CIS 4615 meeting -*- Outline -*-

* web client related vulnerabilities

** gadgets and widgets: the platform for the attacks

------------------------------------------
GADGETS AND WIDGETS

These attacks affect gadgets and widgets

What is a gadget or widget?

Examples:

------------------------------------------
... a mini-app built using web technologies
    like HTML, JavaScript, and XML;
    runs in a browser or an interpreter

Q: What are some examples of gadgets or widgets you have seen?

    RSS feed readers, system information, weather data, sports scores...

Q: What technology is used to program gadgets and widgets?

    HTML and JavaScript, manipulating the Document Object Model (DOM)

** attack description

------------------------------------------
TYPE 0 XSS ATTACK

1. gadget or widget takes input from

2. gadget or widget renders

Example (JavaScript):

    var xhr;
    if (window.XMLHttpRequest) {        // standards-based browsers
        xhr = new XMLHttpRequest();
    } else {                             // older Internet Explorer
        xhr = new ActiveXObject("MSXML2.XMLHTTP.3.0");
    }
    xhr.open("GET", url, true);         // url names an untrusted feed
    xhr.send(null);
    // ... once the response has arrived:
    if (xhr.responseXML) {
        xmlDoc = xhr.responseXML;
        results.innerHTML = xmlDoc...;  // feed data rendered as HTML
    }

------------------------------------------
... an untrusted source (something on the web)
... that input out (using the JavaScript interpreter)

------------------------------------------
BUGGY RSS FEED HEADLINES GADGET

    // feedItemName comes straight from the feed, unvalidated
    g_viewElements.FeedItems[i].innerHTML = feedItemName;

------------------------------------------
Q: What could happen if feedItemName is tainted?

    it might contain a script, which the browser would then run
    with the gadget's privileges

** prevention

------------------------------------------
PREVENTION

Don't trust

Don't use innerHTML, instead use

Don't use insertAdjacentHTML, instead use

Consider using

------------------------------------------
... input (tainted values)
    - validate by parsing (regular expressions usually suffice)
    - restrict input length at a minimum
... innerText, if possible
... createElement, populate it, then use appendChild or insertBefore
... something other than JavaScript, like Windows Presentation Foundation,
    Adobe Flash, or Microsoft Silverlight
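As an added example (not part of the lecture notes and not any gadget's own code), the following JavaScript puts the attack description and the prevention points together: a headline validator that parses with a regular expression and caps length, and a renderer that builds DOM nodes with createElement, fills them through textContent and attaches them with appendChild, in contrast to the buggy innerHTML assignment in the RSS gadget above. The function names, the sample feed titles and the small stand-in document object are assumptions made so the code runs outside a browser; a real gadget would pass in the browser's document instead.

```javascript
// Added example for the CIS 4615 notes; not from the lecture or any real gadget.
// validateHeadline, renderHeadlinesSafe, SAMPLE_FEED_ITEMS and fakeDocument are
// assumptions for this example.

// Constructed sample titles, as a gadget might receive from an untrusted feed.
const SAMPLE_FEED_ITEMS = [
  "Campus closes early for weather",
  "<script>alert(1)</script>",        // markup smuggled into a title
  "Scores: Knights 31, Bulls 17",
  "x".repeat(500),                    // oversized title
  "Q&A with the dean (tonight)",      // punctuation that is harmless as text
];

// Restrict input length at a minimum, then validate by parsing.
const MAX_HEADLINE_LENGTH = 120;
// Printable text only: letters, digits, spaces and common punctuation.
// No '<', '>' or quotes, so a title can never carry a tag or attribute.
const HEADLINE_PATTERN = new RegExp(
  "^[A-Za-z0-9 .,:;'!?()&-]{1," + MAX_HEADLINE_LENGTH + "}$"
);

// Returns the headline unchanged if it passes, otherwise null.
function validateHeadline(text) {
  if (typeof text !== "string") return null;
  if (text.length > MAX_HEADLINE_LENGTH) return null;
  return HEADLINE_PATTERN.test(text) ? text : null;
}

// Minimal stand-in for the DOM so the example runs under Node (assumption
// for this example). Nodes here record textContent and children only.
const fakeDocument = {
  createElement(tagName) {
    return {
      tagName,
      textContent: "",
      children: [],
      appendChild(child) { this.children.push(child); return child; },
    };
  },
};

// Safe rendering: createElement, populate via textContent, then appendChild.
// textContent (like innerText) is never parsed as HTML, so even a title
// that slipped past validation could not become a script.
// Returns the list of headlines actually rendered.
function renderHeadlinesSafe(container, titles, doc = fakeDocument) {
  const rendered = [];
  for (const title of titles) {
    const clean = validateHeadline(title);
    if (clean === null) continue;     // drop anything that fails validation
    const item = doc.createElement("div");
    item.textContent = clean;
    container.appendChild(item);
    rendered.push(clean);
  }
  return rendered;
}

// Stand-alone run for the reader.
const demoContainer = fakeDocument.createElement("div");
const shown = renderHeadlinesSafe(demoContainer, SAMPLE_FEED_ITEMS);
console.log("rendered " + shown.length + " of " + SAMPLE_FEED_ITEMS.length + " titles");
for (const child of demoContainer.children) {
  console.log("  <" + child.tagName + "> " + child.textContent);
}
```

In a browser gadget, call renderHeadlinesSafe(g_viewElements.FeedItems, titles, document); the validator is the line of defense the notes ask for, and textContent plus appendChild is the rendering path that replaces the innerHTML assignment.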