Thursday, November 08, 2012

XSS & CSRF with HTML5 - Attack, Exploit and Defense

HTML5 has empowered the browser with a number of new features and functionalities. Browsers with this new architecture include features like the XMLHttpRequest Object (Level 2), Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more. The browser is emerging as a platform, like a little operating system, and its attack surface has expanded significantly. Applications developed in this new architecture are exposed to an interesting set of vulnerabilities and exploits. Traditional vulnerabilities like CSRF and XSS can both be exploited in this new HTML5 architecture. In this talk we will cover the following new attack vectors and variants of XSS and CSRF.

HTML5 driven CSRF with XMLHttpRequest (Level 2)
CSRF with two way attack stream
Cross Site Response Extraction attacks using CSRF
Cross Origin Resource Sharing (CORS) policy hacking and CSRF injections
DOM based XSS with HTML5 applications
Exploiting HTML5 tags, attributes and events
DOM variable extraction with XSS
Exploiting Storage, File System and WebSQL with HTML5 XSS
Layered XSS and making it sticky with HTML5 based iframe sandbox
Jacking with HTML5 tags and features

In this session we will cover new methodology and tools along with some real life cases and demonstrations. At the end we will cover some interesting defense methodologies to secure your HTML5 applications. My slides are below (I will post the video once it is released).

Friday, October 19, 2012

Fusion/iAppSecure - New Technology for AppSec Analysis

We have come up with a new technology for application security analysis; it is known as Fusion Lite. Here is the abstract.

Fusion Lite is an innovative next generation technology from iAppSecure which radically changes the way applications are assessed.

At the core of Fusion Lite is its intelligent multi-way coordination and orchestration across advanced static, dynamic and instrumentation technologies. The Fusion Lite Analyzer uses observations and analysis from each of these technologies to continuously learn and refine the understanding of application knowledge and behavior as well as to intelligently coordinate and steer the further functioning of these technologies. This novel approach, along with many other innovative technologies, allows it to take the power of static, dynamic and instrumentation technologies far beyond a simple sum of benefits that these technologies can offer in isolation or even with current hybrid approaches (such as dynamic and static result based correlation, instrumentation/stack trace based correlation or instrumentation based feedback to external dynamic analyzers). The intelligent multi-way coordination and orchestration also allows Fusion Lite, as a complete system, to overcome many of the weaknesses inherent with each of these technologies.

Fusion Lite begins by building an accurate static analysis model of the application and performs an initial analysis on it. However, this model and preliminary analysis only serve as an initial representation of the application. Fusion Lite then intelligently instruments the application based on this analysis. These steps lay the foundation for the intelligent multi-way coordination and orchestration across all the technologies. During multi-way coordination and orchestration, even a single event such as the execution of a use case can cause a chain reaction within the system, which is controlled by the Fusion Lite Analyzer. The information and events received from any of the technologies are used both to refine a multi-dimensional model representing the knowledge and behavior of the application and to drive the other technologies further. The analysis then performed by the other technologies and the Fusion Lite Analyzer can generate new information and events which further trigger and improve the entire process. This process is continuously coordinated until the system stabilizes. The ability to continuously observe, analyze and coordinate these technologies enables continuous refinement of the model representing the knowledge and behavior of the application. This enables deeper, smarter and more accurate detection of vulnerabilities and weaknesses in the application.

Read the complete note over here.

It is launched under a separate venture called iAppSecure Solutions.

Sunday, August 12, 2012

File System API with HTML5 – Juice for XSS

HTML5 has come up with several APIs and one of them is the File System API (http://www.w3.org/TR/file-system-api/). Browsers are implementing it, and it covers both directories and files. Hence, a web application can now create a mini file system and dump files inside the browser. These files can be accessed at any point in time by the browser within the same domain (origin) context. These files can be persistent or temporary. The browser is acting like a mini OS and exposing that surface. If an XSS is found, it is easy to extract the full file system created by the application.

For example, suppose an application has created a token file on the file system using the API. We can see the files by visiting the following URI in Chrome.

In the above figure we can see files being created in the browser. Now, assuming an XSS is found, it is easy to exploit by hooking into the file system and extracting the content. The following code can be part of the access routine.

Bottom line, a lot is being added to HTML5, and strong JavaScript analysis and a careful look around will be needed from security professionals. It looks like the developer community is still playing around with these APIs, but the day is not far when we will start seeing these types of applications in production and landing at our doorstep for review.

Wednesday, August 01, 2012

[Blackhat 2012] HTML5 Top 10 Threats Stealth Attacks and Silent Exploits

BlackHat 2012 was really fun, with lots of interesting talks. I presented a paper on HTML5 Top 10 Threats and Security. You can find the slides and paper over here.

Wednesday, February 15, 2012

CSRF with upload – XHR-L2, HTML5 and Cookie replay

XHR Level 2 calls embedded in an HTML5 browser can open a cross-domain socket and deliver an HTTP request. Cross-domain calls need to abide by CORS. The browser will generate preflight requests to check the policy and, based on that, will allow cookie replay. Interestingly, a multipart/form-data request will go through without a preflight check, and "withCredentials" allows cookie replay. This can be exploited to upload business logic files via CSRF if the server is not validating a token/captcha. Business applications allow uploading files like orders, invoices, imports, contacts etc. These critical functionalities can be exploited in the case of poor programming.

If we have business functionality with an actual upload form, then this type of HTTP request will be generated at the time of upload. Note that the cookie is being replayed and the request is a multipart form.

Now, suppose the CSRF payload has the following XHR call.

The above call will generate the following HTTP request, causing the CSRF and uploading the file. Hence, without the user's consent or knowledge, a cross-domain file is uploaded to the target application with the logged-in credentials.


Future probes: one needs to check other impacts like AMF stream uploading, XML file transfer and a few other library protocols which nowadays deal in multipart to support binary calls.
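As an added example (not code from the original post), the following Node.js script looks at the same upload from the server's side. It shows the CORS rule that lets a multipart/form-data POST through without a preflight, and the check an upload handler can apply so that a replayed cookie by itself is not enough: an Origin allow list plus a synchronizer token carried inside the multipart body. The request objects, origins and token value are constructed for the example, and parsing of the multipart body is assumed to have already happened.

```javascript
// Added example, not from the original post. Node.js, no dependencies.
// Part 1: why the post's multipart upload needs no preflight.
// Part 2: what an upload handler must check so the replayed cookie is not enough.

// CORS "simple request" rules: a POST whose headers are all CORS-safelisted and
// whose Content-Type is one of these three media types is sent straight away,
// cookies included when withCredentials is set, with no OPTIONS preflight.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// Returns true when a browser would send an OPTIONS preflight for this request.
function requiresPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // Any custom header (X-Requested-With, Authorization, ...) forces a preflight.
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === 'content-type') {
      // Only the media type matters; "multipart/form-data; boundary=..." is still simple.
      const mediaType = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return true;
    }
  }
  return false;
}

// Case-insensitive header lookup on a plain object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Compare tokens without short-circuiting on the first mismatching character.
function constantTimeEqual(a, b) {
  const sa = String(a), sb = String(b);
  if (sa.length !== sb.length) return false;
  let diff = 0;
  for (let i = 0; i < sa.length; i++) diff |= sa.charCodeAt(i) ^ sb.charCodeAt(i);
  return diff === 0;
}

// Placeholder origin of the application itself.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// request: { method, headers, fields } where fields are the parsed multipart
// form fields (parsing is assumed done). sessionToken: the synchronizer token
// the server stored for the session identified by the replayed cookie.
function checkUploadRequest(request, sessionToken) {
  if (request.method.toUpperCase() !== 'POST') return { ok: false, reason: 'method' };
  const ct = (getHeader(request.headers, 'Content-Type') || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'multipart/form-data') return { ok: false, reason: 'content-type' };

  // Browsers add Origin to cross-origin XHR POSTs; an origin outside the allow
  // list means the body was built by another site, whatever cookies came with it.
  const origin = getHeader(request.headers, 'Origin');
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: 'origin' };

  // The attacking page cannot read the victim's token (same-origin policy), so a
  // forged body cannot carry a valid one. A missing Origin is not trusted either.
  const token = request.fields.csrf_token;
  if (!token || !sessionToken || !constantTimeEqual(token, sessionToken)) {
    return { ok: false, reason: 'token' };
  }
  return { ok: true };
}

// Constructed sample requests.
const SESSION_TOKEN = 'sample-session-token-0001';
const legitimateUpload = {
  method: 'POST',
  headers: { Origin: 'https://app.example', 'Content-Type': 'multipart/form-data; boundary=----a' },
  fields: { csrf_token: SESSION_TOKEN, filename: 'orders.csv' },
};
// The post's forged cross-domain XHR-L2 upload: cookie replayed, no preflight,
// but Origin is the attacker's page and the body carries no token.
const forgedUpload = {
  method: 'POST',
  headers: { Origin: 'https://attacker.example', 'Content-Type': 'multipart/form-data; boundary=----b' },
  fields: { filename: 'orders.csv' },
};

console.log('preflight for forged upload:', requiresPreflight(forgedUpload.method, forgedUpload.headers));
console.log('legitimate:', checkUploadRequest(legitimateUpload, SESSION_TOKEN));
console.log('forged:', checkUploadRequest(forgedUpload, SESSION_TOKEN));
```

The first line printed is `false`: the forged request is exactly the kind that reaches the server with cookies and no preflight, which is why the defense has to live in the upload handler rather than in CORS. A captcha, as the post mentions, plays the same role as the token: something the forging page cannot supply.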

If you are interested in this analysis you should visit @kkotowicz's work - http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html.