lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAN10O-YHxrz_mogR9dtw=nyvZZWxrAXwx8e+OB8vjXwmat9mYg@mail.gmail.com>
Date: Sat, 20 Aug 2016 16:11:40 +1000
From: x ksi <s3810@...stk.edu.pl>
To: fulldisclosure@...lists.org
Subject: [FD] The continuing problem of a third party resources in web
	applications.

$ cat ./3rdparty.txt


Release   (08.06.2015): Writeup with PHP PoC released

Update #1 (04.02.2016): JavaScript PoC created

Update #2 (16.06.2016): W3C SRI information added

Update #3 (01.08.2016): Added reference about the AdGholas

Update #4 (20.08.2016): Added reference about D. Trump site


--


[ Subresource Integrity ]


I'm slightly disappointed in my poor web crawling skills. Apparently works

on the Subresource Integrity[0] started in January 2014. At that time I

was unable to stumble upon this project when I was researching the subject

back in the mid 2015. However, it was not until June 2015 for Chrome

(45.0) and September 2015 for Firefox (43) when the new browser versions

with an SRI support were released. For that reason I feel excused to some

extent.


Currently only Chrome, Firefox and Opera support this mechanism on desktop

computers.  On mobile platforms it looks it's only supported by Chrome and

Firefox. Microsoft considers implementing it in the Internet Explorer but

doesn't provide any timelines for that[2].


The SRI can be applied to <script> and <link> tags what seems to be

obvious and reasonable. It could be used for other tags as well (e.g.

<img>, <media>, <object> etc.) but unfortunately this idea has been

abandoned by Chrome devs[3] (i.e. spec doesn't cover other tags). I

presume Firefox devs decision was based on the same grounds. It's a pity

that spec hasn't been extended in that regard instead.


>From the above it is clear that there is still room for improvements (when

there isn't?) but honestly, it looks it's currently the best solution to

address the problem of fetching remote resources and verification of their

integrity.


Thanks to Edwin Kwan who brought[4] the SRI to my attention.



References:

[1] https://www.w3.org/TR/SRI/

[2] https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

[3] https://codereview.chromium.org/1151773007

[4] https://www.linkedin.com/pulse/trust-your-cdn-verify-sri-edwin-kwan?trk=hp-feed-article-title-like



[ Third Party JS scripts verification ]


Few years ago there was a fuss in the Polish part of the net. It was all

about the security breach that happened to a controversial security news

blog[1][2][3]. Story like many others but the attack vector was quite

interesting - get into the third party server and modify the JS script

that was used by the targeted blog.  Shortly after, some discussions took

place about possible preventive measures against rough third party scripts

and/or malicious CDNs.  Unfortunately, I couldn't attend the OWASP

meeting[4] during which the potential mitigations and solutions to the

problem were meant to be discussed. It's also a pity the meeting was not

recorded. I'm not aware of any new technical solutions, which addresses

the problem and would be a direct outcome of this OWASP brain-storming

(feel free to correct me if you think that I'm wrong). On the other hand,

it doesn't mean there is no such solution already out there, but please

keep on reading.  I'm pretty sure that our domestic case wasn't the first

nor the last one that happened this way[5][6][7][15][16]. Therefore, I

thought there is a need to talk more about this problem and help to

address it.


During the past years I saw few penetration test reports written by

various companies. It is not a secret that pentesters use the Burp proxy

extensively when conducting a web app assessments. Its scanner module

picks up JS scripts that are included by the applications from remote

locations/other domains[8]. Well, at least the simplest scenarios (it

seems that it has difficulties to properly detect cases where scripts are

included by creating a new script element using createElement() function,

and then by setting its src attribute to URL in a different domain). Said

that, it comes as no surprise that this finding is quite commonly

reported. Exactly, "Another one got caught today". Most sane people would

say that it's enough to copy the contents of the remote script and serve

it locally. This would concur on Burp's recommendation too.  Very simple

and elegant solution. However, one can imagine scenarios where this

approach is not applicable (e.g. the script content is not static). Other

recommendations include these from OWASP[9][10], which IMO are not

promoted adequately for people that are interested in the subject / are

affected by the problem. Would be cool to see this problem being described

in thr OWASP testing guide or somewhere in their wiki.

