SlideShare a Scribd company logo

Appsec usa2013 js_libinsecurity_stefanodipaola

D
drewz lin

This document summarizes Stefano di Paola's talk on security issues with JavaScript libraries. It discusses how jQuery's $() method can be considered a "sink" that executes HTML passed to it, including examples of XSS via jQuery selectors and AJAX calls. It also covers problems with JSON parsing regular expressions, AngularJS expression injection, and credentials exposed in URLs. Solutions proposed include validating all input, auditing third-party libraries, and moving away from approaches like eval() that execute untrusted code.

Technology
1 of 41
Download to read offline
JS Libraries Insecurity Appsec USA 2013 Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
/me whois • Research – OWASP-Italy Senior Member – Testing Guide Contributor – OWASP SWFIntruder – DOMinator (JavaScript Runtime Taint Engine) – Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) – Security Since '99 • Work – CTO @ Minded Security Application Security Consulting – Director of Minded Security Research Labs – Blog: http://blog.mindedsecurity.com – Twitter: @wisecwisec
Agenda • • • • • Intro JQuery JSON.js (OBG) AngularJS JS Libraries Management
About this talk • A wrap up of some interesting JS snippets • Reckless use of common libraries and third party scripts • Some unwitting one as well • Comes after 2.5 years developing/using DOMinator and DOMinatorPro
JQuery() is a Sink(?) • What's a Sink in Application Security? “..a function or method that can be considered unsecure when one of its arguments come from an untrusted input and is not correctly validated according to the layer the function is going to communicate to.“ • C's strcpy is a sink. strcpy(dst,src) • Java's jdbc.executeQuery is a sink executeQuery('select * from t where id='+str) • JQuery.html is a sink (and no one complains)
JQuery() more than a Sink • JQuery is More than a Sink! • Other sinks do only one thing. JQuery was designed to perform different operations based on the argument type and content. ● http://api.jquery.com/jQuery/
JQuery() more than a Sink • JQuery was written with flexibility in mind • But introduced a design issue that could be called a 'developer trust boundary violation'. – The principal use is for selecting elements (trusted) – ...and 'onload' callback execution(trusted) – The least one used is the actual sink method: jQuery( html [, ownerDocument ] ) Enough Words! Show Me The Code
JQuery() Concerns History • http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html http://bugs.jquery.com/ticket/9521 «XSS with $(location.hash) and $(#<tag>) is needed?» ("fixed" (?)) • http://bugs.jquery.com/ticket/11773 « jQuery needs HTML escaping functionality » (undecided) • From reddit's jquery-migrate-is-sink-too: http://www.reddit.com/r/programming/comments/1cqno2/ «.. geocar - This is one of my biggest gripes about jQuery: Using the same interface for query and executing is a Bad Idea, that is, $ ("<script>alert(69)</script>") simply shouldn't do anything at all. ..» Actually doesn't but he got the point..) -> $("<img src='dd' onerror='alert(1)'>")
JQuery() as a Selector? • Might be considered as a potentially dangerous method ? – depends on how its results are further used. • It's more than querySelectorAll because there are features like: $("div:contains(" + word + ")") What if: word=),div[id=secret]:contains(cycleForDataExtr).. • If the results will affect something that is observable by an attacker, then we got a problem!
JQuery() Solution • JQuery Users: – Never Use jQuery() or $() with an unvalidated argument – No matter which version you are using! – Read the whole documentation, please! – And since the doc is never really complete, take some time to read the code! • JQuery Developers, please: – remove old versions (zip them all for reference) – Plan to change the jQuery do-everything behaviour to a dosimply-one-thing behavior.
JQuery.Ajax → HPP • $.ajax json(p) allows three ways to create a callback parameter: a. Explicit Callback Parameter in the url b. Explicit Callback Parameter in the object c. Callback Placeholder in the url $.ajax({url:"//host/index.html", data: "kwrds=ss&cb=test", //{cb:'test', kwrds: 'ss' } dataType:'jsonp', cache:true, success:function(){} }) $.ajax({url: '//host/index.html?kwrds=ss', jsonp: "cb", dataType: "jsonp", success: function() { } }) $.ajax({url: '//host/?kwrds=ss&cb=?', dataType: "jsonp", success: function() { } })
JQuery.Ajax Priority map • If there's HPP we can force the callback in the following cases: a(url) b(object) c(placehld) a(url) a c+'&'+a a+c b(object) b+'&'+a b c c(placehld) a+c c c Enough Words! Show Me The Code
