Okay. The talk is called JavaScript Gone Wild. I will ask again, how many people get the cultural reference here? It's a parody on something. Oh, good. Yeah, some people know about this. So it's cultural. It's an American cultural icon. Okay. The reference I'm trying to point to is that there is a series of videos, website DVDs, about something called Girls Gone Wild, which is popular in the US. The important part to get from that is that the premise, the USP of that DVD series or whatever, is that it's supposed to be unexpected. They don't know what they're going to shoot next because it's unscripted. Okay, it's a little abstract or whatever. I wanted to try all these jazzy text effects. There's a warning. I'm warning you the content of the code is not safe for work. I'm being absolutely clear about it. Okay, so the content, okay, but you will learn something interesting. Some of you may already be using this, but I just wanted to, you know, try this. The content of the code is not safe for work. So if you go back and you want to try this on your website or your friend's website or some other website which you do not own or, you know, you're not authorized to look at, then it's kind of illegal in India. So get your permissions in place. There are no dirty pictures. It does not have any dirty pictures. That's from a movie which is going to release next month or something. It's got Vidya Balan in it. And it's light on technical content. It's a different kind of presentation. I might, like, really, you know, fail at this. It might bomb completely, but I'm guessing you guys will have fun. You'll laugh. And it's important. It's a session after lunch. That's actually, you know, the bottom half of Miller Lite, which is a beer in the U.S., if you want to know. Why bother? If it's light on technical content, there are no dirty pictures, and the content of the code is not safe for work, why bother? Okay.
What I'm trying to do is, like, plant a seed of an idea, which is from another Hollywood movie, Inception. You can see the totem. It doesn't look that good right now, but whatever. It's from this movie called Inception, which had a bunch of things. There are theories around what really happened in the movie. They were like dream, dream, dream, whatever. But you know, a lot of you, almost all of you, are developers. I guess there are more server-side developers who do JavaScript than purely front-end JavaScript developers. But JavaScript is a very powerful language. And some people might not agree. They think that Flash is also important in this whole thing, but whatever. So, since he mentioned Silverlight, are you still working for Microsoft? He used to. So, Microsoft ships this, you know, new OS called Windows 7. And mostly you get the 64-bit edition. And you know what's with Silverlight? If you go to a Microsoft.com page where they want you to install the plugin for Silverlight, and then you click on that link to say install, then you get to this other page where it says, sorry, this plugin doesn't work in 64-bit operating systems. So it's kind of like a non-starter right now. Okay. Come in, come in. We haven't done anything important yet. So the interesting thing is I would like to cover something which maybe a lot of you don't really think about, because you are really busy with your continuous integration and, you know, your test suites and a bunch of other cool things, especially Node.js. Do you want to close the door? What is the idea I'm going to plant? Oh, it looks better on my screen. Okay. I don't know what goes wrong here. The idea is: JavaScript code showing up in unexpected places can have unintended consequences. That's it. You know, that's all the gyan I have. The rest is all about, you know, showing this up. So if you have another talk, you can please, you know, give me a plus one and go. Okay. I'm making it efficient.
And the important part is, if unexpected places and unintended consequences, that's not a bad thing. Okay. What I'm trying to say is, can you have fun and somehow profit from that? Okay. See, a lot of you are intrigued now. You're, like, really thinking this is a how-to-become-a-millionaire kind of talk or something. It can be. A lot of people in Eastern Europe have become rich because of this, simply because of JavaScript, not Silverlight, maybe Flash, but definitely because of JavaScript. And anyone who's run a website for some time, maybe like, you know, three, four years, anyone who has multiple websites and does not have a lot of technical resources, has faced issues of security. And maybe, you know, they had bugs in their SQL code or whatever, might be familiar with this. Okay. The important and the operative words are unexpected places. Now that's what I'm going to talk about. Maybe you have not really thought about this, or maybe you're already doing this. You're the expert. Please jump in. But you know, that's the interesting part about why I like JavaScript at all. Trivia question. First, do you know who this is? Do you know the movie? Yeah. What's the name? Someone said, yes, it's, um, oh, yes. Brilliant. That's the only relation it has. Okay. I just added this slide. I needed some extra content. Yeah. Well done. The movie is called Major League, and this guy is, like, kind of half blind in the movie. And he's in a baseball team, which kind of sucks. And then finally the coach realizes that he can't see who he's pitching to. He's supposed to be a pitcher, like the guy who, I mean, in America they just throw the ball, right? There's no bowling and all. So they make him wear these ugly glasses, but then he becomes, like, a super kick-ass pitcher and they start calling him Wild Thing. The only reason it's added is because JavaScript Gone Wild. So my wild idea number one: how many of you have tried this? Anyone? What?
