Client-side JavaScript Vulnerabilities
Download as pptx, pdf12 likes28,095 views
The document discusses the evolution of client-side JavaScript and its related security vulnerabilities, particularly focusing on techniques such as DOM-based cross-site scripting and client-side open redirects. A significant finding is that 14.5% of analyzed web pages in a Fortune 500 study were found to have vulnerabilities, highlighting the growing risk as application logic shifts to client-side processing. It introduces a JavaScript Security Analyzer (JSA) designed to automatically detect various client-side issues, offering a more efficient way to uncover vulnerabilities compared to traditional manual reviews.
![(Lack of) Statistics on Client-Side JS IssuesTwo options for gathering statisticsAutomated discoveryManual discoveryAutomated toolsDynamic analysis tools only uncover ~30%Static analysis tools struggle with dynamic code (AJAX)Manual code review is hell – have you seen JavaScript lately?dojo._xdReset();if(dojo["_xdDebugQueue"]&&dojo._xdDebugQueue.length>0){dojo._xdDebugFileLoaded();}else{dojo._xdNotifyLoaded();}};dojo._xdNotifyLoaded=function(){for(var _99 in dojo._xdInFlight){if(typeofdojo._xdInFlight[_99]=="boolean"){return;}}dojo._inFlightCount=0;if(dojo._initFired&&!dojo._loadNotifying){dojo._callLoaded();}};if(typeof window!="undefined"){dojo.isBrowser=true;dojo._name="browser";(function(){var d=dojo;if(document&&document.getElementsByTagName){var _9a=document.getElementsByTagName("script");var _9b=/dojo(\.xd)?\.js(\W|$)/i;for(vari=0;i<_9a.length;i++){varsrc=_9a[i].getAttribute("src");if(!src){continue;}var m=src.match(_9b);if(m){if(!d.config.baseUrl){d.config.baseUrl=src.substring(0,m.index);}varcfg=_9a[i].getAttribute("djConfig");if(cfg){var _9c=eval("({ "+cfg+" })");for(var x in _9c){dojo.config[x]=_9c[x];}}break;}}}d.baseUrl=d.config.baseUrl;var n=navigator;vardua=n.userAgent,dav=n.appVersion,tv=parseFloat(dav);if(dua.indexOf("Opera")>=0){d.isOpera=tv;}if(dua.indexOf("AdobeAIR")>=0){d.isAIR=1;}d.isKhtml=(dav.indexOf("Konqueror")>=0)?tv:0;d.isWebKit=parseFloat(dua.split("WebKit/")[1])||undefined;d.isChrome=parseFloat(dua.split("Chrome/")[1])||undefined;d.isMac=dav.indexOf("Macintosh")>=0;var _9d=Math.max(dav.indexOf("WebKit"),dav.indexOf("Safari"),0);if(_9d&&!dojo.isChrome){d.isSafari=parseFloat(dav.split("Version/")[1]);if(!d.isSafari||parseFloat(dav.substr(_9d+7))<=419.3){d.isSafari=2;}}if(dua.indexOf("Gecko")>=0&&!d.isKhtml&&!d.isWebKit){d.isMozilla=d.isMoz=tv;}if(d.isMoz){d.isFF=parseFloat(dua.split("Firefox/")[1]||dua.split("Minefield/")[1])||undefined;}if(document.all&&!d.isOpera){d.isIE=parseFloat(dav.split("MSIE ")[1])||undefined;var _9e=document.documentMode;if(_9e&&_9e!=5&&Math.floor(d.isIE)!=_9e){d.isIE=_9e;}}if(dojo.isIE&&window.location.protocol==="file:") {dojo.config.ieForceActiveXXhr=true;}d.isQuirks=document.compatMode=="BackCompat";d.locale=dojo.config.locale||(d.isIE?n.userLanguage:n.language).toLowerCase();](https://image.slidesharecdn.com/jsafinal15311-110728140708-phpapp02/85/Client-side-JavaScript-Vulnerabilities-12-320.jpg)
Client-side JavaScript Vulnerabilities
- 1. Client-side JavaScriptSecurity vulnerabilitiesThe Twilight Zone of Web Application Security Ory SegalSecurity Products Architect, Rational
- 2. ORY SEGALSecurity products architect, RationalAppScan product managerWeb Application Security Consortium officerContributor (WASC, MITRE, NIST, OWASP)Renowned application security expertAppScan
- 3. From server to client side – The migration story of web application logic
