Hacking Facebook

JavaScript Sandboxing and XSS Attacks

Jeff Walden

What is XSS?

• Using unsanitized, untrusted data to change page layout or execute JavaScript
• Vectors
  • Query strings
  • POSTed form variables

d(Ajax)/dt > 0 => d(XSS)/dt > 0

• Interactivity, scripting make XSS more likely
• Still, some safety through techniques like tainting

Facebook goes one better

• Running user code is a feature, not a bug!
• It's not a (completely) domain-specific language

FBJS

FBJS

<div onclick="document.getElementById('out')
                       .setTextValue('hovered');">
This is Facebook application code!
</div>
<div id="out"></div>

Preventing XSS: goals of sandboxing

• Preventing executing arbitrary code
• Preventing direct access to native objects
• Preventing direct access to the global object

(Goals initially stated by Neil Mix in a blog post)