Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

Similar documents
but all was not good Same Origin Policy

WEB SECURITY: XSS & CSRF

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Security. CSC309 TA: Sukwon Oh

Web basics: HTTP cookies

Application vulnerabilities and defences

Chrome Extension Security Architecture

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

25 Million Flows Later Large-scale Detection of DOM-based XSS. CCS 2013, Berlin Sebastian Lekies, Ben Stock, Martin Johns

RKN 2015 Application Layer Short Summary

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Code-Reuse Attacks for the Web: Breaking XSS mitigations via Script Gadgets

CIS 4360 Secure Computer Systems XSS

WHY CSRF WORKS. Implicit authentication by Web browsers

So we broke all CSPs. You won't guess what happened next!

Content Security Policy

Robust Defenses for Cross-Site Request Forgery Review

Secure Coding and Code Review. Berlin : 2012

Protecting users against XSS-based password manager abuse. AsiaCCS 2014, Kyoto Ben Stock, Martin Johns

Eradicating DNS Rebinding with the Extended Same-Origin Policy

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

CSC 482/582: Computer Security. Cross-Site Security

Web Security. Aggelos Kiayias Justin Neumann

Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft

More attacks on clients: Click-jacking/UI redressing, CSRF

Web Security. Thierry Sans

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Attacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.

CS 161 Computer Security

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Exploiting and Defending: Common Web Application Vulnerabilities

ESORICS September Martin Johns

Robust Defenses for Cross-Site Request Forgery

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Web Security: Vulnerabilities & Attacks

HTTP Security Headers Explained


Extending the browser to secure applications

Browser code isolation

Information Security CS 526 Topic 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Penetration Test Report

Human vs Artificial intelligence Battle of Trust

EasyCrypt passes an independent security audit

Information Security CS 526 Topic 8

Web Security Computer Security Peter Reiher December 9, 2014

Real-world security analyses of OAuth 2.0 and OpenID Connect

Web Security II. Slides from M. Hicks, University of Maryland

CSCE 813 Internet Security Case Study II: XSS

s642 web security computer security adam everspaugh

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

last time: command injection

Application Security through a Hacker s Eyes James Walden Northern Kentucky University


Standard 1 The student will author web pages using the HyperText Markup Language (HTML)

CS 142 Winter Session Management. Dan Boneh

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

HTML5: Something wicked this way comes. Krzysztof Kotowicz Securing

Web security: an introduction to attack techniques and defense methods

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Web Application Security. Philippe Bogaerts

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

XSSFor the win! What can be really done with Cross-Site Scripting.

CSCD 303 Essential Computer Security Fall 2018

OWASP TOP 10. By: Ilia

Web Security: Loose Ends

Computer Security CS 426 Lecture 41

Robust Defenses for Cross-Site Request Forgery

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

OpenID Security Analysis and Evaluation

RIA Security - Broken By Design. Joonas Lehtinen IT Mill - CEO

Security for the Web. Thanks to Dave Levin for some slides

Lecture Notes on Safety and Information Flow on the Web: II

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Match the attack to its description:

Cookie Security. Myths and Misconceptions. David Johansson OWASP London 30 Nov. 2017

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Security for the Web. Thanks to Dave Levin for some slides

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

Build Native-like Experiences in HTML5

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Web Security. Luke Anderson. 26 th May University Of Sydney.

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Contents. xvii xix xxiil. xxvii

F5 Application Security. Radovan Gibala Field Systems Engineer

Transcription:

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies (@slekies) / Ben Stock (@kcotsneb) Martin Johns (@datenkeller)

Agenda The Same-Origin Policy Cross-Site Script Inclusion (XSSI) Generalizing XSSI Dynamic JavaScript files Leaking sensitive data from a JS file Empirical Study Methodology Results Conclusion

The Same-Origin Policy http://attacker.org/ http://gmail.com/ Server Client Browser http://attacker.org/ HTML JavaScript Same-Origin Policy The Same-Origin policy restricts communication of active content to objects that share the same origin. The origin is, hereby, defined by the protocol, the port and the host used to retrieve the object.