JQuery.Ajax Solution • Be sure you're not allowing Client side HPP by: – Encoding tainted values with encodeURIComponent (remember it may trigger exception) try{ kw= encodeURIComponent(location.hash.slice(1)) url = 'kwrds='+kw $.ajax({ url: url, jsonp:'callback', …. }) }catch(e){ /*stop execution..blahblah*/ }
JQuery.html(RegEx pd) • Devs often use $.html() with untrusted input. • Sometimes they validate that using wrong regexps patterns. http://go.imgsmail.ru/js/unity.js?1308 h = /</?(.+?)/?>/ig; w.striptags = function(a, b) { var c = Array.isArray(b) ? b : null; return a.replace(h, c ? function(a, b) { return c.contains(b) ? a : "" } : "") }; • Fixed with: /</?([sS]+?)/?>/gi
JQuery.html(RegEx pd) • ..Or they unfortunately don't work as expected... http://ots.optimize.webtrends.com/ots/lib/3.2/wt_lib.js ... var test = z7696.location.search; } catch (z392c) { z82c5 = document; } ….. var z43ac = (zbea6.length - 1); var z33f9 = {}; for (var z205e = 0; z205e <= z43ac; z205e++) { var z6b05 = zbea6[z205e].split("="); z6b05[0] = unescape(z6b05[0]); z6b05[1] = unescape(z6b05[1]); z6b05[0] = z6b05[0].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/<.*?>/g, ""); z33f9[z6b05[0]] = z6b05[1]; ….
JQuery.html(RegEx pd) • ..Or they fortunately don't work as expected... var evil=false; var p1=/[";'<>@(){}!$^*-+|~`]/; // Regexp 4 special chars var p2=/(javascripts*:)|(alert)|/; // Regexp against XSS var url = location.href; if(url.match(p1) && url.match(p2)) // Fortunately Wrong!! evil=true; if(evil==false) div.innerHTML = url Enough Words! Show Me the Stuff!
JQuery.html(RegEx pd) solution Test those f#@#g RegExps!!!
JQuery.html(RegEx pd) solution Test those f#@#g RegExps!!! … OR NOT (if you are damn lucky!) Tip: If you're not a RegEx guru give a try to: http://www.debuggex.com
JQuery.ajax(Proxifyme) • Client Request Proxy – Feature of MS's LyncWeb – https://vi.ct.im/XXX/XFrame/XFrame.html – Yes, it's framable by design window.onmessage = function(e) { var requestInput = JSON.parse(e.data); var request = buildRequest(requestInput, e.source, e.origin); $.ajax(request); } – Let's have a look at the code!
JQuery.ajax(Proxifyme) • Attacker might just try to ask politely.. frame.location= "https://xxx/Autodiscover/XFrame/XFrame.html" var ob={ url:"/" } frame.postMessage(JSON.stringify(ob),"*") The code adds this unfriendly header: X-Ms-Origin: http://at.tack.er ..and the server unbelievably checks it! And returns 403.
JQuery.ajax(Proxifyme) • Attacker now asks less politely.. frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", headers:{'X-Ms.Origin':'https://vi.ct.im'} } frame.postMessage(JSON.stringify(ob),"*") aaand... X-Ms-Origin: http://at.tack.er No success! Returns 403.
JQuery.ajax(Proxifyme) • Attacker now is a bit frustrated but wait...read the jQ doc! var ob={ accepts:, // cache:, // contentType:, // Whatever data:, // "p1=v1&p2=v2.." headers:, An object of additional header key/value pairs to send along with requests using the XMLHttpRequest transport. The header X-Requested-With: XMLHttpRequest is always added. but its default XMLHttpRequest value can be changed here. Values in the headers setting can also be overwritten from within the beforeSend function. (version added: 1.5) processData:, // urlencode or not. type, // GET , POST HEAD BLAH url, // Url. xhrFields:, //XMLHttpRequest.attr = val messageId: //Internal }
JQuery.ajax(Proxifyme) • Attacker now is less frustrated he can try something more: frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", XhrFields:{setRequestHeader:void} } frame.postMessage(JSON.stringify(ob),"*") aand ciao ciao custom headers! • .. but there's more..
JQuery.ajax(Proxifyme) • Why does it work? Why doesn't it break the code? // Need an extra try/catch for cross domain requests in Firefox 3 try { for ( i in headers ) { xhr.setRequestHeader( i, headers[ i ] ); } }catch( _ ) {} We can actually add custom headers and block the X-MsOrigin!
JSON.js (OBG) • http://www.ietf.org/rfc/rfc4627.txt Security considerations (D. Crockford): «Generally there are security issues with scripting languages. JSON is a subset of JavaScript, but it is a safe subset that excludes assignment and invocation. A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods. var my_JSON_object = !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test( text.replace(/"(.|[^"])*"/g, ''))) && eval('(' + text + ')'); Interoperability considerations: n/a Published specification: RFC 4627»
JSON.js (OBG) • Old JSON.js implementation: function jsonParse(string, secure) { if (secure && !/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/.test( string.replace(/./g, "@"). replace(/"[^"nr]*"/g, "")) ){ return null; } return eval("(" + string + ")"); } http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
