Client-side JavaScript Security Vulnerabilities: The Twilight Zone of Web Application Security
Ory Segal, Security Products Architect, Rational

Ory Segal: security products architect, Rational; AppScan product manager; Web Application Security Consortium officer; contributor (WASC, MITRE, NIST, OWASP); renowned application security expert.
From server to client side – The migration story of web application logic
1990: <HTML> - capable of presenting only text and hyperlinks
1993: <IMG> - embedded images in web pages (3rd party allowed)
1995: <SCRIPT> - JavaScript enables programmatic modifications to HTML
1996: <IFRAME> - embeds a page within a page (3rd party content); <EMBED> - embeds an Adobe Flash file for animation
1999: XHR - client-side API (e.g. JS) to send and receive HTTP traffic programmatically, without refreshing the entire page
2005: AJAX - fetch data asynchronously using XHR, reducing the time spent waiting on page loads; desktop app look and feel
2011: HTML5 & APIs - Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, …
Logic is Migrating from Server to Client… We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
Client-side JavaScript Security Issues
DOM-Based Cross-site Scripting
A type of XSS (the third type after "Reflected" and "Stored"). The application doesn't need to echo back user input as in Type I and Type II; instead we poison a DOM element that is used by JavaScript code.

Example: http://www.vuln.site/welcome.html?name=Ory

  <HTML>
  <TITLE>Welcome!</TITLE>
  Hi
  <SCRIPT>
    // takes everything after "name=" in the URL and writes it into the page unescaped
    var pos = document.URL.indexOf("name=") + 5;
    document.write(document.URL.substring(pos, document.URL.length));
  </SCRIPT> <BR/>
  Welcome to our system
  </HTML>

Source: document.URL
Sink: document.write()
Result: document.write("Ory")
DOM-Based Cross-site Scripting: Attack Example
http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>

Same welcome.html as on the previous slide.

Source: document.URL
Sink: document.write()
Result: document.write("<script>alert('hacked')</script>")

Hacker-controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc.
Stored DOM-Based Cross-Site Scripting: Exploiting the HTML5 localStorage API

Page that stores the name (register):

  ...
  var pos = document.URL.indexOf("name=") + 5;
  var yourName = document.URL.substring(pos, document.URL.length);
  yourName = decodeURI(yourName);      // the decoded value is what gets stored
  window.localStorage.name = yourName; // untrusted URL data persisted in storage
  ...

Page that displays it (welcome):

  ...
  <div id="header"></div>
  <script>
    var elem = document.getElementById("header");
    var name = window.localStorage.name;   // read back from storage, still untrusted
    elem.innerHTML = "Hello, " + name;     // markup sink
  </script>
  ...

Source: document.URL
Storage: window.localStorage.name
Sink: elem.innerHTML
Result: elem.innerHTML = <value_of_name_parameter>
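As an added example (not from the slides), the two flows above rebuilt as plain functions, each beside a hardened version, so they run under Node without a DOM; the fake-browser object, the helper names and the sample URLs are constructed for this example, only the source/sink pattern comes from the deck.

```javascript
// Added example, not from the slides: the welcome.html flow (document.URL ->
// document.write) and the localStorage flow (document.URL -> localStorage ->
// innerHTML) rebuilt as plain functions, each next to a hardened version.
// Helper names, the fake-browser object and the sample URLs are constructed
// for this example; only the source/sink pattern comes from the slides.

// Vulnerable extraction, as on the slide: everything after "name=" is taken
// raw, with no parsing, decoding or validation, and the fragment ("#...") is
// included. The fragment never leaves the browser, so server logs and a
// server-only scanner never see this payload. (Modern browsers percent-encode
// some fragment characters in document.URL; the strings used here are the
// slide's raw form.)
function extractNameUnsafe(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Hardened extraction: a real URL parser (query string only, the fragment is
// ignored), single percent-decoding, then an allow-list on the value.
function extractNameSafe(url) {
  const value = new URL(url).searchParams.get("name");
  if (value === null) return "";
  return /^[\p{L} '-]{1,40}$/u.test(value) ? value : "";
}

// Escape for the cases where the value really must be inserted as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the DOM objects the slides use (document.URL, document.write,
// window.localStorage, elem.innerHTML) so the flows run under Node; each sink
// simply records what reached it.
function makeFakeBrowser(url) {
  return {
    document: { URL: url, written: "", write(s) { this.written += s; } },
    localStorage: {},
    header: { innerHTML: "", textContent: "" },
  };
}

// welcome.html as shown on the slide: source document.URL, sink document.write().
function welcomeVulnerable(b) {
  b.document.write(extractNameUnsafe(b.document.URL));
  return b.document.written;
}

// Hardened welcome.html: parsed and allow-listed, and still escaped at the sink.
function welcomeHardened(b) {
  b.document.write(escapeHtml(extractNameSafe(b.document.URL)));
  return b.document.written;
}

// Stored variant as on the slide: the register page saves the raw value, the
// header script later renders it with innerHTML. The taint survives storage.
function registerVulnerable(b) {
  b.localStorage.name = decodeURI(extractNameUnsafe(b.document.URL));
}
function headerVulnerable(b) {
  b.header.innerHTML = "Hello, " + b.localStorage.name;
  return b.header.innerHTML;
}

// Hardened pair: validate on the way into storage AND treat storage as
// untrusted on the way out (another page on the same origin may have poisoned
// it), using a text sink instead of a markup sink.
function registerHardened(b) {
  b.localStorage.name = extractNameSafe(b.document.URL);
}
function headerHardened(b) {
  b.header.textContent = "Hello, " + String(b.localStorage.name ?? "");
  return b.header.textContent;
}
```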
So, how common are client-side JavaScript issues?
(Lack of) Statistics on Client-Side JS Issues
Two options for gathering statistics: automated discovery and manual discovery.
- Automated tools: dynamic analysis tools only uncover ~30%; static analysis tools struggle with dynamic code (AJAX).
- Manual code review is hell: have you seen JavaScript lately? (The slide shows a screenful of minified Dojo loader code.)
Introducing JavaScript Security Analyzer
What is JSA?
1st and only to auto-detect client-side issues such as:
- DOM-based XSS
- Phishing through Open Redirect
- HTML5 Notification API Phishing
- HTML5 Web Storage API Poisoning
- HTML5 Client-side SQL Injection
- HTML5 Client-side Stored XSS
- HTML5 Web Worker Script URL Manipulation
- Email Attribute Spoofing
Analysis capabilities shown on the slide: string de-obfuscation, HTML5 analysis, hybrid analysis.

Using JavaScript Security Analyzer: zero configuration required, super-simple, super-fast.

Viewing JSA Results in AppScan Standard (Scan Results): vulnerable URL and line of code; tainted data flow information.
Let's try again… How common are client-side JavaScript issues?

Using JSA we ran research on real sites: Fortune 500 and the 175 most popular sites. Non-obtrusive automated review; manually verified results. Scary outcome…

14.5% vulnerable
169,443 total pages; 90,929 unique pages; 1,659 pages with vulnerabilities
Likelihood for a web page to be vulnerable: 1 : 55
Who wrote these vulnerabilities? 62% in house, 38% 3rd party.
Examples:
- Flash embedding JavaScript snippets
- Social networking JavaScript snippets
- Deep linking JavaScript libraries for Flash and AJAX applications

- JavaScript is becoming prominent: modern applications, HTML5, AJAX, Web 2.0
- Application logic is shifting to the client side; more code == more vulnerabilities
- Vulnerabilities happen when code relies on parts of the DOM that are hacker-controlled
- Detection requires tedious manual work; AppScan with JSA can automate client-side issue detection

Q & A

Thank you. You can download the full whitepaper at: http://tinyurl.com/5w6koqj