Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
Browsers are escalating their feature sets to accommodate new specifications such as HTML 5, XHR Level 2 and DOM Level 3. These form the backbone of next generation applications running on mobile devices, PDAs and desktops. The blend of DOM (remote execution stack), XHR L2 (sockets for injections) and HTML5 (exploit delivery platform) is becoming an easy victim for attackers and worms. We have already witnessed these types of attacks on popular sites like Twitter, Facebook and Yahoo. It is essential to understand the attack surface and vectors in order to protect next generation applications. The attack surface has expanded enormously with the inclusion of features like audio/video tags, drag/drop APIs, CSS opacity, localStorage, web workers, DOM selectors, mouse gesturing, native JSON, cross-site access controls, offline browsing, etc. This extension of the attack surface and the exposure of server side APIs allow attackers to perform the following attacks and abuses:
XHR abuse with attacking Cross Site access controls using level 2 calls
JSON manipulations and poisoning
DOM API injections and script executions
Abusing HTML5 tag structure and attributes
Localstorage manipulation and foreign site access
Attacking client side sandbox architectures
DOM scrubbing and logical abuse
Browser hijacking and exploitation through advanced DOM features
One-way CSRF and abusing vulnerable sites
DOM event injections and controlling (Clickjacking)
Hacking widgets, mashups and social networking sites
Abusing client side Web 2.0 and RIA libraries
We will cover the above attacks and their variants in detail, along with some real life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will look at some new scanning tools and approaches for identifying some of these key issues.
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
Hacking browser components by reverse engineering is emerging as the best way of discovering potential vulnerabilities across web applications in an era of Rich Internet Applications (RIA). The RIA space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, extended DOM and numerous third party libraries. Browsers are the target of hackers, worms and malware with specific scope, almost on a daily basis. We have seen exploitation of these technologies on popular sites like Facebook, Twitter, Yahoo and Google, to name a few. The traditional boundaries of web applications are disappearing. Browsers today host a substantial part of web applications, including data access, business logic, encryption, etc., along with the presentation layer. This shift is making browser components a potential target for hackers. The danger of poorly written browser components being
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During his session he will cover the top 10 vulnerabilities of 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today's corporate websites, learning real-world solutions to today's web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
In this presentation I have tried to identify the common loopholes through which web applications may fall prey to attackers, the common tools used in the trade, and some preventive security measures to put us on the safer side.
Cross-Site Request Forgery (CSRF for short) is a kind of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using the active session of one of its authorized users.
In simple words, it's when an "evil" website posts a new status to your Twitter account during your visit, while your login session on Twitter is still active.
For security reasons the same-origin policy in browsers restricts browser-side programming languages such as JavaScript from accessing remote content.
As browser configurations may be modified, the best way to protect a web application against CSRF is to secure the web application itself.
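A defensive illustration of the point above (an added example, not code from the original presentation): a hypothetical Python request checker that treats the session cookie alone as insufficient proof, because the browser attaches it to cross-site posts too, and instead requires a per-session synchronizer token plus a matching Origin header. The site origin, the session store and the request dicts are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed session store for the hypothetical app: session id -> per-session CSRF token.
SESSIONS = {"sess-abc123": secrets.token_hex(16)}
SITE_ORIGIN = "https://social.example"  # placeholder origin of the protected site


def issue_token(session_id: str) -> str:
    """Token the site embeds in its own forms; only same-origin pages can read it."""
    return SESSIONS[session_id]


def is_csrf_safe(request: dict) -> bool:
    """Accept a state-changing request only if it provably came from our own site.

    request is a constructed dict with keys: method, cookies, headers, form.
    """
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must never change state, so nothing to protect
    session_id = request["cookies"].get("session")
    if session_id not in SESSIONS:
        return False
    # Check 1: Origin header (falling back to Referer) must match our site.
    origin = request["headers"].get("Origin")
    if origin is None and request["headers"].get("Referer"):
        parts = urlsplit(request["headers"]["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != SITE_ORIGIN:
        return False
    # Check 2: submitted token must equal the session's token (constant-time compare).
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, SESSIONS[session_id])


def legit_request() -> dict:
    """Constructed POST from the site's own status form, token included."""
    return {"method": "POST", "cookies": {"session": "sess-abc123"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"status": "hello", "csrf_token": issue_token("sess-abc123")}}


def forged_request() -> dict:
    """Constructed POST an auto-submitting form on an "evil" page would produce:
    the browser still attaches the session cookie, but the token is unknown to the
    attacker page and the Origin is the attacker's site."""
    return {"method": "POST", "cookies": {"session": "sess-abc123"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"status": "pwned"}}
```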
Web Application Security and Release of "WhiteHat Arsenal"
Jeremiah Grossman
The discussion will include the theory surrounding some of the more dangerous web application attacks known, how to test for them quickly, and how to determine possible countermeasures. Insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. It is for these very reasons that WhiteHat Security Inc. is pleased to introduce its new release, "WhiteHat Arsenal", the next generation of professional web security audit software.
WH Arsenal possesses a powerful suite of GUI-Browser based web security tools. These endowments make WH Arsenal capable of completing painstaking web security pen-test work considerably faster and more effectively than any of the currently available tools. Imagine employing WH Arsenal to quickly customize and execute just about any web security attack possible and having those penetration attempts logged in XML format for later reporting or analysis.
Many experienced web security professionals tend to agree that even the best current web security scanners, which scan only for known vulnerabilities, achieve only very limited success or simply do not work at all. Furthermore, these types of tools often result in an enormous overflow of false positives. WhiteHat understands these frustrating shortcomings and is poised to revolutionize the way in which web applications are penetration tested.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
Advanced Web Services Hacking (AusCERT 06)
Shreeraj Shah
Advanced Web Services Hacking - Attacks & Defense (AusCERT 2006).
Web services attacks are on the rise with the evolution of web applications that consume back-end web services over SOAP. UDDI, SOAP and WSDL are the three important building blocks of this new attack vector. Several attacks are evolving around web services, such as UDDI enumeration, XPath injection, XML poisoning, WSDL scanning and SOAP brute-forcing. At the same time, a new range of defenses is evolving for web services with SOAP filtering. It is critical to know the methodologies, attack vectors and defense strategies before deploying web services into the corporate environment. This paper discusses advanced web services hacking methods and defense approaches.
Slide 7: Major Overlap in Web Apps (diagram: Presentation Layer, Business Layer, Utility Layer, Data Access, Authentication, Communication, etc.; Runtime, Platform, Operating System Components; Server side Components; Client side Components (Browser))
Slide 9: Next Generation Architecture (diagram: HTML / JS / DOM, RIA (Flash), Ajax, Browser, Internet; Database, Authentication, Application Infrastructure, Web Services End point; Internet sources: Blog, Web 2.0 Start, Mails, News, Documents, Weather, Bank/Trade, RSS feeds)
Speaker notes: the famous web application setup diagram. Walk through each component and mention its role:
- Web client - HTTP connections
- Firewall - lets in only HTTP requests, and allows only outbound HTTP responses
- Web server - handles all initial requests
- Applications - run either on the web server, or on app servers
- Database - SQL databases, and connection interfaces