Ga!Ng Javascript Mistakes Using HTML5

QUALYS SECURITY CONFERENCE 2012

LAS VEGAS MUNICH LONDON PARIS OCT 25-26 NOV 06 NOV 08 NOV 13

Migang JavaScript Mistakes Using HTML5

Mike Shema Qualys, Inc. Aria Resort & Casino, Las Vegas, October 25th

1 JavaScript, JScript, ECMAScript, *.exe

• Cross-plaorm, vendor-neutral liability

• Easy to use, easier to misuse

• Challenging to maintain

• Achieving peace of mind from piece of code

2 QUALYS SECURITY CONFERENCE 2012

LAS VEGAS MUNICH LONDON PARIS OCT 25-26 NOV 06 NOV 08 NOV 13 try { security() } catch(err) { }

3 let me = count(ways);

jsfunfuzz -- “It has found about 280 bugs in Firefox's JavaScript engine... About two dozen were memory safety bugs that we believe were likely to be exploitable to run arbitrary code.”

http://www.squarefree.com/2007/08/02/introducing-jsfunfuzz/

4 { var Pwn2Own = $money; }

5 MS12-063 Event-Driven, Non-Blocking Vulns

</p><p><head><script> functionfuncB() { document.execCommand("selectAll"); }; functionfuncA() { document.write("L"); parent.arrr[0].src="YMjf\\u0c08\ \u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKS OQJGH"; } </script></head> <body onload='funcB();' onselect='funcA()'> <div contenteditable='true'>a</div> 6 For�fying the User Agent</p><p>• Execu�on • Experience • Auto-updates • Link reputa�on • Download tain�ng • Phishing warnings • Process separa�on • SSL/TLS indicators • Sandboxed plugins • XSS auditors</p><p>7 QUALYS SECURITY CONFERENCE 2012</p><p>LAS VEGAS MUNICH LONDON PARIS OCT 25-26 NOV 06 NOV 08 NOV 13</p><p>Design Pa�erns & Dangerous Territory</p><p>8 HTML Injec�on (XSS)</p><p>• The 20+ year-old vuln that refuses to die. • But JavaScript makes the situa�on be�er! • No, JavaScript makes the situa�on worse! • HTML5 to the rescue!(?)</p><p>9 Stop Building HTML on the Server • "String concatenation " + "is an " + $insecure " + "design pattern." • SQL injec�on • Command injec�on • ... injec�on</p><p>• JSON messages for a dynamic DOM • DOM node inser�on/modifica�on isn’t necessarily safer. • .textContent vs. .innerHTML</p><p>10 Careful Building HTML in the Browser</p><p>• The URL is evil. • h�p://web.site/safe.page#<script>alert(9)</script> • JavaScript func�ons are unsafe • document.write(), eval()</p><p>11 A�ack of the Invisible Fragment</p><p> h�p://web.site/dynamic#</p><p><script type="text/javascript"> $(document).ready(function() { var x = (window.location.hash.match(/^#([^\/].+)$/)||[])[1]; var w = $('a[name="' + x + '"], [id="' + x + '"]'); }); </script></p><p>12 Serialize vs. Sani�ze [ h�p://bit.ly/amazonxss ]</p><p>…>Page 16</span> ... t {...,"totalResults":4, require spaces to delimit "results":[[...],[...], their attributes. src=\".\"alt=\"\"onerror= JavaScript doesn't have \"alert('<b>zombie</b>') to… \"/> JavaScript doesnt have to rely on quotes to establish strings, nor do ...",...]]}</p><p>13 NoSQL/Comand Injec�on, Parsing</p><p>• Using JavaScript to create queries, filters, etc. • String concatena�on & JSON injec�on • Server-side JavaScript requires server-side security principles. http://web.site/calendar?year=1984’;while(1);var%20foo=‘bar</p><p> var data1 = '\ufffd1\ufffda'; var data2 = '\ufffd-1\ufffdhello'; var data3 = '\ufffd1<script>alert(9)</script>\ufffda'; var data4 = '\ufffd-27<script>alert(9)</script>\ufffda'; var data5 = '\ufffd-25\ufffda<script>alert(9)</script>';</p><p>14 Understanding the Language</p><p>• Same Origin Policy • Data access • Context • Percent encoding, HTML en��es, a�ributes, values • Scope pollu�on with misplaced var or shadow variables typeof(null) == "object"; typeof(undefined) == "undefined" null == undefined; null === undefined; // no!</p><p>15 Scope of Explora�on</p><p><head> <script> var x = 1; (function(){ var x = 2; }); var y = 1; function scopeBar() { doSomething(x); } function scopeBaz() { var x = 0; doSomething(x); } </script> </head> <body> <script> var z = 3 function scopeFoo() { doSomething(y); } var x = 4; scopeBar(); </script> </body></p><p>16 var BeefJS = { ... }; Scope & Precedence window.beef = BeefJS;</p><p><html> <html> <head> <body> <script> ...[ hook.js ]... BeefJS = {}; ... </script> <script> </head> beef.execute = <body> function(fn){ ... alert(n); ...[ hook.js ]... } ... </script> </body> </body> </html> </html></p><p>17 JavaScript Everywhere</p><p><head> <script> BeefJS = { commands: new Array(), execute: function() {}, regCmp: function() {}, version: "<script>alert(9)</script>" }; </script> </head> ...