JSON.js (OBG) • parseJSON('a') is considered valid even if it's not JSON → a is actually eval'ed! • Eaeflnr-u part with no quotes let's you do this. • Next step is to see if there some standard object in window that matches the JSON regexp. for(var aa in window) if( aa.match(/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/)) console.log(""+aa) Results in: self status http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
JSON.js (OBG) • Still there's a lot of problems since () = cannot be used! • But on IE...: // Courtesy of Eduardo `sirdarckcat` Vela Nava +{ "valueOf": self["location"], "toString": []["join"], 0: "javascript:alert(1)", length: 1 } is seen as valid JSON and
JSON.js (OBG)
JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
JSON.js (OBG)
GWT's JSON safeToEval http://code.google.com/p/google-webtoolkit/source/browse/trunk/user/src/com/google/gwt/core/client/JsonUtils.java#78 /**    * Returns true if the given JSON string may be safely evaluated by {@code    * eval()} without undersired side effects or security risks. Note that a true    * result from this method does not guarantee that the input string is valid    * JSON.  This method does not consider the contents of quoted strings; it    * may still be necessary to perform escaping prior to evaluation for correct    * results.    *    * <p> The technique used is taken from <a href="http://www.ietf.org/rfc/rfc4627.txt">RFC 4627</a>.    */   public static native boolean safeToEval(String text) /*-{     // Remove quoted strings and disallow anything except:     //     // 1) symbols and brackets ,:{}[]     // 2) numbers: digits 0-9, ., -, +, e, and E     // 3) literal values: 'null', 'true' and 'false' = [aeflnr-u]     // 4) whitespace: ' ', 'n', 'r', and 't'     return !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test(text.replace(/"(.|[^"])*"/g, '')));   }-*/;  
JSON.js Solution • The new json.js uses a brand new regexp which "should" be safe • Or use json_parse.js which doesn't use eval. • ..or better use native methods JSON.parse / JSON.stringify if you can! • Finally, remember that after parsing you still have an unvalidated object! {"html":"<img src='s'onerror='XSSHere'>"}
3rd party services give 3rd party surprises • Omniture, Web Trends, Google Ads... • Several issues found and fixed • Web Trends is a web analytics service. • DEBUG version based on parameters → HTML Injection? http://www.microsoft.com/en-us/default.aspx? aaaa=11111111&gclid=1111&=&_wt.debug=2222&_wt.mode=preview&toJSON=4444&normal=9999&staging=a aaa&preview=bbbb&none=cccc&#bbbbb=2222222&%3Cs%3Essss (They know about it) + actually this requires popup blocker disabled Enough Words! Show Me The Code
3rd party services solution • Test and audit all the 3rd party libraries / js! • Do it periodically if they are external resources
Credentials in URL • http://user:pass@host.com/ • What can possibly go wrong with those? • Chrome is the last browser that transparently allows them • They are shown it to all location object
Credentials in URL • jQuery: rurl = /^([w+.-]+:)(?://([^/?#:]*)(?::(d+)|)|)/ – Nothing actually exploitable but: // A cross-domain request is in order when we have a protocol:host:port mismatch if ( s.crossDomain == null ) { parts = rurl.exec( s.url.toLowerCase() ) || false; s.crossDomain = parts && ( parts.join(":") + ( parts[ 3 ] ? "" : parts[ 1 ] === "http:" ? 80 : 443 ) ) !== ( ajaxLocParts.join(":") + ( ajaxLocParts[ 3 ] ? "" : ajaxLocParts[ 1 ] === "http:" ? 80 : 443 ) ); } Is kind of interesting.
AngularJS • Mustache + Expression Language → Interesting Injections • AngularJS uses stuff like: <div ng-init="some.js.code.here"> or {{constructor.constructor('alert(1)')()}} • AngularJS uses it's own parser (similar to Expression Language). • If there's an inection point, no actual antiXSS filter will be able to stop these attacks. • Credits to .Mario (MVCOMFG) and Kuza55 (https://communities.coverity.com/blogs/security/2013/04/23/angu lar-template-injection) as well for their awesome research on this topic!
Conclusions • JavaScript code can always be read so black box turns into white box analysis • JavaScript secure development is still not fully implemented even on companies that know about security. • JavaScript Developers can be super badass coders but also naives as well on some circumstances and their code is available for everyone. • Just scratched the surface of JavaScript security!
Thanks! Tnx! ^_^ Go and exploit /* ethically */ Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: wisecwisec

