javascript security a retrospective
play

JavaScript security: a retrospective The fmoor is Lava Java. Script. - PowerPoint PPT Presentation

Jan 25, 2024 •350 likes •601 views

JavaScript security: a retrospective The fmoor is Lava Java. Script. Frontcon 2018, Riga (C) Possible Security, 2018 2 About me IT security expert, > 10 years Mg.sc.comp, CEH, CySA+ Owner and Lead Researcher at Possible Security

  2. JavaScript security: a retrospective The fmoor is Lava Java. Script. Frontcon 2018, Riga (C) Possible Security, 2018 2

  3. About me ● IT security expert, > 10 years – Mg.sc.comp, CEH, CySA+ ● Owner and Lead Researcher at Possible Security ● Hacking and breaking things – http://kirils.org/ – http://possiblesecurity.com/news/ Frontcon 2018, Riga (C) Possible Security, 2018 3

  4. Contents ● Security fundamentals ● Birth of JavaScript ● JavaScript feature set & attacks ● Conclusions Frontcon 2018, Riga (C) Possible Security, 2018 4

  5. Security fundamentals – CIA triad Frontcon 2018, Riga (C) Possible Security, 2018 5

  6. Security fundamentals – Confjdentiality ● Confidentiality is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes. Frontcon 2018, Riga (C) Possible Security, 2018 6

  7. Security fundamentals – Integrity ● Integrity means that data cannot be modified in an unauthorized or undetected manner. Frontcon 2018, Riga (C) Possible Security, 2018 7

  8. Security fundamentals – Availability ● Availability is the property of the information system to be available when it is needed. Frontcon 2018, Riga (C) Possible Security, 2018 8

  9. JavaScript ● Just a tad over 20 years old ● 1995 @Netscape – Scheme or Java? – scripting or static? – JavaScript! C-like / Java-like syntax ● JS Objects: BOM + DOM ● same-origin policy (for DOM) ● – same protocol, host, and port Frontcon 2018, Riga (C) Possible Security, 2018 9

  10. JScript ● 1996 – Microsoft creates a clone of JavaScript – Netscape pushes for standardization ECMA-262 (ECMAScript) ● ● 1997 – ES1 is published ● 1998 – ES2 (formal spec changes) + DOM1 Frontcon 2018, Riga (C) Possible Security, 2018 10

  11. ECMAScript ● 1999 ● 2000 – ES3 is born DOM2 – – string functions, regexps ● 2004 – do-white DOM3 – – try-catch – etc. Frontcon 2018, Riga (C) Possible Security, 2018 11

  12. DOM 1 => DOM2 Frontcon 2018, Riga (C) Possible Security, 2018 12

  13. DOM2 => DOM3 Frontcon 2018, Riga (C) Possible Security, 2018 13

  14. ECMAScript ● Fast forward ten years 1999 => 2009 ● ES 5 – “use strict” – JSON.stringify() / JSON.parse() – array methods .indexOf(), .map(), etc. ● – func.bind() Frontcon 2018, Riga (C) Possible Security, 2018 14

  15. Today + future ● 2011 – WebSockets ● 2015... – new ECMAScript YYYY version every year Frontcon 2018, Riga (C) Possible Security, 2018 15

  16. Attacks Frontcon 2018, Riga (C) Possible Security, 2018 16

  17. Content type misinterpretation ● Allows forcing browser (MSIE) to misinterpret the content type [2008, IE only] ● X-Content-Type-Options: nosniff Frontcon 2018, Riga (C) Possible Security, 2018 17

  18. Clickjacking ● Using transparent elements to hijack mouse clicks [2010, RFC in 2013] ● X-Frame-Options: deny – prevents content to be loaded as a frame source Frontcon 2018, Riga (C) Possible Security, 2018 18

  19. Cross-site scripting ● Reflected – hxxp://site.com/file.php?data=hello<script>alert(1);</script> ● Stored – STORE → hxxp://site.com/store.php? data=hello<script>alert(1);</script> – RETRIEVE ← hxxp://site.com/read.php Frontcon 2018, Riga (C) Possible Security, 2018 19

  20. Solution – X-XSS-Protection [2010, IE only at first] ● X-XSS-Protection: 1 – built-in blacklist filter – NOT A FULL PROTECTION Frontcon 2018, Riga (C) Possible Security, 2018 20

  21. Solution – Content-Security-Policy [2015] ● Content-Security-Policy: script-src 'self' ● Defines where can different resources be loaded from. Disables inline JavaScript. ● X-XSS-Protection now a part of CSP ● QUITE EFFECTIVE Frontcon 2018, Riga (C) Possible Security, 2018 21

  22. Referrer attacks ● Could be used for tracking, locating private and local systems, [2017] ● Referrer-Policy: no-referrer ● Referrer-Policy: strict-origin ● Defines what kind of referrer information to send in what cases. Frontcon 2018, Riga (C) Possible Security, 2018 22

  23. Conclusions ● New features in ECMAScript + DOM Levels provide for ever increasing vulnerability surface – due to browser exploits (implementation bugs) – due to lack of explicit protection ● Browser manufacturers try to mitigate this increased risk by adding additional protections ● The race will continue! Frontcon 2018, Riga (C) Possible Security, 2018 23

  24. Thank you! JavaScript security: a retrospective The fmoor is Lava Java. Script. Frontcon 2018, Riga (C) Possible Security, 2018 24

Recommend

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it) bugs to fix &lt;script&gt; injection: perl.com pr0n.com (http://radar.oreilly.com/2008/01/dangers-of-remote-javascript.html) lure.org