</p><p>18 H�pOnly?</p><p><head> <script> document.cookie = "BEEFHOOK="; </script> </head> ...</p><p>19 Prototype Chains</p><p><script> WebSocket.prototype._s = WebSocket.prototype.send; WebSocket.prototype.send = function(data) { // data = "."; console.log("\u2192 " + data); this._s(data); this.addEventListener('message', function(msg) { console.log("\u2190 " + msg.data); }, false); this.send = function(data) { this._s(data); console.log("\u2192 " + data); }; } </script></p><p>20 data = ".";</p><p>[22:49:57][*] BeEF server started (press control+<a href="/tags/C_(programming_language)/" rel="tag">c</a> to stop) /opt/local/lib/ruby1.9/gems/1.9.1/ gems/<a href="/tags/JSON/" rel="tag">json</a>-1.7.5/lib/json/common.rb: 155:in ìnitialize': A JSON text must at least contain two octets! (JSON::ParserError)</p><p>21 QUALYS SECURITY CONFERENCE 2012</p><p>LAS VEGAS MUNICH LONDON PARIS OCT 25-26 NOV 06 NOV 08 NOV 13</p><p>JavaScript Libraries</p><p>22 JavaScript Libraries</p><p>• Should be... • O�en are... • More op�mal • More disparate • More universal • Highly variant in quality • Stylis�cally different</p><p>• Shi� security burden to • Have to... patch management • Play nice with others • Clear <a href="/tags/API/" rel="tag">APIs</a> (variable scope, • Auto versioning prototype chains) Hosted on CDNs • Balance performance • with style</p><p>23 <a href="/tags/Angular_(web_framework)/" rel="tag">Angular</a> Developing With JavaScript Batman JS Closure CoffeeScript Dojo Ember JS • Challenges of an interpreted language Ext JS Facebook Connect jQuery jsmd <a href="/tags/Knockout_(web_framework)/" rel="tag">Knockout</a> Midori JS • Simple language, complex behaviors Modernizr MooTools MooTools More • h�p://<a href="/tags/JSLint/" rel="tag">jslint</a>.com ObjectiveJ Prototype • h�p://www.quirksmode.org Pusher <a href="/tags/Qooxdoo/" rel="tag">Qooxdoo</a> h�p://webreflec�on.blogspot.com Raphael • Rico Sammy Scriptaculous Socket.io Spine Browser tools improving, but imperfect. Spry • TypeKit twttr • h�p://bit.ly/QJ4g0C Underscore JS UIZE YUI YAHOO</p><p>24 There’s a Dark Side to Everything</p><p>• Poisoning • Cache, CDN • Intermedia�on, HTTP & public Wi-Fi</p><p>• Func�ons for HTML injec�on payloads • More bad news for blacklis�ng</p><p>• Server-side JavaScript • Reimplemen�ng HTTP servers with reimplemented bugs • Fingerprint, DoS, directory traversal</p><p>25 JavaScript Crypto ☣ • Stanford JS Crypto Library [ h�p://crypto.stanford.edu/sjcl/ ] • CryptoCat [ h�ps://crypto.cat ] • Shi�ed from .js to browser plugin • Use TLS for channel security • Be�er yet, use HSTS and DNSSEC. • There is no trusted execu�on environment • ...in the current prototype-style language • ...in an HTTP connec�on that can be intercepted • ...in a site with an HTML injec�on vuln</p><p>26 QUALYS SECURITY CONFERENCE 2012</p><p>LAS VEGAS MUNICH LONDON PARIS OCT 25-26 NOV 06 NOV 08 NOV 13</p><p>HTML5 & Countermeasures</p><p>27 Programming</p><p>• Abstrac�ng development to another language • Closure • Emscripten, compile C & C++ to JavaScript • TypeScript</p><p>• Sta�c code analysis</p><p>• New specs</p><p>28 Cross Origin Resource Sharing</p><p>• Defines read-access trust of another Origin • Expresses trust, not security • But s�ll contributes to secure design • Principle of Least Privilege • Beware of Access-Control-Allow-Origin: * • Short Access-Control-Max-Age • Minimal Access-Control-Allow-{Methods | Headers} • Check the Origin • Prevent CSRF from this browser</p><p>29 Domain-Based Separa�on of Trust</p><p>• Leverage the Same Origin Policy • Use one domain for trusted content • Use another domain for user content • Another for ads • etc.</p><p>30 HTML5 Sandboxes</p><p><iframe * src="infected.html"></p><p>* (empty)</p><p> sandbox JavaScript not executed</p><p>JavaScript executed sandbox="allow-scripts" document.cookie Set-Cookie header</p><p> text/html-sandboxed Waiting for browser support</p><p>31 Content-Security-Policy</p><p>• Provide granular access control to SOP • Choose monitor or enforce • Header only • Probably few code changes required, or unsafe-eval • (h�p-equiv has lower precedence) • Wai�ng for universal implementa�on • X-Content-Security-Policy • X-WebKit-CSP • h�p://www.w3.org/TR/CSP/</p><p>32 Content-Security-Policy</p><p>X-CSP: default-src 'self'; frame-src 'none'</p><p><!doctype html> <html> <body> <iframe src="./infected.html">

