radi::blog

On DOM Snitch internals and some of the rationales behind them

2011-07-23T11:40:00.004-05:00

Given some of the feedback I've received during the first couple of weeks after releasing DOM Snitch, I'd like to shed more light into some of the inner workings of DOM Snitch and the rationales behind some of the decisions that were made while building the tool.

Topic 1: Why is DOM Snitch not catching security issues executing at load time through inline JavaScript?

In its current implementation, DOM Snitch is set to start running on a page as soon as the DOMWindow object is created, but before the DOM tree is built. This allows the extension to act either as soon as it's instantiated or when any of the DOM modification events get dispatched. Relying on the events, however, comes with a cost and that is the inability to know what caused the event to be dispatched in the first place; therefore resulting in the tool's inability to gather proper debug information. (I should add the disclaimer that currently DOM Snitch does not use any of the V8 debugging functionality.)

Topic 2: Is DOM Snitch using any of the experimental APIs in Chrome?

The short answer is "no". One of the early goals I set while building the tool was to stay away from experimental APIs or touching the Chromium code base as doing either one of the two will get in the way of deploying easily without changing the security posture of the user. Additionally, using unsupported functionality might result in some maintenance issues further down the line. That being said, I'm quite keen on using the chrome.experimental.debugger API should it become supported by the Chromium team.

Topic 3: On innerHTML, outerHTML, and stale pointers inside JavaScript

Stale JavaScript pointers is one side effects that really worries me when intercepting innerHTML. Although, the tool has gone through lots of iterations to getting this right, I must admit that people still find creative ways to introduce a stale pointer somewhere in their code. By giving a bit more detail on how innerHTML is intercepted, I hope that developers will pay some attention as to what may go wrong in their code from a testability perspective.

In its current version, WebKit does not reveal the internal innerHTML pointers through the getter and setter methods. As a result, by overwriting the innerHTML setter, DOM Snitch loses the value of the original pointer. To counter this, DOM Snitch re-creates the action of setting an element's innerHTML by appending a new child element and setting the child's outerHTML to the intended innerHTML value ( and as it turns out, this will force WebKit to throw away the newly created child element and replace it with whatever children that get introduced through the HTML content). You can see this implementation here.

Creating spreadsheets in Google Docs... mission possible?

2011-06-04T01:57:00.004-05:00

Exporting data as spreadsheets into Google Docs sounds easy and quite feasible. However, it also has a few gotcha's. After struggling for a day, I've decided to share my notes on approaching this problem.

Creating the spreadsheet
My initial requirement for my application is to export my data into a brand new spreadsheet where the user will have ownership of it. A quick stroll through the Spreadsheet API led me to a section describing the need to upload a spreadsheet beforehand or create one manually. This was definitely against my requirements.

However, buried inside the Google Documents List Data API is a mechanism for creating empty documents or from a template (I'll come to this in a minute). Voila!

Changing the term attribute to http://schemas.google.com/docs/2007#spreadsheet surely does the trick if I want a completely blank spreadsheet.

Feeding data into the spreadsheet
This is where it becomes more tricky -- as it turns out, there isn't any convenient way to use the list approach (something I preferred using as opposed to the cell approach) to populate an empty spreadsheet without first telling Google Docs the schema that your list would use. One bit of observation to make is that the list schema is derived from the header row in your spreadsheet, therefore if the A1 cell stores "sample text" as its value, every subsequent row will have the "A" column described as <gsx:sampletext>. In my case, I opted to use a pre-built template from which to create my spreadsheet (see above about copying documents); however, there might be also a workaround involving batch cell update.

Some random tips
Here are some random bits that I found useful during this exercise:
- Always pay attention to the response object when posting new items (be it documents, worksheets, list entries, etc.) to Google Docs. The response object will provide you with some very useful information (stored inside the link element of the feed/entry) about what are the next logical APIs to call.
- The _worksheetId_ for the default worksheet in a newly created spreadsheet is... yes, "default". Should you need to add a row to it, you can simply call POST https://spreadsheets.google.com/feeds/list/[spreadsheet key]/default/private/full.

Edit: I went back to experiment with alternative ways of setting the header row of the default worksheet. As expected, one can set the header row by fetching the cells there and updating them with whatever contents they need to have.

Separating code from data... are we there yet?

2011-03-13T17:45:00.005-05:00

Disclaimer: The opinions in this post are entirely my own and should not be associated with any current or previous employer of mine.

Mixing code and data has been a big (and I mean BIG) problem for decades in security. Setting security design flaws aside, having the ability to transform data into code has led to some of the biggest and probably most notorious examples of why software security really matters. Period.

While there is a lot of progress in handling this problem in native code (examples are plenty: GS, SafeSEH, DEP, ASLR, etc.), where does this leave web? Unlike native applications, the web has one major disadvantage: it relies heavily on parsers that help with the execution of dynamically written code. Browser security aside, there have been a few initiatives to help developers separate code from data through validating data on input or rendering data in a safe format. Although they've been done with a noble intent, I am still not convinced that this is a comprehensive enough solution. Here is why:

Input validation. Input validation limits the user in submitting data... both malicious and legitimate; therefore limiting the application's usability and the its users' productivity. For instance, should the folks maintaining the input validation need to be aware of every context in which their data is used (e.g. database query, JavaScript/JSON, HTML, etc.)?

Output encoding/escaping. Output encoding/escaping is useful for transforming data into a format that is then interpreted as data within the context where the data will be used. However, the major question here is what is the actual context in which the data will be used? In the following sample snippet the data passes through at least 2 different contexts (HTML and JavaScript):
```
<html>
  <head>
    <script>
      document.write('<div id="' + [USER_CONTROLLED_DATA] + '">bla</div>');
```
So naturally the question: how should the encoding/escaping be done in such cases? According to which context should the encoding/escaping be tailored?

Contextual escaping via templates. In most cases and if (a big IF) properly enforced, templates are a good thing to use. Needless to say, with their help development teams can streamline a solution to the problem. From that point on lint and checks on commit are the way to go. However, what if the templates are not strictly enforced? What if the development team provides special cases where data should not be escaped? What if data from upstream already comes escaped/encoded?

So where does this leave web? I suspect the biggest challenge is to separate the channels through which code and data are communicated. Avoiding or limiting the use of code parsers and eval() (or equivalents of it) for parsing data are definitely steps in the right direction...

P.S. - This post has been picking a lot on cross-site scripting as an example. However, the same logic holds for other types of security issues that arise from injection based attacks.

The evil magic of eval

2011-02-25T15:09:00.004-05:00

Eval is a special, very powerful function in many scripting languages. JavaScript is not an exception. Although quite useful for dynamic manipulation of the existing code, any misuse of eval can cause a lot of problems and headaches. StackOverflow covers this topic well, with the exception of one very important bit: eval can get in the way of testability.

Static analysis
With JavaScript being what it is, it is easy to assume that one can painlessly audit the scripting code that runs inside the browser and understand how the client-side part of a web application functions. Well, that's not entirely true. With web applications becoming more complex, we often run into cases where we have a 60k line obfuscated code that looks a lot like this:

function a() {
 this.c = eval;
}
...
var b = a();
var d = b.c(e);

How should this be tested or audited? Simple answer: you can't really or at least not easily.

Dynamic analysis
This leads me to the next bit: what about dynamic analysis? What if we "hook" into eval and listen to the code as it goes by? As it turns out, this isn't a fool proof solution either. Eval is not exactly a function. In fact, if you ask any experienced developer, he/she may flat out tell you that eval is magic and should not be touched. To re-use the example from StackOverflow, what value should the alert box show?

var a = 10;
function foo() {
 var a = 1;
 eval("a+=1");
 alert(a);
}
foo();

As it turns out, eval is aware of the current scope from which it was called; therefore the alert box will show 2 and not 11. This is important because as you overload eval, you change the scope in which it operates (off by 1 stack frame). As a result eval will attempt to manipulate a global object and not the local one. This in turn may lead to a half baked page.

Conclusion
Although eval is very powerful, it is also overly misused for parsing and/or processing data (example: using eval to parse JSON). In a nutshell, eval provides one of the easiest ways to mix code and data... a dangerous thing to do nowadays.

P.S. - Although some browsers (namely Firefox) may allow you to overload eval at a lower level through an extension, it is not necessarily the same case with all mainstream browsers; therefore, some edge cases may be missed.

The importance of the end-user experience: internationalization

2011-01-28T15:30:00.002-05:00

A friend of mine always says: "I don't want more features. I want working features." This friend is also a big fan of Apple and the simple, clean, pleasant, intuitive user interfaces. In principle I agree with him (although I'm not an Apple fan boy), but I'd also like to add that software should work not only in its own little environment, but also in the user's environment.

I've ranted time and time again about the importance of localization and internationalization privately that I think it's time I express my opinion in the public. I'd like to pick on the Apple iTunes Store as an example and point out some of the reasons for my rants.

Here it goes...

Different country means different store.
Be it due to legal issues or some business strategy, Apple has decided separate entities to operate each store at the country level. So for instance, an Inc. operates the U.S. store, a B.V. operates the Dutch store, and so on. One thing worth of noting is that the content in each store differs. While the U.S. store offers games, music, movies, and so on, the Bulgarian store, for example, offers only a limited subset of the iOS apps that are available to U.S. customers.

Transferring from one store to another you ask? Not so easy. Buying a product in the Dutch store does not guarantee that you will receive your updates if you change to the Bulgarian or U.S. stores. Sure, you will get notified that your apps are out of date and a determined attacker may use them to compromise your email and private messaging... but in reality, the app you've installed has been purchased from a separate entity and is not available at the store which you are using. This brings me to the next point...

Your billing address determines your locale.
This is the fun bit in Apple's model. Everything is tied to the customer's payment card. Here is a trivial question: you're an expat living in the U.K., having just moved from Germany (thus having a credit card from a German bank), and are receiving your monthly statements in the Netherlands. Which locale of the Apple Store would you say you are using? The Dutch of course, your billing address is in the Netherlands.

Your locale determines your language.
Here's even the better question: what are the supported languages for your locale? English? German? Actually... Dutch is the only supported language in the Dutch locale. It's sad to see big companies like Apple deciding for their users that if a user receives his/her bank statements in a given country, then he/she surely speaks the local language.

So why am I sharing all this? Well... I for once experienced it as a user. It is not pleasant and it turns users away. Users deserve the right to use software at their own comfort level without being victims of engineering mistakes. Let's learn from this.

The cyber crime ecosystem

2010-11-26T04:00:00.003-05:00

I'm re-sharing via Dexter a presentation from Albert Hui on cyber crime. It's impressive to see how far this has grown technology wise since early 2000s. It seems like yesterday when I read the reports on MyDoom experimenting with it's powers to bring DDoS against Yahoo and Google in the UK.

Anyhow, slide 9 in Albert's presentation is particularly interesting as it shows a nice overview of the players in the cyber crime underground.

Manager index continued...

2010-09-09T22:48:00.002-05:00

After my last post I did a bit more experimenting with the manager statistics. This time I've added a second Bulgarian manager -- Yassen Petrov, the current manager of Levski Sofia. Since both Stoilov and Petrov started their careers roughly the same time, it's interesting to see how they stack against each other. Feedback is always welcome. Enjoy! :)

Edit: I've now added Ilian Iliev, the manager of Beroe to the mix.

Measuring a football manager's performance?