Recommended

New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Maintainable JavaScript 2012
Maintainable JavaScript 2012Maintainable JavaScript 2012
Maintainable JavaScript 2012Nicholas Zakas
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 
Performance patterns
Performance patternsPerformance patterns
Performance patternsStoyan Stefanov
 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with DjangoSimon Willison
 
Unit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsUnit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsYnon Perek
 

Recommended

New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Maintainable JavaScript 2012
Maintainable JavaScript 2012Maintainable JavaScript 2012
Maintainable JavaScript 2012Nicholas Zakas
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 
Performance patterns
Performance patternsPerformance patterns
Performance patternsStoyan Stefanov
 
Class-based views with Django
Class-based views with DjangoClass-based views with Django
Class-based views with DjangoSimon Willison
 
Unit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsUnit Testing JavaScript Applications
Unit Testing JavaScript ApplicationsYnon Perek
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KZepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KThomas Fuchs
 
Basic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersBasic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersDavid Rodenas
 
YSlow 2.0
YSlow 2.0YSlow 2.0
YSlow 2.0Stoyan Stefanov
 
QA for PHP projects
QA for PHP projectsQA for PHP projects
QA for PHP projectsMichelangelo van Dam
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questionsarchana singh
 
Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet QuickITDotNet Training and Services
 
jQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionjQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionPaul Irish
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudJonghyun Park
 
ERRest - Designing a good REST service
ERRest - Designing a good REST serviceERRest - Designing a good REST service
ERRest - Designing a good REST serviceWO Community
 
the 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIthe 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIDirk Ginader
 
Scalable vector ember
Scalable vector emberScalable vector ember
Scalable vector emberMatthew Beale
 
HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?Remy Sharp
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
The DOM is a Mess @ Yahoo
The DOM is a Mess @ YahooThe DOM is a Mess @ Yahoo
The DOM is a Mess @ Yahoojeresig
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013Michelangelo van Dam
 
iOS 7 SDK特訓班
iOS 7 SDK特訓班iOS 7 SDK特訓班
iOS 7 SDK特訓班彼得潘 Pan
 
How to write easy-to-test JavaScript
How to write easy-to-test JavaScriptHow to write easy-to-test JavaScript
How to write easy-to-test JavaScriptYnon Perek
 
High Performance Django
High Performance DjangoHigh Performance Django
High Performance DjangoDjangoCon2008
 
Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inalNathan Winters
 
Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Rodrigo Henriques
 

More Related Content

What's hot

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KZepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KThomas Fuchs
 
Basic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersBasic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersDavid Rodenas
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questionsarchana singh
 
jQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionjQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionPaul Irish
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudJonghyun Park
 
ERRest - Designing a good REST service
ERRest - Designing a good REST serviceERRest - Designing a good REST service
ERRest - Designing a good REST serviceWO Community
 
the 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIthe 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIDirk Ginader
 
Scalable vector ember
Scalable vector emberScalable vector ember
Scalable vector emberMatthew Beale
 
HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?Remy Sharp
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
The DOM is a Mess @ Yahoo
The DOM is a Mess @ YahooThe DOM is a Mess @ Yahoo
The DOM is a Mess @ Yahoojeresig
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013Michelangelo van Dam
 
How to write easy-to-test JavaScript
How to write easy-to-test JavaScriptHow to write easy-to-test JavaScript
How to write easy-to-test JavaScriptYnon Perek
 
High Performance Django
High Performance DjangoHigh Performance Django
High Performance DjangoDjangoCon2008
 

What's hot (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2KZepto.js, a jQuery-compatible mobile JavaScript framework in 2K
Zepto.js, a jQuery-compatible mobile JavaScript framework in 2K
 
Basic Tutorial of React for Programmers
Basic Tutorial of React for ProgrammersBasic Tutorial of React for Programmers
Basic Tutorial of React for Programmers
 
YSlow 2.0
YSlow 2.0YSlow 2.0
YSlow 2.0
 
QA for PHP projects
QA for PHP projectsQA for PHP projects
QA for PHP projects
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Experienced Selenium Interview questions
Experienced Selenium Interview questionsExperienced Selenium Interview questions
Experienced Selenium Interview questions
 
Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet Protractor Training in Pune by QuickITDotnet
Protractor Training in Pune by QuickITDotnet
 
jQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & CompressionjQuery Anti-Patterns for Performance & Compression
jQuery Anti-Patterns for Performance & Compression
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on Cloud
 
ERRest - Designing a good REST service
ERRest - Designing a good REST serviceERRest - Designing a good REST service
ERRest - Designing a good REST service
 
the 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp IIthe 5 layers of web accessibility - Open Web Camp II
the 5 layers of web accessibility - Open Web Camp II
 
Scalable vector ember
Scalable vector emberScalable vector ember
Scalable vector ember
 
HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?HTML5: friend or foe (to Flash)?
HTML5: friend or foe (to Flash)?
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
The DOM is a Mess @ Yahoo
The DOM is a Mess @ YahooThe DOM is a Mess @ Yahoo
The DOM is a Mess @ Yahoo
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
 
iOS 7 SDK特訓班
iOS 7 SDK特訓班iOS 7 SDK特訓班
iOS 7 SDK特訓班
 
How to write easy-to-test JavaScript
How to write easy-to-test JavaScriptHow to write easy-to-test JavaScript
How to write easy-to-test JavaScript
 
