With New Features Come New Vulnerabilites. The Web is Broken.

I spam in twitter and RSS.
HN discussi0n

°ÂÁ´ Digest:

• Rails coders, I remind you the very last time :) Run Ì¿Îá¡Ê¤¹¤ë¡Ë Find ".to_json" agains your 'app/¸«²ò¡Ê¤ò¤È¤ë¡Ës' and please sanitize it, I ¤Ä¤Þ¤º¤¯ upon »öÎã¡¿´µ¼Ô 2 from my Rails & °ÂÁ´ talk really often.
• Use JSONP only with unique µ­Ç°ÉÊ per »ÈÍѼÔ. Don't give out »äŪ¤Ê data ·Ðͳ¤Ç static URL.
• It goes without Àâ but.. Ëܵ¤¤Ç, Regexp /^http://www.¾ì½ê¡¿°ÌÃÖ.com/ is not enough to mitigate CSRFs (Yeah, also if you are rubyist you should use \A instead of ^! Rails has »×¤¤½Ð¤ÎÉÊ now https://github.com/rails/rails/pull/6671) Why? Because http://www.¾ì½ê¡¿°ÌÃÖ.com.hacker.com and http://www.¾ì½ê¡¿°ÌÃÖ.com@hacker.com both are legit domains too. Do Äɲ乤ë "\/" in the end of your Regexp. Anyway, don't rely on Referer.
• X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs (XFO) ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸« from Javascript
• I ÀßΩ¤¹¤ë out that 'autofocus onfocus=ÃíÆþ¤¹¤ë' is a really nice vector and ºîÉÊ ¹­Âç¤Ê¡¿Â¿¿ô¤Î¡¿½ÅÍפÊ. Thanks .mario's html5sec.org, some of »öÎã¡¿´µ¼Ôs over there are really ²ÁÃ͡ʤ¬¤¢¤ë¡Ë getting ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½êd.
• This is new section, please ¸º¾¯¡Ê¤¹¤ë¡Ë me a line homakov@gmail.com if you have any epic thing about °ÂÁ´ :3

¸½ºß¤Î status:
On the left - Me, pointing ¤µ¤Þ¤¶¤Þ¤Ê problems, ²î»à¤¹¤ëing to get feedback and Äó°Æ¤¹¤ëing some ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëing in a painless way.
On the ¸¢Íø - browsers, ruby, community, whatever's ÊÖÅú :)

Look, web °ÂÁ´ is all about philosophy and ³µÇ°. Root of plenty of the problems is a poor problem ²òÅú/design or irresponsible Äɲ乤ëing of new features.

When browsers ´ï¶ñ¡¿¼Â»Ü¤¹¤ë a new feature they should also care how it'll work along with ¸ºß¤¹¤ëing websites, ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of °ÂÁ´ too.

Cross POST ÌÀÇò¤Ë breaks Web.

I used words and ³èÆ°¡¿ÀïÆ®s to ¾ÚÌÀ¤¹¤ë my point that POST CSRF is just a really poor part of Web  but barely got ¸å·Ñ¤¹¤ë. 

Yeah, I was always talking only about POST, CSRF GET is ¾µÇ§¤¹¤ë. Some guys answer "Browser should not °·¤¦ requests, there is no difference between GET and POST or whatever for him". 

There is difference, they just work in the different ways and are supposed to do the different things. Dear browser, please care about that. 

This time (I hope last time because I'm tired to get »Ù±ç¤¹¤ë to the »ÙÇÛ¤¹¤ë over and over) I °úÍѤ¹¤ë wikipedia.

Per RFC 2616, the POST method should be used for any ¾õ¶· in which a request is Èó¡¤ÉÔ¡¤Ìµ-idempotent: that is, it ¸¶°ø¡Ê¤È¤Ê¤ë¡Ës a change in server ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë each time it is À®¤·¿ë¤²¤ëd, such as submitting a comment to a blog ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë or Åêɼ¡Ê¤¹¤ë¡Ëing in an online Åêɼ.

