Client-side JavaScript Security Vulnerabilities — The Twilight Zone of Web Application Security. Ory Segal, Security Products Architect, Rational
ORY SEGAL — Security products architect, Rational; AppScan product manager; Web Application Security Consortium officer; Contributor (WASC, MITRE, NIST, OWASP); Renowned application security expert; AppScan
From server to client side – The migration story of web application logic
1990 <HTML>: Capable of presenting only text and hyperlinks. 1993 <IMG>: Embedded images in web pages (3rd party allowed). 1995 <SCRIPT>: JavaScript enables programmatic modifications to HTML. 1996 <IFRAME>: Embeds a page within a page (3rd party contents); <EMBED>: Embed an Adobe Flash file for animation. 1999 XHR: Client-side API (e.g. JS) to send & receive HTTP traffic programmatically, without refreshing the entire page. 2005 AJAX: Fetch data asynchronously using XHR, reducing the time spent waiting on page loads; desktop app look & feel. 2011 HTML5 & APIs: Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, …
Logic is Migrating from Server to Client…We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
Client-side JavaScript Security Issues
DOM-Based Cross-site Scripting: A type of XSS (the third type, after “Reflected” & “Stored”). The application doesn’t need to echo back user input as in Type I & Type II; instead we poison a DOM element that is used in JavaScript code. Example: http://www.vuln.site/welcome.html?name=Ory
1: <HTML>
2: <TITLE>Welcome!</TITLE>
3:  Hi
4:  <SCRIPT>
5:    var pos = document.URL.indexOf("name=") + 5;
6:    document.write(document.URL.substring(pos,document.URL.length));
7:  </SCRIPT> <BR/>
8:  Welcome to our system
9: </HTML>
Source: document.URL. Sink: document.write(). Result: document.write("Ory")
DOM-Based Cross-site Scripting — Attack Example: http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>
1: <HTML>
2: <TITLE>Welcome!</TITLE>
3:  Hi
4:  <SCRIPT>
5:    var pos = document.URL.indexOf("name=") + 5;
6:    document.write(document.URL.substring(pos,document.URL.length));
7:  </SCRIPT> <BR/>
8:  Welcome to our system
9: </HTML>
Source: document.URL. Sink: document.write(). Result: document.write("<script>alert('hacked')</script>"). The attack took place entirely on the client side (# fragment identifier): the browser never sends the fragment to the server, so the payload is invisible to server-side filters and server logs.
Hacker-controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc. Client-side Open Redirect: JavaScript code automatically redirects the browser to a new location, and the new location is taken from a DOM element (URL, query, referrer, etc.). Example: http://www.vuln.site/redirect.html?a=5&url=http://www.some.site
...
12: var sData = document.location.search.substring(1);
13: var sPos = sData.indexOf("url=") + 4;
14: var ePos = sData.indexOf("&", sPos);
15: var newURL;
16: if (ePos < 0) { newURL = sData.substring(sPos); }
17: else { newURL = sData.substring(sPos, ePos); }
18: window.location.href = newURL;
Source: document.location. Sink: window.location.href. Result: window.location.href = "http://www.some.site";
Stored DOM-Based Cross-Site Scripting — Exploiting the HTML5 localStorage API
...
17: var pos = document.URL.indexOf("name=") + 5;
18: var yourName = document.URL.substring(pos,document.URL.length)
19: decodeURI(yourName);
20: window.localStorage.name = yourName;
21: }
...
welcome / register
...
3: <div id="header"></div>
4: <script>
5:  var elem = document.getElementById("header");
6:  var name = window.localStorage.name;
7:  elem.innerHTML = "Hello, " + name;
8: </script>
...
Source: document.URL. Storage: window.localStorage.name. Sink: elem.innerHTML. Result: elem.innerHTML = <value_of_name_parameter>
So, how common are client-side JavaScript issues?
