Cyber Camp 2014 
(In)Security Implications in 
JavaScript Universe 
Stefano Di Paola, CTO Minded Security
$ whoami
Stefano Di Paola @WisecWisec
Research (Spare Time)
• Bug Hunter & Sec Research (PDF UXSS, Flash Security, HPP)
• Software Security since '99
• Dealing with JavaScript since 2006
Work
• CTO @ Minded Security, Application Security Consulting
• Director of Minded Security Research Labs
What’s this talk about
• Birth and rise of an important language.
• The security implications around it.
• Try to use the JavaScript phenomenon to understand some things about security and the real world.
• I won’t say JavaScript is insecure. It’d be complete nonsense.
Brief History Of JS – 1990-2000
1990: Only HTML
1996: JavaScript is in the browser
1999: Ajax
Brief History 2000-2009
Something’s happening. Can you see it?
Brief History 2009-2014
• Browser vendors are pushing new features:
  • improving speed
  • graphics capabilities
  • sound
• Sounds like a plan!
• …and guess what’s the glue? JavaScript of course!
Brief History The big picture
PAST 
1996-2012
1996 - Why JS became so important?
• Improves user experience during browsing.
• On the other side, it gives a way to:
  • read
  • create
  • modify
  • delete page content.
Browser with new Powers
I mean:
• Without JavaScript a browser was just an HTML parser (not only, I know..).
• With JavaScript a browser has a whole new playground.
• Can those features be abused?
Browser with new Powers - Risks
• The browser now has to protect, some way:
  • User remote data: website A (evil) tries to read/modify/etc. content of website B (victim), abusing the victim’s browser.
  • User local data: a malicious site could try to access disk files.
User data is gone.
Browser with new Powers - SOP
• The concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995.
• Same Origin Policy (scheme://host:port): http://evil.com :80
• Implementation of access control rules in a hostile environment is also known as a sandbox.
Subverting the SandBox – The old style
"<html>.." + taintedInput + "..</html>"
taintedInput = <script>evilJs</script>
<html>..<script>evilJs</script>..</html>
Subverting the SandBox – The old-new style
Abuse the functionality of a plugin that
• behaves differently from the browser
• gives too much power without controls
in order to access data, whatever the browser rules are.
Universal Cross Site Scripting (UXSS)
Subverting the SandBox – Acrobat Reader Plugin
Example: Acrobat Reader Plugin UXSS, 2006
• Suppose a PDF is reachable from:
http://www.google.com/doc.pdf
The attacker adds a parameter:
http://www.google.com/doc.pdf?fdf=javascript:evilJS...
and forces the victim’s browser to visit the URL.
The plugin executes the JavaScript as if it originated from google.com.
• What happens when a user just has some PDF on their PC?
• An attacker could access the whole filesystem!
Subverting the SandBox – The old-new-new style
• Browser extensions:
  • JavaScript running in extensions has much more power than on HTML pages.
  • Can be developed by anyone.
  • Could be malicious..
  • ..or simply badly written (vulnerable to external attacks).
  • Very similar to the plugin model, but easier to develop.
  • Any user can install them.
  • Useful for lots of stuff (Gmail inbox checking, ad blocking, etc.)
Meantime.. 
On the Server Side..
Yay! Look Ma’ I’m on the Server Side!
An early implementation of JavaScript on the server side, but the results were not so nice:
var year=eval("date['"+request["params"]["year"]+"'];");
• Became a Remote Code Execution!
http://host/?year='+response.write(system("cat /etc/passwd"))+'
It was a bank web application (implemented in 2003, tested by me in 2008).
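The slide’s eval lookup next to a hardened one, as an added example (not code from the talk or the application it describes); the `date` table, the `request` shape and the year values are constructed for the example.

```javascript
// Constructed lookup table standing in for the application's `date` object.
const date = { "2007": "FY2007 statement", "2008": "FY2008 statement" };

// Vulnerable pattern from the slide: the request parameter is pasted into
// source text, so a single quote in it closes the string and whatever follows
// is evaluated as JavaScript inside the server process.
function unsafeYearLookup(request) {
  return eval("date['" + request.params.year + "'];");
}

// Hardened lookup: the parameter stays data. It must match a strict shape and
// be an own property of the table (no prototype walk, no code path at all).
function safeYearLookup(request) {
  const year = String(request.params.year);
  if (!/^\d{4}$/.test(year)) {
    throw new RangeError("year must be exactly four digits");
  }
  return Object.prototype.hasOwnProperty.call(date, year) ? date[year] : undefined;
}

// Detection helper for access logs: a year parameter carrying quote or
// operator characters is a probe, never a legitimate client value.
function looksLikeEvalProbe(yearParam) {
  return /['"+;()]/.test(String(yearParam));
}
```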
Meantime.. 
On users PC
Mo’ Money Mo’ Trouble
• It’s around 2005.
• A new interesting thing happens.
• JavaScript + Ajax increase the number of commercial web applications.
• The cost of computers lowers.
• The platforms are converging to a common one: the browser.
• Big user base > Big money > Crime > Profit
What would a naive user do?
Man In The Browser - Banking Malware
• In 2005 the use of a virus to hook the browser’s interaction with banking websites was theorized for the first time.
• Takes advantage of the common interface the browser gives.
• Changes the page on the fly.
• It’s a win-win. Browser rules are completely subverted!
• Perfect sandbox bypass.
Man In The Browser
• Configuration Example:
Meantime.. 
On the Mobile..
Yay! Look Ma’ I’m in a telephone!
• Every mobile OS gives developers a so-called webview.
It’s 2011: iOS Skype HTML injection in the username display. Led to access to whatever the app can access.
https://www.superevr.com/blog/2011/xss-in-skype-for-ios/
Just Before the Present – The JavaScript Situation
It's 2011
• Websites are full of JavaScript coming from:
  • Advertising,
  • Web analytics,
  • User interaction,
  • Helper libraries.
Just Before the Present - DOMinator
• I wrote a tool called DOMinator:
  • Modification of Firefox
  • Helps to track JavaScript flow during its execution
  • Alerts if there's some potentially exploitable flaw in the code.
• Took the top 100 most visited sites, analyzed them with it:
  • 57 had at least some weakness in their JavaScript code.
Present 
2012-2014
Present + Past
• Past stuff is actually (mostly) still here :)
• Some effort from browser vendors to improve SOP:
  • Content Security Policy
  • Implemented by all browsers
  • Not widely used by web applications.
• Unfortunately everything is happening on top of an old model.
There’s more! New JavaScript frameworks and models are gaining interest.
HTML Templating – Complex JS Models
• Welcome to a new way to dynamically generate HTML pages on the fly on the browser side!
• Welcome HTML Templates
• Welcome Client Side Full Dynamic Content
• Welcome AngularJS and siblings!
AngularJS – a New Sandbox to Escape From
{{ qty * cost }}
is not directly executed by the browser’s JS parser.
• An expression parser is implemented on top of JS.
• It’s actually a sandbox around JS, implemented in JS.
AngularJS – a New Sandbox to Escape From
• Try to run {{alert(1)}}
• The sandbox removes access to “dangerous objects” and their attributes.
• Still, sandbox security is often a long process, refined over time.
• Here’s a (mindblowing) sandbox bypass (fixed):
''.sub.call.call(
    ({})["constructor"].getOwnPropertyDescriptor(
        ''.sub.__proto__, "constructor").value,
    null,
    "alert(1)" )()
https://code.google.com/p/mustache-security/wiki/AngularJS
AngularJS – a New Problem to Face
• User content is completely generated on the client.
• How can we create a PDF on the server side using the user page?
1. Extract the generated HTML
2. Send it to the server
3. Use a browser on the server to recreate the graphics
4. Convert it to PDF.
PDF Generation from Complex Content
• WebKit – Webkit2PDF
• Other browser-based solutions.
• What could go wrong with the following content, parsed by a browser on the server side?
<iframe src="http://internalRouter/"></iframe>
• Write access to the whole internal network, as if you had access with your browser to the web server’s network!
• Arbitrary Server Side Requests
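The check a practitioner would want in front of a server-side renderer, as an added example (not from the talk or any PDF tool): it extracts every URL the renderer would fetch from the generated HTML and flags non-http(s) schemes and internal hosts before rendering. The address ranges, hostnames and sample HTML are constructed for the example.

```javascript
// Private, loopback, link-local and metadata ranges a renderer must never reach.
const PRIVATE_V4 = [
  /^127\./, /^10\./, /^0\./, /^169\.254\./,
  /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./,
];

// True for anything that resolves inside the rendering host's network.
function isInternalHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost") || h.endsWith(".local")) return true;
  if (h === "::1" || h === "::") return true;
  // Bare names such as "internalRouter" and IPv6 literals are treated as internal.
  if (!h.includes(".")) return true;
  return PRIVATE_V4.some((re) => re.test(h));
}

// Every attribute a browser dereferences while rendering the page.
const URL_ATTR = /\b(?:src|href|action|data|poster|formaction)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns a list of findings; an empty list means the HTML may be rendered.
// Relative URLs are resolved against the (constructed) public app origin.
function auditRenderedHtml(html) {
  const findings = [];
  for (const m of html.matchAll(URL_ATTR)) {
    const raw = (m[1] ?? m[2] ?? m[3]).trim();
    let u;
    try {
      u = new URL(raw, "https://app.example/");
    } catch {
      findings.push({ raw, reason: "unparseable" });
      continue;
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") {
      findings.push({ raw, reason: "scheme " + u.protocol });
    } else if (isInternalHost(u.hostname)) {
      findings.push({ raw, reason: "internal host " + u.hostname });
    }
  }
  return findings;
}
```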
(In)Security Implication in the JS Universe
JavaScript in the full Web Stack!
JavaScript on the Server Side.. Again!
• JavaScript is used by hundreds of thousands of developers.
• It's too popular.
There's a new breakthrough.
• NodeJS - JS on the server side. Welcome back, 2003.
• MongoDB - JavaScript on the DBMS layer
JavaScript on the Server Side.. Again!
• Request the following from a node application:
Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff
Node: { parameter: [ 'sss', 'fff' ] }
Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff
Node: { parameter: { XX: 'sss', YYY: 'fff' } }
• Node gets the query string and transforms it into JavaScript Object Notation (JSON).
• Completely different from all other web servers!
JavaScript on a DB! SQL Injection? Kind of
• Is some other fancy server-side attack still possible?
Let’s see.
1. Create a simple nodeJS + MongoDB application
//MongoDB Access from NodeJS
User.findOne({user: req.body.user, pass: req.body.pass},...
2. Test the environment
Client Request: user=aUserName&pass=aPassword
Node sees: { user: 'aUserName', pass: 'aPassword' }
JavaScript on a DB! SQL Injection? Kind of
3. Now look at the MongoDB manual and find the interesting parts.
http://docs.mongodb.org/manual/reference/sql-comparison/
4. Identify one of many attacks that can be performed:
Client Request: user[$ne]=aUserName&pass[$ne]=aPassword
Node sees: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }
MongoDB sees the equivalent of: SELECT * from users where user != 'aUsername' and pass != 'aPassword';
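Added example covering both the query-string slide and the `$ne` slide (not the talk’s code, and no real MongoDB is involved): a minimal re-implementation of the bracket-notation parsing the slides show, the login filter built the way the slide does, a hardened builder that only accepts string credentials, and an operator check usable as a detection. The request strings are the ones on the slides; the parser is an assumption about the behaviour, not Express or qs source.

```javascript
// Parses "a=1&a=2&b[c]=3" into { a: ["1", "2"], b: { c: "3" } }, mimicking the
// nesting the slides show. Prototype-shaped keys are dropped so the parser
// itself cannot be used to pollute Object.prototype.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    const val = decodeURIComponent(rawVal.replace(/\+/g, " "));
    // "user[$ne]" -> ["user", "$ne"]; plain "user" -> ["user"]
    const path = key.replace(/\]/g, "").split("[");
    if (path.some((p) => p === "__proto__" || p === "constructor" || p === "prototype")) continue;
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    const leaf = path[path.length - 1];
    if (Object.prototype.hasOwnProperty.call(node, leaf)) {
      node[leaf] = [].concat(node[leaf], val); // repeated key -> array
    } else {
      node[leaf] = val;
    }
  }
  return out;
}

// As on the slide: whatever shape the parser produced goes straight into the
// filter, so { $ne: "x" } reaches the database as an operator, not a value.
function vulnerableLoginFilter(body) {
  return { user: body.user, pass: body.pass };
}

// Hardened: credentials are only ever strings; any other shape is rejected
// before a filter object exists.
function safeLoginFilter(body) {
  for (const field of ["user", "pass"]) {
    if (typeof body[field] !== "string") {
      throw new TypeError(field + " must be a string, got " + typeof body[field]);
    }
  }
  return { user: body.user, pass: body.pass };
}

// Detection: true when any key at any depth of the filter is a query operator.
function containsOperator(filter) {
  if (filter === null || typeof filter !== "object") return false;
  return Object.keys(filter).some((k) => k.startsWith("$") || containsOperator(filter[k]));
}
```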
Future 
2015-?
What’s going on?
• Web as a gaming platform, no plugins (QuakeJS)
• Possible to “compile” games written in C/C++ to asm.js (speed 1.5x relative to native ones!)
What’s going on? Mobile?
• FirefoxOS (mobile applications in HTML5 + JS)
What’s going on? Anything Left?
• JS Internet of Things (JS interpreter in a chip).
Projects about creating an operating system on top of nodeJS.
Conclusions
• We live in a world that changes faster than before.
• New interesting technologies could get a huge user base in a few months.
• When it happens, everything moves even faster,
• without giving the right time to understand the implications or the subtleties underneath them.
Can you see it now?
• JavaScript seems easy, but as usually happens, quality code means more than basic JS skills.
• Things are getting even harder.
• Yet we need talented people to break and build code and innovate as much as possible!
Future??
I can’t even imagine how much more intricate the next years will be!
And this is only one language!
Thank you! 
/*Go and Exploit Ethically */ 
Q&A 
Twitter: @wisecwisec 
https://www.mindedsecurity.com 
Mail: stefano.dipaola@mindedsecurity.com
