Misunderstanding JavaScript HijackingSaturday, April 7. 2007Saturday, April 7. 2007 Very recently there has been a new paper about what the authors call JavaScript Hijacking. It is about an analysis of several JavaScript frameworks for a cross domain data retrieval vulnerability through the usage of the <script> tag. The paper comes to the conclusion that in nearly all JavaScript frameworks that work with JSON encoded data, the data can be retrieved cross domain via the <script> tag.
Comments
Display comments as
(Linear | Threaded)
If Chris Shiflett has no expertise in PHP, why do you read his blog and make false comments regarding his perspective? Chris is only trying to help others. What is your intention?
posted on Saturday, April 7. 2007
I am reading his blog because it is on planet-php.net and his pseudo knowledge is therefore enforced on the PHP community as if he has expertise.
Oh btw what exactly is your family relationship with shiflett? I am actually not suprised that your name is connected to him somehow on a friend/family level. Or are all his friends or family members experts in PHP (Security). That might explain why you believe you can judge my comments about his perspective. This might also explain why you had to google for my name. posted on Saturday, April 7. 2007
So, as someone genuinely interested and not related to anyone in the discussion, can you give me an example of how this exploit could get used outside of parsing the results of a CSRF attack?
I have no intention of trying to attack your post, I just want to fully understand this and so far I haven't thought of a use for this that doesn't center around CSRF. I get that it allows cross-domain scripting in a way that browsers explicitly forbid, I just don't get how it could get used for anything other than parsing leaked data. posted on Saturday, April 7. 2007
Uh, What?!
I made no claim that this attack is new (it's certainly not). It also isn't possible to execute this cross-domain data leakage attack from Flash because of its crossdomain.xml security model -- the server would have to explicitly allow it. Did you actually read my post before you linked to it? It seems like you have read something else entirely. posted on Sunday, April 8. 2007
Let's start with the obvious "definition" problem.
When you read definitions of CSRF at wikipedia or cgisecurity or ... you will see that the definitions require that some ACTION is performed and not that just data retrieval is performed. Because if you take normal data retrieval URLs into account then EVERY website is vulnerable to CSRF. So according to the popular definition the SCRIPT attack is not a CSRF at all. Secondly who says that only one user can get to the leaked data. A wrong setup of a server could allow anyone to read the data. So how it is CSRF if anyone can read it or if I read it myself. Now you might say: Uhh but then I can enter this URL into my browser and just look at it. But that is utltimatively missing the point. The vulnerability is about how JavaScript malware can use JSON data for further attacks. In the simple case this might be leaking the data to the attacker. In more complex scenarios JSON data could give out IPs or whatever of further targets. posted on Sunday, April 8. 2007
Ohh,
damn... You are right, I put in the wrong link. Outsch. I was not referring to your blog posting. I removed the link now with a message that it previously linked to the wrong URL. Sorry, lets see if I find the real URLin my history. And you are partly right according to Flash. Flash allows making a cross domain call to any URL, even with faked headers (if that was not indeed fixed meanwhile). It only does not allow data retrieval which is needed in this case unless some policy files allow the request. I demonstrated in the past that the crossdomain.xml policy can be tricked in many bigger webapplications that have open redirect scripts. http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html Ah yes you also misunderstood my post. I was not wrongly blaming you for calling it new but for blaming Fortify that they claim it is new. But yes it was not you who wrote that. posted on Sunday, April 8. 2007
Thanks for the explanation.
As far as the definition issue, it seems that data leakage due to performing a request as a user as opposed to causing side effects due to performing a request as a user has a bit of a gray area in between. They both have the same root cause, unless I've missed something. Also, cgisecurity defines the Gmail leakage of personal contacts as CSRF in the additional reading section ("Gmail Vulnerable to CSRF"), so it would seem that it also counts retrieval of data as an action. I did notice that the wikipedia entry doesn't require all of the points listed in order for something to get labeled CSRF, just that they commonly have those characteristics. Since the cross-domain scripting hole in question meets three of these: # Involve sites that rely on a user's identity # Exploit the site's trust in that identity # Trick the user's browser into sending HTTP requests to a target site) These things led me (and others, apparently) to assume that that data leakage via this route constitutes a CSRF attack. So, again, I just wanted to know if the cross-domain scripting attack could get used for anything else, since...well, honestly you know a hell of a lot more about web application security than I do and I want to make sure I fully understand this. posted on Sunday, April 8. 2007
Well the major problem is simply. That usually people would never say it is a vulnerability if I can force your browser to display a picture to you that only you are allowed to see.