High Performance Django
High Performance DjangoHigh Performance Django
High Performance Django
 

Viewers also liked

Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inalNathan Winters
 
Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Rodrigo Henriques
 
Nathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux EnvironmentEnrico Scapin
 
Exchange online real world migration challenges
Exchange online real world migration challengesExchange online real world migration challenges
Exchange online real world migration challengesSteve Goodman
 
Taking the Fear out of WAF
Taking the Fear out of WAFTaking the Fear out of WAF
Taking the Fear out of WAFBrian A. McHenry
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)Ammar WK
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks
 
Mediapresentatie econopolis
Mediapresentatie econopolisMediapresentatie econopolis
Mediapresentatie econopolisimec.archive
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 

Viewers also liked (19)

Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inal
 
Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0Kemp exchange 2010_deployment_guide _v2.0
Kemp exchange 2010_deployment_guide _v2.0
 
Nathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPC
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
Take a REST!
Take a REST!Take a REST!
Take a REST!
 
Exchange online real world migration challenges
Exchange online real world migration challengesExchange online real world migration challenges
Exchange online real world migration challenges
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
Taking the Fear out of WAF
Taking the Fear out of WAFTaking the Fear out of WAF
Taking the Fear out of WAF
 
Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)
 
Prepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
 
My pwk & oscp journey
My pwk & oscp journeyMy pwk & oscp journey
My pwk & oscp journey
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Mediapresentatie econopolis
Mediapresentatie econopolisMediapresentatie econopolis
Mediapresentatie econopolis
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
 

Similar to Appsec usa2013 js_libinsecurity_stefanodipaola

JavaScript Performance Patterns
JavaScript Performance PatternsJavaScript Performance Patterns
JavaScript Performance PatternsStoyan Stefanov
 
JavaScript performance patterns
JavaScript performance patternsJavaScript performance patterns
JavaScript performance patternsStoyan Stefanov
 
Server Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yetServer Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yetTom Croucher
 
Testing ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETTesting ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETBen Hall
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Доклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysДоклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysru_Parallels
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchMats Bryntse
 
Java script unit testing
Java script unit testingJava script unit testing
Java script unit testingMats Bryntse
 
WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...Fabio Franzini
 
SharePoint and jQuery Essentials
SharePoint and jQuery EssentialsSharePoint and jQuery Essentials
SharePoint and jQuery EssentialsMark Rackley
 
Introduction to jQuery
Introduction to jQueryIntroduction to jQuery
Introduction to jQueryAlek Davis
 
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)Doris Chen
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!Ortus Solutions, Corp
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationSecurity Bootcamp
 
JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4alexsaves
 
Scala Frustrations
Scala FrustrationsScala Frustrations
Scala Frustrationstakezoe
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVCAlive Kuo
 
SwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup GroupSwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup GroupErnest Jumbe
 

Similar to Appsec usa2013 js_libinsecurity_stefanodipaola (20)

JavaScript Performance Patterns
JavaScript Performance PatternsJavaScript Performance Patterns
JavaScript Performance Patterns
 
JavaScript performance patterns
JavaScript performance patternsJavaScript performance patterns
JavaScript performance patterns
 
Server Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yetServer Side JavaScript - You ain't seen nothing yet
Server Side JavaScript - You ain't seen nothing yet
 
Node azure
Node azureNode azure
Node azure
 
Testing ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NETTesting ASP.NET - Progressive.NET
Testing ASP.NET - Progressive.NET
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Доклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDaysДоклад Михаила Егорова на PHDays
Доклад Михаила Егорова на PHDays
 
Testing Ext JS and Sencha Touch
Testing Ext JS and Sencha TouchTesting Ext JS and Sencha Touch
Testing Ext JS and Sencha Touch
 
Java script unit testing
Java script unit testingJava script unit testing
Java script unit testing
 
WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...WebNet Conference 2012 - Designing complex applications using html5 and knock...
WebNet Conference 2012 - Designing complex applications using html5 and knock...
 
