(In)Security Implications in JavaScript Universe

Cyber Camp 2014

Stefano Di Paola, CTO Minded Security

$ whoamiStefano Di Paola @WisecWisec

Research (Spare Time) Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) Software Security Since '99 Dealing with JavaScript since 2006

WorkCTO @ Minded Security Application Security ConsultingDirector of Minded Security Research Labs

What’s this talk about

Birth and Raise of an important language.

The security implication around it

Try to use the JavaScript phenomenon to understand some things about Security and Real World

I won’t say JavaScript is unsecure. It’d be a complete nonsense.

Brief History Of JS – 1990 - 2000

1996 Javascript is in the browser 1990 Only HTML 1999 Ajax

Brief History 2000-2009

Something’s Happening

Can you see it?

Brief History 2009-2014 Browser Vendors are pushing new features:

improving speed graphics capabilities sound

Sounds Like a plan! …and guess what’s the glue?

JavaScript of course!

Brief History The big picture

PAST1996-2012

1996 - Why JS became so important?

Improve user experience during browsing.

On the other side gives a way to:

read

create

modify

delete page content.

Browser with new Powers

I mean.

Without JavaScript a Browser was just a HTML Parser (Not only I know..).

With JavaScript a Browser has a whole new playground.

Can those features be abused?

Browser with new Powers - Risks

Browser now has to protect some way: User Remote Data: WebSite A (evil) to read/modify/etc

content using WebSite B (victim) abusing the victim’s browser.

User Local Data: A malicious site could try to access disk files.

User Data is gone

Browser with new Powers - SOP

Concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995

Same Origin Policy:

Implementation of access control rules in hostile environment is also known as Sandbox

http://evil.com :80

Subverting the SandBox – The old style

“<html>..+taintedInput+”..</html>”<html>..

<script>evilJs</script>..</html>

taintedInput=<script>evilJs</script>

Subverting the SandBox – The old-new style

Abuse the functionalities of a plugin that

behaves differently from the browser

gives too much power without controls.

in order to access data.

whatever the browser rules are.

Universal Cross Site Scripting

Subverting the SandBox – Acrobat Reader Plugin

Example: Acrobat Reader Plugin UXSS 2006

Suppose a pdf is reachable from:

http://www.google.com/doc.pdf

Attacker adds

http://www.google.com/doc.pdf?fdf=javascript:evilJS...

And forces a browser’s victim to visit the url.

The plugin executes the JavaScript as it originated from google.com

What happens when a user just have some pdf on it’s PC ?

an attacker could access to the whole filesystem!

Subverting the SandBox – The old-new-new style

Browser Extensions :

JavaScript running in extensions has much more power than on HTML pages.

can be developed by anyone

Could be malicious

..or simply badly written (vulnerable to external attacks)

Very similar to plugin model but easier to develop.

Any user can install them

Useful for lot of stuff (Gmail Inbox Checking, Ad Block etc.)

On the Server Side..

Meantime..

Yay! Look Ma’ I’m on the Server Side!

An early implementation of JavaScript on the server side but the results where not so nice:

Became a Remote Code Execution!

Was a bank Web Application (implemented in 2003 tested by me in 2008).

var year=eval("date['"+request["params"]["year"]+"'];");

http://host/?year='+response.write(system("cat /etc/passwd"))+‘

On users PC

Meantime..

Mo’ Money Mo’ Trouble

It’s around 2005. A new interesting thing happens. JavaScript + Ajax increase the number of commercial web applications The cost of computers lowers The platforms are converging to a common one. The browser. Big user base > Big money > Crime > Profit

What would a naive user do?

Man In The Browser - Banking Malware

In 2005 it was theorized for the first time the use of virus to hook browsers interaction with banking websites. Takes advantage of the common interface the browser gives Changes the page on the fly. It’s a win-win. Browsers Rules are completely subverted! Perfect Sandbox Bypass

Man In The Browser

Configuration Example:

On the Mobile..

Meantime..

Yay! Look Ma’ I’m in a telephone!

Every Mobile OS gives developers to use a so called webview.

It’s 2011: iOS Skype HTML Injection on the username visualization. Lead to access to whatever the app can access.

https://www.superevr.com/blog/2011/xss-in-skype-for-ios/

Just Before the Present – The JavaScript Situation

It's 2011 WebSites are full of JavaScript coming from:

Advertising, Web analytics, User Interaction, Helper libraries.

Just Before the Present - DOMinator

I wrote tool called DOMinator:

Modification of Firefox

Helps to track JavaScript flow during its execution

Alerts if there's some potentially exploitable flaw in the code.

Took first top 100 most visited sites, analyzed with it:

57 had at least some weakness in their JavaScript code.

