JavaScript is the most widely used language across platforms. This talk analyzes the security concerns from past to present, with a peek at the future of this important language. This talk was presented as a keynote at CyberCamp Espana 2014.
1. Cyber Camp 2014
(In)Security Implications in
JavaScript Universe
Stefano Di Paola, CTO Minded Security
2. $ whoami
Stefano Di Paola @WisecWisec
Research (Spare Time)
Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP)
Software Security Since '99
Dealing with JavaScript since 2006
Work
CTO @ Minded Security Application Security Consulting
Director of Minded Security Research Labs
3. What’s this talk about
Birth and rise of an important language.
The security implications around it.
Try to use the JavaScript phenomenon to understand some things about security and the real world.
I won’t say JavaScript is insecure. It would be complete nonsense.
4. Brief History Of JS – 1990 - 2000
1990: only HTML
1996: JavaScript is in the browser
1999: Ajax
6. Brief History 2009-2014
Browser vendors are pushing new features:
improving speed
graphics capabilities
sound
Sounds like a plan!
…and guess what’s the glue?
JavaScript, of course!
9. 1996 - Why did JS become so important?
It improves the user experience during browsing.
On the other side, it gives a way to:
read
create
modify
delete page content.
10. Browser with new Powers
I mean:
Without JavaScript a browser was just an HTML parser (not only that, I know..).
With JavaScript a browser has a whole new playground.
Can those features be abused?
11. Browser with new Powers - Risks
The browser now has to protect, some way:
User remote data: website A (evil) trying to read/modify/etc. content from website B (victim) by abusing the victim’s browser.
User local data: a malicious site could try to access disk files.
[Image: User Data is gone]
12. Browser with new Powers - SOP
The concept of same-origin policy (SOP) dates back to Netscape Navigator 2 in 1995.
Same Origin Policy: an origin is the scheme + host + port triple, e.g. http://evil.com:80; script running in one origin must not read or modify content belonging to another.
Implementing access control rules in a hostile environment is also known as a Sandbox.
13. Subverting the SandBox – The old style
The server builds the page by concatenating strings:
"<html>.." + taintedInput + "..</html>"
With
taintedInput=<script>evilJs</script>
the browser receives
<html>..<script>evilJs</script>..</html>
and runs evilJs inside the site’s origin: Cross Site Scripting.
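The concatenation pattern above, run as an added example (not code from the talk): the same one-line template with and without escaping, plus a crude check on the output. The function names, the template text and the attacker payload are all constructed for the example.

```javascript
// Added example: tainted input concatenated into HTML, beside an escaped version.
// renderGreetingVulnerable, renderGreetingSafe, escapeHtml and containsScriptTag
// are names assumed for this example.

// Minimal HTML escaper for text placed inside an element body or a quoted
// attribute value. Covers the five characters that matter in that context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[ch]));
}

// The "old style": the template is string concatenation, so whatever the
// user sends becomes markup, including <script>.
function renderGreetingVulnerable(taintedInput) {
  return '<html><body><h1>Hello ' + taintedInput + '</h1></body></html>';
}

// Same template, but the tainted value is escaped before concatenation.
function renderGreetingSafe(taintedInput) {
  return '<html><body><h1>Hello ' + escapeHtml(taintedInput) + '</h1></body></html>';
}

// Crude check: does the output contain a script element anywhere?
// (A real scanner would parse the HTML; this is enough to show the difference.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const payload = '<script>evilJs</script>'; // constructed attacker input

console.log(renderGreetingVulnerable(payload)); // markup: evilJs runs in the page
console.log(renderGreetingSafe(payload));       // inert text
```

Escaping is context dependent: this escaper is right for element bodies and quoted attributes, but not for values placed inside a script block, a URL or a CSS rule, each of which needs its own encoding.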
14. Subverting the SandBox – The old-new style
Abuse the functionality of a plugin that:
behaves differently from the browser
gives too much power without controls
in order to access data, whatever the browser rules are.
Universal Cross Site Scripting
15. Subverting the SandBox – Acrobat Reader Plugin
Example: Acrobat Reader Plugin UXSS 2006
Suppose a PDF is reachable from:
http://www.google.com/doc.pdf
The attacker adds
http://www.google.com/doc.pdf?fdf=javascript:evilJS...
and forces the victim’s browser to visit the URL.
The plugin executes the JavaScript as if it originated from google.com.
What happens when a user simply has some PDF on their PC?
An attacker could access the whole filesystem!
16. Subverting the SandBox – The old-new-new style
Browser Extensions:
JavaScript running in extensions has much more power than on HTML pages.
They can be developed by anyone:
could be malicious
..or simply badly written (vulnerable to external attacks).
Very similar to the plugin model, but easier to develop.
Any user can install them.
Useful for lots of stuff (Gmail inbox checking, ad blocking etc.)
18. Yay! Look Ma’ I’m on the Server Side!
An early implementation of JavaScript on the server side, but the results were not so nice:
var year=eval("date['"+request["params"]["year"]+"'];");
It became a Remote Code Execution:
http://host/?year='+response.write(system("cat /etc/passwd"))+'
It was a bank web application (implemented in 2003, tested by me in 2008).
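The eval-based lookup from the slide, reproduced as an added example (not the bank application’s code) beside a lookup that never evaluates user input. The `date` object, the function names and the payload are constructed; the payload follows the slide’s `'+...+'` shape, closing the string literal, running code, and reopening it so the expression still parses, but uses a visible side effect in place of `system("cat /etc/passwd")`.

```javascript
// Added example: eval of a request parameter (RCE) beside a safe property lookup.
// `date`, lookupYearVulnerable, lookupYearSafe and demo are assumed names.

// Constructed data the lookup is meant to index.
const date = { 2003: 'implemented', 2008: 'tested' };

// Vulnerable: the request parameter is spliced into source code and evaluated.
// A quote in the input closes the string literal; everything after it is code.
function lookupYearVulnerable(yearParam) {
  // eslint-disable-next-line no-eval
  return eval("date['" + yearParam + "'];");
}

// Hardened: treat the parameter purely as a property name and only accept
// keys the object itself defines (no prototype walk, no evaluation).
function lookupYearSafe(yearParam) {
  const key = String(yearParam);
  return Object.prototype.hasOwnProperty.call(date, key) ? date[key] : undefined;
}

// Stand-in for the slide's system("cat /etc/passwd"): a side effect we can observe.
// Constructed payload: closes the quote, runs code, reopens the quote.
const payload = "'] + (globalThis.pwned = 'rce') + ['";

function demo() {
  delete globalThis.pwned;
  lookupYearVulnerable(payload);
  const afterVulnerable = globalThis.pwned; // 'rce': attacker code ran

  delete globalThis.pwned;
  const safeResult = lookupYearSafe(payload);
  const afterSafe = globalThis.pwned;       // undefined: nothing executed

  return { afterVulnerable, safeResult, afterSafe };
}

console.log(demo());
console.log(lookupYearSafe('2008'));        // 'tested'
console.log(lookupYearSafe('constructor')); // undefined, not Object
```

The safe version also refuses inherited names such as `constructor` or `__proto__`, which a plain `date[key]` would happily return.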
20. Mo’ Money Mo’ Trouble
It’s around 2005.
A new interesting thing happens.
JavaScript + Ajax increase the number of commercial web applications.
The cost of computers drops.
The platforms are converging to a common one: the browser.
Big user base > Big money > Crime > Profit
22. Man In The Browser - Banking Malware
In 2005 the use of a virus to hook the browser’s interaction with banking websites was theorised for the first time.
It takes advantage of the common interface the browser gives.
It changes the page on the fly.
It’s a win-win for the attacker: browser rules are completely subverted!
Perfect Sandbox Bypass
25. Yay! Look Ma’ I’m in a telephone!
Every mobile OS lets developers use a so-called WebView.
It’s 2011: iOS Skype HTML injection in the username display. It led to access to whatever the app can access.
https://www.superevr.com/blog/2011/xss-in-skype-for-ios/
26. Just Before the Present – The JavaScript Situation
It's 2011
WebSites are full of JavaScript coming from:
Advertising,
Web analytics,
User Interaction,
Helper libraries.
27. Just Before the Present - DOMinator
I wrote a tool called DOMinator:
A modification of Firefox
It helps to track JavaScript flow during its execution
It alerts if there’s some potentially exploitable flaw in the code.
I took the top 100 most visited sites and analyzed them with it:
57 had at least some weakness in their JavaScript code.
29. Present + Past
Past stuff is actually (mostly) still here :)
Some effort from browser vendors to improve on SOP:
Content Security Policy
Implemented by all browsers
Not widely used by web applications.
Unfortunately everything is happening on top of an old model.
There’s more! New JavaScript frameworks and models are gaining interest.
30. HTML Templating – Complex JS Models
Welcome to a new way to dynamically generate the HTML page on the fly, on the browser side!
Welcome HTML Templates
Welcome Client Side Full Dynamic Content
Welcome AngularJS and siblings!
31. AngularJS – a New Sandbox to Escape From
{{ qty * cost }}
is not directly executed by the browser’s JS parser.
An expression parser is implemented on top of JS.
It’s actually a sandbox around JS, implemented in JS.
32. AngularJS – a New Sandbox to Escape From
Try to run {{alert(1)}}
The sandbox removes access to “dangerous objects” and their attributes.
Still, sandbox security is often a long process, refined over time.
Here’s a (mindblowing) sandbox bypass (fixed):
''.sub.call.call(
({})["constructor"].getOwnPropertyDescriptor(
''.sub.__proto__, "constructor").value,
null,
"alert(1)" )()
https://code.google.com/p/mustache-security/wiki/AngularJS
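The bypass expression above, decomposed step by step in plain JavaScript as an added example (not code from the talk or from the AngularJS project) so each hop is visible and can be verified outside a browser. The function names are assumed, and the payload body is changed from `alert(1)` to a return value so it runs under Node; what the example shows is the mechanics of reaching the `Function` constructor without ever writing `.constructor` as a member access in the expression, which is the kind of attribute check the sandbox relied on.

```javascript
// Added example: the sandbox-bypass expression, one hop at a time.
// buildFunctionWithoutNamingFunction, isFunctionConstructorReached and
// runPayload are assumed names.

function buildFunctionWithoutNamingFunction(body) {
  // 1. Any built-in method is a Function instance. ''.sub is one of the
  //    legacy String.prototype methods, chosen because it is short.
  const someFunction = ''.sub;

  // 2. Its __proto__ is Function.prototype.
  const fnProto = someFunction.__proto__;

  // 3. Object (reached as ({}).constructor) exposes getOwnPropertyDescriptor;
  //    asking it for fnProto's own "constructor" property yields the Function
  //    constructor itself. "constructor" only ever appears as a string
  //    argument here, never as a `.constructor` member access.
  const FunctionCtor = ({}).constructor.getOwnPropertyDescriptor(fnProto, 'constructor').value;

  // 4. ''.sub.call is Function.prototype.call; invoking it with `this` bound
  //    to FunctionCtor is FunctionCtor.call(null, body), i.e. Function(body):
  //    a fresh function compiled from the string, outside any sandbox.
  return ''.sub.call.call(FunctionCtor, null, body);
}

// Confirms step 3 really lands on the global Function constructor.
function isFunctionConstructorReached() {
  const ctor = ({}).constructor.getOwnPropertyDescriptor(''.sub.__proto__, 'constructor').value;
  return ctor === Function;
}

// Equivalent of the slide's "alert(1)" with an observable result.
function runPayload() {
  return buildFunctionWithoutNamingFunction('return 1 + 41')();
}

console.log(isFunctionConstructorReached()); // true
console.log(runPayload());                   // 42
```

The lesson generalises: a sandbox that filters property names in the expression it parses still has to account for every built-in that can hand back the same object when asked by string, and `getOwnPropertyDescriptor` is only one of them.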
33. AngularJS – a New Problem to Face
User content is completely generated on the client.
How can we create a PDF on the server side using the user’s page?
1. Extract the generated HTML
2. Send it to the server
3. Use a browser on the server to recreate the graphics
4. Convert it to PDF.
35. PDF Generation from Complex Content
WebKit – Webkit2PDF
Other browser based solutions.
What could go wrong with the following content?
<iframe src="http://internalRouter/"></iframe>
parsed by a browser on the server side?
Requests reach the whole internal network, as if you were browsing from the web server’s network!
Arbitrary Server Side Requests
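One check a practitioner would put in front of a server-side renderer, as an added example (not code from the talk or from Webkit2PDF): walk the `src`/`href` attributes of the user-supplied HTML and refuse to render when any of them points at a target the rendering host must not reach. All function names, the private-range table and the sample HTML are constructed for the example; the attribute scan is regex-based on purpose to stay short and would be a real HTML parser in production.

```javascript
// Added example: pre-render gate against server-side requests to internal hosts.
// collectResourceUrls, ipv4ToInt, inRange, isInternalTarget and checkHtmlForSsrf
// are assumed names.

// Pull the values of src= and href= attributes (double-, single- or unquoted).
function collectResourceUrls(html) {
  const re = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1] ?? m[2] ?? m[3]);
  return urls;
}

// Dotted-quad to unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const parts = host.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((acc, p) => (acc << 8) + Number(p), 0) >>> 0;
}

function inRange(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (ip & mask) === (ipv4ToInt(base) & mask);
}

// Ranges a rendering host should never be asked to fetch from (constructed list).
const PRIVATE_V4 = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16', '0.0.0.0/8'];

// True when the URL must not be fetched from inside the rendering host.
function isInternalTarget(raw) {
  let u;
  try { u = new URL(raw); } catch { return true; }                         // relative or malformed: refuse
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return true;      // file:, data:, etc.
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host.includes(':')) return host === '::1' || /^f[cd]/.test(host) || host.startsWith('fe80');
  const ip = ipv4ToInt(host);
  if (ip !== null) return PRIVATE_V4.some((cidr) => inRange(ip, cidr));
  return !host.includes('.');   // single-label names such as "internalrouter" only resolve on the LAN
}

// Returns the offending URLs; an empty list means the document may be rendered.
function checkHtmlForSsrf(html) {
  return collectResourceUrls(html).filter(isInternalTarget);
}

// Constructed sample: the slide's iframe next to a harmless image.
const sample = '<p>report</p><iframe src="http://internalRouter/"></iframe><img src="https://cdn.example.com/logo.png">';
console.log(checkHtmlForSsrf(sample)); // [ 'http://internalRouter/' ]
```

A string check like this is only the first layer: it does not see CSS `url()` references, redirects, DNS names that resolve to private addresses, or DNS rebinding. The durable fix is to run the renderer on a host whose egress is limited to the resources it legitimately needs.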
38. JavaScript on the Server Side.. Again!
JavaScript is used by hundreds of thousands of developers.
It’s too popular.
There’s a new breakthrough:
NodeJS - JS on the server side. Welcome back, 2003.
MongoDB - JavaScript on the DBMS layer.
40. JavaScript on the Server Side.. Again!
Request the following from a node application:
Client: http://127.0.0.1:49090/?parameter=sss&parameter=fff
Node: { parameter: [ 'sss', 'fff' ] }
Client: http://127.0.0.1:49090/?parameter[XX]=sss&parameter[YYY]=fff
Node: { parameter: { XX: 'sss', YYY: 'fff' } }
Node gets the query string and transforms it into a JavaScript object (this is the behaviour of Express’s query parser, the qs module; Node’s core querystring module turns repeated keys into arrays but does not nest bracketed keys).
Completely different from all other web servers!
41. JavaScript on a DB! SQL Injection? Kind of
Is some other fancy server-side attack still possible?
Let’s see.
1. Create a simple nodeJS + MongoDB application
//MongoDB Access from NodeJS
User.findOne({user: req.body.user, pass: req.body.pass},...
2. Test the environment
Client Request: user=aUserName&pass=aPassword
Node sees it as: { user: 'aUserName', pass: 'aPassword' }
42. JavaScript on a DB! SQL Injection? Kind of
3. Now look at the MongoDB manual and find the interesting parts:
http://docs.mongodb.org/manual/reference/sql-comparison/
4. Identify one of the many attacks that can be performed:
Client Request: user[$ne]=aUserName&pass[$ne]=aPassword
Node sees it as: { user: { '$ne': 'aUserName' }, pass: { '$ne': 'aPassword' } }
MongoDB sees it as the equivalent of: SELECT * FROM users WHERE user != 'aUserName' AND pass != 'aPassword';
findOne returns the first user whose name and password differ from the supplied values, which with arbitrary values is any user: the login check is bypassed.
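The two preceding slides (the bracket-syntax query parsing on slide 40 and the `$ne` login bypass on slides 41 and 42), run end to end as one added example that is not the talk’s application: a small parser in the style of Express’s qs module, a minimal in-memory matcher that understands equality and `$ne` the way a MongoDB filter does, and the login function with and without the type check that closes the hole. The parser, matcher, user records and function names are all constructed for the example; no database is needed.

```javascript
// Added example: query-string type confusion feeding a MongoDB-style filter.
// parseBracketQuery, matchesFilter, findOne, loginUnsafe, loginSafe,
// requireString and `users` are assumed names / constructed data.

// Parses "a=1&b[x]=2&c=3&c=4" into { a: '1', b: { x: '2' }, c: ['3', '4'] }.
// One level of brackets only; enough to reproduce the slide's behaviour.
function parseBracketQuery(qs) {
  const out = {};
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      const [, base, sub] = m;
      if (base === '__proto__' || sub === '__proto__') continue; // keep the demo free of prototype pollution
      if (!own(out, base) || typeof out[base] !== 'object' || Array.isArray(out[base])) out[base] = {};
      out[base][sub] = val;
    } else if (own(out, key)) {
      out[key] = [].concat(out[key], val);   // repeated key -> array
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Mini MongoDB matcher: a filter field is either a literal (equality) or an
// operator object. Only $ne is implemented, which is all the slide needs.
function matchesFilter(doc, filter) {
  return Object.keys(filter).every((field) => {
    const cond = filter[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      if (Object.prototype.hasOwnProperty.call(cond, '$ne')) return doc[field] !== cond.$ne;
      throw new Error('unsupported operator in ' + JSON.stringify(cond));
    }
    return doc[field] === cond;
  });
}

function findOne(collection, filter) {
  return collection.find((doc) => matchesFilter(doc, filter)) || null;
}

// Constructed user store (clear-text passwords only to keep the demo short).
const users = [
  { user: 'admin', pass: 'S3cret!' },
  { user: 'bob',   pass: 'hunter2' },
];

// Vulnerable: whatever shape the parser produced goes straight into the filter.
function loginUnsafe(body) {
  const req = parseBracketQuery(body);
  return findOne(users, { user: req.user, pass: req.pass });
}

// Fix: reject anything that is not a plain string before it reaches the query.
function requireString(v, name) {
  if (typeof v !== 'string') throw new TypeError(name + ' must be a string');
  return v;
}

function loginSafe(body) {
  const req = parseBracketQuery(body);
  return findOne(users, {
    user: requireString(req.user, 'user'),
    pass: requireString(req.pass, 'pass'),
  });
}

console.log(parseBracketQuery('parameter=sss&parameter=fff'));           // { parameter: [ 'sss', 'fff' ] }
console.log(parseBracketQuery('parameter[XX]=sss&parameter[YYY]=fff'));  // { parameter: { XX: 'sss', YYY: 'fff' } }
console.log(loginUnsafe('user=admin&pass=wrong'));                       // null
console.log(loginUnsafe('user[$ne]=x&pass[$ne]=y'));                     // the admin record
```

The type check is the whole fix: once `user` and `pass` are guaranteed to be strings, the only thing the client can influence is the value being compared, not the shape of the query.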
44. What’s going on?
Web as a gaming platform, no plugins (QuakeJS).
It’s possible to “compile” games written in C/C++ to asm.js (speed within about 1.5x of native!).
46. What’s going on? Anything Left?
JS Internet of Things (a JS interpreter on a chip).
Projects about creating an operating system on top of nodeJS.
47. Conclusions
We live in a world that changes faster than before.
New interesting technologies could get a huge user base in a few months.
When that happens everything moves even faster, without giving the right time to understand the implications or the subtleties underneath them.
[Image: Can you even see it now?]
JavaScript seems easy but, as usually happens, quality code means more than basic JS skills.
Things are getting even harder.
Yet we need talented people to break and build code and innovate as much as possible!
48. Future??
I can’t even imagine how intricate the next years will be!
And this is only one language!