Why wouldn't it work? I mean, that's the example I have. I have limited JavaScript skills. I'm starting with that. Okay. That's why it's light on technical content. So what are we doing? We are stealing a session cookie. What a session cookie does is allow your snazzy, you know, nice web apps to have authenticated users, because HTTP is stateless. Anyone disagree with that? So all this code does is, I don't know if it's visible. Yeah, it's visible. So I control a domain called evil.cxm and my script is called, you know, conveniently, cookie, and all I do is create an iframe and point the source to that. So if this gets executed in any user's context, which means that when they load some website and this JavaScript gets executed, this request, which is basically a GET request, will get logged in their web server logs, in my web server log, sorry. Okay. And the part about, that's just a DOM create, whatever you call it. You can have, you know, it can be a, you can even, like, redirect directly with a location or something. But in this sense, if you set the width and the height of the iframe to 0, 0, it's kind of invisible. Right? So in any place where you're able to inject JavaScript, or you have code where, you know, JavaScript can be injected, a cookie can be stolen. If someone steals a cookie, they can, you know, hijack the session. How? They can just create the same cookie in their browser and log in. There was this tool, a Firefox extension called Firesheep. How many of you tried that? Okay, a bunch of people. It was doing exactly this. You know, it was doing session hijacking, which is, like, taking the cookie and, you know, doing all the hard work for you so that you can log into your friends' Facebook or whatever you're doing. No, no, no, no. I'm just talking about sidejacking, session hijacking. That's just an extra piece of information. Stealing the cookie is session hijacking, so that's what it was doing.
There are a bunch of ways to do it. If a website has persistent XSS, I could do that. I could create a link which someone could load in their browser. I could send that link to them. There are a bunch of ways, but right now I'm not trying to talk about how you would inject, but, like, what you could do with the JavaScript after that. This is more about, like, what do you do with the JavaScript? It may not be an ad or a bookmark, it's just, you know, a tiny URL you create which you share on Facebook or something. Could be anything. So the idea is working. That's wild idea number one. This is from today morning. Okay. If you have a login form and if you have, you know, if you can inject JavaScript there, you can essentially repoint the action of the form to a domain that you control and submit it back to this domain. And I was looking for a screenshot, and this is something that I found in the morning. It's still there. What? See, it's pretty clear. The logo is there on the image. It's kind of blurred. It made a request like that. And the alert basically says JavaScript gone wild. It was just something that I thought was fun at that time. Whatever. So this is the other wild idea. It's like, if you can inject, if you have what we call XSS in your login form, or it could be a registration form, something similar can be done. Right? You can steal the username and password, and then you don't have to do the hard work of stealing the session and recreating it and doing the hijacking and all that. Then you just have the username and password in clear text with you. Any questions about this? There's another wilder idea. I have seen this happen in a lot of, stealing the Google PageRank. Now the code isn't proper. This value is different. Okay. This is just for clarity. But what happens is, when someone searches for this site in Google, they get the link. It could be the top link.
So which means there is some Google PageRank attached to that. I think a value between zero to nine or one to ten, and basically, only if you're coming from Google, you're redirected. Okay. So what it's essentially doing is stealing your PageRank, the Google PageRank. Okay. But do you guys, you know, ever check how does my site look when I go from Google or something? So that's another wild idea. JavaScript makes it possible. You can also do it in other server-side ways. But since this is JSFoo, so you know, we'll stick to that. And it's not very difficult to do, basically, if you're able to inject the JavaScript again. Have you ever encountered this? Everyone? So this is what happens when you use either Firefox or Chrome, because they're subscribed to something called safebrowsing.org, which has a database of sites which might be serving malware. And is there a question? Okay. So the wilder idea still is, what if the JavaScript, rather than, you know, redirecting to another page to steal Google PageRank, redirects you to, you know, a page which will allow downloading of some malicious software? Okay. And again, this JavaScript will enable this. It's as simple as that. There are server-side ways of doing this, but a small piece of JavaScript can enable this as well. A lot of attacks happen where, you know, hundreds of sites or thousands of sites get infected, or, like, a shared host gets infected. This kind of link gets added, and the users of these pages, when they visit these websites, get redirected, and then, you know, if the software gets downloaded, then maybe they'll get a virus or something. Another idea, which is the wildest one: you can log into an internal router. I mean, I'm using ADSL because most of our broadband connections are ADSL routers.
