Living in the RIA World

Similar documents
RKN 2015 Application Layer Short Summary

The goal of this book is to teach you how to use Adobe Integrated

Chrome Extension Security Architecture

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Exploring Chrome Internals. Darin Fisher May 28, 2009

Browser code isolation

Kaazing Gateway. Open Source HTML 5 Web Socket Server

The security of Mozilla Firefox s Extensions. Kristjan Krips

Writing Secure Chrome Apps and Extensions

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Web 2.0 Käyttöliittymätekniikat

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys

Firefox OS App Days. Overview and High Level Architecture. Author: José M. Cantera Last update: March 2013 TELEFÓNICA I+D

Content Security Policy

Build Native-like Experiences in HTML5

Eradicating DNS Rebinding with the Extended Same-Origin Policy

Adobe Flash Player Plugin Manual Install For Mac 10.2

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Web Application Penetration Testing

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Information Security CS 526 Topic 11

JOE WIPING OUT CSRF

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

PLATO Learning Environment (v2.0) System and Configuration Requirements

Tabular Presentation of the Application Software Extended Package for Web Browsers

Cross Site Request Forgery

W3Conf, November 15 & 16, Brad Scott

Neat tricks to bypass CSRF-protection. Mikhail

CSRF in the Modern Age

HTML5 VS NATIVE APP IS I

Chrome Conceptual Architecture Report

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Human vs Artificial intelligence Battle of Trust

Copyright is owned by the Author of the thesis. Permission is given for a copy to be downloaded by an individual for the purpose of research and

Founded the web application security lab

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

WHY CSRF WORKS. Implicit authentication by Web browsers

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Data Management CS 4720 Mobile Application Development

The Road to the Native Mobile Web. Kenneth Rohde Christiansen

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Acknowledgments... xix

Resources required by the Bidders & Department Officials to access the e-tendering System

vfire 9.9 Prerequisites Guide Version 1.1

RIA Security - Broken By Design. Joonas Lehtinen IT Mill - CEO

CS 155 Final Exam. CS 155: Spring 2012 June 11, 2012

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Salesforce1 Mobile Security White Paper. Revised: April 2014

PLATO Learning Environment System and Configuration Requirements

Match the attack to its description:

Flash Player Update Guide Windows 7 64 Bit Google Chrome

Adobe Flash Player Manual Firefox Mozilla Opera Chrome) 32-bit

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Sandboxing untrusted code: policies and mechanisms

JOE WIPING OUT CSRF

Fundamentals of Website Development

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Information Security CS 526 Topic 8

QuestionPoint chat The Guide to IE browser setup Last updated: 2013 Nov 12

AJAX: Rich Internet Applications

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

October 08: Introduction to Web Security

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Review of Mobile Web Application Frameworks

Version Release Date: September 5, Release Client Version: Release Overview 7 Resolved Issues 8 Known Issues 8

Case study on PhoneGap / Apache Cordova

Common Websites Security Issues. Ziv Perry

An Evaluation of the Google Chrome Extension Security Architecture

Chrome and IE comparisons

Origin Policy Enforcement in Modern Browsers

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Flex 3 Pre-release Tour

C1: Define Security Requirements

TECHNICAL WHITE PAPER AUGUST 2017 REVIEWER S GUIDE FOR VIEW IN VMWARE HORIZON 7: INSTALLATION AND CONFIGURATION. VMware Horizon 7 version 7.

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Beyond Cookies: Persistent Storage for Web Applications. Brad Neuberg Google

Hacking with WebSockets. Mike Shema Sergey Shekyan Vaagn Toukharian

EasyCrypt passes an independent security audit

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Base64 The Security Killer

SSL Connect Admin guide

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Trouble shooting. In case of any further queries / issues, please call our support team on the numbers provided below.

Q & A Support Document

Proposal for Virtual Web Browser by Using HTML5

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

Windows 10 Azure AD / EMS

Adobe Flash Player Bit Windows 7 Google Chrome

HTML5 Evolution and Development. Matt Spencer UI & Browser Marketing Manager

WebApp development. Outline. Web app structure. HTML basics. 1. Fundamentals of a web app / website. Tiberiu Vilcu

COMP9321 Web Application Engineering

Amadeus Selling Platform Connect

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Security Philosophy. Humans have difficulty understanding risk

Transcription:

Living in the RIA World Blurring the Line between Web and Desktop Security Andrew Becherer April 28, 2011 https://www.isecpartners.com

Agenda Introduction What is RIA? Why Use RIA? Frameworks Adobe AIR MS Silverlight An Aside on HTML 5 Attack Scenarios RIA vs the OS RIA vs the Web RIA vs RIA 2

Special Thanks Alex Stamos David Thiel Justine Osborne 3

Introduction Who am I? What is RIA? Why Use RIA?

