Advanced Ajax Security

Advanced Ajax Security Billy Hoffman ( [email_address] ) Manager, HP Security Labs

Who am I? Manager HP Security Labs In security space for 6 years CS Degree from Georgia Tech Areas of focus Crawling and sampling JavaScript static analysis XSS Frequent presenter at hacker/security conferences

Presentation Overview Manipulating Client-side logic Defeating logic protection techniques Function Hijacking JSON Hijacking Hacking Google Gears June 2, 2009

“ Boring” Ajax Security Increased attack surface Direct API access Easier to reverse engineer Amplifying web attacks Offline attacks “ Surely no one actually does this right?” June 2, 2009

Sample Ajax travel website Built using “expert” advice Popular books Articles/How-tos Forums Riddled with security defects Sexy Ajax Security June 2, 2009

API Domino Effect June 2, 2009 holdSeat(flightID) makeOffer(price, flightID) debitAccount(price) bookSeat(flightID)

Overly Granular Application API June 2, 2009 Insecure More secure

Polling Status Call June 2, 2009

Real-world Example June 2, 2009

Web 1.0 to Web 2.0 Conversion June 2, 2009

Premature Ajax-ulation! June 2, 2009

Exposed Administrative API June 2, 2009 Malicious use Intended use

Defeating Logic Protection Obfuscation Lazy Loading June 2, 2009

All Your Obfuscation Are Belong To Us!

How to debug code if you don’t have it all? Firebug cannot debug dynamic code JSON responses Remote scripting Lazy loading “ View Source” vs “View Generated Source” Need a way to monitor JavaScript environment On-Demand JavaScript

Understanding JavaScript Variable Scope Everything is a object Primitives (Strings, numbers, regexp) Functions All global variables and functions are properties of global object Provided by environment Web browser = window Can we enumerate?

Example Code function BogusFunction1() { //empty function } function BogusFunction2() { //empty function } var ret = ""; for(var i in window) { if(typeof(window[i]) == "function") { ret += i + "\n"; } } alert(ret);

HOOK: JavaScript Monitoring Framework Enumerates the environment and traps on-demand code. Side-steps obfuscation Reads from the environment itself Demo

Take Aways: Client-side Code Client-side code is just a suggestion! Client-side code cannot be protected, encrypted, or obfuscated Store all secrets on the server Enforce control flow on the server Always match allocations with frees in the same method Use Server-side locking to prevent race condition vulnerabilities June 2, 2009

JavaScript Function Clobbering Highly dynamics language Typeless, dynamic execution paths Can redefine itself at runtime June 2, 2009

JavaScript Namespaces Namespaces prevent collisions Solution: Make functions properties of objects var com.SomeSite.common = {}; com.SomeSite.common.debug = function () { … }; com.SomeSite.common.debug(); var com.SexyWidgets = {}; com.SexyWidgets.debug = function() {…}; com.SexyWidgets.debug();

Intentional Function Clobbering Attacker deliberately clobbers functions What kind of functions can you clobber? User defined functions? System functions? Demo

Clobbering System Functions: alert()

Can clobber anything Automatic Man In The Middle Other things Dojo.Storage Callback functions Encryption functions? Limitless Clobbering Possibilities

The Myth of the Same Origin Policy Myth: Same Origin Restricts prevent JavaScript from seeing 3 rd party content Fact: Kind of prevents Remote Scripting Image and Iframe events (JavaScript port scanning) 3 rd party plug-in communications

JSON Hijacking JSON is a valid subset of JavaScript eval() can be used to “see” the response Could use remoting scripting to read JSON web services? June 2, 2009

JSON Hijacking <script type="text/javascript"> [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true], ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false], ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"], 74905862, true], ["Black Hat USA", "2007-07-29" "2007-08-03", ["ATL", "LAS", "ATL"], 90398623, true]]; </script>

JSON Hijacking How does JS interpreter handle literals? [9,4,3,1,33,7,2].sort(); Creates temporary Array object Executed sort() function Never assigned to variable Garbage collected away

JSON Hijacking How does JS interpreter handle literals? [9,4,3,1,33,7,2].sort(); Creates temporary Array object Invokes Array() constructor function Executed sort() function Never assigned to variable Garbage collected away

JSON Hijacking Clobber the Array() function with malicious version Use <SCRIPT SRC> to point to JSON web service Malicious Array() function harvests the data that comes back! function Array() { var foo = this; var bar = function() { var ret = "Captured array items are: ["; for(var x in foo) { ret += foo[x] + ", "; } ret += "]"; //notify an attacker here }; setTimeout(bar, 100); }

JSON Hijacking Defense XMLHttpRequest can see the response and perform operations on it before eval() ing <SCRIPT SRC> cannot! Make the JSON response non-valid JavaScript XHR removes it! <SCRIPT SRC> fails!

Bad Approach #1 <script type="text/javascript"> I'/\/\ a bl0ck of inva1id $ynT4x! WHOO! [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true], ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false], ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"], 74905862, true], ["Black Hat USA", "2007-07-29" "2007-08-03", ["ATL", "LAS", "ATL"], 90398623, true]]; </script>

Bad Approach #2 <script type="text/javascript"> /* [" Eve*/["bogus ", "Jill", "Mary", "Jen", "Ashley", " bogus"]/*Nidhi "] */ </script> <script type="text/javascript"> /* ["Eve*/ ["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"] /*Nidhi"] */ </script>

Correct Approach <script type="text/javascript"> for(;;); ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"] </script>

Correct Approach function defangJSON(json) { if(json.substring(0,8) == "for(;;);") { json = json.substring(8); } Return json; } var safeJSONString = defangJSON(xhr.responseText); var jsonObject = safeJSONString.parseJSON();

Securing Ajax Applications Perform authentication/authorization checks on both web pages and web services Group code libraries by function Validate all input for your application HTTP headers, cookies, query string, POST data Verify data type, length and format Always use parameterized queries Always encoded output appropriately June 2, 2009

Salvation Is Here! Ajax Security Addison-Wesley " Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't.” -Jesse James Garret In stores now! June 2, 2009

Advanced Ajax Security

More Related Content

What's hot (9)

Similar to Advanced Ajax Security (20)

More from amiable_indian (20)

Recently uploaded (20)

Advanced Ajax Security