When you're using a default username and password, okay, so if you have a broadband internet connection and you have not changed the, you know, I'm guessing all of you have done that because you're all very smart people, but some people don't change the default username and password for the website which manages the router. Okay. And in a lot of cases it's usually a subnet or a network address of 192.168.1.0 or, you know, 0.0. And again, it can be a GET request in any other way, but a lot of times how it happens is using JavaScript, where you just set document.location and you can log in. Because that's basic HTTP authentication happening right there. Anyone who's not changed their default username and password and is willing to admit that? I guess that's one way to be secure. Yeah. So this again, this is known to happen. I have tried it a couple of times. I mean, it works with my ADSL router. There is someone who would like to answer your question. No, you just need to open your browser, go to some evil website, and where this thing will work. Okay. Yeah. Yeah. So what happens once you start the next part? Is it to start changing the router password, or do I have to get into your home network? You do that by, since you know the endpoint, so where is the router? Guess which router it is and put yourself in the DMZ. So you can start accessing the router from outside. Which ADSL router have you seen with any CSRF protection ever? I am yet to see any router with that. Why can't you submit a form? You can submit a form with JavaScript, right? No, you just, you know, the password is not changed. But I have seen a lot of people not change their default username and password. You can disable the firewall. Why? This is a direct request. It runs in the context of the user's computer, because JavaScript is executing in the user's computer. You can disable the firewall. You can change the DNS record.
CSRF protection will happen on the subsequent pages, because when you log in, it will send you a link and it will ensure to pass it on the subsequent request. And you have that. If this succeeds, all subsequent forms will be submitted to you. Right. You can start at that. But how will... The first page is not available. It's not available. It's like all the CSRF applications are coming to you. What's your internet connection? CSRF, XSRF or whatever, is post-login. It assumes your login is already done. So you are able to do a login. If the user is already logged in, then it is CSRF. And then if CSRF protection exists, then you will not be able to do a subsequent send. No. The thing is, if you send this request where the user has already logged in, it will still go to the page. No. That's assuming the default username and password works. Yeah, obviously. You're talking about a scenario where the user has already saved a username and a password, or he has a session. Yes, in that situation, if there is CSRF protection on the router, you can't do anything subsequent. But he is saying that he is starting from a fresh login, because he knows the username and the password. And if he does a fresh login, then he is the one who will get the CSRF token from the server. I mean, if I am going to... You see, the document.location of the login, which is the router, is logged in, right? No, no, no. We open a lot of web pages. We go to a lot of websites. If you load a page which has this, it doesn't have to be an XSS. A lot of people don't use something like NoScript. By default, they trust the JavaScript they get from multiple domains on a page. So if that happens, then a login will go through. I have to move on. I am really happy with the discussion. That was the idea. So, since he mentioned Jeremiah Grossman, this is a screenshot from one of the presentations he has done, where using the script tag and in the source, just putting the IP address.
If we assume that the network subnet is 192.168.201.0, that's the network address, just sending... Doing a loop with the script source, he's figured out if a web server is running on port 80 or not. If a web server is running, the script source will get HTML rather than some JavaScript, and it will give an error. If you handle the error, it's an assumption, because it's like a remote attack, but you can do that. The other is something called history stealing, which has kind of become a little popular. More people know about it now because, I blame Reddit for that, but whatever. It's been there for a long time. Again, why? Because we tend to trust the JavaScript which comes from different pages. There are times when there are popular websites, they run their own ad servers, and I can't... What's our open source ad server? OpenX, right? Yeah, so they've had a couple of exploits in their code which were not fixed for over three months. So when an ad server gets hacked and those ads are being served from another page, JavaScript can again come to your browser. It will get executed, which is why I said JavaScript is very powerful. You're allowing untrusted code to execute in your browser. And it's in the context of your computer. So if your computer can reach another IP address, then the JavaScript can reach another IP address, because it can make these requests. And it becomes... I think it becomes a little shady when you enable XHR as well. And I guess you guys are better at writing these Ajax requests than I am, so... There are two things they're showing here. One is being able to figure out what are the internal web servers. Now what you do with those internal web servers is a separate discussion. The second is what are the kind of websites you visit. Right?
