.
The ES4 Proposal is even worse.
It should be abandoned.
![Page 24: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/24.jpg)
Document Object Model
All nodes are linked to all other nodes and to the
network.
![Page 25: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/25.jpg)
Cookies
Ambient authority leads to confusion and impersonation
(XSRF)
![Page 26: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/26.jpg)
Remedy: Crumbs
An explicit secret should be sent with the ambient cookie.
Frustrates XSRF attacks.
Not effective against XSS attacks.
![Page 27: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/27.jpg)
Excellent Code Quality
If code is clean and readable, it is less likely to contain
insecurities.
![Page 28: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/28.jpg)
JSLint
• JSLint defines a professional subset of JavaScript.
• It imposes a programming discipline that makes me much more confident in a dynamic, loosely-typed environment.
http://www.JSLint.com/
![Page 29: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/29.jpg)
Warning!JSLint will hurt your
feelings.
![Page 30: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/30.jpg)
If the web as been totally screwed up from the
beginning, why should we worry about it now?
1. Escalating legal penalties
2. Mashups
3. Competition
![Page 31: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/31.jpg)
Mashups
The most interesting innovation in software
development in 20 years.
![Page 32: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/32.jpg)
Mashups are insecure.
Mashups must not have access to any confidential
information.
![Page 33: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/33.jpg)
If there is script from two or more sources, the application
is not secure.
Period.
![Page 34: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/34.jpg)
Advertising is a mashup.
![Page 35: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/35.jpg)
Competition to displace the web.
Silverlight.
AIR.
JavaFX.
![Page 36: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/36.jpg)
That wouldn't be the end of the world.
It would just be the end of the WWW.
![Page 37: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/37.jpg)
A Three Prong Strategy to Fix the Web
1. Safe JavaScript subsets.
2. Small browser improvements.
3. Massive browser improvements.
This could take a while, so we should proceed on all three immediately.
![Page 38: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/38.jpg)
1. Safe JavaScript Subsets.
The easiest way to improve JavaScript is to make it
smaller.
![Page 39: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/39.jpg)
ADsafe
• A JSLint option.
• It defines a safe HTML/JavaScript subset.
• Removes from JavaScript all features that are unsafe or suspect.
• Allows foreign ads and widgets to safely interact.
![Page 40: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/40.jpg)
ADsafe
• No global variables or functions may be defined.
• No global variables or functions can be accessed except the ADSAFE object.
• The [] subscript operator may not be used.
• These words cannot be used: apply call callee caller constructor eval new prototype this watch
• Words starting with _ cannot be used.
![Page 41: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/41.jpg)
Dangers
• There may still be undiscovered weaknesses in ECMAScript and its many implementations.
• Browser implementations are changing, introducing new weaknesses.
• The DOM wrappers must be flawless.
• We are still subject to XSS attacks.
![Page 42: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/42.jpg)
2. Add Simple Features to the Browsers.
Even simple improvements can take a long time to
distribute.
![Page 43: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/43.jpg)
JSONRequest for safe data interchange.
![Page 44: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/44.jpg)
Vats
Communicating computational containment vessels
![Page 45: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/45.jpg)
HTML Provides No Modules
• It was conceived to be a document format.
• We are using it as an application format.
• Applications requires modules.
• Modules protect their contents.
• Modules communicate by exposing clean interfaces.
![Page 46: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/46.jpg)
Vats
• Adapting Google's Gears or Adobe's AIR to provide communicating containment.
• Provides cooperation under mutual suspicion.
• Heavyweight.
• Distribution is difficult.
• Still subject to XSS attacks.
![Page 47: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/47.jpg)
3. We need to replace JavaScript and the DOM.
As long as we are using insecure languages, we will be subject to XSS attacks.
![Page 48: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/48.jpg)
Start with the ADsafe subset, and then carefully add features to enhance
expressiveness.
![Page 49: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/49.jpg)
A is an Object.
Object A has state and behavior.
A
![Page 50: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/50.jpg)
Object A has a reference to
Object B.
A
B
An object can have references to other
objects.
has-a
![Page 51: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/51.jpg)
...because it has a
reference to Object B.
Object A can communicate with Object
B...A
B
![Page 52: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/52.jpg)
Object B provides an
interface that constrains
access to its own state and
references.
A
B
Every object is a micro vat.
![Page 53: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/53.jpg)
Object A does not have a reference to Object C, so Object A cannot communicate with Object
C.
A
BIn an Object
Capability System, an object can only
communicate with objects that it has
references to.
C
![Page 54: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/54.jpg)
An Object Capability System is produced by constraining the ways that references are
obtained.
A reference cannot be obtained simply by knowing
the name of a global variable or a public class.
![Page 55: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/55.jpg)
There are exactly three ways to obtain a reference.
1. By Creation.
2. By Construction.
3. By Introduction.
![Page 56: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/56.jpg)
1. By Creation
If a function creates an object, it gets a reference to
that object.
![Page 57: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/57.jpg)
2. By Construction
An object may be endowed by its constructor with references.
This can include references in the constructor's context and inherited
references.
![Page 58: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/58.jpg)
3. By Introduction
A
BC
A has a references to B and C.B has no references, so it cannot communicate with A or C.C has no references, so it cannot communicate with A or B.
![Page 59: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/59.jpg)
3. By Introduction
A
BC
A calls B, passing a reference to C.
![Page 60: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/60.jpg)
3. By Introduction
A
BC
B is now able to communicate with C.
It has the capability.
![Page 61: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/61.jpg)
Weaknesses to avoid include
1. Arrogation.
2. Corruption.
3. Confusion.
4. Collusion.
![Page 62: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/62.jpg)
There is no security in obscurity
Tricks and puzzles are not effective.
Speed bumps are not effective.
![Page 63: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/63.jpg)
False security increases the danger.
Ineffective measures make things worse.
![Page 64: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/64.jpg)
The security problems are not new.
The problems are getting harder to ignore.
![Page 65: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/65.jpg)
Ultimately
• We need to replace JavaScript with a secure language.
• The current ES4 proposal is not that language.
• We need to replace HTML and the DOM with a secure application delivery system.
• The current HTML5 proposal is not that either.
![Page 66: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/66.jpg)
Ultimately
• Secure programming language to replace JavaScript.
• A modular application framework to replace the DOM and CSS.
• A common text representation and protocol to replace HTTP and the Ajax stack.
• Otherwise, the web may fall to newer proprietary systems.
![Page 67: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/67.jpg)
Meanwhile
• Never trust the browser.
• Formally validate everything you receive from the browser.
• Properly encode everything you send to the browser or database.
• Do not circumvent what little security the browser offers.
• Never put data on the wire unless you want it to be delivered.
• Don't take ineffective measures.
![Page 68: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/68.jpg)
Be Rigorous
• Sloppiness aids the Enemy.
• Neatness counts.
• Use good encoders.
• Avoid concatenation.
• Be paranoid.
![Page 69: Security for javascript](https://reader035.fdocuments.us/reader035/viewer/2022070303/54b7a4e04a79592d048b467c/html5/thumbnails/69.jpg)
Turducken