The Dark Side of Ajax Brian Chess, Ph.D. Chief Scientist Fortify Software [email protected] 6th OWASP AppSec Conference Milan - May 2007 Copyright © 2007 - The OWASP Foundation Permission is.
Download ReportTranscript The Dark Side of Ajax Brian Chess, Ph.D. Chief Scientist Fortify Software [email protected] 6th OWASP AppSec Conference Milan - May 2007 Copyright © 2007 - The OWASP Foundation Permission is.
The Dark Side of Ajax Brian Chess, Ph.D. Chief Scientist Fortify Software [email protected] 6th OWASP AppSec Conference Milan - May 2007 Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation http://www.owasp.org/ Mashup Pink Floyd Dark Side of the Moon AJAX all purpose cleaner 6th OWASP AppSec Conference – Milan – May 2007 Ajax Fancier and easier-to-use web applications using open standards Asynchronous JavaScript And XML Web 1.0 Server (smart) Ajax is a matter of degree, not kind Security implications? Server (smart) Web page (dumb) Ajax Web page (smart) 6th OWASP AppSec Conference – Milan – May 2007 Success is foreseeing failure. – Henry Petroski 6th OWASP AppSec Conference – Milan – May 2007 What’s wrong with Ajax? Something smells funny ... Today’s programming craze is tomorrow’s security disaster Could more JavaScript possibly be better? A sampling of the almost 400 CVE entries that mention JavaScript: CVE-2007-1794 The Javascript engine in Mozilla 1.7 and earlier on Sun Solaris 8, 9, and 10 might allow remote attackers to execute arbitrary code via vectors involving garbage collection that causes deletion of a temporary object that is still being used. CVE-2006-4571 Multiple unspecified vulnerabilities in Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5 allow remote attackers to cause a denial of service (crash), corrupt memory, and possibly execute arbitrary code via unspecified vectors, some of which involve JavaScript, and possibly large images or plugin data. CVE-1999-0793 Internet Explorer allows remote attackers to read files by redirecting data to a Javascript applet. CVE-1999-0790 A remote attacker can read from a Netscape user's cache via JavaScript. CVE-1999-0347 Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character 6th OWASP AppSec Conference – Milan – May 2007 Developers say the darndest things <c:if test="${param.sayHello}"> <!-- Let's welcome the user ${param.name} --> Hello ${param.name}! </c:if> “We never intended the code that's in there to actually be production-ready code.” Ryan Asleson 6th OWASP AppSec Conference – Milan – May 2007 Overview Ajax from the programmer’s perspective Ajax for malware Old risks reconsidered New risks on the horizon The future of Ajax 6th OWASP AppSec Conference – Milan – May 2007 Ajax From the Programmer’s Perspective Increased complexity makes frameworks attractive Popular toolkits for Ajax development include Google Web Toolkit (GWT) Direct Web Remoting (DWR) Microsoft ASP.net AJAX (formerly known as Microsoft Atlas) Client-side libraries such as Prototype and Dojo Also popular: ad-hoc (roll your own) Ajax 6th OWASP AppSec Conference – Milan – May 2007 Analysis of AJAX Frameworks high Ad-hoc Very flexible, but hardest to get right Client-side toolkits help GWT Very strict, but easy to get right Flexibility Ad-hoc Atlas DWR Atlas GWT Very flexible and easy to get right low Ease of getting to work right Uses regular ASP.NET features: controls, authentication, authorization Uses regular .NET web service calls DWR Quite flexible, but not easy to get right By default, all methods are exposed 6th OWASP AppSec Conference – Milan – May 2007 high The Case of the Vanishing “X” XML is disappearing from Ajax Replaced by transporting data using JavaScript syntax JavaScript Object Notation (JSON) <book> <title>JavaScript, the Definitive Guide</title> <publisher>O'Reilly</publisher> <author>David Flanagan</author> <cover src="/images/cover_defguide.jpg" /> <blurb>elit.