And since we're talking about this, as far as this attack is concerned, it was first detected being used by a lot of pornography websites to figure out what kind of content to serve if you somehow stumble on a pornography website and you visited something before. It's called a history-stealing attack, based on the color of a visited link being different from an unvisited link. Yeah, I know, I read about that, but again, a lot of people have been talking about that these browsers are not updated and all that. Allowing untrusted code in the browser is not the smartest thing to do. So use Firefox, use NoScript. And if Chrome has something similar, use that. Does it? That would happen definitely. You can, but that would happen definitely. Can I come by? Okay. You code, why not? Set the developer in. Yeah. Who did not demo his socket.io code today. Okay, so this is a site, okay? You get the movie reference? So this movie is also going to release sometime soon. They're not paying me for all this, okay? It's called, it's actually called, it's actually called... The reason I'm showing this slide is, like, it's very interesting. If you are JavaScript programmers, this is one person you should be aware of, not the people from that movie, the Bollywood movie, but this guy called Samy, which is not showing up there now. So Samy was this guy who didn't have a lot of friends on MySpace and he wanted to be popular. And he's, like, a kick-ass JavaScript guy, apparently, because he wrote an XSS worm. So he wrote this code which, when his friend visited, got copied to his profile, and when other people visited that guy's profile, they all became Samy's friend, and he single-handedly brought MySpace.com down, like, in 24 hours. And I'm talking about this before Facebook came, and MySpace was big and people were, like, using it, at least in the US. So apparently, that's again from his website, that he had, from zero, he had, like, okay, from one.
As soon as you used to log into MySpace, there was a guy called Tom who would be your friend. He had a million friends in 24 hours. So if you're talking about performance and server load, that's something interesting to look at. He still has the code hosted on his website, and he was afraid that he'd get arrested, but he's still doing web app hacking. He has this amazing talk called How I Met Your Girlfriend. You should definitely watch it. If you're, like, somewhat interested in security after this talk, you should definitely watch that thing. It's brilliant. You agree, right? It was, no, he misused one of the places where you could change the CSS, right? It was a theme. MySpace allowed themes at one point. So I don't think it was a request for this. No, no, but to change the theme, you have to do a CSRF. No, no, it was allowed. It was a feature given by them. It's not paid to change my profile. It's using my number to do a CSRF request so that it gets my theme, right? And then the base of the theme is XSS, because then somebody else who's on MySpace will essentially get that. So it is a combination of both. But Oracle was never that popular, right? Apparently, till this guy figured it out, it was a mythical thing, an XSS worm. That's what I understand from this. So in that way, it was a path breaker. It was very cool. And all he wanted to do was, he wanted some friends. He wanted to be popular on MySpace, yeah. And the code is available. You can actually go through the entire code of his worm. It's on his website. Just search for "Samy is my friend" or something. I think they suspended his account and he was glad that they didn't charge him and put him in jail or something. But he was not allowed to touch a computer for two years. He was on probation. But he came back and then figured out stuff with Facebook, and then he was like, How I Met Your Girlfriend.
Okay, so jumping to certain conclusions about this: JavaScript can be pretty wild if it shows up in unexpected places. One of the things that I wanted to talk about, and obviously there are some very qualified people sitting here, is that a lot of us don't think about that JavaScript can have consequences if it turns up in places where it's not meant to. You know, it's not meant to execute or whatever. Like injecting JavaScript where, you know, you're expecting CSS to be there. So, and again, it's very powerful. The very idea that outside code is allowed execution in the browser is radical and dangerous. Okay, I'm making a very controversial statement, because most of your internet websites will stop working if you do that. Like, if you actually use NoScript diligently, most of the websites will not work, at least parts of the websites. Like, even Google Analytics doesn't work if you have NoScript enabled. But in some websites, you know, you can get away with just enabling parts of the websites, parts of the domains that you trust. I'm not asking you to start, you know, distrusting or start trusting JavaScript, but be aware that this is still code from outside, okay? And apart from the internet or whatever, you know, you don't really see that happening. Like, you know, there are these ads for car spare parts where they say that you should not buy spare parts which are not genuine or whatever. I mean, they say it for a reason, right? Well, since he's mentioned this, there were, like, three instances of them finding bugs in that. Why is it better? Okay, I promise I did not plant him there, okay? He's asking all these questions on his own account. Why is it better? But you're trusting? Okay, I'm going to move on, because I just have five minutes and I want to, like, pin myself. My name is Akash Mahajan. I'm a web security consultant. I have a website or whatever.
If you have any questions about security or anything generally about JavaScript, interesting stuff, please feel free to send me a mail. Any questions? I think we've covered some of it. I don't have a place where, you know, you can put any user input in my website. I don't have a form on my website. It's just some... Yeah, that's... Yep, just the last part. It's your dress level. The last part, the trivia answer which this guy got: there was a theme song that was played every time that guy would walk in to pitch with those weird glasses, and it said, "Wild thing, you make my heart sing" and all. Okay, that's all I have. Thank you so much. Pack forms on your way out. Thank you.