Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Shreeraj Shah
HITB 2011 @ AMS
1
Blueinfy Solutions
Who Am I?
shreeraj@
- Founder & Director, Blueinfy Solutions Pvt. Ltd.
- Past experience: Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
- Interest: Web security research
- Published research
  - Articles / Papers: SecurityFocus, O'Reilly, DevX, InformIT etc.
  - Tools: wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
  - Advisories: .Net, Java servers etc.
  - Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
- Books (Author): Web 2.0 Security - Defending Ajax, RIA and SOA; Hacking Web Services; Web Hacking
Agenda
- Next Generation Application's Attack Surface and Threat Model
- HTML 5: Tags, Storage & WebSQL
- DOM: Vulnerabilities & Exploits
- Abusing Sockets, XHR & CSRF
- ClickJacking & Exploiting Rich HTML Components
- Reverse Engineering across DOM
Attack Surface and Threat Model
Real Life Cases
- Last three years: several applications reviewed (Banking, Trading, Portals, Web 2.0 sites etc.)
- Interesting outcomes and stats
  - Auto scanning is becoming increasingly difficult, and impossible in some cases
  - Sites are vulnerable and easily exploitable in many cases
AppSec dynamics (chart; source: OWASP)
Application Architecture (diagram)
- Browser: HTML 5 - Ajax, Flex/Silverlight, JS/DOM/XHR
- Internet: Documents, News, Weather, Mails, Bank/Trade, RSS feeds, Blog
- App: Application Infrastructure, Database, Authentication, Web Services End point
Attack Surface Expansion (diagram)
- JSON/XML streams
- HTTP Response variables
- Ajax
- RIA (Flash)
- DOM
- HTML / JS / DOM calls/events
- API - streams
- POST name and value pairs
- QueryString
- XML/JSON etc.
- HTTP variables, Cookie etc.
- Open APIs and integrated streams
- File attachments, uploads etc.
- Feeds and other party information
Browser Technology Components (diagram)
- HTML 5: Storage, WebSocket, WebSQL, XHR
- Flash: AMF, Flex
- DOM: JS, Storage
- Silverlight: XAML, WCF, .NET
Stack View (Browser) (diagram, top to bottom)
- User
- UI Logic: Ajax/Flash/Silverlight, HTML5/DOM/XHR/WS
- Document Object Model (Rendering Engine)
- Browser Engine (User, Security, Controls, Data etc.)
- Plug-in: Flash/Silverlight
- Browser Internals: JavaScript interpreter, Core XML Parser, Networking/Graphics
Technology Vectors
- HTML 5 (penetrated deeper): Storage, WebSQL, WebSockets, XHR (L2), DOM (L3)
- RIA: Flex, Silverlight
Integration and Communications
- DOM glues everything: it integrates Flex, Silverlight and HTML when needed
- Various ways to communicate: the native browser way, XHR, and WebSockets
- Options for data sharing: JSON, XML, WCF, AMF etc. (many more)
- Browsers support a new set of technologies and thereby expose more attack surface
Browser Model (diagram, layered top to bottom)
- Presentation: Events, Tags & Attributes, Thick Features
- Process & Logic: WebSQL, Parser/Threads, DOM, Storage
- Network & Access: XHR, WebSocket, Plug-in Sockets, Browser Native Network Services
- Core Policies: Same Origin Policy (SOP), Sandbox
Demos
- App using DOM, AJAX and Web Services
- HTML 5 components and usage
- Fingerprinting Application Assets from DOM or JavaScripts: Frameworks, Scripts, Structures, and so on (DWR/Struts)
Threat Model (diagram: ten threats placed on the browser model layers of Presentation, Process & Logic, Network & Access and Core Policies)
1. XSS abuse with tags and attributes
2. DOM based XSS and Redirects
3. Stealing from the storage
4. Injecting and Exploiting WebSQL
5. Abusing network API and Sockets
6. CSRF across streams
7. Sandbox attacks and ClickJacking
8. Abusing new features like drag-and-drop
9. Botnet/Spynet using WebWorkers
10. Threats to widgets and mashups
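Threat 2 in the model (DOM based XSS) is normally found by reading client-side JavaScript for user-controlled sources (fragment, query string, referrer, storage) that flow into sinks which interpret a string as markup, code or a navigation target. The following Node script is an added example written for this summary, not code from the talk or from Blueinfy's tools: its source and sink lists, the `scanScript` and `summarize` helpers, and the two sample scripts are all this example's own constructions and are deliberately incomplete.

```javascript
// Added review helper (not code from the talk): flag DOM-based XSS candidates by
// pairing user-controlled DOM *sources* with dangerous *sinks*. Matching is done per
// statement with regular expressions plus one level of variable taint propagation
// (`var x = <source>` marks x), so it is a triage aid for code review, not a full
// taint analysis. The source/sink lists below are this example's own selection.

const SOURCES = [
  { name: 'location.hash',        re: /\blocation\.hash\b/ },
  { name: 'location.search',      re: /\blocation\.search\b/ },
  { name: 'location.href',        re: /\blocation\.href\b(?!\s*=[^=])/ }, // read, not assigned
  { name: 'document.URL',         re: /\bdocument\.URL\b/ },
  { name: 'document.referrer',    re: /\bdocument\.referrer\b/ },
  { name: 'window.name',          re: /\bwindow\.name\b/ },
  { name: 'document.cookie',      re: /\bdocument\.cookie\b(?!\s*=[^=])/ },
  { name: 'localStorage.getItem', re: /\blocalStorage\.getItem\s*\(/ },
  { name: 'postMessage data',     re: /\b(event|e|msg)\.data\b/ },
];

const SINKS = [
  { name: 'innerHTML=',     severity: 'high',   re: /\.(inner|outer)HTML\s*=[^=]/,
    safer: 'textContent, or a sanitizer before innerHTML' },
  { name: 'document.write', severity: 'high',   re: /\bdocument\.write(ln)?\s*\(/,
    safer: 'build nodes with createElement/textContent' },
  { name: 'eval',           severity: 'high',   re: /\beval\s*\(|\bnew\s+Function\s*\(/,
    safer: 'JSON.parse or a data-driven design' },
  { name: 'script.src=',    severity: 'high',   re: /\.src\s*=[^=]/,
    safer: 'allow-list of script origins' },
  { name: 'string timer',   severity: 'medium', re: /\bset(Timeout|Interval)\s*\(\s*['"`]/,
    safer: 'pass a function reference, not a string' },
  { name: 'location=',      severity: 'medium', re: /\blocation(\.href)?\s*=[^=]|\blocation\.(assign|replace)\s*\(/,
    safer: 'allow-list of known relative targets (open redirect)' },
];

const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Split a script into rough statements on ';' and newlines (good enough for triage).
function splitStatements(src) {
  return src.split(/[;\n]/).map(s => s.trim()).filter(Boolean);
}

// Returns one finding per (statement, sink) where a source reaches the sink.
function scanScript(src, label = 'inline') {
  const findings = [];
  const tainted = new Map(); // identifier -> source names it was assigned from

  splitStatements(src).forEach((stmt, idx) => {
    const direct = SOURCES.filter(s => s.re.test(stmt)).map(s => s.name);
    const viaVar = [];
    for (const [id, origins] of tainted) {
      if (new RegExp('\\b' + escapeRe(id) + '\\b').test(stmt)) {
        viaVar.push(...origins.map(o => `${o} via ${id}`));
      }
    }
    const sources = [...direct, ...viaVar];

    // Taint propagation: `var|let|const x = <expr containing a source>` marks x.
    const assign = stmt.match(/^(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=[^=]/);
    if (assign && sources.length) tainted.set(assign[1], sources);

    for (const sink of SINKS) {
      if (sources.length && sink.re.test(stmt)) {
        findings.push({ script: label, statement: idx + 1, sink: sink.name,
          severity: sink.severity, sources, safer: sink.safer, code: stmt });
      }
    }
  });
  return findings;
}

// Count findings per severity, e.g. { high: 3, medium: 1 }.
function summarize(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

// Constructed sample scripts (not from any real application).
const SAMPLE_SCRIPTS = {
  'vulnerable.js': `
    var name = decodeURIComponent(location.hash.slice(1));
    document.getElementById('greet').innerHTML = '<b>' + name + '</b>';
    document.write('<img src="' + document.URL + '">');
    eval(localStorage.getItem('config'));
    location.href = location.search.split('next=')[1];
  `,
  'safe.js': `
    var name = decodeURIComponent(location.hash.slice(1));
    document.getElementById('greet').textContent = name;
    var cfg = JSON.parse(localStorage.getItem('config') || '{}');
  `,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [file, code] of Object.entries(SAMPLE_SCRIPTS)) {
    const findings = scanScript(code, file);
    console.log(`${file}: ${findings.length} finding(s)`, summarize(findings));
    for (const f of findings) {
      console.log(`  [${f.severity}] stmt ${f.statement}: ${f.sources.join(', ')} -> ${f.sink}`);
      console.log(`      ${f.code}\n      fix: ${f.safer}`);
    }
  }
}
```

Run with node; the constructed `vulnerable.js` yields four findings (three high, one medium) and `safe.js` none. The single level of taint propagation is what catches the common `var x = location.hash; el.innerHTML = x` shape that a one-line grep misses; every hit still needs a manual look, because the regexes understand neither escaping nor intermediate sanitizer calls, and the lists cover only the sinks chosen for this example.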
HTML 5 - Tags, Storage & WebSQL