html5 group 3: dongyang zhang, wei liu, weizhou he, yutong wei, yuxin zhu

HTML5Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.

ContentsSetup1

2 Abusing Sockets, XHR

3 About DOM

SetupDomain: attacker.comIP: 192.168.222.133OS: Windows server 2012Server: IIS 8.0

Domain: victimserver.comIP: 192.168.223.138OS: Windows server 2012Server: IIS 8.0Language: .Net C#

Ip: 192.168.223.139OS: Windows XPBrowser: Chrome

1

Abusing sockets, XHR

SOP Vulnerabilities!!

Script, IMG, Iframe bypasses1

2 DNS Rebinding

3 PostMessage Mechanism

2

Script, IMG, Iframe bypasses

3

DNS Rebinding

DNS rebinding is an exploit in which the attacker uses Javascript in a malicious Web page to gain control of the victim’s router.

4

DNS Rebinding

visit Malicious Website

Attacker’s DNS server bind attacker.com to attacker’s IP address (short TTL). 5

DNS Rebinding

Malicious script uses XMLHttpRequest

Attacker rebinds attacker.com to target’s IP address.

In fact

6

DNS Rebinding

7

DNS Rebinding

SOP Violation!

8

DNS Rebinding

9

DNS Rebinding

10

DNS Rebinding

Browser’s DNS cache

DNS request flooding

11

DNS Rebinding

Firewall Circumvention:-Access Machine behind firewalls-Interact with a number of internal services besides HTTP(direct socket access)

12

DNS Rebinding

IP Hijacking:-Access publicly available servers from client’s IP -Take advantage of the target’s implicit or explicit trust in client’s I address

13

DOM

DOM(Document Object Model)

14

DOM

We all know that:

① Reflected XSS② Stored XSSboth purely inside client-side code

15

DOM

The third kind of XSS:

DOM Based XSS

which is not depended on the malicious data send to the service at the first time

16

DOM

The API may vulnerable in DOM based XSS

17

DOM

1). document.location2). document.URL3). document.URLUnencoded4). document.referrer5). window.location

These API can visit DOM data through a designed URL, but this kind of jumped-out window is not really harmful, attacker has no idea if users never click on the URL.

18

DOM

1). document.write()2). document.writeln()3). document.boby.innerHtml4). eval()5). window.execScript()6). window.setInterval()7). window.setTimeout()

These API are mostly used in form hijacking, inject a part of XSS code while users submit the forms. This is more dangerous, most of them are used in stealing cookie.

19

EXAMPLE: document.boby.innerHtml

While running this code, xxx will take the value of “yyyyyy”

“yyyyyy” can be replaced by something else like “<img src=1>” or Unicode like “\u003cimg src=1\u003e”.

<div id="a">xxx</div>

<script>document.getElementById("a").innerHTML="yyyyyy";</script>

20


Real example: qq.com(most of you should know this right? )☺

21


URL: http://datalib.ent.qq.com/cgi-bin/search?libid=1&keyvalue=aaaaaaa&attr=133&stype=2&tname=star_second.shtml (there was some vulnerabilities, but there isn’t now, I think)

<strong id="titleshow">search_by job1: aaaaaaa </strong></div><script>if("aaaaaaa"=="")document.getElementById("titleshow").innerHTML="search_by_place: all_stars";

if("job1"=="job1")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";


if("job1"=="job3")document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";</script>

22


We know that “<“ or “>”would not be recognized, but “/”can be recongnized, So perhaps we should try Unicode!We see that if(“job1”==“job1”) is executed, so we focus on this two lines of code.





23


As we know from above, we can change “aaaaaaa” into “\u003cimg src=1 onerror=alert(1)\u003e ”





24


This is an example we learn when we try to get a better understand on DOM based XSS, we didn’t actually attack this website, and this vulnerability has been reported!

25

DOM

1). document.location2). document.URL3). document.open()4). window.location.href5). window.navigate()6). window.open

These API are mostly used in redirection attack. The perniciousness can be big or small, but this kind of perniciousness are often eaily ignored by people.

26

DOM

Differences between Standard XSS and DOM based XSS

27

DOM

28

DOM

How to find DOM based XSS

29

DOM

1). Using byte level taint tracking in chromium - precise source information for every character - patched sinks (for example document. write)

2). Chrome extension to crawl given set of web site - also act as interface between taint engine and backend

3). And an exploit generator - using precise taint information - and javascript and HTML syntax rules - to generate exploits fully automatic

30

What to do next

- Defend of DNS rebinding- PostMessage Mechanism- Make DOM based XSS DEMO- Find the ways to avoid the jeopardize

31

References1. http://www.oschina.net/translate/dom-based-xss-of-third-kind2. http://www.vulnerable.site/welcome.html3. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/stock4. http://www.2cto.com/Article/201303/194444.html5. http://www.owasp.org/documentation/topten/a4.html6. https://www.owasp.org/index.php/DOM_Based_XSS7. https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet8.http://www.owasp.org/images/c/c2/OWASPAppSec2007Milan_ProtectingWebAppsfromUniversalPDFXSS.ppt

32

Thank You ;)10/28 2014

Questions?

html5 group 3: dongyang zhang, wei liu, weizhou he, yutong wei, yuxin zhu

Documents