Introduction Who are you? Senior Security Consultant at isec Partners Work in our application security consulting practice Based in Seattle 5

What Is RIA? As with much of Web 2.0 an ill defined category May contain some of the following features: AJAXy Flashiness Local Storage Machanisms Offline Mode Decoupling from the browser Access to lower level OS resources (sockets, hardware, devices) Our research has shown a huge disparity in features and security design 6

What Is RIA? Party like it s 1999 Constantly updating content Push! No more browsers 7

Why Use RIA? Web 2.0 no longer gets you VC funding Never learned any real programming languages To increase responsiveness distribute data stores between server and client Desktop integration take advantage of OS UI functionality In short, web developers can now write full desktop apps. This could be good or bad. 8

Why Use RIA? Make it possible to build desktop applications with Web technologies. -- Mozilla Chromeless Developers 9

RIA Frameworks? Adobe Air Microsoft Silverlight Google Gears (Now Defunct) Mozilla Chromeless (Successor to Mozilla Prism) 10

Frameworks Adobe Air Microsoft Silverlight HTML 5

Adobe Air Feature Runs Disconnected Standalone Application Privileged OS Access Can Launch Itself Local Data Storage Has an Installer Raw Network Sockets Cross-domain XHR Dedicated Session Management Can Talk to Calling DOM IPC Mechanisms Proper SSL Security Support Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported 12

Adobe Air Full-featured desktop runtime based upon Adobe Flash technology Cross-browser, cross-platform Applications can be created with: Adobe Flex 3 Adobe Flash CS3 HTML and JS using free tools AIR intended to be more powerful than a browserbased RIA There is no sandbox around the application AIR apps run with the full powers of the user 13

Adobe Air So it s just like a Win32 program in the eyes of a security analyst? Um, not really Power of AIR is the I in RIA Can be invoked by browser with arguments, like ActiveX or Flash Has many native mechanisms for loading external content Highly likely that developers will utilize Internet content That s the point. 14

Adobe Air AIR is best thought of as an ActiveX analogue and not like Flash++ Code runs with full privileges, can install malware Native mechanisms allow for interaction with untrusted world Fortunately, Adobe has seemed to learn some lessons from ActiveX 15

Adobe Air By default, code included in AIR application has full rights New functionality in privileged APIs added to JavaScript and ActionScript Some restrictions on interacting with desktop in AIR 1.0 Existing capabilities can be chained to run native code Rumors of additional native code capabilities in future releases 16

Adobe Air AIR Applications are identified by an appid and pubid pubid calculated from developer personal information and certificate 17

Adobe Air SWF files can import functionality that allows them to interact with AIR applications. From Adobe: airswfloader.load(new URLRequest("http://airdownload.adobe.com/ browserapi/air.swf"), loadercontext); 18

Adobe Air With airswf classes, the SWF can check on the application s install status and version airswf.getapplicationversion(appid, pubid, versiondetectcallback); 19

Adobe Air Now that we know the version, we can instantiate airswf.launchapplication(appid, pubid, arguments); 20

Adobe Air By default, code included in AIR application has full rights New functionality in privileged APIs added to JavaScript and ActionScript Some restrictions on interacting with desktop in AIR 1.0 Existing capabilities can be chained to run native code Rumors of additional native code capabilities in future releases 21

Adobe Air No code access security model as understood on other systems, such as Java or.net Instead, five pre-defined sandboxes with fixed capabilities Application Full perms. Default for code included with AIR app Remote Code downloaded from internet. Browserlike permissions Three intermediate permissions for local SWFs 22

Adobe Air AIR has many ways of loading executable content to run, such as HTML/JS and SWFs Also many ways of getting external untrusted data Network traffic Arguments from browser invocation Command line arguments Application Sandbox Is not supposed to be able to dynamically generate code eval() is best example in JS Goal is to eliminate XSS and injection attacks that have plagued Flash apps that have more kick with local privileges 23

