© 2011 IBM Corporation
IBM Rational AppScan
Client-side JavaScript Security Vulnerabilities: The Twilight Zone of Web Application Security
Ory Segal, Security Products Architect, Rational
Ory Segal
• Security products architect, Rational
• AppScan product manager
• Web Application Security Consortium officer
• Contributor (WASC, MITRE, NIST, OWASP)
• Renowned application security expert
From server to client side – The migration story of web application logic
• 1990 <HTML>: capable of presenting only text and hyperlinks
• 1993 <IMG>: embedded images in web pages (3rd-party content allowed)
• 1995 <SCRIPT>: JavaScript enables programmatic modification of HTML
• 1996 <IFRAME>: embeds a page within a page (3rd-party content)
• <EMBED>: embeds an Adobe Flash file for animation
• 1999 XHR: client-side API (e.g. from JS) to send and receive HTTP traffic programmatically, without refreshing the entire page
• 2005 AJAX: fetch data asynchronously using XHR, reducing the time spent waiting on page loads; desktop application look & feel
• 2011 HTML5 & APIs: Canvas, Media, Offline storage, Drag & Drop, Geolocation, Local SQL, …
Logic is Migrating from Server to Client…
• We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
Client-side JavaScript Security Issues
DOM-Based Cross-site Scripting
• A type of XSS (the third type after “Reflected” & “Stored”)
• The application doesn’t need to echo back user input as in Type I & Type II
• We poison a DOM property (such as document.URL) that is then used by JavaScript code
• Example (welcome.html)

```html
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT> <BR/>
Welcome to our system
</HTML>
```

http://www.vuln.site/welcome.html?name=Ory

Source: document.URL
Sink: document.write()
Result: document.write("Ory")
DOM-Based Cross-site Scripting: Attack Example
http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>
• The attack takes place entirely on the client side: the payload sits in the # fragment identifier, which the browser never sends to the server, so server-side filters and logs never see it
• Hacker-controlled DOM properties include: document.URL, document.location, document.referrer, window.location, etc.
• Same welcome.html listing as above
• Caveat: URL parsers that follow the WHATWG URL standard percent-encode < and > in the fragment, so document.URL then carries %3Cscript%3E; against such a browser the payload needs a decoding step on the way to the sink (compare the decodeURI call in the localStorage listing below)

Source: document.URL
Sink: document.write()
Result: document.write("<script>alert('hacked')</script>")
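As an added example (not code from the original deck), here is the welcome.html logic modelled as plain functions that run in Node.js, beside a hardened version. The function names, the BENIGN/ATTACK constants and the use of the URL API to parse the query are assumptions of this example; in the page, `documentURL` would be `document.URL`.

```javascript
// Added example, not from the original deck: the welcome.html listing modelled
// as pure functions so it runs in Node.js. `documentURL` stands in for
// document.URL; the return value is what the page would hand to its sink.

// Vulnerable: mirrors the slide. It searches the whole URL, fragment included,
// for "name=" and passes the raw remainder to document.write().
function vulnerableGreeting(documentURL) {
  const pos = documentURL.indexOf("name=") + 5;
  return "Hi " + documentURL.substring(pos, documentURL.length);
}

// Minimal HTML encoding for text placed inside an element's markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: take the parameter from the parsed query only (the fragment is
// never consulted) and encode it before it reaches a markup sink. In a real
// page, assigning elem.textContent instead of using document.write/innerHTML
// removes the need to encode at all.
function safeGreeting(documentURL) {
  const name = new URL(documentURL).searchParams.get("name");
  return name === null ? "Hi stranger" : "Hi " + escapeHtml(name);
}

// How a WHATWG-conformant URL parser (Node's) serializes the slide's fragment
// payload: '<' and '>' come back percent-encoded. A browser with the same
// behaviour gives document.URL this form, so the 2011 proof of concept needs
// a decoding step before it fires there.
function fragmentAsSerialized(documentURL) {
  return new URL(documentURL).hash;
}

// Constructed inputs: the two URLs from the slides.
const BENIGN = "http://www.vuln.site/welcome.html?name=Ory";
const ATTACK = "http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>";

for (const url of [BENIGN, ATTACK]) {
  console.log("vulnerable:", vulnerableGreeting(url));
  console.log("safe:      ", safeGreeting(url));
}
console.log("fragment as serialized:", fragmentAsSerialized(ATTACK));
```

The two fixes are independent: parsing the query with URLSearchParams stops the fragment trick, and encoding (or using textContent) stops a payload that does arrive in the query string.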
Client-side Open Redirect
• JavaScript code automatically redirects the browser to a new location
• The new location is taken from a DOM property (URL, query string, referrer, etc.)
• Example (redirect.html, excerpt)

```javascript
var sData = document.location.search.substring(1);
var sPos = sData.indexOf("url=") + 4;
var ePos = sData.indexOf("&", sPos);
var newURL;
if (ePos < 0) { newURL = sData.substring(sPos); }
else { newURL = sData.substring(sPos, ePos); }
window.location.href = newURL;
```

http://www.vuln.site/redirect.html?a=5&url=http://www.some.site

Source: document.location
Sink: window.location.href
Result: window.location.href = "http://www.some.site";
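The redirect.html logic above, as an added example that is not part of the original deck, beside a hardened version that only follows same-origin targets. The function names, the `pageOrigin` parameter and the fixed fallback of "/" are assumptions of the example; in the page, `search` would be `document.location.search` and the result would be assigned to `window.location.href`.

```javascript
// Added example, not from the original deck: the redirect.html logic beside a
// hardened version. Pure functions over the query string so it runs in Node.js.

// Vulnerable: mirrors the slide. Whatever follows "url=" becomes the target,
// so http://www.some.site, //evil.site or javascript:... are all accepted.
function vulnerableRedirectTarget(search) {
  const sData = search.substring(1);
  const sPos = sData.indexOf("url=") + 4;
  const ePos = sData.indexOf("&", sPos);
  return ePos < 0 ? sData.substring(sPos) : sData.substring(sPos, ePos);
}

// Hardened: parse the query properly, resolve the target against the page's
// own origin and redirect only if it stays on that origin. Absolute URLs to
// other hosts, protocol-relative "//evil.site", "javascript:" and unparsable
// input all fall back to a fixed safe location.
function safeRedirectTarget(search, pageOrigin, fallback = "/") {
  const target = new URLSearchParams(search).get("url");
  if (target === null) return fallback;
  let resolved;
  try {
    resolved = new URL(target, pageOrigin);
  } catch {
    return fallback; // not a URL at all
  }
  if (resolved.origin !== new URL(pageOrigin).origin) return fallback;
  // Return only path, query and fragment so the result can carry neither
  // credentials nor a host, even after passing the origin check.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed inputs: the slide's URL plus the usual bypass attempts.
const PAGE_ORIGIN = "http://www.vuln.site";
const QUERIES = [
  "?a=5&url=http://www.some.site",
  "?url=//evil.site/x",
  "?url=javascript:alert(1)",
  "?url=http://www.vuln.site@evil.site/",
  "?url=/account?tab=1",
];

for (const q of QUERIES) {
  console.log(q, "->", vulnerableRedirectTarget(q), "|", safeRedirectTarget(q, PAGE_ORIGIN));
}
```

Comparing `origin` after resolution is what defeats the protocol-relative and user-info tricks; a prefix check on the raw string (`target.startsWith("http://www.vuln.site")`) would still let `http://www.vuln.site.evil.site` or `http://www.vuln.site@evil.site` through.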
Stored DOM-Based Cross-Site Scripting: Exploiting the HTML5 localStorage API

register page (excerpt):

```javascript
var pos = document.URL.indexOf("name=") + 5;
var yourName = document.URL.substring(pos, document.URL.length);
yourName = decodeURI(yourName); // the slide discards decodeURI's result; the assignment is what the flow intends
window.localStorage.name = yourName;
```

welcome page (excerpt):

```html
<div id="header"></div>
<script>
var elem = document.getElementById("header");
var name = window.localStorage.name;
elem.innerHTML = "Hello, " + name;
</script>
```

Source: document.URL
Storage: window.localStorage.name
Sink: elem.innerHTML
Result: elem.innerHTML = "Hello, " + <value_of_name_parameter>

• The payload persists in the origin's localStorage, so it fires on every later visit to the welcome page until the entry is cleared, without the malicious URL being present again
So, how common are client-side JavaScript issues?
(Lack of) Statistics on Client-Side JS Issues
• Two options for gathering statistics
  – Automated discovery
  – Manual discovery
• Automated tools
  – Dynamic analysis tools only uncover ~30%
  – Static analysis tools struggle with dynamic code (AJAX)
• Manual code review is hell – have you seen JavaScript lately?

Sample of minified production JavaScript (from the Dojo toolkit loader):

```javascript
dojo._xdReset();if(dojo["_xdDebugQueue"]&&dojo._xdDebugQueue.length>0){dojo._xdDebugFileLoaded();}else{dojo._xdNotifyLoaded();}};dojo._xdNotifyLoaded=function(){for(var _99 in dojo._xdInFlight){if(typeof dojo._xdInFlight[_99]=="boolean"){return;}}dojo._inFlightCount=0;if(dojo._initFired&&!dojo._loadNotifying){dojo._callLoaded();}};if(typeof window!="undefined"){dojo.isBrowser=true;dojo._name="browser";(function(){var d=dojo;if(document&&document.getElementsByTagName){var _9a=document.getElementsByTagName("script");var _9b=/dojo(\.xd)?\.js(\W|$)/i;for(var i=0;i<_9a.length;i++){var src=_9a[i].getAttribute("src");if(!src){continue;}var m=src.match(_9b);if(m){if(!d.config.baseUrl){d.config.baseUrl=src.substring(0,m.index);}var cfg=_9a[i].getAttribute("djConfig");if(cfg){var _9c=eval("({ "+cfg+" })");for(var x in _9c){dojo.config[x]=_9c[x];}}break;}}}d.baseUrl=d.config.baseUrl;var n=navigator;var dua=n.userAgent,dav=n.appVersion,tv=parseFloat(dav);if(dua.indexOf("Opera")>=0){d.isOpera=tv;}if(dua.indexOf("AdobeAIR")>=0){d.isAIR=1;}d.isKhtml=(dav.indexOf("Konqueror")>=0)?tv:0;d.isWebKit=parseFloat(dua.split("WebKit/")[1])||undefined;d.isChrome=parseFloat(dua.split("Chrome/")[1])||undefined;d.isMac=dav.indexOf("Macintosh")>=0;var _9d=Math.max(dav.indexOf("WebKit"),dav.indexOf("Safari"),0);if(_9d&&!dojo.isChrome){d.isSafari=parseFloat(dav.split("Version/")[1]);if(!d.isSafari||parseFloat(dav.substr(_9d+7))<=419.3){d.isSafari=2;}}if(dua.indexOf("Gecko")>=0&&!d.isKhtml&&!d.isWebKit){d.isMozilla=d.isMoz=tv;}if(d.isMoz){d.isFF=parseFloat(dua.split("Firefox/")[1]||dua.split("Minefield/")[1])||undefined;}if(document.all&&!d.isOpera){d.isIE=parseFloat(dav.split("MSIE ")[1])||undefined;var _9e=document.documentMode;if(_9e&&_9e!=5&&Math.floor(d.isIE)!=_9e){d.isIE=_9e;}}if(dojo.isIE&&window.location.protocol==="file:") {dojo.config.ieForceActiveXXhr=true;}d.isQuirks=document.compatMode=="BackCompat";d.locale=dojo.config.locale||(d.isIE?n.userLanguage:n.language).toLowerCase();
```
Introducing JavaScript Security Analyzer
What is JSA?
1st and only to auto-detect client-side issues such as:
• DOM-based XSS
• Phishing through Open Redirect
• HTML5 Notification API Phishing
• HTML5 Web Storage API Poisoning
• HTML5 Client-side SQL Injection
• HTML5 Client-side Stored XSS
• HTML5 Web Worker Script URL Manipulation
• Email Attribute Spoofing

[Slide graphic: obfuscated/hex-encoded JavaScript, labelled De-obfuscation, HTML5, String analysis]
Using JavaScript Security Analyzer
• Zero configuration required
• Super-simple
• Super-fast
Viewing JSA Results in AppScan Standard
[Screenshot: AppScan Standard – Scan Results, calling out the vulnerable URL and line of code, and the tainted data flow information]
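As an added example, not the deck's own code and not how JSA works internally, here is a toy source-to-sink tracer for the Source / Sink / Results triage applied to the three listings above (welcome.html, redirect.html and the localStorage pair) and for the kind of tainted-data-flow view a scanner reports. The source and sink lists, the statement-splitting heuristic and the four constructed listings are assumptions of the example; real analyzers need a parser and a call graph, and this toy knowingly misses aliasing through functions, objects and the DOM, which is part of why the slides call automated discovery hard.

```javascript
// Added example, not from the original deck or from AppScan/JSA: a toy
// source-to-sink tracer working on flat statement text rather than an AST.
// It follows straight-line `var x = ...` chains and nothing more.

// DOM properties an attacker influences (sources) and APIs that interpret
// their argument as markup, script, a URL or persistent state (sinks).
const SOURCES = ["document.URL", "document.location", "document.referrer",
  "window.location", "location.hash", "location.search", "localStorage."];
const PROPERTY_SINKS = [".innerHTML", ".outerHTML", "location.href", "localStorage."];
const CALL_SINKS = ["document.write", "eval", "setTimeout", "window.open"];

const IDENT = /^[A-Za-z_$][\w$]*$/;
// `var x = expr`, `x = expr` or `obj.prop = expr`; `(?!=)` skips `==`.
const ASSIGN = /^(?:var|let|const)?\s*([\w$.]+)\s*=(?!=)\s*(.+)$/s;

// Split on statement and block boundaries; adequate for the listings only.
function statements(src) {
  return src.split(/[;{}]/).map((s) => s.trim()).filter(Boolean);
}

// True when the expression reads a source or an already-tainted variable.
function isTainted(expr, tainted) {
  if (SOURCES.some((s) => expr.includes(s))) return true;
  const words = expr.match(/[A-Za-z_$][\w$]*/g) || [];
  return words.some((w) => tainted.has(w));
}

// Returns one finding per statement in which tainted data reaches a sink.
function traceTaint(src) {
  const tainted = new Set();
  const findings = [];
  for (const stmt of statements(src)) {
    const m = stmt.match(ASSIGN);
    if (m) {
      const [, lhs, rhs] = m;
      const sink = PROPERTY_SINKS.find((s) => lhs.includes(s));
      if (sink && isTainted(rhs, tainted)) {
        findings.push({ sink, statement: stmt });
      } else if (IDENT.test(lhs) && isTainted(rhs, tainted)) {
        tainted.add(lhs); // over-approximates: any read of a source taints lhs
      }
      continue;
    }
    const sink = CALL_SINKS.find((s) => stmt.includes(s + "("));
    if (sink && isTainted(stmt, tainted)) findings.push({ sink, statement: stmt });
  }
  return findings;
}

// The deck's listings, transcribed here as constructed inputs.
const WELCOME_JS = `
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));`;
const REDIRECT_JS = `
var sData = document.location.search.substring(1);
var sPos = sData.indexOf("url=") + 4;
var ePos = sData.indexOf("&", sPos);
var newURL;
if (ePos < 0) { newURL = sData.substring(sPos); }
else { newURL = sData.substring(sPos, ePos); }
window.location.href = newURL;`;
const REGISTER_JS = `
var pos = document.URL.indexOf("name=") + 5;
var yourName = document.URL.substring(pos, document.URL.length);
yourName = decodeURI(yourName);
window.localStorage.name = yourName;`;
const GREETING_JS = `
var elem = document.getElementById("header");
var name = window.localStorage.name;
elem.innerHTML = "Hello, " + name;`;

for (const [label, src] of Object.entries({ WELCOME_JS, REDIRECT_JS, REGISTER_JS, GREETING_JS })) {
  console.log(label, traceTaint(src));
}
```

Treating `localStorage.` as both a sink (on write) and a source (on read) is what links the register page finding to the welcome page finding in the stored case; a scanner has to make the same choice, or the second half of the flow looks like trusted data.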
Let's try again…
How common are client-side JavaScript issues?
Using JSA we ran a study on real sites
• Fortune 500
• 175 most popular sites
• Non-obtrusive automated review
• Manually verified results
• Scary outcome…
• 169,443 total pages
• 90,929 unique pages
• 1,659 pages with vulnerabilities
• Likelihood of a web page being vulnerable: 1 in 55
• 14.5% of sites vulnerable
Who wrote these vulnerabilities?
• 62% in house
• 38% 3rd party:
  * Marketing campaign JavaScript snippets
  * Flash embedding JavaScript snippets
  * Social networking JavaScript snippets
  * Deep linking JavaScript libraries for Flash and AJAX applications
Issue Distribution

Issue           Sites Vulnerable   Total Issues
DOM-based XSS   92                 2370
Open Redirect   11                 221
JavaScript is becoming prominent
• Modern applications: HTML5, AJAX, Web 2.0
• Application logic is shifting to the client side: more code == more vulnerabilities
• Issues arise when code relies on parts of the DOM that are hacker-controlled
• Detection requires tedious manual work
• AppScan with JSA can automate client-side issue detection
Q & A
Thank You
You can download the full whitepaper at: http://tinyurl.com/5w6koqj