(Lack of) Statistics on Client-Side JS Issues. Two options for gathering statistics: automated discovery and manual discovery. Automated tools: dynamic analysis tools only uncover ~30%, and static analysis tools struggle with dynamic code (AJAX). Manual code review is hell – have you seen JavaScript lately? dojo._xdReset();if(dojo["_xdDebugQueue"]&&dojo._xdDebugQueue.length>0){dojo._xdDebugFileLoaded();}else{dojo._xdNotifyLoaded();}};dojo._xdNotifyLoaded=function(){for(var _99 in dojo._xdInFlight){if(typeof dojo._xdInFlight[_99]=="boolean"){return;}}dojo._inFlightCount=0;if(dojo._initFired&&!dojo._loadNotifying){dojo._callLoaded();}};if(typeof window!="undefined"){dojo.isBrowser=true;dojo._name="browser";(function(){var d=dojo;if(document&&document.getElementsByTagName){var _9a=document.getElementsByTagName("script");var _9b=/dojo(\.xd)?\.js(\W|$)/i;for(var i=0;i<_9a.length;i++){var src=_9a[i].getAttribute("src");if(!src){continue;}var m=src.match(_9b);if(m){if(!d.config.baseUrl){d.config.baseUrl=src.substring(0,m.index);}var cfg=_9a[i].getAttribute("djConfig");if(cfg){var _9c=eval("({ "+cfg+" })");for(var x in _9c){dojo.config[x]=_9c[x];}}break;}}}d.baseUrl=d.config.baseUrl;var n=navigator;var dua=n.userAgent,dav=n.appVersion,tv=parseFloat(dav);if(dua.indexOf("Opera")>=0){d.isOpera=tv;}if(dua.indexOf("AdobeAIR")>=0){d.isAIR=1;}d.isKhtml=(dav.indexOf("Konqueror")>=0)?tv:0;d.isWebKit=parseFloat(dua.split("WebKit/")[1])||undefined;d.isChrome=parseFloat(dua.split("Chrome/")[1])||undefined;d.isMac=dav.indexOf("Macintosh")>=0;var _9d=Math.max(dav.indexOf("WebKit"),dav.indexOf("Safari"),0);if(_9d&&!dojo.isChrome){d.isSafari=parseFloat(dav.split("Version/")[1]);if(!d.isSafari||parseFloat(dav.substr(_9d+7))<=419.3){d.isSafari=2;}}if(dua.indexOf("Gecko")>=0&&!d.isKhtml&&!d.isWebKit){d.isMozilla=d.isMoz=tv;}if(d.isMoz){d.isFF=parseFloat(dua.split("Firefox/")[1]||dua.split("Minefield/")[1])||undefined;}if(document.all&&!d.isOpera){d.isIE=parseFloat(dav.split("MSIE ")[1])||undefined;var 
_9e=document.documentMode;if(_9e&&_9e!=5&&Math.floor(d.isIE)!=_9e){d.isIE=_9e;}}if(dojo.isIE&&window.location.protocol==="file:") {dojo.config.ieForceActiveXXhr=true;}d.isQuirks=document.compatMode=="BackCompat";d.locale=dojo.config.locale||(d.isIE?n.userLanguage:n.language).toLowerCase();
Introducing JavaScript Security Analyzer
What is JSA? The 1st and only tool to auto-detect client-side issues such as: DOM-based XSS; Phishing through Open Redirect; HTML5 Notification API Phishing; HTML5 Web Storage API Poisoning; HTML5 Client-side SQL Injection; HTML5 Client-side Stored XSS; HTML5 Web Worker Script URL Manipulation; Email Attribute Spoofing. Techniques: DE-OBFUSCATION; STRING /* analysis */; HTML5 Analysis; Hybrid
Using JavaScript Security Analyzer: zero configuration required; super-simple; super-fast
Viewing JSA Results in AppScan Standard: AppScan Standard – Scan Results; vulnerable URL and line of code; tainted data flow information
Let's try again… How common are client-side JavaScript issues?
Using JSA we ran a study on real sites: Fortune 500; 175 most popular sites; non-obtrusive automated review; manually verified results. Scary outcome…
14.5% Vulnerable: 169,443 total pages; 90,929 unique pages; 1,659 pages with vulnerabilities. Likelihood for a web page to be vulnerable is 1 : 55
Who wrote these vulnerabilities? 62% in house; 38% 3rd party. 3rd-party sources include: Marketing campaign JavaScript snippets
Flash embedding JavaScript snippets
Social networking JavaScript snippets
Deep linking JavaScript libraries for Flash and AJAX applications. Issue Distribution: DOM-based XSS; Open Redirect
JavaScript is becoming prominent: modern applications, HTML5, AJAX, Web 2.0. Application logic is shifting to the client side, and more code means more vulnerabilities. These vulnerabilities happen when code relies on parts of the DOM that are hacker-controlled. Detection requires tedious manual work; AppScan with JSA can automate client-side issue detection.