Web security News - 12/29/2006 Backdooring UIML's and Existing JavaScript Applications

News

Web Server Security

Phishing

Database Security

Application Server Security

Library

Vulnerability Archive

Secure Development

Web Services

Pen Test

AJAX

Application Firewalls

Main -> Internet Security News

TOPIC'S

Advertising

Old News

About

Resume

Contact

FAQ

Irc

Links

Books

Demos

Papers

Downloads

Advisories

Contributions

Security Services

Submit News

Syndicated News

Hosting generously provided by

www.mv.com

12/29/2006 Backdooring UIML's and Existing JavaScript Applications

One of the more interesting aspects of so called 'Rich Internet Applications' involves User Interface Markup Languages such as XUL (By Mozilla, been around awhile) and XAML/XBAP (.NET 3.0 the new kid on the block). Essentially these languages allow you to 'paint' buttons, menubars, grids, forms, messageboxes, and other GUI components associated with HTML and Forms UI (including progress meters) by specifying certain XML tags. The goal is to quickly develop applications using XML, and then using backend code to perform a function (usually written in JavaScript or .NET).

If you're reading this you're probably interested in attacking these sorts of applications, same here! Ok we know everything is xssable but how can XSS impact a UIML based application? One example would be to find a website using this type of technology and find an xss issue in it. Ok so far this is pretty standard however instead of actively attacking the UIML application directly lets instead make a copy of it and sniff its usage thereby making a 'trojaned' copy. If you can utilize an existing xss flaw you can create a new link to your own copy of the UIML based (externally hosted or with the data URI trick) application which essentially sniffs what the user is doing before performing the action (You record everything they do, then perform the actual duties). Javascript does not support overloading however does allow you to define a method twice, and the second declaration will win. If you can XSS after the JS inclusion (which is often the case) you can override it.

Much like an existing website a UIML application may perform a transaction or a duty containing sensitive user information requiring a login first. If you emulate the application you will have the ability to know when the user has logged in and once you can identify this, perform whatever duty it is that you want to do. While writing this news entry a paper came to my attention discussing backdooring Ajax applications that was released during the CCC conference. Be sure to check it out.

UPDATE:
Here are some sample UIML applications so you have an idea of exactly what I'm talking about.
XUL: http://www.faser.net/mab/chrome/content/mab.xul (Mozilla Only)
WPF/XBAP: http://www.mobiform.com/demos/paintfactory/WebPaintFactory.xbap (.NET 3.0 Beta must be installed!)(IE Only)
WPF/XBAP/XAML: http://scorbs.com/workapps/woodgrove/Finance.xaml (.NET 3.0 Beta must be installed!)(IE Only)
WPF/XBAP : http://scorbs.com/workapps/woodgrove/FinanceApplication.xbap (Same req as above)

Link to this Story: 12/29/2006 Backdooring UIML's and Existing JavaScript Applications
Link: Have a Site Suggestion, Material Request, or News? Submit it!
News RSS Feed: Web Security news RSS Feed