Dynamic JavaScript Liang Gong, Electric Engineering & Computer Science, University of California, Berkeley. Sebastian lekies, Ben Stock, Martin Wentzel, Martin Johns USENIX Security 2016
Berkeley. An Attack Scenario http://attacker.org/ http://email.com/ http://attacker.org/ JS 11 Same-Origin Policy • Restricts communication of active content to objects that share the same origin • Origin: protocol, port, and the host
California, Berkeley. Cross-Site Script Inclusion • A handful of attack vectors – mostly based on browser quirks • To leak data from non-JavaScript files – JSON, CSV, etc. • Most vectors are fixed in modern browsers
California, Berkeley. Motivation • Why is there no research on JS files? • Are there JS files which contain user data? • Can such data be leaked in a similar way?
California, Berkeley. Empirical Study Are there JS files which contain user data? • Sensitive data may be bound to session • JS files may be dynamically generated based on cookies. Create a browser extension: • Monitor all scripts encountered within a session • Request each script with and without cookies • Diff the results
California, Berkeley. Empirical Study Are there JS files which contain user data? • Sensitive data may be bound to session • JS files may be dynamically generated based on cookies. Create a browser extension: • Monitor all scripts encountered within a session • Request each script with and without cookies • Diff the results
California, Berkeley. Empirical Study Create a browser extension: • Monitor all scripts encountered within a session • Request each script with and without cookies • Diff the results Registered accounts on the first 150 Alexa top sites Investigate each site: • Seed the accounts with personalized data • Thoroughly interact with the site (thru extension) • Manually analyze the dynamic JS scripts
California, Berkeley. Empirical Study Create a browser extension: • Monitor all scripts encountered within a session • Request each script with and without cookies • Diff the results Registered accounts on the first 150 Alexa top sites Investigate each site: • Seed the accounts with personalized data • Thoroughly interact with the site (thru extension) • Manually analyze the dynamic JS scripts
California, Berkeley. Empirical Study Create a browser extension: • Monitor all scripts encountered within a session • Request each script with and without cookies • Diff the results Registered accounts on the first 150 Alexa top sites Investigate each site: • Seed the accounts with personalized data • Thoroughly interact with the site (thru extension) • Manually analyze the dynamic JS scripts
California, Berkeley. State-dependent JS Scripts Scripts generated based on info in cookies • 209 scripts from 49 domains • 40 domains do not have CSRF tokens for scripts Script purpose: • User-specific data: contains email addr, preference etc. • Service bootstrapping: contains data API tokens • Cross-service data sharing: single sign-on
& Computer Science, University of California, Berkeley. e.g., set a variable to true for login CSRF or auth tokens Name, user id, email addr birthday, location, real name
California, Berkeley. RQ: Can such data be leaked in a similar way? http://attacker.org/ http://vuln.com/ http://attacker.org/ // 1. insert the script tag
California, Berkeley. RQ: Can such data be leaked in a similar way? http://attacker.org/ http://vuln.com/ http://attacker.org/ <script src="//voln.com/dynamic.js" /> // 1. insert the script tag
California, Berkeley. RQ: Can such data be leaked in a similar way? http://attacker.org/ http://vuln.com/ http://attacker.org/ <script src="//voln.com/dynamic.js" /> // 1. insert the script tag
California, Berkeley. RQ: Can such data be leaked in a similar way? http://attacker.org/ http://vuln.com/ http://attacker.org/ <script src="//voln.com/dynamic.js" /> // 1. insert the script tag
California, Berkeley. RQ: Can such data be leaked in a similar way? http://attacker.org/ http://vuln.com/ http://attacker.org/ <script src="//voln.com/dynamic.js" /> // 1. insert the script tag // 2. observe side effect
California, Berkeley. RQ: Can such data be leaked in a similar way? Leaking data stored in global variables: // local variable at top level var first_name = "John"; // variable missing the "var" keyword last_name = "Doe"; // global variable window.user_email = "[email protected]"; console.log(first_name); console.log(last_name); Console.log(user_email); dynamic.js evil.js