SharePoint and jQuery Essentials
SharePoint and jQuery EssentialsSharePoint and jQuery Essentials
SharePoint and jQuery Essentials
 
Introduction to jQuery
Introduction to jQueryIntroduction to jQuery
Introduction to jQuery
 
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
jQuery Makes Writing JavaScript Fun Again (for HTML5 User Group)
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
 
JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4JavaScript 2.0 in Dreamweaver CS4
JavaScript 2.0 in Dreamweaver CS4
 
Scala Frustrations
Scala FrustrationsScala Frustrations
Scala Frustrations
 
[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC[Coscup 2012] JavascriptMVC
[Coscup 2012] JavascriptMVC
 
SwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup GroupSwampDragon presentation: The Copenhagen Django Meetup Group
SwampDragon presentation: The Copenhagen Django Meetup Group
 

More from drewz lin

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013drewz lin
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansendrewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsdrewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentationdrewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usadrewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiudrewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)drewz lin
 

More from drewz lin (20)

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
 

Recently uploaded

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Appsec usa2013 js_libinsecurity_stefanodipaola

  • 1. JS Libraries Insecurity Appsec USA 2013 Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
  • 2. /me whois • Research – OWASP-Italy Senior Member – Testing Guide Contributor – OWASP SWFIntruder – DOMinator (JavaScript Runtime Taint Engine) – Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) – Security Since '99 • Work – CTO @ Minded Security Application Security Consulting – Director of Minded Security Research Labs – Blog: http://blog.mindedsecurity.com – Twitter: @wisecwisec
  • 4. About this talk • A wrap up of some interesting JS snippets • Reckless use of common libraries and third party scripts • Some unwitting one as well • Comes after 2.5 years developing/using DOMinator and DOMinatorPro
  • 5. JQuery() is a Sink(?) • What's a Sink in Application Security? “..a function or method that can be considered unsecure when one of its arguments come from an untrusted input and is not correctly validated according to the layer the function is going to communicate to.“ • C's strcpy is a sink. strcpy(dst,src) • Java's jdbc.executeQuery is a sink executeQuery('select * from t where id='+str) • JQuery.html is a sink (and no one complains)
  • 6. JQuery() more than a Sink • JQuery is More than a Sink! • Other sinks do only one thing. JQuery was designed to perform different operations based on the argument type and content. ● http://api.jquery.com/jQuery/
  • 7. JQuery() more than a Sink • JQuery was written with flexibility in mind • But introduced a design issue that could be called a 'developer trust boundary violation'. – The principal use is for selecting elements (trusted) – ...and 'onload' callback execution(trusted) – The least one used is the actual sink method: jQuery( html [, ownerDocument ] ) Enough Words! Show Me The Code
  • 8. JQuery() Concerns History • http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html http://bugs.jquery.com/ticket/9521 «XSS with $(location.hash) and $(#<tag>) is needed?» ("fixed" (?)) • http://bugs.jquery.com/ticket/11773 « jQuery needs HTML escaping functionality » (undecided) • From reddit's jquery-migrate-is-sink-too: http://www.reddit.com/r/programming/comments/1cqno2/ «.. geocar - This is one of my biggest gripes about jQuery: Using the same interface for query and executing is a Bad Idea, that is, $ ("<script>alert(69)</script>") simply shouldn't do anything at all. ..» Actually doesn't but he got the point..) -> $("<img src='dd' onerror='alert(1)'>")
  • 9. JQuery() as a Selector? • Might be considered as a potentially dangerous method ? – depends on how its results are further used. • It's more than querySelectorAll because there are features like: $("div:contains(" + word + ")") What if: word=),div[id=secret]:contains(cycleForDataExtr).. • If the results will affect something that is observable by an attacker, then we got a problem!
  • 10. JQuery() Solution • JQuery Users: – Never Use jQuery() or $() with an unvalidated argument – No matter which version you are using! – Read the whole documentation, please! – And since the doc is never really complete, take some time to read the code! • JQuery Developers, please: – remove old versions (zip them all for reference) – Plan to change the jQuery do-everything behaviour to a dosimply-one-thing behavior.
