SlideShare une entreprise Scribd logo

Client-side JavaScript Vulnerabilities

Télécharger en tant que PPTX, PDF
Ory Segal
Ory Segal

Automatically detecting client side JavaScript vulnerabilities using IBM Rational AppScan and JavaScript Security Analyzer (hybrid analysis)

Technologie
1  sur  24
Client-side JavaScript Security vulnerabilities The Twilight Zone of Web Application Security Ory Segal Security Products Architect, Rational
ORY SEGAL Security products architect, Rational AppScan product manager Web Application Security Consortium officer Contributor (WASC, MITRE, NIST, OWASP) Renowned application security expert AppScan
From server to client side – The migration story of web application logic
1990 <HTML> Capable of presenting only text and hyperlinks 1993 <IMG> Embedded images in web pages (3rd. Party allowed) 1995 <SCRIPT> JavaScript enables programmatic modifications to HTML 1996 <IFRAME> Embeds a page within a page (3rd party contents) <EMBED> Embed an Adobe Flash file for animation 1999 Client-side API (e.g. JS). Send & receive HTTP traffic programmatically, without refreshing the entire page XHR Fetch data asynchronously using XHR reducing the time spent waiting on page loads. Desktop app look & feel AJAX 2005 Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, … HTML5 & APIs 2011
Logic is Migrating from Server to Client… We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
Client-side JavaScript Security Issues
DOM-Based Cross-site Scripting A type of XSS (the third type after “Reflected” & “Stored”) Application doesn’t need to echo back user input like in Type I & Type II We poison a DOM element, which is used in JavaScript code Example http://www.vuln.site/welcome.html?name=Ory 1:<HTML>2: <TITLE>Welcome!</TITLE>3: Hi4: <SCRIPT>5: var pos = document.URL.indexOf("name=") + 5; 6: document.write(document.URL.substring(pos,document.URL.length)); 7: </SCRIPT> <BR/>8: Welcome to our system 9:</HTML> Source : document.URL Sink : document.write() Results : document.write("Ory")
DOM-Based Cross-site Scripting Attack Example http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script> 1: <HTML>2: <TITLE>Welcome!</TITLE>3: Hi4: <SCRIPT>5: var pos = document.URL.indexOf("name=") + 5; 6: document.write(document.URL.substring(pos,document.URL.length)); 7: </SCRIPT> <BR/>8: Welcome to our system 9: </HTML> Source : document.URL Sink : document.write() Results : document.write("<script>alert('hacked')</script>") ,[object Object]
Hacker controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc.,[object Object]
Stored DOM-Based Cross-Site Scripting Exploiting HTML5 localStorage API ... 17: var pos = document.URL.indexOf("name=") + 5; 18: varyourName = document.URL.substring(pos,document.URL.length) 19: decodeURI(yourName); 20: window.localStorage.name = yourName; 21: } ... welcome register ... 3: <div id="header"></div> 4: <script> 5: varelem = document.getElementById("header"); 6: varname = window.localStorage.name; 7: elem.innerHTML = "Hello, " + name; 8: </script> ... Source : document.URL Storage : window.localStorage.name Sink : elem.innerHTML Results : elem.innerHTML = <value_of_name_parameter>
So, how common are client-side JavaScript issues?
(Lack of) Statistics on Client-Side JS Issues Two options for gathering statistics Automated discovery Manual discovery Automated tools Dynamic analysis tools only uncover ~30% Static analysis tools struggle with dynamic code (AJAX) Manual code review is hell – have you seen JavaScript lately? dojo._xdReset();if(dojo["_xdDebugQueue"]&&dojo._xdDebugQueue.length>0){dojo._xdDebugFileLoaded();}else{dojo._xdNotifyLoaded();}};dojo._xdNotifyLoaded=function(){for(var _99 in dojo._xdInFlight){if(typeofdojo._xdInFlight[_99]=="boolean"){return;}} dojo._inFlightCount=0;if(dojo._initFired&&!dojo._loadNotifying){dojo._callLoaded();}};if(typeof window!