advanced ajax security - active
TRANSCRIPT
© 2007 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice
Advanced Ajax Security
Billy Hoffman ([email protected])
Manager, HP Security Labs
Who am I?
• Manager HP Security Labs
• In security space for 6 years
• CS Degree from Georgia Tech
• Areas of focus
−Crawling and sampling
−JavaScript static analysis
−XSS
• Frequent presenter at hacker/security conferences
Presentation Overview
• Manipulating client-side logic
• Defeating logic protection techniques
• Function Hijacking
• JSON Hijacking
• Hacking Google Gears
“Boring” Ajax Security
• Increased attack surface
• Direct API access
• Easier to reverse engineer
• Amplifying web attacks
• Offline attacks
• “Surely no one actually does this right?”
Sexy Ajax Security
• Sample Ajax travel website
• Built using “expert” advice
−Popular books
−Articles/How-tos
−Forums
• Riddled with security defects
API Domino Effect
holdSeat(flightID)
makeOffer(price, flightID)
debitAccount(price)
bookSeat(flightID)
Overly Granular Application API
(diagram: Insecure vs. More secure API design)
Polling Status Call
Real-world Example
Web 1.0 to Web 2.0 Conversion
Premature Ajax-ulation!
Exposed Administrative API
(diagram: Intended use vs. Malicious use of the same API)
Defeating Logic Protection
• Obfuscation
• Lazy Loading
All Your Obfuscation Are Belong To Us!
• How to debug code if you don’t have it all?
• Firebug cannot debug dynamic code
−JSON responses
−Remote scripting
−Lazy loading
• “View Source” vs “View Generated Source”
• Need a way to monitor the JavaScript environment
On-Demand JavaScript
Understanding JavaScript Variable Scope
• Everything is an object
−Primitives (Strings, numbers, regexp)
−Functions
• All global variables and functions are properties of the global object
• Provided by the environment
• Web browser = window
• Can we enumerate?
Example Code
function BogusFunction1() {
  //empty function
}
function BogusFunction2() {
  //empty function
}
var ret = "";
// walk the global object and collect the name of every function property
for(var i in window) {
  if(typeof(window[i]) == "function") {
    ret += i + "\n";
  }
}
alert(ret);
Enumerating All Functions
HOOK: JavaScript Monitoring Framework
• Enumerates the environment and traps on-demand code.
• Side-steps obfuscation
• Reads from the environment itself
• Demo
Take Aways: Client-side Code
• Client-side code is just a suggestion!
• Client-side code cannot be protected, encrypted, or obfuscated
• Store all secrets on the server
• Enforce control flow on the server
• Always match allocations with frees in the same method
• Use server-side locking to prevent race condition vulnerabilities
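The "enforce control flow on the server" and "server-side locking" take-aways applied to the API domino effect (holdSeat, makeOffer, debitAccount, bookSeat), as an added example that is not code from the slides: the server tracks which step each booking has reached and refuses calls that skip, replay or race it. All names, the minimum price and the in-memory state are hypothetical.

```javascript
// Added example, not code from the slides: a minimal server-side guard for the
// API domino effect. It enforces holdSeat -> makeOffer -> debitAccount ->
// bookSeat and holds a per-flight lock, so a client that calls the granular
// API out of order, replays a step, or races another booking is refused.
// All names and values are hypothetical; state is in memory for the demo.
const STEPS = ["holdSeat", "makeOffer", "debitAccount", "bookSeat"];
const MIN_PRICE = 200;            // constructed server-side floor for offers
const bookings = new Map();       // bookingId -> { flightID, step, price }
const heldFlights = new Map();    // flightID -> bookingId holding the seat

function startBooking(bookingId, flightID) {
  if (bookings.has(bookingId)) return { ok: false, error: "duplicate booking" };
  bookings.set(bookingId, { flightID, step: -1, price: null, debited: null });
  return { ok: true };
}

// Single entry point: the server decides whether `action` is the next legal
// step for this booking; the client's call order is only a request.
function apiCall(bookingId, action, params = {}) {
  const b = bookings.get(bookingId);
  if (!b) return { ok: false, error: "unknown booking" };
  const expected = STEPS[b.step + 1];
  if (expected === undefined) return { ok: false, error: "booking complete" };
  if (action !== expected) return { ok: false, error: "expected " + expected };
  switch (action) {
    case "holdSeat": {
      const holder = heldFlights.get(b.flightID);
      if (holder !== undefined && holder !== bookingId) {
        return { ok: false, error: "seat held by another booking" };
      }
      heldFlights.set(b.flightID, bookingId);   // locked until bookSeat
      break;
    }
    case "makeOffer":
      // the offer is validated here and kept server-side for the debit step
      if (!(params.price >= MIN_PRICE)) return { ok: false, error: "offer too low" };
      b.price = params.price;
      break;
    case "debitAccount":
      b.debited = b.price;        // debit the accepted offer, not a client value
      break;
    case "bookSeat":
      heldFlights.delete(b.flightID);           // release the lock
      break;
  }
  b.step += 1;
  return { ok: true, step: action, price: b.price };
}
```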
JavaScript Function Clobbering
• Highly dynamic language
• Typeless, dynamic execution paths
• Can redefine itself at runtime
JavaScript Namespaces
• Namespaces prevent collisions
• Solution: Make functions properties of objects
// a dotted name cannot be declared with var; build the object chain first
var com = com || {};
com.SomeSite = com.SomeSite || {};
com.SomeSite.common = {};
com.SomeSite.common.debug = function () { … };
com.SomeSite.common.debug();
com.SexyWidgets = {};
com.SexyWidgets.debug = function() { … };
com.SexyWidgets.debug();
Intentional Function Clobbering
• Attacker deliberately clobbers functions
• What kind of functions can you clobber?
−User defined functions?
−System functions?
• Demo
Clobbering System Functions: alert()
Prototype’s Ajax.Request()
Limitless Clobbering Possibilities
• Can clobber anything
• Automatic Man In The Middle
• Other things
−Dojo.Storage
−Callback functions
−Encryption functions?
The Myth of the Same Origin Policy
• Myth: Same Origin restrictions prevent JavaScript from seeing 3rd party content
• Fact: Kind of prevents
−Remote Scripting
−Image and Iframe events (JavaScript port scanning)
−3rd party plug-in communications
JSON Hijacking
• JSON is a valid subset of JavaScript
• eval() can be used to “see” the response
• Could use remote scripting to read JSON web services?
JSON Hijacking
<script type="text/javascript">
[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true],
["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false],
["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"], 74905862, true],
["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"], 90398623, true]];
</script>
JSON Hijacking
• How does the JS interpreter handle literals?
[9,4,3,1,33,7,2].sort();
• Creates a temporary Array object
−Invokes the Array() constructor function
• Executes the sort() function
• Never assigned to a variable
• Garbage collected away
JSON Hijacking
• Clobber the Array() function with a malicious version
• Use <SCRIPT SRC> to point to the JSON web service
• Malicious Array() function harvests the data that comes back!
function Array() {
  var foo = this;
  var bar = function() {
    var ret = "Captured array items are: [";
    for(var x in foo) {
      ret += foo[x] + ", ";
    }
    ret += "]";
    //notify an attacker here
  };
  setTimeout(bar, 100);
}
JSON Hijacking Example
JSON Hijacking Defense
• XMLHttpRequest can see the response and perform operations on it before eval()ing
• <SCRIPT SRC> cannot!
• Make the JSON response non-valid JavaScript
• XHR removes it!
• <SCRIPT SRC> fails!
Bad Approach #1
<script type="text/javascript">
I'/\/\ a bl0ck of inva1id $ynT4x! WHOO!
[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"],
95120657, true],
["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"],
19200435, false],
["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"],
74905862, true],
["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"],
90398623, true]];
</script>
Bad Approach #2
<script type="text/javascript">
/*
["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
*/
</script>

<script type="text/javascript">
/*
["Eve*/["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"]/*Nidhi"]
*/
</script>
Correct Approach
<script type="text/javascript">
for(;;);
["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
</script>
Correct Approach
function defangJSON(json) {
  // strip the for(;;); prefix that makes the response unusable via <SCRIPT SRC>
  if(json.substring(0,8) == "for(;;);") {
    json = json.substring(8);
  }
  return json;
}
var safeJSONString = defangJSON(xhr.responseText);
// the slide called safeJSONString.parseJSON() from Crockford's json.js;
// JSON.parse() is the built-in equivalent
var jsonObject = JSON.parse(safeJSONString);
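The for(;;); defense from both ends, as an added example that is not code from the slides: wrapJSON() is what the web service would emit and readJSON() is the XHR consumer that strips the prefix before parsing, with the comment-wrapping idea from "Bad Approach #2" checked alongside to show why a value containing */ defeats it. Function names and the trip data are constructed.

```javascript
// Added example, not from the slides: the for(;;); prefix end to end.
// A <script src> consumer runs the prefix and loops forever; an XHR consumer
// strips it and parses the rest. Names are hypothetical, data is constructed.
const PREFIX = "for(;;);";

// Server side: serialize the data and prepend the prefix.
function wrapJSON(data) {
  return PREFIX + JSON.stringify(data);
}

// Client side: accept only responses carrying the prefix, then JSON.parse()
// (the slides used json.js's parseJSON(); eval() would defeat the purpose).
function readJSON(responseText) {
  if (responseText.substring(0, PREFIX.length) !== PREFIX) {
    throw new Error("response missing anti-hijacking prefix");
  }
  return JSON.parse(responseText.substring(PREFIX.length));
}

// Bad Approach #2 for comparison: wrapping the response in /* */ is only
// safe while no serialized value can contain "*/"; user-controlled strings
// in the data make that impossible to guarantee.
function commentWrapIsSafe(data) {
  return !JSON.stringify(data).includes("*/");
}

// constructed sample: the second trip name is user-supplied and contains "*/"
const trips = [
  ["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true],
  ["Eve*/ trip", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false],
];
```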
Securing Ajax Applications
• Perform authentication/authorization checks on both web pages and web services
• Group code libraries by function
• Validate all input for your application
−HTTP headers, cookies, query string, POST data
• Verify data type, length and format
• Always use parameterized queries
• Always encode output appropriately
Salvation Is Here!
• Ajax Security
Addison-Wesley
"Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't.”
-Jesse James Garrett
• In stores now!