Therefore CSRF usually does not cover this. I am quite sure that many many many websites will for example allow a site search that is accesible for everyone. And maybe because the site recognises you, you will see those items that fit your profile in the front. Now the big question is: is it a vulnerability of the site that I can force your browser to request that search result that is sorted by your profile? It is actually a "personalized" request and if I can get the result this might leak information about you. But it is not the fact that I can force you to search, but the fact that I can read the result that is dangerous. A similar thing is for example the Amazon site, that will greet you with your name, when it recognises you. So do you consider it a CSRF vulnerability that I can load the Amazon.com frontpage in a hidden iframe of your browser, that will show your personal info (your name). The moment I can use a browser vulnerability to read the content of the iframe or the moment the data comes back in JSON format that is vulnerable to <script> tags this becomes a vulnerability. But this has only partly to do with CSRF. And in the end lets not forget that even if you count it as CSRF, the damage can still be stopped by checking the Referer header. No matter what some other guy claims. posted on Sunday, April 8. 2007
Well, the image example I would definitely not consider a CSRF. Basically, I would consider it one if somehow I could use your browser to retrieve the image for myself. Only when reading and recording the data (like with the Gmail contacts disclosure) would it become a CSRF to my understanding.
"But it is not the fact that I can force you to search, but the fact that I can read the result that is dangerous." Completely, 100% with you. "So do you consider it a CSRF vulnerability that I can load the Amazon.com frontpage in a hidden iframe of your browser, that will show your personal info (your name)." Not at all, but if you can load the Amazon.com page and determine whether the user has logged in, or what they have in their cart, then I would. "The moment I can use a browser vulnerability to read the content of the iframe or the moment the data comes back in JSON format that is vulnerable to <script> tags this becomes a vulnerability. But this has only partly to do with CSRF." So if it only partly has to do with CSRF, what else does it have to do with as far as the web application itself goes? Forgive me if I seem to have missed something obvious, but as I said - I really do want to understand this if you see something that I don't, but so far I don't see anything other than information disclosure via a CSRF attack. "And in the end lets not forget that even if you count it as CSRF, the damage can still be stopped by checking the Referer header." Checking the Referer header would work for preventing the <script> vulnerability that sparked this discussion, definitely. However, it wouldn't stop someone from sniffing traffic and stealing the session in order to forge the request themselves, though that does rely on a vulnerability allowing session stealing in the first place. I do realize that moves the vulnerability further from CSRF, but the core defect of the web application remains the same. Basically, I see the issue stemming from the failure to ensure that only the user, when directly using the application, has the ability to load the information and scripts into their browser. Anything relying on the honor system of browsers seems broken to me, since attackers can easily (or eventually) get around that. posted on Sunday, April 8. 2007
Well so here is the problem.
From your point of view you consider two things that are technically the same either not an CSRF issue or a CSRF issue. If someone can retrieve my name from the amazon frontpage it is technically the same as if he can read the content of my shopping basket. Both are information leak vulnerabilities that are exploited by using a Cross Site Request and a "feature" (or bug) of the browser. Actually personally I would be more concerned if someone can remotely retrieve my name than if he can see what is in my basket without knowing my name. But that is just my personal opinion. But to come back to the original problem. You always think about using the script tags for CSRF. It is also possible that for example a big community site has an AJAX part that shows the last new members on the frontpage. Data exchange done by JSON. Now Dr. Evil wants to spam all those new members... Of course he could write a Perl/Python program that retrieves the information from the JSON, decodes it and then uses it for the further attacks. But that is far to complicated. It is far easier for him to just write the attack code in HTML/JavaScript and let it run in his own browser. Now what do we have. A cross site request. Is it forged? No, because Dr. Evil wants to make it. Does it exploit the site trusting the user? No, because the Information is free for everyone. However Dr. Evil wrote a JavaScript malware that abuses the information leak without a CSRF... I hope you understand that this is not a CSRF vulnerability at all but uses JSON+SCRIPT Tag to perform an attack from JavaScript malware that would never be possible with JavaScript when the JSON info leak does not exist. This should prove, that both are separate issues. And the only correct way to fix is to stop the JSON data exchange from being useable from a SCRIPT tag. The solution has nothing todo with CSRF at all. posted on Sunday, April 8. 2007
What you've missed is that this information leak sends cookies, which is often sufficient credentials to get private information via cookie based sessions. It's not about the attacker being stupid such that they'd rather use their browser instead of Python/Perl, it's about the attacker (ab)using the victim's browser to shuttle sensitive information from a some other site (e.g. gmail) to some server the attacker controls.
The attacker must be able to coerce the victim to visit some URL with the exploit JavaScript when the session cookies are still valid. This is trivial, especially if you don't particularly care who your victims are. posted on Sunday, April 8. 2007
So, essentially the fact that JSON evaluates as JavaScript by default forms the root of the problem?