="undefined"){dojo.isBrowser=true;dojo._name="browser";(function(){var d=dojo;if(document&&document.getElementsByTagName){var _9a=document.getElementsByTagName("script");var _9b=/dojo(xd)?js(|$)/i;for(vari=0;i<_9a.length;i++){varsrc=_9a[i].getAttribute("src");if(!src){continue;}var m=src.match(_9b);if(m){if(!d.config.baseUrl) {d.config.baseUrl=src.substring(0,m.index);}varcfg=_9a[i].getAttribute("djConfig");if(cfg){var _9c=eval("({ "+cfg+" })");for(var x in _9c){dojo.config[x]=_9c[x];}}break;}}}d.baseUrl=d.config.baseUrl;var n=navigator;vardua=n.userAgent,dav=n.appVersion, tv=parseFloat(dav);if(dua.indexOf("Opera")>=0){d.isOpera=tv;}if(dua.indexOf("AdobeAIR")>=0){d.isAIR=1;}d.isKhtml=(dav.indexOf("Konqueror")>=0)?tv:0;d.isWebKit=parseFloat(dua.split("WebKit/")[1])||undefined;d.isChrome=parseFloat(dua.split("Chrome/")[1])||undefined;d.isMac=dav.indexOf("Macintosh")>=0;var _9d=Math.max(dav.indexOf("WebKit"),dav.indexOf("Safari"),0);if(_9d&&!dojo.isChrome) {d.isSafari=parseFloat(dav.split("Version/")[1]);if(!d.isSafari||parseFloat(dav.substr(_9d+7))<=419.3){d.isSafari=2;}}if(dua.indexOf("Gecko")>=0&&!d.isKhtml&&!d.isWebKit){d.isMozilla=d.isMoz=tv;}if(d.isMoz){d.isFF=parseFloat(dua.split("Firefox/")[1]||dua.split("Minefield/")[1])||undefined;}if(document.all&&!d.isOpera){d.isIE=parseFloat(dav.split("MSIE ")[1])||undefined;var _9e=document.documentMode;if(_9e&&_9e!=5&&Math.floor(d.isIE)!=_9e){d.isIE=_9e;}}if(dojo.isIE&&window.location.protocol==="file:") {dojo.config.ieForceActiveXXhr=true;}d.isQuirks=document.compatMode=="BackCompat";d.locale=dojo.config.locale||(d.isIE?n.userLanguage:n.language).toLowerCase();
Introducing JavaScript Security Analyzer
What is JSA? 1st and only to auto-detect client-side issues such as: DOM-based XSS Phishing through Open Redirect HTML5 Notification API Phishing HTML5 Web Storage API Poisoning HTML5 Client-side SQL Injection HTML5 Client-side Stored XSS HTML5 Web Worker Script URL Manipulation Email Attribute Spoofing 48656C6C6F20576F726C642148656C6C6F20576F726C642148656C6C6F20576F726C642x48656C6C6F20576F726C642148656C6C6F20576F726C642148656C6C6F20576F726C642148656C6C6F20576F726C6421asiudasdfiuashdofuiashdofuiashdfoiasuhdfoasuidfhoasdufhasodfuihasodfuihasodfiuhasdofiuahsdfouiashdfouashdfoasuidhfoasiudhfasoidf[‘epqwkrqpw9k45032452309450we09f9c90asdkf0q9wkerq2w34123aspasdfoiasdpfoiasjdfpoiasjdfpoaisjdfp;asoidfjas;dfoijasd;fioajsdf;ioasjdf;aosidfja;soidfjasd;fiajsdf;asijdf;asidfjas;dfiojasd;fijdsf;oaisjdf;asifdjas;difjas;dfioajsd;foiasjdf;iasojdf;asiodfjas;dfoijasoifjpas DE-OBFUSCATION STRING /* analysis */ HTML5 Analysis Hybrid
Using JavaScript Security Analyzer Zero configuration required Super-simple Super-fast
16 Viewing JSA Results in AppScan Standard AppScan Standard – Scan Results Vulnerable URL and line of code Tainted data flow information
Lets try again…How common are client-side JavaScript issues?
Using JSA we ran a research on real sites Fortune 500 175 Most popular sites Non-obtrusive automated review Manually verified results Scary outcome…
14.5% Vulnerable 169,443 Total Pages 90,929 Unique Pages 1659 Pages with Vulnerabilities Likelihood for a web page to be vulnerable is 1 : 55
Who wrote these vulnerabilities? 62% In house 38% 3rd Party ,[object Object]
Flash embedding JavaScript snippets
Social networking JavaScript snippets
Deep linking JavaScript libraries for Flash and AJAX applications,[object Object]
JavaScript is becoming prominent Modern applications HTML5 AJAX Web2.0 Application logic is shifting to client-side More code == more vulnerabilities Happens when code relies on parts of the DOM that are hacker-controlled Detection requires tedious manual work AppScan with JSA can automate client-side issues detection

