Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Published byMildred Skinner Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."— Presentation transcript:

1 Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation 6 th OWASP AppSec Conference Milan - May 2007 http://www.owasp.org/ Overtaking Google Desktop Leveraging XSS into Mayhem Yair Amit Senior Security Researcher, Watchfire yaira@watchfire.com +972-9-9586077 ext 4039

2 6 th OWASP AppSec Conference – Milan – May 2007 2 Presentation Outline  Background  Google Desktop Overview  Overtaking Google Desktop – Step by Step  Impact  What harm can a malicious attacker do?  Attack characteristics  Lessons learned  Q&A

3 6 th OWASP AppSec Conference – Milan – May 2007 Background  XSS  The most widespread web-application vulnerability  WASC Web Application Security Statistics Project (http://www.webappsec.org/projects/statistics/)http://www.webappsec.org/projects/statistics/  Used to be perceived as an identity theft attack  XSS has so much more to offer. It has teeth!  Change settings and steal data from attacked victim account  Web worms (Samy)  What we are about to see…  Stealth attack  Sensitive information theft from the local computer  Command execution 3

4 6 th OWASP AppSec Conference – Milan – May 2007 Google Desktop - Overview  Purpose: provide an easily to use and powerful search capability on local and other personal content  Some traits:  Runs a local web-server for interaction (port 4664)  Google.com like interface  Uses a service to run the indexing  User interface is almost purely web  Preferences control what to index, and indexing can be broad  Office documents, media files, web history cache, chat sessions, etc.  Easily extendible  Special integration with Google.com 4

5 6 th OWASP AppSec Conference – Milan – May 2007 Google Desktop Security Mechanisms  Web server only accessible from localhost  Not available from network 5

6 6 th OWASP AppSec Conference – Milan – May 2007 Google Desktop Protection Mechanism (cont.)  The main threats are XSS and CSRF attacks  Every request (except some images) has a unique signature  Signature is generated using a strong key stored in the registry  If signature doesn’t match query, request is denied  Key is different per installation  Signatures cannot be deduced from one installation to another  A powerful protection against XSS and CSRF 6

7 6 th OWASP AppSec Conference – Milan – May 2007 Signatures Protection Strength Example 7

8 6 th OWASP AppSec Conference – Milan – May 2007 Google Desktop Vulnerability – Sticky XSS  Available through the “under” keyword  For searching under specific folders in the hard-drive or a network drive.  XSS is Sticky  Saved in the history of the “under” option  Stickiness applies to all search results  “Under” history shown on all search results (added for usability)  Stickiness requires 3 “overwrites” to be cleared  How can this vulnerability be exploited, given the protection mechanisms?  http://127.0.0.1:4664/search?q=under:XSS_PAYLOAD&fl ags=68&num=10&s=9pKHqow9s-J4YfGgBjGF75g- ZwM 8

9 6 th OWASP AppSec Conference – Milan – May 2007 Google Desktop & Google.com integration  Google Desktop interjects between browser and website, and adds content  Google Desktop search results are displayed in Google.com’s results  ‘Desktop’ link – our way in… 9

10 6 th OWASP AppSec Conference – Milan – May 2007 Google Desktop & Google.com integration: Our way in  JavaScript on site has access to modified content  Signature can be harvested  Interesting point: Google.com-originating searches all use the same signature  This cannot be turned off…  Possible in newer versions  Attacker needs control over victim’s browser in Google.com context… 10

11 6 th OWASP AppSec Conference – Milan – May 2007 Google.com XSS Vulnerability  Standard XSS  For the purpose of this demonstration, a UTF-7 XSS vulnerability on search page is used.  Can apply to any XSS on Google.com and some of its subdomains  And there are plenty of those… 11

12 6 th OWASP AppSec Conference – Milan – May 2007 Complete overtaking process  Perform Google.com XSS exploit  Through SPAM mail, talkback links, social networks worms, etc. – the usual way  Injected JavaScript will do the rest…  Harvest the key from the search results  Infect the local machine by issuing XSSed Google Desktop search query (using the acquired signature)  Hide all traces of that occurring…  The system is now fully compromised! 12

13 6 th OWASP AppSec Conference – Milan – May 2007 What harm can a malicious attacker do?  Take advantage of Google Desktop’s powerful search and indexing capabilities  Search for sensitive information  Change user preferences to index more local information  “Search Across Computers”  Hijacking information with style. ;)  Execute commands through Google Desktop  Change preferences to index network drives  Complete takeover… 13

14 6 th OWASP AppSec Conference – Milan – May 2007 Web User Interface…  Attacker controls what the victim sees!  Hide changed preferences options  Hide version  Make the user think he’s using a more current version  Auto-correction if “under” parameter is used with other values  Makes sure the JavaScript malware remains active 14

15 6 th OWASP AppSec Conference – Milan – May 2007 Attack Characteristics  Low footprint  No need for malicious binary code to be injected  The code is automatically executed by the browser when visiting legitimate Google Desktop Web pages  Easy data leakage  Hijacked information can be covertly leaked back to the attacker via seemingly innocent encoded requests to an external Web site  Almost undetectable  No mangled URL in the address bar  The attack continues to persist across sessions and across browsers 15

16 6 th OWASP AppSec Conference – Milan – May 2007 Other interesting points  Can be leveraged as CSRF platform  Internet Explorer mhtml redirection bug exploitation  http://secunia.com/Internet_Explorer_Arbitrary_Content_D isclosure_Vulnerability_Test/ http://secunia.com/Internet_Explorer_Arbitrary_Content_D isclosure_Vulnerability_Test/  Other persistent XSS exists in the “machine name” and “computer name” fields  Very useful for covering attack traces  Latest versions of Google Desktop contain a fix  XSS vulnerabilities  ‘Desktop’ link integration is now configurable  The dangers are still here 16

17 6 th OWASP AppSec Conference – Milan – May 2007 Lessons Learned  XSS is a big issue  Very common  Very dangerous  Sticky XSS is even worse  Should be taken more seriously in the development process  Applications like Google Desktop are risky  Access to sensitive information means greater risk for the user  RIA trend  Integration between web applications and desktop applications is risky  The attack took advantage of this integration in order to overcome powerful protection mechanisms  Classical functionality/security tradeoff  Antivirus vendors should find creative ways to fight JavaScript Malware 17

18 6 th OWASP AppSec Conference – Milan – May 2007 More Information  Short Overview: http://download.watchfire.com/whitepapers/Goo gle-Desktop-Short-Overview.pdf http://download.watchfire.com/whitepapers/Goo gle-Desktop-Short-Overview.pdf  White paper: http://download.watchfire.com/whitepapers/Ove rtaking-Google-Desktop.pdf http://download.watchfire.com/whitepapers/Ove rtaking-Google-Desktop.pdf  Video Demo (11 Minutes): http://download.watchfire.com/googledesktopde mo/index.htm http://download.watchfire.com/googledesktopde mo/index.htm 18

19 6 th OWASP AppSec Conference – Milan – May 2007 Thank you! 19

Download ppt "Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike."

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
UWWD In our quest to eliminate bad websites, we present…. HALLELUJAH!!

UWWD In our quest to eliminate bad websites, we present…. HALLELUJAH!!
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The Internet & The World Wide Web Notes

The Internet & The World Wide Web Notes
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Similar presentations

Ads by Google