Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)

Shreeraj Shah

HITB 2011 @ AMS

Blueinfy Solutions

Who Am I?

shreeraj@

- Founder & Director, Blueinfy Solutions Pvt. Ltd.
- Past experience: Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
- Interest: Web security research
- Published research
  - Articles / Papers: SecurityFocus, O'Reilly, DevX, InformIT etc.
  - Tools: wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
  - Advisories: .Net, Java servers etc.
  - Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
- Books (Author)
  - Web 2.0 Security: Defending Ajax, RIA and SOA
  - Hacking Web Services
  - Web Hacking

Agenda

- Next Generation Application's Attack Surface and Threat Model
- HTML 5: Tags, Storage & WebSQL
- DOM: Vulnerabilities & Exploits
- Abusing Sockets, XHR & CSRF
- ClickJacking & Exploiting Rich HTML Components
- Reverse Engineering across DOM

Attack Surface and Threat Model

Real Life Cases

- Last three years: several applications reviewed (Banking, Trading, Portals, Web 2.0 sites etc.)
- Interesting outcomes and stats
  - Auto scanning is becoming increasingly difficult, and impossible in some cases
  - Sites are vulnerable and easily exploitable in many cases

AppSec dynamics (figure; Source - OWASP)

Application Architecture (diagram; labels recovered from the slide)

- Browser: HTML 5 - Ajax, Flex/Silverlight, JS/DOM/XHR
- Reached over the Internet: Documents, News, Weather, Mails, Bank/Trade RSS feeds, Blog
- Application side: App, Database, Authentication, Application Infrastructure, Web Services End point

Attack Surface Expansion (diagram; entry points recovered from the slide)

- Ajax, RIA (Flash), DOM
- JSON/XML streams
- HTTP Response variables
- HTML / JS / DOM calls/events
- API - streams
- POST name and value pairs
- QueryString
- XML/JSON etc.
- HTTP variables, Cookie etc.
- Open APIs and integrated streams
- File attachments, uploads etc.
- Feeds and other party information

Browser Technology Components

- HTML 5: Storage, WebSQL, WebSocket, XHR
- DOM: JS, Storage
- Flash: AMF, Flex
- Silverlight: XAML, WCF, .NET

Stack View (Browser) (diagram; layers recovered from the slide, top to bottom)

- User
- UI Logic: Ajax/Flash/Silverlight, HTML5/DOM/XHR/WS
- Document Object Model (Rendering Engine)
- Browser Engine (User, Security, Controls, Data etc.); Plug-in: Flash/Silverlight
- Browser Internals: JavaScript interpreter, Core XML Parser, Networking/Graphics

Technology Vectors

- HTML 5 (penetrated deeper): Storage, WebSQL, WebSockets, XHR (L2), DOM (L3)
- RIA: Flex, Silverlight

Integration and Communications

- DOM glues everything: it integrates Flex, Silverlight and HTML if needed
- Various ways to communicate: the native browser way, using XHR and WebSockets
- Options for data sharing: JSON, XML, WCF, AMF etc. (many more)
- Browsers are supporting a new set of technologies and exposing the surface

Browser Model (diagram; layers and labels recovered from the slide)

- Presentation: Events, Tags & Attributes, Thick Features
- Process & Logic: WebSQL, Parser/Threads, DOM, Storage
- Network & Access: XHR, WebSocket, Plug-in Sockets, Browser Native Network Services
- Core Policies: Same Origin Policy (SOP), Sandbox

Demos

- App using DOM, AJAX and Web Services
- HTML 5 components and usage
- Fingerprinting Application Assets from DOM or JavaScripts: Frameworks, Scripts, Structures, and so on (DWR/Struts)

Threat Model (diagram; the ten threats below are overlaid on the Browser Model layers Presentation, Process & Logic, Network & Access and Core Policies; numbering as on the slide)

1. XSS abuse with tags and attributes
2. DOM based XSS and Redirects
3. Stealing from the storage
4. Injecting and Exploiting WebSQL
5. Abusing network API and Sockets
6. CSRF across streams
7. Sandbox attacks and ClickJacking
8. Abusing new features like drag-and-drop
9. Botnet/Spynet using WebWorkers
10. Threats to widgets and mashups

HTML 5: Tags, Storage & WebSQL
