javascript security a retrospective
play

JavaScript security: a retrospective The fmoor is Lava Java. Script. - PowerPoint PPT Presentation

Jan 25, 2024 •350 likes •601 views

JavaScript security: a retrospective The fmoor is Lava Java. Script. Frontcon 2018, Riga (C) Possible Security, 2018 2 About me IT security expert, > 10 years Mg.sc.comp, CEH, CySA+ Owner and Lead Researcher at Possible Security

  2. JavaScript security: a retrospective The fmoor is Lava Java. Script. Frontcon 2018, Riga (C) Possible Security, 2018 2

  3. About me ● IT security expert, > 10 years – Mg.sc.comp, CEH, CySA+ ● Owner and Lead Researcher at Possible Security ● Hacking and breaking things – http://kirils.org/ – http://possiblesecurity.com/news/ Frontcon 2018, Riga (C) Possible Security, 2018 3

  4. Contents ● Security fundamentals ● Birth of JavaScript ● JavaScript feature set & attacks ● Conclusions Frontcon 2018, Riga (C) Possible Security, 2018 4

  5. Security fundamentals – CIA triad Frontcon 2018, Riga (C) Possible Security, 2018 5

  6. Security fundamentals – Confjdentiality ● Confidentiality is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes. Frontcon 2018, Riga (C) Possible Security, 2018 6

  7. Security fundamentals – Integrity ● Integrity means that data cannot be modified in an unauthorized or undetected manner. Frontcon 2018, Riga (C) Possible Security, 2018 7

  8. Security fundamentals – Availability ● Availability is the property of the information system to be available when it is needed. Frontcon 2018, Riga (C) Possible Security, 2018 8

  9. JavaScript ● Just a tad over 20 years old ● 1995 @Netscape – Scheme or Java? – scripting or static? – JavaScript! C-like / Java-like syntax ● JS Objects: BOM + DOM ● same-origin policy (for DOM) ● – same protocol, host, and port Frontcon 2018, Riga (C) Possible Security, 2018 9

  10. JScript ● 1996 – Microsoft creates a clone of JavaScript – Netscape pushes for standardization ECMA-262 (ECMAScript) ● ● 1997 – ES1 is published ● 1998 – ES2 (formal spec changes) + DOM1 Frontcon 2018, Riga (C) Possible Security, 2018 10

  11. ECMAScript ● 1999 ● 2000 – ES3 is born DOM2 – – string functions, regexps ● 2004 – do-white DOM3 – – try-catch – etc. Frontcon 2018, Riga (C) Possible Security, 2018 11

  12. DOM 1 => DOM2 Frontcon 2018, Riga (C) Possible Security, 2018 12

  13. DOM2 => DOM3 Frontcon 2018, Riga (C) Possible Security, 2018 13

  14. ECMAScript ● Fast forward ten years 1999 => 2009 ● ES 5 – “use strict” – JSON.stringify() / JSON.parse() – array methods .indexOf(), .map(), etc. ● – func.bind() Frontcon 2018, Riga (C) Possible Security, 2018 14

  15. Today + future ● 2011 – WebSockets ● 2015... – new ECMAScript YYYY version every year Frontcon 2018, Riga (C) Possible Security, 2018 15

  16. Attacks Frontcon 2018, Riga (C) Possible Security, 2018 16

  17. Content type misinterpretation ● Allows forcing browser (MSIE) to misinterpret the content type [2008, IE only] ● X-Content-Type-Options: nosniff Frontcon 2018, Riga (C) Possible Security, 2018 17

  18. Clickjacking ● Using transparent elements to hijack mouse clicks [2010, RFC in 2013] ● X-Frame-Options: deny – prevents content to be loaded as a frame source Frontcon 2018, Riga (C) Possible Security, 2018 18

  19. Cross-site scripting ● Reflected – hxxp://site.com/file.php?data=hello<script>alert(1);</script> ● Stored – STORE → hxxp://site.com/store.php? data=hello<script>alert(1);</script> – RETRIEVE ← hxxp://site.com/read.php Frontcon 2018, Riga (C) Possible Security, 2018 19

  20. Solution – X-XSS-Protection [2010, IE only at first] ● X-XSS-Protection: 1 – built-in blacklist filter – NOT A FULL PROTECTION Frontcon 2018, Riga (C) Possible Security, 2018 20

  21. Solution – Content-Security-Policy [2015] ● Content-Security-Policy: script-src 'self' ● Defines where can different resources be loaded from. Disables inline JavaScript. ● X-XSS-Protection now a part of CSP ● QUITE EFFECTIVE Frontcon 2018, Riga (C) Possible Security, 2018 21

  22. Referrer attacks ● Could be used for tracking, locating private and local systems, [2017] ● Referrer-Policy: no-referrer ● Referrer-Policy: strict-origin ● Defines what kind of referrer information to send in what cases. Frontcon 2018, Riga (C) Possible Security, 2018 22

  23. Conclusions ● New features in ECMAScript + DOM Levels provide for ever increasing vulnerability surface – due to browser exploits (implementation bugs) – due to lack of explicit protection ● Browser manufacturers try to mitigate this increased risk by adding additional protections ● The race will continue! Frontcon 2018, Riga (C) Possible Security, 2018 23

  24. Thank you! JavaScript security: a retrospective The fmoor is Lava Java. Script. Frontcon 2018, Riga (C) Possible Security, 2018 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it) bugs to fix &lt;script&gt; injection: perl.com pr0n.com (http://radar.oreilly.com/2008/01/dangers-of-remote-javascript.html) lure.org

345 views • 17 slides
Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf University of California Santa Barbara CGO 2014 1 JavaScript-based Browser Addons 2 Addons: JavaScript with High Privileges 3