345 views • 17 slides
Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf University of California Santa Barbara CGO 2014 1 JavaScript-based Browser Addons 2 Addons: JavaScript with High Privileges 3

898 views • 56 slides
a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

Java Security: a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com December 10, 2009 300~ Pages of Meeting Notes 1000~ Meetings in 30 months Why Security Technologies Seldom Make Into Actual

608 views • 21 slides
JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce JavaScript? Notorious for being worlds most misunderstood programming language o (Douglas Crockford -

432 views • 11 slides
IAB Security Workshop Retrospective IAB Plenary IETF 60 Thursday, August 5, 2004

IAB Security Workshop Retrospective IAB Plenary IETF 60 Thursday, August 5, 2004

IAB Security Workshop Retrospective IAB Plenary IETF 60 Thursday, August 5, 2004 Acknowledgments Many thanks to Steve Bellovin for his thoughts and recollections. Any errors or omissions are the responsibility of the presenters 8/6/2004 2

509 views • 15 slides
Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 2 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.03k views • 54 slides
Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and

Introduction to JavaScript Niels Olof Bouvin 1 Overview A brief history of JavaScript and ECMAScript JavaScript for Java developers The JavaScript ecosystem Getting access to JavaScript Some language basics A look at the Node.js standard

1.1k views • 57 slides
JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31, 2013 Weve Been Here Before A Definition Ja va Script | jv skript | invective . 1 A vendor-neutral, cross-platform liability for

583 views • 42 slides
CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic programming language. Introduced in 1995 as a way to add programs to web pages in the Netscape Navigator browser. It has made modern web

795 views • 35 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming Language Principles Introduction to JavaScript Prof. Tom Austin San Jos State University History of JavaScript In 1995, Netscape hired Brendan

395 views • 16 slides
VSE: 5-Year Retrospective (March 2017) Disclaimer This VSE 5-Year Retrospective is neither an

VSE: 5-Year Retrospective (March 2017) Disclaimer This VSE 5-Year Retrospective is neither an

VSE: 5-Year Retrospective (March 2017) Disclaimer This VSE 5-Year Retrospective is neither an offer or solicitation to anyone to purchase, sell or otherwise trade in VSE common stock or any other securities. The information in this

374 views • 25 slides
Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Software and Web Security 2 Software and Web Security 2 Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Last week: web server can be attacked

829 views • 43 slides
Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful

Advanced JavaScript Lars Larsson Today JavaScript strings JavaScript Advanced JavaScript dates JavaScript timing events JavaScript Lars Larsson cookies Graceful degradation AJAX Summary Lecture #11 Advanced JavaScript 1

831 views • 38 slides
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich Benjamin Livshits UC Berkeley Microsoft Research Web Programmability Platform openid.net yelp.com adsense.com Google maps 2

727 views • 41 slides
Gatekeeper Mostly Static Enforcement of Security &amp; Reliability Policies for JavaScript Code

Gatekeeper Mostly Static Enforcement of Security &amp; Reliability Policies for JavaScript Code

Gatekeeper Mostly Static Enforcement of Security &amp; Reliability Policies for JavaScript Code Salvatore Guarnieri, University of Washington Ben Livshits, Microsoft Research 1 alert (hi); program malicious Catch me if you can dont

828 views • 26 slides
Mergers: a 20 year Retrospective Retrospective Competition Law Conference Sydney 4 May 2013

Mergers: a 20 year Retrospective Retrospective Competition Law Conference Sydney 4 May 2013

Mergers: a 20 year Retrospective Retrospective Competition Law Conference Sydney 4 May 2013 Tim Grimwade and Jill Walker 20 years Outline Background and history of SLC in mergers Evolution of merger analysis and the Guidelines

454 views • 42 slides
JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C

JavaScript Concepts JavaScript is pretty hard to escape if you want to do anything for the web C of the Internet Take JavaScript for instance. It's widely criticized in the POPL community for getting many things wrong. But it must have

655 views • 44 slides
Sisyphus or Sir Edmund? A Retrospective on Data Sharing Erin Kenneally Dept of Homeland

Sisyphus or Sir Edmund? A Retrospective on Data Sharing Erin Kenneally Dept of Homeland

Sisyphus or Sir Edmund? A Retrospective on Data Sharing Erin Kenneally Dept of Homeland Security Cyber Security Division The (non-Oxford) Debate Q1. Has data sharing improved over the past 3-5 yrs? By what measures? [Pre: Yes= ____

585 views • 20 slides
Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application

Game Development In JavaScript First Impressions Javascript Designed for web application Had a rough childhood Very misunderstood Performance difference across browsers Benchmark Pros/Cons JavaScript: WebGL &amp; Canvas

939 views • 18 slides
J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript

J AVA S CRIPT JavaScript is the programming language of HTML and the Web. JavaScript Java JavaScript is interpreted by the browser JavaScript 1/15 JS W HERE T O &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;script

591 views • 15 slides
TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript

TESTING JAVASCRIPT BUILDING JAVASCRIPT APPLICATIONS YOU WON'T HATE 1/45 Testing Javascript Called Testing JS but really about embracing the front end Classic JS meme about &quot;this&quot; This tweet could have ended half way through and

844 views • 45 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide For next class, read

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide For next class, read

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide For next class, read http://eloquentjavascript.net/ chapters 1-4. CS 152: Programming Language Paradigms JavaScript Prof. Tom Austin San Jos State University History of

550 views • 17 slides

More recommend