Adobe Air Default for remotely loaded code is Remote sandbox Cannot access new dangerous classes, like FileStream() Can access eval() and other dynamic methods Can be granted cross-domain XHR Should be sufficient for most of the content developers would want from Internet, such as HTML or movie SWFs 24

Adobe Air Seems like a reasonable security precaution. How will web developers circumvent it? They can look for mistakes in Adobe s classification of methods Better yet, use a Sandbox Bridge Official method of moving data between sandboxes An application can attach functions or variables to an object available from multiple sandboxes Documented as passing by value, not reference, although this doesn t jive with how functions work 25

Adobe Air First parent sets up Sandbox Bridge Var highrightsstuff = {}; highrightsstuff.writetofile = function(name, content) { //Write to f i l e with air.filestream } document.getelementbyid("child").contentw indow.parentsandboxbridge = highrightsstuff ; 26

Adobe Air Then child code (in a IFRAME) can access the function window.parentsandboxbridge.writetofile(name, content); 27

Adobe Air Can be installed via external binary or inside of Flash: 28

Adobe Air AIR applications can be bundled as binaries (*.air) Can also be installed by a web page from inside a SWF var url:string = "http://www.cybervillains.com/malware.air"; var runtimeversion:string = "1.0" ; var arguments:array = ["launchfrombrowser"]; airswf.installapplication(url, runtimeversion, arguments); Creates an Open/Save prompt 29

Adobe Air Adobe supports signing AIR applications with commercial certificates Gives you this prompt: 30

Adobe Air Unfortunately, they also support self-signed certificates Gives you this prompt: 31

Adobe Air Actually, looks more like pre-ie7 ActiveX What am I complaining about? They give the correct information True, but so did ActiveX Allowing users to install signed applets is dangerous enough Allowing self-signed (which is same as unsigned) is terrifying The popularity of ActiveX in IE5 and IE6 and the ability of web sites to pop open infinite prompts made it the premier malware seeding mechanism Adobe Flash is more popular than IE ever was It s almost impossible to install ActiveX now. That s not an accident. 32

Silverlight Feature Runs Disconnected Standalone Application Privileged OS Access Can Launch Itself Local Data Storage Has an Installer Raw Network Sockets Cross-domain XHR Dedicated Session Management Can Talk to Calling DOM IPC Mechanisms Proper SSL Security Support Supported Not Supported Not Supported Not Supported Supported Supported Supported Supported Not Supported Supported Not Supported Supported 33

Silverlight Cross browser plugin comparable in functionality to Flash Subset of the.net framework 34

Silverlight Silverlight Bits.XAP.ZIP container for Silverlight apps XAML Extensible Application Markup Language CoreCLR CLR for.net lite (simplified CAS) XBAP XAML Browser Applications (CAS) Managed Controls System.Windows.Forms UserControl subclasses (CAS) 35

Silverlight 36

Silverlight 37

Silverlight Silverlight s simplified Code Access Security SecurityTransparent Silverlight developer code, code sans attribute SecuritySafeCritical New bridge code from Microsoft SecurityCritical Slimmed.NET 3 38

Silverlight This code will fail 39

Silverlight This code will work 40

Silverlight This code will fail 41

Silverlight Isolated Storage The default storage quota is 1 MB per application Storage is isolated per AppDomain 42

Silverlight Administrators can deny local storage 43

Silverlight Network Sockets TCP socket connections, limited port range 4502-4534 Requires clientaccesspolicy.xml (even to host of origin) 44

Silverlight Crossdomain access and access to hosting DOM can be configured: clientaccesspolicy.xml and crossdomain.xml Application manifest Object parameters passed to plugin enablehtmlacess = false (default setting for cross-domain) 45

HTML 5 Feature Runs Disconnected Standalone Application Privileged OS Access Can Launch Itself Local Data Storage Has an Installer Raw Network Sockets Cross-domain XHR Dedicated Session Management Can Talk to Calling DOM IPC Mechanisms Proper SSL Security Support Not Supported Not Supported Not Supported Not Supported Supported Not Supported Supported Supported Not Supported Supported Not Supported Supported 46

HTML 5 The standards-based approach Introduces DOM storage sessionstorage and localstorage sessionstorage stores arbitrary amounts of data for a single session localstorage persists beyond the session never expires, limited to 5M Database storage via opendatabase() All expected to be same-origin 47

HTML 5 The major goals of DOM storage more storage space and real persistence Cookies considered too small Users delete cookies, or won t accept them DOM storage bypasses pesky users However, pesky users can use: about:config dom.storage.enabled = false 48

