The Dangers of Third Party Content
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
http://www.webappsec.org/
Tom Stripling, Senior Consultant, Security PS
[email protected]
(913) 888-2111

Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/

Slide 2: Introduction
What are we talking about today?
- More and more organizations are using third parties (users, business partners, etc.) to provide active content for their sites.
- “Third party active content” is anything on your site that you didn’t create that can change the way the site functions.
- For today, we’ll focus on JavaScript, but other types have similar risks.
- This can be a Bad Thing™ if users or application owners get false assumptions about trust.

Slide 3: The “Circle of Trust”

Slide 4: The “Amorphous Blob of Trust”

Slide 5: 3 Factors of Control
- Who is allowed to put content (JavaScript, HTML, Flash, CSS, etc.) on your page?
- What could be accomplished if it were malicious?
- Can you prevent unexpected changes in content?

Slide 6: Scenario 1: User-Provided Content
- Site customization
  - Intended to customize look and feel for user pages, but can often do more
  - Examples: Myspace, Blogger, etc.
- User-provided features
  - Uses JavaScript/Flash/whatever to create gizmos, gadgets, mini-apps, etc.
  - Examples: Google gadgets, Google OpenSocial, Facebook, etc.

Slide 7: Introduction to iGoogle

Slide 8: Google Gadget Approval Process
1. I create a gadget and put it on my server
2.
I submit the gadget to Google
3. Gadget is approved?
   - Yes: Uploaded to Google servers, displayed in content directory and loadable on users’ homepages with 1 click
   - No: Uploaded to Google servers, displayed somewhere else and loadable on users’ homepages with 2 clicks

Slide 9: Google Gadget Security Model
- Whether my gadget is approved or not, Google fetches it from my server and hosts it for me on gmodules.com
- When a user selects a gadget, it is loaded on his homepage via an iframe to gmodules.com
- So, there is a ton of unvalidated, user-created, active content on gmodules.com (which is owned by Google), but it can’t hurt iGoogle users because JavaScript isn’t dangerous inside of an iframe, right?

Slide 10: JavaScript in an Iframe (Cross-Domain)
- Can’t access cookies or DOM for the outer frame
- But it can:
  - Redirect the outer frame via top.location
  - Attempt to download malware
  - Attempt to access content for other modules
  - In Google’s case, do all of this from a domain you probably trust, if you’re using other gadgets
    - Firefox NoScript plugin likely disabled for gmodules.com
    - Other domain blacklists may not include the domain either

Slide 11: Not Convinced?
A list of the viruses and malware downloaded by ONE malicious JavaScript file (yl18.net/0.js):

Scanner | Version | Updated | Result
AhnLab-V3 | 2007.11.7.0 | 2007.11.06 |
AntiVir | 7.6.0.30 | 2007.11.06 | TR/PSW.OnlineGames.gul
Authentium | 4.93.8 | 2007.11.05 | –
Avast | 4.7.1074.0 | 2007.11.05 | –
AVG | 7.5.0.503 | 2007.11.06 | PSW.OnlineGames.QCP
BitDefender | 7.2 | 2007.11.06 | Trojan.PWS.Onlinegames.NMG
CAT-QuickHeal | 9.00 | 2007.11.06 | TrojanPSW.OnLineGames.gul
ClamAV | 0.91.2 | 2007.11.06 | –
DrWeb | 4.44.0.09170 | 2007.11.06 | Trojan.PWS.Gamania.5503
eSafe | 7.0.15.0 | 2007.10.28 | suspicious Trojan/Worm
eTrust-Vet | 31.2.5270 | 2007.11.05 | –
Ewido | 4.0 | 2007.11.06 | –
FileAdvisor | 1 | 2007.11.06 | –
Fortinet | 3.11.0.0 | 2007.10.19 | –
F-Prot | 4.4.2.54 | 2007.11.06 | –
F-Secure | 6.70.13030.0 | 2007.11.06 | TrojanPSW.Win32.OnLineGames.gul
Ikarus | T3.1.1.12 | 2007.11.06 | TrojanPWS.Win32.OnLineGames.gul
Kaspersky | 7.0.0.125 | 2007.11.06 | TrojanPSW.Win32.OnLineGames.gul
McAfee | 5157 | 2007.11.06 | –
Microsoft | 1.3007 | 2007.11.06 | –
NOD32v2 | 2641 | 2007.11.06 | –
Norman | 5.80.02 | 2007.11.06 | W32/OnLineGames.SPZ
Panda | 9.0.0.4 | 2007.11.06 | Suspicious file
Prevx1 | V2 | 2007.11.06 | Heuristic: Suspicious File With Persistence
Rising | 20.17.12.00 | 2007.11.06 | –
Sophos | 4.23.0 | 2007.11.06 | Mal/Packer
Sunbelt | 2.2.907.0 | 2007.11.06 | VIPRE.Suspicious
Symantec | 10 | 2007.11.06 | Infostealer.Gampass
TheHacker | 6.2.9.117 | 2007.11.06 | –
VBA32 | 3.12.2.4 | 2007.11.06 | –
VirusBuster | 4.3.26:9 | 2007.11.06 | Packed/FSG
Webwasher-Gateway | 6.0.1 | 2007.11.06 | Trojan.PSW.OnlineGames.gul

