(4) XSS Risk: Cookie Theft

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
  <script src="jquery.js" type="text/javascript"></script>
  <script src="jquery.cookie.js" type="text/javascript"></script>
  <script type="text/javascript">
   $(document).ready(function() {
    $.cookie("username", "Mr.X");
    $.cookie("password", "SuperSecret");
    $("#remote").load("include.html");
   });
  </script>
 </head>
 <body>
  <p>XSS Demo:</p>
  <div id="remote"></div>
 </body>
</html>

<p>This is included content ...</p>
<script type="text/javascript">
 alert("... and this is injected scripting stealing your cookie:");
 alert( document.cookie );
</script>

(5) Same-Origin Policy

• Browsers combine content from various sources
  • HTML loaded from one site
  • images/CSS/scripting may come from other sites
  • resources are identified by URIs which may point anywhere
• Content may have data integrity and privacy implications
  • stealing cookies effectively means stealing an authenticated session
  • access to content should be isolated across sites
• Same-Origin Policies [http://en.wikipedia.org/wiki/Same_origin_policy] isolate content by domain name
  • not perfect and can be circumvented with certain types of attacks
  • the first policy implemented on the Web and the only one you can trust

(6) Mobile Applications and XSS

• Mobile applications often use different services
  • the limitations of browsers can be inconvenient
  • cooperation with well-behaving 3rd-parties can be essential
• Accepting data from 3rd parties can be risky
  • many data formats have the capability to embed code
  • any data format that can embed code should be properly sanitized
  • if data formats can load more data (and code), things become very complicated
• Proper sanitization should be done by all applications
  • many applications do not sanitize and there should be a fallback
  • if applications willingly allow XSS they should be risk-aware

(7) Allowing XSS

• Server-side methods channel everything through one domain
  1. write a program that accepts and forwards requests (custom proxy)
  2. use an HTTP proxy and configure it as a reverse proxy
• Client-side methods engineer around the browser security model
  • same-origin policies only apply to some resource classes
  • cleverly reusing unrestricted access circumvents same-origin policies
• Requesting scripts vs. requesting data from within scripts
  • scripts can be requested from any origin
  • scripts can request data only from the same origin they're from
  • but scripts can request other scripts to be loaded

(9) XMLHttpRequest Restrictions

• XMLHttpRequest in its original design implements the same-origin policy
  • XMLHttpRequest [http://www.w3.org/TR/XMLHttpRequest] implements the same-origin policy
  • XMLHttpRequest2 [http://www.w3.org/TR/XMLHttpRequest2] is less limited but not yet widely deployed
• HTML has a number of elements without request policies
  • img requests images from any domain
  • iframe requests HTML from any domain
  • HTML has a large number of linking elements [http://dret.typepad.com/dretblog/2009/10/links-in-html.html]
  • script is a link to a script that is loaded and executed

(10) JSON is JavaScript

• XMLHttpRequest implements the idea of script-based data access
  • access is limited by the same-origin policy
• script is not limited by any security policy
• Scripts adding new script elements is legal and unrestricted
  • this does not add new risks to the risky practice of loading 3rd-party scripts
  • there is quite a bit of risk to the practice of loading 3rd-party scripts

(11) JSON with padding (JSONP)

• Serve JSON as a script instead of just data
  • JSON data is just a data structure

    { "JSON" : "Hello World!"}

  • JSONP data is a function call and thus can be executed

    jsonp({ "JSON" : "Hello World!"})

• JSONP-aware services must serve data with the padding
  • many JSONP services support setting the function name in the URI

    http://api.flickr.com/…&format=json&jsoncallback=flickrfeed

    [http://api.flickr.com/services/feeds/geo/?g=1313291@N20&lang=en-us&format=json&jsoncallback=flickrfeed]
• JSONP clients must implement the JSONP function call
  • the control flow is the same as for Ajax
  • the handler function is called as soon as the JSONP script loads
• jQuery handles JSONP internally

