Client-side JavaScript Vulnerabilities


description

Automatically detecting client side JavaScript vulnerabilities using IBM Rational AppScan and JavaScript Security Analyzer (hybrid analysis)

Transcript of Client-side JavaScript Vulnerabilities

Page 1: Client-side JavaScript Vulnerabilities

© 2011 IBM Corporation

IBM Rational AppScan

Client-side JavaScript Security Vulnerabilities: The Twilight Zone of Web Application Security

Ory Segal, Security Products Architect, Rational

Page 2: Client-side JavaScript Vulnerabilities


• Security products architect, Rational

• AppScan product manager

• Web Application Security Consortium officer

• Contributor (WASC, MITRE, NIST, OWASP)

• Renowned application security expert

AppScan

ORY SEGAL

Page 3: Client-side JavaScript Vulnerabilities


From server to client side – The migration story of web application logic

Page 4: Client-side JavaScript Vulnerabilities


1990 <HTML> Capable of presenting only text and hyperlinks

1993 <IMG> Embedded images in web pages (3rd party allowed)

1995 <SCRIPT> JavaScript enables programmatic modifications to HTML

1996 <IFRAME> Embeds a page within a page (3rd party contents)

<EMBED> Embed an Adobe Flash file for animation

1999 XHR Client-side API (e.g. JS). Send & receive HTTP traffic programmatically, without refreshing the entire page

2005 AJAX Fetch data asynchronously using XHR, reducing the time spent waiting on page loads. Desktop app look & feel

2011 HTML5 & APIs: Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, …

Page 5: Client-side JavaScript Vulnerabilities


Logic is Migrating from Server to Client…

• We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010

Page 6: Client-side JavaScript Vulnerabilities


Client-side JavaScript Security Issues

Page 7: Client-side JavaScript Vulnerabilities


DOM-Based Cross-site Scripting

• A type of XSS (the third type after “Reflected” & “Stored”)

• Application doesn’t need to echo back user input like in Type I & Type II

• We poison a DOM element, which is used in JavaScript code

• Example

<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT> <BR/>
Welcome to our system
</HTML>

http://www.vuln.site/welcome.html?name=Ory

Source : document.URL
Sink : document.write()
Results : document.write("Ory")

Page 8: Client-side JavaScript Vulnerabilities


DOM-Based Cross-site Scripting

• Attack Example

http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>

• The attack took place entirely on the client side: the payload sits in the # fragment identifier, which the browser never sends to the server

• Hacker-controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc.

<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT> <BR/>
Welcome to our system
</HTML>

Source : document.URL
Sink : document.write()
Results : document.write("<script>alert('hacked')</script>")

Page 9: Client-side JavaScript Vulnerabilities


Client-side Open Redirect

• JavaScript code automatically redirects the browser to a new location

• New location is taken from a DOM element (URL, Query, Referrer, etc.)

• Example

...
var sData = document.location.search.substring(1);
var sPos = sData.indexOf("url=") + 4;
var ePos = sData.indexOf("&", sPos);
var newURL;
if (ePos < 0) { newURL = sData.substring(sPos); }
else { newURL = sData.substring(sPos, ePos); }
window.location.href = newURL;

http://www.vuln.site/redirect.html?a=5&url=http://www.some.site

Source : document.location
Sink : window.location.href
Results : window.location.href = "http://www.some.site";
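An added example (not from the slides): the slide's redirect parser beside a hardened version, run on constructed query strings in Node. `naiveTarget`, `safeTarget` and the `currentOrigin` parameter (modelling window.location.origin) are names assumed for this example.

```javascript
// Added example, not the slides' own code. The slide's parser, taking the
// query string (window.location.search) as a plain string.
function naiveTarget(search) {
  const sData = search.substring(1);
  const sPos = sData.indexOf("url=") + 4;
  const ePos = sData.indexOf("&", sPos);
  return ePos < 0 ? sData.substring(sPos) : sData.substring(sPos, ePos);
}

// Hardened version: parse the query properly, resolve the candidate against
// the current origin, and only redirect when the result stays on that origin.
// Absolute URLs, protocol-relative "//host" and "javascript:" all resolve to a
// different (or null) origin and fall back to "/".
// `currentOrigin` models window.location.origin, e.g. "http://www.vuln.site".
function safeTarget(search, currentOrigin) {
  const candidate = new URLSearchParams(search).get("url");
  if (!candidate) return "/";
  let resolved;
  try {
    resolved = new URL(candidate, currentOrigin);
  } catch (e) {
    return "/"; // unparsable candidate
  }
  if (resolved.origin !== currentOrigin) return "/";
  // Return a same-origin relative target; the caller assigns it to location.href.
  return resolved.pathname + resolved.search + resolved.hash;
}
```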

Page 10: Client-side JavaScript Vulnerabilities


Stored DOM-Based Cross-Site Scripting

register:

...
var pos = document.URL.indexOf("name=") + 5;
var yourName = document.URL.substring(pos, document.URL.length);
yourName = decodeURI(yourName);
window.localStorage.name = yourName;
}
...

welcome:

...
<div id="header"></div>
<script>
var elem = document.getElementById("header");
var name = window.localStorage.name;
elem.innerHTML = "Hello, " + name;
</script>
...

Source : document.URL
Storage : window.localStorage.name
Sink : elem.innerHTML
Results : elem.innerHTML = <value_of_name_parameter>

Exploiting HTML5 localStorage API
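An added example (not from the slides) that serves both the DOM-based XSS slides above and this stored variant: the slides' own `name` extraction beside a hardened version, run on constructed URL strings in Node. `escapeHTML`, `safeGreeting`, `serverVisiblePart`, `register`, `welcomeHTML` and the `store` object (modelling window.localStorage) are names assumed for this example.

```javascript
// Added example, not the slides' own code. URL strings stand in for
// document.URL; `store` stands in for window.localStorage.

// The slides' extraction: everything after "name=" in document.URL, fragment included.
function naiveName(documentURL) {
  const pos = documentURL.indexOf("name=") + 5;
  return documentURL.substring(pos, documentURL.length);
}

// Minimal HTML escaping for the five characters that matter in text and attribute context.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened greeting: read only the query string (the fragment is ignored) and
// escape before the value reaches an HTML sink. In a real page, prefer
// elem.textContent = "Hello, " + name, which involves no HTML parsing at all.
function safeGreeting(documentURL) {
  const name = new URL(documentURL).searchParams.get("name") || "guest";
  return "Hello, " + escapeHTML(name);
}

// What the server can see: path and query only; the fragment never leaves the browser,
// which is why the "#?name=" attack is invisible to server-side filtering and logs.
function serverVisiblePart(documentURL) {
  const u = new URL(documentURL);
  return u.pathname + u.search;
}

// Stored variant (slide 10): the value survives in Web Storage, so escape at the
// sink on every read, not only at registration time.
function register(documentURL, store) {
  store.name = new URL(documentURL).searchParams.get("name") || "";
}
function welcomeHTML(store) {
  return "Hello, " + escapeHTML(store.name || "guest");
}
```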

Page 11: Client-side JavaScript Vulnerabilities


So, how common are client-side JavaScript issues?

Page 12: Client-side JavaScript Vulnerabilities


(Lack of) Statistics on Client-Side JS Issues

• Two options for gathering statistics
 – Automated discovery
 – Manual discovery

• Automated tools
 – Dynamic analysis tools only uncover ~30%
 – Static analysis tools struggle with dynamic code (AJAX)

• Manual code review is hell – have you seen JavaScript lately?


Page 13: Client-side JavaScript Vulnerabilities


Introducing JavaScript Security Analyzer

Page 14: Client-side JavaScript Vulnerabilities


What is JSA?

The first and only tool to automatically detect client-side issues such as:

DOM-based XSS

Phishing through Open Redirect

HTML5 Notification API Phishing

HTML5 Web Storage API Poisoning

HTML5 Client-side SQL Injection

HTML5 Client-side Stored XSS

HTML5 Web Worker Script URL Manipulation

Email Attribute Spoofing

(Slide graphic: de-obfuscation, HTML5, string analysis)

Page 15: Client-side JavaScript Vulnerabilities


Using JavaScript Security Analyzer

Zero configuration required

Super-simple

Super-fast

Page 16: Client-side JavaScript Vulnerabilities


Viewing JSA Results in AppScan Standard (AppScan Standard – Scan Results)

(Screenshot callouts: vulnerable URL and line of code; tainted data flow information)

Page 17: Client-side JavaScript Vulnerabilities


Let's try again…

How common are client-side JavaScript issues?

Page 18: Client-side JavaScript Vulnerabilities


Using JSA, we ran research on real sites

Fortune 500

175 Most popular sites

Non-obtrusive automated review

Manually verified results

Scary outcome…

Page 19: Client-side JavaScript Vulnerabilities


169,443 total pages

90,929 unique pages

1,659 pages with vulnerabilities

Likelihood of a web page being vulnerable: 1 in 55

14.5% vulnerable

Page 20: Client-side JavaScript Vulnerabilities


Who wrote these vulnerabilities?

62% in house

38% 3rd party:

* Marketing campaign JavaScript snippets

* Flash embedding JavaScript snippets

* Social networking JavaScript snippets

* Deep linking JavaScript libraries for Flash and AJAX applications

Page 21: Client-side JavaScript Vulnerabilities


Issue Distribution

                 Sites Vulnerable   Total Issues
DOM-based XSS    92                 2370
Open Redirect    11                 221

Page 22: Client-side JavaScript Vulnerabilities


JavaScript is becoming prominent

Modern applications HTML5 AJAX Web2.0

Application logic is shifting to the client side

More code == more vulnerabilities

Happens when code relies on parts of the DOM that are hacker-controlled

Detection requires tedious manual work

AppScan with JSA can automate client-side issues detection

Page 23: Client-side JavaScript Vulnerabilities


Q & A

Page 24: Client-side JavaScript Vulnerabilities


Thank You

You can download the full whitepaper at: http://tinyurl.com/5w6koqj