898 views • 56 slides
a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

Java Security: a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com December 10, 2009 300~ Pages of Meeting Notes 1000~ Meetings in 30 months Why Security Technologies Seldom Make Into Actual

608 views • 21 slides
JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce JavaScript? Notorious for being worlds most misunderstood programming language o (Douglas Crockford -

432 views • 11 slides
IAB Security Workshop Retrospective IAB Plenary IETF 60 Thursday, August 5, 2004

IAB Security Workshop Retrospective IAB Plenary IETF 60 Thursday, August 5, 2004

IAB Security Workshop Retrospective IAB Plenary IETF 60 Thursday, August 5, 2004 Acknowledgments Many thanks to Steve Bellovin for his thoughts and recollections. Any errors or omissions are the responsibility of the presenters 8/6/2004 2

509 views • 15 slides
Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.03k views • 54 slides
Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.1k views • 57 slides
JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31, 2013 Weve Been Here Before A Definition Ja va Script | jv skript | invective . 1 A vendor-neutral, cross-platform liability for

583 views • 42 slides
CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic programming language. Introduced in 1995 as a way to add programs to web pages in the Netscape Navigator browser. It has made modern web

795 views • 35 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming Language Principles Introduction to JavaScript Prof. Tom Austin San Jos State University History of JavaScript In 1995, Netscape hired Brendan

395 views • 16 slides
VSE: 5-Year Retrospective (March 2017) Disclaimer This VSE 5-Year Retrospective is neither an

VSE: 5-Year Retrospective (March 2017) Disclaimer This VSE 5-Year Retrospective is neither an

VSE: 5-Year Retrospective (March 2017) Disclaimer This VSE 5-Year Retrospective is neither an offer or solicitation to anyone to purchase, sell or otherwise trade in VSE common stock or any other securities. The information in this

374 views • 25 slides
Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Software and Web Security 2 Software and Web Security 2 Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Last week: web server can be attacked

829 views • 43 slides
Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript Lars Larsson Today JavaScript strings JavaScript Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful degradation AJAX Summary Lecture #11 Advanced JavaScript 1

831 views • 38 slides
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich Benjamin Livshits UC Berkeley Microsoft Research Web Programmability Platform openid.net yelp.com adsense.com Google maps 2

727 views • 41 slides
Real-time compatible ODF change-tracking Svante.Schubert@gmail.com Freelancer CT

Real-time compatible ODF change-tracking Svante.Schubert@gmail.com Freelancer CT

Real-time compatible ODF change-tracking Svante.Schubert@gmail.com Freelancer CT Interoperability ODF with Microsoft Offices (MSO) All MSO throw away all ODF changes MS claims ODF underspecified for change-tracking (template styles)

390 views • 16 slides
Perfect Competition in Markets with Adverse Selection Eduardo Azevedo and Daniel Gottlieb

Perfect Competition in Markets with Adverse Selection Eduardo Azevedo and Daniel Gottlieb

Perfect Competition in Markets with Adverse Selection Eduardo Azevedo and Daniel Gottlieb (Wharton) Presented at Frontiers of Economic Theory &amp; Computer Science at the Becker Friedman Institute August 13, 2016 Eduardo Azevedo (Wharton)

766 views • 64 slides
The Diffusion of Knowledge via Managers Mobility Giordano Mion (University of Sussex, CEP,

The Diffusion of Knowledge via Managers Mobility Giordano Mion (University of Sussex, CEP,

The Diffusion of Knowledge via Managers Mobility Giordano Mion (University of Sussex, CEP, CEPR, CESifo) Luca David Opromolla (Banco de Portugal, CEPR, CESifo, UECE) Alessandro Sforza (LSE, CEP) Joint CEPR conferences on Incentive, Management

1.77k views • 130 slides
Lets talk about TypeScript Ive only been working with TypeScript since the first of the

Lets talk about TypeScript Ive only been working with TypeScript since the first of the

Lets talk about TypeScript Ive only been working with TypeScript since the first of the year, so some of you may know more about it than I do. If so, great! You can keep me honest and help answer quesCons from everyone else. My aim here

694 views • 53 slides
Usability of Programming Languages Special Interest Group (SIG) meeting at CHI2016 Brad A.

Usability of Programming Languages Special Interest Group (SIG) meeting at CHI2016 Brad A.

Usability of Programming Languages Special Interest Group (SIG) meeting at CHI2016 Brad A. Myers Margaret Burnett Andreas Stefik Franklyn Turbak Stefan Hanenberg Philip Wadler Antti-Juhani Kaijanaho 1 What is this SIG about?

775 views • 26 slides
Value types are on the stack, reference types are on the heap C# PROGRAMMER ANSWERING

Value types are on the stack, reference types are on the heap C# PROGRAMMER ANSWERING

Value types are on the stack, reference types are on the heap C# PROGRAMMER ANSWERING INTERVIEW QUESTION 1 18.07.2020 WORLD OF UNSAFE - ADAM FURMANEK World of Unsafe CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 2

693 views • 43 slides
ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State

ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State

CS 252: Advanced Programming Language Principles ES6 JavaScript, Metaprogramming, &amp; Object Proxies Prof. Tom Austin San Jos State University Fixing JavaScript ECMAScript committee formed to carefully evolve the language.

558 views • 43 slides
JavaScript Deian Stefan (adopted from my &amp; Edward Yangs CSE242 slides) Why JavaScript?

JavaScript Deian Stefan (adopted from my &amp; Edward Yangs CSE242 slides) Why JavaScript?

JavaScript Deian Stefan (adopted from my &amp; Edward Yangs CSE242 slides) Why JavaScript? Linga franca of the Internet Used in the browsers, used server-side, used for IoT Still evolving to address growing needs (EcmaScript)

1.03k views • 55 slides

More recommend