- 4. 1990<HTML>Capable of presenting only text and hyperlinks1993<IMG>Embedded images in web pages (3rd. Party allowed)1995<SCRIPT>JavaScript enables programmatic modifications to HTML1996<IFRAME>Embeds a page within a page (3rd party contents)<EMBED>Embed an Adobe Flash file for animation1999Client-side API (e.g. JS). Send & receive HTTP traffic programmatically, without refreshing the entire pageXHRFetch data asynchronously using XHR reducing the time spent waiting on page loads. Desktop app look & feelAJAX2005Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, …HTML5 & APIs2011
- 5. Logic is Migrating from Server to Client…We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
- 6. Client-side JavaScript Security Issues
- 7. DOM-Based Cross-site ScriptingA type of XSS (the third type after “Reflected” & “Stored”)Application doesn’t need to echo back user input like in Type I & Type IIWe poison a DOM element, which is used in JavaScript codeExamplehttp://www.vuln.site/welcome.html?name=Ory1:<HTML>2: <TITLE>Welcome!</TITLE>3: Hi4: <SCRIPT>5: var pos = document.URL.indexOf("name=") + 5;6: document.write(document.URL.substring(pos,document.URL.length));7: </SCRIPT> <BR/>8: Welcome to our system9:</HTML>Source : document.URLSink : document.write()Results : document.write("Ory")
- 8. DOM-Based Cross-site ScriptingAttack Examplehttp://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>1: <HTML>2: <TITLE>Welcome!</TITLE>3: Hi4: <SCRIPT>5: var pos = document.URL.indexOf("name=") + 5;6: document.write(document.URL.substring(pos,document.URL.length));7: </SCRIPT> <BR/>8: Welcome to our system9: </HTML>Source : document.URLSink : document.write()Results : document.write("<script>alert('hacked')</script>")The attack took place entirely on the client-side (# fragment identifier)
- 9. Hacker controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc.Client-side Open RedirectJavaScript code automatically redirects the browser to a new locationNew location is taken from a DOM element (URL, Query, Referrer, etc.)Examplehttp://www.vuln.site/redirect.html?a=5&url=http://www.some.site...12: varsData = document.location.search.substring(1);13: varsPos = sData.indexOf("url=") + 4;14: varePos = sData.indexOf("&", sPos);15: varnewURL;16: if (ePos< 0) { newURL = sData.substring(sPos);} 17: else { newURL = sData.substring(sPos, ePos);}18:window.location.href = newURL;Source : document.locationSink : window.location.hrefResults : window.location.href = "http://www.some.site";
- 10. Stored DOM-Based Cross-Site ScriptingExploiting HTML5 localStorage API...17: var pos = document.URL.indexOf("name=") + 5;18: varyourName = document.URL.substring(pos,document.URL.length)19: decodeURI(yourName);20: window.localStorage.name = yourName;21: }...welcomeregister...3: <div id="header"></div>4: <script>5: varelem = document.getElementById("header");6: varname = window.localStorage.name;7: elem.innerHTML = "Hello, " + name;8: </script>...Source : document.URLStorage : window.localStorage.nameSink : elem.innerHTMLResults : elem.innerHTML = <value_of_name_parameter>
- 11. So, how common are client-side JavaScript issues?
- 12. (Lack of) Statistics on Client-Side JS IssuesTwo options for gathering statisticsAutomated discoveryManual discoveryAutomated toolsDynamic analysis tools only uncover ~30%Static analysis tools struggle with dynamic code (AJAX)Manual code review is hell – have you seen JavaScript lately?dojo._xdReset();if(dojo["_xdDebugQueue"]&&dojo._xdDebugQueue.length>0){dojo._xdDebugFileLoaded();}else{dojo._xdNotifyLoaded();}};dojo._xdNotifyLoaded=function(){for(var _99 in dojo._xdInFlight){if(typeofdojo._xdInFlight[_99]=="boolean"){return;}}dojo._inFlightCount=0;if(dojo._initFired&&!dojo._loadNotifying){dojo._callLoaded();}};if(typeof window!="undefined"){dojo.isBrowser=true;dojo._name="browser";(function(){var d=dojo;if(document&&document.getElementsByTagName){var _9a=document.getElementsByTagName("script");var _9b=/dojo(\.xd)?