The Same-Origin Policy for JavaScript Inclusion of third-party scripts necessary Advertisement, jquery,... Same-Origin Policy relaxed for script inclusion Included code inherits origin of including site both work on same global scope

JSON aka JavaScript Hijacking (2006) https://attacker.org https://gmail.com Browser http://attacker.org/ <script> // Override Array constructor. function Array() { // Steal data here. } </script> <script src="//gmail.com/contact.json ></script> [ ] [ "ct, John Doe", "foo@gmail.com ], [ "ct, Jane Doe", "bar@gmail.com ] contacts.json

Cross-Site Script Inclusion (XSSI) Previous attacks enabled by browser quirks Idea: find other ways to leak private data Are there dynamic JavaScript files? If so, do these files contain user data? Can this data be leaked in a similar way?

Methodology Detection of dynamic JavaScript files Browser http://vuln.com/ http://vuln.com <script src= /dynamic.js ></script>

Methodology Registered accounts with 150 popular sites We investigated each site by seeding the accounts with personalized data thoroughly interacting with the site with our extension manually investigating the dynamic scripts

Empirical Study Are there JavaScript files that contain user data? No. of Domains Total data set 150 Dynamic scripts based on cookies 49 Contained unique identifiers 34 Contained other personal data 15 Contained CSRF or auth tokens 7

Cross-Site Script Inclusion http://attacker.org/ Browser http://attacker.org/ http://vuln.com/ <script src="//vuln.com/dynamic.js ></script>

Cross-Site Script Inclusion Leaking data stored in global variables // local variable at top level var first_name = "John"; dynamic.js // variable missing the "var" keyword last_name = "Doe"; // global variable window.user_email = "john@doe.com"; attacker.js console.log(first_name); // John console.log(last_name); // Doe console.log(user_email); // john@doe.com

Cross-Site Script Inclusion Leaking data via global functions function example() { var email = john@doe.com"; dynamic.js window.mylibrary.dosomething(email); }; example(); attacker.js window.mylibrary = {}; window.mylibrary.dosomething = function(email) { console.log(email); };

Empirical Study - Analysis Can data within JavaScript files be leaked across origin? No. of Domains Dynamic scripts based on cookies 49 40 Contained unique identifiers 34 28 Contained other personal data 15 11 Contained CSRF or auth tokens 7 4 Exploitable

DEMO a.k.a. we are feeling lucky

Empirical Study - Case Studies XSSI -> CSRF -> XSS -> Facebook post A news site hosted a script containing the CSRF token The CSRF token enabled us to send profile change requests In the profile page there was a XSS A Facebook auth token was stored inside a cookie Taking over an account at a file hosting service Utilized an Ajax driven Web UI An authentication token was required for these XHRs The token was provided inside a script file

Preventing XSSI Vulnerabilities Our attacks are not based on browser-quirks Hence, they cannot be fixed on a browser level It is very difficult to craft a dynamic script not prone to the attack Prevent script files from being included by a third-party Solution 1: Strict referrer checking (error-prone) Solution 2: Use secret tokens Separate JavaScript code from sensitive data Create static JS files and load data dynamically at run time The data service can be protected via the SOP

XSSI and Content Security Policy Recap: CSP is a mechanism for preventing XSS by white listing trusted JavaScript requires all inline scripts to be externalized into script includes Dynamic inline scripts are not prone to XSSI Externalizing the script makes it vulnerable to XSSI Do not blindly move script to external files CSP might make XSSI more wide-spread

Conclusion We investigated the security of dynamic JavaScript files Dynamic generation of JS is wide-spread Many dynamic JS files include information based on a user s session Data contained inside script files can be accessed across origins We conducted a study on 150 popular sites One third of these sites use dynamic scripts 80% of these sites were vulnerable to XSSI Consequences range from privacy issues up to full account compromise Introducing CSP will likely make the problem worse

Questions? kittenpics.org Sebastian Lekies @slekies Ben Stock @kcotsneb Martin Johns @datenkeller

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback