widgets - web vulnerabilities for all little helpers web 2.0 - - PowerPoint PPT Presentation
SLIDE 1

widgets - web vulnerabilities for all

SLIDE 2
SLIDE 3

little helpers

SLIDE 4

web 2.0

SLIDE 5

html / css / javascript

SLIDE 6

easy to install

SLIDE 7
SLIDE 8
SLIDE 9

safe secure convenient

SLIDE 10

FAIL

SLIDE 11

javascript

outside the web
SLIDE 12

with full control over the local machine

SLIDE 13

widget.system / runCommand / System.Shell.execute

SLIDE 14

run a command in the system’s shell

SLIDE 15

when was your computer’s last cross-site scripting vulnerability?

SLIDE 16

e.g., GMail

SLIDE 17
SLIDE 18

var titleText = MessagesTable.getTitleTextFromEntryElement(currentEntry);
titleText = '&nbsp;&nbsp;&nbsp;<span class="title-class">' + titleText + '</span>';
// (skipping code to build message summary)
titleText = "<div class='table-overflow-col'>" + titleText + "</div>";
titleColumn.innerHTML = titleText;
SLIDE 19

titleColumn.innerHTML = titleText;

SLIDE 20

who controls titleText?

SLIDE 21

Subject: <i>hi!</i>

SLIDE 22

hi!

SLIDE 23

we can write html into the dom, by sending e-mail

SLIDE 24

scripts?

SLIDE 25

innerHTML handles <script> strangely

SLIDE 26

event handlers work just fine

SLIDE 27

<a onmouseover="...">

SLIDE 28

<img src="404.gif" onerror="...">
SLIDE 29

hacking through e-mail

SLIDE 30
output sanitization

SLIDE 31

entity-escape strings before writing them to the dom
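The widget pattern from slides 18 to 28 beside the fix from slide 31, as an added example that is not the talk's or the Gmail widget's code. The helper names (escapeHtml, buildTitleMarkup*, containsEventHandler) are this example's own, and the three subject lines are constructed; the touch /tmp/gotcha payload echoes the one used later in the talk.

```javascript
// Added example: the innerHTML pattern from the Gmail widget slides beside an
// entity-escaping version. Names (escapeHtml, buildTitleMarkup*) are this
// example's own, not the widget's; the subject lines below are constructed.

// Vulnerable: the subject line is concatenated straight into markup, exactly
// as in the widget. Anything the mail sender puts in Subject: becomes DOM once
// the result is assigned to titleColumn.innerHTML.
function buildTitleMarkupVulnerable(subject) {
  const titleText = '&nbsp;&nbsp;&nbsp;<span class="title-class">' + subject + '</span>';
  return "<div class='table-overflow-col'>" + titleText + "</div>";
}

// Entity-escape the five characters that can change the meaning of markup in
// element content or attribute values. Applied to the untrusted string before
// it is concatenated into markup, never to the finished markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fixed: same markup, but the attacker-controlled part is escaped first, so a
// subject of <i>hi!</i> renders literally instead of as italics.
function buildTitleMarkupSafe(subject) {
  return buildTitleMarkupVulnerable(escapeHtml(subject));
}

// Demo-only check (not a sanitizer): does the markup contain a tag carrying an
// on* event handler attribute? That is what runs when innerHTML parses it,
// since <script> inserted via innerHTML does not execute but handlers do.
function containsEventHandler(markup) {
  return /<[^>]*\son[a-z]+\s*=/i.test(markup);
}

// Constructed subjects: the harmless one from the slides and two payloads of
// the shape shown on slides 27 and 28. widget.system is the Dashboard call
// that hands a command to the shell.
const SUBJECTS = [
  '<i>hi!</i>',
  '<a onmouseover="alert(1)">read me</a>',
  '<img src="404.gif" onerror="widget.system(\'touch /tmp/gotcha\', null)">',
];

// For each subject: does a handler survive in the vulnerable and in the safe
// markup, and what does the safe markup look like.
function demo() {
  return SUBJECTS.map((s) => ({
    vulnerableHasHandler: containsEventHandler(buildTitleMarkupVulnerable(s)),
    safeHasHandler: containsEventHandler(buildTitleMarkupSafe(s)),
    safe: buildTitleMarkupSafe(s),
  }));
}
```

Escaping on output is the whole fix: the widget keeps building the same div/span structure, but nothing the sender wrote can open a tag or an attribute. Run demo() to see that only the two payload subjects yield a handler, and only on the vulnerable path.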

SLIDE 32

Google announced a fix in December

SLIDE 33

vulnerable versions don’t work any more

SLIDE 34

how about rendering html?

SLIDE 35

say, from Wikipedia

SLIDE 36
SLIDE 37
SLIDE 38

html parsing required by design

SLIDE 39

bake your own?
SLIDE 40

.innerHTML!

SLIDE 41

I OWNZ UR COMPUTR

http://en.wikipedia.org/wiki/Image:Jimmy-wales-frankfurt2005-alih01.jpg
SLIDE 42

say, in an rss reader

SLIDE 43
SLIDE 44
SLIDE 45
SLIDE 46

the disaster is one click away
SLIDE 47

(incidentally, forget your firewall)

SLIDE 48

can we have shrimps in that turducken?

SLIDE 49

widget.system and friends call the shell

SLIDE 50

Secure Unix Programming FAQ 1999/05/17

SLIDE 51

6.3) How do I safely pass input to an external program?

SLIDE 52

“One of the biggest mistakes is to use a shell. ...”
SLIDE 53
SLIDE 54

what’s new in that svn repository?

SLIDE 55

notification through growl

SLIDE 56

command = baseCommand
    // title (note the trailing space)
    + '"' + projLabel + ' is out of date" '
    // message
    + '"You have revision r' + my_rev
    + ', and the repository has been updated to r' + repos_rev
    + ' by ' + repos_rev_author
    + ' with the following message:\n\n' + repos_rev_msg + '"';
SLIDE 57

"; touch /tmp/gotcha; echo "
SLIDE 58

hacking through svn commit messages

SLIDE 59

there’s similar code in the wikipedia widget

SLIDE 60

web 2.0

SLIDE 61

JSON

SLIDE 62

eval

SLIDE 63

twitgit twitterlex facebook

SLIDE 64
SLIDE 65

json based apis

SLIDE 66

XMLHttpRequest eval

SLIDE 67

twitter facebook

SLIDE 68

not quite a JSON example

SLIDE 69
SLIDE 70

var xmlResponse = xmlRequest.responseText;
xmlResponse = xmlResponse.replace(/[\n\r]/g,"");
var NHLatl = null;
var gameData = xmlResponse.match(/script[^<]*var NHLatl.*?<\/script>/)[0]
    .replace(/.*?var /,"")
    .replace(/,\s*myScoresIcon.*/,"}");
eval(gameData);
SLIDE 71

screen-scraping through eval

SLIDE 72

another pattern: use JSON to check for updates

SLIDE 73
SLIDE 74

this._checkVersion(transport.responseText.evalJSON());

SLIDE 75
SLIDE 76

default json parser: eval

SLIDE 77

widget doesn’t turn on sanitization
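What both the screen-scraping code on slide 70 and the evalJSON() update check on slide 74 come down to, as an added example that is not either widget's code: server-controlled text handed to eval, beside the JSON.parse version. Prototype's String#evalJSON() without its sanitize flag reduces to eval('(' + text + ')'), which is what the unsafe parser below does; the function names and both response bodies are this example's own.

```javascript
// Added example (not the NHL or update-check widgets' code): network text
// parsed with eval, as Prototype's evalJSON() default and the slide-70
// scraper do, beside JSON.parse. Names and responses are constructed.

// Vulnerable: eval('(' + text + ')'). The parentheses do not confine the
// text; a response that closes them runs arbitrary code in the widget, which
// in a Dashboard widget means access to widget.system.
function parseVersionResponseUnsafe(text) {
  return eval('(' + text + ')');
}

// Fixed: JSON.parse accepts only the JSON grammar and throws on anything else.
function parseVersionResponseSafe(text) {
  return JSON.parse(text);
}

// Mimics the slides' update check: compare the advertised version with ours.
// Takes the parser as a parameter so the two variants can be compared.
function checkForUpdate(responseText, installedVersion, parse) {
  const data = parse(responseText);
  return { updateAvailable: data.version !== installedVersion, version: data.version };
}

// Constructed responses. The hostile one is what a compromised or (over plain
// http) spoofed update server could send: the final expression still yields a
// normal-looking object, so the widget sees a sane answer while the middle
// statement runs. Setting a global stands in for a real payload.
const BENIGN_RESPONSE = '{"version":"1.2"}';
const HOSTILE_RESPONSE =
  '{"version":"1.2"}); globalThis.widgetCompromised = true; ({"version":"1.2"}';

// Runs the hostile response through both parsers and reports what happened.
function demo() {
  const before = globalThis.widgetCompromised === true;
  const unsafe = checkForUpdate(HOSTILE_RESPONSE, '1.1', parseVersionResponseUnsafe);
  const afterUnsafe = globalThis.widgetCompromised === true;
  let safeThrew = false;
  try {
    checkForUpdate(HOSTILE_RESPONSE, '1.1', parseVersionResponseSafe);
  } catch (e) {
    safeThrew = e instanceof SyntaxError;
  }
  return { before, unsafe, afterUnsafe, safeThrew };
}
```

demo().unsafe is a perfectly ordinary {updateAvailable: true, version: "1.2"}, which is the point: nothing in the result tells the widget that demo().afterUnsafe is now true. JSON.parse rejects the same text outright, and unlike Prototype's sanitize option it needs no regex pre-check to be safe, because it never evaluates anything.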

SLIDE 78

frameworks may be less secure than you think

SLIDE 79

“You’re trusting them anyway, so why bother?”

SLIDE 80

http

SLIDE 81

leverage network attack into machine takeover

SLIDE 82

security of update servers at all times

SLIDE 83

robustness against cross-site scripting

SLIDE 84

http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
SLIDE 85

“more high profile sites iframe injected”

SLIDE 86

widgets are a predictor

SLIDE 87

javascript as programming language of choice?

SLIDE 88

sms application, web-based, widget-style?

SLIDE 89

social network worms that create zombies?

SLIDE 90

targeted attacks with plausible deniability?

SLIDE 91

the flaws aren’t rocket science

SLIDE 92

Secure Unix Programming FAQ 1999/05/17

SLIDE 93

bugtraq 1996

SLIDE 94

widespread

SLIDE 95

trivial to exploit

SLIDE 96

easy to find

SLIDE 97

json-based api?

SLIDE 98

shows html?

SLIDE 99

uses external programs?

SLIDE 100

ooops
SLIDE 101

<?>

tlr@w3.org