SlideShare a Scribd company logo

A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript

Achim D. Brucker
Achim D. Brucker

The document outlines security challenges in JavaScript applications, including examples from SAP UI5, Apache Cordova, and HANA XS Engine. It discusses common vulnerabilities like cross-site scripting, insecure functions, and secrets stored in source code. Specific issues addressed include prototype-based inheritance risks in SAP UI5, the JavaScript to Java bridge in Cordova exposing more than intended, and SQL injection risks in HANA XS Engine applications. The goal is to help detect security problems during development for these application types.

Technology
1 of 19
Download to read offline
A Collection of Real World (JavaScript) Security Problems Examples from 21/2 Applications Areas of JavaScript Achim D. Brucker achim.brucker@sap.com SAP AG, Central Code Analysis Team July 2, 2014
A Collection of Real World (JavaScript) Security Problems Abstract JavaScript is gaining more and more popularity as an implementation language for various applications types such as Web applications (client-side), mobile applications, or server-side applications. We outline a few security challenges that need to be prevented in such applications and, thus, for which there is a demand for analysis methods that help to detect them during during development. © 2014 SAP AG. All Rights Reserved. Page 2 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 3 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 4 of 18
What We Want to Find Programming Patterns That May Cause Security Vulnerabilities Mainly two patterns Local issues (no data-flow dependency), e. g., • Insecure functions 1 var x = Math.random(); • Secrets stored in the source code 1 var password = ’secret’; Data-flow related issues, e. g., • Cross-site Scripting (XSS) 1 var docref = document.location.href; 2 var input = docref.substring( 3 docref.indexOf("default=")+8); 4 var fake = function (x) {return x;} 5 var cleanse = function (x) { 6 return ’hello world’;} 7 document.write(fake(input)); 8 document.write(cleanse(uinput)); • Secrets stored in the source code 1 var foo = ’secret’; 2 var x = decrypt(foo,data); © 2014 SAP AG. All Rights Reserved. Page 5 of 18
Functions as First-Class Objects 1 var href = document.location.href; 2 var unsafeInput = href.substring(href.indexOf("default=")+8) // unsafe input 3 var safeInput = "1+2"; // safe input 4 5 // aliasing eval 6 var exec = eval; 7 var doit = exec; 8 9 var func_eval1 = function (x) {eval(x);}; 10 var func_eval2 = function (x,y) {eVaL(y);}; 11 12 var func_eval_eval = function (x) {func_eval1(x);}; 13 var func_doit = function (x) {doit(x);}; 14 var func_exec = function (x) {exec(y);}; 15 var run = func_eval1; 16 var inject_code = func_exec; 17 18 doit(safeInput); // secure 19 doit(unsafeInput); // code injection © 2014 SAP AG. All Rights Reserved. Page 6 of 18
Where is The Code of my Application? 1 var input = document.location.href.substring(document.location..indexOf("default=")+8); 2 var fake = function (x) {return x;} 3 var cleanse = function (x) {return ’hello world’;} 4 5 var uinput = unknown(input); // unknown is nowhere defined 6 document.write(uinput); // secure!? 7 8 var finput = fake(input); 9 document.write(finput); // not secure 10 11 var cinput = cleanse(input); 12 document.write(cinput); // secure 13 14 var extfinput = extfake(input); // defined externally (part of scan) 15 document.write(extfinput); // not secure 16 17 var extcinput = extcleanse(input); defined externally (part of scan) 18 document.write(extcinput); // secure 19 20 var nobodyKnows = toCleanOrNotToCleanse(input); multiply defined (underspecified) 21 document.write(nobodyKnows); // not secure!? © 2014 SAP AG. All Rights Reserved. Page 7 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 8 of 18
The SAP UI5 Architecture © 2014 SAP AG. All Rights Reserved. Page 9 of 18
