JavaScript security: a retrospective The fmoor is Lava Java. Script. - - PowerPoint PPT Presentation

javascript security a retrospective
SMART_READER_LITE
LIVE PREVIEW

JavaScript security: a retrospective The fmoor is Lava Java. Script. - - PowerPoint PPT Presentation

Jan 25, 2024 350 likes •602 views

JavaScript security: a retrospective The fmoor is Lava Java. Script. Frontcon 2018, Riga (C) Possible Security, 2018 2 About me IT security expert, > 10 years Mg.sc.comp, CEH, CySA+ Owner and Lead Researcher at Possible Security

slide-1
SLIDE 1
slide-2
SLIDE 2

Frontcon 2018, Riga (C) Possible Security, 2018 2

JavaScript security: a retrospective

The fmoor is Lava Java. Script.

slide-3
SLIDE 3

Frontcon 2018, Riga (C) Possible Security, 2018 3

About me

  • IT security expert, > 10 years

– Mg.sc.comp, CEH, CySA+

  • Owner and Lead Researcher at

Possible Security

  • Hacking and breaking things

– http://kirils.org/ – http://possiblesecurity.com/news/

slide-4
SLIDE 4

Frontcon 2018, Riga (C) Possible Security, 2018 4

Contents

  • Security fundamentals
  • Birth of JavaScript
  • JavaScript feature set & attacks
  • Conclusions
slide-5
SLIDE 5

Frontcon 2018, Riga (C) Possible Security, 2018 5

Security fundamentals – CIA triad

slide-6
SLIDE 6

Frontcon 2018, Riga (C) Possible Security, 2018 6

Security fundamentals – Confjdentiality

  • Confidentiality is the property, that information is not made

available or disclosed to unauthorized individuals, entities, or processes.

slide-7
SLIDE 7

Frontcon 2018, Riga (C) Possible Security, 2018 7

Security fundamentals – Integrity

  • Integrity means that data cannot be modified in an unauthorized
  • r undetected manner.
slide-8
SLIDE 8

Frontcon 2018, Riga (C) Possible Security, 2018 8

Security fundamentals – Availability

  • Availability is the property of the information system to be

available when it is needed.

slide-9
SLIDE 9

Frontcon 2018, Riga (C) Possible Security, 2018 9

JavaScript

  • Just a tad over 20 years old
  • 1995 @Netscape

– Scheme or Java? – scripting or static? – JavaScript!

  • C-like / Java-like syntax
  • Objects: BOM + DOM
  • same-origin policy (for DOM)

– same protocol, host, and port

JS

slide-10
SLIDE 10

Frontcon 2018, Riga (C) Possible Security, 2018 10

JScript

  • 1996

– Microsoft creates a clone of JavaScript – Netscape pushes for standardization

  • ECMA-262 (ECMAScript)
  • 1997

– ES1 is published

  • 1998

– ES2 (formal spec changes) + DOM1

slide-11
SLIDE 11

Frontcon 2018, Riga (C) Possible Security, 2018 11

ECMAScript

  • 1999

– ES3 is born – string functions, regexps – do-white – try-catch – etc.

  • 2000

DOM2

  • 2004

DOM3

slide-12
SLIDE 12

Frontcon 2018, Riga (C) Possible Security, 2018 12

DOM 1 => DOM2

slide-13
SLIDE 13

Frontcon 2018, Riga (C) Possible Security, 2018 13

DOM2 => DOM3

slide-14
SLIDE 14

Frontcon 2018, Riga (C) Possible Security, 2018 14

ECMAScript

  • Fast forward ten years 1999 => 2009
  • ES 5

– “use strict” – JSON.stringify() / JSON.parse() – array methods

  • .indexOf(), .map(), etc.

– func.bind()

slide-15
SLIDE 15

Frontcon 2018, Riga (C) Possible Security, 2018 15

Today + future

  • 2011 – WebSockets
  • 2015...

– new ECMAScript YYYY version every year

slide-16
SLIDE 16

Frontcon 2018, Riga (C) Possible Security, 2018 16

Attacks

slide-17
SLIDE 17

Frontcon 2018, Riga (C) Possible Security, 2018 17

Content type misinterpretation

  • Allows forcing browser (MSIE) to misinterpret the content type

[2008, IE only]

  • X-Content-Type-Options: nosniff
slide-18
SLIDE 18

Frontcon 2018, Riga (C) Possible Security, 2018 18

Clickjacking

  • Using transparent elements to hijack mouse clicks

[2010, RFC in 2013]

  • X-Frame-Options: deny

– prevents content to be loaded as a frame source

slide-19
SLIDE 19

Frontcon 2018, Riga (C) Possible Security, 2018 19

Cross-site scripting

  • Reflected

– hxxp://site.com/file.php?data=hello<script>alert(1);</script>

  • Stored

– STORE → hxxp://site.com/store.php?

data=hello<script>alert(1);</script>

– RETRIEVE ← hxxp://site.com/read.php

slide-20
SLIDE 20

Frontcon 2018, Riga (C) Possible Security, 2018 20

Solution – X-XSS-Protection

[2010, IE only at first]

  • X-XSS-Protection: 1

– built-in blacklist filter – NOT A FULL PROTECTION

slide-21
SLIDE 21

Frontcon 2018, Riga (C) Possible Security, 2018 21

Solution – Content-Security-Policy

[2015]

  • Content-Security-Policy: script-src 'self'
  • Defines where can different resources be loaded from. Disables

inline JavaScript.

  • X-XSS-Protection now a part of CSP
  • QUITE EFFECTIVE
slide-22
SLIDE 22

Frontcon 2018, Riga (C) Possible Security, 2018 22

Referrer attacks

  • Could be used for tracking, locating private and local systems,

[2017]

  • Referrer-Policy: no-referrer
  • Referrer-Policy: strict-origin
  • Defines what kind of referrer information to send in what cases.
slide-23
SLIDE 23

Frontcon 2018, Riga (C) Possible Security, 2018 23

Conclusions

  • New features in ECMAScript + DOM Levels provide for ever

increasing vulnerability surface

– due to browser exploits (implementation bugs) – due to lack of explicit protection

  • Browser manufacturers try to mitigate this increased risk by

adding additional protections

  • The race will continue!
slide-24
SLIDE 24

Frontcon 2018, Riga (C) Possible Security, 2018 24

JavaScript security: a retrospective

The fmoor is Lava Java. Script.

Thank you!