Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Web Design

JavaScript Breaks Free

JavaScript Breaks Free
Zulfikar Ramzan
Symantec Security Response
Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)
Outline
1
The Web 2.0 Security Picture
2
Position: Boundary Challenges
3
Example: Drive-by Pharming
4
Other Examples and Parting Thoughts
Copyright © 2007, Symantec. All Rights Reserved.
Zulfikar Ramzan, JavaScript Breaks Free
2
The Web 2.0 Picture
WEB SERVER
WEB SERVER
WEB SERVER
WEB SERVER
WEB SERVER
1
2
WEB SERVER
WEB SERVER
CLIENT MACHINE
Copyright © 2007, Symantec. All Rights Reserved.
User-driven content
Content aggregation
Intranet web devices
3
4
Plug-ins / Extensions
5
Multiple “Browsers”
6
“Local” online apps
Zulfikar Ramzan, JavaScript Breaks Free
3
What Makes it Hard
• Unprecedented amount of content (not always
trustworthy)
• Aggregation of content on local client and also by
intermediaries (same-origin policy workarounds)
• Intranet devices often have web servers
(internet/intranet boundary issues)
• Web browsers augmented with plug-ins (not
always trustworthy & complicate interactions)
• Machines may have many local web browsers
that communicate over HTTP, render HTML, and
emulate JavaScript (increased attack surface).
• Some local client applications can interact with
web browser and provide combined online /
offline capabilities (compromises can lead to
machine ownership).
Copyright © 2007, Symantec. All Rights Reserved.
Zulfikar Ramzan, JavaScript Breaks Free
4
Main Position Points and Examples
There are many pieces in the puzzle. The
policies governing boundaries between
these pieces needs to be better
understood and better enforced.
If we get this wrong, *-script code running
in one context, can affect another.
Example: Drive-by Pharming.
Copyright © 2007, Symantec. All Rights Reserved.
Zulfikar Ramzan, JavaScript Breaks Free
5
Drive-by Pharming Overview
• Attack concept developed by Sid Stamm, Markus
Jakobsson, and me that strongly leverages prior
work on JavaScript host scanning presented by
Grossman at BlackHat.
• Local broadband routers (both wired and wireless)
offer a web management interface for device
configuration
– Consequently, these devices contain a web
server that runs a web app
• The web app is often susceptible to cross-site
request forgeries (made easier since there is
usually a default password that users often fail to
change)
• Broadband routers govern DNS settings…
• Can change these settings from a remote location;
victim only has to view web page containing
malicious JavaScript to become infected
Copyright © 2007, Symantec. All Rights Reserved.
Zulfikar Ramzan, JavaScript Breaks Free
6
Drive-by Pharming Flow
Your
Bank
Good DNS
Server
om
c
k. 8.8
n
a
.7
.b .79
w
w 29
w 1
Web Browser
ww
w.
ba
Home
n
broadband / 66.6 k.c
o
wireless router .66.6 m
Rogue DNS
Server
Copyright © 2007, Symantec. All Rights Reserved.
8.8
7
.
9
.7
129
66.6.66.6
Clic
kM
e!!!
<SCRIPT
Not Your
SRC =
Bank
“http://192.16
Web site with
8.1.1/...?...”
JavaScript
</SCRIPT>
Malware
Zulfikar Ramzan, JavaScript Breaks Free
7
Drive-by Pharming Current Status
• Working proof of concept code for various Linksys,
Netgear,and DLINK routers
• No known instances In the Wild yet
• Similar concept can be used to upgrade router
firmware
• Solutions
– Simple bandaid: change password on home router
– More fundamental: protect the web app on the
router from Cross-Site Request Forgeries
– Way to implement second sol’n: web app requires
and validates unpredictable value hidden
somewhere on web page containing config.
management interface
Copyright © 2007, Symantec. All Rights Reserved.
Zulfikar Ramzan, JavaScript Breaks Free
8
Other Examples and Parting Thoughts
• Other Examples:
– Overtaking Google Desktop (Amit, Allan &
Sharabani)
– Universal XSS (Di Paola & Fedon)
• Not understanding boundaries associated with the
plethora of component and failing to understand and
enforce policies governing boundaries can have
devastating consequences
• Things are getting more complex! New technologies
like Silverlight, etc., are looming.
© 2007 Symantec Corporation. All rights reserved.
THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS
DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE
WITHOUT NOTICE.
Copyright © 2007, Symantec. All Rights Reserved.
Zulfikar Ramzan, JavaScript Breaks Free
9
Related documents
The Emerging Threat Landscape Agenda
The Emerging Threat Landscape Agenda
Download