Site1 ¸¶°ø¡Ê¤È¤Ê¤ë¡Ës "a change in server ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë" on Site2. Read again, it's vanilla English: "such as submitting a comment to a blog ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë or Åêɼ¡Ê¤¹¤ë¡Ëing in an online Åêɼ". It's ÌÀ³Î¤Ë not supposed that Site1 will Åêɼ¡Ê¤¹¤ë¡Ë for you (hi putin).

How to explain an obvious thing? I'm exhausted. Just ÈÝÄꤹ¤ë cross POST, make it Àܶá-»ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë-µö¤¹-Origin based (ƱÍÍ¤Ë as XHR2 ºîÉÊ), in ¿·µ¬²ÃÆþ developers should ¼è¤Ã¤ÆÂå¤ï¤ë it with cross GET when possible (all analytics work that way). And it will be over. The worst web vulnerability (¤ÎÃæ¤Ç "fixable" vulns, XSS and SQL ÃíÆþ¤¹¤ë are not fixable that Ê¿°×¤Ê) would be ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd ¨»þ¤Ë.

¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ës and Clickjacking. In 2012?
Do you want to find pictures of you on the first page of some stupid magazine w/o your À§Ç§? I don't. Nobody does.

In the Internet it happens: Site1 ´Þ¤às Site2 or Site3 or them all in ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ës and this is an ÀäÂÐ silly allowance ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of °ÂÁ´. Neither Site2 nor site3 want to be shown on Site1. They really don't want it BY DEFAULT ÌÀÇò¤Ë.

I know only one "good" usage of cross ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ës - google images. It Ééôs page with ½é¤á¤Î page in the background ÁØ. Silly ²òÅú: the ¾ì½ê¡¿°ÌÃÖ thinks you are visiting it + it will not work with framekillers or X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs + GET CSRF attack is possible not by ÌÜŪ etc + you don't interact with the website anyhow = much better to use Screenshots instead of the 'trick'. 

¸½¼Â¤Ë google already has screenshots of all pages - please, use them, ¾µÇ§¤¹¤ë? 

Clickjacking and cross ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ëing (which is ´Êñ¤Ë senseless 'feature') are getting worse:

sandbox ¤»¤¤¤Ë¤¹¤ë
This ¤»¤¤¤Ë¤¹¤ë turns JS in the ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë off. Framekillers (only whitelist-based helps) just don't work. But without JS clickjacking is not working.
Wait! Most of Web2.0 websites use unobtrusive JS - even w/o JS they work °æ¸Í¡¿ÊÛ¸î»ÎÀÊ. So just ¶¡µë¤¹¤ë sandbox='µö¤¹-forms' to make <form> submissions work and enjoy clickjacking!

seamless 
This ¤»¤¤¤Ë¤¹¤ë ÌÜŪ¡Ê¤È¤¹¤ë¡Ës to ½üµî¤¹¤ë all ¹ñ¶­s - to make ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë look as native as possible. It does a ¹­Âç¤Ê¡¿Â¿¿ô¤Î¡¿½ÅÍ×¤Ê ¹¥°Õ for phishing websites. I have seen it in ³èÆ°¡¿ÀïÆ® (smth like g00gle.com.co.co.com used my profile picture) and this is wonderful - any square on any website can be embedded in your ¾ì½ê¡¿°ÌÃÖ. 
"seamless - making UI À§Àµ¤¹¤ëing clickjacking good looking since HTML5". WTF?

Below is seamless ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë for m.vk.com with turned off JS. ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë looks pretty native and trustful.


Content Type Æ÷¤¤¤ò¤«¤°ing Problem.
Don't you remember 'breaking news' a few years ago: "JSON Arrays ϳ¤ì¤ë!". I hope you do, read the ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë from John Resig if you don't. Now I wonder: Why they patched it by changing Javascript interpreter instead of ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëing the real problem - browsers Æ÷¤¤¤ò¤«¤° content-type?

Web ³«È¯ is not for idiots. But why browsers assume that developer is lame idiot? Why browsers are trying to ²ò¼á¤¹¤ë¡¿ÄÌÌõ¤¹¤ë text/html, text/plain, »ÈÍÑ¡¿Å¬ÍÑ/json, images and whatever? 

