Be Afraid, Be Very Afraid
JavaScript Security, XSS, CSRF and Clickjacking
Mark Stanton - Gruden
Definitions
•  XSS – Cross Site Scripting
•  CSRF – Cross Site Request Forgery
Cross Site Scripting
Cross Site Scripting: MySpace
How Samy became very popular
Samy’s script made everyone who viewed his profile:
•  Add him as a friend
•  Embed the script in their profiles
How did it work?
<div id="mycode" style="background:url('java
script:eval(document.all.mycode.expr)')" expr="...lots of JS here...">

•  JS inside CSS URL
•  Line break in the word “javascript”
•  Evaluation of an expression
Cross Site Scripting
What is Cross Site Scripting?
•  Untrusted data enters the system
    –  URL, Form or Cookie data
    –  HTTP Header
    –  Syndicated feed
    –  other offline system
•  Data then presented to the user & executed in their browser
•  Interferes with the intended interaction between a user and a site
Cross Site Scripting
How is it possible?
•  Browser environment is insecure by design
    –  Multiple contexts, multiple parsers
         –  XML, HTML, CSS, JavaScript, DOM, Cookie, URI, VBScript
         –  All interacting in semi-structured ways
•  This is what makes AJAX and Web 2.0 mash-ups so powerful
Cross Site Scripting
Context Switching
•  HTML to JS
    <script>alert('XSS')</script>
    <body onload=alert('XSS')>

•  URL to JS
    <iframe src=javascript:alert('XSS')>

•  CSS to JS
    background:url(javascript:alert('XSS'))
Cross Site Scripting
Same-origin Policy
•  Prevents a document from one site setting or getting properties of a document from another
•  Same origin means same protocol, port and host
•  So if I frame another site - I can’t modify or read it
Cross Site Scripting
But...
•  Included JS runs in the context of the current page
•  Scripts running in the page context have “root” access to a site
Cross Site Scripting
What can happen if an attacker gets a script on your page?
•  Perform action against website as if they are the user
•  Read the contents of pages and cookies
•  Control the display & show fake content to user
•  Send information to any server in the world
•  Request additional scripts from anywhere
Cross Site Scripting
What can happen if an attacker gets a script on your page?
•  SSL is no protection
•  Logins are no protection
Cross Site Scripting: Demo
What happened?
•  Cookies stolen
•  Interface vandalised
•  Users prompted to download malware
•  DB poisoned - other users affected
Cross Site Request Forgery
Cross Site Request Forgery: GMail
GMail vulnerability used to steal a domain
•  User visits an evil site while logged into GMail
•  Evil site POSTs to GMail, creating a new filter
•  Filter forwards all mail to the attacker and deletes it
•  Attacker initiates the domain transfer process
Cross Site Request Forgery
Session riding
•  Uses persistent sessions to execute actions against a service
•  Many Web 2.0 services are vulnerable
Clickjacking
Clickjacking
UI Redressing
•  User is tricked into inadvertent actions
    –  A dummy button is shown, then the target page is loaded over the top in a transparent iframe
    –  User thinks they are clicking the dummy button, but they are interacting with a site they can’t see
Clickjacking: Twitter
Don’t Click
•  Mischievous page loads a transparent iframe containing a Twitter post
•  User is shown a button saying “Don’t Click”
•  Click takes place in the iframe and results in a tweet being sent
•  Grows exponentially
•  Twitter implements frame buster
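The frame buster referred to here (and again under “Use frame busting scripts” in the Solutions section), written as an added example rather than Twitter’s actual code. It takes the window object as a parameter so the same logic can be exercised outside a browser; in a page you would call installFrameBuster(window). The fake window objects are constructed for the example.

```javascript
// Added example, not from the deck or from Twitter. A page detects that it has
// been framed by comparing its own window with the top-level browsing context,
// and breaks out by navigating the top-level window to itself.

function isFramed(win) {
  // window.top is the outermost window; if it is not this window, we are in a frame.
  return win.top !== win.self;
}

function installFrameBuster(win) {
  if (!isFramed(win)) {
    return false;                      // top-level page, nothing to do
  }
  // Setting top.location is permitted even cross-origin; reading it is not.
  win.top.location = win.self.location.href;
  return true;                         // we redirected the top window
}

// Constructed stand-ins for a framed and an unframed window, for demonstration.
function makeFramedWindow(href) {
  const self = { location: { href } };
  const top = { location: null };      // the framing (attacker-controlled) page
  return { top, self };
}

function makeTopLevelWindow(href) {
  const self = { location: { href } };
  return { top: self, self };
}
```

Script-based busting is the fallback, not the primary control: browsers since this talk have added the X-Frame-Options response header and the CSP frame-ancestors directive, which the server sets and a framing page cannot interfere with.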
Solutions
Solutions
Sanitise Input
•  Whitelists
    –  Allow <strong>, <em> and <br> only
    –  Does help, but not 100%
•  Blacklists
    –  Block <script> and friends
    –  Extremely common attack vector
    –  Extremely difficult to block most attacks
    –  Coldfusion’s XSS protection = FAIL!
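To make the whitelist-versus-blacklist point concrete, here is an added example (not code from the deck) that runs a “block <script> and friends” blacklist and a strict “<strong>, <em>, <br> only” whitelist over the same constructed inputs, one of which mirrors the MySpace payload quoted earlier. The regexes, allowed-tag set and sample strings are this example’s assumptions.

```javascript
// Added example, not from the deck. Blacklist and whitelist sanitisers side by side.

// Blacklist: block "<script> and friends". It can only catch what it lists.
const BLACKLIST = [/<script/i, /javascript:/i, /\bon\w+\s*=/i];

function blacklistSanitise(html) {
  return BLACKLIST.some((re) => re.test(html)) ? '' : html;
}

// Whitelist: only <strong>, <em> and <br> survive, re-emitted without attributes.
// Every other tag is dropped, and all text between tags is HTML-escaped.
const ALLOWED_TAGS = new Set(['strong', 'em', 'br']);

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

function whitelistSanitise(html) {
  // A tag runs from '<' to the next '>'. If an attribute value contains '>',
  // the remainder is treated as text and escaped, which is the safe direction.
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    const name = m[2].toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      out += m[1] === '/' ? `</${name}>` : `<${name}>`;   // attributes discarded
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed sample inputs. The first has the line break inside "javascript"
// and the CSS url() vector from the MySpace example, so the blacklist misses it.
const SAMPLE_INPUTS = {
  myspaceStyle: '<div id="mycode" style="background:url(\'java\nscript:eval(document.all.mycode.expr)\')" expr="alert(\'XSSed\')">',
  eventHandler: '<strong onmouseover="steal()">hi</strong>',
  benign: '<em>ok</em> & <br>',
};
```

The blacklist passes the MySpace-style string untouched because none of its three patterns fire, which is the “extremely difficult to block most attacks” point; the whitelist drops the whole <div> and also strips the onmouseover handler from an otherwise-allowed <strong>, which is why it “does help”.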
Solutions
Escape Output
•  HTML Entity Encoding - HTMLEditFormat()
•  Doesn’t always work
    –  In <script>
    –  In onmouseover=
    –  In CSS
    –  In URLs
•  Need to be aware of your context
Solutions
The OWASP ESAPI
•  5 Rules for escaping output
    #1 - HTML Escape before inserting into element content
    #2 - Attribute Escape before inserting into attributes
    #3 - JavaScript Escape before inserting into JavaScript data values
    #4 - CSS Escape before inserting into style property values
    #5 - URL Escape before inserting into URL attributes
•  Java API that implements these rules
•  100% safe?
Solutions
The OWASP ESAPI
<cfset ESAPI = createObject('Java','org.owasp.esapi.ESAPI')>

<cfsavecontent variable="evilString">
<div id="mycode" style="background:url('java
script:eval(document.all.mycode.expr)')" expr="alert('XSSed')">
</cfsavecontent>

<cfoutput>
#evilString#
#ESAPI.encoder().encodeForHTML(evilString)#
#ESAPI.encoder().encodeForHTMLAttribute(evilString)#
#ESAPI.encoder().encodeForCSS(evilString)#
#ESAPI.encoder().encodeForJavascript(evilString)#
#ESAPI.encoder().encodeForURL(evilString)#
</cfoutput>
Solutions
Minimise Attack Surface
•  Don’t allow GET to modify data
•  Strict server-side validation of all input
•  Check referrer
•  Use transaction tokens or “crumbs” - derived from timestamp & user id
•  Double submit cookies
•  Use frame busting scripts
•  Short session timeouts / in-memory cookies
Solutions
Design for a breach
•  Assume some portion of your users’ accounts will be hijacked at some point
•  What if a user’s email account is hacked?
•  Forgotten password functions should use secret question
•  Two factor authentication where appropriate
•  Can you rollback or recover?
•  Do you have an audit trail?
Solutions
Think very carefully about 3rd party scripts
•  Google Analytics
•  Hosted Libraries
•  Digg
•  AddThis

Would you give Telstra the keys to your house?
What about your cleaner?
Solutions
Must allow untrusted 3rd party JavaScript?
Use safe sub-sets:
•  Adsafe
•  Caja
Solutions
Browsers are getting better
•  Many exploits depend on bugs in browser parsers
•  Holes are being rapidly closed
•  IE6 is still horribly broken and has market share
Using Flash and PDF?
They each have their own issues to consider
•  Certain versions of Acrobat Reader have serious vulnerabilities
    http://path/to/pdf/file.pdf#foo=javascript:code_here

•  Flash also has some potential weak points:
    <cross-domain-policy>
       <allow-access-from domain="*"/>
    </cross-domain-policy>
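A check for the weak Flash policy shown above, as an added example that is not part of the deck. It parses the allow-access-from elements of a crossdomain.xml and reports a wildcard domain, a wildcard subdomain, or secure="false" (domain and secure are the real attribute names of that element). The sample policies are constructed.

```javascript
// Added example, not from the deck. Audits a crossdomain.xml for the settings
// that hand cross-domain read access to every site. Regex-based on purpose:
// the file is small and flat, and this runs with no dependencies.

function parseAllowAccessFrom(xml) {
  // Collect each <allow-access-from .../> with its domain and secure attributes.
  const entries = [];
  const elementRe = /<allow-access-from\b([^>]*)\/?>/gi;
  let m;
  while ((m = elementRe.exec(xml)) !== null) {
    const attrs = m[1];
    const domain = (/domain\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1];
    const secure = (/secure\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1];
    entries.push({
      domain,
      // secure defaults to true; only an explicit "false" turns it off.
      secure: secure === undefined ? true : secure.toLowerCase() !== 'false',
    });
  }
  return entries;
}

function auditCrossDomainPolicy(xml) {
  const findings = [];
  for (const e of parseAllowAccessFrom(xml)) {
    if (e.domain === '*') {
      findings.push('wildcard domain: any site can make requests with the user\'s cookies and read the responses');
    } else if (e.domain && e.domain.startsWith('*.')) {
      findings.push(`wildcard subdomain ${e.domain}: every host under it is trusted`);
    }
    if (!e.secure) {
      findings.push(`secure="false" for ${e.domain}: content served over HTTP may access this HTTPS site`);
    }
  }
  return findings;
}

// Constructed sample policies: the weak one from the slide, a tight one, and a mixed one.
const SAMPLE_POLICIES = {
  weak: '<cross-domain-policy>\n  <allow-access-from domain="*"/>\n</cross-domain-policy>',
  tight: '<cross-domain-policy>\n  <allow-access-from domain="static.example.test"/>\n</cross-domain-policy>',
  mixed: '<cross-domain-policy>\n  <allow-access-from domain="*.example.test" secure="false"/>\n</cross-domain-policy>',
};
```

The safe shape of the file is the tight sample: named hosts only, secure left at its default, and the file served only where cross-domain access is actually needed.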
Conclusion
•  A lot of responsibility lies with developers
•  Use a holistic, multi-pronged approach
Thanks
Links
•  http://blog.gruden.com/category/js-security
•  http://delicious.com/markstanton/js-security
•  http://twitter.com/MarkStanto




Thanks to pierre_tourigny (http://www.flickr.com/photos/pierre_tourigny/367078204/)

Más contenido relacionado

La actualidad más candente

C E N T R A R E L´ I M M A G G I N E
C E N T R A R E  L´ I M M A G G I N EC E N T R A R E  L´ I M M A G G I N E
C E N T R A R E L´ I M M A G G I N Eguest70f0f3dc
 
Web Unleashed '19 - Measuring the Adoption of Web Performance Techniques
Web Unleashed '19 - Measuring the Adoption of Web Performance TechniquesWeb Unleashed '19 - Measuring the Adoption of Web Performance Techniques
Web Unleashed '19 - Measuring the Adoption of Web Performance TechniquesPaul Calvano
 
Real howto vbs
Real howto vbsReal howto vbs
Real howto vbsChris x-MS
 
WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008mvitor
 
JS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJSFestUA
 
2009-09-11 / YAPC::Asia 2009
2009-09-11 / YAPC::Asia 20092009-09-11 / YAPC::Asia 2009
2009-09-11 / YAPC::Asia 2009IWATA Susumu
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Fleet Hub for AWS IoT Device Management のご紹介
Fleet Hub for AWS IoT Device Management のご紹介Fleet Hub for AWS IoT Device Management のご紹介
Fleet Hub for AWS IoT Device Management のご紹介Amazon Web Services Japan
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersSaumil Shah
 
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)Nicholas Zakas
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Cryptohannob
 
Owasp for dummies handouts
Owasp for dummies handoutsOwasp for dummies handouts
Owasp for dummies handoutsBCC
 

La actualidad más candente (19)

C E N T R A R E L´ I M M A G G I N E
C E N T R A R E  L´ I M M A G G I N EC E N T R A R E  L´ I M M A G G I N E
C E N T R A R E L´ I M M A G G I N E
 
Web Unleashed '19 - Measuring the Adoption of Web Performance Techniques
Web Unleashed '19 - Measuring the Adoption of Web Performance TechniquesWeb Unleashed '19 - Measuring the Adoption of Web Performance Techniques
Web Unleashed '19 - Measuring the Adoption of Web Performance Techniques
 
Real howto vbs
Real howto vbsReal howto vbs
Real howto vbs
 
WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008
 
JS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackers
 
2009-09-11 / YAPC::Asia 2009
2009-09-11 / YAPC::Asia 20092009-09-11 / YAPC::Asia 2009
2009-09-11 / YAPC::Asia 2009
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
AWS IoT Greengrass V2 の紹介
AWS IoT Greengrass V2 の紹介AWS IoT Greengrass V2 の紹介
AWS IoT Greengrass V2 の紹介
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Makezine
MakezineMakezine
Makezine
 
Fleet Hub for AWS IoT Device Management のご紹介
Fleet Hub for AWS IoT Device Management のご紹介Fleet Hub for AWS IoT Device Management のご紹介
Fleet Hub for AWS IoT Device Management のご紹介
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, Browsers
 
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011)
 
High-Quality JavaScript
High-Quality JavaScriptHigh-Quality JavaScript
High-Quality JavaScript
 
Augmの裏側
Augmの裏側Augmの裏側
Augmの裏側
 
Crypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Crypto
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Owasp for dummies handouts
Owasp for dummies handoutsOwasp for dummies handouts
Owasp for dummies handouts
 

Destacado

[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksRuss McRee
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRFPotato
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 

Destacado (14)

[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRF
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 

Similar a JavaScript Security Risks XSS CSRF Clickjacking

High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)Stoyan Stefanov
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendWide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendMySQLConference
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAsjohnwilander
 
Performance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScriptPerformance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScriptjeresig
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptYusuf Motiwala
 
Basics of Rich Internet Applications
Basics of Rich Internet ApplicationsBasics of Rich Internet Applications
Basics of Rich Internet ApplicationsSubramanyan Murali
 
Jazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript librariesJazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript librariesSimon Willison
 
yusukebe in Yokohama.pm 090909
yusukebe in Yokohama.pm 090909yusukebe in Yokohama.pm 090909
yusukebe in Yokohama.pm 090909Yusuke Wada
 
Webspam (English Version)
Webspam (English Version)Webspam (English Version)
Webspam (English Version)Dirk Haun
 
Comet: an Overview and a New Solution Called Jabbify
Comet: an Overview and a New Solution Called JabbifyComet: an Overview and a New Solution Called Jabbify
Comet: an Overview and a New Solution Called JabbifyBrian Moschel
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie StealingSecurityTube.Net
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Rails Deployment with NginX
Rails Deployment with NginXRails Deployment with NginX
Rails Deployment with NginXStoyan Zhekov
 

Similar a JavaScript Security Risks XSS CSRF Clickjacking (20)

High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)
 
Practical Web Attacks
Practical Web AttacksPractical Web Attacks
Practical Web Attacks
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portals
 
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service BackendWide Open Spaces Using My Sql As A Web Mapping Service Backend
Wide Open Spaces Using My Sql As A Web Mapping Service Backend
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAs
 
Performance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScriptPerformance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScript
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
 
Basics of Rich Internet Applications
Basics of Rich Internet ApplicationsBasics of Rich Internet Applications
Basics of Rich Internet Applications
 
Jazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript librariesJazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
Jazz up your JavaScript: Unobtrusive scripting with JavaScript libraries
 
yusukebe in Yokohama.pm 090909
yusukebe in Yokohama.pm 090909yusukebe in Yokohama.pm 090909
yusukebe in Yokohama.pm 090909
 
SEASR Installation
SEASR InstallationSEASR Installation
SEASR Installation
 
Webspam (English Version)
Webspam (English Version)Webspam (English Version)
Webspam (English Version)
 
Comet: an Overview and a New Solution Called Jabbify
Comet: an Overview and a New Solution Called JabbifyComet: an Overview and a New Solution Called Jabbify
Comet: an Overview and a New Solution Called Jabbify
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Rails Deployment with NginX
Rails Deployment with NginXRails Deployment with NginX
Rails Deployment with NginX
 
Javascript
JavascriptJavascript
Javascript
 

Último

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Último (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

JavaScript Security Risks XSS CSRF Clickjacking

  • 1. Be Afraid, Be Very Afraid JavaScript Security, XSS, CSRF and Clickjacking Mark Stanton - Gruden
  • 2. Definitions •  XSS – Cross Site Scripting •  CSRF – Cross Site Request Forgery
  • 4. Cross Site Scripting: MySpace How Samy became very popular Samy’s script made everyone who viewed his profile: •  Add him as a friend •  Embed the script in their profiles
  • 10. Cross Site Scripting: MySpace How did it work?
    <div id="mycode" style="background:url('java
    script:eval(document.all.mycode.expr)')" expr="...lots of JS here..." >
    •  JS inside CSS URL •  Line break in the word “javascript” •  Evaluation of an expression
  • 11. Cross Site Scripting What is Cross Site Scripting? •  Untrusted data enters the system –  URL, Form or Cookie data –  HTTP Header –  Syndicated feed –  other offline system •  Data then presented to the user & executed in their browser •  Interferes with the intended interaction between a user and a site
  • 12. Cross Site Scripting How is it possible? •  Browser environment is insecure by design –  Multiple contexts, multiple parsers –  XML, HTML, CSS, JavaScript, DOM, Cookie, URI, VBScript –  All interacting in semi-structured ways •  This makes AJAX and Web 2.0 Mash ups so powerful
  • 13. Cross Site Scripting Context Switching
    •  HTML to JS
    <script>alert('XSS')</script>
    <body onload=alert('XSS')>
    •  URL to JS
    <iframe src=javascript:alert('XSS')>
    •  CSS to JS
    background:url(javascript:alert('XSS'))
  • 14. Cross Site Scripting Same-origin Policy •  Prevents document from one site setting or getting properties of a document from another •  Same origin means same protocol, port and host •  So if I frame another site - I can’t modify or read it
  • 15. Cross Site Scripting But... •  Included JS runs in the context of the current page •  Scripts running in the page context have “root” access to a site
  • 16. Cross Site Scripting What can happen if an attacker gets a script on your page? •  Perform action against website as if they are the user •  Read the contents of pages and cookies •  Control the display & show fake content to user •  Send information to any server in the world •  Request additional scripts from anywhere
  • 17. Cross Site Scripting What can happen if an attacker gets a script on your page? •  SSL is no protection •  Logins are no protection
  • 34. Cross Site Scripting: Demo What happened? •  Cookies stolen •  Interface vandalised •  Users prompted to download malware •  DB poisoned - other users affected
  • 36. Cross Site Request Forgery: GMail GMail vulnerability used to steal a domain •  Visits evil site while logged into GMail •  Evil site POSTs to GMail creating a new filter •  Filter forwards all mail to attacker and deletes mail •  Attacker initiates domain transfer process
  • 37. Cross Site Request Forgery Session riding •  Uses persistent sessions to execute actions against a service •  Many Web 2.0 services are vulnerable
  • 39. Clickjacking UI Redressing •  User is tricked into inadvertent actions –  A dummy button is shown, then target page is loaded over the top in a transparent iframe –  User thinks they are clicking the dummy button, but are interacting with a site they can’t see
  • 40. Clickjacking: Twitter Don’t Click •  Mischievous page loads transparent iframe containing Twitter post •  User shown a button saying “Don’t Click” •  Click takes place in iframe and results in tweet being sent •  Grows exponentially •  Twitter implements frame buster
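The two layers a defender would put behind the "frame buster" the Twitter slide mentions, as an added example that is not code from the talk: response headers that tell the browser who may frame the page (the primary control; a JavaScript buster alone can be bypassed), and a buster written against a window-like object so it can be exercised outside a browser. The `antiClickjack` style id and the origins used are assumptions.

```javascript
// Added example (not from the talk). Two layers against UI redressing.

// Layer 1: anti-framing response headers.
// allowedParents = []        -> nobody may frame the page
// allowedParents = ['self']  -> only our own origin
// otherwise                  -> a list of trusted origins (CSP only; XFO can't list them)
function antiFramingHeaders(allowedParents = []) {
  if (allowedParents.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (allowedParents.length === 1 && allowedParents[0] === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  const sources = allowedParents.map(p => (p === 'self' ? "'self'" : p)).join(' ');
  return { 'Content-Security-Policy': `frame-ancestors ${sources}` };
}

// Layer 2: frame buster. The page ships hidden via
//   <style id="antiClickjack">body { display: none; }</style>   (assumed id)
// and only reveals itself when it is the top-level window; when framed it
// navigates the top window to itself. In a real page call bustFrames(window).
// `win` needs .top, .self, .location and .document; returns what it did.
function bustFrames(win) {
  if (win.top === win.self) {
    const hide = win.document.getElementById('antiClickjack');
    if (hide) hide.remove();            // not framed: show the page
    return 'not-framed';
  }
  // Framed by someone else: break out. String() gives the href of a Location.
  win.top.location = String(win.self.location);
  return 'busted';
}
```

Serve the headers on every HTML response, not only on pages with buttons; the buster is a fallback for browsers that ignore the headers.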
  • 42. Solutions Sanitise Input •  Whitelists –  Allow <strong>, <em> and <br> only –  Does help, but not 100% •  Blacklists –  Block <script> and friends –  Extremely common attack vector –  Extremely difficult to block most attacks –  ColdFusion’s XSS protection = FAIL!
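One way to implement the `<strong>`, `<em>`, `<br>` whitelist from this slide without the usual blacklist pitfalls, as an added example (not the speaker's code): escape everything first, then restore only the exact attribute-free tag tokens. Because nothing but those literal strings is ever un-escaped, a `<strong onclick=...>` variant never makes it through. It still only addresses element content, which is why the escaping rules on the later slides are also needed.

```javascript
// Added example (not from the talk): allowlist sanitiser that works by
// escaping all input and then un-escaping only exact, attribute-free tags.
const ALLOWED_TAGS = ['strong', 'em', 'br'];

// Escape the five characters that matter in HTML element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function sanitiseAllowlist(input) {
  let out = escapeHtml(input);
  for (const tag of ALLOWED_TAGS) {
    // Only the bare lowercase open and close forms are restored. A tag that
    // carries attributes, or one the user typed already-escaped, stays text.
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`);
    out = out.split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}
```

This is deliberately stricter than a parser-based allowlist: uppercase `<BR>` or `<br/>` are not restored, which is the safe side to fail on for user comments.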
  • 43. Solutions Escape Output •  HTML Entity Encoding - HTMLEditFormat() •  Doesn’t always work –  In <script> –  In onmouseover= –  In CSS –  In URLs •  Need to be aware of your context
  • 44. Solutions The OWASP ESAPI •  5 Rules for escaping output #1 - HTML Escape before inserting into element content #2 - Attribute Escape before inserting into attributes #3 - JavaScript Escape before inserting into JavaScript data values #4 - CSS Escape before inserting into style property values #5 - URL Escape before inserting into URL attributes •  Java API that implements these rules •  100% safe?
  • 45. Solutions The OWASP ESAPI
    <cfset ESAPI = createObject('Java','org.owasp.esapi.ESAPI')>
    <cfsavecontent variable="evilString">
    <div id="mycode" style="background:url('java
    script:eval(document.all.mycode.expr)')" expr="alert('XSSed')">
    </cfsavecontent>
    <cfoutput>
    #evilString#
    #ESAPI.encoder().encodeForHTML(evilString)#
    #ESAPI.encoder().encodeForHTMLAttribute(evilString)#
    #ESAPI.encoder().encodeForCSS(evilString)#
    #ESAPI.encoder().encodeForJavascript(evilString)#
    #ESAPI.encoder().encodeForURL(evilString)#
    </cfoutput>
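The five ESAPI rules from slides 43 to 45 written out in JavaScript, as an added example that is my own implementation of the rules and not ESAPI's code. It also shows the failure slide 43 warns about: inside `onmouseover=` the HTML parser entity-decodes the attribute value before the JavaScript engine sees it, so HTML-entity encoding alone (rule #1) hands the original quote straight back to the script, while JavaScript-escaping first and attribute-escaping second (the value sits in two nested contexts) keeps it inert. The `show(...)` handler name is an assumption.

```javascript
// Added example: my own implementation of the five ESAPI output-escaping
// rules, not ESAPI's code, plus a demonstration of nested contexts.

// Rule #1: element content. Only these five characters need entities.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Rule #2: attribute values. Everything non-alphanumeric becomes an entity,
// so the value is inert even in an unquoted attribute.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => `&#x${c.codePointAt(0).toString(16)};`);
}

// Rule #3: JavaScript data values placed inside a quoted string literal.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return `\\u{${cp.toString(16)}}`;
  });
}

// Rule #4: CSS property values. \HH escape terminated by a space.
function encodeForCSS(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => '\\' + c.codePointAt(0).toString(16) + ' ');
}

// Rule #5: URL parameter values.
function encodeForURL(s) {
  return encodeURIComponent(String(s));
}

// Stand-in for the HTML parser: attribute values are entity-decoded BEFORE the
// JavaScript engine sees them. This is what defeats rule #1 inside onmouseover=.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&#x([0-9a-f]+);|&(amp|lt|gt|quot);/gi,
    (m, hex, name) => (hex ? String.fromCodePoint(parseInt(hex, 16)) : named[name.toLowerCase()]));
}

// What the JS engine receives for onmouseover="show('<untrusted>')" when only
// HTML-entity encoding was applied: the quote comes back and ends the literal.
function handlerSeesWithHtmlEncoding(untrusted) {
  return decodeEntities(`show('${encodeForHTML(untrusted)}')`);
}

// Same attribute with rule #3 applied first and rule #2 applied on top:
// after entity decoding the engine sees only \xHH sequences inside one literal.
function handlerSeesWithContextEncoding(untrusted) {
  return decodeEntities(`show('${encodeForHTMLAttribute(encodeForJavaScript(untrusted))}')`);
}
```

The order matters: encode for the innermost context (JavaScript) first, then for the context that wraps it (the HTML attribute), because the browser undoes the layers in the opposite order.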
  • 46. Solutions Minimise Attack Surface •  Don’t allow GET to modify data •  Strict server-side validation of all input •  Check referrer •  Use transaction tokens or “crumbs” - derived from timestamp & user id •  Double submit cookies •  Use frame busting scripts •  Short session timeouts / in-memory cookies
  • 47. Solutions Design for a breach •  Assume some portion of your users’ accounts will be hijacked at some point •  What if a user’s email account is hacked? •  Forgotten password functions should use secret question •  Two factor authentication where appropriate •  Can you rollback or recover? •  Do you have an audit trail?
  • 48. Solutions Think very carefully about 3rd party scripts •  Google Analytics •  Hosted Libraries •  Digg •  AddThis Would you give Telstra the keys to your house? What about your cleaner?
  • 49. Solutions Must allow untrusted 3rd party JavaScript? Use safe sub-sets: •  ADsafe •  Caja
  • 50. Solutions Browsers are getting better •  Many exploits depend on bugs in browser parsers •  Holes are being rapidly closed •  IE6 is still horribly broken and has market share
  • 51. Using Flash and PDF? They each have their own issues to consider •  Certain versions of Acrobat Reader have serious vulnerabilities
    http://path/to/pdf/file.pdf#foo=javascript:code_here
    •  Flash also has some potential weak points:
    <cross-domain-policy>
    <allow-access-from domain="*"/>
    </cross-domain-policy>
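A small audit function for the Flash policy file on this slide, added as an example that is not from the talk: it flags the `domain="*"` wildcard shown above (any site's SWF may then make requests to the host with the user's cookies and read the responses), subdomain wildcards, `secure="false"` on an HTTPS host, and a wildcard `allow-http-request-headers-from`. Both sample policies are constructed; the corrected one names a single host and restricts policy files with `site-control`.

```javascript
// Added example (not from the talk): flag over-permissive crossdomain.xml rules.
// Constructed sample policies:
const WEAK_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>`;

const TIGHT_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>`;

function attr(attrs, name) {
  const m = attrs.match(new RegExp(`${name}\\s*=\\s*"([^"]*)"`));
  return m ? m[1] : undefined;
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditCrossDomainPolicy(xml) {
  const findings = [];
  const rule = /<allow-access-from\b([^>]*)>/g;
  let m;
  while ((m = rule.exec(xml)) !== null) {
    const domain = attr(m[1], 'domain') ?? '';
    const secure = attr(m[1], 'secure');
    if (domain === '*') {
      findings.push('domain="*": any site may read responses with the user\'s cookies');
    } else if (domain.startsWith('*.')) {
      findings.push(`domain="${domain}": every host under that suffix is trusted`);
    }
    if (secure === 'false') {
      findings.push(`secure="false" for ${domain}: plain-HTTP SWFs may reach this HTTPS host`);
    }
  }
  if (/<allow-http-request-headers-from\b[^>]*domain\s*=\s*"\*"/.test(xml)) {
    findings.push('allow-http-request-headers-from domain="*": any site may send custom headers');
  }
  return findings;
}
```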
  • 52. Conclusion •  A lot of responsibility lies with developers •  Use a holistic, multi-pronged approach
  • 53. Thanks Links •  http://blog.gruden.com/category/js-security •  http://delicious.com/markstanton/js-security •  http://twitter.com/MarkStanto Thanks to pierre_tourigny (http://www.flickr.com/photos/pierre_tourigny/367078204/)