The client side solutions like NoScript[13] (allows to enable JS scripts

selectively) are not an answer for obvious reasons. What we need is a

simple server-side solution that would be platform independent and could

be used even for already deployed applications.


If you follow the references in the text as you read, then you could

notice that some of them are really old, eight years and older. One would

say that the subject has been already profoundly studied and the problem

has been fixed long time ago. I'm sorry to say that but that's only a

wishful thinking.


Probably the most promising solution meant to solve the problem was a

js.js API[11][12]. However, it never managed to become popular enough and

wasn't used on a larger scale. This could be due to its overcomplexity but

it's only my suspicion. What we know for a fact is that the project is now

effectively dead. What do I mean exactly by the above? It's enough to say

that:


 - the last commit was submitted 4 years ago[14]

 - web developers can be unfamiliar with compiler optimizations, LLVM,

   javascripts engines etc.

 - new javascript engine versions required recompilation of the projects

 - its deployment and maintenance seemed to be an overkill if it was going

   to be used only for a small scripts


Are you still here? Don't worry, it's almost over.


If, for whatever reason, the third party script can't be copied and served

locally, my suggestion would be to keep locally hash checksums of the

third party scripts and before including them for execution simply verify

the downloaded script checksum. If the checksum is different from a known

"good", then you may have a problem. It could be a legit change on the

side of the third party you weren't aware of (e.g. new ad campaign, new

features, bugfixes etc.), but it could be also a malicious change

(watering hole, drive-by-download etc).


I wrote a proof of concept for such checksum verification of a third party

scripts. It is available at:


http://s1m0n.dft-labs.eu/files/3rdparty/


The very concept can be implemented relatively quickly and easily in

various languages/frameworks.


In the first version of this writeup I wrote:


"Most people probably would like to customize it anyway thus I don't see a

point to attempt and implement some generic PoC implementation".


After some time I must disagree with myself. Surely I had to wrote it

because I'm lazy slash short of time. The JavaScript PoC implementation

should provide platform independency and I suspect will be more appealing

than PHP. This is why you can now also check the JS version of the PoC at

the same location.


Yes, I'm perfectly aware this is nothing ground breaking and it's far from

a perfect solution. Needless to say, it's rather a sad compromise between

doing nothing and potentially good but dead solution.


I'm not under illusions that developers will start implement this or other

solution anytime soon. Probably some epic fail caused by this attack

vector would break the status quo but why sit and wait for it? I would

presume it's more beneficient to be proactive rather than reactive. Time

will tell.



References:

[1] http://zaufanatrzeciastrona.pl/post/niebezpiecznik-hacked-czyli-przepowiednie-sie-spelniaja/
(PL)

[2] http://blog.pi3.com.pl/?p=411 (PL)

[3] http://wampir.mroczna-zaloga.org/archives/1183-sie-porobilo.html (PL)

[4] https://www.owasp.org/index.php/Poland#tab=Past_Events (PL)

[5] http://blog.sucuri.net/2014/11/the-dangers-of-hosted-scripts-hacked-jquery-timers.html

[6] http://www.clickz.com/clickz/news/1705296/doubleclick-admits-servers-were-hacked

[7] http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/

[8] http://portswigger.net/burp/help/scanner_issuetypes.html (Type ID 5244160)

[9] http://owasp.blogspot.co.uk/2011/06/question-on-3rd-party-js.html

[10] https://www.owasp.org/images/6/6d/OWASP-WASCAppSec2007SanJose_Dangers_of3rdPartyContent.ppt

[11] https://www.usenix.org/system/files/conference/webapps12/webapps12-final6.pdf

[12] https://github.com/jterrace/js.js/

[13] https://noscript.net/

[14] https://github.com/jterrace/js.js/commit/87cdca631515d97fa155f48fc76ca02732b19075

[15] https://www.proofpoint.com/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight

[16] https://blog.chibicode.com/you-can-submit-a-pull-request-to-inject-arbitrary-js-code-into-donald-trumps-site-here-s-how-782aa6a17a56#.3kfo3dy2p


Filip Palian

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