</blurb> XML </book> JSON { "book": { "title":"JavaScript, the Definitive Guide", "publisher":"O'Reilly", "author":"David Flanagan", "cover":"/images/cover_defguide.jpg", "blurb":”elit." } } 6th OWASP AppSec Conference – Milan – May 2007 Example: DWR HTTP request GET /servlets/examples/dwr/exec/ApartmentDAO.findApartments.dwr?c allCount=1&c0-scriptName=ApartmentDAO&c0methodName=findApartments&c0-id=3412_1178137104170&c0param0=string%3A2&c0-param1=string%3A2&c0param2=string%3A1500&xml=true& HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0. 9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://localhost:8080/servlets-examples/dwrexample/dwr.html 6th OWASP AppSec Conference – Milan – May 2007 Example: DWR HTTP response HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/plain;charset=ISO-8859-1 Date: Wed, 02 May 2007 20:18:24 GMT Content-Length: 1906 var s0=[];var s1={};var s2="93 Lombard St.";s1.address=s2; var s3=2;s1.bathrooms=s3;var s4=2;s1.bedrooms=s4;var s5="Toronto";s1.city=s5;var s6=16010;s1.id=s6;var s7=1050;s1.price=s7;var s8="ON";s1.province=s8; s0[0]=s1;var s9={};var s10="27 Winchester St.";s9.address=s10; var s11=2;s9.bathrooms=s11;var s12=2;s9.bedrooms=s12;var s13="Toronto";s9.city=s13;var s14=16003;s9.id=s14;var s15=1050;s9.price=s15;var s16="ON";s9.province=s16; s0[1]=s9;var s17={};var s18="352 Dufferin St";s17.address=s18; ... DWREngine._handleResponse('3412_1178137104170', s0); 6th OWASP AppSec Conference – Milan – May 2007 Example: DWR client code <script src='dwr/interface/ApartmentDAO.js'></script> <script src='dwr/engine.js'></script> <script src='dwr/util.js'></script> ... function updateResults() { DWRUtil.removeAllRows("apartmentsbody"); var bedrooms = document.getElementById("bedrooms").value; var baths = document.getElementById("bathrooms").value; var price = document.getElementById("price").value; ApartmentDAO.findApartments(fill, bedrooms, baths, price); $("resultTable").style.display = ''; } 6th OWASP AppSec Conference – Milan – May 2007 Example: DWR server configuration <dwr> <allow> <convert converter="bean” match="dwr.sample.Apartment"/> <create creator="new" javascript="ApartmentDAO" class="dwr.sample.ApartmentDAO"> <include method="findApartments"/> <include method="countApartments"/> </create> </allow> </dwr> 6th OWASP AppSec Conference – Milan – May 2007 Example: Atlas server code [System.Web.Script.Services.ScriptService] [WebService(Namespace = "http://tempuri.org/")] [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] public class ApartmentDAO : System.Web.Services.WebService { [WebMethod] public ArrayList findApartments(int bedrooms, int bathrooms, int price) { // implementation ... } ... 6th OWASP AppSec Conference – Milan – May 2007 Ajax For Malware Exploit writers buy JavaScript books too Web 2.0 exploits for Web 1.0 vulnerabilities MySpace worm Port scanning behind your firewall Jikto Cross-site scripting looks more and more like buffer overflow Buffer Overflow Cross-site Scripting Allows Arbitrary Code Execution Exploit is hard to write Easy mistake to make in C/C++ Well known problem for decades Allows Arbitrary Code Execution Exploit is easy to write Easy mistake to make in any language Well known problem for a decade 6th OWASP AppSec Conference – Milan – May 2007 MySpace Worm MySpace does bad input validation Users to post a subset of HTML on their pages no <script> tags, no use of the word “javascript”, etc Users to add other users as “friends” User “Samy” discovers some holes Some browsers allow JavaScript in style attributes Some browsers interpret “java\nscript” as “javascript” ... All of the MySpace efforts to prevent JavaScript can be circumvented Samy adds JavaScript to his page Any visitor to his page automatically adds Samy as a friend: “Samy is my hero” Any visitor to a page where Samy is a friend will add Samy to their page Worm! MySpace goes down 6th OWASP AppSec Conference – Milan – May 2007 Port scanning behind your firewall JavaScript can: Request images from internal IP addresses, e.g. <img src=“192.168.0.4:8080”/> Use timeout/onerror to determine success/failure Fingerprint