Recommandé

Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript SecurityJason Harwig
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 

Recommandé

Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript SecurityJason Harwig
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupAdam Caudill
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.n|u - The Open Security Community
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Positive Hack Days
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Java script security for java developers
Java script security for java developersJava script security for java developers
Java script security for java developersJohann-Peter Hartmann
 
Testing web application firewalls (waf) accuracy
Testing web application firewalls (waf) accuracyTesting web application firewalls (waf) accuracy
Testing web application firewalls (waf) accuracyOry Segal
 

Contenu connexe

Tendances

Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentationreza jalaluddin
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Positive Hack Days
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 

Tendances (20)

Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirty
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentation
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 

En vedette

Java script security for java developers
Java script security for java developersJava script security for java developers
Java script security for java developersJohann-Peter Hartmann
 
Testing web application firewalls (waf) accuracy
Testing web application firewalls (waf) accuracyTesting web application firewalls (waf) accuracy
Testing web application firewalls (waf) accuracyOry Segal
 
Kyberterorismus a hacktivismus
Kyberterorismus a hacktivismusKyberterorismus a hacktivismus
Kyberterorismus a hacktivismusTereza Simandlová
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeNishant Das Patnaik
 
Jsme vidět? Česká open access komunita
Jsme vidět? Česká open access komunitaJsme vidět? Česká open access komunita
Jsme vidět? Česká open access komunitaTereza Simandlová
 
Exploiting Php With Php
Exploiting Php With PhpExploiting Php With Php
Exploiting Php With PhpJeremy Coates
 
Client side exploits
Client side exploitsClient side exploits
Client side exploitsnickyt8
 
How to break web applications
How to break web applicationsHow to break web applications
How to break web applicationsDinis Cruz
 
Alphorm.com Formation Hacking et Sécurité, l'essentiel
Alphorm.com Formation Hacking et Sécurité, l'essentielAlphorm.com Formation Hacking et Sécurité, l'essentiel
Alphorm.com Formation Hacking et Sécurité, l'essentielAlphorm
 

En vedette (15)

Java script security for java developers
Java script security for java developersJava script security for java developers
Java script security for java developers
 
Testing web application firewalls (waf) accuracy
Testing web application firewalls (waf) accuracyTesting web application firewalls (waf) accuracy
Testing web application firewalls (waf) accuracy
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
Client & server side scripting
Client & server side scriptingClient & server side scripting
Client & server side scripting
 
Kyberterorismus a hacktivismus
Kyberterorismus a hacktivismusKyberterorismus a hacktivismus
Kyberterorismus a hacktivismus
 
JavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrimeJavaScript Static Security Analysis made easy with JSPrime
JavaScript Static Security Analysis made easy with JSPrime
 
Jsme vidět? Česká open access komunita
Jsme vidět? Česká open access komunitaJsme vidět? Česká open access komunita
Jsme vidět? Česká open access komunita
 
Exploiting Php With Php
Exploiting Php With PhpExploiting Php With Php
Exploiting Php With Php
 
App Retargeting and Re-engagement Success Stories
App Retargeting and Re-engagement Success StoriesApp Retargeting and Re-engagement Success Stories
App Retargeting and Re-engagement Success Stories
 
Client Side Exploits using PDF
Client Side Exploits using PDFClient Side Exploits using PDF
Client Side Exploits using PDF
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
Zalora
ZaloraZalora
Zalora
 
How to break web applications
How to break web applicationsHow to break web applications
How to break web applications
 
WeChat
WeChatWeChat
WeChat
 
Alphorm.com Formation Hacking et Sécurité, l'essentiel
Alphorm.com Formation Hacking et Sécurité, l'essentielAlphorm.com Formation Hacking et Sécurité, l'essentiel
Alphorm.com Formation Hacking et Sécurité, l'essentiel
 

Similaire à Client-side JavaScript Vulnerabilities

Accelerated Adoption: HTML5 and CSS3 for ASP.NET Developers
Accelerated Adoption: HTML5 and CSS3 for ASP.NET DevelopersAccelerated Adoption: HTML5 and CSS3 for ASP.NET Developers
Accelerated Adoption: HTML5 and CSS3 for ASP.NET DevelopersTodd Anglin
 
