A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/2 Applications Areas of JavaScript

A Collection of Real World (JavaScript) Security ProblemsExamples from 212 Applications Areas of JavaScript

Achim D Bruckerachimbruckersapcom

SAP AG Central Code Analysis Team

July 2 2014

A Collection of Real World (JavaScript) Security Problems

Abstract

JavaScript is gaining more and more popularity as an implementation language for various applications typessuch as Web applications (client-side) mobile applications or server-side applicationsWe outline a few security challenges that need to be prevented in such applications and thus for which thereis a demand for analysis methods that help to detect them during during development

Agenda

1 Motivation and Basics

2 SAP UI5 Client-side JavaScript

3 Apache Cordova JavaScript on Mobile

4 HANA XS Engine Server-side JavaScript

Agenda

What We Want to FindProgramming Patterns That May Cause Security Vulnerabilities

Mainly two patternsLocal issues (no data-flow dependency) e g

bull Insecure functions

1 var x = Mathrandom()

bull Secrets stored in the source code

1 var password = rsquosecretrsquo

Data-flow related issues e g

bull Cross-site Scripting (XSS)

1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))

1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)

Functions as First-Class Objects

1 var href = documentlocationhref2 var unsafeInput = hrefsubstring(hrefindexOf(default=)+8) unsafe input3 var safeInput = 1+2 safe input4

5 aliasing eval6 var exec = eval7 var doit = exec8

9 var func_eval1 = function (x) eval(x)10 var func_eval2 = function (xy) eVaL(y)11

12 var func_eval_eval = function (x) func_eval1(x)13 var func_doit = function (x) doit(x)14 var func_exec = function (x) exec(y)15 var run = func_eval116 var inject_code = func_exec17

18 doit(safeInput) secure19 doit(unsafeInput) code injection

Where is The Code of my Application

1 var input = documentlocationhrefsubstring(documentlocationindexOf(default=)+8)2 var fake = function (x) return x3 var cleanse = function (x) return rsquohello worldrsquo4

5 var uinput = unknown(input) unknown is nowhere defined6 documentwrite(uinput) secure7

8 var finput = fake(input)9 documentwrite(finput) not secure

11 var cinput = cleanse(input)12 documentwrite(cinput) secure13

14 var extfinput = extfake(input) defined externally (part of scan)15 documentwrite(extfinput) not secure16

17 var extcinput = extcleanse(input) defined externally (part of scan)18 documentwrite(extcinput) secure19

20 var nobodyKnows = toCleanOrNotToCleanse(input) multiply defined (underspecified)21 documentwrite(nobodyKnows) not secure

Agenda

The SAP UI5 Architecture

Prototype-based Inheritance

1 var vl = new sapuicommonslayoutVerticalLayout()2 sapuicoreControlextend(fooLabel 3 metadata 4 properties 5 text string6 7 8 renderer function(oRm oControl) 9 oRmwrite(ltspangtXSSLabel )

10 oRmwrite(oControlgetText())11 oRmwrite(ltspangt)12 13 )14 var p = jQuerysapgetUriParameters()get(xss)15 vladdContent(new fooLabel(textp))16 return vl

CSRF PreventionYou need to know your frameworks

1 var request = 2 headers 3 X-Requested-With XMLHttpRequest4 Content-Type applicationatom+xml5 X-CSRF-Token Fetch6 7 8 if (AppccCSRFToken)9 var request =

10 headers 11 X-Requested-With XMLHttpRequest12 Content-Type applicationatom+xml13 X-CSRF-Token AppccCSRFToken14 15 16 else var request = 17 headers 18 X-Requested-With XMLHttpRequest19 Content-Type applicationatom+xml20 X-CSRF-Token etch secure21 22 23 var response = thisoServiceManagerread(request this thisbatch thisbusy)copy 2014 SAP AG All Rights Reserved Page 11 of 18

Agenda

Apache Cordova (SAP Kapsel) Overall IdeaAn integrated platform for developing hybrid mobile apps

bull Apache Cordova plusbull App managementbull Encrypted Storagebull Authenticationbull Loggingbull

bull Application management (SMP)

bull Can be used with devicemanagement solutions

Exploiting the JavaScript to Java Bridge

bull We can expose Java methods in JavaScript

fooaddJavascriptInterface(new FileUtils() FUtil)

bull And use them in JavaScript easily

1 ltscript type=textjavascriptgt lt[CDATA[2 filename = rsquodatadatacomlivingsocialwwwrsquo + id +rsquo_cachetxtrsquo3 FUtilwrite(filename data false)4 ]]gtltscriptgt

bull Which might expose much more than expected

1 function execute(cmd)2 return3 window_cordovaNativegetClass()forName(rsquojavalangRuntimersquo)4 getMethod(rsquogetRuntimersquonull)invoke(nullnull)exec(cmd)5

Agenda

The HANA XS Engine ArchitectureOverview

History Repeats SQL Injection

1 $responsecontentType = texthtml2 var userInput = $requestparametersget(rsquouserStuffrsquo)3

4 We assume5 - $dbgetConnection()prepareStatement(x0 xn) is secure iff x0 is not6 influenced by user input7 - sql_sanitize() safeguards us against SQL injections8 - any other preparedStatement call is evil regardless if it is influenced by9 user input or not

11 if (userInput) 12

13 var sql = select from SFLIGHTSNVOICE where CustomID =rsquo14 + userInput + rsquo15 var safe_sql = select from SFLIGHTSNVOICE where CustomID =rsquo16 + sql_sanitize(userInput) + rsquo17

18 var db_object = $db19 var conn = db_objectgetConnection()20

21 var pstmt00 = $dbgetConnection()prepareStatement(sql) SQL injection22 var pstmt01 = $dbgetConnection()prepareStatement(safe_sql) secure23

24 var pstmt02 = db_objectgetConnection()prepareStatement(sql) SQL injection25 var pstmt03 = db_objectgetConnection()prepareStatement(safe_sql) secure26

27 var pstmt04 = connprepareStatement(sql) SQL injection28 var pstmt05 = connprepareStatement(safe_sql) secure29

30 var pstmt06 = connprepareStatement(select from SFLIGHTSNVOICE where CustomID = rsquo$1rsquouserInput) secure

31 var pstmt07 = myconnprepareStatement(select from SFLIGHTSNVOICE where CustomID = rsquo$1rsquouserInput) SQL injection32

33 var pstmt08 = $mydbgetConnection()prepareStatement(sql) SQL injection34 var pstmt09 = $mydbgetConnection()prepareStatement(safe_sql) SQL injection35

36 if (pstmt)

18 var pstmt06 = connprepareStatement( where ID = rsquo$1rsquouserInput) secure19 var pstmt07 = myconnprepareStatement( where ID = rsquo$1rsquouserInput) SQL injection20

21 var pstmt08 = $mydbgetConnection()prepareStatement(sql) SQL injection22 var pstmt09 = $mydbgetConnection()prepareStatement(safe_sql) SQL injection

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP AG The information contained herein may be changedwithout prior noticeSome software products marketed by SAP AG and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP AG in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP AGThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

Motivation and Basics

SAP UI5 Client-side JavaScript

Apache Cordova JavaScript on Mobile

HANA XS Engine Server-side JavaScript

A Collection of Real World (JavaScript) Security Problems

Abstract

JavaScript is gaining more and more popularity as an implementation language for various applications typessuch as Web applications (client-side) mobile applications or server-side applicationsWe outline a few security challenges that need to be prevented in such applications and thus for which thereis a demand for analysis methods that help to detect them during during development

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)

Agenda

36 if (pstmt)