nextwebgen.com

The Next Generation Web Now

This Week in HTML 5: Clickjacking

Filed under: Uncategorized — Dion Almaer at 7:47 am on Tuesday, September 30, 2008

Mark Pilgrim, in his latest episode on This Week in HTML 5, got into an interesting topic indeed: clickjacking.

The big news this week is the disclosure of a vulnerability that researchers have dubbed “clickjacking.” To understand it, start with Giorgio Maone’s post, Clickjacking and NoScript. Giorgio is the author of the popular NoScript extension for Firefox. In its default configuration, NoScript protects against this vulnerability on most sites in most situations; you can configure it to defeat the attack entirely, but only at the cost of usability and functionality.

Of course, most web users do not run Firefox, and fewer still run NoScript, so web developers still need to be aware of it. Michal Zalewski’s post, Dealing with UI redress vulnerabilities inherent to the current web, addresses some possible workarounds:

  1. Using Javascript hacks to detect that window.top != window to inhibit rendering, or override window.top.location. These mechanisms work only if Javascript is enabled, however, and are not guaranteed to be reliable or future-safe. If the check is carried on every UI click, performance penalties apply, too. Not to mention, the extra complexity is just counterintuitive and weird.
  2. Requiring non-trivial reauthentication (captcha, password reentry) on all UI actions with any potential for abuse. Although this is acceptable for certain critical operations, doing so every time a person adds Bob as a friend on a social networking site, or deletes a single mail in a webmail system, is very impractical.

Worried yet? Now let’s turn to the question of what browser vendors can do to mitigate the vulnerability. Michal offers several proposals. It is important to realize that none of these proposals have been implemented yet, so don’t go rushing off to your text editor and expecting them to do something useful.

A few suggestions were discussed and one “moves us down a slippery slope towards site security policies for IFRAMEs and embedded content, similar to the Flash security model that allows trusted sites to access cross-domain resources. In practice, Flash crossdomain.xml files have a number of problems, and such an approach would still only cover a fraction of the possible use cases.”
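The first of Zalewski's workarounds above, the `window.top != window` check, shown as an added example (it is not code from Pilgrim's post, from NoScript or from Zalewski). The `win` parameter and the `makeWindow` helper are stand-ins introduced here so the logic can be exercised outside a browser with constructed objects; in a real page `win` is simply the global `window`.

```javascript
// Added example: a frame-busting check of the kind the first workaround describes.
// `win` stands in for the browser's global `window`; `makeWindow` builds constructed
// objects with the same shape so the code runs without a DOM.

// True when the document is rendered inside a frame: the global window is not the
// top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Load-time defence: if framed, try to replace the framing page with ourselves.
// Returns what happened so the caller can observe it.
function frameBust(win) {
  if (!isFramed(win)) return 'not-framed';
  try {
    win.top.location = win.self.location.href;
    return 'busted';
  } catch (e) {
    // A hostile parent may refuse or cancel the navigation; the check carries
    // no guarantee, which is the unreliability Zalewski refers to.
    return 'blocked';
  }
}

// Per-action guard (the "check on every UI click" variant): a sensitive handler
// refuses to run while framed rather than trusting the click.
function guardAction(win, action) {
  if (isFramed(win)) return { performed: false, reason: 'framed' };
  return { performed: true, result: action() };
}

// Constructed stand-in for a window: either top-level, or framed by a parent that
// may block navigation (hypothetical option for the demonstration).
function makeWindow(framed, options) {
  const opts = options || {};
  const self = { location: { href: 'https://victim.example/transfer' } };
  self.self = self;
  if (!framed) {
    self.top = self;
    return self;
  }
  const top = {
    _href: null,
    set location(v) {
      if (opts.blockNavigation) throw new Error('navigation blocked by parent');
      this._href = v;
    },
    get location() { return this._href; }
  };
  self.top = top;
  return self;
}

// Stand-alone usage: a framed page busts out, a page held by its parent cannot.
console.log(frameBust(makeWindow(true)));                            // busted
console.log(frameBust(makeWindow(true, { blockNavigation: true })));  // blocked
console.log(guardAction(makeWindow(true), () => 'transfer sent'));    // refused
```

The guard only exists while JavaScript is running, and the parent page chooses whether the navigation in `frameBust` is honoured, so the per-action guard is the more defensive of the two: it refuses the sensitive operation rather than hoping the bust succeeded.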

Report and Case Study on CSRF

Filed under: Uncategorized — Dion Almaer at 7:41 am on Tuesday, September 30, 2008

Bill Zeller and Ed Felten have published a report on Cross-Site Request Forgery attacks on popular Web sites:

We found four major vulnerabilities on four different sites. These vulnerabilities include what we believe is the first CSRF vulnerability that allows the transfer of funds from a financial institution. We contacted all the sites involved and gave them ample time to correct these issues. Three of these sites have fixed the vulnerabilities listed below, one has not.

CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don’t verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will (unbeknownst to the user) send a request to a second site, and the second site will mistakenly think that the user authorized the request.

The chaps share details on the following attacks:

1. ING Direct (ingdirect.com)

Status: Fixed

We found a vulnerability on ING’s website that allowed additional accounts to be created on behalf of an arbitrary user. We were also able to transfer funds out of users’ bank accounts. We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution. Specific details are described in our paper.

2. YouTube (youtube.com)

Status: Fixed

We discovered CSRF vulnerabilities in nearly every action a user could perform on YouTube. An attacker could have added videos to a user’s “Favorites,” added himself to a user’s “Friend” or “Family” list, sent arbitrary messages on the user’s behalf, flagged videos as inappropriate, automatically shared a video with a user’s contacts, subscribed a user to a “channel” (a set of videos published by one person or group) and added videos to a user’s “QuickList” (a list of videos a user intends to watch at a later point). Specific details are described in our paper.

3. MetaFilter (metafilter.com)

Status: Fixed

A vulnerability existed on Metafilter that allowed an attacker to take control of a user’s account. A forged request could be used to set a user’s email address to the attacker’s address. A second forged request could then be used to activate the “Forgot Password” action, which would send the user’s password to the attacker’s email address. Specific details are described in our paper.

(MetaFilter fixed this vulnerability in less than two days. We appreciate the fact that MetaFilter contacted us to let us know the problem had been fixed.)

4. The New York Times (nytimes.com)

Status: Not Fixed. We contacted the New York Times in September, 2007. As of September 24, 2008, this vulnerability still exists.

A vulnerability in the New York Times’ website allows an attacker to find out the email address of an arbitrary user. This takes advantage of the NYTimes’s “Email This” feature, which allows a user to send an email about a story to an arbitrary user. This email contains the logged-in user’s email address. An attacker can forge a request to activate the “Email This” feature while setting his email address as the recipient. When a user visits the attacker’s page, an email will be sent to the attacker’s email address containing the user’s email address. This attack can be used for identification (e.g., finding the email addresses of all users who visit an attacker’s site) or for spam. This attack is particularly dangerous because of the large number of users who have NYTimes’ accounts and because the NYTimes keeps users logged in for over a year.

TimesPeople, a social networking site launched by the New York Times on September 23, 2008, is also vulnerable to CSRF attacks. We hope the New York Times will decide to fix these vulnerabilities now that they have been made public.

And, what about mitigation?

Our paper provides recommendations for preventing these attacks. We provide a server-side plugin for the PHP MVC framework Code Igniter that can completely prevent CSRF. We also provide a client-side Firefox extension that can protect users from certain types of CSRF attacks (non-GET request attacks).

Dojo Fishtank

Filed under: Uncategorized — Dion Almaer at 7:30 am on Tuesday, September 30, 2008

Blaine Ehrhart wrote a fun little fish tank using Dojo, as another example of doing animation using JavaScript, which includes the following to give you a taste:

JAVASCRIPT:

    // Requires Dojo 1.x with the fx module loaded.
    dojo.require("dojo.fx");

    // Animates one bubble element: drifts it sideways, floats it upward and
    // fades it out (then removes it) once it nears the top of the tank.
    function playBubble(target, newbubble) {
        var top = parseInt(target.style.top, 10);
        var left = parseInt(target.style.left, 10);
        var rand = 50 + Math.round(50 * Math.random());
        // Here we detect how far up the page the bubble is so we can fade it out with the dojo.fadeOut function and delete it
        if (top <= 150) {
            var fadeOut = dojo.fadeOut({
                node: target,
                duration: 200,
                // dojo._destroyElement is the Dojo 1.x removal helper used by the original
                onEnd: function() { dojo._destroyElement(target); }
            });
            fadeOut.play();
            return true;
        }
        // If it's a new bubble then we want to set up its bubble sequence to go up
        if (newbubble == 1) {
            var floatUp = dojo.fx.slideTo({
                node: target,
                duration: 10000,
                properties: {
                    top: {
                        end: "-200",
                        unit: "px"
                    }
                }
            });
            floatUp.play();
        }
        // After many random variables are used you get a very bubbly effect when using dojo.fx.slideTo
        var bubbleEffect = dojo.fx.slideTo({
            node: target,
            duration: 1000,
            properties: {
                left: {
                    end: (left % 2) ? (left - rand) : (left + rand),
                    unit: "px"
                }
            },
            // Re-enter without the newbubble flag so only the sideways drift repeats
            onEnd: function() { playBubble(target); }
        });
        bubbleEffect.play();
        return true;
    }

Web 2.0: Unprecedented data liabilities for users and businesses (ZDNet)

Filed under: Uncategorized — Yahoo! News Search Results for web 2.0 at 6:47 am on Tuesday, September 30, 2008

Guest post: Drew Bartkiewicz is a Technologist and Author of the Upcoming Book, Unseen Liability.  He is a Graduate of Yale and West Point.  He insures Web 2.0 business risks with The Hartford.  His post is a follow-up to a recent talk he gave on Web business risk.  As an industry and as users of the modern Internet we have gone from our Internet childhood of Web 1.0, full of data innocence, …

Web 2.0: Unprecedented data liabilities for users and businesses – ZDNet

Filed under: Uncategorized — web 2.0 - Google News at 6:03 am on Tuesday, September 30, 2008
Web 2.0: Unprecedented data liabilities for users and businesses
ZDNet - 56 minutes ago
He insures Web 2.0 business risks with The Hartford. His post is a follow-up to a recent talk he gave on Web business risk. As an industry and as users of

Selection blunder not on – Independent Online

Filed under: Uncategorized — Ajax - Google News at 5:15 am on Tuesday, September 30, 2008
Selection blunder not on
Independent Online, South Africa - 44 minutes ago
The Ajax and Bloemfontein Celtic players will miss Tuesday's Bafana clash against Malawi because their clubs have decided that they will be needed when the

Teleworking drives Web 2.0 applications – NetworkWorld.com

Filed under: Uncategorized — web 2.0 - Google News at 5:13 am on Tuesday, September 30, 2008
Teleworking drives Web 2.0 applications
NetworkWorld.com, MA - Sep 30, 2008
Though early adoption was primarily in the consumer space, Web 2.0 applications – including wikis, blogs, shared workspaces, and social computing – are

A Web 2.0 Book Launch: An Innovative Thriller Author Throws a New … – PR Web (press release)

Filed under: Uncategorized — web 2.0 - Google News at 3:08 am on Tuesday, September 30, 2008
A Web 2.0 Book Launch: An Innovative Thriller Author Throws a New
PR Web (press release), WA - 1 hour ago
To a Web 2.0 generation accustomed to tag clouds, wikis and widgets, authors' static text-and-images-only websites are as outdated as Fred Flintstone's
