![Page 1: HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu](https://reader035.vdocuments.us/reader035/viewer/2022062322/56649e155503460f94aff10d/html5/thumbnails/1.jpg)
HTML5
Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.
Contents
1 Setup
2 Abusing Sockets, XHR
3 About DOM
Setup
Attacker: domain attacker.com, IP 192.168.222.133, OS Windows Server 2012, server IIS 8.0
Victim server: domain victimserver.com, IP 192.168.223.138, OS Windows Server 2012, server IIS 8.0, language .NET C#
Client: IP 192.168.223.139, OS Windows XP, browser Chrome
Abusing sockets, XHR
SOP Vulnerabilities!!
1 Script, IMG, Iframe bypasses
2 DNS Rebinding
3 PostMessage Mechanism
Script, IMG, Iframe bypasses
DNS Rebinding
DNS rebinding is an attack in which the attacker uses JavaScript in a malicious web page to gain control of the victim's router.
DNS Rebinding
The victim visits the malicious website.
The attacker's DNS server binds attacker.com to the attacker's IP address (short TTL).
DNS Rebinding
The malicious script uses XMLHttpRequest to send requests to attacker.com.
The attacker rebinds attacker.com to the target's IP address.
In fact, the browser's later requests to attacker.com now reach the target.
DNS Rebinding
(slides 9 to 12 carry figures only)
SOP Violation!
DNS Rebinding
- Browser's DNS cache
- DNS request flooding
DNS Rebinding
Firewall circumvention:
- access machines behind firewalls
- interact with a number of internal services besides HTTP (direct socket access)
DNS Rebinding
IP hijacking:
- access publicly available servers from the client's IP address
- take advantage of the target's implicit or explicit trust in the client's IP address
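The rebinding sequence from the slides above, modelled end to end as an added example (this is not code from the slides). It reuses the deck's lab addresses (attacker.com at 192.168.222.133, victimserver.com at 192.168.223.138) and shows three defences a defender can apply: resolver-side filtering of answers that point into the LAN, browser-side DNS pinning (the "browser's DNS cache" slide), and Host header validation on the internal service. The classes and functions are constructed for illustration, and the client's LAN 192.168.223.0/24 is an assumption.

```javascript
// Added example, not code from the slides. Models the rebinding sequence the
// deck describes and three defences against it. All names are ours.

const ATTACKER_IP = '192.168.222.133';   // attacker.com, from the deck's lab setup
const TARGET_IP = '192.168.223.138';     // victimserver.com, from the deck's lab setup
const VICTIM_LAN = '192.168.223.0/24';   // assumed: the client's LAN

// Attacker-controlled authoritative DNS: the first answer is the attacker's
// own server with a short TTL; every later answer is the rebound target IP.
class AttackerDns {
  constructor() { this.lookups = 0; }
  resolve(name) {
    if (name !== 'attacker.com') throw new Error('NXDOMAIN ' + name);
    this.lookups += 1;
    return { ip: this.lookups === 1 ? ATTACKER_IP : TARGET_IP, ttl: 1 };
  }
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((n, octet) => (n << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Resolver-side defence (the idea behind dnsmasq's --stop-dns-rebind):
// refuse answers that map an outside name onto our own address space.
function isRebindingAnswer(ip, internalNets = [VICTIM_LAN]) {
  return internalNets.some((net) => inCidr(ip, net));
}

// Internal HTTP service on the target. With a Host allow-list, a rebound
// request is rejected: the browser still sends Host: attacker.com because
// it believes it is talking to that origin.
function internalService(hostHeader, allowedHosts) {
  if (allowedHosts && !allowedHosts.includes(hostHeader)) {
    return { status: 400, body: 'bad Host header' };
  }
  return { status: 200, body: 'internal page' };
}

// Issues `requests` XMLHttpRequests from the malicious page to attacker.com
// and reports where each one ended up as { ip, status }.
function simulate({ requests = 2, filterAnswers = false, pinDns = false,
                    checkHost = false } = {}) {
  const dns = new AttackerDns();
  const allowed = checkHost ? ['victimserver.com'] : null;
  const servers = {
    [ATTACKER_IP]: () => ({ status: 200, body: 'malicious page' }),
    [TARGET_IP]: (host) => internalService(host, allowed),
  };
  const results = [];
  let pinned = null;
  for (let i = 0; i < requests; i++) {
    let ip;
    if (pinDns && pinned !== null) {
      ip = pinned; // DNS pinning: keep the first answer regardless of TTL
    } else {
      ip = dns.resolve('attacker.com').ip;
      if (filterAnswers && isRebindingAnswer(ip)) {
        results.push({ ip: null, status: 'blocked' });
        continue;
      }
      pinned = ip;
    }
    // The XHR carries the page origin's Host header, whatever IP it reaches.
    const { status } = servers[ip]('attacker.com');
    results.push({ ip, status });
  }
  return results;
}

for (const opts of [{}, { checkHost: true }, { filterAnswers: true }, { pinDns: true }]) {
  console.log(JSON.stringify(opts), '->', JSON.stringify(simulate(opts)));
}
```

With no defence the second XHR lands on 192.168.223.138 with status 200, which is the SOP violation the slides point at; each of the three options stops it at a different layer. Host validation is the one the target can deploy by itself, without depending on the client's resolver or browser.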
DOM
DOM (Document Object Model)
DOM
We all know that:
① Reflected XSS
② Stored XSS
both purely inside client-side code
DOM
The third kind of XSS: DOM Based XSS
which does not depend on malicious data being sent to the server in the first place
DOM
APIs that may be vulnerable to DOM based XSS:
DOM
1) document.location
2) document.URL
3) document.URLUnencoded
4) document.referrer
5) window.location
These APIs read DOM data from a crafted URL, but the resulting pop-up window on its own is not really harmful: the attacker gets nowhere if users never click on the URL.
DOM
1) document.write()
2) document.writeln()
3) document.body.innerHTML
4) eval()
5) window.execScript()
6) window.setInterval()
7) window.setTimeout()
These APIs are mostly used in form hijacking: a piece of XSS code is injected and runs when users submit the form. This is more dangerous, and most such attacks are used for stealing cookies.
EXAMPLE: document.body.innerHTML
While running this code, xxx is replaced by the value "yyyyyy".
"yyyyyy" can be replaced by something else like "<img src=1>", or by its Unicode-escaped form "\u003cimg src=1\u003e".
<div id="a">xxx</div>
<script>document.getElementById("a").innerHTML="yyyyyy";</script>
EXAMPLE: document.body.innerHTML
Real example: qq.com (most of you should know this, right?) ☺
EXAMPLE: document.body.innerHTML
URL: http://datalib.ent.qq.com/cgi-bin/search?libid=1&keyvalue=aaaaaaa&attr=133&stype=2&tname=star_second.shtml (there were some vulnerabilities, but there aren't now, I think)
The page echoes the keyvalue parameter ("aaaaaaa") both into the HTML and into JavaScript string literals:
<strong id="titleshow">search_by job1: aaaaaaa </strong></div>
<script>
if("aaaaaaa"=="")document.getElementById("titleshow").innerHTML="search_by_place: all_stars";
if("job1"=="job1")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";
if("job1"=="job2")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";
if("job1"=="job3")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";
</script>
EXAMPLE: document.body.innerHTML
We know that "<" and ">" are not accepted, but "/" is, so perhaps we should try Unicode escapes. We see that the if("job1"=="job1") branch is the one executed, so we focus on these two lines of code.
EXAMPLE: document.body.innerHTML
As we know from the above, we can change "aaaaaaa" into "\u003cimg src=1 onerror=alert(1)\u003e": the escapes pass the filter and are decoded to "<" and ">" inside the JavaScript string literal before innerHTML parses the value.
EXAMPLE: document.body.innerHTML
This is an example we learned from while trying to get a better understanding of DOM based XSS; we didn't actually attack this website, and this vulnerability has been reported!
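The qq.com pattern above, reduced to the two things that matter: the value is spliced into a JavaScript string literal, and the filter only strips raw "<" and ">". The following is an added example (not code from the slides or from qq.com) that reproduces why the "\u003c" form gets through and shows a context-aware encoding that stops it. The filter, the function names and the template text are ours; Node has no DOM, so the functions return the string innerHTML would receive rather than assigning it.

```javascript
// Added example, not code from the slides. Models a server template that
// splices a URL parameter into a JS string literal assigned to innerHTML.

// The payload from the slides as it arrives in the keyvalue parameter:
// a literal backslash-u sequence, with no raw '<' or '>' in it.
const PAYLOAD = '\\u003cimg src=1 onerror=alert(1)\\u003e';

// Assumed server-side filter: removes raw angle brackets and nothing else.
function weakFilter(param) {
  return param.replace(/[<>]/g, '');
}

// What the JavaScript engine does when it parses a string literal: \uXXXX,
// \xXX and the simple escapes become characters. This runs before innerHTML
// ever sees the value, so '\u003c' in the page source turns into '<'.
function decodeJsStringLiteral(body) {
  return body.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\(.)/g,
    (match, u, x, c) => {
      if (u !== undefined) return String.fromCharCode(parseInt(u, 16));
      if (x !== undefined) return String.fromCharCode(parseInt(x, 16));
      return { n: '\n', r: '\r', t: '\t' }[c] || c;
    });
}

// Vulnerable template: the value innerHTML receives once the page's <script>
// runs. Mirrors the deck's innerHTML="search_by_job: aaaaaaa", where
// aaaaaaa is the spliced parameter.
function vulnerableInnerHtmlValue(param) {
  return decodeJsStringLiteral('search_by_job: ' + weakFilter(param));
}

// Hardened template: HTML-encode for the innerHTML (HTML) context, then
// \uXXXX-encode every non-alphanumeric character for the JavaScript string
// context, so neither a raw tag nor a backslash escape survives.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}
function hardenedInnerHtmlValue(param) {
  return decodeJsStringLiteral('search_by_job: ' + encodeForJsString(escapeHtml(param)));
}

// Would the HTML parser behind innerHTML see a tag in this value?
function containsMarkup(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

console.log('vulnerable:', vulnerableInnerHtmlValue(PAYLOAD));
console.log('hardened  :', hardenedInnerHtmlValue(PAYLOAD));
```

The hardened path leaves the attacker's backslashes as literal text, so innerHTML renders the string instead of parsing a tag. The simpler fix for this particular sink is to assign `textContent` instead of `innerHTML`, which never parses markup; the double encoding above is what you need when innerHTML (or document.write) has to stay.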
DOM
1) document.location
2) document.URL
3) document.open()
4) window.location.href
5) window.navigate()
6) window.open
These APIs are mostly used in redirection attacks. The harm can be large or small, but this kind of harm is often easily ignored.
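The redirection sinks listed above are only as safe as the value they receive. As an added example (not from the slides), this is a validator a page can run on a URL taken from the query string or fragment before handing it to window.location.href or window.open; the site origin is assumed to be the deck's victimserver.com and the function name is ours.

```javascript
// Added example, not code from the slides: validate a redirect target
// before passing it to a location/open sink. Names are ours.

const SITE_ORIGIN = 'https://victimserver.com'; // assumed site origin

// Returns the absolute URL to navigate to, or null if the value must be
// refused. Resolving against the site origin makes "//evil.example/x" and
// "javascript:..." show up as what they are instead of as relative paths.
function safeRedirectTarget(rawValue, siteOrigin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(rawValue, siteOrigin);
  } catch (e) {
    return null; // unparsable input
  }
  // javascript:, data:, vbscript: and friends never qualify.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Same origin only: rejects other hosts, subdomain look-alikes and a
  // scheme downgrade to http: on an https: site.
  if (url.origin !== new URL(siteOrigin).origin) return null;
  return url.href;
}

// Intended use in a page (assumed sink; not executed here):
//   const next = new URLSearchParams(location.search).get('next');
//   window.location.href = safeRedirectTarget(next) || '/';

for (const v of ['/account', 'https://victimserver.com/a?b=1', '//attacker.com/',
                 'javascript:alert(1)', 'https://attacker.com/login']) {
  console.log(JSON.stringify(v), '->', safeRedirectTarget(v));
}
```

Comparing `url.origin` rather than checking that the string "starts with" the site name is what catches `https://victimserver.com.attacker.com/`; the explicit scheme check documents intent even though the origin comparison would also reject a `javascript:` URL.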
DOM
Differences between Standard XSS and DOM based XSS
DOM
How to find DOM based XSS
DOM
1) Byte-level taint tracking in Chromium
   - precise source information for every character
   - patched sinks (for example document.write)
2) A Chrome extension that crawls a given set of web sites
   - also acts as the interface between the taint engine and the backend
3) An exploit generator
   - uses the precise taint information
   - and JavaScript and HTML syntax rules
   - to generate exploits fully automatically
What to do next
- Defences against DNS rebinding
- PostMessage mechanism
- Make a DOM based XSS demo
- Find ways to avoid the dangers
References
1. http://www.oschina.net/translate/dom-based-xss-of-third-kind
2. http://www.vulnerable.site/welcome.html
3. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/stock
4. http://www.2cto.com/Article/201303/194444.html
5. http://www.owasp.org/documentation/topten/a4.html
6. https://www.owasp.org/index.php/DOM_Based_XSS
7. https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
8. http://www.owasp.org/images/c/c2/OWASPAppSec2007Milan_ProtectingWebAppsfromUniversalPDFXSS.ppt
Thank You ;)
10/28 2014
Questions?