I definitely see how Dr. Evil's pulling in publicly available information to his own browser doesn't have anything to do with CSRF, but I guess I just fail to see what part of this constitutes an attack at all. Just to recap: I do understand that this achieves its end result by way of altering the behavior of a script coming from another domain. Definitely not what browsers had intended, but seems like a side effect of the <script> tag supporting a src from another domain in the first place. Does this mean that anyone embedding Google maps or some other JavaScript API in their site has basically just performed non-malicious cross-domain JavaScript hijacking? Or would they need to do something like this first: function loopkup() { /* do something */ } function Object() { this.a setter = lookup; this.a = 1; } They use a script from some other site, just as your example of Dr. Evil fetching the JSON contacts. If they use a technique like this to display information to the user that the developers didn't intend to expose through the original API, does that mean that they've written malware? posted on Sunday, April 8. 2007
Bob,
I know what CSRF is, but that does not change the fact that my point is that the SCRIPT tag information leak is a (lets call it technique) that can be used in a CSRF attack (if you really want to call it that way). That it is however not bound to CSRF. The SCRIPT tag allows catching cross domain JSON data. That is the whole message in all this hype. And this is not only true in some obscure CSRF attack it is always true. posted on Sunday, April 8. 2007
Shawn,
I am starting to believe that you want to misunderstand me. The SCRIPT Attack is an attack because it abuses a Browser Feature that was not intended. It is not just including a remote JavaScript file that is open to anyone. It explicitly exploits a browser misfeature. And when JSON data is put online this does not necessary mean that Google or whoever offers it intended that someone use it from another domain. You might have hit a public API but then there is most probably a crossdomain.xml file that allows you to access it anyway. The point is that JSON data on domain X is not supposed to be readable from JavaScript on domain Y. This is a simple fact. The SCRIPT Tag however allows (with dirty tricks) to get this data from JavaScript on domain Y when it has a special format. This is a cross domain security problem of JSON that has nothing, absolutely NOTHING todo with CSRF. In cases where you can trick another persons browser into accessing personal data in JSON format you might call it CSRF if it fits your idea of CSRF. However following several accepted definitions it is not, because data retrieval is NOT an action. An action would be buying a shop basket, not showing it to the user, because NO HARM would be performed by this. It only becomes dangerous because of a browser/data format problem. However I will stop explaining it now. If you want, just call it CSRF but then you only follow the hype that wants to tell the world that CSRF is the sleeping giant, because suddendly they redefine every security problem as CSRF. Taking into account that the MHTML vulnerability still exists this means every single site that shows your name is vulnerable to CSRF because a browser vulnerability allows you to retrieve the name. Sorry but I will not eat this definition. And on the other hand it should be pretty clear by now that the SCRIPT problem is a general trick to get access to cross domain data in some JSON formats. It is nothing more and nothing less. It can be used in what you want to call CSRF but it is not CSRF. posted on Sunday, April 8. 2007
I really agree when you say that this security problem is not a CSRF.
But I totally disagree when you say that the solution is the Referer header. You should know that, but the Referer is often removed/altered by some proxies/firewalls on the path to a website. This apply for many big companies for example, where the network admin is the king (URL filtering, ...). If you use Referer to deny javascript ressources, you exclude all these legitimate users ! Referer is good for only and only one purpose : statistics. Never for security related things (ok, maybe in deterministic environments, but this is not the web). The only way I can think about to prevent Javascript Hijacking is to put private javascript ressources behind a non-predictable URL, with a token specific to the user who requested id (the session_id is a good candidate). posted on Thursday, April 12. 2007
Uhmm first of all I never said that Refers are a good solution.
I just said that it is bullshit to claim that because Flash can (or could in the past) fake the Referer header it is not a valid defense here. And yes, checking the referer field will result in some users being locked out. Unfortunately the HTTP spec failed to make the Referer Mandatory. And lots of people put important data in URLs in the past. Therefore nowadays many personal firewalls etc... filter the Referer Header out. Unfortunately this is reality. However this nonsense of Referer Header filtering/manipulation is responsible for CSRF being so hard to fix in the first place. And I remember a few years ago everyone was crying about cookies being evil and session IDs should be transported in URLs. This major nonsense is meanwhile the opposite. People realised that httpOnly Cookies are far more secure than a session id in the URL. And if the referer header would still work then unguessable URLs would not be needed at all. (Beside the fact that unguessable URLs cannot defeat CSRF completely anyway, because not everything can be behind unguessable URLs) posted on Friday, April 13. 2007
James D.,
do you really believe after such a comment anyone here takes you serious? posted on Saturday, April 14. 2007
First of all the sentence is plain wrong, because JavaScript Hijacking CAN build upon CSRF but it does not have to.
And aside from that there is a big difference between 'build upon' vs. 'is equal to' posted on Monday, July 2. 2007
Add Comment
|
Calendar
Archives Categories Syndicate This Blog Protected By 
|
|||||||||||||||||||||||||||||||||||||||||||||||||