\.js(\W|$)/i;for(vari=0;i<_9a.length;i++){varsrc=_9a[i].getAttribute("src");if(!src){continue;}var m=src.match(_9b);if(m){if(!d.config.baseUrl){d.config.baseUrl=src.substring(0,m.index);}varcfg=_9a[i].getAttribute("djConfig");if(cfg){var _9c=eval("({ "+cfg+" })");for(var x in _9c){dojo.config[x]=_9c[x];}}break;}}}d.baseUrl=d.config.baseUrl;var n=navigator;vardua=n.userAgent,dav=n.appVersion,tv=parseFloat(dav);if(dua.indexOf("Opera")>=0){d.isOpera=tv;}if(dua.indexOf("AdobeAIR")>=0){d.isAIR=1;}d.isKhtml=(dav.indexOf("Konqueror")>=0)?tv:0;d.isWebKit=parseFloat(dua.split("WebKit/")[1])||undefined;d.isChrome=parseFloat(dua.split("Chrome/")[1])||undefined;d.isMac=dav.indexOf("Macintosh")>=0;var _9d=Math.max(dav.indexOf("WebKit"),dav.indexOf("Safari"),0);if(_9d&&!dojo.isChrome){d.isSafari=parseFloat(dav.split("Version/")[1]);if(!d.isSafari||parseFloat(dav.substr(_9d+7))<=419.3){d.isSafari=2;}}if(dua.indexOf("Gecko")>=0&&!d.isKhtml&&!d.isWebKit){d.isMozilla=d.isMoz=tv;}if(d.isMoz){d.isFF=parseFloat(dua.split("Firefox/")[1]||dua.split("Minefield/")[1])||undefined;}if(document.all&&!d.isOpera){d.isIE=parseFloat(dav.split("MSIE ")[1])||undefined;var _9e=document.documentMode;if(_9e&&_9e!=5&&Math.floor(d.isIE)!=_9e){d.isIE=_9e;}}if(dojo.isIE&&window.location.protocol==="file:") {dojo.config.ieForceActiveXXhr=true;}d.isQuirks=document.compatMode=="BackCompat";d.locale=dojo.config.locale||(d.isIE?n.userLanguage:n.language).toLowerCase();
- 13. Introducing JavaScript Security Analyzer
- 14. What is JSA?1st and only to auto-detect client-side issues such as:DOM-based XSSPhishing through Open RedirectHTML5 Notification API PhishingHTML5 Web Storage API PoisoningHTML5 Client-side SQL InjectionHTML5 Client-side Stored XSSHTML5 Web Worker Script URL ManipulationEmail Attribute Spoofing\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x2x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21asiudasdfiuashdofuiashdofuiashdfoiasuhdfoasuidfhoasdufhasodfuihasodfuihasodfiuhasdofiuahsdfouiashdfouashdfoasuidhfoasiudhfasoidf[‘epqwkrqpw9k45032452309450we09f9c90asdkf0q9wkerq2w34123aspasdfoiasdpfoiasjdfpoiasjdfpoaisjdfp;asoidfjas;dfoijasd;fioajsdf;ioasjdf;aosidfja;soidfjasd;fiajsdf;asijdf;asidfjas;dfiojasd;fijdsf;oaisjdf;asifdjas;difjas;dfioajsd;foiasjdf;iasojdf;asiodfjas;dfoijasoifjpasDE-OBFUSCATIONSTRING/* analysis */HTML5AnalysisHybrid
- 15. Using JavaScript Security AnalyzerZero configuration requiredSuper-simpleSuper-fast
- 16. 16Viewing JSA Results in AppScan StandardAppScan Standard – Scan ResultsVulnerable URL and line of codeTainted data flow information
- 17. Lets try again…How common are client-side JavaScript issues?
- 18. Using JSA we ran a research on real sitesFortune 500175 Most popular sitesNon-obtrusive automated reviewManually verified resultsScary outcome…
- 19. 14.5% Vulnerable169,443 Total Pages90,929 Unique Pages1659 Pages with VulnerabilitiesLikelihood for a web page to be vulnerable is 1 : 55
- 20. Who wrote these vulnerabilities?62%In house38%3rd PartyMarketing campaign JavaScript snippets
- 21. Flash embedding JavaScript snippets
- 22. Social networking JavaScript snippets
- 23. Deep linking JavaScript libraries for Flash and AJAX applicationsIssue DistributionDOM-based XSSOpen Redirect
- 24. JavaScript is becoming prominent Modern applications HTML5 AJAX Web2.0Application logic is shifting to client-sideMore code == more vulnerabilitiesHappens when code relies on parts of the DOM that are hacker-controlledDetection requires tedious manual workAppScan with JSA can automate client-side issues detection
- 25. Q & A
- 26. Thank YouYou can download the full whitepaper at:http://tinyurl.com/5w6koqj