Prototype-based Inheritance 1 var vl = new sap.ui.commons.layout.VerticalLayout(); 2 sap.ui.core.Control.extend("foo.Label", { 3 metadata : { 4 properties : { 5 "text" : "string" 6 } 7 }, 8 renderer : function(oRm, oControl) { 9 oRm.write("<span>XSSLabel: "); 10 oRm.write(oControl.getText()); 11 oRm.write("</span>"); 12 } 13 }); 14 var p = jQuery.sap.getUriParameters().get("xss"); 15 vl.addContent(new foo.Label({text:p})); 16 return vl; © 2014 SAP AG. All Rights Reserved. Page 10 of 18
CSRF Prevention You need to know your frameworks 1 var request = { 2 headers : { 3 "X-Requested-With" : "XMLHttpRequest", 4 "Content-Type" : "application/atom+xml", 5 "X-CSRF-Token" : "Fetch" 6 }, 7 }; 8 if (Appcc.CSRFToken) 9 var request = { 10 headers : { 11 "X-Requested-With" : "XMLHttpRequest", 12 "Content-Type" : "application/atom+xml", 13 "X-CSRF-Token" : Appcc.CSRFToken 14 }, 15 }; 16 else var request = { 17 headers : { 18 "X-Requested-With" : "XMLHttpRequest", 19 "Content-Type" : "application/atom+xml", 20 "X-CSRF-Token" : "etch" // secure? 21 }, 22 }; 23 var response = this.oServiceManager.read(request, this, this.batch, this.busy); © 2014 SAP AG. All Rights Reserved. Page 11 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 12 of 18
Apache Cordova (SAP Kapsel): Overall Idea An integrated platform for developing hybrid mobile apps • Apache Cordova plus • App management • Encrypted Storage • Authentication • Logging • . . . • Application management (SMP) • Can be used with device management solutions © 2014 SAP AG. All Rights Reserved. Page 13 of 18
Exploiting the JavaScript to Java Bridge • We can expose Java methods in JavaScript foo.addJavascriptInterface(new FileUtils(), "FUtil"); • And use them in JavaScript easily 1 <script type="text/javascript">// <![CDATA[ 2 filename = ’/data/data/com.livingsocial.www/’ + id +’_cache.txt’; 3 FUtil.write(filename, data, false); 4 // ]]></script> • Which might expose much more than expected 1 function execute(cmd){ 2 return 3 window._cordovaNative.getClass().forName(’java.lang.Runtime’). 4 getMethod(’getRuntime’,null).invoke(null,null).exec(cmd); 5 } © 2014 SAP AG. All Rights Reserved. Page 14 of 18
Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 15 of 18
The HANA XS Engine Architecture Overview © 2014 SAP AG. All Rights Reserved. Page 16 of 18
History Repeats: SQL Injection 1 $.response.contentType = "text/html"; 2 var userInput = $.request.parameters.get(’userStuff’); 3 4 // We assume 5 // - $.db.getConnection().prepareStatement(x0, ..., xn) is secure iff x0 is *not* 6 // influenced by user input 7 // - sql_sanitize() safeguards us against SQL injections. 8 // - any other preparedStatement call is evil regardless if it is influenced by 9 // user input or not 10 11 if (userInput) { 12 13 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 14 + userInput + "’"; 15 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 16 + sql_sanitize(userInput) + "’"; 17 18 var db_object = $.db; 19 var conn = db_object.getConnection(); 20 21 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 23 _ © 2014 SAP AG. All Rights Reserved. Page 17 of 18
History Repeats: SQL Injection 1 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 2 + userInput + "’"; 3 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 4 + sql_sanitize(userInput) + "’"; 5 6 var db_object = $.db; 7 var conn = db_object.getConnection(); 8 9 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 10 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 11 12 var pstmt02 = db_object.getConnection().prepareStatement(sql); // SQL injection 13 var pstmt03 = db_object.getConnection().prepareStatement(safe_sql); // secure 14 15 var pstmt04 = conn.prepareStatement(sql); // SQL injection 16 var pstmt05 = conn.prepareStatement(safe_sql); // secure 17 18 var pstmt06 = conn.prepareStatement("... where ID = ’$1’",userInput); // secure 19 var pstmt07 = myconn.prepareStatement("... where ID = ’$1’",userInput); // SQL injection 20 21 var pstmt08 = $.mydb.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt09 = $.mydb.getConnection().prepareStatement(safe_sql); // SQL injection © 2014 SAP AG. All Rights Reserved. Page 18 of 18
© 2014 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP AG. All Rights Reserved. Page 19 of 18

