HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.


1 HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.

2 Contents
1. Setup
2. Abusing Sockets, XHR
3. About DOM

3 Setup
Attacker: domain attacker.com, IP 192.168.222.133, OS Windows Server 2012, server IIS 8.0
Victim server: domain victimserver.com, IP 192.168.223.138, OS Windows Server 2012, server IIS 8.0, language .NET C#
Client: IP 192.168.223.139, OS Windows XP, browser Chrome

4 Abusing sockets, XHR: SOP vulnerabilities!!
1. Script, IMG, Iframe bypasses
2. DNS Rebinding
3. PostMessage Mechanism

5 Script, IMG, Iframe bypasses

6 DNS Rebinding
DNS rebinding is an attack in which the attacker uses JavaScript in a malicious web page to gain control of the victim's router.

7 DNS Rebinding
- The victim visits the malicious website.
- The attacker's DNS server binds attacker.com to the attacker's IP address (short TTL).

8 DNS Rebinding
- The malicious script uses XMLHttpRequest.
- The attacker rebinds attacker.com to the target's IP address.
In fact

9 DNS Rebinding

10 SOP Violation!

11 DNS Rebinding

13 DNS Rebinding
- Browser's DNS cache
- DNS request flooding

14 DNS Rebinding: Firewall Circumvention
- Access machines behind firewalls
- Interact with a number of internal services besides HTTP (direct socket access)

15 DNS Rebinding: IP Hijacking
- Access publicly available servers from the client's IP
- Take advantage of the target's implicit or explicit trust in the client's IP address
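
Two defender-side checks against the rebinding flow on slides 7-15, as an added example that is not part of the original presentation. The first is the check an internal service (the victimserver.com box in the setup) can do itself: a rebinding request still carries the browser's Host header for attacker.com, so a service that only accepts its own names refuses it. The second is a resolver-side filter in the spirit of "stop DNS rebind" options: answers for outside names that point into private, loopback or link-local ranges are dropped. All function names and the 400 status choice are this example's own assumptions; the IPs are the ones from the setup slide.

```javascript
// Added example (not from the slides): two checks that break DNS rebinding.

// Parses dotted-quad IPv4 text into four octets, or null if malformed.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True when the address lies in a range an external hostname should never resolve to.
function isInternalIPv4(ip) {
  const o = parseIPv4(ip);
  if (!o) return false;
  return o[0] === 10
    || (o[0] === 172 && o[1] >= 16 && o[1] <= 31)
    || (o[0] === 192 && o[1] === 168)
    || o[0] === 127
    || (o[0] === 169 && o[1] === 254)
    || o[0] === 0;
}

// Resolver-side filter: keep only well-formed answers that do not point inside the
// network. An empty result means the lookup for that name should fail.
function filterRebindingAnswers(answers) {
  return answers.filter((ip) => parseIPv4(ip) !== null && !isInternalIPv4(ip));
}

// Server-side check: the Host header must be one of the names this service is known by.
// A port suffix and IPv6 brackets are stripped first; comparison is case-insensitive.
function hostHeaderAllowed(hostHeader, allowedHosts) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  let host = hostHeader.trim().toLowerCase();
  if (host.startsWith('[')) {
    const end = host.indexOf(']');
    if (end < 0) return false;
    host = host.slice(1, end);
  } else {
    const colon = host.indexOf(':');
    if (colon >= 0) host = host.slice(0, colon);
  }
  return allowedHosts.map((h) => h.toLowerCase()).includes(host);
}

// Request guard in the shape of a Node http handler (constructed usage, not the IIS
// setup from the slides): reject before any application code sees the request.
function makeHostGuard(allowedHosts, next) {
  return (req, res) => {
    if (!hostHeaderAllowed(req.headers.host, allowedHosts)) {
      res.statusCode = 400;
      res.end('Host header not recognized');
      return;
    }
    next(req, res);
  };
}
```

Pass the guard to http.createServer in place of the plain handler; the allow list is the service's own hostnames and, if clients address it by IP, that IP. The resolver filter belongs in the recursive resolver that internal browsers use, not in the web application.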

16 DOM (Document Object Model)

17 DOM
We all know that:
① Reflected XSS
② Stored XSS
both purely inside client-side code

18 DOM
The third kind of XSS: DOM-based XSS, which does not depend on malicious data being sent to the server in the first place.

19 DOM
APIs that may be vulnerable to DOM-based XSS

20 DOM
1). document.location
2). document.URL
3). document.URLUnencoded
4). document.referrer
5). window.location
These APIs can read DOM data from a crafted URL, but a pop-up window of this kind is not really harmful by itself: the attacker gets nothing if users never click on the URL.

21 DOM
1). document.write()
2). document.writeln()
3). document.body.innerHTML
4). eval()
5). window.execScript()
6). window.setInterval()
7). window.setTimeout()
These APIs are mostly used in form hijacking: a piece of XSS code is injected while users submit the forms. This is more dangerous; most of them are used for stealing cookies.

22 EXAMPLE: document.body.innerHTML
While running this code, xxx will take the value of "yyyyyy". "yyyyyy" can be replaced by something else like " " or Unicode like "\u003cimg src=1\u003e".
xxx
document.getElementById("a").innerHTML="yyyyyy";

23 EXAMPLE: document.body.innerHTML
Real example: qq.com (most of you should know this, right? ☺)

24 EXAMPLE: document.body.innerHTML
URL: http://datalib.ent.qq.com/cgi-bin/search?libid=1&keyvalue=aaaaaaa&attr=133&stype=2&tname=star_second.shtml
(there were some vulnerabilities, but there aren't now, I think)
search_by job1: aaaaaaa
if("aaaaaaa"=="") document.getElementById("titleshow").innerHTML="search_by_place: all_stars";
if("job1"=="job1") document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";
if("job1"=="job2") document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";
if("job1"=="job3") document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";

25 EXAMPLE: document.body.innerHTML
We know that " " would not be recognized, but "/" can be recognized, so perhaps we should try Unicode! We see that if("job1"=="job1") is executed, so we focus on these two lines of code.
if("job1"=="job1")
    document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";

26 EXAMPLE: document.body.innerHTML
As we know from the above, we can change "aaaaaaa" into "\u003cimg src=1 onerror=alert(1)\u003e".

27 EXAMPLE: document.body.innerHTML
This is an example we learned while trying to get a better understanding of DOM-based XSS; we didn't actually attack this website, and this vulnerability has been reported!
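
Why the Unicode escape on slides 22-26 gets past a filter, and what the fix looks like, as an added example that is not code from the presentation or from qq.com. The server pattern on slide 24 interpolates the keyvalue parameter into a JavaScript string literal that is later assigned to innerHTML (one of the sinks listed on slide 21). A filter that strips literal angle brackets sees the six characters \u003c, not a '<'; the browser's JavaScript parser then decodes the escape, and innerHTML parses the result as HTML. The hardened version encodes the value for the string-literal context and writes it with textContent, which never parses HTML. The page's DOM is replaced by a small stand-in so the generated script can be executed offline; all names here are this example's own.

```javascript
// Added example (not from the slides): the innerHTML sink reached through a JS string
// literal, the escape that defeats a bracket-stripping filter, and one way to fix it.

// Minimal stand-in for document.getElementById(...) (constructed harness, not real DOM).
function makeFakeDocument() {
  const el = { innerHTML: '', textContent: '' };
  return { el, document: { getElementById: () => el } };
}

// Executes a generated inline script the way a browser would and returns the element
// the script wrote to. new Function is used only to emulate the browser's JS parser.
function runInlineScript(script) {
  const { el, document } = makeFakeDocument();
  new Function('document', script)(document);
  return el;
}

// VULNERABLE pattern from slide 24: the parameter is spliced into a string literal and
// assigned to innerHTML. Stripping '<' and '>' does not help, because "\u003c" is decoded
// to '<' by the JS parser before innerHTML ever sees the string.
function renderVulnerable(keyvalue) {
  const filtered = keyvalue.replace(/[<>]/g, '');
  return 'document.getElementById("titleshow").innerHTML="search_by_job: ' + filtered + '";';
}

// HARDENED pattern: (1) JSON.stringify produces a valid JS string literal (backslashes and
// quotes escaped, so "\u003c" stays six literal characters); extra escapes stop the value
// from closing the <script> block; (2) textContent assigns text, never HTML.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(keyvalue) {
  return 'document.getElementById("titleshow").textContent="search_by_job: "+' +
    jsStringLiteral(keyvalue) + ';';
}

// Constructed input: the escaped value from slide 26 as it arrives in the query string,
// i.e. a backslash followed by u003c, not a real '<'.
const SAMPLE = '\\u003cimg src=1 onerror=alert(1)\\u003e';

function demo() {
  const vulnerable = runInlineScript(renderVulnerable(SAMPLE));
  const hardened = runInlineScript(renderHardened(SAMPLE));
  return {
    vulnerableInnerHTML: vulnerable.innerHTML, // decoded to real markup
    hardenedText: hardened.textContent,        // the escape sequence stays literal text
    hardenedInnerHTML: hardened.innerHTML,     // '' : the HTML sink was never touched
  };
}
```

The same input against renderVulnerable with a literal <img src=1> shows why the bracket filter looks like it works: the tags are removed, which is exactly the false confidence the Unicode form exploits. Context-aware encoding for the JavaScript string plus a non-HTML sink closes both cases at once.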

28 DOM
1). document.location
2). document.URL
3). document.open()
4). window.location.href
5). window.navigate()
6). window.open()
These APIs are mostly used in redirection attacks. The harm can be big or small, but this kind of harm is often easily ignored by people.
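
The check a page should run before handing a value to one of the navigation sinks above (window.location.href, document.location), as an added example that is not part of the original presentation. It uses the WHATWG URL parser built into browsers and Node: anything that is not http(s) on the current origin is replaced by a fallback, which in one comparison rejects protocol-relative targets like //attacker.com, javascript: and data: URLs (whose origin is the string 'null'), and unparsable input. The function names and the "next" parameter name are this example's own assumptions.

```javascript
// Added example (not from the slides): validating a redirect target before it reaches
// a navigation sink.

// Returns a same-origin path to navigate to, or the fallback when the candidate would
// leave the site, use a non-http(s) scheme, or fail to parse.
function safeRedirectTarget(candidate, currentOrigin, fallback = '/') {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;
  let url;
  try {
    url = new URL(candidate, currentOrigin); // relative paths resolve against our origin
  } catch {
    return fallback;                         // unparsable input
  }
  // 'javascript:' and 'data:' URLs have origin 'null'; '//attacker.com' resolves to a
  // foreign origin; a different port is a different origin too. One comparison covers all.
  if (url.origin !== currentOrigin) return fallback;
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  return url.pathname + url.search + url.hash;
}

// Client-side usage (constructed): read ?next=... and return only the validated value,
// which is then the sole thing ever assigned to window.location.href.
function redirectFromQuery(search, currentOrigin) {
  const next = new URLSearchParams(search).get('next');
  return safeRedirectTarget(next, currentOrigin);
}
```

In a browser currentOrigin is window.location.origin; the returned path is what gets assigned to the sink, never the raw parameter.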

29 DOM
Differences between standard XSS and DOM-based XSS

30 DOM

31 DOM
How to find DOM-based XSS

32 DOM
1). Using byte-level taint tracking in Chromium
- precise source information for every character
- patched sinks (for example document.write)
2). A Chrome extension to crawl a given set of web sites
- also acts as the interface between the taint engine and the backend
3). And an exploit generator
- using the precise taint information
- and JavaScript and HTML syntax rules
- to generate exploits fully automatically
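
A toy model of the byte-level taint tracking described on slide 32, as an added example that is not code from the presentation or from the Chromium-based tool it refers to. Each character carries a flag saying whether it came from an attacker-controlled source; concatenation and slicing propagate the flags; a "patched sink" reports exactly which byte ranges of its argument were tainted and whether any tainted byte is an HTML syntax character. The class and function names, and the rule used to flag a finding, are this example's own simplifications of what a real engine does.

```javascript
// Added example (not from the slides): per-character taint propagation and a patched sink.

class TaintedString {
  constructor(chars, taint) {
    this.chars = chars; // the actual text
    this.taint = taint; // one boolean per character, same length
  }
  static fromSource(text) { // e.g. location.search: fully attacker-controlled
    return new TaintedString(text, Array(text.length).fill(true));
  }
  static literal(text) { // program constants: untainted
    return new TaintedString(text, Array(text.length).fill(false));
  }
  concat(other) {
    return new TaintedString(this.chars + other.chars, this.taint.concat(other.taint));
  }
  slice(start, end) {
    return new TaintedString(this.chars.slice(start, end), this.taint.slice(start, end));
  }
  // Contiguous tainted ranges as [start, end) pairs: the "precise source information".
  taintedRanges() {
    const ranges = [];
    let start = -1;
    for (let i = 0; i <= this.taint.length; i++) {
      const t = i < this.taint.length && this.taint[i];
      if (t && start < 0) start = i;
      if (!t && start >= 0) { ranges.push([start, i]); start = -1; }
    }
    return ranges;
  }
}

// A patched sink: instead of writing to the DOM it records the sink name and which bytes
// came from a source. The flag rule is deliberately simple: any tainted byte that is an
// HTML syntax character. A real engine would use full HTML/JS syntax rules here.
function checkSink(sinkName, value) {
  const ranges = value.taintedRanges();
  const syntaxChars = [];
  for (let i = 0; i < value.chars.length; i++) {
    if (value.taint[i] && '<>"\'&'.includes(value.chars[i])) syntaxChars.push(i);
  }
  return { sink: sinkName, ranges, syntaxChars, flagged: syntaxChars.length > 0 };
}

// Walkthrough mirroring slide 26: a constructed keyvalue parameter, already decoded the
// way the JS parser would decode it, flows through string building into innerHTML.
function demoTaint(keyvalue) {
  const source = TaintedString.fromSource(keyvalue);
  const built = TaintedString.literal('search_by_job: ').concat(source);
  return checkSink('innerHTML', built);
}
```

With the benign value aaaaaaa the sink still sees tainted bytes 15..22, but none of them is syntax, so nothing is flagged; with a value containing a tag the same positions include '<' and '>' and the finding is reported with exact offsets, which is the information an exploit generator or a triage engineer needs.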

33 What to do next
- Defense against DNS rebinding
- PostMessage mechanism
- Make a DOM-based XSS demo
- Find ways to avoid the danger


35 Thank You ;) 10/28/2014

36 Questions?

