HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits
Shreeraj Shah, 2/23/2012


  1. Who Am I?
     • Founder & Director – Blueinfy Solutions Pvt. Ltd. – SecurityExposure.com
     • Past experience – Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino – Dev)
     • Interest – Web security research
     • Published research
       – Articles / Papers – Securityfocus, O’Reilly, DevX, InformIT etc.
       – Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
       – Advisories – .Net, Java servers etc.
       – Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
       – Books (Author) – Web 2.0 Security: Defending Ajax, RIA and SOA; Hacking Web Services; Web Hacking

  2. Agenda
     • HTML5 & Security – Evolution, Threat Model, Browser Architecture …
     • Top 10 Threats – Demos, Tools and Vectors …
       A1 - CORS Attacks & CSRF
       A2 - ClickJacking, CORJacking and UI exploits
       A3 - XSS with HTML5 tags, attributes and events
       A4 - Web Storage and DOM information extraction
       A5 - SQLi & Blind Enumeration
       A6 - Web Messaging and Web Workers injections
       A7 - DOM based XSS with HTML5 & Messaging
       A8 - Third party/Offline HTML Widgets and Gadgets
       A9 - Web Sockets and Attacks
       A10 - Protocol/Schema/APIs attacks with HTML5
     • Conclusion and Questions

     HTML5 & Security

  3. HTML5 – Attacks on the rise …
     Evolution of HTML5
     • 1991 – HTML started (plain and simple)
     • 1996 – CSS & JavaScript (Welcome to the world of XSS and browser security)
     • 2000 – XHTML1 (Growing concerns and attacks on browsers)
     • 2005 – AJAX, XHR, DOM (Attack cocktail and surface expansion)
     • 2009 – HTML5 (Here we go… new surface, architecture and defense)
     [Diagram: HTML5 dynamics – client side (browser): HTML+CSS+JS; HTML5 (Storage, WebSocket, DOM, WebSQL, JS, XHR); Flash (AMF, Flex); Silverlight (XAML, WCF, .NET); Mobile (Android, iPhone/Pad); Other. Server side: Presentation Layer, Business Layer, Data Access Layer, Components, Authentication, Communication etc.; Runtime, Platform, Operating System Components]

  4. HTML5 in a nutshell – Specs
     Source: http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png
     Source: http://html5demos.com/
     Evolution going on by the Web Hypertext Application Technology Working Group (WHATWG)

     Modern Browser Model
     [Diagram: browser layers – Presentation: Mobile, HTML5 + CSS, Silverlight, Flash, API (Media, Geo etc.) & Messaging, Plug-In; Process & Logic: JavaScript, DOM/Events, Parser/Threads; Network & Access: WebSQL, Cache, Storage, XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services; Core Policies: SOP/CORS, Sandbox]

  5. HTML5 – App Layers
     • Presentation – HTML5 (Tags & Events – new model)
     • Process & Logic – JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc.
     • Network & Access
       – XHR – Level 2
       – WebSockets
       – Plugin-Sockets
     • Core Policies
       – SOP
       – Sandboxing for iframe
       – CORS

     Threat Model & HTML5 Components
     • CORS/SOP – Data transfer & Origin issues
     • Web Messaging – Cross Domain calls
     • Web Workers – Domain calls & Logic issues
     • LocalStorage – Information leakage & Identity
     • Web SQL – Offline & Data theft
     • UI/HTML5 – UI Redressing (mixed with CORS)
     • DOM/XHR – Several issues
     • APIs – Geo-Location, Sockets, Drag-Drop Abuse

  6. Attacks – Stealth and Silent …
     A1 - CORS Attacks & CSRF
     A2 - ClickJacking, CORJacking and UI exploits
     A3 - XSS with HTML5 tags, attributes and events
     A4 - Web Storage and DOM information extraction
     A5 - SQLi & Blind Enumeration
     A6 - Web Messaging and Web Workers injections
     A7 - DOM based XSS with HTML5 & Messaging
     A8 - Third party/Offline HTML Widgets and Gadgets
     A9 - Web Sockets and Attacks
     A10 - Protocol/Schema/APIs attacks with HTML5

     A1 - CORS Attacks & CSRF
     [Diagram: the browser-layer model from slide 4 (Presentation, Process & Logic, Network & Access, Core Policies), highlighting XHR 1 & 2 and SOP/CORS]

  7. HTML5, CORS & XHR
     • Before HTML5 – XHR was possible to the same origin only (SOP applicable)
     • HTML5 – allows cross origin calls with XHR Level 2
     • CORS – Cross Origin Resource Sharing needs to be followed (OPTIONS/preflight calls)
     • Adding extra HTTP headers (Access-Control-Allow-Origin and a few others)

     HTTP Headers
     • Request
       Origin
       Access-Control-Request-Method (preflight)
       Access-Control-Request-Headers (preflight)
     • Response
       Access-Control-Allow-Origin
       Access-Control-Allow-Credentials
       Access-Control-Expose-Headers
       Access-Control-Max-Age (preflight)
       Access-Control-Allow-Methods (preflight)
       Access-Control-Allow-Headers (preflight)

  8. Stealth threats
     • CSRF++ – powered by XHR-L2
     • XML/JSON Cross Domain stream injection
     • CORS preflight bypass – content-type
     • Internal network scanning and tunneling
     • Information harvesting (internal crawling)
     • Stealth browser shell – post XSS (Allow-Origin: *)
     • Forcing cookie replay by “withCredentials”
     • Business functionality abuse (upload and streams)

     CSRF with XHR/HTML5
     [Diagram: the user logs in to the web store over HTTPS (login request); the application server establishes the session and returns the session cookie to the client/victim browser; web store database behind the server]

  9. CSRF with XHR/HTML5
     [Diagram: browser JavaScript makes an XHR call to the application server; the user makes a buy over HTTP, placing an order via JSON services; success returned; web store database behind the server]
     [Diagram: attacker’s site loaded in the client/victim browser while the web store session is still live – not yet logged out]
     Leveraging XHR Call
     • Content-type to avoid preflight
     • “withCredentials” set to true
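The two XHR properties above, and the header list on slide 7, are worth seeing as a concrete decision procedure. The following is an added example, not code from the deck: it models the browser's CORS check (preflight or not, and whether a page may read the response, with and without credentials) and the server-side allowlist that avoids the "*" pitfall. Origins and header values are constructed samples.

```javascript
// Added example (not from the slides): browser-side CORS decision for an XHR
// Level 2 request using the slide-7 headers, plus a server-side allowlist
// helper. Origins and header values below are constructed samples.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Content-Types that do NOT trigger an OPTIONS preflight ("simple" requests).
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Case-insensitive header lookup on a plain object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// True when the browser must send an OPTIONS preflight before the request.
// A POST with a simple Content-Type goes straight out, cookie and all, which
// is the "content-type to avoid preflight" point on slide 9.
function needsPreflight(method, contentType) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  if (!contentType) return false;
  const mediaType = contentType.split(";")[0].trim().toLowerCase();
  return !SIMPLE_CONTENT_TYPES.has(mediaType);
}

// Whether a page at `origin` may READ the response. CORS gates reading, not
// sending: the request (and, with withCredentials, the session cookie) has
// already reached the server by the time these headers are evaluated.
function responseReadable(origin, withCredentials, responseHeaders) {
  const allowOrigin = header(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;
  if (withCredentials) {
    // With credentials the browser rejects "*": the origin must be echoed
    // exactly and Access-Control-Allow-Credentials must be "true".
    if (allowOrigin === "*") return false;
    if (header(responseHeaders, "Access-Control-Allow-Credentials") !== "true") return false;
  }
  return allowOrigin === "*" || allowOrigin === origin;
}

// Server side: derive CORS headers from an explicit allowlist. Unknown origins
// get no CORS headers at all, so their scripts cannot read the response.
function corsHeadersFor(requestOrigin, allowlist, allowCredentials) {
  if (!allowlist.includes(requestOrigin)) return {};
  const h = { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
  if (allowCredentials) h["Access-Control-Allow-Credentials"] = "true";
  return h;
}
```

Note that `responseReadable` returning false does not undo the request: a simple POST has already executed server-side, which is why CORS alone is not a CSRF defence.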

  10. CSRF & HTML5
     CSRF with XHR/HTML5
     [Diagram: from the attacker’s site, XHR initiates the HTTP buy request against the web store; success – cookie replayed]
     Hence, Got it
     • Without victim’s consent or notice
     • Stealth HTTP request generated
     • Silent Exploitation takes place

  11. CSRF & HTML5
     CSRF/Upload
     • Powerful XHR Level 2 call allows file upload on the fly.
     • Interestingly – it is possible to craft a file through JavaScript and post it to the server – if there is no CSRF token.
     • Example: your profile has a photograph of you; you visit an attacker site and that photo changes to something else.
     • More serious threat: exploiting actual business functionalities...

  12. CSRF with XHR/HTML5
     [Diagram: browser has a multi-part form; the server’s business layer function uploads bulk orders; success – web store database behind the application server]
     CSRF/Upload - POC

  13. CSRF with XHR/HTML5
     [Diagram: from the attacker’s site, XHR initiates an HTTP multi-part upload against the web store; success – cookie replayed]
     Hence, Got it
     • Without victim’s consent or notice
     • Stealth HTTP Upload takes place
     • Silent Exploitation…
     CSRF/Upload
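The upload scenario on slides 11 to 13 succeeds because the server trusts the replayed session cookie alone. The following added example, not code from the deck, shows the server-side check that stops it: require a same-site Origin header and a per-session CSRF token that a script on another origin cannot read. The application origin, session ids, tokens and request objects are constructed.

```javascript
// Added example (not from the slides): server-side CSRF check for the
// multipart upload scenario. A cross-origin XHR with withCredentials replays
// the session cookie, so the cookie proves nothing; require a same-site Origin
// AND a per-session token. Origin, session ids and tokens are constructed.

const SITE_ORIGIN = "https://webstore.example";   // assumed application origin

// session id -> CSRF token issued with the page that rendered the upload form
// (in a real app this lives in the session store; here a constructed sample).
const issuedTokens = new Map([["sess-123", "tok-9f2c"]]);

// req mimics a parsed Node request: lowercase header names, cookies, body.
// Returns { ok: true } or { ok: false, reason }.
function checkCsrf(req) {
  const sessionId = (req.cookies || {}).session;
  if (!sessionId || !issuedTokens.has(sessionId)) return { ok: false, reason: "no session" };

  // Browsers attach Origin to cross-origin XHR and to POST requests; a foreign
  // or missing Origin on a state-changing request is rejected outright.
  if ((req.headers.origin || null) !== SITE_ORIGIN) return { ok: false, reason: "origin mismatch" };

  // Token arrives in a custom header (XHR) or a form field (classic form).
  const presented = req.headers["x-csrf-token"] || (req.body || {}).csrf_token || null;
  if (presented !== issuedTokens.get(sessionId)) return { ok: false, reason: "bad token" };

  return { ok: true };
}

// Constructed: a legitimate upload submitted from the application's own page.
const legitUpload = {
  headers: { origin: SITE_ORIGIN, "content-type": "multipart/form-data; boundary=abc", "x-csrf-token": "tok-9f2c" },
  cookies: { session: "sess-123" },
  body: {},
};

// Constructed: the same session cookie replayed by XHR from another origin.
const crossSiteUpload = {
  headers: { origin: "https://other-site.example", "content-type": "multipart/form-data; boundary=xyz" },
  cookies: { session: "sess-123" },
  body: {},
};
```

Run with Node: `checkCsrf(legitUpload)` passes, while `checkCsrf(crossSiteUpload)` is refused on the Origin check before the token is even examined.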

  14. Internal Scan/Crawl for CORS
     • XHR2 – allows full internal scanning capacity
     • If an internal resource is set to “*” for Access-Control-Allow-Origin – Game Over!!!
     • Attacker can craft a page for a box behind the firewall; when the page is visited – XHR gets loaded and starts crawling internal information with a back tunnel
     • Harvest and POST back to the server
     • All JavaScript – supported by all HTML5 browsers
     • Can also be mixed with timing attacks
     • Limited crawl – “withCredentials” will not work …
     [Diagram: attacker’s site on the Internet delivers the CSRF payload and stealth channel to the client/victim browser on the intranet, which reaches internal HR, internal web/app, internal web application server and mail]

  15. Internal Scan for CORS
     Silent XSS Exploit with CORS
     • XHR allows creating a stealth and silent back channel
     • Once XSS is found this channel can be implemented as the payload
     • It allows the attacker to control the session remotely – browser shell
     • XHR with Allow-Origin (*) provides clear control over the session
     • Keep on running eval() and harvest new info