HTML 5 Injection attacks become far more damaging when you can insert code like this: 49

HTML 5 and Firefox Cross-Site XMLHttpRequest removed in late Firefox 3 betas, but returned in Firefox 3.5 and is in Firefox 4 globalstorage FF2 has weak same-origin restrictions FF2 and FF3 both omit any UI to view/change/delete Deprecated in HTML 5 for localstorage The RIA world is totally SQL-happy Downloads, cookies, form history, search history, etc, all stored in local SQLite databases Why?? This data isn t relational. 50

HTML 5 and Webkit Used in Chrome, Safari, iphone, Android, Konqueror, and AIR Supports HTML 5 DOM storage mechanisms Early adopter of local database objects Particularly crucial on mobile devices, where storage is at a premium 51

DoS Risk with HTML 5 5M per origin for database objects 5M per origin for localstorage 5M per origin for globalstorage (in Firefox) Thankfully, no one has hundreds of thousands of origins Except anyone with wildcard DNS Trivial storage exhaustion attacks possible Even more so for mobile devices based on WebKit plus, storage and RAM are often pooled on these Almost no exposed UI to disable this 52

DoS Risk with HTML 5 Attacker sets up or compromises web server with wildcard DNS Upon page visitation of the main virtual host, an IFRAME loads which runs Javascript like this: 53

DoS Risk with HTML 5 Each request loads a page instantiating globalstorage and/or localstorage and database objects Fill the victim s hard drive with incriminating evidence base64-encoded images/files, etc... 54

HTML 5 Future Features WebSocket is a technology providing for bidirectional, full-duplex communications channels, over a single Transmission Control Protocol (TCP) socket. Cross-document messaging Much, much more 55

Attack Scenarios RIA vs the OS RIA vs the Web RIA vs RIA

RIA vs the OS All of these frameworks expand the capabilities to store data locally Introduce privacy/tracking concerns DoS risk against desktops and mobile devices 57

RIA vs the OS Adobe AIR is a desktop application framework AIR can easily seed malware The effectiveness of malware attacks will be directly related to the popularity of the platform and the ease of install Large media attack surfaces pose another option 58

RIA vs the Web Most RIA frameworks and HTML 5 include mechanisms for SQL-based storage XSS now has access to huge, easily retrievable data stores, often pre-login Retrieving query parameters from untrusted sources can now leads to SQL injection CSRF from the RIA app to the browser usually still possible Silverlight and AIR accept input from calling sites, opening Flash-like XSS and XSF vulns 59

RIA vs RIA In the case of Mozilla Prism and Chromeless, sandboxed apps can affect each other, and the browser Done improperly, multiple frameworks allow for bridging apps, breaking outside of the sandbox Mozilla Prism and Chromeless allows for developer foot-shooting by letting web pages talk to Chrome[4] 60

RIA Checklist for Developers Prevent predictably named data stores use a peruser GUID embedded in dynamically generated page Parameterize SQL statements Lock your app to your domain if possible Beware of passed-in arguments. Don t use them in JavaScript or to fetch URLs Be very careful with sandbox bridging. Don t get cute about bypassing AIR security model or crossing Mozilla unprivileged/unprivileged code boundaries Use Flex or Flash if you don t need local power of AIR...and you probably don t 61

RIA Checklist for Administrators Disallow install of RIA frameworks without legitimate business need For Windows, GPO can disable per CLSID Once installed, IEAK becomes useless in enforcing policy in alternative installers Discourage development teams from using RIA unnecessarily Understand local framework settings that you can set remotely Disable self-signed AIR install Block blobs at border proxy if necessary 62

RIA Checklist for Users Don t install frameworks you don t need Use NoScript or equivalent to block JS/Flash/Silverlight instantiation except when you want it Read install boxes carefully Buy gold, guns, and canned food 63

RIA Checklist for Software Testers Identify parameters used on instantiation Ensure SQL statements are parameterized Data stores not subject to same-origin ensure proper GUIDs are used Check for limits on storage mechanism invocations Identify mechanisms used for letting the app framework talk directly to page content Make people use SSL! 64

Conclusion

Conclusion RIA frameworks widely differ in their security models It is highly likely that web developers will introduce interesting flaws into their desktop applications The Web is becoming less standardized, more complex, and much more dangerous 66

Thank you for coming! andrew@isecpartners.com 67

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback