Web Browsers And Other Mistakes


description

Slide deck for "Web Browsers and Other Mistakes" talk from Bluehat

Transcript of Web Browsers And Other Mistakes

Page 1: Web Browsers And Other Mistakes

Web Browsers And Other Mistakes

Alex “kuza55” K.

[email protected]

http://kuza55.blogspot.com/

Page 2: Web Browsers And Other Mistakes

Outline

►Understanding Web Technologies
►Finding Vulnerabilities
►Triggering Vulnerabilities
►Exploiting Vulnerabilities

Page 3: Web Browsers And Other Mistakes

Understanding Web Technologies

►Cookies
►IE: FindMimeFromData
►Flash: crossdomain.xml & LoadPolicyFile
►Browser Encoding Behaviour

Page 4: Web Browsers And Other Mistakes

Cookies

►What is a cookie?
  • It’s a name-value pair stored on the client
  • It is sent only to the domain it was set for
  • And that’s all most developers know
►Here is what a cookie looks like when it is set:
  Set-Cookie: NAME=VALUE[; expires=DATE][; path=PATH][; domain=DOMAIN_NAME][; secure][; httpOnly]
►Here is what a cookie looks like when it is sent:
  Cookie: NAME=VALUE[; NAME=VALUE]

Page 5: Web Browsers And Other Mistakes

Cookies

►But where does a cookie actually get sent?
  • The browser does a ‘domain-match’, which means:
►Domain A matches domain B if:
  • The domains are identical, or
  • A is a FQDN string and has the form NB, B has the form .B', and B' is a FQDN string
  • (So, x.y.com domain-matches .y.com but not y.com)
►A browser sends a cookie if the domain the user is going to (A) domain-matches the domain in the cookie (B)

Page 6: Web Browsers And Other Mistakes

Cookies

►So cookies set for .microsoft.com are sent to subdomain.microsoft.com
►Who can set cookies?
  • A host (A) can set cookies for any domain (B) that it domain-matches
►So subdomain.microsoft.com can set cookies for .microsoft.com
  • But not for .com (two-dot rule)
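The domain-match rule and the two-dot rule from the last two slides, written out as code so the “who receives this cookie” question can be answered mechanically. This is an added example, not code from the talk; the function and class names (`domain_match`, `two_dot_rule_ok`, `can_set`, `cookies_for_request`, `Cookie`) and the cookie jar contents are my own construction. It also orders cookies by path length, which is the behaviour the later “abusing the path attribute” slide relies on.

```python
from dataclasses import dataclass


def domain_match(a: str, b: str) -> bool:
    """Domain-match as the slide describes it (RFC 2109 wording).

    A matches B if the strings are identical, or if B starts with a dot and
    A = N + B with N non-empty ("x.y.com" matches ".y.com" but not "y.com").
    Host names are case-insensitive, so compare lower-cased.
    """
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    if not b.startswith("."):
        return False                     # "y.com" is not of the form .B'
    if len(b) < 2 or not a.endswith(b):
        return False
    return a[: -len(b)] != ""            # N must be non-empty


def two_dot_rule_ok(cookie_domain: str) -> bool:
    """The 'two-dot rule' from the slide: a domain attribute needs two embedded
    dots, so ".microsoft.com" is accepted and ".com" is not. A cookie with no
    leading dot is host-only and is not subject to the rule. (The next slide
    notes the rule mishandles registries such as .co.uk.)"""
    if not cookie_domain.startswith("."):
        return True
    return cookie_domain.count(".") >= 2


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # the Set-Cookie domain attribute (or the host)
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def can_set(host: str, cookie: Cookie) -> bool:
    """Host A may set a cookie for domain B only if A domain-matches B and B
    passes the two-dot rule."""
    return domain_match(host, cookie.domain) and two_dot_rule_ok(cookie.domain)


def cookies_for_request(jar, host: str, path: str = "/", over_ssl: bool = False) -> str:
    """Build the Cookie header a browser would send for this request.

    A stored cookie is included when the host domain-matches its domain, its
    path is a prefix of the request path, and (for secure cookies) the request
    is over SSL. Longer paths are listed first, which is why a path-scoped
    cookie can shadow a domain-wide one of the same name.
    """
    chosen = [c for c in jar
              if domain_match(host, c.domain)
              and path.startswith(c.path)
              and (over_ssl or not c.secure)]
    chosen.sort(key=lambda c: len(c.path), reverse=True)
    return "; ".join(f"{c.name}={c.value}" for c in chosen)


if __name__ == "__main__":
    # Constructed jar: a domain-wide session cookie set by sub1, a path-scoped
    # cookie of the same name, and a secure-only cookie.
    jar = [Cookie("sid", "wide", ".domain.com"),
           Cookie("sid", "narrow", ".domain.com", path="/app"),
           Cookie("tls", "1", ".domain.com", secure=True)]
    print(cookies_for_request(jar, "sub2.domain.com", "/app/x"))  # sid=narrow; sid=wide
```

The last call shows the cross-subdomain case from the slide: a cookie sub1.domain.com stored for .domain.com is handed to sub2.domain.com, and the path-scoped copy is sent ahead of the domain-wide one.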

Page 7: Web Browsers And Other Mistakes

Cookies

►But the two-dot rule doesn’t work for registries like .co.uk, since they do have two dots
  • Browsers have reacted differently
►IE doesn’t allow cookies for (com|net|org).yy or xx.yy (unless they are in a whitelist)
►Firefox 2 has no protections
►Firefox 3 has a massive (but incomplete) list
►Opera does DNS resolution on the cookie domain (B)

Page 8: Web Browsers And Other Mistakes

Cookies

►So on Firefox 2 you can set cookies for any domain not on the com, net, org TLDs
►In all browsers sub1.domain.com can set cookies for .domain.com, which also get sent to sub2.domain.com
►By abusing the path attribute we can effectively over-write cookies very specifically, or for the whole domain by setting lots of them

Page 9: Web Browsers And Other Mistakes

Cookies

►The secure attribute only lets cookies be transmitted over SSL
►The httpOnly attribute doesn’t let JavaScript access cookies
  • You can however access the cookie via XHR as it is being sent, so it is ineffective on sites which regenerate cookies
►On Firefox and Opera we can delete all the user’s cookies by exhausting the global limit on how many cookies can be stored
►More detailed info at http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html

Page 10: Web Browsers And Other Mistakes

FindMimeFromData

►FindMimeFromData decides upon a content-type for a page, rather than strictly following a server-provided content-type header
  • Allows uploaded images to be rendered as JavaScript-executing HTML pages
►Well, it used to
  • Previously all GIF & JPG images with correct signatures would not be rendered as HTML
  • Now PNGs aren’t either
  • We still have all the other formats though, e.g. .txt .pdf
  • People still make mistakes with server-side signature verification

Page 11: Web Browsers And Other Mistakes

FindMimeFromData

►Checks are hardcoded
  • Not vulnerable to encoding issues
  • Only the first 256 bytes are checked for these strings:
    ◦ <html
    ◦ <head
    ◦ <body
    ◦ <script
    ◦ <pre
    ◦ <table
    ◦ <a href
    ◦ <img
    ◦ <plaintext
    ◦ <title

Page 12: Web Browsers And Other Mistakes

FindMimeFromData

►I’ve also been told that it has some heuristic algorithms which trigger on smaller tags if there are enough of them
  • Haven’t been able to reproduce with black-box testing

Page 13: Web Browsers And Other Mistakes

crossdomain.xml

►crossdomain.xml files let you allow cross-domain communication via Flash
►They look like this:
  <cross-domain-policy>
    <allow-access-from domain="www.domain.com" />
  </cross-domain-policy>
►But do these apply to the site the Flash file was loaded from, or the site it was embedded in?
  • The site it was loaded from!
►They also get the default ability to communicate with their hosting site, regardless of crossdomain.xml
►File extensions and headers attached to the HTTP response are ignored…
  • If you can upload unfiltered .xyz files, you can load the .xyz file as a Flash file, and abuse its privileges
►Think OWA and other webmail

Page 14: Web Browsers And Other Mistakes

Flash Internals

►Flash AS2 VM is tag based
  • Processed one tag after the other until it gets to the end
►No validity checks unless the tag is processed
  • We can append junk to our swf files, and they’re still valid
  • So we don’t need to control the whole file
►So injections of odd Content-Types where you control the very start are exploitable
  • Think JavaScript callbacks
  • Can even get around typical filtering

Page 15: Web Browsers And Other Mistakes

JavaScript Callbacks

►arbitrary data here([{"errors":["NO_RESULT"]}]);
►http://search.ebay.de/ws/search/SaleSearchService?_safmen=1&saved=1&_sajscallback=arbitrary%20data%20here
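The server-side half of the defence for the callback problem on the last two slides: because a SWF is recognised by its signature at byte zero and the player ignores the Content-Type, a callback endpoint must never let the caller choose the first bytes of the response. This is an added example, not code from the talk or from any site it mentions; `safe_callback`, `jsonp_response` and the `/**/` prefix are my own choices, and the payload is constructed.

```python
import json
import re

# Only a plain (optionally dotted) JavaScript identifier is accepted as the
# callback name. Anything else, such as "arbitrary data here" or the bytes of
# a SWF header, is rejected before it can reach the response body.
_CALLBACK = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
_MAX_CALLBACK_LEN = 64


def safe_callback(name: str) -> bool:
    """True if `name` is a short, clean identifier and nothing else."""
    return bool(name) and len(name) <= _MAX_CALLBACK_LEN and _CALLBACK.fullmatch(name) is not None


def jsonp_response(callback: str, payload):
    """Return (status, headers, body) for a JSONP endpoint.

    On a bad callback name the endpoint answers 400 with a plain-text body
    instead of echoing anything. On success the body starts with a fixed
    comment, so even a valid identifier can never be the first bytes of the
    response, and nosniff stops browsers re-guessing the type.
    """
    if not safe_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed inputs: the slide's rejected callback and a legitimate one.
    print(jsonp_response("arbitrary data here", {"errors": ["NO_RESULT"]}))
    print(jsonp_response("cb", {"errors": ["NO_RESULT"]}))
```

The identifier check is deliberately an allow-list rather than a search for known-bad bytes: the slide's point is that a partial filter on the callback value still leaves the attacker in control of the start of the body, which is all the Flash loader needs.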

Page 16: Web Browsers And Other Mistakes

LoadPolicyFile

►LoadPolicyFile lets you have those files by other names and in non-root directories
►Must be served with a Content-Type header of:
  • text/*
  • application/xml
  • application/xhtml+xml
  • Or in some cases text/x-cross-domain-policy
►But there is also additional strictness, depending on the root crossdomain.xml
►LoadPolicyFile only gives you access to the directory which you loaded the file from
  • But it has a traversal bug which works with IIS
►http://www.site.com/path/to/policy/file/%3f/..\..\..\..\..\path\from\root.aspx

Page 17: Web Browsers And Other Mistakes

Flash 9,0,124,0

►Adobe released a patch ~3 weeks ago
►A lot of stuff changed
  • (It seems) Flash files now only inherit permissions if they are hosted and loaded from a given site
  • Directory traversal bug still works though
  • Flash files can no longer force users to send (somewhat) arbitrary headers to arbitrary domains
►Or at least that’s the idea

Page 18: Web Browsers And Other Mistakes

Bypassing Header Checks

►All header-allowance checks are being done before handing the request off to the browser
►Browsers support redirects
  • Redirects redirect some headers
►All redirects in IE
  • Doesn’t let plugins add Authorization headers
►307 redirects in Firefox (requires user interaction)
  • Can redirect the forbidden Authorization header

Page 19: Web Browsers And Other Mistakes

Browser Encoding Behaviour

►Horribly understood
  • Little-to-no useful documentation
►We’ve still discovered enough to exploit some apps

Page 20: Web Browsers And Other Mistakes

UTF-7 XSS

►Classic case:
  • No charset in HTTP headers and no charset in meta tags
  • IE auto-detects UTF-7 if you throw it enough UTF-7 encoded data in the first 4Kb of a document
►Improved classic case (Stefan Esser):
  • As above, but don’t rely on auto-detect
  • Load the UTF-7 XSS-ed page into an iframe with the outside frame having a charset of utf-7
  • All browsers originally
  • Firefox patched

Page 21: Web Browsers And Other Mistakes

UTF-7

►No charset in header; charset in meta tag, UTF-7 injection before meta tag
  • E.g. injection in a title tag
►Close the title tag
►Inject a UTF-7 encoded meta tag
►Inject your UTF-7 encoded XSS
►Credit to Yosuke Hasegawa
►http://openmya.hacker.jp/hasegawa/PoC/utf-7/inject-meta.html

Page 22: Web Browsers And Other Mistakes

NULL Bytes

►Completely ignored in HTML by IE
►<scr%00ipt> is the same as <script>
►Makes a lot of filters exploitable
  • Including previous versions of RequestValidation

Page 23: Web Browsers And Other Mistakes

Variable Width Encoding

►<a href="<input>"><input></a>
►<a href="<input>[MBChar]>
  style="a:expression(alert(1));>text</a>
  • [MBChar] is a multibyte character, where " or ' (if ' is used as the quote symbol) is the last byte and the first byte is the last byte of our first input
  • Only some character sets: http://ha.ckers.org/charsets.html

Page 24: Web Browsers And Other Mistakes

HTML Entity Decoding

►When the browser uses HTML tag attributes it HTML-decodes them, e.g.
  <a href=http://site/page.php?x=y&a=b>
►Is effectively the same as
  <a href=http://site/page.php?x=y&amp;a=b>
►So
  <a onclick='func("test");'>
►Is the same as
  <a onclick='func(&quot;test&quot);'>

Page 25: Web Browsers And Other Mistakes

HTML Entity Decoding

►So
  <a onclick='func("test&quot); eval(window.name);//");'>
►Is the same as
  <a onclick='func("test"); eval(window.name);//");'>
►So if you’re ever inserting data into attributes and the data inside could potentially be dangerous
  • E.g. event handlers, URLs, styles, etc
►Decode before escaping/encoding/filtering, then re-encode
►If not escaping/encoding/filtering, double-encode to preserve the value
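The two rules on this slide, decode-then-escape-then-re-encode and double-encode-to-preserve, carried through on the slide's own `func("test&quot); eval(window.name);//")` payload. This is an added example, not code from the talk; `handler_attribute`, `naive_handler_attribute`, `js_string_escape`, `browser_view` and `preserve_literal` are my names, and `browser_view` is a deliberately crude stand-in for the HTML parser's attribute decoding, enough to show what the JavaScript engine receives in each case.

```python
import html


def js_string_escape(s: str) -> str:
    """Escape text for the inside of a JavaScript string literal: every
    character that could end the literal, the attribute or the element is
    written as \\xHH (or \\uHHHH), so the browser's later entity decoding
    cannot turn anything back into a quote."""
    out = []
    for ch in s:
        if ch.isalnum() or ch in " ,.:_-":
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def handler_attribute(untrusted: str) -> str:
    """Build <a onclick='func("...")'> the way the slide recommends.

    Step 1: decode entities so the filter sees what the browser will see.
    Step 2: escape for the inner context (a JS string literal).
    Step 3: re-encode for the outer context (a single-quoted HTML attribute).
    """
    decoded = html.unescape(untrusted)
    inner = js_string_escape(decoded)
    return "<a onclick='func(\"" + html.escape(inner, quote=True) + "\");'>"


def naive_handler_attribute(untrusted: str) -> str:
    """The pattern the slide warns about: the filter only looks for a literal
    double quote, so "&quot" passes and the browser decodes it into one."""
    if '"' in untrusted:
        raise ValueError("quote in input")
    return "<a onclick='func(\"" + untrusted + "\");'>"


def browser_view(attr_html: str) -> str:
    """What the JavaScript engine receives: the onclick value after the HTML
    parser has decoded entities. Crude extraction, sufficient for the demo."""
    start = attr_html.index("onclick='") + len("onclick='")
    end = attr_html.index("'", start)
    return html.unescape(attr_html[start:end])


def preserve_literal(untrusted: str) -> str:
    """The slide's second rule: when not filtering, double-encode so that a
    literal "&quot" in the data survives as text rather than becoming a quote."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    payload = 'test&quot); eval(window.name);//'        # constructed, from the slide
    print(browser_view(naive_handler_attribute(payload)))  # func("test"); eval(window.name);//");
    print(browser_view(handler_attribute(payload)))        # the string literal stays closed
```

The naive version illustrates why HTML-encoding alone is not enough for an event handler: whatever the filter emits, the browser decodes before the JavaScript parser runs, so the inner context needs its own escaping first.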

Page 26: Web Browsers And Other Mistakes

Point?

►Most developers and security people still don’t fully understand all the technologies they work with
  • Including me
►Please provide good documentation
►Don’t force us to black-box test IE8 to figure out how things work
  • I can’t reverse my way out of a wet paper bag

Page 27: Web Browsers And Other Mistakes

Finding Vulnerabilities

►IE: FindMimeFromData
►Flash: crossdomain.xml & LoadPolicyFile
►Browser Encoding Issues
►IE: Inter-Protocol XSS

Page 28: Web Browsers And Other Mistakes

FindMimeFromData

►Usually no checks done
►Many sites use the ‘recommended’ Microsoft solution, setting a header like this:
  Content-Disposition: attachment
►Still dangerous if users open files
►Some sites try to do filtering themselves
  • These can usually be bypassed by throwing more knowledge of the algorithm at them

Page 29: Web Browsers And Other Mistakes

FindMimeFromData

►Some sites verify you have an image for which IE has a signature
  • Try setting an extension for which IE has a signature, e.g. .png
  • But include a valid image of another format
►e.g. a GIF with .jpg extension
►Sometimes works since developers only verify that the image is valid using a generic function, e.g. getimagesize() for PHP
  • Or they simply look for the presence of a signature
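An upload check that closes the two gaps described on the FindMimeFromData slides: the 256-byte sniff window with the hardcoded tag list (page 11) and the GIF-with-.jpg-extension mismatch (this slide). This is an added example, not code from the talk; `check_upload`, `detect_format` and `looks_like_html` are my names, the signature table is the usual magic bytes for the three formats the slides mention, and the case-insensitive comparison of the tag list is my assumption rather than something the talk states.

```python
# Magic bytes for the image types the slides discuss.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# The strings the slide says FindMimeFromData looks for in the first 256 bytes.
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<pre", b"<table",
                b"<a href", b"<img", b"<plaintext", b"<title")
SNIFF_WINDOW = 256


def detect_format(data: bytes):
    """Return the format whose signature the data starts with, or None."""
    for fmt, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return "jpg" if fmt == "jpeg" else fmt
    return None


def looks_like_html(data: bytes) -> bool:
    """Apply the slide's tag list to the same window the browser uses."""
    window = data[:SNIFF_WINDOW].lower()
    return any(marker in window for marker in HTML_MARKERS)


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason).

    The declared extension must be one we serve, the content must carry a
    signature, the signature must match the extension (so a GIF named .jpg is
    refused rather than served under a type the browser will re-sniff), and
    the sniff window must not contain any of the tags the browser keys on.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    actual = detect_format(data)
    if actual is None:
        return False, "no recognised image signature"
    declared = "jpg" if ext == "jpeg" else ext
    if actual != declared:
        return False, f"extension .{ext} does not match {actual} content"
    if looks_like_html(data):
        return False, "html markers in sniff window"
    return True, actual


if __name__ == "__main__":
    # Constructed sample files.
    gif = b"GIF89a" + b"\x00" * 40
    print(check_upload("avatar.gif", gif))   # (True, 'gif')
    print(check_upload("avatar.jpg", gif))   # (False, 'extension .jpg does not match gif content')
```

Note what the check does not do: a marker placed past byte 256 is accepted, because the slide says the browser does not look there either. A deployment that serves the file with Content-Disposition: attachment (previous slide) and from a separate origin still needs both measures; this check only refuses the cases the sniffer would misclassify.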

Page 30: Web Browsers And Other Mistakes

crossdomain.xml

►Config:
  • Check the /crossdomain.xml file
  • search for "<cross-domain-policy>" site:site.com
►Content-based attacks:
  • Crawl the site for instances where you control the first bytes
  • Inspect file uploads
►Try to inject a Flash file under a different extension
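A reviewer's version of the "check the /crossdomain.xml file" step: parse the policy and report the settings that widen who may make credentialed Flash requests or where policy files may live. This is an added example, not code from the talk; `audit_crossdomain` and the list of findings are my own. The elements and attributes it reads (`allow-access-from domain`, `secure`, `site-control permitted-cross-domain-policies`) are the standard Flash policy vocabulary, and the sample policies are constructed.

```python
import xml.etree.ElementTree as ET


def audit_crossdomain(policy_xml: str):
    """Return a list of findings for a crossdomain.xml policy; an empty list
    means nothing in this checklist fired. For policies fetched from hosts you
    do not control, parse with defusedxml instead of the stdlib parser."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return ["policy is not well-formed XML"]
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can make '
                            'credentialed Flash requests to this host')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain '
                            'is trusted, including any with an upload or XSS bug')
        if rule.get("secure") == "false":
            findings.append(f'secure="false" on {domain}: content loaded over plain '
                            'HTTP may use this policy against HTTPS resources')

    site_control = root.find("site-control")
    if site_control is None:
        findings.append("no <site-control> element: permitted-cross-domain-policies "
                        "is left at the player default")
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('permitted-cross-domain-policies="all": LoadPolicyFile may '
                        'treat any file on the site as a policy file')
    return findings


if __name__ == "__main__":
    # Constructed policies: the slide's minimal one, and a permissive one.
    minimal = ('<cross-domain-policy>'
               '<allow-access-from domain="www.domain.com" />'
               '</cross-domain-policy>')
    permissive = ('<cross-domain-policy>'
                  '<allow-access-from domain="*" secure="false"/>'
                  '</cross-domain-policy>')
    for policy in (minimal, permissive):
        print(audit_crossdomain(policy))
```

The missing `<site-control>` finding is the link to the LoadPolicyFile slides: the root policy is what decides whether non-root policy files are honoured at all, so a review of crossdomain.xml should record that setting explicitly rather than rely on whatever the installed player defaults to.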

Page 31: Web Browsers And Other Mistakes

LoadPolicyFile

►Examine /crossdomain.xml
  • Depending on what you find there, there may be restrictions
►If no file exists, LoadPolicyFile will fail
  • There were some tricks to bypass this before, but they don’t seem to work any more
►May specify restrictions on other policy files
  • http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_print.html

Page 32: Web Browsers And Other Mistakes

Browser Encoding Issues

►Check for charset in HTTP headers
  • Is it multi-byte?
►Can you make valid multibyte characters with a quote as the last character?
  • Vulnerable
►Check for charset in meta tags
  • Do you have a filtered injection before it?
►Vulnerable
►Otherwise vulnerable
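The checklist on this slide as a function a reviewer can run over a captured response: charset in the header, else charset in a meta tag within the first 4Kb, else nothing declared. This is an added example, not code from the talk; `audit_charset`, the `injection_offset` parameter (the byte position of a known reflection point, supplied by the reviewer) and the `MULTIBYTE` set are my own, and the set only names encodings that are multibyte, it does not claim which of them allow a quote as a trailing byte; that is the check the finding asks for, per the ha.ckers.org list the previous slide cites.

```python
import re

HEADER_CHARSET = re.compile(r"charset\s*=\s*\"?([A-Za-z0-9_\-]+)", re.I)
META_CHARSET = re.compile(rb"<meta[^>]*charset\s*=\s*[\"']?\s*([A-Za-z0-9_\-]+)", re.I)
# Multibyte encodings worth a closer look (constructed list for this example).
MULTIBYTE = {"shift_jis", "sjis", "gbk", "gb2312", "big5", "euc-jp", "euc-kr"}
SNIFF_LIMIT = 4096   # the UTF-7 slide: IE auto-detects from the first 4Kb


def audit_charset(content_type: str, body: bytes, injection_offset=None):
    """Walk the slide's checklist and return a list of findings.

    content_type:     the response Content-Type header value (may be empty)
    body:             the response body bytes
    injection_offset: byte offset of a known reflection point, if any
    """
    findings = []

    # 1. Charset declared in the HTTP header wins; only the multibyte question remains.
    m = HEADER_CHARSET.search(content_type or "")
    if m:
        cs = m.group(1).lower()
        if cs in MULTIBYTE:
            findings.append(f"header charset {cs} is multibyte: verify no valid "
                            "character can end in a quote byte")
        return findings

    # 2. No header charset: look for a meta charset inside the sniff window.
    meta = META_CHARSET.search(body[:SNIFF_LIMIT])
    if meta is None:
        findings.append("no charset in header or meta: browser auto-detection "
                        "applies (UTF-7 on IE)")
        return findings

    cs = meta.group(1).decode("ascii", "replace").lower()
    if injection_offset is not None and injection_offset < meta.start():
        findings.append("injection point precedes the meta charset: an injected "
                        "meta tag can redeclare the charset")
    if cs in MULTIBYTE:
        findings.append(f"meta charset {cs} is multibyte: verify no valid "
                        "character can end in a quote byte")
    return findings


if __name__ == "__main__":
    # Constructed response: no header charset, meta charset after a <title>.
    body = b"<html><head><title>X</title><meta charset=utf-8></head></html>"
    print(audit_charset("text/html", body, injection_offset=20))
    print(audit_charset("text/html; charset=utf-8", body))
```

The ordering check reproduces the page-21 case: a reflection inside `<title>` comes before the meta tag, so the server's declared charset arrives too late to help. Declaring the charset in the Content-Type header removes that whole branch.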

Page 33: Web Browsers And Other Mistakes

Inter-Protocol XSS

►Browsers speak HTTP to ports regardless of whether those ports understand it
►IE doesn’t perform any checks on the response
►Firefox searches for http (case-insensitive) in the first 8 bytes
  • Never going to happen unless it’s valid
►IE searches for http/ (case-insensitive) in the first 1024 bytes and then assumes the next line is an HTTP header
  • So we can sometimes do HTTP Response Splitting and Header Injection

Page 34: Web Browsers And Other Mistakes

Point?

►Finding everything is hard
  • Especially when clients are constantly changing
  • We need something for developers to more easily write secure code
►Frameworks
►Better documentation is needed
  • Most of this was found by trial and error and eureka moments by various researchers

Page 35: Web Browsers And Other Mistakes

Triggering Vulnerabilities

►Logged out XSS
►CSRF-Protected XSS
►JavaScript Hijacking
►Session Fixation
►CSRF Token Fixation
►CSRF Vulnerabilities

Page 36: Web Browsers And Other Mistakes

Logged Out XSS

►What does it mean to be ‘logged in’?
  • No, it’s not like the meaning of life.
►To be logged in is to send a cookie tied to a valid session
►So when are you logged out?
  • When your cookie is invalid or you don’t send a cookie
►How do we log the user out for a single request?

Page 37: Web Browsers And Other Mistakes

Logged Out XSS

►Stop a valid cookie being sent
  • Flash to mangle the cookie
    ◦ Not in IE
    ◦ Not latest Flash
    ◦ Some session handlers like PHP throw a warning, but still create a new session.
  • RequestRodeo
    ◦ Firefox extension which strips all auth data from off-site requests
    ◦ Nice extension, but introduces new issues
  • Path-specific cookies
    ◦ Cross-Site Cooking
    ◦ Subdomain XSS
  • Hope you can somehow delete part of an authentication cookie which can be guessed, e.g. a username

Page 38: Web Browsers And Other Mistakes

CSRF-Protected XSS

►Log the user in as someone else
  • Log the user out first (not always necessary)
    ◦ Delete all cookies, or CSRF, or wait (not long usually)
    ◦ Or stop the cookies being sent (RequestRodeo)
  • Log the user in as yourself
    ◦ Flash (not IE) (not latest)
    ◦ Session Fixation
      URL tokens (PHP, Java, others?)
      Cross-Site Cooking
      Subdomain XSS
      Abusing SSO systems

Page 39: Web Browsers And Other Mistakes

JavaScript Hijacking

►Also called JSON hijacking
  • Prevalent in Web 2.0 sites which use JSON to transport sensitive data
  • Remote <script> tags allow us to extract it if:
    ◦ The JSON data is wrapped in a callback function
    ◦ The user is running Firefox 2.X
      We can over-write the default constructors and read the data without it being returned to us
►But sometimes it is actual JavaScript hijacking, e.g. sometimes other sensitive data is included in files which are interpreted as valid JavaScript
►So don’t put anything sensitive in JavaScript files or JSON

Page 40: Web Browsers And Other Mistakes

Session Fixation

►Instead of stealing the cookie, set the cookie and then let the user eventually authenticate using it
  • Useful when we are only able to set a cookie
  • Standard defence is to regenerate the session id when the privilege level changes
►Usually considered difficult, unless:
  • We can supply the token via the URL (sometimes)
    ◦ With PHP’s default session handler we must first delete the existing cookies
  • We can use Cross-Site Cooking attacks
  • We have an XSS/Cookie Injection bug in a subdomain

Page 41: Web Browsers And Other Mistakes

CSRF Token Fixation

►But is regenerating tokens enough?
  • Not always
►Session tokens are not the only things we want
  • We want CSRF tokens
  • Which we can also fixate
►Use a similar procedure to Session Fixation
►Still need to force the user to use our cookie
  • Just as difficult to exploit
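The defence the last two slides refer to, for both session ids and CSRF tokens: at every privilege change the server discards whatever id the browser presented and issues a fresh id with a fresh CSRF token, so a value planted beforehand is worthless. This is an added example, not code from the talk; `SessionStore` and its methods are my construction, and `login_without_regeneration` is included only to show the fixation-prone behaviour (the "binds the user to whatever id the browser sent" pattern the session-fixation slide attributes to default handlers) beside the corrected one.

```python
import hmac
import secrets


class SessionStore:
    """In-memory session store (constructed for this example).

    Each session carries a user (None until login) and a CSRF token. Both the
    session id and the CSRF token are regenerated on login and dropped on
    logout, covering session fixation and CSRF-token fixation together.
    """

    def __init__(self):
        self._sessions = {}     # sid -> {"user": str | None, "csrf": str}

    def _new(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def start(self):
        """Anonymous session, e.g. for a pre-login form."""
        return self._new(None)

    def login(self, presented_sid, user):
        """Privilege change: forget the presented id (valid, unknown or
        attacker-chosen alike) and issue a fresh id and CSRF token."""
        self._sessions.pop(presented_sid, None)
        return self._new(user)

    def login_without_regeneration(self, presented_sid, user):
        """Fixation-prone variant: binds the user to the id the browser sent,
        creating the session if it does not exist yet. Kept for contrast only."""
        entry = self._sessions.setdefault(
            presented_sid, {"user": None, "csrf": secrets.token_urlsafe(32)})
        entry["user"] = user
        return presented_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def user(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def csrf_token(self, sid):
        entry = self._sessions.get(sid)
        return entry["csrf"] if entry else None

    def check_csrf(self, sid, presented):
        """Constant-time comparison of the presented token with the session's."""
        expected = self.csrf_token(sid)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    store = SessionStore()
    planted = store.start()                 # an id an attacker could plant in a browser
    planted_csrf = store.csrf_token(planted)
    fresh = store.login(planted, "victim")  # victim logs in with the planted id
    print(fresh != planted, store.user(planted), store.check_csrf(fresh, planted_csrf))
    # True None False: the planted id and its CSRF token are both dead
```

The point of regenerating the CSRF token alongside the session id is the one the slide makes: a store that only rotates the session id but copies the old CSRF token into the new session still lets a token that was known before login be used after it.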

Page 42: Web Browsers And Other Mistakes

CSRF Vulnerabilities

►Usually very simple to trigger
  • Not on ASP.NET
►We can only do user-to-user CSRF
  • Not unauthed-to-user CSRF
  • So admin areas are unexploitable by default
►However, protections are not configurable, only programmable
  • ViewStateUserKey
►Prone to replay attacks between sessions if the key is non-session specific

Page 43: Web Browsers And Other Mistakes

CSRF Vulnerabilities

►CAPTCHAs as CSRF solutions
  • Two types
►captcha.php
►captcha.php?id=123456
  • Both can be CSRF-ed
►captcha.php can be CSRF-ed onto the page and filled in by the user
►captcha.php?id=123456 can sometimes be retrieved, solved by an attacker, and then used in an attack

Page 44: Web Browsers And Other Mistakes

File Upload CSRF

►Publicly considered unexploitable until February ’08
  • Due to the unusual format of the HTTP requests
  • Two methods released, by pdp and me
►An ActionScript 3 object called URLRequest gives us enough flexibility to easily forge the headers
  • http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
►There is a browser bug which also gives us enough control
  • http://kuza55.blogspot.com/2008/02/csrf-ing-file-upload-fields.html

Page 45: Web Browsers And Other Mistakes

Point?

►Assume all client-side vulnerabilities can be triggered
  • New techniques constantly being developed
  • Browser technology is a moving target
►Don’t let researchers tell you there are bugs, but then not patch them because you think no-one can exploit them

Page 46: Web Browsers And Other Mistakes

Exploiting Vulnerabilities

►Beyond Simple Cookie Stealers
►Hiding in Client-Side Channels
►Beyond the Same-Origin Policy

Page 47: Web Browsers And Other Mistakes

Beyond Simple Cookie Stealers

►Cookie stealing payloads are still the most common
  • Also most easily defeated
    ◦ httpOnly
    ◦ IP locks
►However more complex payloads are slowly gaining traction

Page 48: Web Browsers And Other Mistakes

Beyond Simple Cookie Stealers

►User-as-a-proxy payloads are becoming more common, especially as tools are released
  • XSS Proxy
  • XSS Tunnel
    ◦ http://www.portcullis-security.com/tools/free/xssshell-xsstunnel.zip
►Single-action user-as-a-proxy payloads are sometimes preferable

Page 49: Web Browsers And Other Mistakes

Beyond Simple Cookie Stealers

► Other XSS Tricks
  Password manager abuse
  Browser cache snooping
  Altering client-side data stores

Page 50: Web Browsers And Other Mistakes

Password Manager Abuse

► Browser automatically fills in passwords
  Can opt out on Firefox
    ► signon.prefillForms
► Still possible if you know the username
  Fill in the username
  Focus on the username field
  Focus on the password field
  Extract the password (use setTimeout)
► Firefox only does a domain check
  IE does a URL check and doesn’t prefill

Page 51: Web Browsers And Other Mistakes

Password Manager Abuse

► However, it’s not so simple
  You need to tab to the password field for it to be filled in
    ► Focus tricks don’t work
► IE has a weirder event model than Firefox
  Tabs from script do not invoke the password manager
  Makes the popup blocker bypassable (well, it used to)
  Makes this harder to exploit
► So we need some social engineering
► Entice the user into pressing the tab key

Page 52: Web Browsers And Other Mistakes

Password Manager Abuse

► IE’s page check checks the top frame’s URL
  So we can’t have the page inside an iframe
  Doesn’t check whether the form is off-site
    ► Not particularly useful unless you can only inject an iframe into a login page
    ► Or you can do cross-site frame injection, maybe
    ► Open the login window in a popup
      Inject JS into it
    ► Entice users to press the tab key
      Probably too much effort, and too many tricks required

Page 53: Web Browsers And Other Mistakes

Browser Cache Snooping

► Why?
  Sensitive details
    ► Think credit cards, etc.
► How?
  XMLHttpRequest()
► Results?
  IE only
    ► Requires no tricks.

Page 54: Web Browsers And Other Mistakes

Altering client-side data stores

► Some JavaScript becomes exploitable, e.g.
  window.location = getCookie('redirURL');

► We still face the issue of what our payload should do

► But we gain the benefit of persistence
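As an added example (not code from the deck), the redirect pattern above beside a hardened version that only follows same-origin http(s) paths; getCookie() and the cookie strings are constructed stand-ins for document.cookie, and the current origin is assumed to be https://site.example:

```javascript
// Minimal document.cookie-style reader (constructed helper, not the deck's code).
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key !== name) continue;
    try { return decodeURIComponent(rest.join('=')); } catch (e) { return null; }
  }
  return null;
}

// The slide's pattern: whatever is in the cookie becomes the navigation target.
// Anyone who can write that cookie (a sibling host on the same domain, an
// earlier injection) can persist a javascript: URL or an off-site redirect in it.
function vulnerableRedirectTarget(cookieString) {
  return getCookie(cookieString, 'redirURL');
}

// Hardened: resolve the value against the current origin and only follow it
// when it is an http(s) URL on that same origin; everything else falls back.
// The URL constructor gives javascript:/data: values a null origin and resolves
// protocol-relative "//host" to the foreign origin, so both fail the check.
function safeRedirectTarget(cookieString, currentOrigin, fallback = '/') {
  const raw = getCookie(cookieString, 'redirURL');
  if (!raw) return fallback;
  let target;
  try {
    target = new URL(raw, currentOrigin);
  } catch (e) {
    return fallback;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback;
  if (target.origin !== currentOrigin) return fallback;
  return target.pathname + target.search + target.hash; // relative, never a full URL
}

// Constructed cookie strings exercising the cases.
const EXAMPLES = [
  'session=abc; redirURL=%2Faccount%3Ftab%3D1',
  'redirURL=javascript:alert(1)',
  'redirURL=//evil.example/',
];
for (const c of EXAMPLES) {
  console.log(JSON.stringify(c), '->', vulnerableRedirectTarget(c), '|', safeRedirectTarget(c, 'https://site.example'));
}
```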

Page 55: Web Browsers And Other Mistakes

Hiding in Client-Side Channels

► One of the problems with XSS is that it can be found in server logs
  This is silly since we only need the client to see our payload
  So we can use client-side channels to transfer our payload
    ► document.domain
    ► location.hash
    ► window.name
    ► sessionStorage/globalStorage
    ► etc.

Page 56: Web Browsers And Other Mistakes

Beyond the Same-Origin Policy

► Exploiting Trust Relationships
  IP
  DNS

Page 57: Web Browsers And Other Mistakes

Exploiting Trust Relationships: IP

► Many technologies do not discriminate by port

► Many are not virtual host-aware

Page 58: Web Browsers And Other Mistakes

IP ports

► Cookies are shared across ports
► Flash crossdomain.xml policies rarely make use of port restrictions

► Why does this matter?
  Non-virtual-host-aware ports
    ► E.g. Inter-Protocol XSS

Page 59: Web Browsers And Other Mistakes

Virtual Hosts

► The domain is based on the Host: request header the browser added to the request
  Some ports may not be vhost aware but XSS-able
    ► Inter-Protocol XSS, Reverse Proxies, etc.
  Some may be vhost aware, but may not know our specific vhost, e.g. vhosts registered for only one port
    ► SSL Ports, Load Balancers, etc.
  Sometimes we can manipulate the Host: header
    ► In an earlier version of Flash we could send a malformed Host: header
      addRequestHeader("Host:blah", " ");
    ► Gets the default host

Page 60: Web Browsers And Other Mistakes

Exploiting Trust Relationships: DNS

► Many security models rely on DNS
  And on the security of all sites in the DNS tree

► Implicit trust between parent and child domains
  In certain protocols anyway

► DNS is also not static or homogeneous

Page 61: Web Browsers And Other Mistakes

Heterogeneous DNS Records

► DNS servers do not necessarily have the same records, e.g.
  A company may have a wildcard DNS record for *.company.com resolving to 12.34.56.78
  If they now create a website at internal.company.com but only place that record on the internal DNS server
  If *.company.com is vulnerable to XSS, then so is internal.company.com when resolved externally
    ► Think laptops
    ► Think `persistent` payloads

Page 62: Web Browsers And Other Mistakes

Ambiguous IP Addresses in DNS

► Many domains inadvertently have a localhost.domain.com address pointing to 127.0.0.1 (Tavis Ormandy)
  localhost.microsoft.com used to

► Many internal hosts resolve externally
► Domains now resolve to IPs which are not controlled by the domain owner

Page 63: Web Browsers And Other Mistakes

Ambiguous IP Addresses in DNS

► Exploitable in a few scenarios
  Multi-user system
  XSS-able service on 127.0.0.1 (Tavis Ormandy)
    ► Local machine
    ► HTTP proxy
  Attacker on the same local net
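As an added defensive check (not from the deck), a small scan a zone owner can run over their own public records to find the ambiguous names this slide and the previous one describe: A records pointing at loopback or at private address space. The zone lines and the company.example origin are constructed.

```javascript
// Constructed zone fragment: one public host, four ambiguous ones, some noise.
const SAMPLE_ZONE = [
  'www        IN A 203.0.113.10',
  'localhost  IN A 127.0.0.1',
  'intranet   IN A 10.20.30.40',
  'vpn        IN A 172.20.1.5',
  'printer    IN A 192.168.1.9',
  '; comments and other record types are skipped',
  'mail       IN MX 10 mx.company.example.',
].join('\n');

// Dotted quad to unsigned 32-bit integer; null when the text is not an IPv4 address.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Address blocks that cannot denote a host the domain owner controls from the outside.
const NON_PUBLIC = [
  ['127.0.0.0', 8, 'loopback'],
  ['10.0.0.0', 8, 'private'],
  ['172.16.0.0', 12, 'private'],
  ['192.168.0.0', 16, 'private'],
  ['169.254.0.0', 16, 'link-local'],
];

function classify(ip) {
  const n = ipToInt(ip);
  if (n === null) return 'invalid';
  for (const [base, bits, label] of NON_PUBLIC) {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    if (((n & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0)) return label;
  }
  return 'public';
}

// Returns every A record whose target is not publicly routable, with the reason.
function findAmbiguousRecords(zoneText, origin) {
  const findings = [];
  for (const line of zoneText.split('\n')) {
    const m = line.match(/^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)/);
    if (!m) continue; // blank lines, comments, non-A records
    const reason = classify(m[2]);
    if (reason !== 'public') findings.push({ name: `${m[1]}.${origin}`, ip: m[2], reason });
  }
  return findings;
}

for (const f of findAmbiguousRecords(SAMPLE_ZONE, 'company.example')) console.log(f);
```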

Page 64: Web Browsers And Other Mistakes

Bringing Down the Walls: document.domain

► document.domain is a read/write property which is set to the domain of the current page

► This property can be set to any parent domain
► To check whether sites can communicate, two checks must be passed (usually):
  The document.domain values are both the same
  Either both have been altered, or neither has

► Many sites alter the domain to allow this explicitly
  MySpace
  Live.com
  Yahoo!

Page 65: Web Browsers And Other Mistakes

Bringing Down the Walls: document.domain

► However, there is a bug in IE
  Known & unpatched for >1 year
  If a website reads the location.href property, IE will think the document.domain property has been altered
    ► Many scripts read this property
      Google Analytics

► So any parent domain which reads location.href anywhere at all effectively trusts all child domains
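To make the two checks and the IE quirk concrete, here is an added toy model (not from the deck and not real browser code) of the document.domain rule from the previous slide. Hostnames are constructed, and the parent page is assumed to be served from the apex company.example so that a child setting document.domain to its parent lines up with it.

```javascript
// Toy model of a browser document, tracking only the state the check needs.
class Doc {
  constructor(host) {
    this.host = host;      // host the page was served from
    this.domain = host;    // current value of document.domain
    this.altered = false;  // whether document.domain has been assigned
  }
  // document.domain may only be set to the page's own host or a parent of it
  // (real browsers also refuse public suffixes; omitted here).
  setDomain(value) {
    if (value !== this.host && !this.host.endsWith('.' + value)) {
      throw new Error(`cannot set document.domain to ${value} from ${this.host}`);
    }
    this.domain = value;
    this.altered = true;
  }
  // The IE quirk the slide describes: merely reading location.href flips the
  // altered flag even though document.domain was never assigned.
  readLocationHrefInIE() {
    this.altered = true;
    return `http://${this.host}/`;
  }
}

// The usual rule: same document.domain, and both altered or neither.
function canScript(a, b) {
  return a.domain === b.domain && a.altered === b.altered;
}

// Walk the cases from the slides; returns which pairs end up able to script each other.
function scenarios() {
  const results = {};
  let parent = new Doc('company.example');       // the parent domain's own page
  let child = new Doc('sub.company.example');    // any subdomain, squatted or not
  results.untouched = canScript(child, parent);  // different domains: no access
  child.setDomain('company.example');
  results.childOnly = canScript(child, parent);  // flags differ: still no access
  parent.setDomain('company.example');
  results.bothOptIn = canScript(child, parent);  // explicit opt-in on both sides
  // IE: the parent never assigns document.domain, but a script on it (an
  // analytics snippet, say) reads location.href, and the child gets in.
  parent = new Doc('company.example');
  child = new Doc('sub.company.example');
  child.setDomain('company.example');
  parent.readLocationHrefInIE();
  results.ieHrefRead = canScript(child, parent);
  return results;
}

console.log(scenarios());
```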

Page 66: Web Browsers And Other Mistakes

Exploiting Trust Relationships: DNS

► Sites can set cookies for child domains and read cookies from parent domains
  sessionStorage/globalStorage can read/write to parent domains

► crossdomain.xml allows wildcards
  Commonly used
    ► amazon.com allows *.amazon.com (among others)
    ► yahoo.com allows *.yahoo.com

► SiteLock template for ActiveX controls allows wildcards
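An added example (not from the deck or from any of the sites it names) that lints a crossdomain.xml for the two weaknesses the deck raises: the wildcard domain entries on this slide and the missing port restrictions from the IP ports slide. The policy below is constructed.

```javascript
// Constructed crossdomain.xml with one tight rule and three weak ones.
const SAMPLE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.company.example" />
  <allow-access-from domain="partner.example" to-ports="443" secure="true" />
  <allow-access-from domain="www.company.example" to-ports="*" />
</cross-domain-policy>`;

// crossdomain.xml is flat (no nesting, no CDATA), so a regex over each
// allow-access-from element is enough to pull out its attributes.
function parseAllowRules(xml) {
  const rules = [];
  const tagRe = /<allow-access-from\b([^>]*)>/g;
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1]] = a[2];
    rules.push(attrs);
  }
  return rules;
}

// One finding per weak rule, listing why it is weak. A rule passes only when
// it names a single host and pins the ports it applies to.
function lintPolicy(xml) {
  const findings = [];
  for (const rule of parseAllowRules(xml)) {
    const domain = rule.domain || '';
    const ports = rule['to-ports'];
    const issues = [];
    if (domain === '*') {
      issues.push('allows every origin');
    } else if (domain.startsWith('*.')) {
      issues.push(`subdomain wildcard: any host under ${domain.slice(2)} is trusted`);
    }
    if (ports === undefined || ports === '*') {
      issues.push('to-ports not restricted to specific ports');
    }
    if (issues.length) findings.push({ domain, issues });
  }
  return findings;
}

for (const f of lintPolicy(SAMPLE_POLICY)) console.log(f.domain, '->', f.issues.join('; '));
```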

Page 67: Web Browsers And Other Mistakes

Subdomain Squatting

► Network Solutions hijacked their customers’ subdomains to serve ads (TechCrunch)

► Earthlink and Comcast hijacked the subdomains of all sites on the internet and served ads to their customers (Kaminsky)

► Both cases were XSS-able, the NetSol equivalent trivially

Page 68: Web Browsers And Other Mistakes

Point?

► Stop building technologies which put trust into DNS
  We can’t continue to blindly trust DNS

► Nothing other than same-origin-style matches should be good enough
  Sometimes that’s not good enough either

► Don’t do weird DNS things, and don’t use shared hosting

Page 69: Web Browsers And Other Mistakes

Questions?

Page 70: Web Browsers And Other Mistakes

Thanks!