Date posted: 09-Dec-2014
Uploaded by: roberto-suggi-liverani
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
OWASP – Ajax Security
Roberto Suggi Liverani
Security Consultant
Security-Assessment.com
5 December 2007
Who am I?
Roberto Suggi Liverani
Security Consultant, CISSP – Security-Assessment.com
4+ years in information security, focusing on web and network security
OWASP New Zealand leader
Agenda
Ajax
- What is Ajax?
- Ajax Components
- Traditional Web Model vs Ajax Web Model
- Why is Ajax used?
- Who is using Ajax?
Ajax Security
- Ajax and Security – Server of origin policy
- Real attack examples (Samy worm, Yamanner, Nduja - Webmail XSS worm)
- Web worms – Comparison
Introduction – What is Ajax?
- Ajax is not synonymous with Web 2.0
- Ajax = Asynchronous JavaScript And XML
- Ajax is a group of technologies combined together to create new ways of interaction
- Term coined by Jesse James Garrett of Adaptive Path (Feb 2005)
Before Ajax:
- DHTML
- Macromedia Flash 4
- Microsoft Remote Scripting
- Microsoft XMLHttpRequest object
- Object element in HTML 4
- Document Object Model Level 3
Ajax Components
- HTML/XHTML: necessary to display the information
- JavaScript: necessary to initiate the client-server communication and manipulate the DOM to update the web page
- Document Object Model (DOM): necessary to change portions of an XHTML page without reloading it
- Server-side processing: there is no Ajax without a stable, responsive server waiting to send content to the engine
Ajax Components (cont.)
- Cascading Style Sheets (CSS): in an Ajax application, the styling of the user interface may be modified interactively through CSS
- Extensible Markup Language (XML): data exchange format
- Extensible Stylesheet Language Transformations (XSLT): transforms XML to XHTML
- XMLHttpRequest object: allows retrieving data from the web server as a background activity
Ajax Components – Simple Diagram
[Slide 7 figure: diagram from Ajax In Action, Manning; see Table of Figures]
Let’s define Ajax:
- The browser hosts an application, not content: a “rich” client application is delivered to the browser and is able to handle input and respond to or wait for requests
- The server delivers data, not content: the role of the server is only to send data; the client is a “rich” client and processes the data
- User interaction with the application can be fluid and continuous: asynchronous data transfers allow new ways of interaction like drag and drop and double clicking; traditional web = click-and-wait
- This is real coding and requires discipline: high-performance and maintainable code are the main requirements for Ajax applications
Traditional Web Model vs Ajax Web Model
[Slide 9 figure: diagram from The Professional Ajax, 2nd edition, Wrox; see Table of Figures]
Classic Web Model – Usability/Time
[Slide 10 figure: from the Adaptive Path essay; see Table of Figures]
Ajax Web Model – Usability/Time
[Slide 11 figure: from the Adaptive Path essay; see Table of Figures]
Why is Ajax used?
- Speed: only the data (or parameters) required are posted
- Reduced network traffic: less data exchanged between client and server
- Interactivity: the user doesn’t click and wait, the user drags and drops
- Functionality: richer client with more features available
- Usability: easy to use, with a friendly interface and content updated “on-the-fly”
Who is using Ajax?
And many others…
Let’s talk about Ajax and security…
Many of the security issues that an Ajax application faces are the same as for a classical web application.
So let’s talk about a specific security issue which relates to Ajax applications: the server of origin policy.
Server of origin policy:
- The JavaScript security model prevents scripts from different domains from interacting with one another
- An Ajax application can’t read or write to the local filesystem
Ajax and Security – Server of origin policy
Examples of cross-browser security policy:

URLs | Cross-scripting allowed? | Comments
http://www.example.com:8080/script1.js and http://www.example.com/script2.js | No | Port number doesn’t match.
http://www.example.com/script1.js and https://www.example.com/script2.js | No | Protocol type doesn’t match.
http://www.example.com/script1.js and http://192.168.0.10/script2.js | No | Browser will not perform domain name resolution.
http://sub.example.com/script1.js and http://www.example.com/script2.js | No | Subdomains are treated as separate domains.
http://www.example.com/hello/script1.js and http://www.example.com/bye/script.2.js | Yes | Domain name is the same.
http://www.example2.com/script1.js and http://www.example1.com/script2.js | No | Different domain names.
Ajax and Security – Server of origin policy
So is it possible to bypass or avoid this security control?
Yes – there are multiple ways:
- Developer workaround: proxying remote services. Make the call to the remote server from our own server rather than from the client, and then forward the response on to the client. Example: http://website1/proxy?url=http://website2/
- User workaround: change browser security settings. IE: grant permission to execute code from one security zone in another; the user is presented with a popup security warning. Firefox: the PrivilegeManager needs to be configured accordingly; the value signed.applets.codebase_principal_support should be set to “true”
- Attacker workaround: sending an email. This technique is shown in the case study of Nduja, the webmail XSS worm of Rosario Valotta
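The code below is an added example written for this page, not code from the slides or from any product they mention. It serves two passages: it reproduces the server-of-origin (same-origin) verdict for every URL pair in the table above, and it shows the allow-list check a developer's proxy endpoint such as http://website1/proxy?url=... needs before fetching the url parameter. It runs under Node.js; the host names are the slides' example values and the proxy function and its allow-list are hypothetical illustrations.

```javascript
// Added example, not from the OWASP slides: (1) the server-of-origin
// comparison behind the URL table and (2) the allow-list a server-side
// proxy needs so it does not relay requests to arbitrary hosts. Node.js.

// An origin is scheme + host name + port; the path does not take part.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  // The host is compared as a string: the browser does no DNS lookup, so
  // www.example.com and 192.168.0.10 differ even if they are one server.
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The six URL pairs of the slide's table with the verdict the slide gives.
const SLIDE_TABLE = [
  ["http://www.example.com:8080/script1.js", "http://www.example.com/script2.js", false],
  ["http://www.example.com/script1.js", "https://www.example.com/script2.js", false],
  ["http://www.example.com/script1.js", "http://192.168.0.10/script2.js", false],
  ["http://sub.example.com/script1.js", "http://www.example.com/script2.js", false],
  ["http://www.example.com/hello/script1.js", "http://www.example.com/bye/script.2.js", true],
  ["http://www.example2.com/script1.js", "http://www.example1.com/script2.js", false],
];

// Pairs whose computed verdict disagrees with the slide (expected: none).
function slideTableMismatches() {
  return SLIDE_TABLE.filter(([a, b, allowed]) => sameOrigin(a, b) !== allowed);
}

// Proxy workaround: our own server fetches the remote service and relays the
// response, so the browser only ever talks to its own origin. The proxy runs
// inside the trust boundary, so the url parameter must be restricted to the
// remote services the application actually uses. (Allow-list is assumed.)
const PROXY_ALLOWED_ORIGINS = new Set(["http://website2:80", "https://website2:443"]);

// Returns the URL to fetch, or null when the request must be refused.
function resolveProxyTarget(urlParam) {
  let target;
  try {
    target = new URL(urlParam);        // relative or malformed values throw
  } catch {
    return null;
  }
  return PROXY_ALLOWED_ORIGINS.has(originOf(target.href)) ? target.href : null;
}
```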
Real attack examples
Ajax seen by an attacker:
- Grouping technologies means there are more elements to attack – increased attack surface
- New ways of interaction mean more complexity; consequently, there are more chances that developers make mistakes, like exposing internal functions of the application
- The application is delivered to the browser: the attacker controls the functionality of the application
- An Ajax application is still a web application – traditional web attack techniques can be used
Let’s go through three real examples of attacks involving Ajax:
- Samy worm
- Yamanner worm
- Nduja - Webmail XSS worm
Ajax Security – Case Study – Samy worm
- Started as a joke
- Inserted HTML and JavaScript through MySpace’s profile editor
- Automated the friend selection process: instead of someone selecting Samy as a friend, the worm automated the procedure with JavaScript
- The result of the code injection was that every visitor to Samy’s page, and all of the visitor’s friends, befriended Samy. Samy automatically also became their “hero”.
Ajax – Case Study – Samy worm (cont.)
Impact: “In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community”
[Slide 19 figure: from RSnake’s Samy worm analysis; see Table of Figures]
Screenshot showing list of Myspace profiles infected by Samy Worm
And today there are still Myspace accounts with Samy as a hero! (532 results with live.com)
Ajax – Case Study – Samy worm
What did we learn from the Samy worm technique?
- Embedding JavaScript in CSS tags
- Used “java\nscript” to avoid Myspace’s stripping of the string “javascript”
- Used JavaScript String.fromCharCode to convert quotes (‘ ’) to avoid restrictions
- Used the XML-HTTP object with both HTTP GETs and POSTs from/to the victim’s profile
Worm Source Code:
- http://namb.la/popular/tech.html
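An added example, not from the slides and not MySpace's code, showing why the second lesson matters for defenders: stripping the literal string “javascript” (the block-list the slide describes) misses the “java\nscript” variant, whereas parsing the value with the browser's URL rules and allow-listing only the http and https schemes does not depend on how the value was spelled. It runs under Node.js; the base URL https://profile.example/ and the inputs are constructed for the demo.

```javascript
// Added example, not from the slides or MySpace: a block-list that strips
// the string "javascript" versus an allow-list of URL schemes applied after
// parsing. Node.js, global URL class; base URL and inputs are constructed.

// The block-list the slide describes MySpace using: delete the literal
// string and hope nothing executable remains.
function blocklistStrip(value) {
  return value.replace(/javascript/gi, "");
}

// Allow-list: parse as a browser would (the URL parser discards ASCII tab
// and newline, so "java\nscript:" is read as "javascript:"), then accept
// only http(s) links; anything else becomes a harmless placeholder.
function allowlistUrl(value) {
  let parsed;
  try {
    parsed = new URL(value, "https://profile.example/");
  } catch {
    return "#";
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : "#";
}

// True when the value, as a browser would parse it, still carries a scheme
// that runs script.
function executesScript(value) {
  try {
    return new URL(value, "https://profile.example/").protocol === "javascript:";
  } catch {
    return false;
  }
}

// For one candidate link value, report whether each defence lets script through.
function compareDefences(candidate) {
  return {
    blocklist: executesScript(blocklistStrip(candidate)), // true = slipped through
    allowlist: executesScript(allowlistUrl(candidate)),
  };
}
```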
Ajax – Case Study – Yamanner worm
- Exploits a vulnerability in the onload event handling of Yahoo! Mail and then executes a script
- Scans emails in the personal folders of the Yahoo! Mail account
- Sends a copy of itself to the email addresses gathered
- Redirects the web browser from Yahoo! Mail to the following web site: [http://]www.av3.net/index.htm
- Sends the list of gathered email addresses to the above URL
Ajax – Case Study – Yamanner worm
Impact: the number of Yahoo! users hit by this worm is unknown. Addresses harvested from the address book were submitted to a remote URL, which was likely used for a spam database.
What we learnt?
- A large email provider does not guarantee security – a Yahoo! Mail software vulnerability was exploited in this case
- XML GET to retrieve contact addresses and use of window.navigate to send data to a third-party site
Source Code Example:
- http://archives.neohapsis.com/archives/incidents/2006-06/0028.html
- http://groovin.net/stuff/yammer.txt
Ajax – Case Study – Nduja - Webmail XSS worm
- Probably the first cross-domain worm
- Worm developed as a PoC by Rosario Valotta
- Tested on four webmail services in Italy: Libero.it, Tiscali.it, Lycos.it, Excite.com
Exploits XSS vulnerabilities in the webmail applications and then:
- Steals e-mails from the Inbox
- Steals email addresses from the Contact List
- Self-propagates to contacts
Ajax Security – Case Study – Nduja - Webmail XSS Worm
Impact: the worm is able to capture emails and contact addresses from four different domains and post them to a third-party site.
What we learnt?
- It is possible to create cross-domain worms exploiting multiple XSS vulnerabilities at the same time in different domains. The server of origin policy is bypassed using a feature of the targeted application (the email function)
- The malicious script checks the domain and then applies the corresponding XSS attack
Extracts of source code: http://rosario.valotta.googlepages.com/home
Nduja - Webmail XSS Worm Demo
Web worms – Comparison

Worm | Target domain(s) | Cross domain? | Impact
Samy worm | Myspace.com | No | 1 million users affected
Yamanner worm | Yahoo.com | No | Unknown number of Yahoo users affected
Nduja worm | Tiscali.it, Libero.it, Lycos.it, Excite.com | Yes | N/A – this is a PoC

So the question is: can you think about the impact of the next cross-domain web worm?
References – Misc.
Stefano Di Paola, Giorgio Fedon – Subverting Ajax – Whitepaper
Andrew Van Der Stock – Ajax Security - Presentation
Billy Hoffman – Ajax Security Dangers - Whitepaper
Billy Hoffman – Analysis of Web Application Worms and Viruses - Whitepaper
Alex Stamos, Zane Lackey – Attacking AJAX Web Applications - Presentation
References – Misc.
AJAX Security - http://www.cgisecurity.com/ajax/
Ajax Security Basics - http://www.securityfocus.com/infocus/1868/2
MySpace Worm Explanation - http://namb.la/popular/tech.html
Adaptive Path - http://www.adaptivepath.com/ideas/essays/archives/000385.php
Nduja Connection - http://rosario.valotta.googlepages.com/home
Yamanner Worm - http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99
References – Books
Christopher Wells – Securing Ajax Applications – O’Reilly - Book
V.A. – The Professional Ajax – 2nd edition – Wrox - Book
V.A. – Ajax In Action – Manning - Book
Table of Figures
Slide 7 – From Ajax In Action, Manning
Slide 9 – The Professional Ajax – 2nd edition – Wrox
Slide 10 – Adaptive Path web site - http://www.adaptivepath.com/ideas/essays/archives/000385.php
Slide 11 – Adaptive Path web site - http://www.adaptivepath.com/ideas/essays/archives/000385.php
Slide 19 – RSnake web site - http://ha.ckers.org/blog/20070319/samy-worm-analysis/