webapps using known image names Server 1) “show me dancing pigs!” Malicious Web page 2) “check this out” 3) port scan results scan Browser scan scan 6th OWASP AppSec Conference – Milan – May 2007 Firewall Jikto JavaScript vulnerability scanner Written by Billy Hoffman (with credit to Petko Petkov) Capable of spreading like a worm through new XSS vulnerabilities it discovers Uses proxy to bypass same origin policy Target Site attack Mal page Google Translate response analyzer Malicious Site 6th OWASP AppSec Conference – Milan – May 2007 Moral to the story No new vulnerabilities here, just better exploits Good offense makes good defense more important Good offense is making fast progress 6th OWASP AppSec Conference – Milan – May 2007 Defending Ajax Applications: Old Risks Reconsidered A new name for the same game Same vulnerabilities, new programming language Input validation Exposing the server 6th OWASP AppSec Conference – Milan – May 2007 Same Vulnerabilities, New Programming Language A cross-site scripting vulnerability entirely in JavaScript q = location.search.split(“q=“)[1]; q = unescape(q); div.innerHTML = “searching for “ + q; 6th OWASP AppSec Conference – Milan – May 2007 Old Risks Reconsidered: Input validation Possible to lose track of where validation is performed Server Client More entry points on the server More, smaller, requests Decentralized design Easy to over-expose More subtle entry points on the server Looks like Web services Hard to tell if method call initiated locally (safe) or remotely (dangerous) Harder to tell what can be trusted 6th OWASP AppSec Conference – Milan – May 2007 Exposing Yourself with DWR <dwr> <allow> … <create creator=”new” javascript=”ApartmentDAO” class=”dwr.sample.ApartmentDAO”> <exclude method=”countApartments”/> </create> </allow> </dwr> 6th OWASP AppSec Conference – Milan – May 2007 Exposing Yourself with DWR <dwr> <allow> … <create creator=”new” javascript=”ApartmentDAO” class=”dwr.sample.ApartmentDAO”> </create> </allow> </dwr> 6th OWASP AppSec Conference – Milan – May 2007 New Problem: Harder to Test Dirty data shooters rely on Web 1.0 conventions HTTP HTML forms 1 parameter = 1 application variable Ajax = more complex data structures Ajax requires sophisticated browser emulation How do you spider an Ajax application? Looks much more like testing conventional software 6th OWASP AppSec Conference – Milan – May 2007 New Risk: JavaScript Hijacking Basic Web browser security: Same Origin Policy Can’t use JavaScript to peek at HTML from other domains Protects Web sites from each other Fundamental to Web security Cross-site request forgery (CSRF) JavaScript can submit a form request to another site Not prevented by Same Origin policy Weakness of cookie-based session management Pervasive vulnerability Attack against data integrity JavaScript Hijacking breaks confidentiality too If server responds to HTTP GET requests If response is JavaScript syntax (arrays, function calls) Attacker can use a <script> tag and witness execution of JavaScript First vulnerability specific to Ajax 6th OWASP AppSec Conference – Milan – May 2007 JavaScript Hijacking in Action Ajax app server Malicious Server 1) “show me dancing pigs!” GET 2) “check this out” 3) confidential data Mal page { witness code } <script src=“...”> JavaScript Browser Firewall 6th OWASP AppSec Conference – Milan – May 2007 How the Popular Frameworks Stack Up Framework Dojo DWR 1.1.4 GWT jQuery Microsoft A tlas MochiKit Moo.fx Prototype Rico Script.aculo.us xajax Yahoo! UI Summary Supports JSON. Defaults to PO ST, but does not explicitly prev ent JavaScript Hijacking. Uses an expanded version of JSON. Does not implement any JavaScript Hijacking prevention mechanisms. Supports JSON. Uses POST by default; howev er, documentation describes how to mak e GET requests instead and does not mention any security ramifications. Supports JSON. Defaults to GET. Supports JSON. Uses POST by default, but allows programmers to easily change PO ST to GET and encourages