JS Suicide: Using JavaScript Security Features to Kill JS Security
Ahamed Nafeez
@skeptic_fx

Slide 2
Agenda
• JavaScript of all things
• Objects and ECMAScript 5
• The Principle of Unobtrusive JavaScript
• The sad story of OWASP CSRFGuard
• Hunting down insecure DOM Properties

Slide 3
What to expect today?
This talk is about:
• Using JavaScript’s features to attack its implementations.
• Bypassing OWASP CSRFGuard’s protection.
• DOM Clobbering.

This talk is NOT about how to do
• Cross site scripting
• Cross site request forgery
• Or the usual stuff you hear in JS Security like eval, Global Objects etc.
Slide 4
#whoami
Ahamed Nafeez
Security Engineer by day, with above average interest in Web and Networks.
I believe Defending and Building secure software is harder than attacking.
blog.skepticfx.com
This talk does not represent the view of my employer.

Slide 5
JavaScript of all things

Slide 6
Enough JS Primer for today
• Dynamic language
• Object-based
• Functions are first class citizens

Slide 7
Native Objects

Slide 8
Object
Array
Number

Slide 9
Host Objects

Slide 10
DOM - Browsers
http, dns - Nodejs

Slide 11
ECMAScript 5

Slide 12
Tamper-Proof Objects
var point = { a: 1, b: 2 }

Almost Static HTML
Dynamic Data over JavaScript via XHR, JSON etc
Slide 21
(no text)

Slide 22
Cached HTML pages
Non-Cached JavaScript pages

Slide 23
Where do I put my dynamic + secret artifacts?

Slide 24
OWASP CSRFGuard
• Synchroniser token pattern.
• Injects ANTI-CSRF tokens into pages dynamically
• Completely compatible with the principle of Unobtrusive JavaScript
Slide 25
Where did they keep their tokens?

Slide 26
(no text)

Slide 27
Smells fishy

Slide 28
An attacker could load this JS file from a Cross-Domain website and steal this token.

Slide 29
The library did protect against that

Slide 30
Let’s introspect isValidDomain()
If this returns True, the check is bypassed.

Slide 31
Custom String.prototype

Slide 32
Bypass 1 - Prototype Overriding
• Always return True
• Freeze the String.prototype Object, so CSRFGuard cannot redefine it.
override.js
Slide 33
Bypass 1 - Continued . . .
• Load the CSRFGuard JS File from good.com
• Walk the DOM and read the CSRF Token injected by the library.

Slide 34
Let’s attempt to fix this
Object.isFrozen() tells whether an Object is already frozen.

Slide 35
Did you know?
Object.isFrozen() can be spoofed as well?

Slide 36
Attacker can return ‘false’ always

Slide 37
Bypassing the isFrozen() Fix

Slide 38
Let’s try another way to bypass this whole situation.
Just for Fun.
Slide 39
Revisiting the Check
The whole check depends on the value of document.domain

Slide 40
Wait! document.domain is a lie

Slide 41
Bypass 2
Make document.domain always return good.com

Slide 42
How to deal with this situation?

Slide 43
Do not Hard Code the Dynamic + Secret artifacts.
1. Embed them inside your DOM such as META tags and read from JS
2. Send an XHR request and read it. So the token is protected by Same Origin Policy
Slide 44
Upgrade to CSRFGuard 3.1

Slide 45
DOM Clobbering

Slide 46
Names and IDs of form controls are treated as properties of the FORM Element.

Slide 47
Think about JS Frame Busters
Used to prevent UI Redressing attacks.
Some people still use this alongside the X-Frame-Options header.

Slide 48
(no text)

Slide 49
If an Attacker can control form fields

Slide 50
The DOM is a Mess
@garethheyes - http://www.thespanner.co.uk/2013/05/16/dom-clobbering/
Slide 51
Hunting down Objects which can be tampered

Slide 52
Object.getOwnPropertyDescriptor
Look for the ‘configurable’ property

Slide 53
Location Properties in Chrome

Slide 54
Things to keep in mind
Today, a developer can rely on location.href as the only trusted source of location.
Every other location property can be spoofed and played around with.
You can try fuzzing various different properties and use them in your pen tests / research accordingly.
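An added example, not from the talk or from CSRFGuard, of the hunt described on Slides 51, 52 and 54: audit the property descriptors of an object (and of the objects on its prototype chain) and report which ones a page script could redefine or overwrite. It runs in Node.js; the token-holder objects and the property lists are constructed here for the demonstration.

```javascript
// A property is tamperable when it is configurable (it can be redefined or
// deleted with Object.defineProperty / delete) or a writable data property
// (it can simply be assigned). Accessor properties have no 'writable' flag.
function auditProperty(obj, name) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  if (!d) return null;
  const isData = 'value' in d;
  return {
    name,
    kind: isData ? 'data' : 'accessor',
    configurable: d.configurable,
    writable: isData ? d.writable : false,
    tamperable: d.configurable || (isData && d.writable),
  };
}

// Walk the prototype chain for each name, stop at the first object that owns
// it, and record whether it was found on the object itself or on a prototype.
// Generalises the single getOwnPropertyDescriptor call shown on Slide 52.
function auditChain(obj, names) {
  return names.map((name) => {
    let o = obj;
    while (o !== null && !Object.prototype.hasOwnProperty.call(o, name)) {
      o = Object.getPrototypeOf(o);
    }
    if (o === null) return { name, tamperable: false, owner: null };
    const r = auditProperty(o, name);
    r.owner = o === obj ? 'own' : 'prototype';
    return r;
  });
}

// Names from the audit that a same-page script could tamper with.
function tamperableNames(obj, names) {
  return auditChain(obj, names).filter((r) => r.tamperable).map((r) => r.name);
}

// Constructed token holder: every property of a plain object is tamperable,
// none of a frozen object's are (frozen => non-configurable, non-writable).
const config = { tokenName: 'OWASP_CSRFTOKEN', token: 'placeholder-token' };
const frozen = Object.freeze({ ...config });

console.log(tamperableNames(config, Object.keys(config)));       // [ 'tokenName', 'token' ]
console.log(tamperableNames(frozen, Object.keys(frozen)));       // []
// Built-ins a domain check might lean on are writable and configurable by
// default; so is Object.isFrozen itself, which is why the Slide 34 fix fails.
console.log(tamperableNames('good.com', ['indexOf', 'match']));  // found on String.prototype
console.log(tamperableNames(Object, ['isFrozen', 'freeze']));    // [ 'isFrozen', 'freeze' ]
```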
Slide 55
You should follow
• Mario, @0x6D6172696F
• Gareth Heyes, @garethheyes
• Yosuke Hasegawa, @hasegawayosuke
• Lavakumar, @lavakumark
• And a few more, that I don’t have space to mention here.

Slide 56
THANK YOU
@SKEPTIC_FX
KEEP STORMING THE DOM :)