2010-09-07T23:43:00.004-05:00

Bulgaria lost last night to Montenegro. We lost with the same manager that led Levski Sofia to the 1/4 finals in the UEFA Cup and the groups in the Champions League in 2006. So I decided to run some quick stats on his performance as a manager with the team he managed. So far the stats are quite simple and nothing fancy like the Capello Index. Here they are

name: Stanimir Stoilov

2004/05: Levski Sofia
games: 38
wins: 30 (78.9473684211%)
losses: 3 (7.89473684211%)
ties: 5 (13.1578947368%)
goals for: 97 (2.55263157895 per game)
goals against: 23 (0.605263157895 per game)
goal diff: 74

2005/06: Levski Sofia
games: 43
wins: 28 (65.1162790698%)
losses: 8 (18.6046511628%)
ties: 7 (16.2790697674%)
goals for: 86 (2.0 per game)
goals against: 38 (0.883720930233 per game)
goal diff: 48

2006/07: Levski Sofia, Bulgaria
games: 47
wins: 33 (70.2127659574%)
losses: 8 (17.0212765957%)
ties: 6 (12.7659574468%)
goals for: 118 (2.51063829787 per game)
goals against: 40 (0.851063829787 per game)
goal diff: 78

2007/08: Levski Sofia
games: 34
wins: 21 (61.7647058824%)
losses: 9 (26.4705882353%)
ties: 4 (11.7647058824%)
goals for: 62 (1.82352941176 per game)
goals against: 25 (0.735294117647 per game)
goal diff: 37

2008/09: Litex, Bulgaria
games: 44
wins: 24 (54.5454545455%)
losses: 8 (18.1818181818%)
ties: 12 (27.2727272727%)
goals for: 78 (1.77272727273 per game)
goals against: 37 (0.840909090909 per game)
goal diff: 41

2009/10: Litex, Bulgaria
games: 14
wins: 7 (50.0%)
losses: 6 (42.8571428571%)
ties: 1 (7.14285714286%)
goals for: 25 (1.78571428571 per game)
goals against: 20 (1.42857142857 per game)
goal diff: 5

2010/11: Bulgaria
games: 3
wins: 0 (0.0%)
losses: 3 (100.0%)
ties: 0 (0.0%)
goals for: 0 (0.0 per game)
goals against: 6 (2.0 per game)
goal diff: -6

Aside from the trophies that Stoilov has lifted as a manager, there are few interesting observations to make:
- Since 2006/07 Stoilov's teams have been struggling to score 2 goals per game on average
- Starting in 2007/08 Stoilov's teams have an increasing trend in the goals they concede per game on average
- Starting in 2006/07 Stoilov's teams have a downward trend in the percentage games they've won in a season

So then comes the question: what would be the best metrics to evaluate and measure a manager's performance?

Last days in Amsterdam

2010-05-28T10:13:00.002-05:00

These are my last days as a resident of Amsterdam. This morning I submitted my petition to deregister to Gemente Amsterdam. Starting in June, I will reside near the beautiful Swiss Alps.

Tot ziens Amsterdam und grüezi Zurich!

Bugs, security, input validation...

2010-05-26T07:20:00.003-05:00

Gabe has 2 very interesting posts on the topic of validating input:

Input Validation & Injection Vulnerabilities

OWASP and Input Validation

A definitely recommended read.

Domain names in Cyrilic

2010-05-16T06:14:00.002-05:00

Veni Markovski wrote:

http://президент.рф is up and running! congratulations, Russia!!!

Well done, ICANN! We now have domain names in Cyrilic!

I suspect this will have a lot of security implications, but from an internationalization perspective, it's awesome! :)

Business Models

2010-05-13T16:48:00.003-05:00

Roussi sent me the following example of the different business models... have to appreciate the analogies here. :)

To validate or not to validate... that is the question!

2010-03-13T16:11:00.000-05:00

Secure development guidance preaches that all input should be validated for length, format, type, and value as appropriate. Typically, guidance stretches along the lines of validate all input that your code takes and validate accordingly. A few years ago there was a similar belief that input validation can stop cross-site scripting. Although this is partially true, full remediation of cross-site scripting is achieved by properly encoding the input data according to the context in which it is later outputted.