IPhone Web Development With Grails from CodeMash 2009
IPhone Web Development With Grails from CodeMash 2009IPhone Web Development With Grails from CodeMash 2009
IPhone Web Development With Grails from CodeMash 2009Christopher Judd
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros DeveloperNyros Technologies
 
Migration testing framework
Migration testing frameworkMigration testing framework
Migration testing frameworkIndicThreads
 
ActiveWeb: Chicago Java User Group Presentation
ActiveWeb: Chicago Java User Group PresentationActiveWeb: Chicago Java User Group Presentation
ActiveWeb: Chicago Java User Group Presentationipolevoy
 
Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09Steve Souders
 
Android Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NC
Android Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NCAndroid Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NC
Android Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NCJim Tochterman
 
Widget Summit 2008
Widget Summit 2008Widget Summit 2008
Widget Summit 2008Volkan Unsal
 
Non Conventional Android Programming (English)
Non Conventional Android Programming (English)Non Conventional Android Programming (English)
Non Conventional Android Programming (English)Davide Cerbo
 
Non Conventional Android Programming En
Non Conventional Android Programming EnNon Conventional Android Programming En
Non Conventional Android Programming Enguest9bcef2f
 
Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersAndreCharland
 
Grails Introduction - IJTC 2007
Grails Introduction - IJTC 2007Grails Introduction - IJTC 2007
Grails Introduction - IJTC 2007Guillaume Laforge
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009marpierc
 
HTML5 Introduction
HTML5 IntroductionHTML5 Introduction
HTML5 Introductionbeforeach
 
Flash Security, OWASP Chennai
Flash Security, OWASP ChennaiFlash Security, OWASP Chennai
Flash Security, OWASP Chennailavakumark
 
Internet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyInternet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyChristian Thilmany
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Speed up your developments with Symfony2
Speed up your developments with Symfony2Speed up your developments with Symfony2
Speed up your developments with Symfony2Hugo Hamon
 
Building apps for multiple devices
Building apps for multiple devicesBuilding apps for multiple devices
Building apps for multiple devicesTerry Ryan
 

Similaire à Client-side JavaScript Vulnerabilities (20)

Accelerated Adoption: HTML5 and CSS3 for ASP.NET Developers
Accelerated Adoption: HTML5 and CSS3 for ASP.NET DevelopersAccelerated Adoption: HTML5 and CSS3 for ASP.NET Developers
Accelerated Adoption: HTML5 and CSS3 for ASP.NET Developers
 
Grails and Dojo
Grails and DojoGrails and Dojo
Grails and Dojo
 
IPhone Web Development With Grails from CodeMash 2009
IPhone Web Development With Grails from CodeMash 2009IPhone Web Development With Grails from CodeMash 2009
IPhone Web Development With Grails from CodeMash 2009
 
Silver Light By Nyros Developer
Silver Light By Nyros DeveloperSilver Light By Nyros Developer
Silver Light By Nyros Developer
 
Migration testing framework
Migration testing frameworkMigration testing framework
Migration testing framework
 
ActiveWeb: Chicago Java User Group Presentation
ActiveWeb: Chicago Java User Group PresentationActiveWeb: Chicago Java User Group Presentation
ActiveWeb: Chicago Java User Group Presentation
 
Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09Even Faster Web Sites at jQuery Conference '09
Even Faster Web Sites at jQuery Conference '09
 
Android Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NC
Android Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NCAndroid Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NC
Android Development w/ ArcGIS Server - Esri Dev Meetup - Charlotte, NC
 
Widget Summit 2008
Widget Summit 2008Widget Summit 2008
Widget Summit 2008
 
Non Conventional Android Programming (English)
Non Conventional Android Programming (English)Non Conventional Android Programming (English)
Non Conventional Android Programming (English)
 
Non Conventional Android Programming En
Non Conventional Android Programming EnNon Conventional Android Programming En
Non Conventional Android Programming En
 
Enterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript DevelopersEnterprise AIR Development for JavaScript Developers
Enterprise AIR Development for JavaScript Developers
 
Grails Introduction - IJTC 2007
Grails Introduction - IJTC 2007Grails Introduction - IJTC 2007
Grails Introduction - IJTC 2007
 
GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009GTLAB Installation Tutorial for SciDAC 2009
GTLAB Installation Tutorial for SciDAC 2009
 
HTML5 Introduction
HTML5 IntroductionHTML5 Introduction
HTML5 Introduction
 
Flash Security, OWASP Chennai
Flash Security, OWASP ChennaiFlash Security, OWASP Chennai
Flash Security, OWASP Chennai
 
