This was one of many insights from Sean Park, a senior malware scientist at Trend Micro, who gave a talk at Black Hat on hacking banks that I could only partially follow. It had a lot to do with MIPS (MICR Image Processing System, wherein MICR is Magnetic Ink Character Recognition), which I had not heard of before. I was expecting a talk with more of a focus on banking web sites, though this talk did have aspects of that too. For example...
$("#submit").on("click", function(){
    // read both login fields by their element ids
    var id = $("#signin-id").val();
    var pw = $("#signin-password").val();
    // the injected script now has the credentials; logging them is the stand-in for exfiltration in the slide
    console.log(">> DOM Inject: "+id+":"+pw);
});
...was given as some jQuery code that could accompany the login control at the gate of a banking portal. Clearly, if you can inject something sinister like this you can do all sorts of "wonderful" things with the usernames and passwords of those who log in to check their finances. This was called DOM injection in his slides, but this is clearly not XSS because user-driven content is not going to be bubbling back to the screen at the same locale as that box with two form fields the public uses to log into the web site.

So how would such a script even get in place to do its job? That has to do with MIPS, and I'd be lying if I said I really understood it. His slides that I took photos of show someone hacking MIPS and then MIPS pushing bad stuff to the web front end.

Mitigate this with a process of self-auditing: loop through all functions in your JavaScript, comparing what is to a whitelist of what should be. Do this at identified entry points, assuming that a hacker may have augmented your existing JavaScript. Rootkits, which are toolkits for hacking, may also just drop some of your existing JavaScript functions, so compensate by making sure everything in your whitelist still exists too. Moreover, be sure the jQuery library itself has not been hacked. Sean mentioned opaque predicates in his talk, which was a term I had not heard of before. I suppose these are expressions which either evaluate to true or false, or, perhaps in JavaScript's context, truthy or falsy.