  • 11. JQuery.Ajax → HPP • $.ajax json(p) allows three ways to create a callback parameter: a. Explicit Callback Parameter in the url b. Explicit Callback Parameter in the object c. Callback Placeholder in the url $.ajax({url:"//host/index.html", data: "kwrds=ss&cb=test", //{cb:'test', kwrds: 'ss' } dataType:'jsonp', cache:true, success:function(){} }) $.ajax({url: '//host/index.html?kwrds=ss', jsonp: "cb", dataType: "jsonp", success: function() { } }) $.ajax({url: '//host/?kwrds=ss&cb=?', dataType: "jsonp", success: function() { } })
  • 12. JQuery.Ajax Priority map • If there's HPP we can force the callback in the following cases: a(url) b(object) c(placehld) a(url) a c+'&'+a a+c b(object) b+'&'+a b c c(placehld) a+c c c Enough Words! Show Me The Code
  • 13. JQuery.Ajax Solution • Be sure you're not allowing Client side HPP by: – Encoding tainted values with encodeURIComponent (remember it may trigger exception) try{ kw= encodeURIComponent(location.hash.slice(1)) url = 'kwrds='+kw $.ajax({ url: url, jsonp:'callback', …. }) }catch(e){ /*stop execution..blahblah*/ }
  • 14. JQuery.html(RegEx pd) • Devs often use $.html() with untrusted input. • Sometimes they validate that using wrong regexps patterns. http://go.imgsmail.ru/js/unity.js?1308 h = /</?(.+?)/?>/ig; w.striptags = function(a, b) { var c = Array.isArray(b) ? b : null; return a.replace(h, c ? function(a, b) { return c.contains(b) ? a : "" } : "") }; • Fixed with: /</?([sS]+?)/?>/gi
  • 15. JQuery.html(RegEx pd) • ..Or they unfortunately don't work as expected... http://ots.optimize.webtrends.com/ots/lib/3.2/wt_lib.js ... var test = z7696.location.search; } catch (z392c) { z82c5 = document; } ….. var z43ac = (zbea6.length - 1); var z33f9 = {}; for (var z205e = 0; z205e <= z43ac; z205e++) { var z6b05 = zbea6[z205e].split("="); z6b05[0] = unescape(z6b05[0]); z6b05[1] = unescape(z6b05[1]); z6b05[0] = z6b05[0].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/+/g, " "); z6b05[1] = z6b05[1].replace(/<.*?>/g, ""); z33f9[z6b05[0]] = z6b05[1]; ….
  • 16. JQuery.html(RegEx pd) • ..Or they fortunately don't work as expected... var evil=false; var p1=/[";'<>@(){}!$^*-+|~`]/; // Regexp 4 special chars var p2=/(javascripts*:)|(alert)|/; // Regexp against XSS var url = location.href; if(url.match(p1) && url.match(p2)) // Fortunately Wrong!! evil=true; if(evil==false) div.innerHTML = url Enough Words! Show Me the Stuff!
  • 18. JQuery.html(RegEx pd) solution Test those f#@#g RegExps!!! … OR NOT (if you are damn lucky!) Tip: If you're not a RegEx guru give a try to: http://www.debuggex.com
  • 19. JQuery.ajax(Proxifyme) • Client Request Proxy – Feature of MS's LyncWeb – https://vi.ct.im/XXX/XFrame/XFrame.html – Yes, it's framable by design window.onmessage = function(e) { var requestInput = JSON.parse(e.data); var request = buildRequest(requestInput, e.source, e.origin); $.ajax(request); } – Let's have a look at the code!
  • 20. JQuery.ajax(Proxifyme) • Attacker might just try to ask politely.. frame.location= "https://xxx/Autodiscover/XFrame/XFrame.html" var ob={ url:"/" } frame.postMessage(JSON.stringify(ob),"*") The code adds this unfriendly header: X-Ms-Origin: http://at.tack.er ..and the server unbelievably checks it! And returns 403.
  • 21. JQuery.ajax(Proxifyme) • Attacker now asks less politely.. frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", headers:{'X-Ms.Origin':'https://vi.ct.im'} } frame.postMessage(JSON.stringify(ob),"*") aaand... X-Ms-Origin: http://at.tack.er No success! Returns 403.
  • 22. JQuery.ajax(Proxifyme) • Attacker now is a bit frustrated but wait...read the jQ doc! var ob={ accepts:, // cache:, // contentType:, // Whatever data:, // "p1=v1&p2=v2.." headers:, An object of additional header key/value pairs to send along with requests using the XMLHttpRequest transport. The header X-Requested-With: XMLHttpRequest is always added. but its default XMLHttpRequest value can be changed here. Values in the headers setting can also be overwritten from within the beforeSend function. (version added: 1.5) processData:, // urlencode or not. type, // GET , POST HEAD BLAH url, // Url. xhrFields:, //XMLHttpRequest.attr = val messageId: //Internal }
  • 23. JQuery.ajax(Proxifyme) • Attacker now is less frustrated he can try something more: frame.location= "https://vi.ct.im/XXX/XFrame/XFrame.html" var ob={ url:"/", XhrFields:{setRequestHeader:void} } frame.postMessage(JSON.stringify(ob),"*") aand ciao ciao custom headers! • .. but there's more..
  • 24. JQuery.ajax(Proxifyme) • Why does it work? Why doesn't it break the code? // Need an extra try/catch for cross domain requests in Firefox 3 try { for ( i in headers ) { xhr.setRequestHeader( i, headers[ i ] ); } }catch( _ ) {} We can actually add custom headers and block the X-MsOrigin!
  • 25. JSON.js (OBG) • http://www.ietf.org/rfc/rfc4627.txt Security considerations (D. Crockford): «Generally there are security issues with scripting languages. JSON is a subset of JavaScript, but it is a safe subset that excludes assignment and invocation. A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods. var my_JSON_object = !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test( text.replace(/"(.|[^"])*"/g, ''))) && eval('(' + text + ')'); Interoperability considerations: n/a Published specification: RFC 4627»