Internet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian ThilmanyInternet Explorer 8 for Developers by Christian Thilmany
Internet Explorer 8 for Developers by Christian Thilmany
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Speed up your developments with Symfony2
Speed up your developments with Symfony2Speed up your developments with Symfony2
Speed up your developments with Symfony2
 
Building apps for multiple devices
Building apps for multiple devicesBuilding apps for multiple devices
Building apps for multiple devices
 

Dernier

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Dernier (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Client-side JavaScript Vulnerabilities

  • 1. Client-side JavaScript Security vulnerabilities The Twilight Zone of Web Application Security Ory Segal Security Products Architect, Rational
  • 2. ORY SEGAL Security products architect, Rational AppScan product manager Web Application Security Consortium officer Contributor (WASC, MITRE, NIST, OWASP) Renowned application security expert AppScan
  • 3. From server to client side – The migration story of web application logic
  • 4. 1990 <HTML> Capable of presenting only text and hyperlinks 1993 <IMG> Embedded images in web pages (3rd. Party allowed) 1995 <SCRIPT> JavaScript enables programmatic modifications to HTML 1996 <IFRAME> Embeds a page within a page (3rd party contents) <EMBED> Embed an Adobe Flash file for animation 1999 Client-side API (e.g. JS). Send & receive HTTP traffic programmatically, without refreshing the entire page XHR Fetch data asynchronously using XHR reducing the time spent waiting on page loads. Desktop app look & feel AJAX 2005 Canvas, Media, Offline storage, D&D, Geolocation, Local SQL, … HTML5 & APIs 2011
  • 5. Logic is Migrating from Server to Client… We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
  • 7. DOM-Based Cross-site Scripting A type of XSS (the third type after “Reflected” & “Stored”) Application doesn’t need to echo back user input like in Type I & Type II We poison a DOM element, which is used in JavaScript code Example http://www.vuln.site/welcome.html?name=Ory 1:<HTML>2: <TITLE>Welcome!</TITLE>3: Hi4: <SCRIPT>5: var pos = document.URL.indexOf("name=") + 5; 6: document.write(document.URL.substring(pos,document.URL.length)); 7: </SCRIPT> <BR/>8: Welcome to our system 9:</HTML> Source : document.URL Sink : document.write() Results : document.write("Ory")
  • 8.
  • 9.
  • 10. Stored DOM-Based Cross-Site Scripting Exploiting HTML5 localStorage API ... 17: var pos = document.URL.indexOf("name=") + 5; 18: varyourName = document.URL.substring(pos,document.URL.length) 19: decodeURI(yourName); 20: window.localStorage.name = yourName; 21: } ... welcome register ... 3: <div id="header"></div> 4: <script> 5: varelem = document.getElementById("header"); 6: varname = window.localStorage.name; 7: elem.innerHTML = "Hello, " + name; 8: </script> ... Source : document.URL Storage : window.localStorage.name Sink : elem.innerHTML Results : elem.innerHTML = <value_of_name_parameter>
  • 11. So, how common are client-side JavaScript issues?
  • 12. (Lack of) Statistics on Client-Side JS Issues Two options for gathering statistics Automated discovery Manual discovery Automated tools Dynamic analysis tools only uncover ~30% Static analysis tools struggle with dynamic code (AJAX) Manual code review is hell – have you seen JavaScript lately? dojo._xdReset();if(dojo["_xdDebugQueue"]&&dojo._xdDebugQueue.length>0){dojo._xdDebugFileLoaded();}else{dojo._xdNotifyLoaded();}};dojo._xdNotifyLoaded=function(){for(var _99 in dojo._xdInFlight){if(typeofdojo._xdInFlight[_99]=="boolean"){return;}} dojo._inFlightCount=0;if(dojo._initFired&&!dojo._loadNotifying){dojo._callLoaded();}};if(typeof window!