So here comes my question, in order to validate input properly, isn't it better to have the validation to be performed by the code that will act on it as opposed to having the validation at the trust boundary of the overall app? Example: Component1 uses Component2 for backend logic. If Component1 only passes the data straight through to Component2, my belief is that Component1 should leave the input validation to Component2. Thoughts?

SDL courses in the public

2010-03-04T18:57:00.001-05:00

A while ago I was pointing out some interesting stats about the secure development lifecycle (SDL). Last week, Microsoft made its four core SDL training classes available to the public. The titles are:
- Basics of Secure Design Development Test
- Introduction to the Microsoft Security Development Lifecycle (SDL)
- Introduction to Threat Modeling
- Privacy in Software Development

I would encourage everyone with a bit of spare time to take a look at these courses.

The daily /.

2010-03-02T15:13:00.003-05:00

A few interesting stories from my daily /.-ing:

1. CAPTCHA troubles
"Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCAPTCHA, which is also used by Facebook. It’s a third-party CAPTCHA that feeds a CAPTCHA challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCAPTCHA, which then transmits a CAPTCHA challenge to the customer.

But the perpetrators were able to thwart this as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, the authorities said."

After having a chat with Aldwin on the topic, it seems like this might be a serious flaw in CAPTCHA (i.e. mapping a challenge to a response via identifying the filename of the CAPTCHA image). After all, CAPTCHA should allow developers to feed arbitrary text that will then get rendered on the fly.

The original article is here.

2. Nearly 60% of apps fail first security tests. Interesting number from Veracode; however, I wonder in what phase of the SDLC were those apps when they were tested. Although I agree with their argument that more work is required in educating the developers, I must also add that more tooling is necessary (e.g. code annotations, code scanning when committing code to the repository, etc.) to enable developers focus on the bigger security problems.

More on the topic here.

Plastic problems

2010-02-13T04:43:00.000-05:00

...or Cambridge 2 PCI 0

This past week I landed on two very interesting papers that came out of Cambridge. The papers basically discuss the weaknesses of Chip & PIN and the 3-D Secure protocol for online transactions. Highly recommended read.

The Flying Dutchman

2010-01-09T09:00:00.001-05:00

Some recent stats about my whereabouts during the past 3 months:
6 countries
7 cities
3 timezones
2 economic areas
5 currencies
21 flights
27 hours of flight time

Yep.

Martin Palermo... no comment

2009-10-05T17:13:00.001-05:00

This is the guy who missed 3(!!!) penalty kicks in the same match for Inter Milano a few years ago. Now he scores a header from 40 meters. :)

The Story of Stuff

2009-09-29T08:18:00.001-05:00

The 7 plagues of testing

2009-09-07T05:49:00.003-05:00

James Whittaker was running the series of the 7 plagues of software testing on the Google Testing Blog. Since the series are at their last stretch, here is the list of plagues:
1. The Plague of Aimlessness
2. The Plague of Repetitiveness
3. The Plague of Amnesia
4. The Plague of Boredom
5. The Plague of Homelessness
6. The Plague of Blindness
7. The Plague of Entropy

There are also some additional plagues that were suggested by various readers (myself included):
- The Plague of Metrics
- The Plague of Semantics/Assumptions
- The Plague of Infinity/Endlessness/Exhaustion
- The Plague of Miscommunication/Language
- The Plague of Rigidness/Complacency

Out of the suggested bunch, I really like Roussi's notion that complacency can be the result of a product's success.

Recycling security test cases

2009-08-03T09:49:00.006-05:00

Test cases are precious. In my day to day work, a lot of what we do is built around the notion that a test case either passes or fails. Think about the time when you withdraw money out of your favorite ATM or when your favorite application may have compromised your privacy... it's always the case of a passed or failed test case. Is there a flaw in the system? Can the system under test be put to its knees because of it?

