
Page 1: OWASP Plan - Strawman

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org

OWASP – Ajax Security

Roberto Suggi Liverani
Security Consultant
Security-Assessment.com

5 December 2007

Page 2: OWASP Plan - Strawman

Who am I?

Roberto Suggi Liverani
Security Consultant, CISSP
Security-Assessment.com

- 4+ years in information security, focusing on web and network security
- OWASP New Zealand leader

Page 3: OWASP Plan - Strawman

Agenda

Ajax
- What is Ajax?
- Ajax components
- Traditional web model vs Ajax web model
- Why is Ajax used?
- Who is using Ajax?

Ajax Security
- Ajax and security – the server of origin (same-origin) policy
- Real attack examples (Samy worm, Yamanner worm, Nduja – webmail XSS worm)
- Web worms – comparison

Page 4: OWASP Plan - Strawman

Introduction – What is Ajax?

- Ajax is not synonymous with Web 2.0
- Ajax = Asynchronous JavaScript And XML
- Ajax is a group of technologies combined to create new ways of interaction
- Term coined by Jesse James Garrett of Adaptive Path (February 2005)

Before Ajax:
- DHTML
- Macromedia Flash 4
- Microsoft Remote Scripting
- Microsoft XMLHttpRequest object
- Object element in HTML 4
- Document Object Model Level 3

Page 5: OWASP Plan - Strawman

Ajax Components (cont.)

HTML/XHTML
- Necessary to display the information

JavaScript
- Necessary to initiate the client-server communication and to manipulate the DOM to update the web page

Document Object Model (DOM)
- Necessary to change portions of an XHTML page without reloading it

Server-side processing
- There is no Ajax without a stable, responsive server waiting to send content to the engine

Page 6: OWASP Plan - Strawman

Ajax Components

Cascading Style Sheets (CSS)
- In an Ajax application, the styling of the user interface may be modified interactively through CSS

Extensible Markup Language (XML)
- Data exchange format

Extensible Stylesheet Language Transformations (XSLT)
- Transforms XML into XHTML

XMLHttpRequest object
- Allows retrieving data from the web server as a background activity, without reloading the page

Page 7: OWASP Plan - Strawman

Ajax Components – Simple Diagram

[Figure: Ajax component diagram, from Ajax in Action (Manning); see Table of Figures]

Page 8: OWASP Plan - Strawman

Let’s define Ajax:

The browser hosts an application, not content
- A “rich” client application is delivered to the browser; it is able to handle input and to respond to or wait for requests

The server delivers data, not content
- The role of the server is only to send data. The “rich” client processes the data

User interaction with the application can be fluid and continuous
- Asynchronous data transfers allow new ways of interaction, such as drag-and-drop and double-clicking. Traditional web = click-and-wait

This is real coding and requires discipline
- High-performance and maintainable code are the main requirements for Ajax applications

Page 9: OWASP Plan - Strawman

Traditional Web Model vs Ajax Web Model

[Figure: traditional vs Ajax web model, from Professional Ajax, 2nd edition (Wrox); see Table of Figures]

Page 10: OWASP Plan - Strawman

Classic Web Model – Usability/Time

[Figure: classic web model, usability over time, from the Adaptive Path web site; see Table of Figures]

Page 11: OWASP Plan - Strawman

Ajax Web Model – Usability/Time

[Figure: Ajax web model, usability over time, from the Adaptive Path web site; see Table of Figures]

Page 12: OWASP Plan - Strawman

Why is Ajax used?

Speed
- Only the data (or parameters) required are posted

Reduced network traffic
- Less data is exchanged between client and server

Interactivity
- The user doesn’t click and wait; the user drags and drops

Functionality
- Richer client with more features available

Usability
- Easy to use -> friendly interface and content updated “on-the-fly”

Page 13: OWASP Plan - Strawman

Who is using Ajax?

[Figure: logos of sites using Ajax]

And many others…

Page 14: OWASP Plan - Strawman

Let’s talk about Ajax and security…

Many of the security issues that an Ajax application faces are the same as for a classical web application.

So let’s talk about a specific security issue which relates to Ajax applications: the server of origin policy (better known as the browser’s same-origin policy).

Server of origin policy
- The JavaScript security model prevents scripts from different origins (scheme, host and port) from interacting with one another: a script loaded from one origin cannot read responses from, or script the DOM of, a different origin
- An Ajax application can’t read or write to the local filesystem

Page 15: OWASP Plan - Strawman

Ajax and Security – Server of origin policy

Examples of the browser’s cross-domain scripting policy (may script1.js and script2.js interact?):

Script 1                                   Script 2                                  Allowed?  Comment
http://www.example.com:8080/script1.js     http://www.example.com/script2.js         No        Port number doesn’t match.
http://www.example.com/script1.js          https://www.example.com/script2.js        No        Protocol (scheme) doesn’t match.
http://www.example.com/script1.js          http://192.168.0.10/script2.js            No        Host names are compared as strings; the browser does not resolve www.example.com to check whether it is 192.168.0.10.
http://sub.example.com/script1.js          http://www.example.com/script2.js         No        Subdomains are treated as separate domains.
http://www.example.com/hello/script1.js    http://www.example.com/bye/script2.js     Yes       Same scheme, host and port; the path is not part of the origin.
http://www.example2.com/script1.js         http://www.example1.com/script2.js        No        Different domain names.

Note: Internet Explorer is a known exception for the first row; it does not include the port number in its origin comparison.
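The comparison in the table, written out as code. This is an added example, not part of the original slides: it models the origin as the (scheme, host, port) triple the policy compares, fills in the default port so the rule is explicit, and runs the six pairs above plus one extra pair (an explicit :80 against the implicit default, with a differently-cased host) to show that port normalisation and host case-folding happen before the comparison. The pair list is constructed for the example.

```javascript
// Added example, not from the original slides: the same-origin ("server of
// origin") comparison written out explicitly. An origin is the triple
// (scheme, host, port); path, query and fragment play no part, and the host
// is compared as a string, never resolved to an address.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin triple. WHATWG URL leaves `port` empty when it is
// the scheme's default, so the default is filled in to make the rule visible.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,                     // e.g. 'http:' or 'https:'
    host: u.hostname,                       // already lower-cased by the parser
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs are same-origin only when all three components match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed pair list: the six rows of the slide's table, plus a seventh pair
// showing that an explicit default port and a differently-cased host still
// compare equal after normalisation.
const PAIRS = [
  ['http://www.example.com:8080/script1.js', 'http://www.example.com/script2.js'],
  ['http://www.example.com/script1.js', 'https://www.example.com/script2.js'],
  ['http://www.example.com/script1.js', 'http://192.168.0.10/script2.js'],
  ['http://sub.example.com/script1.js', 'http://www.example.com/script2.js'],
  ['http://www.example.com/hello/script1.js', 'http://www.example.com/bye/script2.js'],
  ['http://www.example2.com/script1.js', 'http://www.example1.com/script2.js'],
  ['http://www.example.com:80/script1.js', 'http://WWW.EXAMPLE.COM/script2.js'],
];

// Evaluate every pair; returns [{a, b, allowed}] so the result can be checked.
function checkPairs(pairs = PAIRS) {
  return pairs.map(([a, b]) => ({ a, b, allowed: sameOrigin(a, b) }));
}

// Print the table when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of checkPairs()) {
    console.log(`${r.allowed ? 'YES' : 'NO '}  ${r.a}  <->  ${r.b}`);
  }
}
```

Run it with node and it prints one YES/NO line per pair. The code implements the rule as the table states it, with the port included; Internet Explorer’s origin check ignored the port, so a model faithful to IE would drop the port comparison and allow the first row.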

Page 16: OWASP Plan - Strawman

Ajax and Security – Server of origin policy

So is it possible to bypass or avoid this security control?

Yes – there are multiple ways.

Developer workaround: proxying remote services
- Make the call to the remote server from our own server rather than from the client, and then forward the response on to the client
- Example: http://website1/proxy?url=http://website2/
- Caveat: a proxy that forwards to whatever URL the client supplies turns the server into an open relay (it will fetch internal hosts as readily as website2); restrict it to an allow-list of destinations

User workaround: change browser security settings
- IE: allow code from one security zone to execute in another. The user is presented with a pop-up security warning
- Firefox: the PrivilegeManager needs to be configured accordingly. The value signed.applets.codebase_principal_support should be set to “true”

Attacker workaround: sending an e-mail
- This technique is shown in the case study of Nduja, the webmail XSS worm by Rosario Valotta
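The proxying workaround only stays safe if the server, not the client, decides where it will forward to. Below, as an added example that is not code from the slides or from any product named in them, an unsafe target resolver sits beside a hardened one that validates the requested URL against an allow-list; the endpoint name, the allow-listed hosts and the sample requests are assumptions made for this example.

```javascript
// Added example, not from the original slides: destination validation for the
// "proxy?url=..." workaround. The allow-list and the sample requests below are
// constructed for the example.

// Hosts the proxy may forward to. Matched exactly on the parsed host name, so
// neither "website2.evil.example" nor "evil.example/website2" passes.
const ALLOWED_HOSTS = new Set(['website2', 'api.website2.example']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Unsafe variant: forwards whatever the client asked for. Any visitor of
// website1 can make website1's server fetch arbitrary URLs, internal ones
// included.
function unsafeProxyTarget(requestedUrl) {
  return new URL(requestedUrl).href;
}

// Hardened variant: parse first, then compare the origin components against
// the allow-list. Returns the normalised target URL, or null when rejected.
function safeProxyTarget(requestedUrl) {
  let u;
  try {
    u = new URL(requestedUrl);                          // rejects relative and malformed input
  } catch (_err) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return null;   // no file:, ftp:, javascript:, ...
  if (u.username || u.password) return null;           // no http://website2@evil.example/
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;     // exact host match, not a substring
  return u.href;
}

// Constructed sample requests a proxy endpoint might receive.
const SAMPLE_REQUESTS = [
  'http://website2/',                       // allowed: the slide's own example
  'https://api.website2.example/feed.xml',  // allowed
  'http://website2.evil.example/',          // rejected: suffix trick
  'http://website2@evil.example/',          // rejected: userinfo trick
  'http://127.0.0.1:8080/admin',            // rejected: internal host
  'file:///etc/passwd',                     // rejected: scheme
  'not a url',                              // rejected: malformed
];

// Classify each request; target is the URL to fetch or null when refused.
function classify(urls = SAMPLE_REQUESTS) {
  return urls.map((url) => ({ url, target: safeProxyTarget(url) }));
}
```

The check runs before any connection is opened. The fetch that follows should also refuse to follow redirects to hosts outside the allow-list, otherwise the allowed remote site can redirect the proxy to an internal address.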

Page 17: OWASP Plan - Strawman

Real attack examples

Ajax seen by an attacker:
- A group of technologies means there are more elements to attack: increased attack surface
- New ways of interaction mean more complexity. Consequently, there are more chances for developers to make mistakes, such as exposing internal functions of the application
- The application is delivered to the browser. The attacker can read and control the client-side functionality of the application, so the client cannot be trusted
- An Ajax application is still a web application – traditional web attack techniques can be used

Let’s go through three real examples of attacks involving Ajax:
- Samy worm
- Yamanner worm
- Nduja – webmail XSS worm

Page 18: OWASP Plan - Strawman

Ajax Security – Case Study – Samy worm

- Started as a joke
- Inserted HTML and JavaScript through MySpace’s profile editor
- Automated the friend selection process: instead of someone choosing to add Samy as a friend, the worm performed the request with JavaScript
- The result of the code injection: anyone visiting an infected profile was made to befriend Samy, with Samy automatically added as their “hero”, and the payload was copied into the visitor’s own profile so that their visitors were infected in turn

Page 19: OWASP Plan - Strawman

Ajax – Case Study – Samy worm (cont.)

Impact: “In less than 24 hours, 'Samy' had amassed over 1 million friends on the popular online community”

[Figure: from RSnake’s Samy worm analysis, http://ha.ckers.org/blog/20070319/samy-worm-analysis/; see Table of Figures]

Page 20: OWASP Plan - Strawman

[Figure: screenshot showing a list of MySpace profiles infected by the Samy worm]

Page 21: OWASP Plan - Strawman

And today there are still MySpace accounts with Samy as a hero!

[Figure: a live.com search still returns 532 results]

Page 22: OWASP Plan - Strawman

Ajax – Case Study – Samy worm

What did we learn from the Samy worm’s technique?

- Embedded JavaScript in CSS (a style attribute), where MySpace allowed markup
- Used “java\nscript” to avoid MySpace’s stripping of the string “javascript”: the filter looked for the literal word, while the browser ignored the embedded newline
- Used JavaScript String.fromCharCode to produce quote characters (‘ ”) without writing them, to avoid the restrictions on quotes
- Used the XML-HTTP object for both HTTP GETs and POSTs from/to the victim’s profile

Worm source code:
- http://namb.la/popular/tech.html
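Why the keyword-stripping described on this slide failed, as an added example (not code from the slides and not the worm’s own code): a constructed stand-in for the “strip the word javascript and all quotes” filter, the canonical form the browser acted on (IE ignored the newline inside the scheme word), a check that decides on that canonical form instead of stripping, and String.fromCharCode used to produce a quote without writing one. The sample strings are constructed; the “nested” one goes beyond the slide and shows the related single-pass stripping flaw.

```javascript
// Added example, not from the original slides or from the worm's code: why a
// keyword-stripping blacklist fails against the evasions the slide lists.
// naiveStripFilter is a constructed approximation of the behaviour the slide
// describes, not MySpace's actual filter.

// Constructed stand-in for a blacklist filter: delete the word "javascript"
// and every quote character, pass everything else through.
function naiveStripFilter(input) {
  return input.replace(/javascript/gi, '').replace(/["']/g, '');
}

// What the browser (IE at the time) effectively saw: whitespace and control
// characters inside the scheme word were ignored. The canonical form is the
// input lower-cased with those characters removed.
function browserCanonical(input) {
  return input.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
}

// Hardened check: decide on the canonical form the browser will act on, and
// reject instead of stripping. (Better still: never place user input in a
// scripting context and output-encode it; this check only closes the gap
// shown here.)
function containsScriptScheme(input) {
  return /javascript:/.test(browserCanonical(input));
}

// Constructed samples in the style the slide describes.
const SAMPLES = {
  plain: 'javascript:alert(1)',
  newline: 'java\nscript:alert(1)',          // the worm's evasion
  nested: 'javajavascriptscript:alert(1)',   // one stripping pass rebuilds the word
  benign: 'url(images/bg.png)',
};

// For each sample: what the naive filter leaves behind, whether that leftover
// still carries a script scheme once the browser canonicalises it, and whether
// the hardened check would have rejected the original.
function evaluate(samples = SAMPLES) {
  const out = {};
  for (const [name, value] of Object.entries(samples)) {
    const filtered = naiveStripFilter(value);
    out[name] = {
      filtered,
      survivesNaiveFilter: containsScriptScheme(filtered),
      caughtByHardenedCheck: containsScriptScheme(value),
    };
  }
  return out;
}

// A quote without a quote character, as the worm did: the filter removes '"'
// but cannot remove a call that only produces '"' at run time.
function quoteWithoutQuote() {
  return String.fromCharCode(34);
}
```

The point of the two failing samples is the same: the filter decides on the raw string while the browser decides on a normalised one, and anything that changes between the two decisions is an evasion.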

Page 23: OWASP Plan - Strawman

Ajax – Case Study – Yamanner worm

- Exploits a vulnerability in the onload event handling of Yahoo! Mail and then executes a script
- Scans e-mails in the personal folders of the Yahoo! Mail account
- Sends a copy of itself to the e-mail addresses gathered
- Redirects the web browser from Yahoo! Mail to the following web site: [http://]www.av3.net/index.htm
- Sends the list of gathered e-mail addresses to the above URL

Page 24: OWASP Plan - Strawman

Ajax – Case Study – Yamanner worm

Impact: the number of Yahoo! users hit by this worm is unknown. Harvested addresses from the address book were submitted to a remote URL, which was likely used to build a spam database.

What did we learn?
- A large e-mail provider does not guarantee security – a Yahoo! Mail software vulnerability was exploited in this case
- The worm used an XML (XMLHttpRequest) GET to retrieve the contact addresses and window.navigate to send the data to a third-party site

Source code examples:
- http://archives.neohapsis.com/archives/incidents/2006-06/0028.html
- http://groovin.net/stuff/yammer.txt

Page 25: OWASP Plan - Strawman

Ajax – Case Study – Nduja – Webmail XSS worm

- Probably the first cross-domain worm
- Developed as a PoC by Rosario Valotta
- Tested on four webmail services in Italy:
  - Libero.it
  - Tiscali.it
  - Lycos.it
  - Excite.com

Exploits XSS vulnerabilities in the webmail applications and then:
- Steals e-mails from the Inbox
- Steals e-mail addresses from the contact list
- Self-propagates to the contacts

Page 26: OWASP Plan - Strawman

Ajax Security – Case Study – Nduja – Webmail XSS Worm

Impact: the worm is able to capture e-mails and contact addresses from four different domains and post them to a third-party site.

What did we learn?
- It is possible to create cross-domain worms by exploiting multiple XSS vulnerabilities at the same time in different domains. The server of origin policy is not broken but bypassed using a feature of the targeted application (the e-mail function): the worm mails itself from one webmail domain to contacts on another, where it runs as a same-origin script
- The malicious script checks the domain it is running in and then applies the corresponding XSS attack

Extracts of source code: http://rosario.valotta.googlepages.com/home

Page 27: OWASP Plan - Strawman

Nduja – Webmail XSS Worm Demo

[Demo]

Page 28: OWASP Plan - Strawman

Web worms – Comparison

Worm            Target domain(s)                              Cross-domain?  Impact
Samy worm       Myspace.com                                   No             Over 1 million users affected
Yamanner worm   Yahoo.com                                     No             Unknown number of Yahoo! users affected
Nduja worm      Tiscali.it, Libero.it, Lycos.it, Excite.com   Yes            N/A – this is a PoC

So the question is: can you imagine the impact of the next cross-domain web worm?

Page 29: OWASP Plan - Strawman

Questions/Conclusion

Thank you!

[email protected]

Page 30: OWASP Plan - Strawman

References – Misc.

Stefano Di Paola, Giorgio Fedon – Subverting Ajax – Whitepaper
Andrew van der Stock – Ajax Security – Presentation
Billy Hoffman – Ajax Security Dangers – Whitepaper
Billy Hoffman – Analysis of Web Application Worms and Viruses – Whitepaper
Alex Stamos, Zane Lackey – Attacking AJAX Web Applications – Presentation

Page 31: OWASP Plan - Strawman

References – Misc.

AJAX Security – http://www.cgisecurity.com/ajax/
Ajax Security Basics – http://www.securityfocus.com/infocus/1868/2
MySpace Worm Explanation – http://namb.la/popular/tech.html
Adaptive Path – http://www.adaptivepath.com/ideas/essays/archives/000385.php
Nduja Connection – http://rosario.valotta.googlepages.com/home
Yamanner Worm – http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99

Page 32: OWASP Plan - Strawman

References – Books

Christopher Wells – Securing Ajax Applications – O’Reilly
Various authors – Professional Ajax, 2nd edition – Wrox
Various authors – Ajax in Action – Manning

Page 33: OWASP Plan - Strawman

Table of Figures

Slide 7 – From Ajax in Action, Manning
Slide 9 – Professional Ajax, 2nd edition, Wrox
Slide 10 – Adaptive Path web site – http://www.adaptivepath.com/ideas/essays/archives/000385.php
Slide 11 – Adaptive Path web site – http://www.adaptivepath.com/ideas/essays/archives/000385.php
Slide 19 – RSnake’s web site – http://ha.ckers.org/blog/20070319/samy-worm-analysis/