
Web 2.0 and Security
MySQL Webcast | 9.11.2006 | Johann-Peter Hartmann
Agenda

❙ JavaScript-Injections(XSS) and Ajax


❙ Importance and Distribution of XSS
❙ What exactly is XSS?
❙ Why XSS hurts even more in Web 2.0
❙ AJAX Security
❙ XMLHttpRequest, Toolkits, JSON, Flash
❙ Web 2.0 Malware: XSS Worms and Viruses
❙ How the MySpace Worm worked
❙ AJAX based Malware: Web 2.0 Attacks
❙ Browser Zombies
❙ Toolkits
❙ Securing AJAX applications

MySQL: Web 2.0 and Security


© MAYFLOWER GmbH 2006 2
Quotes about XSS

❙ Symantec Internet Security Threat Report:


❙ 69% of all intranet vulnerabilities are web application based
❙ new risks emerge from Web 2.0 and AJAX applications

❙ Mitre Corporation Common Weakness Enumeration


❙ 21.5 %: XSS is number one for the second year now

❙ Risk level: moving from low to medium to high


❙ Web Application Security Experts: XSS is the new hotness!

Who is affected?

❙ Actually everybody:
❙ MySpace today, Hotmail last week
❙ Resignation of the German chancellor
❙ Official Site of the government
❙ Political Newspaper no 1
❙ Financial Times Germany
❙ Lots of other news sites …

Why JavaScript Security matters in Web 2.0

❙ There is more logic in the client


❙ The V and the C of MVC can happen in the browser
❙ HTML becomes JavaScript-component based
❙ The bad guys learn JavaScript, too
❙ More and new possibilities for attacks
❙ New exploit vectors
❙ JavaScript Toolkits
❙ JavaScript Object Notation
❙ RSS and ATOM
❙ REST and SOAP
❙ Flash!

What Cross Site Scripting is all about

❙ JavaScript uses the Same Origin Policy


❙ An HTML page contains JavaScript
❙ It can access all data from the same host
❙ It can change the current page

❙ XSS breaches this policy


❙ JavaScript can be introduced into the current page context
❙ It can trigger GET and POST requests using the current browser trust
❙ Data from the current host can be read and disclosed

Advanced XSS Exploits

❙ Sniffing passwords from the firefox password safe


❙ The Firefox password safe saves passwords by (host, field name)
❙ One XSS on any page of the host
❙ Allows the injection of an HTML form
❙ Where the automatically inserted data can be read

❙ Data Espionage
❙ CSS History Hack (demo: a visited link vs. a not yet visited link)
❙ Detect Firefox plugins using chrome://
<img src="chrome://google-toolbar/skin/icon.jpg"
onLoad="alert('Google Toolbar installed!')">
❙ Detect existing logins using images
src="http://victim.com/admin/images/logo.gif"
How to get around XSS filters

❙ There are plenty of XSS filters out there


❙ Problem: You want HTML, but not JavaScript
❙ Typical filter evasions
❙ <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
❙ <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
❙ Code-page based filter evasions
❙ UTF-7 (Google XSS hack)
+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
❙ Variable-width encoding evasions
❙ Toolkit based filter evasions
❙ Dojo: dojotype / dojoAttachEvent

Exploiting Ajax

XMLHttpRequest Security

❙ XMLHttpRequest security
❙ Same-origin policy (same host only)
❙ Similar to Java applets
❙ Cross-Domain-AJAX I: the DNS way
❙ DNS pinning is meant to avoid IP changes
❙ But: the browser re-resolves if the IP does not answer
❙ Request to www.evil.com
❙ www.evil.com answers
❙ www.evil.com closes port 80 to the client
❙ dns.evil.com changes www.evil.com to 192.168.0.1
❙ Next request to www.evil.com
❙ No connection, so a new DNS request is made
❙ Answer: 192.168.0.1
❙ Now JavaScript from www.evil.com can read any page on 192.168.0.1
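The usual server-side countermeasure to the re-request trick above, as an added example that is not from the slides: after the rebinding, the browser still sends Host: www.evil.com, a name the intranet server does not serve, so the request can be refused before any application code runs. The hostnames and requests below are constructed.

```javascript
// Added example, not from the slides: refuse requests whose Host header does
// not name this server. A request produced by the DNS rebinding sequence
// still carries "Host: www.evil.com" even though it reached 192.168.0.1.
// SERVED_HOSTS and the sample requests are constructed for this demo.

const SERVED_HOSTS = new Set(['intranet.example.local', '192.168.0.1']);

// True only if the Host header (case-insensitive, optional :port) names us.
function hostHeaderAllowed(hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, '');
  return SERVED_HOSTS.has(host);
}

// Minimal handler: the Host check is the first thing that runs, so no
// application logic is reachable through a foreign hostname.
function handle(req) {
  if (!hostHeaderAllowed(req.headers.host)) {
    return { status: 421, body: 'Misdirected Request' };
  }
  return { status: 200, body: 'intranet page for ' + req.headers.host };
}

// Constructed requests: one from a real intranet user and one produced by
// the rebinding sequence on the slide.
const intranetRequest = { headers: { host: 'intranet.example.local' } };
const reboundRequest = { headers: { host: 'www.evil.com' } };
```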
Cross-Domain-AJAX II: Proxy Request Spoofing

[Diagram: Client, Proxy, evil.com and victim.com. The client sends GET http://evil.com/1.html, GET http://evil.com/2.html and GET http://evil.com/3.html through the proxy, which returns 1.html, 2.html and 3.html from evil.com; a further GET http://victim.com/adm/ is served from victim.com (adm/).]
Cross-Domain-AJAX III: using flash

❙ Flash allows cross-domain requests


❙ The Web 2.0 people use it for cross-domain AJAX
❙ Secured by crossdomain.xml on the target
<cross-domain-policy>
<allow-access-from domain="*.mydomain.com" />
</cross-domain-policy>
❙ allows Flash served from *.mydomain.com to access all pages
❙ Reality: lots of bad configurations containing
<allow-access-from domain="*" />
❙ Name and URL of the policy file can be set in Flash:
System.security.loadPolicyFile()
❙ Even a simple image upload can be used to provide a fake crossdomain.xml
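A small audit of a crossdomain.xml policy for the two weaknesses described above, as an added example that is not from the slides: a "*" wildcard, and the absence of a site-control element restricting Flash to the master policy file (without it, a policy file served from another path, such as an upload directory, is honoured too). The scan is deliberately regex-based rather than a full XML parser, and the sample policies are constructed.

```javascript
// Added example, not from the slides: flag over-permissive crossdomain.xml
// settings. Regex scan only, not a full XML parser; samples are constructed.

function auditCrossDomainPolicy(xml) {
  const findings = [];
  const allowRe = /<allow-access-from\b([^>]*?)\/?>/g;
  let m;
  while ((m = allowRe.exec(xml)) !== null) {
    const dm = /\bdomain\s*=\s*"([^"]*)"/.exec(m[1]);
    const domain = dm ? dm[1] : '';
    if (domain === '*') {
      findings.push('domain="*": Flash content from any site may read this host');
    } else if (domain.startsWith('*.')) {
      findings.push('domain="' + domain + '": every subdomain is trusted, ' +
                    'so each must be as trustworthy as this host');
    }
  }
  // site-control limits which policy files Flash honours. Without
  // permitted-cross-domain-policies="master-only", a policy file at any
  // other URL (e.g. an uploaded "image") can also grant access.
  const sc = /<site-control\b[^>]*permitted-cross-domain-policies\s*=\s*"([^"]*)"/
    .exec(xml);
  if (!sc || sc[1] !== 'master-only') {
    findings.push('no site-control with permitted-cross-domain-policies="master-only"');
  }
  return findings;
}

// Constructed samples: the policy from the slide, the open one, and a
// locked-down one.
const policyFromSlide =
  '<cross-domain-policy>\n' +
  '  <allow-access-from domain="*.mydomain.com" />\n' +
  '</cross-domain-policy>';
const openPolicy =
  '<cross-domain-policy>\n' +
  '  <allow-access-from domain="*" />\n' +
  '</cross-domain-policy>';
const lockedPolicy =
  '<cross-domain-policy>\n' +
  '  <site-control permitted-cross-domain-policies="master-only" />\n' +
  '  <allow-access-from domain="www.mydomain.com" />\n' +
  '</cross-domain-policy>';
```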

JavaScript Manipulation

❙ A JavaScript injection is a complete loss of trust


❙ user variables, functions and methods
❙ browser properties, functions and methods
❙ form variables and hidden data
❙ content, cookie and flash storage
❙ Example: alert man-in-the-middle
old_alert = alert;             // keep a reference to the original alert
function myalert(str) {        // replacement that wraps the original
  old_alert('myalert: ' + str);
}
alert = myalert;               // every later alert() call now goes through myalert
alert('Test');                 // displays "myalert: Test"
❙ Now imagine doing the same with Prototype's Ajax.Request:
Ajax.Request = myRequestMITM;

JSON

❙ Actually it should be AJAJ


❙ JavaScript Object Notation
❙ "If JSON were food it would be Sushi"
❙ Example:
{ "type": "menu", "value": "File",
  "items": [ { "value": "New", "action": "CreateNewDoc" },
             { "value": "Open", "action": "OpenDoc" },
             { "value": "Close", "action": "CloseDoc" } ] }
❙ Advantage: can be executed in JavaScript
❙ Disadvantage: actually is executed in JavaScript
❙ Additional vector to infiltrate JavaScript
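Why "actually is executed in JavaScript" matters, as an added example that is not from the slides: the same menu reply decoded with eval() versus JSON.parse(). The tampered reply, the injected() marker function and demo() are constructed for this demonstration.

```javascript
// Added example, not from the slides: a JSON reply is just a string; the
// old way of turning it into an object was eval(), which runs any
// JavaScript the string contains. JSON.parse only accepts the JSON grammar.

let injectedCalls = 0;                 // how often non-JSON code was executed
function injected() { injectedCalls += 1; return 'CloseDoc'; }

// Constructed reply: the slide's menu, but one "action" is a function call
// instead of a string literal (valid JavaScript, invalid JSON).
const tamperedReply =
  '{"type": "menu", "value": "File", "items": [' +
  '{"value": "New", "action": "CreateNewDoc"}, ' +
  '{"value": "Close", "action": injected()}]}';

// Constructed clean reply, as a server should send it.
const cleanReply =
  '{"type": "menu", "value": "File", "items": [' +
  '{"value": "New", "action": "CreateNewDoc"}]}';

// Unsafe: eval treats the reply as code, so injected() runs.
function decodeWithEval(text) {
  return eval('(' + text + ')');
}

// Safe: JSON.parse rejects anything that is not data.
function decodeWithParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

function demo() {
  const before = injectedCalls;
  const viaEval = decodeWithEval(tamperedReply);
  const viaParse = decodeWithParse(tamperedReply);
  return {
    evalRanCode: injectedCalls > before,   // true: code in the reply executed
    evalItems: viaEval.items.length,       // 2: eval still built the object
    parseOk: viaParse.ok,                  // false
    parseError: viaParse.error,            // 'SyntaxError'
  };
}
```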

JavaScript-Malware

❙ The browser is the platform


❙ … so we got
❙ Viruses
❙ Backdoors
❙ Spyware
❙ Trojan horses

Ajax / JavaScript Worms
❙ Place: Web Application(s) and Browser
❙ Infection happens by XSS and Ajax
❙ Distribution by XHR, Forms, RSS, MicroFormats…
❙ The browser does the replication
❙ The web applications hold the data
❙ Finally there is a cross-platform virus
❙ Critical payloads are possible
❙ Data modification
❙ Credit card data espionage
❙ Online transactions (stock investments)

Web 2.0 and Worms, translated

❙ Web 2.0: LAW – Let others work


Worm: replication by user-induced content
❙ Web 2.0:Mash-Ups – mix several services
Worm: distributed replication vector
❙ Web 2.0: SOA – distributed Applications
Worm: distributed replication vector
❙ Web 2.0: Content sharing-RSS, MicroFormats
Worm: distributed replication vector
❙ Web 2.0: powerful JavaScript allows rich applications
Worm: powerful JavaScript allows rich virii
❙ When everything is network, replication can always happen

Real-life example: the MySpace worm

❙ MySpace, at this time no. 5 with 37 million users


❙ Samy had only 73 friends
❙ But he knew JavaScript…
❙ so he could force people into adding him as a friend
❙ and propagate the worm using their profile pages
❙ The people at MySpace were prepared
❙ a rather good XSS filter
❙ … that allowed some filter evasions
❙ a protection against CSRF
❙ … that could be circumvented using XHR
❙ 20 hours later, 1,000,000 people wanted to be Samy's friend.

XSS-Shells and Browser Backdoors

❙ JavaScript execution allows browser control


❙ JavaScript does not have to be static
❙ It can be created dynamically, or controlled by a human
❙ XSS shells allow controlling the visitor's browser
❙ to disclose browser details
❙ execute JavaScript actions
❙ steal the browser clipboard data
❙ scan the intranet
❙ COMET!
❙ Bidirectional JavaScript communication allows real-time browser control
❙ Examples: BEEF, XSS-Shell, XSS-Proxy

Intranet Attacks

❙ Behind the firewall, security is usually less important:


❙ Unpatched Software
❙ Default Passwords
❙ Unprotected Services
❙ With JavaScript, the intranet can be scanned
❙ a Java applet can be used to detect the local IP address
❙ the local intranet can be scanned
❙ everything that speaks HTTP can be discovered
❙ Individual attacks can be launched based on the findings
❙ every HTTP POST or GET based exploit
❙ Example: Linksys WRT54G buffer overflow, Cisco IOS HTTP auth bug
❙ even cross-protocol attacks could happen (IMAP)

State of Web 2.0 and AJAX Security

❙ XSS is not a small risk anymore


❙ More logic in JavaScript means more attack surface
❙ New technologies deliver new attack vectors
❙ the attacks grow as powerful as JavaScript grows
❙ JavaScript and AJAX-Toolkits are new technology
❙ And new technology has bugs
❙ A new XSS Filter evasion every 2 months
❙ "Security is a process, not a product"

Securing Ajax Applications

Strategies to secure web 2.0 applications

❙ Validate all data that crosses a boundary


❙ from server to client
❙ from client to other server
❙ between servers
❙ when exchanging content
❙ Don't trust JavaScript
❙ when you are doing transactions in JavaScript
❙ when you get data delivered by JavaScript

How to improve AJAX application security

❙ Active Security improvements


❙ use a web application firewall like mod_security
❙ use a security scanner to check for XSS
❙ do source code audits for every new piece of software
❙ train your developers in security awareness
❙ Reduce the number of dangerous actions, like
❙ allowing HTML input
❙ file uploads
❙ completing transactions in JavaScript

Check Incoming Data

❙ Check for usage of client data


❙ URL Data
❙ POST Data
❙ File Uploads
❙ Results of JavaScript functions
❙ HTTP Headers
❙ DNS names
❙ SOAP responses

Validation and Escaping

❙ Validate Input
❙ Check for certain characters
❙ Names, Numbers, Select boxes
❙ a known format (+49 89 24 20 54 13)
❙ length limitations
❙ Compare with whitelist, if possible
❙ Escape data by type of usage
❙ Entities when displaying strings in HTML text
❙ Entities when using strings in HTML attributes
❙ SQL-dialect based encoding when using SQL without parameter binding
❙ Backslash escaping for strings in JavaScript and JSON
❙ URL encoding when used in URLs
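The "escape by type of usage" rule above carried out in code, as an added example that is not from the slides: one escaper per output context (HTML text and attributes, JavaScript/JSON string literals, URL parameters) plus a whitelist check for the phone-number format mentioned on the slide. The function names and the sample input are constructed.

```javascript
// Added example, not from the slides: one escaper per output context, plus a
// whitelist check for a known format. Names and sample input are constructed.

// HTML text and HTML attribute values: encode the five HTML metacharacters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// String literal inside JavaScript or JSON: \uXXXX-escape quotes, backslashes,
// line terminators and angle brackets, so the value can neither end the
// literal nor close the surrounding <script> element.
function escapeJsString(s) {
  return String(s).replace(/[\\"'\n\r<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query component: percent-encode everything outside the unreserved set.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Whitelist validation for a known format: a phone number written like the
// one on the slide (+49 89 24 20 54 13), with a bounded length.
function isPhoneNumber(s) {
  return /^\+?[0-9][0-9 ]{5,24}$/.test(String(s));
}

// The same untrusted value rendered into four different sinks.
function render(name) {
  return {
    text: '<b>' + escapeHtml(name) + '</b>',
    attr: '<input value="' + escapeHtml(name) + '">',
    js:   'var n = "' + escapeJsString(name) + '";',
    url:  '/profile?name=' + escapeUrlParam(name),
  };
}

// Constructed untrusted input: a display name carrying a script tag.
const userInput = '"><script>alert(1)</script>';
```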

Conclusions

❙ JavaScript is an attack platform now


❙ There are going to be more attacks against web applications
❙ There are going to be more web application worms
❙ Worms can go cross domain
❙ Targeted XSS attacks will increase
❙ The Intranet will be a target for XSS attacks
❙ Security is more important to web development right now
❙ Security will be an important part of web development

Please ask questions now! (or send an email later)
Johann-Peter Hartmann
Mayflower GmbH
Sendlinger Tor. 42a
80331 München
+49 (89) 24 20 54 - 13
hartmann@mayflower.de
