Presentation is loading. Please wait.

Presentation is loading. Please wait.

AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo.

Published byEdmund Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo."— Presentation transcript:

1 AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo

2 2 About Me Helen Bravo Product Manager of Checkmarx Static Application Security Testing (AKA – Source Code Analysis)

3 3 Agenda Broken sandbox Same old XSS becomes a monster Watch out for your client side “I know where you were last summer”

4 4 HTML5 is booming Report released in August 2013 has shown that 153 of the Fortune 500 U.S. companies already implemented HTML5 on their corporate websites.Fortune 500

5 5 Some of the additions in HTML5 WEB storage WEB SQL database Indexed DB Application cache Web workers Web socket CORS Web messaging Sandbox attribute New HTTP headers Server sent events New and better semantic tags New form types Audio and video tags Canvas Inline SVG New onevent attributes Geolocation New CSS selectors New javascipt selectors Custom data-* attributes

6 6 The Sandbox Attribute

7 7 Same Origin Policy http://www.cnn.com/main main page “Change background to green” http://www.cnn.com/story1 Iframe same origin

8 8 Same Origin Policy http://www.cnn.com/main main page “Change background to green” http://www.fox.com Iframe different origin

9 9 SOP Same Origin Policy permits scripts running on pages originating from the same site based on combination of schemescheme, hostname, and port number [hostnameport number [

10 10 Markets Recent trend - markets of extensions Salesforce.com, Microsoft 365, etc… Extension is Javascript code written by a 3 rd party but hosted and delivered from the very same server So SOP doesn’t play well

11 11 Sandbox concept Sandbox concept? Sandbox is a hardening of the basic SOP – so that any content running in the sandboxed iframe is treated as if it comes from a different origin, and it gives fine-grained control over what restrictions apply.

12 12 Sandbox syntax Syntax Attribute Values ValueDescription ""Applies all restrictions below allow-same-originAllows the iframe content to be treated as being from the same origin as the containing document allow-top-navigationAllows the iframe content to navigate (load) content from the containing document allow-formsAllows form submission allow-scriptsAllows script execution

13 13 http://www.server.com http://www.server.com/iframe main page alert(1) 1 Iframe / same origin

14 14 http://www.server.com http://www.server.com/iframe main page alert(1) Sandboxed Iframe Default permissions Same Origin

15 15 http://www.server.com http://www.server.com/iframe main page alert(1) 1 Sandboxed Iframe Allowing Scripts and SOP(Same Origin)

16 16 http://www.server.com http://www.server.com/iframe main page top.navigate(…) Sandboxed Iframe Allowing Scripts and SOP(Same Origin)

17 17 http://www.server.com http://www.server.com/iframe main page top.find(myself) addPermission(myself, top_nav) Refresh() navigate(…) Sandboxed Iframe Allowing Scripts and SOP(Same Origin)

18 18 http://www.server.com Sandboxed Iframe Allowing Scripts, SOP(Same Origin) And Top Navigation http://www.server.com/iframe main page top.find(myself) addPermission(myself, top_nav) Refresh() Navigate(http://www.hacker.com) http://www.hacker.com

19 19 Don’t just count on Sanbox! Don’t assume that just because an iFrame is sandboxed, your code is secure. Avoid granting a sandboxed iFrame with scripting and SOP capabilities.

20 20 XSS - New Tricks, Old Dog How a single XSSed page can be used to take screenshots of other non-XSSed page ?

21 21 Monster XSS – Attack Steps Step A – Use Bookstore project Login page vulnerable to Reflected XSS to embed itself in an iframe http://server/page.aspx?xss= Iframe border (left visible for demo purposes)

22 22 Monster XSS – Attack steps Step B – The user logs in and browses the inside frame. The outer page remains the same while it’s scripts can access the inner’s data Iframe border (left visible for demo purposes) The user went to the admin page, but the URL is still the XSS’ed login page

23 23 The attacker gets set of pictures representing all user activity( yes, including user name and password!) Monster XSS – The result

24 24 Monster XSS – The technique HTML5 introduced the concept of Canvas, which can be used to take screenshots What is Canvas? (w3schools) The HTML5 element is used to draw graphics, on the fly, via scripting (usually JavaScript).