Recommended

Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...
Aniketos EU FP7 Project
 
Federated identity and trust management redp3678
Federated identity and trust management redp3678Federated identity and trust management redp3678
Federated identity and trust management redp3678
Banking at Ho Chi Minh city
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
Achim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
GlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScriptGlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScript
Jonathan Baker
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 

Recommended

Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...Privacy identity and trust challenges for the future internet citizen fabio...
Privacy identity and trust challenges for the future internet citizen fabio...
Aniketos EU FP7 Project
 
Federated identity and trust management redp3678
Federated identity and trust management redp3678Federated identity and trust management redp3678
Federated identity and trust management redp3678
Banking at Ho Chi Minh city
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
Achim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
GlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScriptGlueCon 2016 - Threading in JavaScript
GlueCon 2016 - Threading in JavaScript
Jonathan Baker
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
Mist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache SparkMist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache Spark
Вадим Челышов
 
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Provectus
 
Java Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languagesJava Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languages
Erik Gur
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
Max Kleiner
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Codemotion
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
PROIDEA
 
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018) Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Zend by Rogue Wave Software
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
Ayesh Karunaratne
 
Java vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris BaileyJava vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris Bailey
JAXLondon_Conference
 
Ascs virtual
Ascs virtualAscs virtual
Ascs virtual
wistwiser
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and more
WSO2
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Chetan Khatri
 
InterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsInterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring Nodejs
Chris Bailey
 
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Tom Diederich
 
JAX London 2015: Java vs Nodejs
JAX London 2015: Java vs NodejsJAX London 2015: Java vs Nodejs
JAX London 2015: Java vs Nodejs
Chris Bailey
 
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A GrzesikApache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
mfrancis
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 

More Related Content

Similar to A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
PROIDEA
 
InterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsInterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring Nodejs
Chris Bailey
 
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Tom Diederich
 
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A GrzesikApache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
mfrancis
 

Similar to A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript (20)

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Mist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache SparkMist - Serverless proxy to Apache Spark
Mist - Serverless proxy to Apache Spark
 
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
Data Summer Conf 2018, “Mist – Serverless proxy for Apache Spark (RUS)” — Vad...
 
Java Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languagesJava Magazine : The JAVA Virtual Machine alternative languages
Java Magazine : The JAVA Virtual Machine alternative languages
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
 
Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...Maxim Salnikov - Service Worker: taking the best from the past experience for...
Maxim Salnikov - Service Worker: taking the best from the past experience for...
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
 
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018) Speed up web APIs with Expressive and Swoole (PHP Day 2018)
Speed up web APIs with Expressive and Swoole (PHP Day 2018)
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
 
Java vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris BaileyJava vs. Java Script for enterprise web applications - Chris Bailey
Java vs. Java Script for enterprise web applications - Chris Bailey
 
Ascs virtual
Ascs virtualAscs virtual
Ascs virtual
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and more
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
InterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring NodejsInterConnect2016 Monitoring Nodejs
InterConnect2016 Monitoring Nodejs
 
Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)Ingesting streaming data for analysis in apache ignite (stream sets theme)
Ingesting streaming data for analysis in apache ignite (stream sets theme)
 
JAX London 2015: Java vs Nodejs
JAX London 2015: Java vs NodejsJAX London 2015: Java vs Nodejs
JAX London 2015: Java vs Nodejs
 
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A GrzesikApache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
Apache Karaf - Building OSGi applications on Apache Karaf - T Frank & A Grzesik
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 

More from Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
Achim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
Achim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
Achim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
Achim D. Brucker
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
Achim D. Brucker
 

More from Achim D. Brucker (20)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript

  • 1. A Collection of Real World (JavaScript) Security Problems Examples from 21/2 Applications Areas of JavaScript Achim D. Brucker achim.brucker@sap.com SAP AG, Central Code Analysis Team July 2, 2014
  • 2. A Collection of Real World (JavaScript) Security Problems Abstract JavaScript is gaining more and more popularity as an implementation language for various applications types such as Web applications (client-side), mobile applications, or server-side applications. We outline a few security challenges that need to be prevented in such applications and, thus, for which there is a demand for analysis methods that help to detect them during during development. © 2014 SAP AG. All Rights Reserved. Page 2 of 18
  • 3. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 3 of 18
  • 4. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 4 of 18
  • 5. What We Want to Find Programming Patterns That May Cause Security Vulnerabilities Mainly two patterns Local issues (no data-flow dependency), e. g., • Insecure functions 1 var x = Math.random(); • Secrets stored in the source code 1 var password = ’secret’; Data-flow related issues, e. g., • Cross-site Scripting (XSS) 1 var docref = document.location.href; 2 var input = docref.substring( 3 docref.indexOf("default=")+8); 4 var fake = function (x) {return x;} 5 var cleanse = function (x) { 6 return ’hello world’;} 7 document.write(fake(input)); 8 document.write(cleanse(uinput)); • Secrets stored in the source code 1 var foo = ’secret’; 2 var x = decrypt(foo,data); © 2014 SAP AG. All Rights Reserved. Page 5 of 18
  • 6. Functions as First-Class Objects 1 var href = document.location.href; 2 var unsafeInput = href.substring(href.indexOf("default=")+8) // unsafe input 3 var safeInput = "1+2"; // safe input 4 5 // aliasing eval 6 var exec = eval; 7 var doit = exec; 8 9 var func_eval1 = function (x) {eval(x);}; 10 var func_eval2 = function (x,y) {eVaL(y);}; 11 12 var func_eval_eval = function (x) {func_eval1(x);}; 13 var func_doit = function (x) {doit(x);}; 14 var func_exec = function (x) {exec(y);}; 15 var run = func_eval1; 16 var inject_code = func_exec; 17 18 doit(safeInput); // secure 19 doit(unsafeInput); // code injection © 2014 SAP AG. All Rights Reserved. Page 6 of 18
  • 7. Where is The Code of my Application? 1 var input = document.location.href.substring(document.location..indexOf("default=")+8); 2 var fake = function (x) {return x;} 3 var cleanse = function (x) {return ’hello world’;} 4 5 var uinput = unknown(input); // unknown is nowhere defined 6 document.write(uinput); // secure!? 7 8 var finput = fake(input); 9 document.write(finput); // not secure 10 11 var cinput = cleanse(input); 12 document.write(cinput); // secure 13 14 var extfinput = extfake(input); // defined externally (part of scan) 15 document.write(extfinput); // not secure 16 17 var extcinput = extcleanse(input); defined externally (part of scan) 18 document.write(extcinput); // secure 19 20 var nobodyKnows = toCleanOrNotToCleanse(input); multiply defined (underspecified) 21 document.write(nobodyKnows); // not secure!? © 2014 SAP AG. All Rights Reserved. Page 7 of 18
  • 8. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 8 of 18
  • 9. The SAP UI5 Architecture © 2014 SAP AG. All Rights Reserved. Page 9 of 18
  • 10. Prototype-based Inheritance 1 var vl = new sap.ui.commons.layout.VerticalLayout(); 2 sap.ui.core.Control.extend("foo.Label", { 3 metadata : { 4 properties : { 5 "text" : "string" 6 } 7 }, 8 renderer : function(oRm, oControl) { 9 oRm.write("<span>XSSLabel: "); 10 oRm.write(oControl.getText()); 11 oRm.write("</span>"); 12 } 13 }); 14 var p = jQuery.sap.getUriParameters().get("xss"); 15 vl.addContent(new foo.Label({text:p})); 16 return vl; © 2014 SAP AG. All Rights Reserved. Page 10 of 18