doing so for performance and caching. Supports JSON. Defaults to GET. Supports JSON. Defaults to PO ST, but can easily be configured to use GET. Supports JSON. Defaults to PO ST when no method is specified, but is easily customizable for using either POST or GET. Does not currently support JSON, but will in the future. Supports XML as a data transfer format. Defaults to GET. Supports JSON. Prov ides additional UI controls and uses the Prototype library for generating requests. Does not currently support JSON, but will in the future. Supports XML as a data transfer format. Supports JSON. Responds to GET requests. Prevents JavaScript Hijack ing? No No No No No No No No N/A No N/A No 6th OWASP AppSec Conference – Milan – May 2007 JavaScript Hijacking Exploit function Object() { this.province setter = captureObject; } function captureObject(x) { var index = 0; for (fld in this) { var comma = (index != 0) ? ", " : ""; var value = ('province' == fld) ? x : this[fld]; objString += comma + fld + ": " + value; index++; } objString +="<br>"; // add code to send data to attacker here } if (DWREngine == null) var DWREngine = {}; DWREngine._handleResponse = function(a, b) {} <script src="http://localhost:8080/servletsexamples/dwr/exec/ApartmentDAO.findApartments.dwr?callCount=1&c0scriptName=ApartmentDAO&c0-methodName=findApartments&c0id=676_1176490045131&c0-param0=string%3A1&c0-param1=string%3A1&c0param2=string%3A1500&xml=true& HTTP/1.1"></script> 6th OWASP AppSec Conference – Milan – May 2007 Two Defenses Against JavaScript Hijacking 1. Prevent CSRF Default to POST not enough Developers add GET so that result can be cached Checking for a known HTTP header is not enough (Flash CSRF vulnerability) 2. Prevent execution of JavaScript while(1); /* ... */ Relying on object notation {} rather than array notation [] is silly calling parseJSON() rather than eval() does not help 6th OWASP AppSec Conference – Milan – May 2007 How the Popular Frameworks Responded Framew ork Dojo DWR 2.0 GWT jQuery Microsoft Atlas MochiKit Moo.fx Prototype Rico Script.aculo.us xajax Yahoo! UI Fixed in Next Release Yes Yes Yes No No Yes No Yes N/A Yes N/A added security docs Head-in-the-sand defense 6th OWASP AppSec Conference – Milan – May 2007 JavaScript Hijacking Myths and Misunderstandings This is a server administration problem. It’s a programming problem. Yeah yeah, but somebody could just do ‘view source’ and accomplish the same thing. The attacker is not the one running the web browser But if you’ve got CSRF vulns, you’re toast anyway. CSRF is bad, but this is worse: it adds breach of confidentiality This relies on some XSS vuln or a bug in the browser. Not so, this is how the browser is supposed to work! 6th OWASP AppSec Conference – Milan – May 2007 Mashups Aren’t Secure Scripts from multiple domains == security problem Often use JavaScript callbacks and auto-generated <script> tags Might be fine for Google maps, but not okay for confidential data Pink Floyd Dark Side of the Moon AJAX all purpose cleaner 6th OWASP AppSec Conference – Milan – May 2007 The Future of Ajax Better frameworks offer a chance to build security in Prevent CSRF Provide secure defaults Opportunity for better validation Better separation between display and controller Better definition for browser/server interaction Better Web standards Cookies: broken, need *working* HTTP only cookies Browsers: broken, need to distinguish between scripts from different domains Flash? Documented security best-practices Hard to mistake data and code Well-defined system for cross-domain communication 6th OWASP AppSec Conference – Milan – May 2007 Summary Ajax: a difference of degree Attack techniques improving quickly Technology pushed well past original design goals Old best practices still apply Don’t trust the client Protect the client New challenges Harder to test More complexity == more room for error A new ally Good opportunity to build security into Ajax frameworks 6th OWASP AppSec Conference – Milan – May 2007