25 25 Monster XSS – The technique Html2canvas - open-source script which builds screenshots based on DOM information. We modify it a bit – to reveal passwords

26 26 Monster XSS – The technique Modified HTML2Canvas runs at the outer page and every 2 seconds takes screenshots of the iframe XSS that takes base64 screenshots

27 27 Monster XSS – The technique

28 28 New Tricks, Old Dog Live – Just an XSS http://localhost/bookstore/Login.aspx?name= alert('hi') – Sticky http://localhost/bookstore/Login.aspx?Name= http://localhost/bookstore/Login.aspx?Name=<iframe src="http://localhost/bookstore/login.aspx" width="100%" height="100%“> – Now, we can use a component called HTML2Canvas to take screenshots http://localhost/bookstore/TakePicture.js – This gives the following: http://localhost/bookstore/Login.aspx?Name= http://localhost/bookstore/Login.aspx?Name=<script src='http://localhost/bookstore/hijackpage.js'> – But we can further manipulate the component to even…. (Login page)

29 29 Monster XSS – bottom line So, what can I do ? Get rid of XSS!!!

30 30 Web Socket WebSocket – allows persistent connection between the client and the server, when both parties can start sending data at any time.

31 31 New Tricks, Old Dog Now we will see how an XSS can be used as an agent to map the structure of a network behind a firewall Super-charged XSS – Advanced port scanning (WebSockets) http://www.andlabs.org/tools/jsrecon.html

32 32 Super-charged XSS http://www.andlabs.org/tools/jsrecon.html

33 33 Websoket – Fast and efficient network mapping process – Firewall bypass into organization.

34 34 Packman - winning the odds Client site business logic helps to gain efficiency. Efficiency brings along security costs.

35 35 Packman Demo

36 36 Packman – recommendations Don’t trust the client: validate user input! Do not ever store business logic on the client!

37 37 A Variant of Clickjaking How to turn on user’s camera while the victim actively agrees without even noticing?

38 38 A Variant of Clickjaking Demo http://localhost/bookstore/k2.html

39 39 A Variant of Clickjaking For attacks focused on social engineering There is only one solution Awareness

40 40 Summary HTML5 brings enhancements to Web development …which comes with some great enhancements to security vulnerabilities

41 41 Thank you! Helen Bravo helen.bravo@checkmarx.com

Download ppt "AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo."

Similar presentations

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Warning Ahead: Security Storms are Brewing in Your JavaScript Yuval Idan, Technical Director, APAC Checkmarx

Warning Ahead: Security Storms are Brewing in Your JavaScript Yuval Idan, Technical Director, APAC Checkmarx
Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.

Warning Ahead: Security Storms are Brewing in Your JavaScript Maty Siman.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Creating Web Page Forms

Creating Web Page Forms
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
 What I hate about you things people often do that hurt their Web site’s chances with search engines.

 What I hate about you things people often do that hurt their Web site’s chances with search engines.
Forms, Validation Week 7 INFM 603. Announcements Try placing today’s example in htdocs (XAMPP). This will allow you to execute examples that rely on PHP.

Forms, Validation Week 7 INFM 603. Announcements Try placing today’s example in htdocs (XAMPP). This will allow you to execute examples that rely on PHP.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.
HTML 5 New Standardization of HTML. I NTRODUCTION HTML5 is The New HTML Standard, New Elements New Attributes Full CSS3 Support Video and Audio 2D/3D.

HTML 5 New Standardization of HTML. I NTRODUCTION HTML5 is The New HTML Standard, New Elements New Attributes Full CSS3 Support Video and Audio 2D/3D.
Josh

Josh
DHTML. What is DHTML?  DHTML is the combination of several built-in browser features in fourth generation browsers that enable a web page to be more.

DHTML. What is DHTML?  DHTML is the combination of several built-in browser features in fourth generation browsers that enable a web page to be more.

Similar presentations

Ads by Google