Classic: Web 2.0 client component vulnerability scanning

ID MYHACK58:62200716089
Type myhack58
Reporter Anonymous
Modified 2007-07-09T00:00:00



Web 2.0 is the result of integrating several technologies: AJAX (Asynchronous JavaScript and XML), Flash, JSON (JavaScript Object Notation), SOAP (Simple Object Access Protocol), REST (Representational State Transfer) and others, combined with cross-domain information access (cross-site access). Together they support the complex applications that make up Web 2.0. As Web 2.0 applications have become widespread, one change is obvious: the end user's browser has gradually taken on more and more functionality.

These changes bring new challenges to traditional scanning tools and to information security researchers. This article studies the following topics:

(1) the complexity of, and challenges in, scanning the new generation of Web applications;

(2) the objects and methods of Web 2.0 client-side scanning;

(3) Web 2.0 vulnerability detection (cross-site scripting attacks through RSS feeds);

(4) cross-domain injection using JSON; and

(5) defensive responses by the client browser filter.

II. The complexity of Web 2.0 scanning

Web 2.0 applications are very complex, which brings new challenges to scanning technology. Their complexity can be attributed to the following factors:

Rich client interfaces: AJAX and Flash use complex JavaScript and ActionScript code to provide a rich application interface, which makes discovering the application logic and critical resources from these scripts extremely difficult.

Information sources: some Web 2.0 applications integrate information from many different sites, so their information sources are complex. For example, an application may integrate RSS feeds or blog resources from different sites to build a large library of information on one site, or use data from different sources to build its own mashups.

Data structures: the data structures used to exchange data between different applications vary; they may be XML, JSON, JavaScript arrays, etc.

Protocols: in addition to simple HTTP GET and POST, Web 2.0 applications can choose other protocols, e.g. SOAP, REST and XML-RPC.

Our target application may fetch RSS feeds from different sites, use JSON to exchange data with different blog sites, and use SOAP to communicate with Exchange Web Services. All of these services use AJAX technology to build RIAs (Rich Internet Applications).

III. Challenges of scanning technology for Web 2.0 applications

The challenges that Web 2.0 applications pose to scanning technology can be divided into the following two aspects:

1. Scanning server-side application components: when scanning a Web 2.0 application, the biggest challenge is discovering the server-side resources. When scanning a traditional Web application, you can run a Web crawler that follows "href" links to learn which page resources the application has. In a Web 2.0 application environment, however, scanning requires identifying the back-end Web services, third-party mashups, back-end proxy services and the like.

2. Scanning client-side components: a Web 2.0 application loads a number of JavaScript scripts, Flash components and other small programs into the browser. These components and scripts use the XMLHttpRequest object to communicate with the back-end Web server, and cross-domain information access inside the browser is also possible. Because Web 2.0 frameworks use a variety of client-side scripts to obtain resources from third parties that the application treats as trusted, cross-site scripting (XSS) becomes a potential threat to the application's users. AJAX, JSON, cross-domain access and dynamic DOM manipulation add to the traditional cross-site scripting (XSS) methods, so the security threat to client-side components is greatly increased. Scanning client-side components and detecting their vulnerabilities is the focus of this article.

IV. Client-side scan objects

To understand the scan objects clearly, we first give a simple example of how a Web application is deployed. As shown in Figure 1, a Web application runs at example.com, and customers access it through a browser. According to its use and logic, the application is divided into the following parts:


Figure 1 Web 2.0 application deployment

Application resources: these resources are served by example.com in various forms, for example HTML, ASP/JSP and Web Services. They live in the trusted domain and are owned by example.com.

Feed proxy: XMLHttpRequest cannot make cross-domain requests to other back-end servers, so a proxy server must be built and third-party RSS feeds accessed through it. For example, assuming the feed is "Daily News", users of example.com can then also obtain the "Daily News" information.

Blog access: by visiting example.com, end users can obtain blog resources on the Internet, because example.com downloads scripts into the user's browser that let the user access some cross-domain blogs.

The following are the four key scan objects used to determine whether the client has vulnerabilities:

1. Library fingerprints: Web 2.0 applications are built on and supported by AJAX and Flash libraries, which are loaded into the user's browser for use at runtime. It is therefore necessary to extract fingerprints of these libraries and compare them against published library vulnerability data. For example, suppose a library function downloaded into a user's browser has a vulnerability that is recorded in the published vulnerability database; a fingerprint comparison can then identify this library function as a potential threat.

2. Third-party untrusted information points: in Figure 1 we divide the Web application into a trusted and an untrusted part. Untrusted information should be security-scanned before it is loaded into the user's browser. In the example in Figure 1, RSS feeds reach the user's browser through the application server's feed proxy, and blog information enters the user's browser directly; once in the browser, all of this information takes the form of the DOM (Document Object Model). If this information is security-scanned before it enters the user's browser, some security threats can be avoided.

3. DOM access points: because everything in the browser runs in the form of the DOM, and the loaded JavaScript scripts manipulate the DOM, malicious information entering through any DOM access point threatens the browser. Security-scanning the DOM access points is therefore also crucial.

4. Vulnerability detection using functions and variables: to find threats and vulnerabilities, an in-depth understanding of the logic the browser runs and its corresponding execution paths is needed, so that once the DOM access points and third-party information have been identified, the function calls can be examined for security scanning.

V. Scanning a client application (News Feeds)

In this section we describe a manual scanning process. The method can be automated, but given the complexity of the application, enumerating all possible combinations is very difficult. As shown in Figure 2, our example site offers RSS feed configuration. The client-side component scan proceeds as follows.


Figure 2. RSS feed configuration

1. Scanning library function fingerprints

When the Web page is downloaded to the user's browser, all of its JavaScript can be found by viewing the HTML source. The JavaScript script information of an example page is shown in Figure 3.


Figure 3. The application page's JavaScript

If you use the Firefox browser with the "Web Developer" plugin installed, you can also view the source code of all scripts, as shown in Figure 4.


Figure 4. Source code of all JavaScript scripts

By scanning these JavaScript scripts, the following information can be obtained:

The AJAX development package file dojo.js is in use. When extracting fingerprints, the file name is an important clue; by scanning the content further, the version in use can be determined. The functions the application uses for RSS feeds, and the files they live in, can then be mapped to what the browser loads. In this case the functions and their files are as follows:

(1) The file rss_xml_parser.js contains the functions processRSS() and GetRSS(), which fetch RSS feeds from the server and process them.

(2) The file XMLHTTPReq.js contains the functions makeGET() and makePOST(), which handle AJAX requests.

(3) The file dojo.js contains various other functions.

Comparing the library functions in use and their version information against a database of known vulnerabilities can reveal some existing vulnerabilities.

2. Third-party untrusted information access points

Scanning the page's HTML code, we find the following code fragment. This code calls the GetRSS() function to fetch untrusted RSS feeds from a different server; the returned content may contain malicious code, so effective content inspection can avoid some security threats.


```html
<select id="feeds" name="feeds">
  <option value="">Pick your feed</option>
  <option value="">CNN business</option>
  <option value="">USA today</option>
  <option value="">XYZ business</option>
</select>
```

3. DOM access points

Collecting the JavaScript scripts, we look for accesses to the DOM model, focusing mainly on uses of "document.*". These can be simplified into the following two categories:

(1) document.getElementById(name).innerHTML: this is widely used to dynamically convert text into HTML code.

(2) document.write(): this function is also used to render HTML code in the browser.

Scanning the HTML code converted at the DOM access points can likewise avoid some security threats. The following code is an example of JavaScript using "document.*".

```javascript
function processRSS(divname, response) {
    var html = "";
    var doc = response.documentElement;
    var items = doc.getElementsByTagName('item');
    for (var i = 0; i < items.length; i++) {
        var title = items[i].getElementsByTagName('title')[0];
        var link = items[i].getElementsByTagName('link')[0];
        // The anchor markup was lost in extraction and is restored here as the
        // text describes: the feed's <link> becomes the href of a clickable link.
        html += "<a href=\"" + link.firstChild.data + "\">" + title.firstChild.data + "</a><br>";
    }
    var target = document.getElementById(divname);
    target.innerHTML = html;   // DOM access point: feed content is rendered as HTML
}
```
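As an added example (not part of the original article), the following script performs steps 1 and 3 above statically: it fingerprints library files by the version string in their header comment and reports DOM access points (innerHTML, document.write and eval) with line numbers. The script sources and the known-vulnerable table are constructed placeholders, not real advisory data.

```javascript
// Added example (not from the original article): a static pass over the
// JavaScript a page loads, covering scan objects 1 and 3: library
// fingerprints (file name plus version string) and DOM access points
// (innerHTML, document.write, eval). All inputs are constructed.

// Constructed script sources, named after the files listed on the page.
const SCRIPTS = {
  'dojo.js': '/* Dojo Toolkit, version: 0.0.1 */\nvar dojo = {};',
  'rss_xml_parser.js':
    'function processRSS(divname, response) {\n' +
    '  var target = document.getElementById(divname);\n' +
    '  target.innerHTML = html;\n}\n' +
    'function GetRSS(u) { document.write("loading " + u); }',
  'XMLHTTPReq.js': 'function makeGET(u) { eval(u); }',
};

// Placeholder advisory table (file -> flagged versions). Not real data.
const KNOWN_VULNERABLE = { 'dojo.js': ['0.0.1'] };

// Step 1: pull a version marker out of a library's header comment and
// compare it with the advisory table.
function fingerprint(name, src) {
  const m = src.match(/version:?\s*v?(\d+(?:\.\d+)+)/i);
  const version = m ? m[1] : null;
  const flagged = version !== null && (KNOWN_VULNERABLE[name] || []).includes(version);
  return { name, version, flagged };
}

// Step 3: the DOM sinks the page calls out, plus eval, reported by line.
const SINKS = [/\.innerHTML\s*=/, /document\.write\s*\(/, /\beval\s*\(/];
function findSinks(name, src) {
  const hits = [];
  src.split('\n').forEach((line, i) => {
    for (const re of SINKS) {
      if (re.test(line)) hits.push({ file: name, line: i + 1, sink: re.source });
    }
  });
  return hits;
}

// Run both passes over every script and return one report object.
function scanClient(scripts) {
  const libs = [], sinks = [];
  for (const [name, src] of Object.entries(scripts)) {
    libs.push(fingerprint(name, src));
    sinks.push(...findSinks(name, src));
  }
  return { libs, sinks };
}
```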

4. Vulnerability detection using functions and variables

We can organize the information obtained in the previous three steps into the complete flow of the client-side logic, including the filtering techniques used, as shown in Figure 5.


Figure 5. News feed function execution logic and data flow

As shown in Figure 5, the News Feed server filters out the "<" and ">" symbols, so injecting JavaScript into the DOM through tags becomes impossible. Suppose no filter is set: what happens if an untrusted RSS feed injects a malicious link? The following is sample code:

```xml
<item>
  <title>Interesting news item</title>
  <link>javascript:alert("Simple XSS")</link>
  <description><![CDATA[]]></description>
  <author>XYZ news</author>
  <dc:date>2005-11-16T16:00:00-08:00</dc:date>
</item>
```

Note that the link tag contains JavaScript, so when the user clicks the link, this JavaScript is executed. The process is shown in Figure 6. If the JavaScript is malicious code, the user is threatened.


Figure 6. Using the link to conduct a cross-site scripting attack
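The link-based attack above still works with the server's "<"/">" filter in place, because a javascript: URL contains neither character. The following is an added example, not code from the original article, showing a hardened replacement for processRSS(): the link scheme is validated with the URL parser and the entries are rendered as DOM nodes rather than through innerHTML. The feed items are constructed; renderFeed() needs a browser document and is not executed under Node.

```javascript
// Added example (not from the original article). Stripping "<" and ">" blocks
// tag injection through innerHTML but leaves a javascript: URL intact, and it
// runs when the rendered anchor is clicked. Two defences are shown below.

// Constructed feed items, mirroring the shape of the RSS item on the page.
const SAMPLE_ITEMS = [
  { title: 'Interesting news item', link: 'javascript:alert("Simple XSS")' },
  { title: 'Market <b>update</b>', link: 'https://news.example/markets' },
  { title: 'Odd scheme', link: ' JavaScript:alert(1)' }, // leading space, mixed case
  { title: 'Data URL', link: 'data:text/html,hi' },
];

// The page's "strip < and >" filter, reproduced only to show what it misses.
function stripAngleBrackets(s) { return String(s).replace(/[<>]/g, ''); }

// Defence 1: allow only absolute http(s) links. The URL parser trims
// whitespace and lower-cases the scheme, so " JavaScript:" is still rejected;
// anything that does not parse (relative paths, garbage) is rejected too.
function safeHref(link) {
  let u;
  try { u = new URL(String(link)); } catch (e) { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
}

// Pure step: convert raw items into entries the renderer can trust.
// A rejected link becomes null, so the title is still shown but not linked.
function sanitizeItems(items) {
  return items.map(it => ({ title: String(it.title), href: safeHref(it.link) }));
}

// Defence 2: no innerHTML and no document.write. Titles are assigned via
// textContent, so "<b>" in a title is displayed literally, never parsed.
function renderFeed(target, entries) {
  target.textContent = '';
  for (const e of entries) {
    const line = document.createElement('div');
    if (e.href) {
      const a = document.createElement('a');
      a.href = e.href;
      a.rel = 'noopener noreferrer';
      a.textContent = e.title;
      line.appendChild(a);
    } else {
      line.textContent = e.title;
    }
    target.appendChild(line);
  }
}
```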

(Editor in charge: Li Lei)


[Reference article]

Shreeraj Shah, "Vulnerability Scanning Web 2.0 Client-Side Components" (introduction)