Present2012-2014

Present + Past

Past stuff is actually (Mostly) still here :)

Some effort from browser vendors to improve SOP:

Content Security Policy

Implemented by all browsers

Not widely used by web applications.

Unfortunately everything is happening on top of an old model.

There’s more! New JavaScript frameworks and models are gaining interest.

HTML Templating – Complex JS Models

Welcome to a new way to dynamically generate HTML page on the fly on the browser side!

Welcome HTML Templates

Welcome Client Side Full Dynamic Content

Welcome AngularJS and siblings!

AngularJS – a New Sandbox to Escape From

{{ qty * cost }}

not directly executed by the browser’s JS Parser.

A Expression parser is implemented on top of JS.

It’s actually a Sandbox around JS implemented in JS.

AngularJS – a New Sandbox to Escape From

Try to run {{alert(1)}}

Sandbox removes access to “dangerous objects” and their attributes.

Still often the Sandbox security is a long process to be refined in time.

Here’s a (mindblowing) Sandbox bypass (fixed):

''.sub.call.call( ({})["constructor"].getOwnPropertyDescriptor(

''.sub.__proto__, "constructor").value, null, "alert(1)" )()

https://code.google.com/p/mustache-security/wiki/AngularJS

AngularJS – a New Problem to Face

User content is completely generated on the client.

How can we create a pdf on the server side using the user page?

1.Extract the generated HTML

2.Send it to the server

3.Use a browser on the server to recreat the graphics

4.Convert it to PDF.

AngularJS – a New Problem to Face

User content is completely generated on the client.

How can we create a pdf on the server side using the user page?

1.Extract the generated HTML

2.Send it to the server

3.Use a browser on the server to recreated the graphics

PDF Generation from Complex Content

WebKit – Webkit2PDF

Other Browser Based Solution.

What could go wrong with the following content?

Parsed by a browser on the server side?

Write access to the whole internal network as if you had access with your browser to Web Server Network!

Arbitrary Server Side Requests

<iframe src=“http://internalRouter/”></iframe>

JavaScript

in

the

full

Web

Stack!

JavaScript on the Server Side.. Again!

JavaScript is used by hundreds of thousands of developers.

It's too popular.

There's a new breakthrough.

NodeJS - JS on the server side. - Welcome Back 2003.

MongoDB JavaScript on the DBMS Layer

JavaScript on the Server Side.. Again!

JavaScript on the Server Side.. Again!

Request the following to a node application:

Node gets the query string and transform it in JavaScript Object Notation (JSON).

Completely Different from all other Web Servers!

Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff

Node: { parameter: [ 'sss', 'fff' ] }

Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff

Node: { parameter: { XX: 'sss', YYY: 'fff' } }

JavaScript on a DB! SQL Injection?KindOf

Is still possible some other fancy server side attack?

Let’s See.

1. Create a simple nodeJS + MongoDB Application

2.Test the environment

Client Request: user=aUserName&pass=aPassword

Node sees as: { user: 'aUserName', pass: 'aPassword' }

//MongoDB Access from NodeJS

User.findOne({user: req.body.user, pass: req.body.pass},...

JavaScript on a DB! SQL Injection?KindOf

3. Now look at MongoDB Manual and find the interesting parts. http://docs.mongodb.org/manual/reference/sql-comparison/

4. Identify one of many attacks that can be performed:

Client Request: user[$ne]=aUserName&pass[$ne]=aPassword

Node sees as: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }

MongoDB Sees as: SELECT * from users where user != ‘aUsername’ and pass != ‘aPassword’;

Future2015-?

What’s going on?

Web as Gaming Platform No Plugins (QuakeJs)

Possibile to “compile” games written in C/C++ in asm.js. (Speed 1.5 respect to native ones!)

What’s going on? Mobile?

FirefoxOS (Mobile Applications in HTML5 + JS)

What’s going on? Anything Left?

JS Internet Of Things (JS Interpreter in a chip).

Projects about creating an operative system on top of nodeJS.

Conclusions

We live in a world that changes faster than before.

New interesting technologies could get a huge user base in few months

When happens everything moves even faster

Without giving the right time to understand the implications or the subtleties underneath them.

JavaScript seems easy but as usually happens quality code means more than basic JS skills.

Thing are getting even harder.

Yet we need talented people to break and build code and innovate as much as possible!

Can you See it Now?

Future??

I cant even imagine how much intricate Will be next years!

And This is only one Language!

Thank you!/*Go and Exploit

Ethically */Q&A

Twitter: @wisecwisechttps://www.mindedsecurity.com

Mail: stefano.dipaola@mindedsecurity.com