Cyber Camp 2014
(In)Security Implications in JavaScript Universe
Stefano Di Paola, CTO Minded Security
$ whoami
Stefano Di Paola @WisecWisec
Research (Spare Time)
• Bug Hunter & Sec Research (PDF UXSS, Flash Security, HPP)
• Software Security since '99
• Dealing with JavaScript since 2006
Work
• CTO @ Minded Security, Application Security Consulting
• Director of Minded Security Research Labs
What's this talk about
• Birth and rise of an important language.
• The security implications around it.
• Try to use the JavaScript phenomenon to understand some things about security and the real world.
• I won't say JavaScript is insecure. It'd be complete nonsense.
Brief History of JS – 1990-2000
1990: Only HTML
1996: JavaScript is in the browser
1999: Ajax
Brief History 2000-2009
Something's happening. Can you see it?
Brief History 2009-2014
• Browser vendors are pushing new features:
  ◦ improving speed
  ◦ graphics capabilities
  ◦ sound
• Sounds like a plan!
• ...and guess what's the glue? JavaScript, of course!
Brief History – The big picture
PAST: 1996-2012
1996 - Why did JS become so important?
• It improves the user experience during browsing.
• On the other side, it gives a way to:
  ◦ read
  ◦ create
  ◦ modify
  ◦ delete page content.
Browser with new Powers
I mean:
• Without JavaScript a browser was just an HTML parser (not only, I know..).
• With JavaScript a browser has a whole new playground.
• Can those features be abused?
Browser with new Powers - Risks
• The browser now has to protect, in some way:
  ◦ User remote data: WebSite A (evil) must not read/modify/etc. content of WebSite B (victim) by abusing the victim's browser.
  ◦ User local data: a malicious site could try to access disk files.
User Data is gone
Browser with new Powers - SOP
• The concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995.
• Same Origin Policy: scheme, host and port must match, e.g. http://evil.com :80
• The implementation of access control rules in a hostile environment is also known as a Sandbox.
Subverting the SandBox – The old style
Page built by concatenation: "<html>.." + taintedInput + "..</html>"
taintedInput = <script>evilJs</script>
Result: <html>.. <script>evilJs</script> ..</html>
Subverting the SandBox – The old-new style
Abuse the functionality of a plugin that
• behaves differently from the browser
• gives too much power without controls
in order to access data, whatever the browser rules are.
Universal Cross Site Scripting (UXSS)
Subverting the SandBox – Acrobat Reader Plugin
Example: Acrobat Reader Plugin UXSS, 2006
• Suppose a PDF is reachable from: http://www.google.com/doc.pdf
• The attacker adds a parameter: http://www.google.com/doc.pdf?fdf=javascript:evilJS...
  and forces the victim's browser to visit the URL.
• The plugin executes the JavaScript as if it originated from google.com.
• What happens when a user just has some PDF on their PC?
• An attacker could access the whole filesystem!
Subverting the SandBox – The old-new-new style
• Browser extensions:
  ◦ JavaScript running in extensions has much more power than on HTML pages.
  ◦ can be developed by anyone
  ◦ could be malicious
  ◦ ..or simply badly written (vulnerable to external attacks)
• Very similar to the plugin model, but easier to develop.
• Any user can install them.
• Useful for lots of stuff (Gmail inbox checking, ad blocking, etc.)
Meantime.. on the Server Side..
Yay! Look Ma' I'm on the Server Side!
An early implementation of JavaScript on the server side, but the results were not so nice:
var year=eval("date['"+request["params"]["year"]+"'];");
• Became a Remote Code Execution!
http://host/?year='+response.write(system("cat /etc/passwd"))+'
It was a bank web application (implemented in 2003, tested by me in 2008).
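Added example, not the bank application's code: the root cause above is that the "year" parameter is pasted into JavaScript source before eval(), so the parameter becomes program text. The block shows the text the vulnerable line would hand to eval() for a given parameter (without evaluating it) beside a hardened lookup that keeps the parameter as data; `dateTable` and its keys are constructed for this example.

```javascript
// Constructed stand-in for the slide's `date` table (keys and values invented).
const dateTable = { '2003': 'implemented', '2008': 'tested' };

// What the slide's line  eval("date['" + request["params"]["year"] + "'];")
// would pass to eval() for this parameter value. Returned as a string only,
// never evaluated, so the effect of a crafted parameter can be inspected.
function buildEvalSource(params) {
  return "date['" + params.year + "'];";
}

// A year key must be exactly four digits; anything else is rejected up front.
function isValidYearKey(key) {
  return typeof key === 'string' && /^\d{4}$/.test(key);
}

// Hardened lookup: no eval, strict key shape, own properties only (so keys
// such as "constructor" or "__proto__" can never reach the prototype chain).
function lookupYear(table, params) {
  const key = params.year;
  if (!isValidYearKey(key)) {
    return { ok: false, reason: 'invalid year parameter' };
  }
  if (!Object.prototype.hasOwnProperty.call(table, key)) {
    return { ok: false, reason: 'unknown year' };
  }
  return { ok: true, value: table[key] };
}

// Demo: a legitimate request and the crafted one from the slide.
const craftedParams = { year: "'+response.write(system(\"cat /etc/passwd\"))+'" };
console.log(buildEvalSource(craftedParams));          // the parameter became code
console.log(lookupYear(dateTable, { year: '2008' }));  // { ok: true, value: 'tested' }
console.log(lookupYear(dateTable, craftedParams));     // rejected before any lookup
```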
Meantime.. on users' PCs..
Mo' Money Mo' Trouble
• It's around 2005.
• A new interesting thing happens.
• JavaScript + Ajax increase the number of commercial web applications.
• The cost of computers lowers.
• The platforms are converging to a common one: the browser.
• Big user base > Big money > Crime > Profit
What would a naive user do?
Man In The Browser - Banking Malware
• In 2005, the use of a virus to hook the browser's interaction with banking websites was theorized for the first time.
• Takes advantage of the common interface the browser gives.
• Changes the page on the fly.
• It's a win-win. Browser rules are completely subverted!
• Perfect Sandbox bypass.
Man In The Browser
• Configuration Example:
Meantime.. on the Mobile..
Yay! Look Ma' I'm in a telephone!
• Every mobile OS lets developers use a so-called webview.
• It's 2011: iOS Skype HTML injection in the username display. Led to access to whatever the app could access.
https://www.superevr.com/blog/2011/xss-in-skype-for-ios/
Just Before the Present – The JavaScript Situation
It's 2011
• WebSites are full of JavaScript coming from:
  ◦ advertising,
  ◦ web analytics,
  ◦ user interaction,
  ◦ helper libraries.
Just Before the Present - DOMinator
• I wrote a tool called DOMinator:
  ◦ a modification of Firefox
  ◦ helps track JavaScript data flow during its execution
  ◦ alerts if there's some potentially exploitable flaw in the code.
• Took the top 100 most visited sites and analyzed them with it:
  ◦ 57 had at least some weakness in their JavaScript code.
Present 
2012-2014
Present + Past
• Past stuff is actually (mostly) still here :)
• Some effort from browser vendors to improve on SOP:
  ◦ Content Security Policy
  ◦ implemented by all browsers
  ◦ not widely used by web applications.
• Unfortunately everything is happening on top of an old model.
There's more! New JavaScript frameworks and models are gaining interest.
HTML Templating – Complex JS Models
• Welcome to a new way to dynamically generate the HTML page on the fly, on the browser side!
• Welcome HTML Templates
• Welcome Client Side Full Dynamic Content
• Welcome AngularJS and siblings!
AngularJS – a New Sandbox to Escape From
{{ qty * cost }}
• Not directly executed by the browser's JS parser.
• An expression parser is implemented on top of JS.
• It's actually a sandbox around JS, implemented in JS.
AngularJS – a New Sandbox to Escape From
• Try to run {{alert(1)}}
• The sandbox removes access to "dangerous objects" and their attributes.
• Still, sandbox security is often a long process, refined over time.
• Here's a (mindblowing) sandbox bypass (fixed):
''.sub.call.call(
  ({})["constructor"].getOwnPropertyDescriptor(
    ''.sub.__proto__, "constructor").value,
  null,
  "alert(1)" )()
https://code.google.com/p/mustache-security/wiki/AngularJS
AngularJS – a New Problem to Face
• User content is completely generated on the client.
• How can we create a PDF on the server side using the user's page?
1. Extract the generated HTML
2. Send it to the server
3. Use a browser on the server to recreate the graphics
4. Convert it to PDF.
PDF Generation from Complex Content
• WebKit – Webkit2PDF
• Other browser-based solutions.
• What could go wrong with the following content?
<iframe src="http://internalRouter/"></iframe>
• Parsed by a browser on the server side?
• Write access to the whole internal network, as if you had access with your browser to the web server's network!
• Arbitrary Server Side Requests
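Added example, not part of the slides or of Webkit2PDF: a pre-render check for client-supplied HTML that a server-side browser is about to fetch resources for. Every URL the renderer would load must be http(s) to an allowlisted public host; internal names, loopback/private address literals and other schemes are reported so the render can be refused and logged. `ALLOWED_HOSTS` and the sample HTML are constructed for this example.

```javascript
// Hosts the renderer is allowed to fetch from (assumption for this example).
const ALLOWED_HOSTS = new Set(['www.example.com', 'cdn.example.com']);

// Attributes a rendering browser fetches (plus href, but only on <link>).
const FETCH_ATTRS = new Set(['src', 'poster', 'data', 'background']);

// RFC 1918, loopback, link-local and "this network" IPv4 literals.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns a reason string if the host must not be fetched, otherwise null.
// Bracketed hosts are IPv6 literals; a host without a dot is an internal name
// (like "internalRouter" on the slide) that only resolves inside the network.
function classifyHost(host) {
  if (host.startsWith('[') || host === 'localhost' || host.endsWith('.localhost') ||
      host.endsWith('.local') || !host.includes('.') || isPrivateIPv4(host)) {
    return 'internal host';
  }
  return ALLOWED_HOSTS.has(host) ? null : 'host not allowlisted';
}

// Resolve the attribute value against the page URL and classify it.
function checkUrl(value, baseUrl) {
  let url;
  try {
    url = new URL(value, baseUrl);
  } catch (e) {
    return 'unparseable URL';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return 'scheme ' + url.protocol + ' not allowed';
  }
  return classifyHost(url.hostname.toLowerCase());
}

// Scan the HTML and return one finding per reference the renderer must not load.
function findDisallowedReferences(html, baseUrl) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const tagName = tag[1].toLowerCase();
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      const fetched = FETCH_ATTRS.has(name) || (name === 'href' && tagName === 'link');
      if (!fetched) continue;
      const value = (attr[2] !== undefined ? attr[2] : attr[3] !== undefined ? attr[3] : attr[4]).trim();
      const reason = checkUrl(value, baseUrl);
      if (reason !== null) findings.push({ tag: tagName, attr: name, value, reason });
    }
  }
  return findings;
}

// Constructed sample of what a client could submit for server-side rendering.
const SAMPLE_HTML =
  '<div><img src="https://cdn.example.com/logo.png">' +
  '<iframe src="http://internalRouter/"></iframe>' +
  '<img src="http://10.0.0.5/status.png">' +
  '<a href="http://internalRouter/">an anchor is not fetched by the renderer</a>' +
  '<link rel="stylesheet" href="file:///tmp/style.css"></div>';

console.log(findDisallowedReferences(SAMPLE_HTML, 'https://www.example.com/report'));
```

This is a first-pass content check only (CSS url() values, redirects and DNS rebinding are not covered); the control that actually contains the renderer is egress filtering on the host it runs on.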
JavaScript in the full Web Stack!
JavaScript on the Server Side.. Again!
• JavaScript is used by hundreds of thousands of developers.
• It's too popular.
• There's a new breakthrough:
• NodeJS - JS on the server side. Welcome back, 2003.
• MongoDB - JavaScript on the DBMS layer.
JavaScript on the Server Side.. Again!
• Request the following from a Node application:
Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff
Node: { parameter: [ 'sss', 'fff' ] }
Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff
Node: { parameter: { XX: 'sss', YYY: 'fff' } }
• Node gets the query string and transforms it into JavaScript Object Notation (JSON).
• Completely different from all other web servers!
JavaScript on a DB! SQL Injection? Kind of
• Is some other fancy server-side attack still possible? Let's see.
1. Create a simple NodeJS + MongoDB application:
//MongoDB Access from NodeJS
User.findOne({user: req.body.user, pass: req.body.pass},...
2. Test the environment:
Client Request: user=aUserName&pass=aPassword
Node sees: { user: 'aUserName', pass: 'aPassword' }
JavaScript on a DB! SQL Injection? Kind of
3. Now look at the MongoDB manual and find the interesting parts:
http://docs.mongodb.org/manual/reference/sql-comparison/
4. Identify one of the many attacks that can be performed:
Client Request: user[$ne]=aUserName&pass[$ne]=aPassword
Node sees: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }
MongoDB sees the equivalent of: SELECT * from users where user != 'aUsername' and pass != 'aPassword';
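Added example, not the application from the slides, covering both the query-string parsing shown two slides back and the operator injection above: `parseNested()` mimics how the Node parser turns repeated and bracketed keys into arrays and nested objects (it is a constructed stand-in, not the real qs module), `findOperators()` reports any "$"-prefixed key for detection and logging, and `credentialsFilter()` lets only plain strings reach a query such as `User.findOne({user, pass})`.

```javascript
// Keys that would walk the prototype chain; refused so the parser itself
// cannot be turned into a prototype-pollution vector.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "user[$ne]" into ["user", "$ne"] and "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  const path = [];
  const re = /^([^\[\]]+)|\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(rawKey)) !== null) {
    path.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return path;
}

// Parse a query string or form body the way the slides show Node doing it:
// repeated keys become an array, bracket keys become a nested object.
function parseNested(query) {
  const result = {};
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const path = keyPath(rawKey);
    if (path.length === 0 || path.some((seg) => BLOCKED_SEGMENTS.has(seg))) continue;
    let node = result;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null || Array.isArray(node[seg])) {
        node[seg] = {};
      }
      node = node[seg];
    }
    const last = path[path.length - 1];
    if (!Object.prototype.hasOwnProperty.call(node, last)) {
      node[last] = value;
    } else if (Array.isArray(node[last])) {
      node[last].push(value);
    } else {
      node[last] = [node[last], value];
    }
  }
  return result;
}

// Detection: walk a parsed body and list every "$"-prefixed key as a dotted
// path, e.g. ["user.$ne", "pass.$ne"]. Useful as a log/alert signal before
// the query is even attempted.
function findOperators(value, prefix = '') {
  const found = [];
  if (value === null || typeof value !== 'object') return found;
  for (const [k, v] of Object.entries(value)) {
    const path = prefix ? prefix + '.' + k : k;
    if (k.startsWith('$')) found.push(path);
    found.push(...findOperators(v, path));
  }
  return found;
}

// Mitigation: credentials must be plain strings. Objects (operators) and
// arrays are refused rather than coerced, so findOne() never sees {$ne: ...}.
function credentialsFilter(body) {
  const { user, pass } = body;
  if (typeof user !== 'string' || typeof pass !== 'string') return null;
  return { user, pass };
}

// Demo with the two requests from the slides.
const benignBody = parseNested('user=aUserName&pass=aPassword');
const craftedBody = parseNested('user[$ne]=aUserName&pass[$ne]=aPassword');
console.log(credentialsFilter(benignBody));  // { user: 'aUserName', pass: 'aPassword' }
console.log(findOperators(craftedBody));     // [ 'user.$ne', 'pass.$ne' ]
console.log(credentialsFilter(craftedBody)); // null: reject the request
```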
Future 
2015-?
What's going on?
• Web as gaming platform, no plugins (QuakeJS)
• Possible to "compile" games written in C/C++ to asm.js (speed about 1.5x relative to native ones!)
What's going on? Mobile?
• FirefoxOS (mobile applications in HTML5 + JS)
What's going on? Anything left?
• JS Internet of Things (a JS interpreter in a chip).
• Projects about creating an operating system on top of NodeJS.
Conclusions
• We live in a world that changes faster than before.
• New interesting technologies could get a huge user base in a few months.
• When it happens, everything moves even faster,
• without giving the right time to understand the implications or the subtleties underneath them.
Can you see it now?
• JavaScript seems easy, but as usually happens, quality code means more than basic JS skills.
• Things are getting even harder.
• Yet we need talented people to break and build code and innovate as much as possible!
Future??
I can't even imagine how much more intricate the next years will be!
And this is only one language!
Thank you! 
/*Go and Exploit Ethically */ 
Q&A 
Twitter: @wisecwisec 
https://www.mindedsecurity.com 
Mail: stefano.dipaola@mindedsecurity.com

Weitere ähnliche Inhalte

Was ist angesagt?

When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filterkuza55
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpsF _
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trendsbeched
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik
 

Was ist angesagt? (20)

When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 
Examining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS FilterExamining And Bypassing The IE8 XSS Filter
Examining And Bypassing The IE8 XSS Filter
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
DOM-based XSS
DOM-based XSSDOM-based XSS
DOM-based XSS
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurps
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
Flashack
FlashackFlashack
Flashack
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 

Ähnlich wie (In)Security Implication in the JS Universe

Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moiblemarkuskobler
 
Isomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master ClassIsomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master ClassSpike Brehm
 
Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Christian Heilmann
 
Front End Development | Introduction
Front End Development | IntroductionFront End Development | Introduction
Front End Development | IntroductionJohnTaieb
 
Bruce lawson-over-the-air
Bruce lawson-over-the-airBruce lawson-over-the-air
Bruce lawson-over-the-airbrucelawson
 
In Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript AppsIn Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript AppsSpike Brehm
 
Angular js mobile jsday 2014 - Verona 14 may
Angular js mobile   jsday 2014 - Verona 14 mayAngular js mobile   jsday 2014 - Verona 14 may
Angular js mobile jsday 2014 - Verona 14 mayLuciano Amodio
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientAngelo Dell'Aera
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do ThatNathan Smith
 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web DesignChristopher Schmitt
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and moreYan Shi
 
Web app and more
Web app and moreWeb app and more
Web app and morefaming su
 
Front-end. Global domination
Front-end. Global dominationFront-end. Global domination
Front-end. Global dominationStfalcon Meetups
 
Js foo - Sept 8 upload
Js foo - Sept 8 uploadJs foo - Sept 8 upload
Js foo - Sept 8 uploadDebnath Sinha
 
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SKJavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SKDavid Wesst
 
Developing Java Web Applications
Developing Java Web ApplicationsDeveloping Java Web Applications
Developing Java Web Applicationshchen1
 
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017ElifTech
 

Ähnlich wie (In)Security Implication in the JS Universe (20)

Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moible
 
Isomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master ClassIsomorphic JavaScript: #DevBeat Master Class
Isomorphic JavaScript: #DevBeat Master Class
 
Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010
 
Front End Development | Introduction
Front End Development | IntroductionFront End Development | Introduction
Front End Development | Introduction
 
Bruce lawson-over-the-air
Bruce lawson-over-the-airBruce lawson-over-the-air
Bruce lawson-over-the-air
 
In Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript AppsIn Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
In Pursuit of the Holy Grail: Building Isomorphic JavaScript Apps
 
Angular js mobile jsday 2014 - Verona 14 may
Angular js mobile   jsday 2014 - Verona 14 mayAngular js mobile   jsday 2014 - Verona 14 may
Angular js mobile jsday 2014 - Verona 14 may
 
TPR4
TPR4TPR4
TPR4
 
TPR4
TPR4TPR4
TPR4
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do That
 
[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design[convergese] Adaptive Images in Responsive Web Design
[convergese] Adaptive Images in Responsive Web Design
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and more
 
Web app and more
Web app and moreWeb app and more
Web app and more
 
Front-end. Global domination
Front-end. Global dominationFront-end. Global domination
Front-end. Global domination
 
Frontend. Global domination.
Frontend. Global domination.Frontend. Global domination.
Frontend. Global domination.
 
Js foo - Sept 8 upload
Js foo - Sept 8 uploadJs foo - Sept 8 upload
Js foo - Sept 8 upload
 
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SKJavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
JavaScript Revolution - 5/Nov/13 - PrDC Saskatoon, SK
 
Developing Java Web Applications
Developing Java Web ApplicationsDeveloping Java Web Applications
Developing Java Web Applications
 
JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017JS digest. Mid-Summer 2017
JS digest. Mid-Summer 2017
 

Kürzlich hochgeladen

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 

Kürzlich hochgeladen (20)

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 

(In)Security Implication in the JS Universe

  • 1. Cyber Camp 2014 (In)Security Implications in JavaScript Universe Stefano Di Paola, CTO Minded Security
  • 2. $ whoami Stefano Di Paola @WisecWisec Research (Spare Time)  Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)  Software Security Since '99  Dealing with JavaScript since 2006 Work CTO @ Minded Security Application Security Consulting Director of Minded Security Research Labs
  • 3. What’s this talk about  Birth and Raise of an important language.  The security implication around it  Try to use the JavaScript phenomenon to understand some things about Security and Real World  I won’t say JavaScript is unsecure. It’d be a complete nonsense.
  • 4. Brief History Of JS – 1990 - 2000 1990 Only HTML 1996 Javascript is in the browser 1999 Ajax
  • 5. Brief History 2000-2009 Something’s Happening Can you see it?
  • 6. Brief History 2009-2014  Browser Vendors are pushing new features:  improving speed  graphics capabilities  sound  Sounds Like a plan!  …and guess what’s the glue? JavaScript of course!
  • 7. Brief History The big picture
  • 9. 1996 - Why JS became so important?  Improve user experience during browsing.  On the other side gives a way to:  read  create  modify  delete page content.
  • 10. Browser with new Powers
    I mean.
     Without JavaScript a browser was just an HTML parser (not only, I know..).
     With JavaScript a browser has a whole new playground.
     Can those features be abused?
  • 11. Browser with new Powers - Risks
     The browser now has to protect, some way:
     User Remote Data: WebSite A (evil) tries to read/modify/etc. content of WebSite B (victim) by abusing the victim’s browser.
     User Local Data: A malicious site could try to access disk files.
    User Data is gone
  • 12. Browser with new Powers - SOP
     Concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995
     Same Origin Policy: http://evil.com :80
     Implementation of access control rules in a hostile environment is also known as a Sandbox
  • 13. Subverting the SandBox – The old style
    “<html>..” + taintedInput + “..</html>”
    taintedInput=<script>evilJs</script>
    “<html>..<script>evilJs</script>..</html>”
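The "old style" pattern on this slide, as an added JavaScript example that is not code from the deck: renderUnsafe concatenates the tainted input into the page exactly as above, renderSafe HTML-encodes it first, and the function names and sample payload are constructed for the example.

```javascript
// Added example (not from the original slides). renderUnsafe reproduces the
// slide's concatenation of tainted input into HTML; renderSafe HTML-encodes the
// input first, so "<script>" reaches the browser as text, not as an element.
function renderUnsafe(taintedInput) {
  return '<html>..' + taintedInput + '..</html>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that let text break out of an HTML text node
// or out of a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderSafe(taintedInput) {
  return '<html>..' + escapeHtml(taintedInput) + '..</html>';
}

// Crude check used only to compare the two outputs: does a script element
// survive in the generated markup? (A real check would use an HTML parser.)
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

const taintedInput = '<script>evilJs</script>'; // the slide's payload (constructed sample)

console.log(renderUnsafe(taintedInput)); // <html>..<script>evilJs</script>..</html>
console.log(renderSafe(taintedInput));   // <html>..&lt;script&gt;evilJs&lt;/script&gt;..</html>
```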
  • 14. Subverting the SandBox – The old-new style
    Abuse the functionalities of a plugin that
     behaves differently from the browser
     gives too much power without controls
    in order to access data, whatever the browser rules are.
    Universal Cross Site Scripting
  • 15. Subverting the SandBox – Acrobat Reader Plugin
    Example: Acrobat Reader Plugin UXSS 2006
     Suppose a pdf is reachable from: http://www.google.com/doc.pdf
    Attacker adds http://www.google.com/doc.pdf?fdf=javascript:evilJS... and forces the victim’s browser to visit the url.
    The plugin executes the JavaScript as if it originated from google.com
     What happens when a user just has some pdf on their PC?
     an attacker could access the whole filesystem!
  • 16. Subverting the SandBox – The old-new-new style
     Browser Extensions:
     JavaScript running in extensions has much more power than on HTML pages.
     can be developed by anyone
     Could be malicious
     ..or simply badly written (vulnerable to external attacks)
     Very similar to the plugin model but easier to develop.
     Any user can install them
     Useful for lots of stuff (Gmail Inbox Checking, Ad Block etc.)
  • 17. Meantime.. On the Server Side..
  • 18. Yay! Look Ma’ I’m on the Server Side!
    An early implementation of JavaScript on the server side, but the results were not so nice:
    var year=eval("date['"+request["params"]["year"]+"'];");
     Became a Remote Code Execution!
    http://host/?year='+response.write(system("cat /etc/passwd"))+'
    It was a bank web application (implemented in 2003, tested by me in 2008).
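The eval-based lookup from this slide beside a lookup that cannot become code, as an added JavaScript example (not the bank application from the deck): the date table, canary() and the parameter values are constructed for the example, and the hostile value has the same shape as the slide's payload.

```javascript
// Added example (not from the original slides). lookupYearUnsafe reproduces the
// eval pattern above; lookupYearSafe performs the same lookup as a plain
// property access, so the request parameter can only select a key and never
// becomes source code.
const date = { '2003': 'implemented', '2008': 'tested' }; // constructed sample table

let canaryHits = 0;                       // counts how often injected code ran
function canary() { canaryHits += 1; return 'injected'; }
function getCanaryHits() { return canaryHits; }

function lookupYearUnsafe(yearParam) {
  // request["params"]["year"] is spliced straight into a string that is then
  // evaluated as JavaScript, exactly as on the slide.
  return eval("date['" + yearParam + "'];");
}

function lookupYearSafe(yearParam) {
  // Own-property check: no code evaluation, and no walk up the prototype
  // chain for inputs such as "constructor".
  return Object.prototype.hasOwnProperty.call(date, yearParam) ? date[yearParam] : undefined;
}

// Same shape as the slide's payload: close the quote, insert an expression, reopen it.
const hostileYear = "'+canary()+'";

lookupYearUnsafe(hostileYear);   // canary() runs: the injected expression was executed
lookupYearSafe(hostileYear);     // undefined, canary() untouched
```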
  • 20. Mo’ Money Mo’ Trouble
     It’s around 2005.
     A new interesting thing happens.
     JavaScript + Ajax increase the number of commercial web applications
     The cost of computers lowers
     The platforms are converging to a common one. The browser.
     Big user base > Big money > Crime > Profit
  • 21. What would a naive user do?
  • 22. Man In The Browser - Banking Malware
     In 2005 the use of a virus to hook the browser’s interaction with banking websites was theorized for the first time.
     Takes advantage of the common interface the browser gives
     Changes the page on the fly.
     It’s a win-win. Browser rules are completely subverted!
     Perfect Sandbox Bypass
  • 23. Man In The Browser  Configuration Example:
  • 24. Meantime.. On the Mobile..
  • 25. Yay! Look Ma’ I’m in a telephone!
     Every mobile OS lets developers use a so-called WebView.
    It’s 2011: iOS Skype HTML Injection in the username visualization. It led to access to whatever the app can access.
    https://www.superevr.com/blog/2011/xss-in-skype-for-ios/
  • 26. Just Before the Present – The JavaScript Situation
    It's 2011
     WebSites are full of JavaScript coming from:
     Advertising,
     Web analytics,
     User Interaction,
     Helper libraries.
  • 27. Just Before the Present - DOMinator
     I wrote a tool called DOMinator:
     Modification of Firefox
     Helps to track JavaScript flow during its execution
     Alerts if there's some potentially exploitable flaw in the code.
     Took the top 100 most visited sites, analyzed them with it:
     57 had at least some weakness in their JavaScript code.
  • 29. Present + Past
     Past stuff is actually (mostly) still here :)
     Some effort from browser vendors to improve SOP:
     Content Security Policy
     Implemented by all browsers
     Not widely used by web applications.
     Unfortunately everything is happening on top of an old model.
    There’s more! New JavaScript frameworks and models are gaining interest.
  • 30. HTML Templating – Complex JS Models
     Welcome to a new way to dynamically generate the HTML page on the fly on the browser side!
     Welcome HTML Templates
     Welcome Client Side Full Dynamic Content
     Welcome AngularJS and siblings!
  • 31. AngularJS – a New Sandbox to Escape From
    {{ qty * cost }} is not directly executed by the browser’s JS parser.
     An expression parser is implemented on top of JS.
     It’s actually a Sandbox around JS implemented in JS.
  • 32. AngularJS – a New Sandbox to Escape From
     Try to run {{alert(1)}}
     The Sandbox removes access to “dangerous objects” and their attributes.
     Still, sandbox security is often a long process, refined over time.
     Here’s a (mindblowing) Sandbox bypass (fixed):
    ''.sub.call.call( ({})["constructor"].getOwnPropertyDescriptor( ''.sub.__proto__, "constructor").value, null, "alert(1)" )()
    https://code.google.com/p/mustache-security/wiki/AngularJS
  • 33. AngularJS – a New Problem to Face
     User content is completely generated on the client.
     How can we create a pdf on the server side using the user page?
    1. Extract the generated HTML
    2. Send it to the server
    3. Use a browser on the server to recreate the graphics
    4. Convert it to PDF.
  • 35. PDF Generation from Complex Content
     WebKit – Webkit2PDF
     Other browser-based solutions.
     What could go wrong with the following content?
    <iframe src=“http://internalRouter/”></iframe>
     Parsed by a browser on the server side?
     Write access to the whole internal network, as if you had access to the web server’s network with your browser!
     Arbitrary Server Side Requests
  • 37. JavaScript in the full Web Stack!
  • 38. JavaScript on the Server Side.. Again!
     JavaScript is used by hundreds of thousands of developers.
     It's too popular. There's a new breakthrough.
     NodeJS - JS on the server side. - Welcome Back 2003.
     MongoDB - JavaScript on the DBMS Layer
  • 39. JavaScript on the Server Side.. Again!
  • 40. JavaScript on the Server Side.. Again!
     Request the following to a node application:
    Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff
    Node: { parameter: [ 'sss', 'fff' ] }
    Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff
    Node: { parameter: { XX: 'sss', YYY: 'fff' } }
     Node gets the query string and transforms it into JavaScript Object Notation (JSON).
     Completely different from all other web servers!
  • 41. JavaScript on a DB! SQL Injection? Kind Of
     Is some other fancy server-side attack still possible? Let’s see.
    1. Create a simple nodeJS + MongoDB application
    //MongoDB Access from NodeJS
    User.findOne({user: req.body.user, pass: req.body.pass},...
    2. Test the environment
    Client Request: user=aUserName&pass=aPassword
    Node sees as: { user: 'aUserName', pass: 'aPassword' }
  • 42. JavaScript on a DB! SQL Injection? Kind Of
    3. Now look at the MongoDB manual and find the interesting parts.
    http://docs.mongodb.org/manual/reference/sql-comparison/
    4. Identify one of many attacks that can be performed:
    Client Request: user[$ne]=aUserName&pass[$ne]=aPassword
    Node sees as: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }
    MongoDB sees as: SELECT * from users where user != ‘aUsername’ and pass != ‘aPassword’;
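The query-string behaviour of slide 40 and the findOne() check that blocks the $ne trick of slides 41-42, as one added JavaScript example that is not code from the deck, from Node or from Express: parseExtended is a small re-implementation of the bracket-notation parsing that Express applies through the qs package (Node's built-in querystring module only turns repeated keys into arrays), buildLoginFilter is the type check a defender adds before the credentials reach the query, and all names are hypothetical.

```javascript
// Added example (not from the original slides). parseExtended mimics the
// "extended" query-string parsing that turns user[$ne]=x into { user: { $ne: 'x' } };
// buildLoginFilter refuses anything but plain strings for the credentials.
function parseExtended(queryString) {
  const result = Object.create(null);   // null prototype: a "__proto__" key is just a key
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    // "parameter[XX][YYY]" -> ["parameter", "XX", "YYY"]
    const path = decodeURIComponent(rawKey).split(/[\[\]]/).filter(Boolean);
    if (path.length === 0) continue;
    setPath(result, path, value);
  }
  return result;
}

function setPath(obj, path, value) {
  const [head, ...rest] = path;
  if (rest.length === 0) {
    // Repeated key: collect the values into an array, as on slide 40.
    obj[head] = Object.prototype.hasOwnProperty.call(obj, head)
      ? [].concat(obj[head], value)
      : value;
    return;
  }
  if (typeof obj[head] !== 'object' || obj[head] === null) obj[head] = Object.create(null);
  setPath(obj[head], rest, value);
}

// Credentials must be plain strings before they reach User.findOne(); an object
// here is a query operator chosen by the client, not a value to compare against.
function buildLoginFilter(body) {
  const { user, pass } = body;
  if (typeof user !== 'string' || typeof pass !== 'string') {
    throw new TypeError('user and pass must be strings');
  }
  return { user, pass };
}

// The slide's requests, as constructed sample input.
console.log(JSON.stringify(parseExtended('parameter[XX]=sss&parameter[YYY]=fff')));
console.log(JSON.stringify(parseExtended('user[$ne]=aUserName&pass[$ne]=aPassword')));
```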
  • 44. What’s going on?
     Web as Gaming Platform, No Plugins (QuakeJs)
     Possible to “compile” games written in C/C++ to asm.js (speed within 1.5x of native ones!)
  • 45. What’s going on? Mobile?  FirefoxOS (Mobile Applications in HTML5 + JS)
  • 46. What’s going on? Anything Left?
     JS Internet Of Things (JS Interpreter in a chip).
     Projects about creating an operating system on top of nodeJS.
  • 47. Conclusions
     We live in a world that changes faster than before.
     New interesting technologies could get a huge user base in a few months
     When everything moves even faster
     Without giving the right time to understand the implications or the subtleties underneath them.
    Can you See it Now?
     JavaScript seems easy but, as usually happens, quality code means more than basic JS skills.
     Things are getting even harder.
     Yet we need talented people to break and build code and innovate as much as possible!
  • 48. Future?? I can’t even imagine how intricate the next years will be! And this is only one language!
  • 49. Thank you! /*Go and Exploit Ethically */ Q&A Twitter: @wisecwisec https://www.mindedsecurity.com Mail: stefano.dipaola@mindedsecurity.com