flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15974
Location: Qo'noS
Did you fly BA recently and use their JS-laced website to book? Oops, maybe you should check your CC for pwnage.
Last week, British Airways revealed that all the payment information processed through the airline's website and mobile app between August 21 and September 5 had been exposed. As many as 38,000 British Airways customers may have had their contact and financial information stolen in the breach, which evidence suggests was the result of malicious JavaScript code planted within British Airways' website.
Or maybe you have been using NoScript thinking it will protect you? Oops, nope.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS). PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
No JS for me.
Post 12 Sep 2018, 04:28
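The Tor Browser/NoScript advisory quoted in the post above turns on how a response's Content-Type header is classified. The following is an added example written for this page; it is not code from the post, from NoScript or from Tor Browser, and the exact internal check NoScript used is an assumption here. It contrasts a naive substring match on the raw header with a parse of the media type the way HTTP defines it (type/subtype, then ';'-separated name=value parameters), and shows that a header such as `text/html;/json` passes the naive "this is JSON data" test while the browser still treats the body as an HTML document in which script runs.

```javascript
// Added example (not from the original post, not NoScript/Tor Browser code).
// Compares two ways of deciding whether a response is "JSON data" (scripts
// need not be blocked) versus "an HTML document" (scripts must be blocked).

// Naive check: substring match anywhere in the raw header value.
function naiveIsJson(contentType) {
  return String(contentType).toLowerCase().includes("json");
}

// Parse "type/subtype; name=value; ..." roughly as browsers do: the part
// before the first ';' is the media type; each later part is a parameter
// only if it contains '=' (so a stray "/json" is junk, not a parameter).
function parseMediaType(contentType) {
  const [first, ...rest] = String(contentType).split(";");
  const essence = first.trim().toLowerCase();
  const m = /^([a-z0-9!#$&^_.+-]+)\/([a-z0-9!#$&^_.+-]+)$/.exec(essence);
  if (!m) return null;
  const params = {};
  for (const part of rest) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // no '=': not a parameter, ignore it
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (name && !(name in params)) params[name] = value; // first one wins
  }
  return { type: m[1], subtype: m[2], essence, params };
}

// Strict check: only application/json or a "+json" structured-syntax suffix.
function strictIsJson(contentType) {
  const mt = parseMediaType(contentType);
  return mt !== null &&
    (mt.essence === "application/json" || mt.subtype.endsWith("+json"));
}

// What the rendering engine does with the body: a text/html essence is parsed
// as a document and any <script> in it executes, whatever follows the ';'.
function browserRendersAsHtml(contentType) {
  const mt = parseMediaType(contentType);
  return mt !== null && mt.essence === "text/html";
}

// Both policies side by side for one header. A "bypass" is a response that the
// filter waves through as data but that the browser executes as a page.
function evaluate(contentType) {
  const html = browserRendersAsHtml(contentType);
  return {
    contentType,
    browserRendersAsHtml: html,
    naiveBypass: naiveIsJson(contentType) && html,
    strictBypass: strictIsJson(contentType) && html,
  };
}

// Constructed sample headers, including the one from the advisory.
const SAMPLE_HEADERS = [
  "text/html;/json",                    // the advisory's header
  "text/html; charset=utf-8",           // ordinary page
  "application/json",                   // genuine data
  "application/ld+json; charset=utf-8", // data, with a +json suffix
  "text/html; charset=json",            // "json" only inside a parameter value
];

if (typeof require !== "undefined" && require.main === module) {
  for (const h of SAMPLE_HEADERS) console.log(evaluate(h));
}
```

The lesson is not the particular string: any classifier that looks at the header differently from the engine that consumes the body leaves a gap, and the only robust position is to parse the media type once, the same way the renderer does, and decide from the essence.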
DimonSoft



Joined: 03 Mar 2010
Posts: 362
Location: Belarus
I guess it’s not a matter of JavaScript only, it’s a matter of software whose quality should be measured on the Bristol scale.
Post 12 Sep 2018, 08:19
revolution
Also note the poor usage of the word "stolen" in the first article. You can't have your financial and contact information stolen. You still have it after the breach. Just that now some hacker has it also.
Post 12 Sep 2018, 08:29
sleepsleep



Joined: 05 Oct 2006
Posts: 7502
Location: ˛ Posts: 6699
Let me introduce a new word: clonejack. Laughing

Why don't they just introduce double MD5 or similar hashes for a page, with the hashes stored in a blockchain, every modification essentially a blockchain transaction, and incoming visits equal to coin generation?
Post 12 Sep 2018, 21:35
DimonSoft
Double hashing doesn’t improve hashes and blockchain has obvious problems with its usage.
Post 12 Sep 2018, 22:01
revolution
sleepsleep: I don't see how a public and open ledger (i.e. a blockchain) is supposed to prevent JS problems? Do you have some plan in mind?
Post 13 Sep 2018, 00:50
sleepsleep
I've got ideas on how to solve these JS issues, please fund me :pray:
Post 13 Sep 2018, 09:04
Furs



Joined: 04 Mar 2016
Posts: 1225
sleepsleep wrote:
I've got ideas on how to solve these JS issues, please fund me :pray:
You need convincing arguments for people to fund your ideas. How about explaining them first? Cause I'm sure they're exploitable Wink
Post 13 Sep 2018, 12:08
revolution
Solving JS issues is easy. Eliminate JS. It isn't needed. There, problem solved. You're all welcome. Smile
Post 13 Sep 2018, 12:10
sleepsleep
We transport x bytes from the network into our PC; nothing happens if we just transfer them, provided we have a solid protocol and zero ways to cause a buffer overflow.

With static content we are vulnerable at parsing it for display; dynamic content causes parsing, executing and display.

Limited scripting support is doable.

Dynamic content is useful, because not all the data we want is located in one place, and it allows updating a section without re-downloading the whole static thing.


Are we making everything too complex? I guess so; that's why we have so many issues, never ending.

What is the simplest proven way?
Post 13 Sep 2018, 12:49
revolution
The problem with scripting is that it is unable to be audited. No matter how "safe and secure" you make a scripting language it will always have vulnerabilities. Because the vulnerabilities aren't necessarily to do with the language implementation, but the mere existence of a language itself. The ability of some random third-party website to tell your first-party system what to execute is the root of the problem. The entire model is inherently unsafe. It can't be made safe by simply making the implementation "safe and secure". To show the evidence of that just look back through this very thread.
Post 13 Sep 2018, 12:56
DimonSoft
revolution wrote:
The problem with scripting is that it is unable to be audited. No matter how "safe and secure" you make a scripting language it will always have vulnerabilities. Because the vulnerabilities aren't necessarily to do with the language implementation, but the mere existence of a language itself. The ability of some random third-party website to tell your first-party system what to execute is the root of the problem. The entire model is inherently unsafe. It can't be made safe by simply making the implementation "safe and secure". To show the evidence of that just look back through this very thread.

I think, sleepsleep has a good point: even if we switch to static content or declarative content there’s still place for vulnerabilities in the implementation because, well, HTML is a language as well. It is not a programming language but its syntactic elements imply certain behaviour so it’s just a projection from language constructs to implementation-defined code pieces.

And no difference here between JS and plain HTML. We can only talk about probabilities here but the whole problem is not solvable: either you say we can’t write bugless software and then you can’t rely on plain HTML (or even plain text) being safe to use, or you say we can avoid all possible bugs and then it doesn’t matter which language implementing which paradigm we use to describe what the user sees.
Post 13 Sep 2018, 13:20
revolution
I see a fundamental difference with HTML and JS. HTML can't spy on the user. HTML can be controlled in the browser by the user deciding which elements to allow and which to ignore. HTML can't connect to random servers downloading unknown content and executing it. HTML can't do memory scans (with Meltdown) to clonejack your secret data. HTML can't alter pagetables (with Rowhammer) and clonejack your banking password.

Of course your browser implementation can have bugs in rendering, but once they are identified and fixed you become safer. But for JS, the implementation can be perfect and you are still not safe, you are still at the mercy of random websites to behave nicely.


Last edited by revolution on 14 Sep 2018, 01:32; edited 1 time in total
Post 13 Sep 2018, 14:18
sleepsleep
revolution wrote:

The ability of some random third-party website to tell your first-party system what to execute is the root of the problem. The entire model is inherently unsafe.

True, but HTML with iframe/href already provides a way to load third-party content; JS just enhances that into a more elegant, non-iframe way, or other ways, of loading other content.

IMO, input -> process -> output is the most elegant way, and everything should basically just expand from this concept.

The issue here, as I see it, is the browser: they are the ones who decide how to implement a scripting language. There are drafts etc., but in the end it is still the browser that decides how to process it.

A reward-based approach, e.g.:

First idea: a website must stake some (minimum) crypto coin in a blockchain; higher traffic means a higher stake.

Second, the website uploads a hash formula, so every access gets verified on the blockchain and the website receives some incentive.

Third, coins would be given to people who discover issues with this website, so this provides an incentive for people to go and make sure the site is really secure; high traffic equals high rewards.

Fourth, as I said previously, a basic secure scripting language is fundamentally doable; in fact, such a feature is a must in today's landscape.

Fifth, the implementation is on the browser's part; e.g. it must have an options page to allow us to switch off how things work. From what I see, browser companies are the root of all causes; they tend to turn on every exploitable feature by default.

Sixth, you guys are smarter than me in every way; perhaps we should really do a new browser and reshape this whole craziness.
Post 13 Sep 2018, 14:22
Furs
revolution wrote:
I see a fundamental difference with HTML and JS. HTML can't spy on the user. HTML can be controlled in the browser by the user deciding which elements to allow and which to ignore. HTML can't connect to random servers downloading unknown content and executing it. HTML can't do memory scans (with Meltdown) to clonejack your secret data. HTML can't alter pagetables (with Rowhammer) and clonejack your banking password.
It can spy on you though: https://www.bleepingcomputer.com/news/security/css-is-so-overpowered-it-can-deanonymize-facebook-users/

But HTML being mostly declarative rather than imperative, it can't do much compared to JavaScript. No loops and stuff like that (two of your attacks). So it's more about it being more limited in scope rather than an inherent impossibility. If HTML had more features it could easily match JavaScript in attack vectors.
Post 13 Sep 2018, 20:34
sleepsleep
Let's take a look at a Firefox profile:

- you've got bookmarkbackups, why? It means even if all bookmarks are deleted, they are still there in the sqlite db,
- saved-telemetry-pings,
- datareporting, since when did I agree to allow reporting back?
- startupCache - why cache? I prefer no cache, just fresh every time,
- thumbnails folder, what?

And there are tons of about:config entries that default on lots of stuff that allows you to be unique.
Post 13 Sep 2018, 23:05
revolution
sleepsleep wrote:
Let's take a look at a Firefox profile:

- you've got bookmarkbackups, why? It means even if all bookmarks are deleted, they are still there in the sqlite db,
- saved-telemetry-pings,
- datareporting, since when did I agree to allow reporting back?
- startupCache - why cache? I prefer no cache, just fresh every time,
- thumbnails folder, what?

And there are tons of about:config entries that default on lots of stuff that allows you to be unique.
All of those things you have control over. Some random website can't change those things. If you wanted to you could simply delete the entire browser installation and saved data and then install a new copy each day. Or run it in a VM and always begin from the same snapshot.
Post 13 Sep 2018, 23:17
revolution
Furs wrote:
revolution wrote:
I see a fundamental difference with HTML and JS. HTML can't spy on the user. HTML can be controlled in the browser by the user deciding which elements to allow and which to ignore. HTML can't connect to random servers downloading unknown content and executing it. HTML can't do memory scans (with Meltdown) to clonejack your secret data. HTML can't alter pagetables (with Rowhammer) and clonejack your banking password.
It can spy on you though: https://www.bleepingcomputer.com/news/security/css-is-so-overpowered-it-can-deanonymize-facebook-users/
HTML != CSS. But you have a point there, maybe there can be another topic why we should disable CSS. But here we have a difference also. CSS isn't a programming language, so it can't run arbitrary code. We can tell the browser to ignore the bits we don't like.
Furs wrote:
But HTML being mostly declarative rather than imperative, it can't do much compared to JavaScript. No loops and stuff like that (two of your attacks). So it's more about it being more limited in scope rather than an inherent impossibility. If HTML had more features it could easily match JavaScript in attack vectors.
HTML isn't a programming language. Just like CSS it can't run arbitrary code. And in the same way everyone blocks the <blink> and <marquee> tags, we can control how our browser treats different parts of HTML.
Post 14 Sep 2018, 01:26
DimonSoft
revolution wrote:
HTML isn't a programming language. Just like CSS it can't run arbitrary code.

It can’t do that until someone finds a tricky sequence of characters that messes up the parser. There was once a vulnerability in PNG support in one of the browsers which allowed one to do pretty much anything. Who would ever think funny cat pictures can be dangerous?

JavaScript makes it easier BUT it’s not responsible for opening the box. Security vulnerabilities that used to be possible to implement with plain JavaScript were a consequence of too little time spent designing certain browser features, for which JS is only a way to use the features. Such bugs get fixed, but we’re still left with implementation bugs caused by using languages that let you shoot yourself in the leg, and by developers who would have been better off doing some unqualified work like bringing coffee.

P.S. Although the whole idea of turning off stuff like JS or CSS and complaining that something stops working would make a lot of web applications better, and would put a lot of developers who believe their JS files are always available and downloaded completely out of the profession. Which would be a good thing.
Post 14 Sep 2018, 07:33
revolution
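DimonSoft's point above is that anything which decides how to treat a sequence of characters is a parser, and a crafted sequence can make one parser disagree with another. As an added example for this page (not from the post, and using a different, well-known instance of the same class rather than the PNG bug mentioned), here is a "strip `<script>` tags" filter of the kind found in many codebases, an input that slips a script element past it, the same filter run to a fixpoint, and the no-parser alternative of escaping the markup characters outright. The payloads are constructed for this example; nothing here is a vulnerability in any named product.

```javascript
// Added example (not from the original post). A "strip <script>" filter is a
// parser of its own, and a crafted byte sequence can make it disagree with the
// browser's HTML parser. All inputs below are constructed for this example.

// Naive single-pass filter: remove every <script>...</script> element.
function stripScriptOnce(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Same filter run until nothing changes, so a removal cannot itself
// assemble a new tag out of the surrounding characters.
function stripScriptFixpoint(html) {
  let prev;
  do {
    prev = html;
    html = stripScriptOnce(html);
  } while (html !== prev);
  return html;
}

// Crude signal that script could still execute in the result: a <script>
// element, or an inline on*= event handler inside a tag.
function looksExecutable(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// No parser at all: escape the characters that carry markup meaning, so the
// browser shows the text verbatim and interprets none of it as tags.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed payloads.
// NESTED: removing the inner <script></script> pairs leaves a real script tag.
const NESTED = "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>";
// HANDLER: no <script> element at all, so a script-tag filter never sees it.
const HANDLER = '<img src=x onerror="alert(1)">';

// Show each strategy against each payload.
function report(payload) {
  return {
    once: stripScriptOnce(payload),
    onceStillExecutable: looksExecutable(stripScriptOnce(payload)),
    fixpoint: stripScriptFixpoint(payload),
    fixpointStillExecutable: looksExecutable(stripScriptFixpoint(payload)),
    escaped: escapeHtml(payload),
    escapedStillExecutable: looksExecutable(escapeHtml(payload)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report(NESTED));
  console.log(report(HANDLER));
}
```

The fixpoint version closes the nesting trick but still passes the `onerror` payload untouched, because the filter was only ever looking for one construct; the escaping function has nothing to miss because it does not try to understand the input. That is the same asymmetry the thread keeps returning to: the fewer constructs a consumer is willing to interpret, the less there is to get wrong.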
Browser errors can be fixed, and sites can't rely upon them existing in all browsers. This is very different from JS that is supposed to run random code as dictated by the site.

Just because browsers can have bugs doesn't mean we should give up and throw our hands in the air and let JS do anything it wants to. We can significantly reduce the problem space by simply not allowing JS at all.
Post 14 Sep 2018, 07:54
Copyright © 1999-2018, Tomasz Grysztar.

Powered by rwasa.