This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "3rd Party Javascript Management Cheat Sheet"

From OWASP
Jump to: navigation, search
(added link to DOM_Based_XSS)
(Added information about SRI)
Line 45: Line 45:
  
 
If this generated javascript contains vulnerabilities like cross site scripting or is changed in any way to execute malicious behavior by a hacker with access to the vendor code or the tag manager configuration, there is no way to detect that.
 
If this generated javascript contains vulnerabilities like cross site scripting or is changed in any way to execute malicious behavior by a hacker with access to the vendor code or the tag manager configuration, there is no way to detect that.
 +
 +
Good news is you can decrease these risks with help of [https://www.w3.org/TR/SRI/ Subresource Integrity]. To ensure that only the code that has been reviewed is executed, the developer generates integrity metadata for the vendor javascript, and adds it to the script element like this:
 +
 +
<script src="https://analytics.vendor.com/v1.1/script.js"
 +
  integrity="sha384-MBO5IDfYaE6c6Aao94oZrIOiC7CGiSNE64QUbHNPhzk8Xhm0djE6QqTpL0HzTUxk"
 +
  crossorigin="anonymous"></script>
 +
 +
It is important to know that in order for SRI to work, the vendor host needs [[https://www.w3.org/TR/cors/ CORS]] enabled.
  
 
==  Server Direct ==
 
==  Server Direct ==
Line 92: Line 100:
 
* [https://github.com/cure53/DOMPurify DOMPurify] is a fast, tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.
 
* [https://github.com/cure53/DOMPurify DOMPurify] is a fast, tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.
 
* [https://github.com/hackvertor/MentalJS MentalJS] is a JavaScript parser and sandbox. It whitelists JavaScript code by adding a "$" suffix to variables and accessors.
 
* [https://github.com/hackvertor/MentalJS MentalJS] is a JavaScript parser and sandbox. It whitelists JavaScript code by adding a "$" suffix to variables and accessors.
 +
 +
= Sandboxing with iframe =
 +
 +
You can also put vendor javascript into iframe from different domain (e.g. static data host). It will works as a "jail"
 +
and vendor javascript will not have direct access to the host page DOM and cookies. The host main page and sandbox iframe can communicate between each other via [https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage postMessage mechanism].
  
 
= Vendor Agreements =
 
= Vendor Agreements =

Revision as of 21:40, 17 April 2016

Cheatsheets-header.jpg

Last revision (mm/dd/yy): 04/17/2016

Introduction

The rationale for third party vendor javascript ('tags') is to provide data from the user's browser DOM to the vendor for some form of marketing analysis. This data can be anything available in the DOM. The data is used for user navigation and clickstream analysis, identification of the user to determine further content to display etc., and various marketing analysis functions.

The term 'host' refers to the original site the user goes to, such as a shopping or news site, that contains or retrieves and executes third party javascript tag for marketing analysis of the user actions.

Security Risk

The security risk from these tags arises from the fact that they are unreviewed code that executes on the client when the client goes to the host site. The host site organization has never seen or executed the code before it arrives in the browser of a user on the host site. All the server code review means nothing, a web application firewall means nothing. None of the *AST technologies will help (IAST, RAST, SAST, DAST (AKA web application vulnerability scanning)) because the tag code goes directly from the tag vendor to the user browser. DAST usually looks at the application responses and emulates a browser, but there are no application responses here, just direct calls from the browser to load the tags.

The most common security risk is DOM Based XSS, which has been detected in major production web sites. (see references below). In a nutshell the issue happens because the tag javascript can get a value from some DOM element like a request parameter or URL fragment and copy it to a location in the page that will execute javascript.

3rd Party JavaScript Deployment Architectures

There are three basic deployment mechanisms for third party vendor javascript, or 'tags'.

Vendor Javascript on page

This is where the vendor provides the host with the javascript and the host puts it on the host page. To be secure the host company must review the code for any vulnerabilities like cross site scripting or malicious actions such as sending sensitive data from the DOM to a malicious site. This is often difficult because the javascript is commonly obfuscated.

Javascript Request to Vendor

This is where one or a few lines of code on the host page each request a javascript file or URL directly from the vendor site. When the host page is being created, the developer includes the lines of code provided by the vendor that will request the vendor javascript. Each time the page is accessed the requests are made to the vendor site for the javascript, which then executes on the user browser.

Indirect request to Vendor through Tag Manager

This is where one or a few lines of code on the host page each request a javascript file or URL from a tag aggregator or tag manager site; not from the javascript vendor site. The tag aggregator or tag manager site returns whatever third party javascript files that the host company has configured to be returned. Each file or URL request to the tag manager site can return lots of other javascript files from multiple vendors.

The actual content that is returned from the aggregator or manager (i.e. the specific javascript files as well as exactly what they do) can be dynamically changed by host site employees using a graphical user interface for development, hosted on the tag manager site that non-technical users can work with, such as the marketing part of the business. The changes can be either 1. get a different javascript file from the 3rd party vendor for the same request; 2. change what DOM object data is read, and when, to send to the vendor.

