Advanced Ajax Security


Page 1: Advanced Ajax Security - active

© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Advanced Ajax Security

Billy Hoffman ([email protected])

Manager, HP Security Labs

Page 2: Advanced Ajax Security - active

Who am I?

• Manager, HP Security Labs
• In the security space for 6 years
• CS degree from Georgia Tech
• Areas of focus
  − Crawling and sampling
  − JavaScript static analysis
  − XSS
• Frequent presenter at hacker/security conferences

Page 3: Advanced Ajax Security - active

Presentation Overview

• Manipulating client-side logic
• Defeating logic protection techniques
• Function hijacking
• JSON hijacking
• Hacking Google Gears

Page 4: Advanced Ajax Security - active

“Boring” Ajax Security

• Increased attack surface
• Direct API access
• Easier to reverse engineer
• Amplifying web attacks
• Offline attacks
• “Surely no one actually does this, right?”

Page 5: Advanced Ajax Security - active

Sexy Ajax Security

• Sample Ajax travel website
• Built using “expert” advice
  − Popular books
  − Articles/how-tos
  − Forums
• Riddled with security defects

Page 6: Advanced Ajax Security - active


API Domino Effect

holdSeat(flightID)

makeOffer(price, flightID)

debitAccount(price)

bookSeat(flightID)

Page 7: Advanced Ajax Security - active


Overly Granular Application API

Insecure

More secure
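The domino effect from the previous slide, as an added example that is not part of the original deck: a Node-runnable model of the travel site's four booking calls exposed as separate client-callable endpoints, next to the coarse-grained "more secure" version. The flight, the account and the prices are constructed; only the four function names come from the slide.

```javascript
// Added example, not from the slides: an in-memory model of the sample
// travel site's booking flow (holdSeat -> makeOffer -> debitAccount ->
// bookSeat). Flight data, accounts and prices below are constructed.

function makeWorld() {
  return {
    flights: { HP101: { price: 450, seatsLeft: 2, heldBy: null, offer: null } },
    accounts: { alice: { balance: 1000 } },
    bookings: [],
  };
}

// --- Insecure: overly granular API ---------------------------------------
// Every step is its own client-callable endpoint. The server assumes the
// client calls them in order; nothing verifies that it did.
function insecureApi(world) {
  return {
    holdSeat(user, flightID) {
      world.flights[flightID].heldBy = user;
      return true;
    },
    makeOffer(user, price, flightID) {
      // The price is whatever the client sent.
      world.flights[flightID].offer = { user, price };
      return true;
    },
    debitAccount(user, price) {
      world.accounts[user].balance -= price;
      return true;
    },
    bookSeat(user, flightID) {
      // No check that a debit for this seat ever happened.
      world.flights[flightID].seatsLeft -= 1;
      world.bookings.push({ user, flightID });
      return { ok: true };
    },
  };
}

// The domino effect: a client that can reach bookSeat() never needs the
// other three calls, and a client that does call them picks its own price.
function attackFreeTicket(world, user, flightID) {
  return insecureApi(world).bookSeat(user, flightID);
}
function attackOneDollarTicket(world, user, flightID) {
  const api = insecureApi(world);
  api.holdSeat(user, flightID);
  api.makeOffer(user, 1, flightID);
  api.debitAccount(user, 1);
  return api.bookSeat(user, flightID);
}

// --- More secure: one coarse-grained endpoint -----------------------------
// The client sends only its intent (user, flightID). The price comes from
// server data and the hold -> debit -> book sequence runs entirely on the
// server, so there is no intermediate state for a client to jump to.
// (A real implementation also needs server-side locking around the seat
// check and decrement so two concurrent requests cannot both take the last
// seat; this single-threaded model omits it.)
function bookFlight(world, user, flightID) {
  const flight = world.flights[flightID];
  const account = world.accounts[user];
  if (!flight || !account) return { ok: false, reason: 'unknown flight or user' };
  if (flight.seatsLeft < 1) return { ok: false, reason: 'sold out' };
  if (account.balance < flight.price) return { ok: false, reason: 'insufficient funds' };
  account.balance -= flight.price;
  flight.seatsLeft -= 1;
  world.bookings.push({ user, flightID, paid: flight.price });
  return { ok: true, paid: flight.price };
}
```

Run `attackFreeTicket(makeWorld(), 'alice', 'HP101')` and the booking succeeds with the balance untouched; `attackOneDollarTicket` pays 1 instead of 450. With `bookFlight` the client cannot influence either the price or the order of the steps, which is the whole difference between the two diagrams on the slide.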

Page 8: Advanced Ajax Security - active


Polling Status Call

Page 9: Advanced Ajax Security - active


Real-world Example

Page 10: Advanced Ajax Security - active


Web 1.0 to Web 2.0 Conversion

Page 11: Advanced Ajax Security - active


Premature Ajax-ulation!

Page 12: Advanced Ajax Security - active


Exposed Administrative API

Malicious use

Intended use

Page 13: Advanced Ajax Security - active

Defeating Logic Protection

• Obfuscation
• Lazy loading

Page 14: Advanced Ajax Security - active

All Your Obfuscation Are Belong To Us!

Page 15: Advanced Ajax Security - active

On-Demand JavaScript

• How do you debug code if you don’t have it all?
• Firebug cannot debug dynamic code
  − JSON responses
  − Remote scripting
  − Lazy loading
• “View Source” vs. “View Generated Source”
• Need a way to monitor the JavaScript environment

Page 16: Advanced Ajax Security - active

Understanding JavaScript Variable Scope

• Everything is an object
  − Primitives (strings, numbers, regexps)
  − Functions
• All global variables and functions are properties of the global object
• The global object is provided by the environment
• In a web browser, the global object is window
• Can we enumerate it?

Page 17: Advanced Ajax Security - active

Example Code

  function BogusFunction1() {
    // empty function
  }
  function BogusFunction2() {
    // empty function
  }
  var ret = "";
  for (var i in window) {
    if (typeof(window[i]) == "function") {
      ret += i + "\n";
    }
  }
  alert(ret);

Page 18: Advanced Ajax Security - active

Enumerating All Functions

Page 19: Advanced Ajax Security - active

HOOK: JavaScript Monitoring Framework

• Enumerates the environment and traps on-demand code
• Side-steps obfuscation
• Reads from the environment itself
• Demo

Page 20: Advanced Ajax Security - active

Take Aways: Client-side Code

• Client-side code is just a suggestion!
• Client-side code cannot be protected, encrypted, or obfuscated
• Store all secrets on the server
• Enforce control flow on the server
• Always match allocations with frees in the same method
• Use server-side locking to prevent race condition vulnerabilities

Page 21: Advanced Ajax Security - active

JavaScript Function Clobbering

• Highly dynamic language
• Typeless, with dynamic execution paths
• Code can redefine itself at runtime

Page 22: Advanced Ajax Security - active

JavaScript Namespaces

• Namespaces prevent collisions
• Solution: make functions properties of objects

  // "var com.SomeSite.common = {}" is not legal JavaScript (a var name
  // cannot contain dots), so each level of the namespace is created first
  var com = com || {};
  com.SomeSite = com.SomeSite || {};
  com.SomeSite.common = {};
  com.SomeSite.common.debug = function () { … };
  com.SomeSite.common.debug();

  com.SexyWidgets = {};
  com.SexyWidgets.debug = function () { … };
  com.SexyWidgets.debug();

Page 23: Advanced Ajax Security - active

JavaScript Namespaces

Page 24: Advanced Ajax Security - active

Intentional Function Clobbering

• Attacker deliberately clobbers functions
• What kind of functions can you clobber?
  − User-defined functions?
  − System functions?
• Demo

Page 25: Advanced Ajax Security - active

Clobbering System Functions: alert()

Page 26: Advanced Ajax Security - active

Prototype’s Ajax.Request()

Page 27: Advanced Ajax Security - active

Limitless Clobbering Possibilities

• Can clobber anything
• Automatic man in the middle
• Other things
  − Dojo.Storage
  − Callback functions
  − Encryption functions?
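What the HOOK slides (enumerate the environment, trap the functions) and the clobbering slides (replace a library call with a man in the middle) have in common, as an added example that is neither the HOOK tool's code nor code from the deck: both are a property assignment on an object the page already trusts. Because window does not exist outside a browser, the site namespace `com.SomeSite.common` and the Prototype-style `Ajax.Request` below are constructed stand-ins with made-up behaviour.

```javascript
// Added example, not code from the slides or from the HOOK tool: enumerate
// the functions hanging off an object, wrap each in a recording trampoline
// (what a monitoring framework does), then replace one outright (what an
// attacker does). The namespace and the Ajax object are constructed stand-ins.

// Constructed stand-in for a site's namespace object.
const com = { SomeSite: { common: {} } };
com.SomeSite.common.debug = function (msg) { return 'debug: ' + msg; };
com.SomeSite.common.checkPrice = function (price) { return price > 0; };

// Constructed stand-in for a library's request function; it returns the
// request it would have sent instead of sending it.
const Ajax = {
  Request: function (url, options) {
    return { url: url, method: options.method || 'post', parameters: options.parameters };
  },
};

// The slide's for-in walk over window, generalised to any object.
function enumerateFunctions(obj) {
  const names = [];
  for (const name in obj) {
    if (typeof obj[name] === 'function') names.push(name);
  }
  return names;
}

// Monitor: replace every function with a wrapper that records the call and
// forwards it. this and the arguments pass through untouched, so the
// application behaves exactly as before. Obfuscation is irrelevant here:
// the wrapper reads the live environment, not the source text.
function hookAll(obj, log) {
  for (const name of enumerateFunctions(obj)) {
    const original = obj[name];
    obj[name] = function () {
      const result = original.apply(this, arguments);
      log.push({ name: name, args: Array.from(arguments), result: result });
      return result;
    };
  }
  return enumerateFunctions(obj).length;
}

// Clobber: the "automatic man in the middle" from the Ajax.Request slide.
// Every request the page makes through the library is copied to an
// attacker-held array before the original runs. In a browser the copy would
// leave via an Image() beacon; here it just accumulates.
function clobberRequest(ajax, stolen) {
  const original = ajax.Request;
  ajax.Request = function (url, options) {
    stolen.push({ url: url, parameters: options.parameters });
    return original.call(this, url, options);
  };
}
```

Calling `hookAll(com.SomeSite.common, log)` leaves `debug` and `checkPrice` working while every call lands in `log`; after `clobberRequest(Ajax, stolen)` a request such as `Ajax.Request('/api/debitAccount', { parameters: { price: 450 } })` still goes out, and its parameters are also in `stolen`. Nothing in the page can tell the difference, which is the slide's point: there is no function the client can rely on not having been replaced.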

Page 28: Advanced Ajax Security - active

The Myth of the Same Origin Policy

• Myth: the Same Origin Policy prevents JavaScript from seeing 3rd-party content
• Fact: it only partly does. Channels it does not restrict:
  − Remote scripting (<script src> pointed at any origin)
  − Image and iframe load/error events (JavaScript port scanning)
  − 3rd-party plug-in communications

Page 29: Advanced Ajax Security - active

JSON Hijacking

• JSON is a valid subset of JavaScript
• eval() can be used to “see” the response
• Could remote scripting be used to read JSON web services?

Page 30: Advanced Ajax Security - active

JSON Hijacking

  <script type="text/javascript">
  [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true],
   ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false],
   ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"], 74905862, true],
   ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"], 90398623, true]];
  </script>

Page 31: Advanced Ajax Security - active

JSON Hijacking

• How does the JS interpreter handle literals?

  [9,4,3,1,33,7,2].sort();

• Creates a temporary Array object
  − Invokes the Array() constructor function
• Executes the sort() function
• Never assigned to a variable
• Garbage collected away

Page 33: Advanced Ajax Security - active

JSON Hijacking

• Clobber the Array() function with a malicious version
• Use <SCRIPT SRC> to point at the JSON web service
• The malicious Array() function harvests the data that comes back!

  function Array() {
    var foo = this;
    var bar = function() {
      var ret = "Captured array items are: [";
      for (var x in foo) {
        ret += foo[x] + ", ";
      }
      ret += "]";
      // notify an attacker here
    };
    // the constructor runs before the literal's elements are assigned,
    // so read them a moment later
    setTimeout(bar, 100);
  }

This depended on the JavaScript engines of the time (Firefox 2 in particular) calling a user-redefined Array() when evaluating an array literal; current engines do not, so the technique as shown no longer works against them. The defense that follows still addresses the general problem: a response that is valid JavaScript can be loaded cross-origin through <SCRIPT SRC>.

Page 34: Advanced Ajax Security - active

JSON Hijacking Example

Page 35: Advanced Ajax Security - active

JSON Hijacking Example

Page 36: Advanced Ajax Security - active

JSON Hijacking Defense

• XMLHttpRequest can see the response and perform operations on it before eval()ing it
• <SCRIPT SRC> cannot!
• Make the JSON response non-valid JavaScript
  − XHR removes it!
  − <SCRIPT SRC> fails!

Page 37: Advanced Ajax Security - active

Bad Approach #1

  <script type="text/javascript">
  I'/\/\ a bl0ck of inva1id $ynT4x! WHOO!
  [["AJAXWorld", "2007-04-15", "2007-04-19", ["ATL", "JFK", "ATL"], 95120657, true],
   ["Honeymoon", "2007-04-30", "2007-05-13", ["ATL", "VAN", "SEA", "ATL"], 19200435, false],
   ["MS Trip", "2007-07-01", "2007-07-04", ["ATL", "SEA", "ATL"], 74905862, true],
   ["Black Hat USA", "2007-07-29", "2007-08-03", ["ATL", "LAS", "ATL"], 90398623, true]];
  </script>

Page 38: Advanced Ajax Security - active

Bad Approach #2

  <script type="text/javascript">
  /*
  ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
  */
  </script>

Page 39: Advanced Ajax Security - active

Bad Approach #2

  <script type="text/javascript">
  /*
  ["Eve*/["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"]/*Nidhi"]
  */
  </script>

User-controlled data containing */ closes the comment. Here two attacker-controlled names (the first and the last in the list) close it, open an array literal around the other users’ names, and reopen a comment to swallow the rest, so the victims’ names are live code again.

Page 40: Advanced Ajax Security - active

Correct Approach

  <script type="text/javascript">
  for(;;);
  ["Eve", "Jill", "Mary", "Jen", "Ashley", "Nidhi"]
  </script>

Page 41: Advanced Ajax Security - active

Correct Approach

  function defangJSON(json) {
    if (json.substring(0, 8) == "for(;;);") {
      json = json.substring(8);
    }
    return json;
  }

  var safeJSONString = defangJSON(xhr.responseText);
  // the slide used json.js's String.parseJSON(); JSON.parse is the built-in equivalent
  var jsonObject = JSON.parse(safeJSONString);
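The for(;;); defense from the last two slides, as an added example that is not code from the deck: a server-side encoder and client-side decoder pair, with the "Bad Approach #2" comment breakout rebuilt on constructed data so it can be seen rather than taken on faith. The names and the raw-concatenation server are made up for the example; JSON.parse stands in for the json.js parseJSON() the slide calls.

```javascript
// Added example, not code from the slides: the for(;;); defense as a
// server-side encoder and client-side decoder pair, plus the comment-wrapping
// mistake from the "Bad Approach #2" slide rebuilt on constructed data.

const PREFIX = 'for(;;);';

// Server side: serialise, then prepend the prefix. Prefix and JSON are both
// valid JavaScript, so a <script src> consumer parses the response fine, but
// execution spins in the loop and the array literal after it is never reached.
function encodeResponse(data) {
  return PREFIX + JSON.stringify(data);
}

// Client side: the slide's defangJSON, tightened so that a response without
// the prefix (one the server failed to protect) is rejected rather than
// quietly parsed anyway.
function defangJSON(text) {
  if (!text.startsWith(PREFIX)) {
    throw new Error('response lacks the for(;;); prefix');
  }
  return JSON.parse(text.slice(PREFIX.length));
}

// The "Bad Approach #2" server as the slide shows it: the array is wrapped in
// a block comment and built by string concatenation, without escaping the
// user-supplied names. Both details matter for the breakout below.
function commentWrapRaw(names) {
  return '/*\n["' + names.join('", "') + '"]\n*/';
}

// What a JavaScript lexer treats as live code once block comments are
// discarded. A regex is enough for this constructed input; a real lexer
// would also have to track string literals.
function liveCode(source) {
  return source.replace(/\/\*[\s\S]*?\*\//g, '').trim();
}

// Two attacker-controlled accounts, one sorting first and one last, whose
// display names close the comment, open an array literal around the victims'
// names, and reopen a comment to swallow the trailing "]\n*/.
const victims = ['Jill', 'Mary', 'Jen', 'Ashley'];
const attackerFirst = 'Eve*/["bogus';
const attackerLast = 'bogus"]/*Nidhi';

function breakoutDemo() {
  const response = commentWrapRaw([attackerFirst, ...victims, attackerLast]);
  // Everything outside the comments is now an array literal holding the
  // victims' names, exactly what a clobbered Array() would have harvested.
  return JSON.parse(liveCode(response));
}
```

`encodeResponse(['Eve', 'Jill'])` yields `for(;;);["Eve","Jill"]`, which `defangJSON` turns back into the array, while `defangJSON('["Eve","Jill"]')` throws. `breakoutDemo()` returns `["bogus", "Jill", "Mary", "Jen", "Ashley", "bogus"]`, the victims' names as live code, whereas the same comment wrapper over honest names leaves no live code at all. The prefix approach has no such edge case because nothing the user types can make execution get past `for(;;);`.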

Page 42: Advanced Ajax Security - active

Securing Ajax Applications

• Perform authentication/authorization checks on both web pages and web services
• Group code libraries by function
• Validate all input to your application
  − HTTP headers, cookies, query string, POST data
• Verify data type, length and format
• Always use parameterized queries
• Always encode output appropriately

Page 43: Advanced Ajax Security - active

Salvation Is Here!

• Ajax Security (Addison-Wesley)

  “Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't.”
  - Jesse James Garrett

• In stores now!

Page 44: Advanced Ajax Security - active