  • 11. CSRF Prevention You need to know your frameworks 1 var request = { 2 headers : { 3 "X-Requested-With" : "XMLHttpRequest", 4 "Content-Type" : "application/atom+xml", 5 "X-CSRF-Token" : "Fetch" 6 }, 7 }; 8 if (Appcc.CSRFToken) 9 var request = { 10 headers : { 11 "X-Requested-With" : "XMLHttpRequest", 12 "Content-Type" : "application/atom+xml", 13 "X-CSRF-Token" : Appcc.CSRFToken 14 }, 15 }; 16 else var request = { 17 headers : { 18 "X-Requested-With" : "XMLHttpRequest", 19 "Content-Type" : "application/atom+xml", 20 "X-CSRF-Token" : "etch" // secure? 21 }, 22 }; 23 var response = this.oServiceManager.read(request, this, this.batch, this.busy); © 2014 SAP AG. All Rights Reserved. Page 11 of 18
  • 12. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 12 of 18
  • 13. Apache Cordova (SAP Kapsel): Overall Idea An integrated platform for developing hybrid mobile apps • Apache Cordova plus • App management • Encrypted Storage • Authentication • Logging • . . . • Application management (SMP) • Can be used with device management solutions © 2014 SAP AG. All Rights Reserved. Page 13 of 18
  • 14. Exploiting the JavaScript to Java Bridge • We can expose Java methods in JavaScript foo.addJavascriptInterface(new FileUtils(), "FUtil"); • And use them in JavaScript easily 1 <script type="text/javascript">// <![CDATA[ 2 filename = ’/data/data/com.livingsocial.www/’ + id +’_cache.txt’; 3 FUtil.write(filename, data, false); 4 // ]]></script> • Which might expose much more than expected 1 function execute(cmd){ 2 return 3 window._cordovaNative.getClass().forName(’java.lang.Runtime’). 4 getMethod(’getRuntime’,null).invoke(null,null).exec(cmd); 5 } © 2014 SAP AG. All Rights Reserved. Page 14 of 18
  • 15. Agenda 1 Motivation and Basics 2 SAP UI5: Client-side JavaScript 3 Apache Cordova: JavaScript on Mobile 4 HANA XS Engine: Server-side JavaScript © 2014 SAP AG. All Rights Reserved. Page 15 of 18
  • 16. The HANA XS Engine Architecture Overview © 2014 SAP AG. All Rights Reserved. Page 16 of 18
  • 17. History Repeats: SQL Injection 1 $.response.contentType = "text/html"; 2 var userInput = $.request.parameters.get(’userStuff’); 3 4 // We assume 5 // - $.db.getConnection().prepareStatement(x0, ..., xn) is secure iff x0 is *not* 6 // influenced by user input 7 // - sql_sanitize() safeguards us against SQL injections. 8 // - any other preparedStatement call is evil regardless if it is influenced by 9 // user input or not 10 11 if (userInput) { 12 13 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 14 + userInput + "’"; 15 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 16 + sql_sanitize(userInput) + "’"; 17 18 var db_object = $.db; 19 var conn = db_object.getConnection(); 20 21 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 23 _ © 2014 SAP AG. All Rights Reserved. Page 17 of 18
  • 18. History Repeats: SQL Injection 1 var sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 2 + userInput + "’"; 3 var safe_sql = "select * from SFLIGHT.SNVOICE where CustomID =’" 4 + sql_sanitize(userInput) + "’"; 5 6 var db_object = $.db; 7 var conn = db_object.getConnection(); 8 9 var pstmt00 = $.db.getConnection().prepareStatement(sql); // SQL injection 10 var pstmt01 = $.db.getConnection().prepareStatement(safe_sql); // secure 11 12 var pstmt02 = db_object.getConnection().prepareStatement(sql); // SQL injection 13 var pstmt03 = db_object.getConnection().prepareStatement(safe_sql); // secure 14 15 var pstmt04 = conn.prepareStatement(sql); // SQL injection 16 var pstmt05 = conn.prepareStatement(safe_sql); // secure 17 18 var pstmt06 = conn.prepareStatement("... where ID = ’$1’",userInput); // secure 19 var pstmt07 = myconn.prepareStatement("... where ID = ’$1’",userInput); // SQL injection 20 21 var pstmt08 = $.mydb.getConnection().prepareStatement(sql); // SQL injection 22 var pstmt09 = $.mydb.getConnection().prepareStatement(safe_sql); // SQL injection © 2014 SAP AG. All Rights Reserved. Page 18 of 18
  • 19. © 2014 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP AG. All Rights Reserved. Page 19 of 18