We »Ï¤á¤ë¡¤·è¤á¤ë proper Content-Type to ÌÀ³Î¤Ë tell you what Æù¿Æ¡¤¿ÆÎàd of content is inside. And if this is »ÈÍÑ¡¿Å¬ÍÑ/json I think it is ÌÀÇò¤Ë not JS (»ÈÍÑ¡¿Å¬ÍÑ/javascript), isn't it?

Yet another °ÂÁ´ header has been introduced to "ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë" this ÌäÂ꡿ȯ¹Ô¤¹¤ë in IE - X-Content-Type-ÁªÂòs:nosniff which ¸½¼Â¤Ë is useless and doesn't work in chrome. text/html is ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ëd assuming it's JS. 

Proof of ³µÇ° - some server Åú¤¨¤ë¡¿±þ¤¸¤ës with plain data (not in JSON/XML) thus it likely will not raise Syntax error. Google Wallet ÊÖÅú is text/html '¾µÇ§¤¹¤ë' which is also valid JS. Login ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸«:
window.__defineGetter__('¾µÇ§¤¹¤ë',µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(){·ÙÊó('you are logged in google wallet');})
ʸ½ñ.Îá¾õ('<script src="https://wallet.google.com/manage/ping"></script>')
Anti-XSS Êݸî or Yet Another Nice Æ»¶ñ for Defacing & °Î¶È¡¿ÍøÍѤ¹¤ëing
Some info about X-XSS-Êݸî header.

X-XSS-Êݸî is ¡¼¤¹¤ë¤Ä¤â¤ê¤Ç¤¢¤ëd to be a header to »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë XSS Auditor in Chrome and IE - it just checks does the ÊÖÅú ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ë some param from request and if attack is ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ëd all URLs are ¼è¤Ã¤ÆÂå¤ï¤ëd with 'about:blank' and XSS <script></script> tags are ½üµî¤¹¤ëd.

Let's µÕž¤¹¤ë it - you can easily get rid of ANY script/inline event(onclick,onmouseover)/link with 'javascript:' just passing a few lines of that code in request params. Browser thinks that XSS is happening and ½üµî¤¹¤ës those "XSSed" parts, which are just native parts of the website.

We can easily run some page w/o jQuery library, without validators.js or onclick=Ͷȯ¤¹¤ë('are you sure?') ´Êñ¤Ë¤¹¤ëing clickjacking. It's up to you how to get Íø±×¡Ê¤ò¤¢¤²¤ë¡Ë from the 'feature'. 

Getting rid of Google Adsense:
http://www.SITE.com/?ads_go_away=%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fshow_ads.js%22%3E

I have fun sending this link — http://www.google.com/?%3Cscript%3Eif(google.j.b)ʸ½ñ.ÃÄÂΡ¿»àÂÎ.style.visibility%3D'hidden'%3B - to my friends and telling google.com seems broken. May be you know why it turns into 'about:blank'? Here is why: google websites send X-XSS-Êݸî:1; Êý¼°=Éõº¿¤¹¤ë which equals "Do not ½üµî¤¹¤ë XSS, just show about:blank if attack is ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ëd".

I also don't like framekillers. I got to switch JS off with 'sandbox'. But websites are often broken without JS... ²òÅú!

Let's ñ¤Ë ½üµî¤¹¤ë the annoying framekiller and leave JS alone! Showcase — Æ°¤­¤ä¤¹¤¤ ¸«²ò¡¿ËÝÌõ¡¿ÈÇ of vk.com (russian facebook) — m.vk.com

<form method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ³èÆ°¡¿ÀïÆ®="http://m.vk.com" Ū=ifr><textarea »Ø̾¤¹¤ë="get_rid_of_framekiller"></textarea></form><iframe »Ø̾¤¹¤ë=ifr></iframe>

Paste in textarea and Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë. Enjoy clickjacking with working JS and Éõº¿¤¹¤ëd framekiller.
<script type="text/javascript">parent&&parent!==window&&(ʸ½ñ.getElementsByTagName('ÃÄÂΡ¿»àÂÎ')[0].innerHTML='');

Bad »ÈÍÑ¼Ô experience: Basic auth should be shown in a new window.
There was popular phishing through <img src=basicauth> a while ago. Now that's ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd in Chrome but it still ºîÉÊ when you click any link.