Slide 12: Did You *Really* Want that Iframe?
- Not all Google gadgets run in an iframe
- Google provides “inlining”, which removes the iframe and places the gadget directly on the page
- Allows access to DOM, cookies, etc.
- But don’t worry, the user is protected with this helpful message.

Slide 13: Inlined Gadgets
I’m now running scripts on www.google.com. What could I get? Google has a LOT of my data:
- Email
- Contact lists
- Documents
- Spreadsheets
- Calendar
- What else?
Slide 14: And Don’t Forget Google Checkout…

Slide 15: Factors of Control for Google Gadgets
- Who is allowed to put content on the page? If you allow user-provided active content, you have a lot of risk:
  - There is no good way to measure the “trustworthiness” of the users contributing content
  - All domain-based trust mechanisms are gone
- What could they accomplish if it were malicious? An inline script could steal every piece of my data that Google has: docs, spreadsheets, email, etc.
- Can you control unexpected changes? They don’t. Google automatically polls my site for updates to my content and updates gmodules.com

Slide 16: Problems with the Gadgets Security Model
- Security warnings alone are close to useless: most users just don’t understand the risks
- Single Sign-On allows malicious scripts to access data from other services
- They have no barrier between untrusted content and sensitive data
- They allow gadgets more power than they need: they could provide an API that offered a reduced set of functions instead of allowing free-form JavaScript

Slide 17: Scenario 2: Content From Other Sites
- Advertising and Ad Tracking
- Site tracking: “You had 1 visitor today. He clicked here and here and here.”
- Enhanced content or functionality: mashups, RSS feeds, stock tickers, content from partners, etc.
Slide 18: Advertising and Ad Tracking
- Banner ads are often rotated with JavaScript
- To ensure consistency and allow for updates, most online advertising companies host the JavaScript files themselves

    <!-- begin ad tag -->
    <script type="text/javascript">
    ord=Math.random()*10000000000000000 + 7;
    document.write('<script language="JavaScript" src="http://n4061ad.doubleclick.net/adj/you.home/_default;sz=300x35;kvideoid=-1kItblmJow;tile=1;dcopt=ist;ord=' + ord + '?" type="text/javascript"><\/script>');
    </script>

Slide 19: Advertising and Ad Tracking
Question: How do you hack 2,000 websites at once?
Answer: Hack DoubleClick. Replacing their JavaScript files could effectively create a cross-site scripting attack against all the sites that use them.
- But surely they’re secure, right? Maybe. Can you afford to assume that?
- With that kind of prize, do you think people won’t try?
- Why are you letting someone else control the scripts that are run on your site?

Slide 20: Site Tracking
Google Analytics installation instructions: Basic installation - Copy and paste the code segment into the bottom of your content, immediately before the </body> tag of each page you are planning to track. If you use a common include or template, you can enter it there.