The tag manager developer user interface will generate code that does what the marketing functionality requires, basically determining what data to get from the browser DOM and when to get it. The tag manager always returns a 'container' javascript file to the browser which is basically a set of javascript functions that are used by the code generated by the user interface to implement the required functionality. Similar to java frameworks that provide functions and global data to the developer, the container javascript executes on the browser and lets the business user use the tag manager developer user interface to specify high level functionality without needing to know javascript.

Security Problems with requesting Tags

Mechanisms 2 and 3 are difficult to make secure because you can only see the code if you proxy the requests or if you get access to the GUI and see what is configured. The javascript is generally obfuscated so even seeing it is usually not useful. It is also instantly deployable because each new page request from a browser executes the requests to the aggregator which gets the javascript from the third party vendor. So as soon as any javascript files are changed on the vendor, or modified on the aggregator, the next call for them from any browser will get the changed javascript.

If this generated javascript contains vulnerabilities like cross site scripting or is changed in any way to execute malicious behavior by a hacker with access to the vendor code or the tag manager configuration, there is no way to detect that.

Good news is you can decrease these risks with help of Subresource Integrity. To ensure that only the code that has been reviewed is executed, the developer generates integrity metadata for the vendor javascript, and adds it to the script element like this:

<script src="https://analytics.vendor.com/v1.1/script.js" 
  integrity="sha384-MBO5IDfYaE6c6Aao94oZrIOiC7CGiSNE64QUbHNPhzk8Xhm0djE6QqTpL0HzTUxk"
  crossorigin="anonymous"></script>

It is important to know that in order for SRI to work, the vendor host needs [CORS] enabled.

Server Direct

The tag manager developer user interface can be used to get data from anywhere in the browser DOM. This can allow vulnerabilities because the interface can be used to generate code to get unvalidated data from the DOM (e.g. URL parameters) and store it in some page location that would execute javascript.

The best way to constrain the generated code is to confine it to getting DOM data from a host defined data layer.

With this mechanism, only the javascript you (the host site owner) generate using the tag manager developer user interface will get and send data values to the tag manager or tag aggregator site which then sends the data to vendors. This the most secure technique because only your javascript executes on your users browser, and only the data you decide on is sent to the vendor.

This requires cooperation between the host, the aggregator or tag manager and the vendors.

The host developers have to work with the vendor in order to know what type of data the vendor needs to do their analysis. Then the host programmer determines what DOM element will have that data.

The host developers have to work with the tag manager or aggregator to agree on the protocol to send the data to the aggregator: what URL, parameters, format etc.

The tag manager or aggregator has to work with the vendor to agree on the protocol to send the data to the vendor: what URL, parameters, format etc. Does the vendor have an API?

Security Standards

Server Direct Data Layer

The server direct mechanism is a good security standard for third party javascript management, deployment and execution. A good practice for the host page is to create a data layer of DOM objects. The data layer is either 1. a DIV object with attribute values that have the marketing or user behavior data that the 3rd party wants. or 2. a set of JSON objects with the same data. Each variable or attribute contains the value of some DOM element. The data layer is the complete set of values that all vendors need for that page. The data layer can also perform any validation of the values, especially values from DOM objects exposed to the user like URL parameters and input fields, if these are required for the marketing analysis.

An example statement for a corporate standard document is 'The tag javascript can only access values in the host data layer. The tag javascript can never access a URL parameter.'.

You the host page developer have to agree with the 3rd party vendors or the tag manager what attribute in the data layer will have what value so they can create the javascript to read that value.

Indirect Requests

For indirect requests to tag manager/aggregator sites that offer the GUI to configure the javascript, they may also implement technical controls such as only allowing the javascript to access the data layer values, no other DOM element. The host company should also verify the security practices of the tag manager site such as access controls to the tag configuration for the host company.

Letting the marketing folks decide where to get the data they want can result in XSS because they may get it from a URL parameter and put it into a variable that is in a scriptable location on the page.

Do it Yourself

Bringing these features all in house may not be feasible given the number of different 3rd (and 4th and 5th) party scripts used (sometimes more than 50) and the business functions they perform, and the speed with which the business needs to turn on, change and turn off various functions.

Sandboxing Content

Both of these tools be used by sites to sandbox/clean DOM data.

  • DOMPurify is a fast, tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.
  • MentalJS is a JavaScript parser and sandbox. It whitelists JavaScript code by adding a "$" suffix to variables and accessors.

Sandboxing with iframe

You can also put vendor javascript into iframe from different domain (e.g. static data host). It will works as a "jail" and vendor javascript will not have direct access to the host page DOM and cookies. The host main page and sandbox iframe can communicate between each other via postMessage mechanism.

Vendor Agreements

You can have the agreement with the 3rd parties say that they have to implement and prove secure coding and general corporate security.

References

https://randywestergren.com/widespread-xss-vulnerabilities-ad-network-code-affecting-top-tier-publishers-retailers/

Authors and Primary Editors

Jim Weiler - [email protected]

Other Cheatsheets