HTML5 and Security Part 2: Open redirect and CSRF HTML5 セキュリティ その 2 : ...


Posted: 25-Feb-2016

Description

HTML5 and Security Part 2: Open redirect and CSRF. Nov 14 2013, Yosuke HASEGAWA, #owaspjapan. Self-introduction: Yosuke Hasegawa (はせがわようすけ), NetAgent Co., Ltd.; technical advisor, Secure Sky Technology, Inc.; Microsoft MVP for Consumer Security, Oct 2005 - ; http://utf-8.jp/. Announcement.

Transcript of HTML5 and Security Part 2: Open redirect and CSRF

HTML5 and Security
Part 2: Open redirect and CSRF
Nov 14 2013
Yosuke HASEGAWA
#owaspjapan

Self-introduction
Yosuke Hasegawa: NetAgent Co., Ltd.; technical advisor, Secure Sky Technology, Inc.
Microsoft MVP for Consumer Security Oct 2005 -
http://utf-8.jp/

OWASP Japan Local Chapter Meeting #8 #owaspjapan

Announcement
HTML5 ... from JPCERT/CC

Open redirect

Open redirect: example URLs (and SEO abuse)
    http://example.jp/go?url=http://evil.example.com/
    http://example.jp/go?url=/next/page.html

Open redirect: search query example
    site:www.microsoft.com/japan/ adult

Open redirect: HTTP 301 / 302, or JavaScript location

Redirect with 301 or 302 (HTTP)

    #!/usr/bin/perl
    use URI::Escape;
    # Redirects to whatever the query string says: the vulnerable version.
    my $url = uri_unescape( $ENV{QUERY_STRING} || '/' );
    print "Status: 302 Found\n";
    print "Location: $url\n\n";

    HTTP/1.1 302 Found
    Date: Tue, 28 Feb 2013 12:34:56 GMT
    Location: http://other.example.jp/

location with JavaScript

    // http://example.jp/#/nextpage
    var url = decodeURIComponent( location.hash.substring(1) );
    location.href = url;

XSS: http://example.jp/#javascript:alert(1)

IE6, 7: ';' in URL

URL
    http://example.com/
    //example.com/
    http:\\example.com/
    http:/\example.com/
    \example.com/

    if( url.match( /^\/[^\/]/ ) ){ location.href = url; } // bad code

HTTP: \r\n
    X-header: foo (0x0D 0x0A) Location: http://example.com/
    X-header: foo (0x0A) Location: http://example.com/
    X-header: foo (0x0D) Location: http://example.com/
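The following is an added example and not code from the talk. It isolates the slide's "bad code" check, shows where the WHATWG URL parser (Node's `URL`) actually sends `/\example.com/`, contrasts a stricter check that also rejects the CR/LF bytes from the header-injection slide, and ends with the fixed-mapping shape the talk itself recommends. `SITE_ORIGIN`, `PAGES` and the sample inputs are constructed for this example; Node's built-in `URL` is the only API used.

```javascript
// Added example for this page, not part of the talk. SITE_ORIGIN and the
// sample inputs below are constructed.

const SITE_ORIGIN = 'http://example.jp';

// The condition from the slide, unchanged: "starts with a single slash".
function badCheck(url) {
  return /^\/[^\/]/.test(url);
}

// Where the string really resolves. For http(s) URLs the parser treats "\"
// like "/", so "/\example.com/" becomes an absolute URL on example.com.
function resolvedHref(url) {
  return new URL(url, SITE_ORIGIN + '/').href;
}

// Stricter check for a free-form target:
//  1. decode once and reject control characters (CR/LF in a Location header
//     is the header injection shown on the slides),
//  2. require exactly one leading "/" not followed by "/" or "\",
//  3. resolve against the site and confirm the origin did not change.
function isLocalRedirect(raw) {
  let url;
  try { url = decodeURIComponent(raw); } catch (e) { return false; }
  if (/[\u0000-\u001f\u007f]/.test(url)) return false;
  if (!/^\/(?![\/\\])/.test(url)) return false;
  let parsed;
  try { parsed = new URL(url, SITE_ORIGIN + '/'); } catch (e) { return false; }
  return parsed.origin === SITE_ORIGIN;
}

// The talk's recommended shape: a short key selects a fixed path. Using
// hasOwnProperty keeps inherited names such as "constructor" from matching.
const PAGES = { foo: '/foo', bar: '/bar', baz: '/baz' };
function resolvePage(key) {
  return Object.prototype.hasOwnProperty.call(PAGES, key) ? PAGES[key] : '/';
}

// Constructed inputs: the variants listed on the slides, a javascript: URL,
// and a CRLF payload. Each row is [input, badCheck result, strict result].
function evaluateSamples() {
  const samples = [
    '/next/page.html',
    'http://example.com/',
    '//example.com/',
    'http:\\\\example.com/',
    'http:/\\example.com/',
    '\\example.com/',
    '/\\example.com/',
    'javascript:alert(1)',
    '/next%0D%0AX-header:%20foo',
  ];
  return samples.map((s) => [s, badCheck(s), isLocalRedirect(s)]);
}

for (const [s, bad, strict] of evaluateSamples()) {
  console.log(`${s.padEnd(30)} bad-check: ${bad}  strict: ${strict}  -> ${resolvedHref(s)}`);
}
console.log('resolvePage("constructor") =', resolvePage('constructor'));
```

Run with `node`. The printed table shows that the slide's regex accepts `/\example.com/` while the parser resolves that same string to `http://example.com/`; the strict check accepts only `/next/page.html`. When the set of destinations is known in advance, `resolvePage` is the simpler and safer choice, which is the direction the talk takes next.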

URL (fixed mapping)

    // JavaScript
    var pages = { foo:'/foo', bar:'/bar', baz:'/baz' };
    var url = pages[ location.hash.substring(1) ] || '/';
    location.href = url;

    #!/usr/bin/perl
    use URI::Escape;
    my $index = uri_unescape( $ENV{QUERY_STRING} || '' );
    my $pages = { foo=>'/foo', bar=>'/bar', baz=>'/baz' };
    my $url = $pages->{$index} || '/';
    print "Status: 302 Found\n";
    print "Location: $url\n\n";

CSRF

CSRF with XHR Lv.2 :

CSRF via form submit

CSRF with XHR Lv.2

    var xhr = new XMLHttpRequest();
    var boundary = '----boundary';
    var file = "abcd"; // file content
    var request;
    xhr.open( 'POST', 'http://target.example.jp/upload', true );
    xhr.setRequestHeader( 'Content-Type', 'multipart/form-data; boundary=' + boundary );
    xhr.withCredentials = true; // send Cookie
    xhr.onreadystatechange = function(){};
    request = '--' + boundary + '\r\n' +
        'Content-Disposition: form-data; name="file"; ' +
        ' filename="filename.txt"\r\n' +
        'Content-Type: application/octet-stream\r\n\r\n' +
        file + '\r\n' +
        '--' + boundary + '--';
    xhr.send( request );

CSRF with XHR Lv.2: XHR (Lv.2) lets JavaScript set the Content-Type, so CSRF (e.g. a multipart file upload) is possible.

HTML5 and CSRF countermeasures: XMLHttpRequest (!!)

    var xhr = new XMLHttpRequest();
    xhr.open( "POST", "/inquiry", true );
    xhr.setRequestHeader( "Content-Type", "..." );
    xhr.setRequestHeader( "X-Requested-With", "XMLHttpRequest" );
    xhr.send( params );

    POST http://example.jp/inquiry HTTP/1.1
    Host: example.jp
    User-Agent: Mozilla/5.0
    X-Requested-With: XMLHttpRequest
    Content-Type: application/x-www-form-urlencoded

HTML5 and CSRF: check X-Requested-With on POST

    POST http://example.jp/inquiry HTTP/1.1
    Host: example.jp
    User-Agent: Mozilla/5.0
    Referer: http://trap.example.com/
    Content-Type: application/x-www-form-urlencoded

HTML5 and CSRF: cross-origin XHR POST, Origin, Preflight

    OPTIONS /inquiry HTTP/1.1
    Host: example.jp
    User-Agent: Mozilla/5.0
    Origin: http://trap.example.com
    Access-Control-Request-Method: POST
    Access-Control-Request-Headers: X-Requested-With

    var xhr = new XMLHttpRequest();
    xhr.open( "POST", "http://example.jp/inquiry", true );
    xhr.setRequestHeader( "Content-Type", "..." );
    xhr.setRequestHeader( "X-Requested-With", "XMLHttpRequest" );
    xhr.send( params );

HTML5 and CSRF: X-Requested-With, Origin; CSRF via POST; CSRF via JavaScript; DNS rebinding
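The following is an added example and not the talk's code. It is a server-side decision for `POST /inquiry` built on the two facts the slides show: an HTML form cannot add an `X-Requested-With` header, and a cross-origin XHR that adds one is first stopped by a CORS preflight that the server never approves. The `Host` check is an added mitigation for the DNS-rebinding caveat the slides mention. `SITE_HOST`, `ALLOWED_ORIGINS`, the `decide` function and the raw request heads are all constructed for this example.

```javascript
// Added example for this page, not the talk's code. Hostnames and requests
// below are constructed.

const SITE_HOST = 'example.jp';
const ALLOWED_ORIGINS = new Set(['http://example.jp']);

// Parse a request head (request line + headers) as written on the slides.
function parseRequest(raw) {
  const lines = raw.split(/\r?\n/);
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;                      // end of the header block
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers };
}

// Returns 'ok', 'host-mismatch', 'preflight-denied' or 'csrf-rejected'.
function decide(req) {
  const h = req.headers;
  // DNS rebinding reaches the server under the attacker's hostname; a Host
  // check refuses such requests before any other logic runs.
  if (h['host'] !== SITE_HOST) return 'host-mismatch';

  if (req.method === 'OPTIONS') {
    // CORS preflight for a cross-origin XHR that wants to add X-Requested-With.
    // Unknown origins get no Access-Control-Allow-* headers, so the browser
    // never sends the real POST.
    return ALLOWED_ORIGINS.has(h['origin']) ? 'ok' : 'preflight-denied';
  }

  if (req.method === 'POST') {
    // A plain form submission cannot carry this header.
    if (h['x-requested-with'] !== 'XMLHttpRequest') return 'csrf-rejected';
    // If the browser sent Origin, it must be ours as well.
    if (h['origin'] !== undefined && !ALLOWED_ORIGINS.has(h['origin'])) return 'csrf-rejected';
    return 'ok';
  }
  return 'ok'; // GET/HEAD change no state in this handler
}

function decideRaw(raw) {
  return decide(parseRequest(raw));
}

// Constructed request heads, modelled on the slides.
const SAME_ORIGIN_XHR = [
  'POST /inquiry HTTP/1.1', 'Host: example.jp', 'User-Agent: Mozilla/5.0',
  'X-Requested-With: XMLHttpRequest', 'Content-Type: application/x-www-form-urlencoded', '',
].join('\r\n');
const FORM_FROM_TRAP = [
  'POST /inquiry HTTP/1.1', 'Host: example.jp', 'User-Agent: Mozilla/5.0',
  'Referer: http://trap.example.com/', 'Content-Type: application/x-www-form-urlencoded', '',
].join('\r\n');
const PREFLIGHT_FROM_TRAP = [
  'OPTIONS /inquiry HTTP/1.1', 'Host: example.jp', 'User-Agent: Mozilla/5.0',
  'Origin: http://trap.example.com', 'Access-Control-Request-Method: POST',
  'Access-Control-Request-Headers: X-Requested-With', '',
].join('\r\n');
const REBOUND_XHR = [
  'POST /inquiry HTTP/1.1', 'Host: attacker.example', 'X-Requested-With: XMLHttpRequest', '',
].join('\r\n');

for (const [name, raw] of Object.entries({ SAME_ORIGIN_XHR, FORM_FROM_TRAP, PREFLIGHT_FROM_TRAP, REBOUND_XHR })) {
  console.log(name.padEnd(20), decideRaw(raw));
}
```

The four outcomes map directly onto the slides: the same-origin XHR passes, the form posted from trap.example.com lacks the header and is rejected, the cross-origin XHR never gets past its preflight, and the rebinding case fails on `Host`. The header check is only as strong as the browser's guarantee that no cross-origin mechanism can add custom headers without a preflight; a per-session token in the request body remains the conventional companion.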

Conclusion
    JS, URL
    CSRF
    JS, XHR, CSRF

Question?
hasegawa@utf-8.jp
hasegawa@netagent.co.jp
@hasegawayosuke
http://utf-8.jp/