="undefined"){dojo.isBrowser=true;dojo._name="browser";(function(){var d=dojo;if(document&&document.getElementsByTagName){var _9a=document.getElementsByTagName("script");var _9b=/dojo(xd)?js(|$)/i;for(vari=0;i<_9a.length;i++){varsrc=_9a[i].getAttribute("src");if(!src){continue;}var m=src.match(_9b);if(m){if(!d.config.baseUrl) {d.config.baseUrl=src.substring(0,m.index);}varcfg=_9a[i].getAttribute("djConfig");if(cfg){var _9c=eval("({ "+cfg+" })");for(var x in _9c){dojo.config[x]=_9c[x];}}break;}}}d.baseUrl=d.config.baseUrl;var n=navigator;vardua=n.userAgent,dav=n.appVersion, tv=parseFloat(dav);if(dua.indexOf("Opera")>=0){d.isOpera=tv;}if(dua.indexOf("AdobeAIR")>=0){d.isAIR=1;}d.isKhtml=(dav.indexOf("Konqueror")>=0)?tv:0;d.isWebKit=parseFloat(dua.split("WebKit/")[1])||undefined;d.isChrome=parseFloat(dua.split("Chrome/")[1])||undefined;d.isMac=dav.indexOf("Macintosh")>=0;var _9d=Math.max(dav.indexOf("WebKit"),dav.indexOf("Safari"),0);if(_9d&&!dojo.isChrome) {d.isSafari=parseFloat(dav.split("Version/")[1]);if(!d.isSafari||parseFloat(dav.substr(_9d+7))<=419.3){d.isSafari=2;}}if(dua.indexOf("Gecko")>=0&&!d.isKhtml&&!d.isWebKit){d.isMozilla=d.isMoz=tv;}if(d.isMoz){d.isFF=parseFloat(dua.split("Firefox/")[1]||dua.split("Minefield/")[1])||undefined;}if(document.all&&!d.isOpera){d.isIE=parseFloat(dav.split("MSIE ")[1])||undefined;var _9e=document.documentMode;if(_9e&&_9e!=5&&Math.floor(d.isIE)!=_9e){d.isIE=_9e;}}if(dojo.isIE&&window.location.protocol==="file:") {dojo.config.ieForceActiveXXhr=true;}d.isQuirks=document.compatMode=="BackCompat";d.locale=dojo.config.locale||(d.isIE?n.userLanguage:n.language).toLowerCase();
  • 14. What is JSA? 1st and only to auto-detect client-side issues such as: DOM-based XSS Phishing through Open Redirect HTML5 Notification API Phishing HTML5 Web Storage API Poisoning HTML5 Client-side SQL Injection HTML5 Client-side Stored XSS HTML5 Web Worker Script URL Manipulation Email Attribute Spoofing 48656C6C6F20576F726C642148656C6C6F20576F726C642148656C6C6F20576F726C642x48656C6C6F20576F726C642148656C6C6F20576F726C642148656C6C6F20576F726C642148656C6C6F20576F726C6421asiudasdfiuashdofuiashdofuiashdfoiasuhdfoasuidfhoasdufhasodfuihasodfuihasodfiuhasdofiuahsdfouiashdfouashdfoasuidhfoasiudhfasoidf[‘epqwkrqpw9k45032452309450we09f9c90asdkf0q9wkerq2w34123aspasdfoiasdpfoiasjdfpoiasjdfpoaisjdfp;asoidfjas;dfoijasd;fioajsdf;ioasjdf;aosidfja;soidfjasd;fiajsdf;asijdf;asidfjas;dfiojasd;fijdsf;oaisjdf;asifdjas;difjas;dfioajsd;foiasjdf;iasojdf;asiodfjas;dfoijasoifjpas DE-OBFUSCATION STRING /* analysis */ HTML5 Analysis Hybrid
  • 15. Using JavaScript Security Analyzer Zero configuration required Super-simple Super-fast
  • 16. 16 Viewing JSA Results in AppScan Standard AppScan Standard – Scan Results Vulnerable URL and line of code Tainted data flow information
  • 17. Lets try again…How common are client-side JavaScript issues?
  • 18. Using JSA we ran a research on real sites Fortune 500 175 Most popular sites Non-obtrusive automated review Manually verified results Scary outcome…
  • 19. 14.5% Vulnerable 169,443 Total Pages 90,929 Unique Pages 1659 Pages with Vulnerabilities Likelihood for a web page to be vulnerable is 1 : 55
  • 20.
  • 23.
  • 24. JavaScript is becoming prominent Modern applications HTML5 AJAX Web2.0 Application logic is shifting to client-side More code == more vulnerabilities Happens when code relies on parts of the DOM that are hacker-controlled Detection requires tedious manual work AppScan with JSA can automate client-side issues detection
  • 25. Q & A
  • 26. Thank You You can download the full whitepaper at: http://tinyurl.com/5w6koqj