Recap:

• Cross POST. Make it work as XHR2 POST ºîÉÊ (Origin — based).
  Backwards incompatibility: ̵ (there are no "good" websites relying on cross POST). But sadly I feel it will never be done.
• »Ï¤á¤ë¡¤·è¤á¤ë default X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs to SAMEORIGIN. ˸¤²¤ës ALL Æù¿Æ¡¤¿ÆÎàd of clickjacking/¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë busters ÇË»º¤·¤¿¡¿¡Ê·Ù»¡¤¬¡Ë¼êÆþ¤ì¤¹¤ëing: UI À§Àµ¤¹¤ëing, transparent ÁØ, drag and ¸º¾¯¡Ê¤¹¤ë¡Ë (direct and µÕž¤¹¤ëd), XSS °Î¶È¡¿ÍøÍѤ¹¤ë ·Ðͳ¤Ç ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë src etc..
  Backwards incompatibility: ³èÆ°¡¿ÀïÆ®s must be taken carefully - We should Í׵᤹¤ë all pages those want to be appeared to send X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs: ALLOWALL and some day (probably in a year) ÈÝÄꤹ¤ë cross ¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ës if X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs is not ALLOWALL. It must be ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½êd because of incredible prevalence of "¹¶·â¤ò¼õ¤±¤ä¤¹¤¤" ¾ì½ê¡¿°ÌÃÖs. Very tiny ¥Ñ¡¼¥»¥ó¥È of ¾ì½ê¡¿°ÌÃÖs uses X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs. The web will be saved and safer.
• XSS Auditors are ¸½¼Â¤Ë helpful — I have seen it 'in ³èÆ°¡¿ÀïÆ®' and was impressed! But it's also harmful for now. We need to make them better by making 2 simple things:
  1. default to '1; Êý¼°=Éõº¿¤¹¤ë' instead of ¸½ºß¤Î 'Êý¼°=½üµî¤¹¤ë ÃíÆþ¤¹¤ëd scripts'. I see no sense to show ÂŶ¨d page to »ÈÍѼÔ.
  2. we should ·Ù¹ð¤¹¤ë »ÈÍѼÔs as we ·Ù¹ð¤¹¤ë them about insecure SSL cert. Redirect to about:blank is bad »ÈÍÑ¼Ô experience.
  Backwards incompatibility: ̵.
• sandbox ¤»¤¤¤Ë¤¹¤ë. Why do we need it at all? It is useless but harmful. Site1 switches off JS for site2. Try to be in site2's shoes, it's like ¸ºß naked :)
  Backwards incompatibility: approx. ̵. It's HTML5 ¤»¤¤¤Ë¤¹¤ë, not ´ï¶ñ¡¿¼Â»Ü¤¹¤ëd everywhere thus not used.
• browsers should be more strict with Content-Type. HTML and JSON Hashes raise syntax error when ´Þ¤àd in <script>. But who knows what doesn't raise and which data can ϳ¤ì¤ë in the ̤Íè?
  Backwards incompatibility: Low

Finally — we see '°ÂÁ´ is optional' ÂÖÅÙ too often. 

Don't forget to »Ï¤á¤ë¡¤·è¤á¤ë X-¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë-ÁªÂòs='SAMEORIGIN', X-Content-Type-ÁªÂòs='nosniff' and also X-XSS-Êݸî='1;Êý¼°=Éõº¿¤¹¤ë' which ¸½¼Â¤Ë must be default for 99% of ¾ì½ê¡¿°ÌÃÖs. 

Don't forget to ˸¤²¤ë cross POST Ω¾Ú¤¹¤ëing µ­Ç°ÉÊs, make sure all your links point to Ū=_blank. 

½üµî¤¹¤ë framekillers — they are broken and useless now. 

It seems browsers don't want to do this for us. Let's ask them?

Any feedback is welcome (grammar ´Ø·¸¤Î¤¢¤ë either), we must leave SaferWeb for our kids and for this kitten's sake.