33 Content-Security-Policy vs. XSS

X-CSP: default-src 'self'

X-CSP: default-src 'self' 'unsafe-inline'

34 Content-Security-Policy vs. XSS

X-CSP: default-src 'self'

X-CSP: script-src evil.site

35 Content-Security-Policy vs. DOM XSS

$(document).ready(function() { var x = (window.location.hash.match(/^#([^\/].+)$/)||[])[1]; var w = $('a[name="' + x + '"], [id="' + x + '"]'); });

// This is an unsafe inline event handler var click = $('#main').attr('onclick', 'alert(9)');

// doesn't trigger unsafe-inline var click = $('#main').click(function(e) { alert(9) });

// doesn't trigger unsafe-inline ]var click = $('#main').bind("click", function(e) { alert(9) });

36 On the Other Hand...

• Awesome DoS if CSP headers are absent and XSS vuln is present:

37 Careful with those Improvements

• Some trade-oﬀs between more objects, more APIs, and less privacy • WebGL, baery status • Browser ﬁngerprinng • AppCache • Web Storage

38 String Concatenaon Checklist

• Normalize the data • Character set conversions (e.g. ⇄ UTF-8, reject or replace bad sequences) • Character encoding conversion (e.g. %xx) • Idenfy the output context • DOM node, aribute name, aribute value, script, etc. • Apply controls at security boundaries • Time of Check, Time of Use -- Idenfy where data will be modiﬁed, stored, or rendered • Strip characters (carefully! prefer inclusion list to exclusion list) • Replace characters appropriate for context

39 Some Web Security Principles

• Always be suspicious of string concatenaon • Abstract development to a more strongly-typed language, compile to JavaScript • Protect Web Storage data • Don’t use it for security-sensive data, • Pay aenon to DOM context • HTML enty, percent encoding, String object, text node • Apply CORS and CSP headers to protect browsers from applicaon mistakes • And X-Frame-Opons

40 JavaScript

• Audit string concatenaon • Avoid inline event handlers • $(#id).bind(...) • $(#id).click(...) • $(#id).on(...) • Embrace "use strict"; • Encounter errors more quickly, more loudly • Avoid implicit global scope problems • Remember to apply to each “code unit”

41 Security Loop

• Encourage users to update browsers • Supporng old browsers is a pain anyway

• Adopt established JavaScript libraries rather than custom implementaons • Shi from pure development to patch management

• Adopt HTML5 security features • ...to protect users with HTML5-enabled browsers

42 QUALYS SECURITY CONFERENCE 2012

LAS VEGAS MUNICH LONDON PARIS OCT 25-26 NOV 06 NOV 08 NOV 13

Thank You!