  • 26. JSON.js (OBG) • Old JSON.js implementation: function jsonParse(string, secure) { if (secure && !/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/.test( string.replace(/./g, "@"). replace(/"[^"nr]*"/g, "")) ){ return null; } return eval("(" + string + ")"); } http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
  • 27. JSON.js (OBG) • parseJSON('a') is considered valid even if it's not JSON → a is actually eval'ed! • Eaeflnr-u part with no quotes let's you do this. • Next step is to see if there some standard object in window that matches the JSON regexp. for(var aa in window) if( aa.match(/^[,:{}[]0-9.-+Eaeflnr-u nrt]*$/)) console.log(""+aa) Results in: self status http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html
  • 28. JSON.js (OBG) • Still there's a lot of problems since () = cannot be used! • But on IE...: // Courtesy of Eduardo `sirdarckcat` Vela Nava +{ "valueOf": self["location"], "toString": []["join"], 0: "javascript:alert(1)", length: 1 } is seen as valid JSON and
  • 30. JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
  • 31. JSON.js (OBG) • '' Ok ok but it's old stuff...right? ''
  • 33. GWT's JSON safeToEval http://code.google.com/p/google-webtoolkit/source/browse/trunk/user/src/com/google/gwt/core/client/JsonUtils.java#78 /**    * Returns true if the given JSON string may be safely evaluated by {@code    * eval()} without undersired side effects or security risks. Note that a true    * result from this method does not guarantee that the input string is valid    * JSON.  This method does not consider the contents of quoted strings; it    * may still be necessary to perform escaping prior to evaluation for correct    * results.    *    * <p> The technique used is taken from <a href="http://www.ietf.org/rfc/rfc4627.txt">RFC 4627</a>.    */   public static native boolean safeToEval(String text) /*-{     // Remove quoted strings and disallow anything except:     //     // 1) symbols and brackets ,:{}[]     // 2) numbers: digits 0-9, ., -, +, e, and E     // 3) literal values: 'null', 'true' and 'false' = [aeflnr-u]     // 4) whitespace: ' ', 'n', 'r', and 't'     return !(/[^,:{}[]0-9.-+Eaeflnr-u nrt]/.test(text.replace(/"(.|[^"])*"/g, '')));   }-*/;  
  • 34. JSON.js Solution • The new json.js uses a brand new regexp which "should" be safe • Or use json_parse.js which doesn't use eval. • ..or better use native methods JSON.parse / JSON.stringify if you can! • Finally, remember that after parsing you still have an unvalidated object! {"html":"<img src='s'onerror='XSSHere'>"}
  • 35. 3rd party services give 3rd party surprises • Omniture, Web Trends, Google Ads... • Several issues found and fixed • Web Trends is a web analytics service. • DEBUG version based on parameters → HTML Injection? http://www.microsoft.com/en-us/default.aspx? aaaa=11111111&gclid=1111&=&_wt.debug=2222&_wt.mode=preview&toJSON=4444&normal=9999&staging=a aaa&preview=bbbb&none=cccc&#bbbbb=2222222&%3Cs%3Essss (They know about it) + actually this requires popup blocker disabled Enough Words! Show Me The Code
  • 36. 3rd party services solution • Test and audit all the 3rd party libraries / js! • Do it periodically if they are external resources
  • 37. Credentials in URL • http://user:pass@host.com/ • What can possibly go wrong with those? • Chrome is the last browser that transparently allows them • They are shown it to all location object
  • 38. Credentials in URL • jQuery: rurl = /^([w+.-]+:)(?://([^/?#:]*)(?::(d+)|)|)/ – Nothing actually exploitable but: // A cross-domain request is in order when we have a protocol:host:port mismatch if ( s.crossDomain == null ) { parts = rurl.exec( s.url.toLowerCase() ) || false; s.crossDomain = parts && ( parts.join(":") + ( parts[ 3 ] ? "" : parts[ 1 ] === "http:" ? 80 : 443 ) ) !== ( ajaxLocParts.join(":") + ( ajaxLocParts[ 3 ] ? "" : ajaxLocParts[ 1 ] === "http:" ? 80 : 443 ) ); } Is kind of interesting.
  • 39. AngularJS • Mustache + Expression Language → Interesting Injections • AngularJS uses stuff like: <div ng-init="some.js.code.here"> or {{constructor.constructor('alert(1)')()}} • AngularJS uses it's own parser (similar to Expression Language). • If there's an inection point, no actual antiXSS filter will be able to stop these attacks. • Credits to .Mario (MVCOMFG) and Kuza55 (https://communities.coverity.com/blogs/security/2013/04/23/angu lar-template-injection) as well for their awesome research on this topic!
  • 40. Conclusions • JavaScript code can always be read so black box turns into white box analysis • JavaScript secure development is still not fully implemented even on companies that know about security. • JavaScript Developers can be super badass coders but also naives as well on some circumstances and their code is available for everyone. • Just scratched the surface of JavaScript security!
  • 41. Thanks! Tnx! ^_^ Go and exploit /* ethically */ Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: wisecwisec