(12) JSONP Example

jsonFlickrFeed({
 "title":"The MobApp2010 Pool, with geodata",
 "link":"http://www.flickr.com/photos/",
 "description":"",
 "modified":"2010-01-31T06:10:25Z",
 "generator":"http://www.flickr.com/",
 "items":[
  {
   "title":"DSC00809",
   "link":"http://www.flickr.com/photos/47030217@N06/4318229442/",
   "media":{
    "m":"http://farm5.static.flickr.com/4028/4318229442_5ac597fdf5_m.jpg"
   },
   "date_taken":"2010-01-30T21:14:39-08:00",
   "description":"<p><a href=\"http://www.flickr.com/people/47030217@N06/\">stoodle246<\/a> posted a photo:<\/p> <p><a href=\"http://www.flickr.com/photos/47030217@N06/4318229442/\" title=\"DSC00809\"><img src=\"http://farm5.static.flickr.com/4028/4318229442_5ac597fdf5_m.jpg\" width=\"240\" height=\"180\" alt=\"DSC00809\" /><\/a><\/p> ",
   "published":"2010-01-31T06:10:25Z",
   "author":"nobody@flickr.com (stoodle246)",
   "author_id":"47030217@N06",
   "tags":"",
   "latitude":"37.873633",
   "longitude":"-122.256975"
  },

(13) JSONP Handling in jQuery

  // Handle JSONP Parameter Callbacks
  if ( s.dataType === "jsonp" ) {
   if ( type === "GET" ) {
    if ( !jsre.test( s.url ) ) {
     s.url += (rquery.test( s.url ) ? "&" : "?") + (s.jsonp || "callback") + "=?";
    }
   } else if ( !s.data || !jsre.test(s.data) ) {
    s.data = (s.data ? s.data + "&" : "") + (s.jsonp || "callback") + "=?";
   }
   s.dataType = "json";
  }

  // Build temporary JSONP function
  if ( s.dataType === "json" && (s.data && jsre.test(s.data) || jsre.test(s.url)) ) {
   jsonp = s.jsonpCallback || ("jsonp" + jsc++);

   // Replace the =? sequence both in the query string and the data
   if ( s.data ) {
    s.data = (s.data + "").replace(jsre, "=" + jsonp + "$1");
   }

   s.url = s.url.replace(jsre, "=" + jsonp + "$1");

   // We need to make sure
   // that a JSONP style response is executed properly
   s.dataType = "script";

   // Handle JSONP-style loading
   window[ jsonp ] = window[ jsonp ] || function( tmp ) {
    data = tmp;
    success();
    complete();
    // Garbage collect
    window[ jsonp ] = undefined;

    try {
     delete window[ jsonp ];
    } catch(e) {}

    if ( head ) {
     head.removeChild( script );
    }
   };
  }

(15) HTTP Server Configuration

• XMLHttpRequest requests are subject to the same-origin policy
  • accept requests for a 3rd-party URI at some same origin URI
  • forward the request to the 3rd-party URI
• Proxies are used for re-engineering HTTP traffic
  • forward proxies [Mobile Web Mechanics; User Agent Proxies (1)] are configured and used by the client
  • reverse proxies [Mobile Web Mechanics; Reverse Proxies (1)] are configured and used by the server
• The solution we need is a reverse proxy
  • not visible for the client (looks like a same-origin request)
  • passed through to the 3rd party server (additional HTTP hop)

(16) Server Requirements

• Apache needs to support proxying and rewriting URIs

  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule rewrite_module modules/mod_rewrite.so

• Proxying support allows the server to make HTTP requests
• Rewriting allows the server to map incoming URIs to outgoing requests

(17) Mapping Remote Resources

RewriteEngine On
ProxyRequests Off
<Proxy *>
	Order deny,allow
	Allow from all
</Proxy>
RewriteRule ^/staticmap(.*) http://maps.google.com/maps/api/staticmap$1 [P]