Transcript Advanced Ajax Security

Advanced Ajax
Security
Billy Hoffman
([email protected])
Manager, HP Security Labs
© 2007 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
Who am I?
•
Manager HP Security Labs
•
In security space for 6 years
•
CS Degree from Georgia Tech
•
Areas of focus
− Crawling and sampling
− JavaScript static analysis
− XSS
•
Frequent presenter at
hacker/security conferences
2
Presentation Overview
•
Manipulating Client-side logic
•
Defeating logic protection techniques
•
Function Hijacking
•
JSON Hijacking
•
Hacking Google Gears
3
17 July 2015
“Boring” Ajax Security
•
Increased attack surface
•
Direct API access
•
Easier to reverse engineer
•
Amplifying web attacks
•
Offline attacks
•
“Surely no one actually does
this right?”
4
17 July 2015
Sexy Ajax Security
•
Sample Ajax
travel website
•
Built using
“expert” advice
− Popular books
− Articles/How-tos
− Forums
•
5
Riddled with
security defects
17 July 2015
API Domino Effect
holdSeat(flightID)
makeOffer(price, flightID)
bookSeat(flightID)
debitAccount(price)
6
17 July 2015
Overly Granular Application API
Insecure
More secure
7
17 July 2015
Polling Status Call
8
17 July 2015
Real-world Example
9
17 July 2015
Web 1.0 to Web 2.0 Conversion
10
17 July 2015
Premature Ajax-ulation!
11
17 July 2015
Exposed Administrative API
Intended use
Malicious use
12
17 July 2015
Defeating Logic Protection
•
Obfuscation
•
Lazy Loading
13
17 July 2015
All Your Obfuscation Are Belong To Us!
On-Demand JavaScript
•
How to debug code if you don’t have it all?
•
Firebug cannot debug dynamic code
−JSON responses
−Remote scripting
−Lazy loading
•
“View Source” vs “View Generated Source”
•
Need a way to monitor JavaScript environment
Understanding JavaScript Variable
Scope
•
Everything is a object
−Primitives (Strings, numbers, regexp)
−Functions
•
All global variables and functions are properties
of global object
•
Provided by environment
• Web browser = window
•
Can we enumerate?
Example Code
function BogusFunction1() {
//empty function
}
function BogusFunction2() {
//empty function
}
var ret = "";
for(var i in window) {
if(typeof(window[i]) == "function") {
ret += i + "\n";
}
}
alert(ret);
Enumerating All Functions
HOOK: JavaScript Monitoring
Framework
•
Enumerates the environment and traps ondemand code.
•
Side-steps obfuscation
•
Reads from the environment itself
•
Demo
Take Aways: Client-side Code
20
•
Client-side code is just a suggestion!
•
Client-side code cannot be protected, encrypted,
or obfuscated
•
Store all secrets on the server
•
Enforce control flow on the server
•
Always match allocations with frees in the same
method
•
Use Server-side locking to prevent race
condition vulnerabilities
17 July 2015
JavaScript Function Clobbering
•
Highly dynamics language
•
Typeless, dynamic execution paths
•
Can redefine itself at runtime
21
17 July 2015
JavaScript Namespaces
•
Namespaces prevent collisions
•
Solution: Make functions properties of objects
var com.SomeSite.common = {};
com.SomeSite.common.debug
= function () { … };
com.SomeSite.common.debug();
var com.SexyWidgets = {};
com.SexyWidgets.debug = function() {…};
com.SexyWidgets.debug();
JavaScript Namespaces
Intentional Function Clobbering
•
Attacker deliberately clobbers functions
•
What kind of functions can you clobber?
− User defined functions?
− System functions?
•
Demo
Clobbering System Functions:
alert()
Prototype’s Ajax.Request()
Limitless Clobbering Possibilities
•
Can clobber anything
•
Automatic Man In The Middle
•
Other things
−Dojo.Storage
−Callback functions
−Encryption functions?
The Myth of the Same Origin Policy
•
Myth: Same Origin Restricts prevent JavaScript
from seeing 3rd party content
•
Fact: Kind of prevents
− Remote Scripting
− Image and Iframe events (JavaScript port scanning)
− 3rd party plug-in communications
JSON Hijacking
•
JSON is a valid subset of JavaScript
• eval() can be used to “see” the response
•
29
Could use remoting scripting to read JSON web
services?
