Ajax Security
Douglas Crockford
Yahoo!
javascript.crockford.com/security.ppt
Security
The number 1 biggest problem with
the whole World Wide Web.
The browser is not a safe
programming environment.
It is inherently insecure.
What can an attacker do if he
gets some script into your page?
An attacker can request additional
scripts from any server in the world.
Once it gets a foothold, it can obtain
all of the scripts it needs.
An attacker can make requests of
your server.
Your server cannot detect that the
request did not originate with your
application.
An attacker can read the
document.
The attacker can see everything the
user sees.
An attacker has control over the
display and can request information
from the user.
The user cannot detect that the
request did not originate with your
application.
An attacker can send information to
servers anywhere in the world.
The browser does not prevent
any of these.
That's why they happen.
The consequences of a successful
attack are horrible.
Harm to customers. Loss of trust.
Legal liabilities.
Possible criminal penalties.
This is not a Web 2.0 problem.
All of these problems came with
Netscape 2 in 1995.
The Turducken Problem
• Many Languages:
HTTP, HTML, URL, CSS, JavaScript, XML,
JSON, plaintext, SQL...
• Each language has different quoting and
commenting conventions.
• The languages can be nested inside each other.
A text that is benign in one context
might be dangerous in another.
Sloppy encoding allows injection of
evil scripts.
A Simple Attack
http://yourdomain.com/
<script>alert("XSS");</script>
<html><body>
<p>File not found:
<script>alert("XSS");</script>
</p></body></html>
• The script runs with the authority of your site.
A Simple Attack
http://yourdomain.com/
<script>alert("XSS");</script>
<html><body>
<p>File not found:
&lt;script>alert("XSS");&lt;/script>
</p></body></html>
• Proper escapement provides some safety.
Another Example
• Bad text
" + alert("XSS") + "
• Bad encoding
{"json": "" + alert("XSS") + ""}
• Good encoding
{"json": "\" + alert(\"XSS\") + \""}
Coding hygiene is critical for
avoiding turducken attacks.
Use good encoders. json.org/json2.js
Do not use simple concatenation.
Never trust the browser.
Validate all input.
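The two slides above ("A Simple Attack" and "Another Example"), as an added example that is not part of Crockford's deck: the "File not found" page built by concatenation beside the same page built with an HTML encoder, and the JSON value built by concatenation beside one built with a real encoder. The function names and the path/text values are constructed for the demonstration.

```javascript
// Added example (not from the slides). Map the five characters that change
// meaning inside HTML text or attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The slide's careless server: the requested path is pasted straight into the
// page, so a path of <script>alert("XSS");</script> becomes live markup that
// runs with the authority of the site.
function notFoundPageUnsafe(path) {
  return '<html><body><p>File not found: ' + path + '</p></body></html>';
}

// Encoded: the path is still shown to the user, but only as text.
function notFoundPageSafe(path) {
  return '<html><body><p>File not found: ' + escapeHtml(path) + '</p></body></html>';
}

// The JSON case: the "bad text" closes the string literal when concatenated.
function jsonUnsafe(value) {
  return '{"json": "' + value + '"}';
}

// A real JSON encoder (JSON.stringify here; json2.js on engines without it)
// backslash-escapes the embedded quotes, so the value stays a string.
function jsonSafe(value) {
  return JSON.stringify({ json: value });
}

// Constructed inputs, copied from the slides.
const badPath = '<script>alert("XSS");</script>';
const badText = '" + alert("XSS") + "';
```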
Cross Site Data Access
It is extremely useful to
obtain data from other
sites and mash it up.
Same Origin Policy
Prevents useful things.
Allows dangerous things.
Script Tag Hack
• Scripts (strangely) are exempt from Same
Origin Policy.
• A dynamic script tag can make a GET request
from a server.
receiver(jsontext);
• Extremely dangerous. It is impossible to
assure that the server did not send an evil
script.
JavaScript's Global Object
The root cause of XSS attacks.
All scripts run with the same
authority.
JavaScript is an insecure
language.
The ES4 Proposal is even worse.
It should be abandoned.
Document Object Model
All nodes are linked to all other nodes
and to the network.
Cookies
Ambient authority leads to confusion
and impersonation (XSRF).
Remedy: Crumbs
An explicit secret should be sent with
the ambient cookie.
Frustrates XSRF attacks.
Not effective against XSS attacks.
Excellent Code Quality
If code is clean and readable, it is less
likely to contain insecurities.
JSLint
• JSLint defines a professional subset of
JavaScript.
• It imposes a programming discipline that
makes me much more confident in a dynamic,
loosely-typed environment.
http://www.JSLint.com/
Warning!
JSLint will hurt your
feelings.
If the web has been totally screwed up
from the beginning, why should we
worry about it now?
1. Escalating legal penalties
2. Mashups
3. Competition
Mashups
The most interesting innovation in
software development in 20 years.
Mashups are insecure.
Mashups must not have access to
any confidential information.
If there is script from two or more
sources, the application is not secure.
Period.
Advertising is a mashup.
Competition to displace the web.
Silverlight.
AIR.
JavaFX.
That wouldn't be the end of the
world.
It would just be the end of the WWW.
A Three Prong Strategy to
Fix the Web
1. Safe JavaScript subsets.
2. Small browser improvements.
3. Massive browser improvements.
This could take a while, so we should proceed on
all three immediately.
1. Safe JavaScript Subsets.
The easiest way to improve
JavaScript is to make it smaller.
ADsafe
• A JSLint option.
• It defines a safe HTML/JavaScript subset.
• Removes from JavaScript all features that are
unsafe or suspect.
• Allows foreign ads and widgets to safely
interact.
ADsafe
• No global variables or functions may be
defined.
• No global variables or functions can be
accessed except the ADSAFE object.
• The [] subscript operator may not be used.
• These words cannot be used: apply call
callee caller constructor eval
new prototype this watch
• Words starting with _ cannot be used.
Dangers
• There may still be undiscovered weaknesses in
ECMAScript and its many implementations.
• Browser implementations are changing,
introducing new weaknesses.
• The DOM wrappers must be flawless.
• We are still subject to XSS attacks.
2. Add Simple Features
to the Browsers.
Even simple improvements can take a
long time to distribute.
JSONRequest for safe data
interchange.
Vats
Communicating computational containment vessels
HTML Provides No Modules
• It was conceived to be a document format.
• We are using it as an application format.
• Applications require modules.
• Modules protect their contents.
• Modules communicate by exposing clean
interfaces.
Vats
• Adapting Google's Gears or Adobe's AIR to
provide communicating containment.
• Provides cooperation under mutual suspicion.
• Heavyweight.
• Distribution is difficult.
• Still subject to XSS attacks.
3. We need to replace JavaScript
and the DOM.
As long as we are using insecure
languages, we will be subject to XSS
attacks.
Start with the ADsafe subset, and
then carefully add features to
enhance expressiveness.
A is an Object.
Object A has state
and behavior.
Object A has a
reference to
Object B.
An object can have
references to other objects.
has-a
Object A can
communicate with
Object B...
...because it has a
reference to
Object B.
Object B provides
an interface that
constrains access
to its own state
and references.
Every object is a micro vat.
Object A does not have a reference to
Object C, so Object A cannot
communicate with Object C.
In an Object Capability
System, an object can only
communicate with objects
that it has references to.
An Object Capability System is
produced by constraining the ways
that references are obtained.
A reference cannot be obtained
simply by knowing the name of a
global variable or a public class.
There are exactly three ways to obtain
a reference.
1. By Creation.
2. By Construction.
3. By Introduction.
1. By Creation
If a function creates an object, it gets
a reference to that object.
2. By Construction
An object may be endowed by its constructor with
references.
This can include references in the constructor's
context and inherited references.
3. By Introduction
A has references to B and C.
B has no references, so it cannot communicate with A or C.
C has no references, so it cannot communicate with A or B.
3. By Introduction
A calls B, passing a reference to C.
3. By Introduction
B is now able to communicate with C.
It has the capability.
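The A, B, C scenario above, as an added example that is not from the slides: each object is a closure whose state is private, nothing is looked up by global name, and B can reach C only after A passes its reference along. The makeVat, makeA and demo names are constructed for the demonstration.

```javascript
// Added example (not from the slides): the three ways to obtain a reference,
// written as closures with no globals, no `this` and no lookup by name.

// A "micro vat": its state is private; only the returned interface can reach it.
function makeVat(name) {
  const inbox = [];            // private state
  const known = new Map();     // the references this object holds
  return {
    receive(from, msg) { inbox.push(from + ':' + msg); return inbox.length; },
    // Receiving end of Introduction: a caller hands over a reference it owns.
    introduce(label, ref) { known.set(label, ref); },
    // Only objects this one holds a reference to can be reached; a name alone buys nothing.
    send(label, msg) {
      const target = known.get(label);
      return target ? target.receive(name, msg) : null;
    },
    // By Introduction: call the object at toLabel, passing our reference at refLabel.
    share(toLabel, refLabel) {
      const to = known.get(toLabel);
      const ref = known.get(refLabel);
      if (!to || !ref) return false;
      to.introduce(refLabel, ref);
      return true;
    },
    messages() { return inbox.slice(); },
  };
}

// By Construction: A is endowed by its constructor with references to B and C.
function makeA(b, c) {
  const a = makeVat('A');
  a.introduce('B', b);
  a.introduce('C', c);
  return a;
}

// By Creation: the caller of makeVat holds the only reference to each new object.
function demo() {
  const b = makeVat('B');
  const c = makeVat('C');
  const a = makeA(b, c);
  const bToCBefore = b.send('C', 'hello');   // null: B holds no reference to C
  a.share('B', 'C');                         // A calls B, passing a reference to C
  const bToCAfter = b.send('C', 'hello');    // 1: B now has the capability
  const bToA = b.send('A', 'hi');            // still null: nobody gave B a reference to A
  return { bToCBefore, bToCAfter, bToA, cInbox: c.messages() };
}
```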
Weaknesses to avoid include
1. Arrogation.
2. Corruption.
3. Confusion.
4. Collusion.
There is no security in obscurity.
Tricks and puzzles are not effective.
Speed bumps are not effective.
False security increases the
danger.
Ineffective measures make things
worse.
The security problems are not
new.
The problems are getting harder to
ignore.
Ultimately
• We need to replace JavaScript with a secure
language.
• The current ES4 proposal is not that language.
• We need to replace HTML and the DOM with
a secure application delivery system.
• The current HTML5 proposal is not that either.
Ultimately
• Secure programming language to replace
JavaScript.
• A modular application framework to replace
the DOM and CSS.
• A common text representation and protocol to
replace HTTP and the Ajax stack.
• Otherwise, the web may fall to newer
proprietary systems.
Meanwhile
• Never trust the browser.
• Formally validate everything you receive from the
browser.
• Properly encode everything you send to the browser
or database.
• Do not circumvent what little security the browser
offers.
• Never put data on the wire unless you want it to be
delivered.
• Don't take ineffective measures.
Be Rigorous
• Sloppiness aids the Enemy.
• Neatness counts.
• Use good encoders.
• Avoid concatenation.
• Be paranoid.
Turducken
