
Learning from the Experts – How JavaScript and HTML5 Vulnerabilities Affect Application Security

Checkmarx recently sponsored an educational webinar to raise Application Security awareness amongst developers and IT professionals. JavaScript and HTML5 were given special attention in the online event hosted by SecureWorld. The aim was to shed some light on the vulnerabilities created by the integration of new features and functionality into the programming languages.

Maty Siman from Checkmarx and LivePerson’s Yair Rovek shared their InfoSec Industry experiences backed by real-time demonstrations. Sam Masiello, Head of Application Security at Groupon, was the moderator.

“Insecure code is all around us,” Masiello explained at the beginning of the webinar. “It doesn’t matter if you are running Windows, iOS, Android or Java. These loopholes, if left unpatched, leave your company data vulnerable.”

Masiello elaborated on the developers’ role in creating safe software. The security guru confessed that learning secure coding is a skill that is acquired over time. He stressed that applications need to be more robust, closed to snooping and capable of dealing with unexpected scenarios. Security professionals need to lend their help to raise the awareness.

Maty Siman, the Checkmarx CTO, endorsed Masiello’s statements. He also provided an in-depth analysis of the IT industry security issues and how these tough challenges can be met.

Siman started off by demonstrating a simple XSS attack and then showed how this common hacking technique can be made persistent in HTML5 (sticky XSS). Data theft was performed very easily with the help of a screenshot-capture component called HTML2Canvas. One exploited page eventually led to the hijacking of the entire website.

The Checkmarx CTO also showed how a traditional firewall can be bypassed by port scanning over WebSockets from the browser. This advanced port scanning makes it easy to map internal networks.

Another worrying HTML5 feature Siman demonstrated was the Local Storage capability. This was displayed on a random online Pacman gaming website, where he easily manipulated the High Score via his browser. The server eventually fetched the manipulated data from the client-side storage (HTML5) without any basic validation of what it received.

Siman went on to tamper with the online Pacman game’s parameters, altering the inner game logic to his benefit. He used Burp Proxy to intercept the game code sent by the server and injected his own expression to make the Pacman immune. The result was a slower gaming experience, but with the option to reach unrealistic scores.

Siman Demonstrating The Pacman Hacking

Client-side business logic manipulations can have serious implications on numerous fronts. Securing such software is crucial, considering how many banking, gambling and e-commerce websites are built with the aforementioned languages.
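The local-storage and high-score manipulations described above share one root cause: data read back from the client is treated as trusted. The following added example (not code from the webinar or from Checkmarx) shows the vulnerable rendering pattern behind sticky XSS beside its escaped form, plus a server-side score check; the in-memory stand-in for `window.localStorage`, the `POINTS` scoring model and the event list are constructed assumptions so it runs in Node.

```javascript
// Constructed stand-in for window.localStorage so the example runs outside a browser.
const fakeLocalStorage = (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
})();

// Vulnerable pattern: the stored value is spliced into markup verbatim.
// Once a payload has been written into the key, it is re-rendered on every
// later page load, which is what makes the XSS "sticky".
function renderScoreboardUnsafe(storage) {
  const name = storage.getItem('playerName') ?? 'anonymous';
  const score = storage.getItem('highScore') ?? '0';
  return `<li>${name}: ${score}</li>`;
}

// Hardened pattern: escape before interpolating into HTML. In a real page,
// prefer element.textContent over innerHTML so no escaping step is needed at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderScoreboardSafe(storage) {
  const name = escapeHtml(storage.getItem('playerName') ?? 'anonymous');
  const score = escapeHtml(storage.getItem('highScore') ?? '0');
  return `<li>${name}: ${score}</li>`;
}

// Server-side counterpart for the high-score case: a client-reported score is
// never authoritative. The server computes the maximum score reachable from
// the game events it recorded itself (hypothetical scoring model) and rejects
// anything the client claims above that ceiling.
const POINTS = { dot: 10, powerPellet: 50, ghost: 200 };
function validateSubmittedScore(submitted, serverRecordedEvents) {
  const ceiling = serverRecordedEvents.reduce((sum, e) => sum + (POINTS[e] ?? 0), 0);
  const n = Number(submitted);
  if (!Number.isInteger(n) || n < 0) {
    return { accepted: false, reason: `score ${submitted} is not a non-negative integer` };
  }
  if (n > ceiling) {
    return { accepted: false, reason: `score ${n} exceeds server-side ceiling ${ceiling}` };
  }
  return { accepted: true, score: n };
}
```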

“Initially most of the issues were on the server-side,” Siman told the participants. “But the evolution of client-side coding has changed the ball-game. These vulnerabilities are hugely different from the old server-side ones. Full testing integration and programming in secure frameworks and environments is a must. One example is the OWASP ESAPI for Java.”

Challenges in performing Continuous Integration for JavaScript/Client side:

  • Detecting and identifying Business Logic in the client-side code.
  • Dealing with minified libraries on the client-side.
  • Checking, analyzing and sanitizing third-party code.
  • Tweaking testing parameters according to the browser type/make.

LivePerson representative and security specialist Yair Rovek rounded off the webinar with his notes about the security challenges faced by CISOs and developers in the IT industry today.

His first job at LivePerson was explaining the value of secure coding and loophole-free software. Good security awareness leads to proper implementation. Rovek explained that once medium or high risks are detected in LivePerson, the build is halted completely until the issue is resolved. Security bugs should always be taken seriously.

“All companies should also aspire to automate their testing,” Rovek stressed. “Automation helps in the scaling and mapping of vulnerabilities. This helps companies accumulate knowledge and develop their intelligence. Once the repositories are constantly updated, it becomes easier to locate and eliminate vulnerabilities while creating new builds.”

According to Rovek, complete integration of the security solution into the SDLC is of utmost importance. LivePerson’s developers were trained over a period of time before they became security-competent and understood the basics of safe coding. But once the whole team was on board and educated, it was just a matter of implementing the SCA solution.

To view the full recording of the 2014 SecureWorld Webinar – Click Here
