9. For Root Cause #1. Let’s go back a few decades.
The telecom of 60’s – 80’s used in-band signaling.
i.e. sending control info and data on same channel.
Then came the free long distance calls.
17. The Golden Rule. Defensive Coding.
Everything has bad parts. Did you subset the language
you use?
18. Adopt/Build app frameworks that can bear the attack.
One’s that auto-defend. Auto Sanitize.
Like MVC templates with auto-encoding.
Like NoSQL DBs, free of SQL Injection.
19. Learn and Implement New Techniques.
(CSP, ES5, HTML5 Sandbox, PostMessage)
WARNING: Watch production readiness at http://www.browserscope.org/?category=security&v=top
The web is extremely colorful but it was never meant to be what it is. Its inherent flexibility and popularity has just kept it growing. Over the years, number of pieces of technologies got cobbled to make it incredibly powerful app delivery platform. Something that can achieve unbelievable things today.However it grew in a hotchypotchy manner not accounting for things that make it inherently vulnerable to plethora of attacks.
On frontend, HTML print documents on screen, CSS renders styles, DOM allows on the fly modification and the undisputed leader of the pack – JavaScript, makes the web dynamic. On the backend, you have NodeJS/PHP/Java/.Net or the likes that provide the business logic and provide persistence through databases like MongoDB Oracle, MySQL.Together they make today’s web happen.
Attackers on the Web (and generally on any system, including Internet) are of 3 kinds:Script Kiddies – the kind who lives on the power of others (2&3). They piggyback their tools, techniques, scripts and methods in their attacks (Like Boss Wolf)Crackers – they are smart, gifted, in some cases even blessed. They are mostly either behind money or fame (like Tai Lung behind the scroll).Unethical 3rd parties. They want all you have. Your users(cookies and private data). Your sites trust (phishing). They are like Lord Shen. They are obsessed with ruling all over.
In-band signaling was used intelcos that sent metadata and control information in the same band used for data like in the web sending punctuation with data.It was inherently insecure because it exposes control signals, protocols and management systems to the users, which resulted in falsing. In 1960’s the blue boxes were used for falsingto make free long-distance calls using a 2600Hz cereal whistle.
Web is built on in-band signaling. The user input which is mostly meant for data CAN also carry commands, better known as punctuation. The issue is further compounded as HTML can have embedded in it URLs, CSS, and JavaScript. AndJavaScript can be embedded in URLs and CSSMore so, each of these languages have different encoding conventions leading to another set of edge case security issues.It is the model of in-band signaling and the semantic & contextual difference of each of these sub-languages that cause tremendous complexity, leading to a class of vulnerability called XSS, amongst other issues.
In-band signaling also leads to another class of vulnerability in the backend- the database. It has several categories but the most exploited one is SQL Injection.
Mashup is an app that combines services from multiple origins to create new experiences.Mostly based on DHTML. The most popular approach is client-side where browser retrieves and aggregates as per the provided template. Why need?1/ Ads2/ Analytics3/ Social plug-ins /3rd party widgets (FB Like) help drive engagement4/ Rich user experience – maps5/ App platforms. The ultimate manifestation of user generated content in mashups – FB iframe tabs, YAP, iGoogle GadgetsTwo solutions: Scripts and iframesScript basedOffers NO separation but provides FULL interactionInteraction not authenticated, nor can confidentiality or integrity be ensuredIframe basedFULL separation between cross originsNO separation within the same originNO provision for interaction between components
Mashup Vulnerabilities: iframe based1. Malicious Redirectiontop.location = http://s0m3phishing.com2. Fake / Malicious UI<form method=…>, window.open()3. Drive-by Downloads/MalwareContent-Disposition: attachment4. Denial of Service (DoS) and NoiseInfinite alert()and while loops5. History Sniffing/MininggetComputedStyle()6. Referrer LeakReferrer: http://<ip>/r.html?a=secret&b=private7. LAN Scanning<imgsrc=http://10.0.0.1 onerror=...>
Mashup Vulnerabilities: Script based1. Steal Username, Password and other secret data by calling, intercepting or spoofing DOM events like onsumbit2. Steal cookies via document.cookie3. Malicious GET and POST via xhr.open4. Abuse features like autocomplete5. All iframe vulnerabilities like drive by downloads / malware6. And, many more……
Separation: Iframe sandboxWhen set, enables new restrictions on any content hosted by the iframeBy default, the content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts, and plugins are disabledInteraction: postMessageSecure & improved replacement of Fragment Identifier Messaging (FIM) Provides controlled and safe cross-document messaging between iframesEnables authentication, other than confidentiality and integrity that FIM provided tooAuthentication achieved by browser validating the destination when sending a message and the recipients ability to validate sender on message receive.Content Security Policy (CSP)Primarily designed to defend against XSS, as a side-effect, enables better mashupsProvides better granularity over authority of components by restricting their capabilities that make certain attacks possibleeval(), setTimeout(), javascript:, new Function(), onclick() and the likes are restricted3rd Party PartnersKeep doing what you are doing to sanitize at the server-sideIframe Ads, Widgets and other content. Avoid scriptingKeep signing/updating legal and security agreements3rd Party DevelopersYour choice!Minimal policing, low learning, high portability (iframe) leads to high growth and viral networksPolicing (Caja, FBJS), high learning curve, low portability - low growth3rd Party PartnersOne day. Some day. Once those are dead and buried. Yes, you can leave it to them - Sandbox, postMessage, CSP.Some would still need exceptionsIframe Ads, Widgets and other content. Avoid scriptingKeep signing/updating legal and security agreements3rd Party DevelopersIframe sandbox + postMessage + CSP + <?> In addition to the obvious benefits to program reliability and readability, strict mode is helping to solve the Mashup Problem.
The road is not easy. But when you know your problems well. And start solving them one by one. You can rest in peace. Well, till the next one arrives.