    <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
    <script type="text/javascript">
    _uacct="UA-xxxx-x";
    urchinTracker();
    </script>

Slide 21: Pop Quiz
What do you call a script that runs on every page of your application, is hosted on someone else’s server, and sends data offsite?
A) Cross-site scripting
B) An attack snuck into production by a disgruntled developer
C) Google Analytics

Slide 22: Problems with the Analytics Security Model
Analytics *requires* you to embed a script that:
- Runs on every page of the application
- Runs in the context of your domain and so has access to all your users’ data
- Is externally hosted – it can change at any time
- Is protected by a security program that you have no control over and can’t verify

Slide 23: Factors of Control for Site-Provided Content
- Who is allowed to put content on your page? If you allow content from another company, have you done your due diligence?
  - Ask questions about their security program
  - Demand independent validation
  - Form agreements with these providers that include security requirements to protect their data
- What could they accomplish if it were malicious?
  - Most implementations require inlined scripts (no iframe)
  - Could steal any and all of the user’s data in the application

Slide 24: Factors of Control Continued
- Can you prevent unexpected changes in content?
  - Would you ever allow anyone to deploy any kind of HTML/JavaScript/whatever to your production applications without checking it first? If so, you should probably stop doing that
  - Externally hosted scripts are equivalent to this. They could change at any time without notice.
  - Hosting the script prevents this, but doesn’t help if you don’t validate the content
    - Must check for both flaws and malicious code, which requires time and expertise
    - Updates to the script are problematic

Slide 25: A Simple Formula
If you’re using JavaScript (or other active content) from someone else’s site, then:

    The security of your users’ data ≤ The security of their data

- Allowing another site to run arbitrary scripts on your application could violate:
  - Information security policies
  - Your own privacy policy
  - What else?

Slide 26: Regulatory Requirements
Could the use of externally hosted, third party active content violate regulatory requirements such as PCI DSS, FFIEC, HIPAA, etc.? The requirements generally include:
- The implementation of safeguards to prevent the exposure of user data to a third party
- Regular assessments on all systems with access to the data
Caveat: I have never known of anyone that failed an audit by a regulatory agency because of third party content

Slide 27: BestBuy.com
    <script src="http://cts.channelintelligence.com...

Slide 28: Amazon.com
    <iframe src="http://ad.doubleclick.net...
    <iframe src="http://servedby.advertising.com...

Slide 29: OverStock.com (Shopping Cart)
    <script src="http://api.aggregateknowledge.com...
(from http://api.aggregateknowledge.com/2007/01/15/js/2442718.js)
    /* Do not copy or host this file yourself! This is dynamically generated and is intended to be centralized and common across all Aggregate Knowledge customers. You should not need to change it.
    */

Slide 30: BankofAmerica.com (Search Page)
    <script language="javascript">
    // external script that has been downloaded and hosted
    </script>

Slide 31: BankofAmerica.com Script Source

Slide 32: BankofAmerica.com Script Source

Slide 33: Schwab.com (Login Page)
    <script src="https://ad.doubleclick.net...

Slide 34: Ringo.com (Login Page)
    <script src="http://pagead2.googlesyndication.com...
    <embed src="http://m1.2mdn.net...
    <iframe src="http://ads.monster.com...
    <script src="http://m1.2mdn.net...
    <script src="http://update.videoegg.com...
    <script src="http://cookie.monster.com...
    <script src="http://4.adbrite.com...
    <script src="http://media.monster.com...

Slide 35: Summary of Recommendations
3 factors of control:
- Who is allowed to put active content on your page? Users, some guy with a website, trusted partners, etc. How can you increase the trustworthiness of these parties?
- What could be accomplished if it were malicious? Segment third party content from sensitive data
- Can you prevent unexpected changes?
  - Need to prevent updates that introduce risk
  - Hosting the code works, but validating it is expensive and time consuming
  - Hosting the code without validating it doesn’t help

Slide 36: Resources
- Stealing browser history with CSS: http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript
- Network scanning with CSS: http://ilia.ws/archives/145-Network-Scanning-with-HTTP-without-JavaScript.html
- Rsnake’s blog entry about Google Apps: http://ha.ckers.org/blog/20070817/xss-hole-in-google-apps-is-expected-behavior/
- Google Apps documentation about script inlining: http://www.google.com/intl/en/apis/gadgets/fundamentals.html#Inline

Slide 37: Resources
- SANS story on yl18.net/0.js: http://isc.sans.org/diary.html?storyid=3621
- SANS story on yl18.net/0.js, part II: http://isc.sans.org/diary.html?storyid=3625
- Top 5 questions to ask your software vendor: http://www.securityps.com/resources/ArticleTop5QSoftwareVendor.html
- Story of the DoubleClick server hack: http://www.clickz.com/723761