California, Berkeley. RQ: Can such data be leaked in a similar way? Leaking data via global functions: function example() { var email = "[email protected]"; window.MyLibrary.doSomething(email); } window.MyLibrary = {}; window.MyLibrary.doSomething = function(email) { console.log(email); } dynamic.js evil.js
California, Berkeley. RQ: Can such data be leaked in a similar way? Leaking data via built-in APIs: function example() { var email = "[email protected]"; JSON.stringify(email); } JSON.stringify = function (data) { sendToAttackerBackend(data); } dynamic.js evil.js
California, Berkeley. RQ: Can such data be leaked in a similar way? Leaking data via the this reference: (function () { var secret_values = ["[email protected]", "top secret"]; secret_values.forEach(function (secret) { // do something secret here }) })(); Array.prototype.forEach = function(callback) { console.log(this); // this points to the array } dynamic.js evil.js
Berkeley. RQ: Can such data be leaked in a similar way? Leaking data via the this reference: (function () { var secret_values = ["[email protected]", "top secret"]; secret_values.forEach(function (secret) { // do something secret here }) })(); Array.prototype.forEach = function(callback) { console.log(this); // this points to the array } dynamic.js evil.js Other APIs: String.prototype.concat String.prototype.substring String.prototype.toString String.prototype.replace Array.prototype.join Array.prototype.map Array.prototype.forEach ... 46
University of California, Berkeley. Some scripts are not exploitable because the URL contains CSRF and therefore cannot be inserted in the attack page. Dynamic scripts based on cookies CSRF or auth tokens Name, user id, email addr birthday, location, school
California, Berkeley. A Loophole Found on G+ http://attacker.org/ http://attacker.org/ <script src="//googleplus.api.com/dynamic.js" /> isLoggedIn = ... isPlusUser = ... userFirstPartyAuthV2 = ... Show some phishing link aimed at Google users.
California, Berkeley. Other Leaked Info Email address (14 domains) Phone number (1 domain) Real first name (10 domains) Calendar data (1 domain) These info can be used for: • User tracking • Personalized phishing attack • Spam email • Personalized Advertisement
California, Berkeley. Other Leaked Info Email address (14 domains) Phone number (1 domain) Real first name (10 domains) Calendar data (1 domain) These info can be used for: • User tracking • Personalized phishing attack • Spam email • Personalized Advertisement
California, Berkeley. Leaking Detailed Email Info From a email services domain: • The main page previewed the last 5 emails • Subject, sender, date and msgId
California, Berkeley. Session Hijacking on File Storage Services http://attacker.org/ http://vuln.com/ http://attacker.org/ <script src="//voln.com/dynamic.js" /> The script leaked the Username and session ID. The session ID can be used to access all files on vuln.com.
California, Berkeley. A More Interesting Attack XSSI CSRF XSS Facebook post • A news site hosted a script containing the CSRF token • The CSRF token enabled us to send profile change requests • In the profile page there was a XSS • A Facebook auth token was stored inside a cookie.
California, Berkeley. XSSI CSRF XSS Facebook post http://attacker.org/ http://vuln.com/ http://vuln.com/profile Name: John Doe Email: <script>JS code</script> Search for Facebook tokens on this page This site is SSO through Facebook API.
California, Berkeley. XSSI CSRF XSS Facebook post http://attacker.org/ http://vuln.com/ http://vuln.com/profile Name: John Doe Email: <script>JS code</script> Got token, and interact with Facebook with the token http://facebook.com/
California, Berkeley. Empirical Study Taking over an account at a file hoster • Utilized an Ajax driven Web UI • An authentication token was required for these XHRs • The Token was provided inside a script file • Change the user’s password only requires the email (does not require the old password) • The email is leaked via script.
California, Berkeley. How to prevent? Prevent the script from being included by a third-party • Solution 1: Strict referrer checking (error-prone) • Solution 2: Randomize the script’s URL for each users (include tokens) Separate JavaScript code from sensitive data: • Create static JS files and load data dynamically at run time • The data services can be protected via the SOP Or inline the script with sensitive data into the web page.
jacksongl
niftycorp
kg_wakate
masatoto
mkimura
yuyay
tanichu
kentaitakura
mickey_kubo
yuta0306
momoseoyama
tsantalis
moda0
phodgson
rmw
nonsquared
sachag
robhawkes
marktimemedia
csswizardry
bcantrill
morganepeng
aarron
mojombo
pauljervisheath
