
Ajax Security


This talk highlights potential attacks against web applications that use Ajax and XHR technology. The first part of the talk introduces Ajax and related technologies. The second part focuses on potential attacks and their consequences, including scenarios in which the SOP (same-origin policy) is bypassed.



1. OWASP – Ajax Security
   Roberto Suggi Liverani, Security Consultant
   5 December 2007

2. Who am I?
   - Roberto Suggi Liverani
   - Security Consultant, CISSP
   - 4+ years in information security, focusing on web and network security
   - OWASP New Zealand leader

3. Agenda
   - Ajax
     - What is Ajax?
     - Ajax Components
     - Traditional Web Model vs Ajax Web Model
     - Why is Ajax used?
     - Who is using Ajax?
   - Ajax Security
     - Ajax and Security – Server of origin policy
     - Real attack examples (Samy worm, Yamanner, Nduja – webmail XSS worm)
     - Web worms – comparison

4. Introduction
   - What is Ajax?
     - Ajax is not synonymous with Web 2.0
     - Ajax = Asynchronous JavaScript And XML
     - Ajax is a group of technologies combined to create new ways of interaction
     - Term coined by Jesse James Garrett of Adaptive Path (Feb 2005)
   - Before Ajax:
     - DHTML
     - Macromedia Flash 4
     - Microsoft Remote Scripting
     - Microsoft XMLHttpRequest object
     - Object element in HTML 4
     - Document Object Model Level 3

5. Ajax Components (cont.)
   - HTML/XHTML
     - Necessary to display the information
   - JavaScript
     - Necessary to initiate the client-server communication and manipulate the DOM to update the web page
   - Document Object Model (DOM)
     - Necessary to change portions of an XHTML page without reloading it
   - Server-side processing
     - There is no Ajax without a stable, responsive server waiting to send content to the engine

6. Ajax Components
   - Cascading Style Sheets (CSS)
     - In an Ajax application, the styling of the user interface may be modified interactively through CSS
   - Extensible Markup Language (XML)
     - Data exchange format
   - Extensible Stylesheet Language Transformations (XSLT)
     - Transforms XML to XHTML
   - XMLHttpRequest object
     - Allows retrieving data from the web server as a background activity

7. Ajax Components – Simple Diagram

8. Let's define Ajax:
   - The browser hosts an application, not content
     - A "rich" client application is delivered to the browser and is able to handle input and respond to or wait for requests
   - The server delivers data, not content
     - The role of the server is only to send data; the "rich" client processes the data
   - User interaction with the application can be fluid and continuous
     - Asynchronous data transfers allow new ways of interaction such as drag and drop and double clicking. Traditional web = click-and-wait
   - This is real coding and requires discipline
     - High-performance and maintainable code are the main requirements for Ajax applications

9. Traditional Web Model vs Ajax Web Model

10. Classic Web Model – Usability/Time

11. Ajax Web Model – Usability/Time

12. Why is Ajax used?
   - Speed
     - Only the data (or parameters) required are posted
   - Reduced network traffic
     - Less data exchanged between client and server
   - Interactivity
     - The user doesn't click and wait; the user drags and drops
   - Functionality
     - Richer client with more features available
   - Usability
     - Easy to use -> friendly interface and content updated "on the fly"

13. Who is using Ajax? And many others…

14. Let's talk about Ajax and security…
   - Many of the security issues that an Ajax application faces are the same as for a classical web application
   - So let's talk about a specific security issue which relates to Ajax applications: the server of origin policy
   - Server of origin policy
     - The JavaScript security model prevents scripts from different domains from interacting with one another
     - An Ajax application can't read or write to the local filesystem

15. Ajax and Security – Server of origin policy
   - Examples of cross-browser security policy (the URL column of the slide was not captured in this transcript):

   URLs | Cross-scripting allowed? | Comments
   ---- | ------------------------ | --------
   (not captured) | No | Port number doesn't match.
   (not captured) | No | Protocol type doesn't match.
   (not captured) | No | Browser will not perform domain name resolution.
   (not captured) | No | Subdomains treated as separate domains.
   (not captured) | YES | Domain name is the same.
   (not captured) | NO | Different domain names.
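The comparison the table above describes, written out as an added example (not code from the deck): a browser treats two URLs as the same origin only when scheme, host and port all match, and the host is compared literally, never resolved. The URL pairs below are constructed placeholders, one per table row.

```javascript
// Added example: the origin comparison behind the same-origin policy,
// scheme + host + port, applied to constructed URL pairs that mirror
// the rows of the table above. Hostnames are placeholders.

// Default ports, so http://a/ and http://a:80/ compare as equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,            // compared literally: no DNS resolution
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True only when scheme, host and port all match; the path is irrelevant.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// [url A, url B, expected verdict, table comment]
const CASES = [
  ["http://site.example/app", "http://site.example:8080/app", false, "port number doesn't match"],
  ["http://site.example/app", "https://site.example/app",     false, "protocol type doesn't match"],
  ["http://site.example/app", "http://192.0.2.10/app",        false, "no DNS resolution: name vs IP"],
  ["http://site.example/app", "http://mail.site.example/app", false, "subdomain is a separate domain"],
  ["http://site.example/app", "http://site.example/other",    true,  "domain name is the same"],
  ["http://site.example/app", "http://other.example/app",     false, "different domain names"],
];

// Returns the comments of any rows whose verdict disagrees with the table
// (an empty array means the table is reproduced exactly).
function mismatches() {
  return CASES.filter(([a, b, expected]) => sameOrigin(a, b) !== expected)
              .map(([, , , why]) => why);
}

for (const [a, b, , why] of CASES) {
  console.log(`${sameOrigin(a, b) ? "same origin " : "cross origin"}  ${why}`);
}
```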
16. Ajax and Security – Server of origin policy
   - So is it possible to bypass or avoid this security control?
   - Yes – there are multiple ways
   - Developer workaround: proxying remote services
     - Make the call to the remote server from our own server rather than from the client, and then forward the result to the client
     - Example: http://website1/proxy?url=http://website2/
   - User workaround: change browser security settings
     - IE: allow code from one security zone to execute in another. The user is presented with a popup security warning.
     - Firefox: the PrivilegeManager needs to be configured accordingly. The value signed.applets.codebase_principal_support should be set to "true"
   - Attacker workaround: sending an email
     - This technique is shown in the case study of Nduja, the webmail XSS worm by Rosario Valotta
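The "proxy?url=" developer workaround above has a caveat the slide does not spell out: a proxy that fetches whatever URL it is handed is an open relay to every host the server can reach. This added example (not the deck's code; hostnames are placeholders) is the target check such a proxy should run before fetching, with the slide's own example URL as the allowed case.

```javascript
// Added example: allow-list check for a "proxy?url=" endpoint, run before
// the server fetches anything. Hostnames here are placeholders.

const ALLOWED_HOSTS = new Set(["website2"]);   // exact hostnames only
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL string to fetch, or null when the request
// must be refused. Each refusal is a separate line so it can be logged.
function resolveProxyTarget(urlParam) {
  let target;
  try {
    target = new URL(urlParam);            // relative or malformed -> throws
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;  // no file:, ftp:, ...
  if (target.username || target.password) return null;     // no user@host forms
  if (target.port) return null;                            // default port only
  // Compare the parsed hostname, which is what the fetch connects to,
  // never the raw string, so prefix and suffix look-alikes fail.
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;
  target.hash = "";                                        // never forwarded
  return target.toString();
}

// Constructed requests the endpoint might receive.
const SAMPLES = [
  "http://website2/",                    // the slide's example: allowed
  "http://website2/api/data?id=7",       // same host, any path: allowed
  "http://website2.other.example/",      // look-alike hostname: refused
  "http://user@other.example#website2",  // userinfo / fragment: refused
  "http://192.0.2.10:8080/status",       // non-allow-listed address: refused
  "file:///some/local/file",             // non-HTTP scheme: refused
  "website2/data",                       // no scheme: refused
];

for (const s of SAMPLES) {
  console.log(`${resolveProxyTarget(s) ? "ALLOW " : "REFUSE"} ${s}`);
}
```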
17. Real attack examples
   - Ajax seen by an attacker:
     - Grouping technologies means there are more elements to attack: an increased attack surface
     - New ways of interaction mean more complexity. Consequently, there are more chances for developers to make mistakes, such as exposing internal functions of the application
     - The application is delivered to the browser, so the attacker controls the functionality of the application
     - An Ajax application is still a web application: traditional web attack techniques can be used
   - Let's go through three real examples of attacks involving Ajax:
     - Samy worm
     - Yamanner worm
     - Nduja – webmail XSS worm

18. Ajax Security – Case Study – Samy worm
   - Started as a joke
   - Inserted HTML and JavaScript through MySpace's profile editor
   - Automated the friend selection process: instead of someone selecting Samy as a friend, the worm automated the procedure with JavaScript
   - The injected code made the visitor, and in turn the visitor's friends, befriend Samy when visiting Samy's page. Samy also automatically became their "hero"

19. Ajax – Case Study – Samy worm (cont.)
   - Impact: "In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community"

20. Screenshot showing list of MySpace profiles infected by the Samy worm

21. And today there are still MySpace accounts with Samy as a hero! 532 results with

22. Ajax – Case Study – Samy worm
   - What did we learn from the Samy worm technique?
     - Embedding JavaScript in CSS tags
     - Used "java script" to avoid MySpace's stripping of the string "javascript"
     - Used JavaScript String.fromCharCode to produce quote characters ('') and avoid restrictions on them
     - Used the XML-HTTP object with both HTTP GETs and POSTs from/to the victim's profile
   - Worm Source Code:

23. Ajax – Case Study – Yamanner worm
   - Exploits a vulnerability in the onload event handling of Yahoo! Mail and then executes a script
   - Scans emails in the personal folders of the Yahoo! Mail account
   - Sends a copy of itself to the email addresses gathered
   - Redirects the web browser from Yahoo! Mail to the following web site: [http://]
   - Sends the list of gathered email addresses to the above URL

24. Ajax – Case Study – Yamanner worm
   - Impact: the number of Yahoo! users hit by this worm is unknown. Addresses harvested from the address book were submitted to a remote URL, which was likely used for a spam database
   - What did we learn?
     - A large email provider does not guarantee security: a Yahoo! Mail software vulnerability was exploited in this case
     - XMLHttpRequest GET to retrieve contact addresses and use of window.navigate to send data to a third-party site
   - Source Code Example:

25. Ajax – Case Study – Nduja – Webmail XSS worm
   - Probably the first cross-domain worm
   - Worm developed as a PoC by Rosario Valotta
   - Tested on four webmail services in Italy
   - Exploits XSS vulnerabilities in the webmail applications and then:
     - Steals e-mails from the Inbox
     - Steals email addresses from the Contact List
     - Self-propagates to contacts

26. Ajax Security – Case Study – Nduja – Webmail XSS Worm
   - Impact: the worm is able to capture emails and contact addresses from four different domains and post them to a third-party site
   - What did we learn?
     - It is possible to create cross-domain worms exploiting multiple XSS vulnerabilities at the same time in different domains. The server of origin policy is bypassed using a feature of the targeted application (the email function)
     - The malicious script checks the domain and then applies the corresponding XSS attack
   - Extracts of source code:

27. Nduja – Webmail XSS Worm Demo

28. Web worms – Comparison
   So the question is: can you think about the impact of the next cross-domain web worm?

   Worm | Target Domain(s) | Cross Domain? | Impact
   ---- | ---------------- | ------------- | ------
   Samy worm | (not captured) | No | 1 million users affected
   Yamanner worm | (not captured) | No | Unknown number of Yahoo! users affected
   Nduja worm | (not captured) | Yes | N/A – this is a PoC

29. Questions/Conclusion
   - Thank you!
   - [email_address]

30. References – Misc.
   - Stefano Di Paola, Giorgio Fedon – Subverting Ajax – Whitepaper
   - Andrew Van Der Stock – Ajax Security – Presentation
   - Billy Hoffman – Ajax Security Dangers – Whitepaper
   - Billy Hoffman – Analysis of Web Application Worms and Viruses – Whitepaper
   - Alex Stamos, Zane Lackey – Attacking AJAX Web Applications – Presentation

31. References – Misc.
   - AJAX Security
   - Ajax Security Basics
   - MySpace Worm Explanation
   - Adaptive Path
   - Nduja Connection
   - Yamanner Worm

32. References – Books
   - Christopher Wells – Securing Ajax Applications – O'Reilly – Book
   - V.A. – Professional Ajax – 2nd edition – Wrox – Book
   - V.A. – Ajax In Action – Manning – Book

33. Table of Figures
   - Slide 7 – From Ajax In Action, Manning
   - Slide 9 – Professional Ajax – 2nd edition – Wrox
   - Slide 10 – Adaptive Path web site
   - Slide 11 – Adaptive Path web site
   - Slide 19 – RSnake web site