NULL Hyderabad Meet - November 2012

It was an honor to organize the NULL Hyderabad Chapter's monthly meet for November 2012 (EventBrite site). The event had a good turnout (imagine ~50 tickets being sold online in about 1.5 hours) and good speakers.

The first speaker, Bipin Upadhyay, gave a fantastic overview of the HTTP protocol, discussed the RFCs and gave an interactive presentation. He walked through Wireshark output and explained how the OSI model can be simplified and taught in colleges. That was fun! The second speaker, Srinu, gave a good presentation on malware analysis, covering Stuxnet, Flame, Gauss and Duqu.

Below are the slides shared by the speakers on SlideShare:

The meet was fun, with several IT security enthusiasts interacting and sharing their knowledge and expertise. The NULL meet takes place every month and you need not be an IT security expert to attend: if you are in the IT field, you are very much qualified. Register at http://null.co.in/ for future events.

Securing the web with declarative HTTP security policies

Whether you have noticed it or not, over the past couple of years there has been a new security drive on the web: the rise of declarative security policies, that is, declaring security policies via HTTP response headers. In terms of configuration, this is the simplest way of enhancing the security of existing web applications. This post helps web developers understand these security policies.

What is the declarative security model and why is it needed?

Over the years, security researchers have proposed several solutions to mitigate web attacks (e.g., XSS) in the form of server-side or client-side fixes, e.g., server-side input sanitizers, regular-expression-based filters, etc. These solutions have provided good defense against attacks like XSS, but they are not invincible. Even today, security experts are able to trivially bypass input sanitizers using clever obfuscation techniques. The problem is that these solutions attempt to fix the problems of the browsers. In principle, if browsers have a security flaw, the browsers have to be fixed, instead of web applications trying to incorporate the fix. Also, for emerging attacks like Clickjacking, it has been shown that code fixes in web applications will not resolve the issue and the fix has to go into the browser.

If these security defenses were suddenly incorporated into existing browsers in a strict way, they would break millions of web pages. There needs to be a balance between ensuring backward compatibility and enhancing security, which is a tricky situation. So researchers had to come up with a model wherein the desired security protection could be sent as a parameter at run time and browsers enforce the protection. Such a security model is known as the declarative security model and it can be enforced using HTTP response headers.

A few declarative security headers:

X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, X-Download-Options, X-Content-Security-Policy, etc., are some of the well-known declarative security headers which attempt to fix several security problems. The “X” prefix in these headers is commonly understood as eXperimental or eXtension (note: the X- prefix is deprecated). These are custom headers and not yet a part of the HTTP spec (RFC 2616), which means one or more browser vendors have defined how these headers should be interpreted by browsers as per their requirements. Here is a brief overview of how some of these headers help:

X-Frame-Options: This header was introduced by Microsoft to defend against Clickjacking attacks. When the value of this header is set to “DENY” in the HTTP response of a web page, it prevents the page from being framed. All major modern browsers support this header. More info can be found on the IE blog.

X-XSS-Protection: This header was also introduced by Microsoft, to defend against Reflected XSS attacks. When this header is set to 1, it enables the browser's XSS filter, which blocks reflected script injections. More about this on the IE blog.

X-Content-Type-Options: This header helps in defending against MIME content-sniffing attacks (e.g., uploaded images containing HTML/JavaScript getting executed because the browser guesses the content type). When this header is set to “nosniff”, the browser honours the declared Content-Type instead of sniffing, so such embedded scripts will not be run. More info.

X-Content-Security-Policy (CSP): This was introduced by Mozilla and is the latest in the list of secure HTTP headers. CSP aims to defend against a broad range of content injection vulnerabilities and, to some extent, content exfiltration. XSS has been a major problem for several years now and, though there were several research proposals to defend against XSS, CSP won the race and is being standardized by the W3C. Here is the CSP spec. Watch this spec! The promises made by CSP are huge!
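As an added example (not code from the original post), here is a small Node.js helper that emits the declarative headers discussed above on every response, together with an audit function that reports which of them a given response is missing or has set to an ineffective value. The CSP policy string, the `mode=block` suffix on X-XSS-Protection and the sample responses are my own choices for illustration; the header names and the values DENY, 1 and nosniff are the ones named in the post.

```javascript
// Added example, not from the original post: emit and audit declarative
// security headers. Policy strings and sample responses are constructed.

// Build the set of security headers to attach to every HTML response.
function securityHeaders({ frameOptions = 'DENY', csp = "default-src 'self'" } = {}) {
  return {
    // Clickjacking defence: refuse to be rendered inside a frame.
    'X-Frame-Options': frameOptions,
    // Reflected-XSS filter: "1" enables it; "mode=block" stops rendering on detection.
    'X-XSS-Protection': '1; mode=block',
    // Stop MIME sniffing: an uploaded "image" that contains HTML is not run as HTML.
    'X-Content-Type-Options': 'nosniff',
    // IE: never open a downloaded file in the security context of the site.
    'X-Download-Options': 'noopen',
    // CSP under the early Mozilla name and the standardized name.
    'X-Content-Security-Policy': csp,
    'Content-Security-Policy': csp,
  };
}

// Copy the headers onto a Node http.ServerResponse-like object (anything with setHeader).
function applySecurityHeaders(res, options) {
  for (const [name, value] of Object.entries(securityHeaders(options))) {
    res.setHeader(name, value);
  }
  return res;
}

// Per-header validators: value -> true when the value actually provides protection.
const CHECKS = {
  'x-frame-options': v => ['DENY', 'SAMEORIGIN'].includes(v.trim().toUpperCase()),
  'x-xss-protection': v => v.trim().startsWith('1'),
  'x-content-type-options': v => v.trim().toLowerCase() === 'nosniff',
  'content-security-policy': v => v.trim().length > 0,
};

// Audit a response header map (any capitalisation). Returns a list of findings;
// an empty list means every checked header is present and effective.
function auditSecurityHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  // The legacy X- name counts as a CSP when the standard name is absent.
  if (!('content-security-policy' in lower) && 'x-content-security-policy' in lower) {
    lower['content-security-policy'] = lower['x-content-security-policy'];
  }
  const findings = [];
  for (const [name, ok] of Object.entries(CHECKS)) {
    if (!(name in lower)) findings.push(`missing ${name}`);
    else if (!ok(lower[name])) findings.push(`weak ${name}: ${lower[name]}`);
  }
  return findings;
}
```

Plugging `applySecurityHeaders(res)` into an `http.createServer` handler before writing the body is enough to ship the headers; `auditSecurityHeaders` is the same check run the other way round, over the headers a site actually returns.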

Who has to use them?

Everyone! But unfortunately, statistics show that these security headers have a very low adoption rate; the primary reason is lack of developer awareness. As per a recent report, only 8 of the top 1000 Alexa sites use any declarative security header. The latest data on HTTP header usage is available for download from the ShodanHQ database.

So, to conclude, web developers need to understand declarative HTTP headers and their importance for enhancing security. Browser security has been evolving at a rapid pace along with web specifications, and hence web developers need to keep their skills up to date as well.

What you know about AJAX, is not the same in HTML5 CORS

“AJAX is for asynchronous calls within the same origin, whereas HTML5 CORS is for asynchronous calls across origins.” This is a popular comparison of AJAX vs CORS which many web developers make, but there is a lot beyond this!

Improving website performance by replacing full page postbacks with AJAX is something web developers frequently do. By definition, in an AJAX call an asynchronous XMLHttpRequest is fired to a target URL using JavaScript. One obvious thing which should not happen is a cross-origin call from a browser to a different origin (i.e., an advertisement on a web page should not be able to make a call to gmail.com). This restriction is set by browsers in the form of a policy called the Same Origin Policy (SOP), which we are well aware of (related post: JSONP is not cross origin AJAX).

The boundary restriction set by SOP prevents security breaches at one end but limits the scope of interaction between websites at the other. Wouldn't it be nice if you could mash up data from different servers (origins) on a single web page using JavaScript, without hacks like JSONP? Or block someone else's calendar with a POST AJAX request using JavaScript? It is for this reason that HTML5 has a new policy (a complete specification) which allows cross-origin calls to happen, called CORS (Cross Origin Resource Sharing). In short, CORS works based on access policies set in special response headers, i.e., in order to allow cross-origin calls, the server should declare a whitelist of zero or more origins to which it will give access, like:

    Access-Control-Allow-Origin: http://localhost

Similar to the above response header, there is a bunch of response headers which help browsers check various access permissions. If you are new to CORS, I suggest you visit HTML5 Rocks, which has a detailed tutorial. In this post, I would like to focus on browser security checks.

Browser security checks – AJAX vs CORS:

Let us say you are using a browser which does not support HTML5 CORS and your application is hosted at http://localhost:81. If you open http://localhost and try to make an AJAX call to your app, you will get this security error message:

"Access to restricted URI denied" (the message text varies across browsers, but it essentially conveys a SOP violation).

// Page served from http://localhost making a cross-origin POST to port 81
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:81/handler.ashx", true);
var params = 'name=AJAX';
// Form content type: the same one an HTML <form> would send
xhr.setRequestHeader("Content-Type", 'application/x-www-form-urlencoded');
xhr.send(params);

Browsers do this Same Origin Policy check even before they trigger a network call.

Now if you install a browser which supports CORS and try the same (without configuring any response headers), you will get the message:

“XMLHttpRequest cannot load http://localhost:81/. Origin http://localhost is not allowed by Access-Control-Allow-Origin”.

The message clearly conveys that the check happened after making a call to the remote server. This is obvious, since CORS is based on response headers and browsers have no clue whether the remote server allowed the call or not without checking the response. In this context, browser developer tools somewhat confuse developers by saying that “the request is cancelled”. In reality, browsers do make the request but just do not expose the response to the page in case CORS headers are not found. To test this, you can simply log the call on your server and you will see log entries.

<%@ WebHandler Language="VB" Class="Handler" %>

Imports System
Imports System.Web
Imports System.IO

Public Class Handler : Implements IHttpHandler

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' Form field posted by the cross-origin XMLHttpRequest
        Dim str As String = context.Request.Params("name")
        Dim strDate As String = context.Timestamp.ToString()

        ' Append one line per request so the call is visible in the log even
        ' when the browser withholds the response from the calling page
        Using sw As New StreamWriter(context.Server.MapPath("logs.txt"), True)
            sw.WriteLine(strDate & " : " & str)
        End Using

        context.Response.ContentType = "text/plain"
        context.Response.Write("Hello " & str)
    End Sub

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return False
        End Get
    End Property

End Class

The above code is the content of my remote .ashx handler hosted on http://localhost:81 (okay, I’ve written the above code in VB, but who cares! As long as you understand what it does, language doesn’t matter. My next demos will be using Java Servlets/PHP... yes, I’m coding in these recently... yay!)

So web developers who have used AJAX and are moving towards HTML5 should know this subtle but important difference.

Cross origin form submission now AJAXified in CORS!

Not sure if you have observed it or not, but the first code snippet in this post uses the content type “application/x-www-form-urlencoded”. If you haven’t figured it out, there is a more familiar version of it which you already know:

<form method="post" action="http://localhost:81/handler.ashx">
    <input type="text" name="name" value="fake form">
    <input type="submit" value="Submit">
</form>

When HTML forms are submitted, they use “application/x-www-form-urlencoded” as the default content type. Since forms do cross-origin posts anyway, this “feature” was also included in the HTML5 CORS specification. This is the reason why we were able to log the CORS request in the second snippet. So all three content types supported by HTML forms (“application/x-www-form-urlencoded”, “multipart/form-data”, “text/plain”) can be used in CORS to do a cross-origin request (Don't you smell attack scenarios here? Stealth-mode attacks? Yeah!)

No preflight request for CORS POST request?

The HTTP methods GET and HEAD are called “safe methods” since they should not cause any state changes on the server. POST requests are meant to change state on the server and can be misused. So there should have been a preflight request for the above CORS POST request, but browsers did no such thing in the above demo.

The reason for this boils down to what was allowed vs. not allowed prior to the HTML5 specs. In HTML4, we could do cross-origin requests using <img src='…'>, <script src='…'>, <form method="GET/POST" action='…'>, etc. Following the same rules, cross-origin GET requests and some POST requests can still be done using CORS without a preflight. So what are those “some” POST requests? These are nothing but what we have seen above in the form submission case, i.e., POST requests with the form content types. Other than these, any sort of POST request will require a preflight request, which is the security enhancement in CORS.
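The preflight rule above and the origin allow-list from the Access-Control-Allow-Origin example earlier, written out as plain Node.js functions. This is an added example, not code from the original post or its demo repository. It goes one step beyond the post in that it also treats request headers outside the small CORS-safelisted set (for instance X-Requested-With) as a preflight trigger, which is what browsers do; the origins, methods and requests below are constructed sample values, and the server-side functions would sit inside an `http.createServer` handler.

```javascript
// Added example, not from the original post: when a cross-origin request gets
// a preflight, and how a server answers only for allow-listed origins.
// Sample origins and requests are constructed.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
// The three content types an HTML <form> can send; these need no preflight.
const FORM_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Request headers a page may set on an XMLHttpRequest without a preflight.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Browser side: true when an OPTIONS preflight must precede this request.
function needsPreflight(method, requestHeaders = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;       // e.g. PUT, DELETE
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;                  // e.g. X-Requested-With
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!FORM_CONTENT_TYPES.has(mime)) return true;                 // e.g. application/json
    }
  }
  return false;
}

// Server side: CORS headers for an origin on the allow-list, null otherwise.
// The origin is matched exactly and never simply reflected back; with a null
// result the browser withholds the response from the calling page.
function corsHeadersFor(requestOrigin, allowedOrigins, { credentials = false } = {}) {
  if (!requestOrigin || !allowedOrigins.includes(requestOrigin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    // Caches must key on Origin because the response differs per caller.
    'Vary': 'Origin',
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Server side: answer to the OPTIONS preflight of a non-simple request.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT'];

function preflightResponse(requestOrigin, requestedMethod, allowedOrigins) {
  const headers = corsHeadersFor(requestOrigin, allowedOrigins);
  if (!headers || !ALLOWED_METHODS.includes(requestedMethod.toUpperCase())) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      ...headers,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
      'Access-Control-Max-Age': '600',   // seconds the browser may cache this answer
    },
  };
}
```

The classification function explains the demo: a POST with a form content type and no extra headers is a "simple" request, so the browser sends it straight away and only afterwards decides whether the page may read the reply; switching the body to JSON, or adding a custom header, is what brings the preflight in.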

HTML Forms and CSRF attacks go hand in hand. What about CORS & CSRF?

Yes, CSRF attacks using HTML forms are quite popular, and one of the well-known defenses is sending a random, unique nonce in every request. Since CORS POST requests mimic HTML form requests, they can be victims of CSRF attacks, and hence every CORS POST request should use CSRF defenses. If this is not taken seriously, it paves the way for a number of stealth attacks such as silent file uploads. In the first snippet, if you set “xhr.withCredentials=true”, even cookies can be sent in the POST request and hence replay attacks can be done.

Winding up the show: CORS is beautiful and enhances modern web interactions in many ways. We already know how bad the state of AJAX security has been, owing to poorly written code. If CORS is studied as ‘yet another new thing on the web’, without understanding the internal details, web applications will suffer big time, leading to serious attacks. Time to focus on the security aspects of modern web specifications! No escape!!

Update: You may check the source code of the demo used in the article here: https://github.com/novogeek/AJAX-vs-CORS

Happy coding!

Presentation on HTML5 Security, Part-2 - OWASP Hyd

In continuation of my previous talk on HTML5 Security at OWASP Hyd, I covered a few more interesting concepts at the OWASP Hyd August meet. The slides are more or less the same as in my previous session, but this one was more demo driven, where I showed known security problems and the secure coding practices to be followed while using HTML5.

I've been committing some of the basic demos to my GitHub account whenever I find time. I shall blog more about some interesting topics very soon.

A note on JSONP & misconceptions of Cross Origin AJAX

Web developers who have worked on accessing APIs using JavaScript would be very familiar with the term “JSONP”. Many web devs whom I have met offline or in online discussion forums seem to have some misconceptions about JSONP. Below are some of the basic and common definitions which I have come across:

  • JSONP is a technique to work with remote APIs
  • It is nothing but Cross Origin AJAX
  • If we add a query string like “?callback=someCallback” and fire jQuery’s $.ajax or $.getJSON, what we are doing is nothing but a JSONP call.
  • Maybe a slightly complicated definition: cross-origin AJAX is possible only when the response returned is JavaScript
  • and many more...

There is very little truth in the above statements, and such definitions add more confusion, bringing in misconceptions. In my recent presentation “Content Isolation with Same Origin Policy”, I put up the slides below (check slides 4 & 5 in the ppt):

[image: slide 4]

[image: slide 5]

For all practical purposes, the first one is possible and the second one is not. Apart from the tweaked definitions of JSONP stated above, the reasoning below complicates the topic:

  • In the first case, the content requested is of the type “text/javascript”, while in the second case it is HTML. So browsers look at the content type of the response header and decide whether they should block the content or not (actually, a very good observation).
  • The “?callback=?” parameter in the first case is what enables jQuery to make the cross-origin call.
  • The server-side framework should have special capabilities (like inbuilt serialization/deserialization) for the first case to work.

I thought it would be nice to summarize a few facts, hence this post. Read on.

What's an Origin?

The combination scheme://host:port is what browsers treat as an origin. E.g., http://abc.com, https://abc.com and http://abc.com:81 belong to different origins, as they differ in one of scheme, host or port. Remember that http://abc.com/user1 and http://abc.com/user2 are different URLs but not different origins. Also, a domain (http://abc.com) and its subdomain (http://sub.abc.com) belong to different origins (this particular restriction can be relaxed using a technique called domain relaxation, which is out of scope for this topic).

Can my client script read your emails?

Browsers restrict JavaScript calls to a server (read: AJAX) based on origin. This is governed by a policy called the Same Origin Policy. In other words, client script in your page can make calls only to your server (strictly speaking, your origin). If this rule weren’t there, it would have been possible to write a script in some arbitrary web page which could read your web-based email conversations.

Cross Origin AJAX? Really?

For the reason stated above, a page can make an AJAX call only to the same origin from which it originated. If I am allowed to coin an acronym stressing the boundaries of AJAX, I would coin “AJAX-FOO”, which expands to “Asynchronous JavaScript And XML For Own Origin”. As soon as a new XMLHttpRequest is fired to a remote origin, browsers compare the origin of the page with the destination of the request. If both are the same, the call is allowed; else, the call is blocked with an appropriate error message. So there is nothing like cross-origin AJAX.

Understanding JSONP (TL;DR: It’s all about script tag hack!)

As they say, necessity is the mother of invention. When Web 2.0 APIs were introduced, developers desperately wanted cross-origin interactions. JSONP was discovered as a hack/work-around to bypass the restrictions of the Same Origin Policy.

The idea behind it is very simple. The Same Origin Policy doesn't apply to scripts (and a couple of other elements too). A <script> tag in a web page can load JavaScript from any origin (i.e., when you embed jQuery.js pointing to a CDN, loading from a remote origin is allowed). Using this loophole, one can create cross-origin requests.

Simple example to create your own JSONP service

1. Create an HTML page that references two JavaScript files. In script1.js, create a function “processData”:

function processData(data) {
    console.log('Hello ' + data.firstName + ' ' + data.lastName);
}

2. In script2.js execute the above function by passing valid JSON data:

processData({firstName:'Krishna', lastName:'Chaitanya'}); 

3. When you load the page, both script files load, and the code in the second file executes the function defined in the first file. This is the expected behavior.

4. Create a file “service.abc” (yes, create it with this dummy extension; this is going to be your web service) and place it in the same folder. Open it and write the same code as in step 2. Now open your web server (IIS or your preferred one), go to your site, open the MIME types section and add a new MIME type for the extension “.abc” with the value “text/javascript”.

5. Now remove the reference to “script2.js” and add a reference to this new file “service.abc” in the head section like this:

<script type="text/javascript" src="service.abc"></script>

6. When you load the page now, you get the same behavior as that of script2. So far, everything is in the same origin. Place the file “service.abc” in another origin (simply create another website on a different port number-recollect that different ports means different origins) and reference it in script tag and the code still works.

What you have done is, you have loaded content from a remote service via script tag injection. This is the essence of JSONP. The idea of having a random file format “.abc” is just to show that any file which can serve script content will hold good for this. You may use your “.aspx”, “.asmx”, “.ashx” or whatever to achieve this.

Hence, JSONP is always a script injection and has nothing to do with the XMLHttpRequest object and AJAX.

How JavaScript libraries like jQuery help (mislead) you

If you use libraries like jQuery, they give you a common syntax which works for AJAX as well as the JSONP hack. They do a lot of work behind the scenes to turn the call into a JSONP script injection:

$.getJSON('http://graph.facebook.com/zuck?callback=?', function (data) {
    console.log(data);
});

In the above API for Facebook, if the value for callback is given by the developer as “https://graph.facebook.com/zuck?callback=fetch”, Facebook returns the JSON data wrapped in a call to the function “fetch” (open the link in your browser and check the output. Note: IE will ask to save the response as a ".js" file.). If the function name is omitted, jQuery handles it in an interesting/tricky manner. It takes the success callback as the function to be executed (similar to the “processData” function declared above), creates a random function name and assigns the callback to it. The server too responds by wrapping its JSON data in the random function name which it got from the request (see the first screenshot in this blog post). Once the HTTP transaction is done, jQuery destroys the random function.

(Note: To test the trick jQuery uses, I used burp proxy to intercept and pause the request sent by jQuery. While pausing, I typed jQuery’s random function name in browser’s console and it printed the definition of the function. After the response is received, I did the same and I got that function is undefined. This way I was able to deduce the trick jQuery uses for JSONP).

In this process, jQuery does not fire an AJAX call. All it does is inject a script tag, and the server serves JavaScript in its response. Since the syntax for AJAX and JSONP is kept the same, web developers tend to be confused about JSONP.
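To tie the “service.abc” steps and the jQuery trick together, here is an added example (not code from the original post) with both halves of a JSONP exchange written as plain Node functions, so the round trip runs without a browser. The function names, the callback-name pattern and the random-name scheme are my own choices.

```javascript
// Added example, not code from the original post: a minimal JSONP service and a
// jQuery-style client as plain Node functions, so the round trip runs without
// a browser. Function names, the callback-name pattern and the random-name
// scheme are my own choices.

// Server side, the equivalent of "service.abc": the response is JavaScript,
// not JSON. The payload is wrapped in a call to the function named by the
// request's "callback" parameter.
//
// The name is echoed straight into executable script, so it is restricted to a
// plain identifier; otherwise the request could hand the service arbitrary
// script to serve from its own origin.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*$/;

function buildJsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error('rejected callback name: ' + callbackName);
  }
  return callbackName + '(' + JSON.stringify(data) + ');';
}

// Client side, what jQuery does for "callback=?": a throw-away global function
// name is generated, the success handler is registered under it, the script is
// loaded (here: evaluated as a <script> would be), and the global is removed
// once the transaction is complete.
//
// loadScript(callbackName) stands in for the <script src="...?callback=name">
// round trip and must return the response text.
function jsonpRequest(loadScript, onSuccess) {
  const name = 'jsonp_' + Math.random().toString(36).slice(2, 12);
  globalThis[name] = onSuccess;                  // like window[name] = fn

  const definedDuringLoad = typeof globalThis[name] === 'function';
  new Function(loadScript(name))();              // runs name({...}); globally
  delete globalThis[name];                       // jQuery destroys the function
  const definedAfterLoad = typeof globalThis[name] === 'function';

  return { callbackName: name, definedDuringLoad, definedAfterLoad };
}

// Full round trip with constructed sample data (same as the processData step).
function demo() {
  let received = null;
  const trace = jsonpRequest(
    (name) => buildJsonpResponse(name, { firstName: 'Krishna', lastName: 'Chaitanya' }),
    (data) => { received = data; }
  );
  return { received, trace };
}

const result = demo();
console.log('Hello ' + result.received.firstName + ' ' + result.received.lastName);
console.log('callback defined during load:', result.trace.definedDuringLoad,
            '| after load:', result.trace.definedAfterLoad);
```

The two console lines reproduce what the Burp pause showed: the random function exists while the script is in flight and is gone once the response has been handled.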

So what mime-type should be served for a successful JSONP request?

Well, this is a topic of confusion, at least for me. Since the served content is JavaScript, the preferred MIME type should be “application/javascript” or “text/javascript”, or maybe "application/json". In my demo, I changed the MIME type of the above service to “image/gif”, “text/css” etc. and the script still worked in all modern browsers without any warnings. Also, there are cases where browsers show a "save file" dialog when the wrong MIME type is served. Enabling ad hoc MIME types has security concerns and research is being done in this area to standardize the MIME type. At least for now, “application/javascript” can be used, and anyway CORS is the future, so no more content type worries.

Hope the article provided useful info. Share your thoughts or discuss if you see the need for any corrections. Happy coding :)

Browser Internals: Content Isolation with Same Origin Policy-Microsoft UG Dev Day

Microsoft User Group Hyderabad (MUGH) organized Developer Day at Broadridge Financial Solutions, Hyderabad this weekend. It was a half day event with a very good line-up of sessions and I had the opportunity to present on a very exciting topic-"Content Isolation with Same Origin Policy".

"Same Origin Policy (SOP)" is one of the foundations of web security, and it is built into web browsers. Web developers often do not understand this policy clearly and work with several misconceptions. The goal of this session is to show how important SOP is for the web, how it is bypassed using hacks and what HTML5 offers as a standard to overcome its limitations. Getting a full understanding of SOP isn't easy in a one hour session as it is relatively vast and complex. However, I have tried to simplify several ideas and put them in one place in the slides. Folks who couldn't attend the session will also benefit from the slides.

Along with my talk, there was an interesting talk "One Service, Any Device, Any Platform-Web API" by fellow MVP Shravan and "A Lap around the new Windows Azure" by our super techie Phani, cofounder of BrainScale. It is really motivating to see close to 100 techies coming to learn cutting edge stuff over a weekend. That was a great time spent! See you in the next tech event. Happy coding :)

HTML5 Sandbox and some notes

While building mashups, one of the primary goals is to securely isolate content coming from different origins. Generally, client side mashups are built in one of two ways: (1) embedding third party scripts in a web page, (2) loading remote content via iframes. Embedding scripts provides more interactivity but dilutes security, since the scripts run with full privileges and could be malicious. Using iframes reduces interactivity but enhances security, since they isolate content via the same-origin policy (script inside a cross-origin iframe cannot access the DOM of the parent page).

[Note: By chance if you are wondering why you should bother about mashups since you have never built them, you are mistaken. If you are embedding scripts for website analytics, social plugins (Like, Tweet, +1 etc.), advertisements, comments system (e.g., Disqus) and so on, you are already having a mashup!]

Though iframes follow the same-origin policy and provide security in some sense, they are well known for notorious activities like frame phishing, top window redirection, clickjacking, triggering drive-by downloads etc. The “sandbox” attribute for iframes introduced in HTML5 promises to thwart the problems caused by iframes. Sandbox is currently supported only in Internet Explorer 10 and Chrome 17+.

A sandboxed iframe by default disables scripts, popups, form submissions, top navigation etc. Some of the restrictions can be relaxed by specifying space separated white list tokens (allow-forms, allow-scripts, allow-same-origin, allow-top-navigation):

<iframe sandbox src="http://crossOrigin.com"></iframe>
<iframe sandbox="allow-forms allow-scripts allow-same-origin allow-top-navigation"
src="page2.html"></iframe>


The details about sandbox and its white list tokens are discussed in several blogs, so I purposefully omit them here. One interesting feature of sandbox is that when a sandboxed iframe loads content from the same origin as the parent document, the loaded content is still treated as if it originated from a cross origin, thereby reducing its script privileges. This restriction can be removed by using the token “allow-same-origin”.

Below are some of the cases where developers have to be cautious while using sandbox.

Disabling Clickjacking Defense:

Even to date, several sites rely on JavaScript based frame busting to defend against clickjacking (the X-Frame-Options response header is a better defense, but unfortunately is less widely implemented). Such sites are greatly affected when embedded in a sandboxed iframe. Since sandbox disables JavaScript, the clickjacking protection used in the framed site is lost, hence back to square one!

Allow-scripts and Allow-same-origin combination:

This combination of tokens is a little tricky and could negate the effect of sandbox. The “allow-scripts” token enables JavaScript inside the iframe and the “allow-same-origin” token gives the iframe complete privileges to access the DOM of the parent. So if the embedded iframe has a vulnerable input field, script can be injected to remove the “sandbox” attribute altogether and then carry out further exploits. Thus the security benefits of sandbox can be removed completely.

Effect on Nested Browsing Contexts:

If a webpage has nested browsing contexts (a page containing an iframe which in turn loads another iframe), then reasoning about the effect of sandbox tokens becomes complicated. Let us consider the scenario in the image on the right below: a parent page has an iframe to a page (Child1) with the "allow-scripts" sandbox token. Child1 loads another iframe which points to Child2 with the "allow-forms" token. At a quick glance, developers may conclude that the innermost page will have both forms and scripts allowed, but the opposite is true. The inner page has everything disabled, and for a good reason! The Child1 frame has forms disabled, and that overrides the "allow-forms" of Child2. Also, Child1 has scripts enabled but Child2 has them disabled, hence it does not allow script execution. So it is advisable not to manipulate sandbox tokens dynamically, since it is difficult to reason about the after effects on sandbox restrictions.
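The three cautions above (lost frame busting, the allow-scripts/allow-same-origin pair, and nested contexts) follow from one rule: a nested frame keeps every restriction of its ancestors, so a capability is available only when every sandboxed frame in the chain grants it. Here is an added example (not part of the original post or the demo repository) that models that rule in code; the token list is the one given above, and the function names are my own.

```javascript
// Added example, not part of the original post: a small model of how sandbox
// tokens combine across nested iframes. The rule follows the HTML spec: the
// innermost frame's restrictions are the union of its own and its ancestors',
// so a capability survives only when every sandboxed ancestor grants it.
const SANDBOX_TOKENS = [
  'allow-forms', 'allow-scripts', 'allow-same-origin', 'allow-top-navigation',
];

// Capabilities granted by one iframe element. `sandbox` is null when the
// element has no sandbox attribute, otherwise its (possibly empty) token string.
function grantedBy(sandbox) {
  if (sandbox === null) return new Set(SANDBOX_TOKENS);   // unsandboxed frame
  const tokens = sandbox.split(/\s+/).filter(Boolean);
  return new Set(tokens.filter((t) => SANDBOX_TOKENS.includes(t)));
}

// Effective capabilities of the innermost frame; `chain` lists the sandbox
// attribute of each iframe from the outermost inwards.
function effectiveCapabilities(chain) {
  let allowed = new Set(SANDBOX_TOKENS);
  for (const sandbox of chain) {
    const here = grantedBy(sandbox);
    allowed = new Set([...allowed].filter((t) => here.has(t)));
  }
  return allowed;
}

// Review notes for a single sandbox attribute, covering the two cautions above.
function warnings(sandbox) {
  if (sandbox === null) return [];
  const g = grantedBy(sandbox);
  const notes = [];
  if (g.has('allow-scripts') && g.has('allow-same-origin')) {
    notes.push('allow-scripts + allow-same-origin: same-origin content can remove the sandbox attribute');
  }
  if (!g.has('allow-scripts')) {
    notes.push('scripts disabled: JS-based frame busting in the framed page will not run');
  }
  return notes;
}

// The nested case from the post: parent -> Child1 (allow-scripts) -> Child2 (allow-forms).
function nestedDemo() {
  return [...effectiveCapabilities(['allow-scripts', 'allow-forms'])];
}

console.log('Child2 effective capabilities:', nestedDemo());          // []
console.log(warnings('allow-scripts allow-same-origin'));
```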

DEMOS: Click the images for demos (Source at: https://github.com/novogeek/html5sandbox )

Sandbox demo 1

Sandbox demo 2

In the first demo, there is an iframe with JS based clickjacking protection, and by default the sandbox option is selected. You can see the clickjacking defense by selecting “normal frame”. So this shows how sandbox defeats JS based clickjacking defense. Also in the same demo you can select the “allow-scripts” and “allow-same-origin” options and inject the snippets provided below the page into the XSS vulnerable page.

In the second demo, inspect the iframes and load them independently in different windows to see the effect of sandbox tokens in nested browsing contexts.

Hope the article provided some useful information about the HTML5 iframe sandbox and its secure usage. Feel free to get back with queries or please share aspects which you find interesting about sandbox. Happy coding :)

Presentation on HTML5 Security-OWASP Hyderabad

Happy to say that I had the opportunity to present at the OWASP Hyderabad chapter on "HTML5 Security" on 19th May, 2012. The event had an awesome audience from diverse backgrounds in the security domain-security researchers, penetration testers, security consultants, a few developers etc. The talk went on for about 2.5 hours (yes!!) and was quite interactive. The audience was very patient and passionate, and we had lots of discussions on several interesting topics.

I built some cool demos for the presentation but the code is not well organized. I shall clean the code and upload it to my GitHub account shortly. I will be continuing this talk in next month's OWASP meet too.

Microsoft MVP Award and my two cents

First of all, I’m really happy and proud to say that I’ve received the Microsoft Most Valuable Professional (MVP) award for the third consecutive year. YaY!! I received my first MVP award in 2010 under the “ASP.NET” category and in 2011, 2012 under the “Internet Explorer” category. Kudos to Microsoft, which uniquely recognizes and values its experts through the MVP award program.

So, how to become a Microsoft MVP? Well, this is the most frequently asked question in most of the user group meets, email conversations etc. Fellow MVP and friend Vijay Raj wrote an excellent blog post on this which gives great inputs.

My MVP story:

My first encounter with an MVP happened through a series of email discussions 4 years back (January 31, 2008 2:52 PM to be precise! I was just 6 months old in software field). At that time, AJAX start pages were highly popular and PageFlakes.com, a Web 2.0 mashup built in ASP.NET created a revolution. I wrote a long mail to the owner of PageFlakes.com with lots of enthusiasm and many queries like how he built the awesome product, how I can be a techie like him etc. I didn’t expect a reply, but was overwhelmed when I saw his reply the next day. The owner was Omar Al Zabir (Microsoft MVP for 7 years!) and he replied to my mail with this interesting link-How to become a good developer overnight! (Strongly suggest you to read this!!!).

Omar’s post had a strong influence on me and I was determined to work with passion (the MVP thing was completely out of my sight). I started with creating a web mashup something like PageFlakes in the next 4 months. Here it is! Though it wasn’t complete and rich enough, given my experience and knowledge, that was big and the learning I had was huge!! I felt like sharing my experiences and captured them in my blog. Also, I took my learning to the ASP.NET forums and helped developers who were struggling with similar problems.

Then came jQuery using which I rebuilt my mashup page (purely client side). I was learning and contributing extensively on JavaScript, AJAX, front end performance tuning, JS design patterns, jQuery plugins, browser compatibility etc. at forums, blogs, online events and MUGH for about 2 years. Suddenly, on 1st April 2010, I got a mail that I am a Microsoft MVP! Of course, I wasn’t alone throughout the journey and I was guided by amazing folks within and outside Microsoft. Thank you all for molding this wet clay!

The moral is, I worked rigorously with lots of passion and shared my learning, without worrying about “how to become an MVP”. Year on year, I maintained my consistency in learning and sustained sincerity without worrying if my award will be renewed. If Microsoft had not come across my profile, I wouldn’t have been an MVP but still I would be having my hard earned learning with me, which is the key towards a bright career. If you are a new MVP, just don’t get sick and count days before your MVP renewal date (am not kidding!). There is a lot to life beyond an award.

By the way, if you too are passionate and find all this interesting and relevant, tweet me for any help. I still remember how much I looked for help.

My gyan for fellow/new/wanna-be experts:

In the past 3-4 years, tech community has grown a lot. Thanks to Twitter/Facebook which made tech communication across geographies easier. There are several passionate developers, new MVPs every quarter, promising community folks etc. whom I/we interact with. While many of you are doing it right, here are few tips for those who are doing it wrong! (Strictly my personal opinions/beliefs and no way related to MVP award program).

  • Focus on gaining depth and hands-on expertise in the technology/area of your interest. Don’t just be news aggregators-there are enough social media sites for this purpose.

  • Please, please don’t try to impress existing MVPs, folks from Microsoft on Twitter/FB for the sake of award or other expectations. If you are an expert and contributing genuinely, Microsoft will find you and reward your efforts.

  • At any point of time, quality beats quantity. If you are writing, say, 365 blog posts/year all alone, you need to question the quality of your learning. There is enough documentation on “How to create a new ‘xyz’ application in visual studio” at MSDN. If you refer MSDN articles, explain the same with screenshots and call it expertise, I pity your ignorance.

    Instead, build something which solves existing technical challenges or dives deep into a subject and show it to the world. Doesn’t matter even if you write 1 or 2 blog posts per month but make sure your learning is rock solid and has good impact.

  • Microsoft is definitely one of the best employers to work for. However, don’t look at MVP program as an entrance to bag a job at Microsoft. Understand what you really want to do with the expertise you gained. Be patient, don’t be desperate and hasty.

  • Just because you want to be an MVP or you are a new MVP, you need not kill your instincts, become a fanboy and boast about Microsoft’s products/technologies. Stop that. Appreciate the good, help improve the bad.

  • You are/wanna be a tech expert and not a sales representative. Speak the internals and stop surviving on “new features in xyz language”. (e.g., If you love programming, at least know closures, continuations, callbacks, recursive programming etc. Learn Lisp or maybe Scheme and see how ideas in them are related to the new features in C#. You will love your code.)

  • If you are working on Microsoft technologies/products, it doesn’t mean you should not work on open source ones. How many of you have appreciated the beauty of Git and GitHub? There are some brilliant projects on GitHub which you can fork/follow and learn. Do you know that you can set up a full fledged blog on GitHub for free using Jekyll (a ruby gem) & Disqus?

  • Don’t convince yourself that you have read the entire material on a particular technology and you don’t have anything to do till the next version releases. Foolish!
    Just check the extraordinary and evergreen research going on at universities like Stanford, Berkeley, CMU. You will be amazed. When you are writing about HTML5 syntax in your blog, researchers are coming up with innovative ways of solving severe security flaws at protocol level and giving you a simple syntax. Grow up and widen your learning.

Hope the post provided useful information and motivated you enough to gear up for the next level. Let me know what you feel in the comments below. Happy learning! :)

What web devs should know about HTTP ”Referer” header

Every HTTP request has a set of Request Headers which carry pieces of useful information from the client to the server. One such request header is the "Referer" header, which contains address of the previous page from which the current page was requested.

E.g., if you search for "HTML5" on Google and click on the first result (link to Wikipedia's page), you are navigated to Wikipedia's HTML5 page and the "Referer" header contains the address of the previous page (i.e., Google's search results page). Check the details in the below screenshot of the IE9 F12 toolbar.

[Screenshot: IE9 F12 toolbar showing the Referer request header]

Over the years, “Referer” header (actual spelling should be “Referrer”, but it was misspelt in specs itself :p) has been used in several useful scenarios.

Fun with referrer:

By using the “document.referrer” property in JavaScript, the address stored in the Referer header can be read. Using this, web pages of the Web 1.0 era displayed welcome messages, special offers, redirected to personalized landing pages etc.:

if (document.referrer != ''){
alert('Hey! Welcome from '+ document.referrer);
}

CSRF protection:

Cross Site Request Forgery (CSRF) is a well known web based attack using which an attacker can make requests on behalf of the user. Leveraging CSRF, an attacker can construct GET/POST requests in a web page and make the victim open the page:

<!-- If this image tag is injected, it generates the below dangerous GET request -->
<img src="http://bank.com/funds/transfer?amount=10000&targetAccount=9876543210"/>

To defend against CSRF, the server has to differentiate between HTTP requests originating from a genuine user’s page vs an attacker’s page. Protecting against CSRF is a well explored area and it has several defenses such as using secret validation tokens, custom headers, Referer header etc. In most cases, the Referer header is used to check if the request is from the expected domain and not from attacker’s domain.

However, security experts have shown that referer headers can be easily stripped (Kotowicz’s demo) in all browsers and hence majority of CSRF defenses depending on referer header will fail.

Privacy Concerns:

In the era of social networks and personalization, data has become the currency of the web. By looking at the Referer header, advertisers can learn from which page a user has reached the current page and provide more relevant ads. This means the browsing habits of users are being exposed to the cloud (watch this Defcon video- How our Browser history is leaking into the cloud).

Till recently, Facebook exposed user’s unique Id in Referer header which caused serious concerns. Sites which are too concerned about privacy prefer to strip referer header and stay safe.

Damn! What web developers frequently use in their requirements is in fact not a recommended practice! Solutions are coming up!

Origin Header:

Researchers at the Stanford Web security lab proposed that a new header called the Origin header should be used to identify where requests come from. It differs from the Referer header in that it contains just the origin (scheme://host:port) and not the entire address of the previous page. So this removes the privacy concern and can be used as protection against CSRF.

As far as I’ve seen, Origin header is implemented in Firefox, Chrome as an experimental feature and needs standardization (needs further verification).

Noreferrer: HTML5 introduces a new link type attribute called “noreferrer”. When an anchor tag is decorated with “rel=noreferrer” attribute, the pages which follow the hyperlink will not include referrer information in the header. This would pull down the privacy problem caused by Referer header. As of now, no browser supports this ‘noreferrer’ attribute.

So, the take away is, HTTP Referer header may be a handy option but it bears its own security and privacy problems and hence should be evaluated carefully. Instead, Origin header would be an ideal solution which would cater to the needs of web developers, respecting security and privacy.
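As an added example (not code from the original post), here is the server-side check the CSRF and Origin header sections describe, written as a plain Node function over a request's headers. It prefers the Origin header, falls back to Referer, and treats a missing or unparsable header as a failure instead of letting the request through, which is the case a Referer-only check gets wrong once the header has been stripped. The function names and the expected origin "http://bank.com" (from the example above) are my own choices.

```javascript
// Added example, not code from the original post: a same-origin check for
// state-changing requests using the Origin header first and Referer second.
// Function and parameter names are my own.

// Reduce a full URL to its origin (scheme://host[:port]); null if unparsable.
function originOf(urlString) {
  try {
    return new URL(urlString).origin;
  } catch (_) {
    return null;
  }
}

// `headers` is a plain object with lower-case keys, as Node's http module
// provides them; `expectedOrigin` is the site's own origin, e.g. 'http://bank.com'.
function checkRequestOrigin(headers, expectedOrigin) {
  const origin = headers['origin'];
  if (origin !== undefined) {
    // Origin carries no path, so it can be compared directly.
    return origin === expectedOrigin
      ? { allowed: true, reason: 'origin header matches' }
      : { allowed: false, reason: 'origin header mismatch' };
  }

  const referer = headers['referer'];
  if (referer === undefined) {
    // A stripped Referer must fail closed; allowing it here is exactly
    // what makes Referer-only CSRF defenses bypassable.
    return { allowed: false, reason: 'neither origin nor referer header present' };
  }
  return originOf(referer) === expectedOrigin
    ? { allowed: true, reason: 'referer origin matches' }
    : { allowed: false, reason: 'referer origin mismatch' };
}

// Constructed sample requests for the funds transfer endpoint above.
const BANK = 'http://bank.com';
const samples = {
  genuine:   { origin: 'http://bank.com', referer: 'http://bank.com/funds' },
  forged:    { origin: 'http://other.example', referer: 'http://other.example/page' },
  stripped:  {},                                          // Referer removed
  lookalike: { referer: 'http://bank.com.other.example/' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, checkRequestOrigin(headers, BANK));
}
```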