A while ago James Whittaker talked about building repositories with reusable test cases. The whole discussion is available at the MSDN blogs. I definitely recommend reading it. As applications often have common flaws, it is beneficial to have such a repository. Tweaking the test cases to the application under test is definitely a "must-do". However, once those tweaks are done for the particular software under test, the job gets much easier.

Reflecting at the security industry, it's hard to not notice the need for James's idea to be adopted. In fact, a typical problem report from a security vendor will include the following bits:

What is the problem?

How can the problem be reproduced?

How can the problem be fixed?

Maybe we should start swapping the second bit with the actual executable test case? I know it's hard to do this for any type of application, but for the most common type -- Web apps -- it's certainly doable. Just look at tools like Selenium and you'll get the idea.

Phish me a Safari

2009-07-22T04:07:00.004-05:00

Recently I decided to install Safari 4. The experience is quite nice, except I'm paranoid about phishing. Yes, I check the certificates of sites where I'm about to provide my user credentials. I check the validity of links before I click on them. I even use different browsers when browsing trusted and not so trusted sites (some might point me to this surf jacking article, but oh well).

In general, phishing is a concept that's been around for a while. It revolves around the idea to trick a user into performing an action while thinking he/she was performing another action. One of the mechanisms to do so is through obfuscating links inside a Web page. More on this can be found here.

Typically, Windows based browsers have been pretty good about revealing the URL of a link before clicking on it as this was a valid concern a few years ago (circa 2004/5). However, after switching to Mac I could say that I'm quite disappointed of not seeing any notification about the links I'm about to click on a page. In a way that goes against the secure by default concept that OS makers started adopting in 2003. Or maybe I'm just assuming too much from Apple?

P.S. - Of course, I can turn on the Safari status bar and everything will be fine; but then, would all users do the same?

Chrome and Privacy Mode

2009-07-15T05:34:00.002-05:00

A while back I was playing around with Google Gears and Incognito mode. The test was simple: I store some data in Gears while in Incognito and try to read it while in Normal mode.

The goal
The goal of this test is quite simple: prove that privacy related data (yes, with Gears gaining momentum a lot of apps like Google Docs, Google Reader, Google Calendar, MySpace, etc. are beginning to utilize Gears' SQLite engine to cache information) that was obtained in Incognito mode will persist in Normal mode and vice-versa.

The code
Load the following code in Incognito mode:

var db = google.gears.factory.create('beta.database');
db.open('privacy-test');

db.execute('drop table if exists secret');
db.execute('create table secret (message text)');
db.execute('insert into secret values (?)', "secret message");

Load the following code in Normal mode:

var db = google.gears.factory.create('beta.database');
db.open('privacy-test');

db.execute('create table if not exists secret (message text)');
var rs = db.execute('select message from secret');
if(rs.isValidRow()) {
 alert(unescape(rs.field(0)));
}

The result
Data indeed persisted. I've posted the code for Incognito mode here and for Normal mode here.

Conclusion
Browsers' attempt to provide additional privacy to users is noble; however, this is valid only for data that the browser controls directly (e.g. cookies, browser cache). As Web applications are becoming richer in features, third party technologies like Google Gears, Flash, and Silverlight will soon need to start playing the privacy game as well if browsers are to fully allow privacy modes to users.

SSN Predictability

2009-07-07T06:42:00.002-05:00

Carnegie Mellon has conducted a study in which they proved the predictability of Social Security Numbers in the U.S. given that date and location of birth are known. Because it is a common practice to tie an individual's SSN to his/her bank accounts, phone bills, drivers license, or practically anything, I'd love to see whether organizations in the U.S. will move more and more toward what their counter parts in Europe are doing -- namely to check the individual's social security number, the government ID number, and various other details about the individual.

This study will also be presented at BlackHat at the end of July.

Web Security 101

2009-06-24T04:00:00.002-05:00

Mike has released a set of webcasts that cover Web security for beginners. These webcasts, including the slides, are available here. Mike's announcement and comments are available here.