Wednesday, August 12, 2015

I saw Ahamed Nafeez give a talk on debugging modern JavaScript frameworks.

The talk was at Black Hat, and React, AngularJS, Knockout, and Meteor were given as examples of modern JavaScript frameworks. If you look at the code base for AngularJS, for example, it is a rat's nest of spaghetti. Whenever you work with Angular and run into a bug, stepping through the code will very often take you out of your own implementation, bounce you around inside AngularJS's code one hundred times, and eventually land you on an error message that is impossible for mortal man to relate back to the pain point. The error message will be opaque and ungoogleable. Static analysis is becoming harder for client-side JS code, so how may one undertake pen tests (penetration tests, attacks looking for weakness) against the modern frameworks without an impossible plumbing chore? DOMinatorPro is one tool for this challenge. Hookish! is a Google Chrome plugin that Ahamed wrote himself for WRT (Wireless RouTer) pen tests. Other interesting things said on this subject were:

  • JSX is an extension for ECMAScript which allows for XMLesque syntax.
  • The thing one is trying to guard against in this space is DOM XSS: cross-site scripting attacks in which one slips some JavaScript content into a form's entry and it bubbles its way back up into displayed content, causing drama. As far as terminology goes, "sources" are data entry points and "sinks" are the areas of reemergence where the injected code is executed.
  • damnvulnerable.me is a web app that one may experiment with attacks against.
  • public-firing-range.appspot.com has some examples of some sinister code.
  • Direct ways to cast a string into code in JavaScript include eval(), setTimeout, Function(x)(), and execScript(x), while indirect ones include document.write, Element.setAttribute(x), Element.innerHTML=x, and the $(x) of jQuery.
  • One may get a stack trace in Google Chrome's V8 Engine like so:
    // Creating an Error captures the current call stack in its .stack property.
    var functionCallTracer = function() {
       this.error = new Error('Deliberate!');
       this.stack = this.error.stack;
    };
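The stack-trace trick above can be combined with the list of sinks to see which application code feeds each sink. The following is an added example, not code from the talk or from Hookish!: `FakeElement`, `fakeWindow`, `renderGreeting` and the sample values are constructed stand-ins so it runs in Node; in a browser the same hooks would be applied to `Element.prototype` and `document`.

```javascript
// Added example: instrument DOM XSS sinks and log a stack trace per write.
// FakeElement is a constructed stand-in for a DOM element (assumption).
class FakeElement {
  set innerHTML(v) { this._html = String(v); }
  get innerHTML() { return this._html; }
}

const sinkLog = [];

function record(sink, value) {
  // Same trick as the post: an Error object captures the V8 call stack.
  // Drop the "Error:" line and the frame for record() itself.
  const stack = new Error('sink trace').stack
    .split('\n').slice(2).map(function (s) { return s.trim(); });
  sinkLog.push({ sink: sink, value: String(value), stack: stack });
}

// Wrap a property-setter sink such as innerHTML.
function hookSetter(proto, prop) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  Object.defineProperty(proto, prop, {
    configurable: true,
    get: desc.get,
    set(value) { record(prop, value); desc.set.call(this, value); },
  });
}

// Wrap a function sink such as document.write or setTimeout.
function hookMethod(owner, name) {
  const original = owner[name];
  owner[name] = function (...args) {
    record(name, args[0]);
    return original.apply(this, args);
  };
}

// Constructed application code: a value from a "source" reaches a sink.
function renderGreeting(el, fromSource) {
  el.innerHTML = '<b>' + fromSource + '</b>';
}

function demo() {
  const fakeWindow = { write(html) { return html.length; } }; // stand-in sink
  hookSetter(FakeElement.prototype, 'innerHTML');
  hookMethod(fakeWindow, 'write');
  const el = new FakeElement();
  renderGreeting(el, 'name-from-location-hash'); // constructed source value
  fakeWindow.write('<p>hi</p>');
  return { el: el, entries: sinkLog };
}
```

Each log entry names the sink, the string written to it, and the frames that led there, so a write can be traced back to the function that handled the source data.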