17 July 2015
JSON Hijacking
•
•
•
•
•
•
•
•
•
•
<script type="text/javascript">
[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL",
"JFK", "ATL"],
95120657, true],
["Honeymoon", "2007-04-30", "2007-05-13", ["ATL",
"VAN", "SEA", "ATL"],
19200435, false],
["MS Trip", "2007-07-01", "2007-07-04", ["ATL",
"SEA", "ATL"],
74905862, true],
["Black Hat USA", "2007-07-29" "2007-08-03",
["ATL", "LAS", "ATL"],
90398623, true]];
</script>
JSON Hijacking
•
How does JS interpreter handle literals?
[9,4,3,1,33,7,2].sort();
•
Creates temporary Array object
• Executed sort() function
•
Never assigned to variable
•
Garbage collected away
JSON Hijacking
•
How does JS interpreter handle literals?
[9,4,3,1,33,7,2].sort();
•
Creates temporary Array object
− Invokes Array() constructor function
•
Executed sort() function
•
Never assigned to variable
•
Garbage collected away
JSON Hijacking
Clobber the Array() function with malicious version
• Use <SCRIPT SRC> to point to JSON web service
• Malicious Array() function harvests the data that comes back!
function Array() {
var foo = this;
var bar = function() {
var ret = "Captured array items are: [";
for(var x in foo) {
ret += foo[x] + ", ";
}
ret += "]";
//notify an attacker here
};
setTimeout(bar, 100);
}
•
JSON Hijacking Example
JSON Hijacking Example
JSON Hijacking Defense
•
XMLHttpRequest can see the response and
perform operations on it before eval()ing
•
<SCRIPT SRC> cannot!
•
Make the JSON response non-valid JavaScript
•
XHR removes it!
•
<SCRIPT SRC> fails!
Bad Approach #1
<script type="text/javascript">
I'/\/\ a bl0ck of inva1id $ynT4x! WHOO!
[["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL",
"JFK", "ATL"],
95120657, true],
["Honeymoon", "2007-04-30", "2007-05-13", ["ATL",
"VAN", "SEA", "ATL"],
19200435, false],
["MS Trip", "2007-07-01", "2007-07-04", ["ATL",
"SEA", "ATL"],
74905862, true],
["Black Hat USA", "2007-07-29" "2007-08-03", ["ATL",
"LAS", "ATL"],
90398623, true]];
</script>
Bad Approch #2
<script type="text/javascript">
/*
["Eve", "Jill", "Mary", "Jen", "Ashley",
"Nidhi"]
*/
</script>
Bad Approach #2
<script type="text/javascript">
/*
["Eve*/["bogus", "Jill", "Mary", "Jen",
"Ashley", "bogus"]/*Nidhi"]
*/
</script>
<script type="text/javascript">
/*
["Eve*/["bogus", "Jill", "Mary", "Jen",
"Ashley", "bogus"]/*Nidhi"]
*/
</script>
Correct Approach
<script type="text/javascript">
for(;;);
["Eve", "Jill", "Mary", "Jen", "Ashley",
"Nidhi"]
</script>
Correct Approach
function defangJSON(json) {
if(json.substring(0,8) == "for(;;);") {
json = json.substring(8);
}
Return json;
}
var safeJSONString =
defangJSON(xhr.responseText);
var jsonObject = safeJSONString.parseJSON();
Securing Ajax Applications
•
Perform authentication/authorization checks on
both web pages and web services
•
Group code libraries by function
•
Validate all input for your application
− HTTP headers, cookies, query string, POST data
42
•
Verify data type, length and format
•
Always use parameterized queries
•
Always encoded output appropriately
17 July 2015
Salvation Is Here!
•
Ajax Security
Addison-Wesley
"Ajax Security is a remarkably rigorous
and thorough examination of an
underexplored subject. Every Ajax
engineer needs to have the
knowledge contained in this book or be able to explain why they don't.”
-Jesse James Garret
•
43
In stores now!
17 July 2015
Advanced Ajax
Security
Billy Hoffman
([email protected])
Manager, HP Security Labs
© 2007 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice