Cyber Security Alliance, profile picture
Uploaded byCyber Security Alliance
PPTX, PDF1,411 views

Warning Ahead: SecurityStorms are Brewing in Your JavaScript

The document discusses security vulnerabilities in JavaScript, particularly focusing on the implications of HTML5 features like sandboxing and the risks associated with cross-site scripting (XSS). It details specific attack methods, such as 'monster XSS,' that exploit these vulnerabilities to capture user data, and emphasizes the importance of securing client-side applications. Recommendations provided include avoiding unnecessary permissions in iframes and maintaining vigilance against XSS attacks.

Downloaded 15 times
Warning Ahead: Security Storms are Brewing in Your JavaScript
About Me Helen Bravo Product Manager of Checkmarx Static Application Security Testing (AKA – Source Code Analysis)
Agenda • Broken sandbox • Same old XSS becomes a monster • Watch out for your client side • “I know where you were last summer”
HTML5 is booming Report released in August 2013 has shown that 153 of the Fortune 500 U.S. companies already implemented HTML5 on their corporate websites.
Some of the additions in HTML5 • WEB storage • WEB SQL database • Indexed DB • Application cache • Web workers • Web socket • CORS • Web messaging • Sandbox attribute • New HTTP headers • Server sent events • New and better semantic tags • New form types • Audio and video tags • Canvas • Inline SVG • New onevent attributes • Geolocation • New CSS selectors • New javascipt selectors • Custom data - attributes
The Sandbox Attribute
SOP Same Origin Policy permits scripts running on pages originating from the same site based on combination of scheme, hostname, and port number
Same Origin Policy http://www.cnn.com/main main page “Change background to green” http://www.cnn.com/story1 Iframe same origin
Same Origin Policy http://www.cnn.com/main main page “Change background to green” http://www.fox.com Iframe different origin
Markets • Recent trend - markets of extensions Salesforce.com, Microsoft 365, etc… • Extension is Javascript code written by a 3rd party but hosted and delivered from the very same server • So SOP doesn’t play well
Sandbox concept Sandbox concept? Sandbox is a hardening of the basic SOP – so that any content running in the sandboxed iframe is treated as if it comes from a different origin, and it gives fine-grained control over what restrictions apply.
Sandbox syntax • Syntax <iframe sandbox="value"> Valu•e Attribute Values Description "" Applies all restrictions below allow-same-origin Allows the iframe content to be treated as being from the same origin as the containing document allow-top-navigation Allows the iframe content to navigate (load) content from the containing document allow-forms Allows form submission allow-scripts Allows script execution
http://www.server.com http://www.server.com/iframe main page <script> alert(1) </script> 1 Iframe / same origin
http://www.server.com http://www.server.com/iframe main page <script> alert(1) </script> Sandboxed Iframe Default permissions Same Origin
http://www.server.com http://www.server.com/iframe main page <script> alert(1) </script> 1 Sandboxed Iframe Allowing Scripts and SOP(Same Origin)
http://www.server.com http://www.server.com/iframe main page <script> top.navigate(…) </script> Sandboxed Iframe Allowing Scripts and SOP(Same Origin)
http://www.server.com http://www.server.com/iframe main page <script> top.find(myself) addPermission(myself, top_nav) Refresh() navigate(…) </script> Sandboxed Iframe Allowing Scripts and SOP(Same Origin) And Top Navigation
http://www.hacker.server.com http://www.server.com/iframe main page <script> top.find(myself) addPermission(myself, top_nav) Refresh() Navigate(http://www.hacker.com) </script> Sandboxed Iframe Allowing Scripts and SOP(Same Origin) And Top Navigation
Don’t just count on Sandbox! Don’t assume that just because an iFrame is sandboxed, your code is secure. What can you do? Avoid granting a sandboxed iFrame with scripting and SOP capabilities.
How a single XSSed page can be used to take screenshots of other non-XSSed page ?
<canvas> Is the HTML5 element , used to draw graphics, on the fly, via scripting (usually JavaScript).
Monster XSS – Attack Steps • Step A – Use Bookstore project Login page vulnerable to Reflected XSS to embed itself in an iframe http://server/page.aspx?xss=<iframe src=“http://server/page.aspx”> Iframe border (left visible for demo purposes)
Monster XSS – Attack steps • Step B – The user logs in and browses the inside frame. The outer page remains the same while it’s scripts can access the inner’s data Iframe border (left visible for demo purposes) The user went to the admin page, but the URL is still the XSS’ed login page
Monster XSS – The result • The attacker gets set of pictures representing all user activity( yes, including user name and password!)
Monster XSS – The technique • HTML5 introduced the concept of Canvas, which can be used to take screenshots What is Canvas? (w3schools) The HTML5 <canvas> element is used to draw graphics, on the fly, via scripting (usually JavaScript).
Monster XSS – The technique • Html2canvas - open-source script which builds screenshots based on DOM information. • We modify it a bit – to reveal passwords
Monster XSS – The technique Modified HTML2Canvas runs at the outer page and every 2 seconds takes screenshots of the iframe XSS that takes base64 screenshots
Monster XSS – The technique
Monster XSS – bottom line So, what can you do ? Get rid of XSS!!!
WebSockets
Web Socket WebSocket – allows persistent connection between the client and the server , when both parties can start sending data at any time.
Super-charged XSS http://www.andlabs.org/tools/jsrecon.html
New Tricks, Old Dog • XSS can be used as an agent to map the structure of a network behind a firewall • Super-charged XSS – Advanced port scanning (WebSockets) • http://www.andlabs.org/tools/jsrecon.html
• Websocket – Fast and efficient network mapping process – Firewall bypass into organization
Client-Side Business Logic
Pacman - winning the odds • Client site business logic helps to gain efficiency. • Efficiency brings along security costs
Packman Demo
Pacman – recommendations • Don’t trust the client: validate user input • Do not ever store business logic on the client
GeoLocation
A Variant of Clickjacking How to trick victims into turning on their PC cameras without them even realizing?
A Variant of Clickjaking Demo http://localhost/bookstore/k2.html
A Variant of Clickjaking Against attacks focused on social engineering There is only one solution Awareness
Summary • HTML5 brings enhancements to Web development • …which comes with some great enhancements to security vulnerabilities
Thank you! Helen Bravo helen.bravo@checkmarx.com

More Related Content

PDF
[OWASP Poland Day] Web App Security Architectures
byOWASP
 
PDF
An easy way into your sap systems v3.0
byCyber Security Alliance
 
PPTX
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
byBlueHat Security Conference
 
PDF
Web Application Security with PHP
byjikbal
 
PPTX
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
byImperva Incapsula
 
PPTX
Ten Commandments of Secure Coding
byMateusz Olejarka
 
PDF
Corporations - the new victims of targeted ransomware
byCyber Security Alliance
 
PDF
iOS malware: what's the risk and how to reduce it
byCyber Security Alliance
 
[OWASP Poland Day] Web App Security Architectures
byOWASP
 
An easy way into your sap systems v3.0
byCyber Security Alliance
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
byBlueHat Security Conference
 
Web Application Security with PHP
byjikbal
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
byImperva Incapsula
 
Ten Commandments of Secure Coding
byMateusz Olejarka
 
Corporations - the new victims of targeted ransomware
byCyber Security Alliance
 
iOS malware: what's the risk and how to reduce it
byCyber Security Alliance
 

What's hot

PPTX
[Wroclaw #2] Web Application Security Headers
byOWASP
 
PDF
Building a low cost hack lab
byJoe McCray
 
PDF
Web security for developers
bySunny Neo
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
bydrewz lin
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
PDF
Secure Coding for Java - An Introduction
bySebastien Gioria
 
PPTX
External to DA, the OS X Way
byStephan Borosh
 
PPTX
Wireless Pentesting: It's more than cracking WEP
byJoe McCray
 
PPTX
Security War Games
bySeniorStoryteller
 
PPTX
You Spent All That Money And Still Got Owned
byJoe McCray
 
PPTX
[OWASP Poland Day] Application frameworks' vulnerabilities
byOWASP
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
PPTX
Rugged DevOps at Scale with Rich Mogull
bySeniorStoryteller
 
PDF
Is code review the solution?
byTiago Mendo
 
PDF
The Web Application Hackers Toolchain
byjasonhaddix
 
PPTX
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
byJakub Kałużny
 
PPTX
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
byBlueHat Security Conference
 
PPT
L27
byNathannyabvureMapisa
 
PDF
Advanced SQL Injection Attack & Defenses
byTiago Mendo
 
[Wroclaw #2] Web Application Security Headers
byOWASP
 
Building a low cost hack lab
byJoe McCray
 
Web security for developers
bySunny Neo
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Owasp advanced mobile-application-code-review-techniques-v0.2
bydrewz lin
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
Secure Coding for Java - An Introduction
bySebastien Gioria
 
External to DA, the OS X Way
byStephan Borosh
 
Wireless Pentesting: It's more than cracking WEP
byJoe McCray
 
Security War Games
bySeniorStoryteller
 
You Spent All That Money And Still Got Owned
byJoe McCray
 
[OWASP Poland Day] Application frameworks' vulnerabilities
byOWASP
 
Web security-–-everything-we-know-is-wrong-eoin-keary
bydrewz lin
 
Rugged DevOps at Scale with Rich Mogull
bySeniorStoryteller
 
Is code review the solution?
byTiago Mendo
 
The Web Application Hackers Toolchain
byjasonhaddix
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
byJakub Kałużny
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
byBlueHat Security Conference
 
L27
byNathannyabvureMapisa
 
Advanced SQL Injection Attack & Defenses
byTiago Mendo
 

Viewers also liked

PPTX
8b/10b Encoder Decoder design and Verification for PCI Express protocol usin...
byT. Rajib Subudhi
 
PDF
L'elefante incatenato
byHR&O Consulting
 
PPTX
Profilaxis de trombosis venosa profunda en cirugía meniscal:¿cunado y como?
byMarcelo Sandoval Mora
 
PPT
Social Media for B2B Companies - Updated, 2012
bySarah Sturtevant / Integrated Website Solutions Inc.
 
PPSX
Social Media for Book Publishers and Authors
byHikeBandit
 
PPTX
8/28 數位教學檔案製作
byJin-yuh Huang
 
PPTX
Bubba's birthday 2013
byQuality Logo Products
 
PPTX
Typography Inspiration from Movie Title Cards
byQuality Logo Products
 
PPTX
Data & Energie
byClaire Foulquier-Gazagnes
 
PPTX
Building trust for cloud customers - the value of cif certification
byDavid Terrar
 
PDF
How to leverage paid social media advertising to achieve enrollment goals by ...
byjwalovitch
 
PPTX
Social Media for B2B Small Business
byInfusionsoft
 
PDF
373
byMourad Karoudi
 
PPT
Historypin_DigiTools_Map_App
byCaroline Welling Van Deusen
 
PDF
8717385 d karotte_190g
byFarmacia Internacional
 
PPTX
Recrutement 2.0
byGabriel Bergevin-Estable
 
PDF
8b5
bysilvia_lfr
 
PDF
Social Media for Awareness and Influence
byDavid Horne
 
PDF
1° básico b semana 16 al 20 de mayo
byColegio Camilo Henríquez
 
DOCX
Mafer cuadros (1)
byJONATHAN Apellidos
 
8b/10b Encoder Decoder design and Verification for PCI Express protocol usin...
byT. Rajib Subudhi
 
L'elefante incatenato
byHR&O Consulting
 
Profilaxis de trombosis venosa profunda en cirugía meniscal:¿cunado y como?
byMarcelo Sandoval Mora
 
Social Media for B2B Companies - Updated, 2012
bySarah Sturtevant / Integrated Website Solutions Inc.
 
Social Media for Book Publishers and Authors
byHikeBandit
 
8/28 數位教學檔案製作
byJin-yuh Huang
 
Bubba's birthday 2013
byQuality Logo Products
 
Typography Inspiration from Movie Title Cards
byQuality Logo Products
 
Data & Energie
byClaire Foulquier-Gazagnes
 
Building trust for cloud customers - the value of cif certification
byDavid Terrar
 
How to leverage paid social media advertising to achieve enrollment goals by ...
byjwalovitch
 
Social Media for B2B Small Business
byInfusionsoft
 
373
byMourad Karoudi
 
Historypin_DigiTools_Map_App
byCaroline Welling Van Deusen
 
8717385 d karotte_190g
byFarmacia Internacional
 
Recrutement 2.0
byGabriel Bergevin-Estable
 
8b5
bysilvia_lfr
 
Social Media for Awareness and Influence
byDavid Horne
 
1° básico b semana 16 al 20 de mayo
byColegio Camilo Henríquez
 
Mafer cuadros (1)
byJONATHAN Apellidos
 

Similar to Warning Ahead: SecurityStorms are Brewing in Your JavaScript

PPT
HTML5 hacking
byBlueinfy Solutions
 
PPT
(In)Security Implication in the JS Universe
byStefano Di Paola
 
PPTX
Browser Security ppt.pptx
byAjaySahre
 
PDF
Secure java script-for-developers
byn|u - The Open Security Community
 
PDF
XCS110_All_Slides.pdf
byssuser01066a
 
PDF
Html5: something wicked this way comes - HackPra
byKrzysztof Kotowicz
 
DOC
Same Origin Policy Weaknesses
bykuza55
 
PPTX
Everybody loves html5,h4ck3rs too
byNahidul Kibria
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PPTX
Html5 security
byKrishna T
 
PDF
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
 
PDF
Rich Web App Security - Keeping your application safe
byJeremiah Grossman
 
PPTX
Cos 432 web_security
byMichael Freyberger
 
PDF
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
PDF
Appsec XSS Case Study
byMohamed Ridha CHEBBI, CISSP
 
PPT
Same Origin Policy Weaknesses
bykuza55
 
PPT
Html5
bySatish Govindappa
 
PDF
Web Vulnerabilities And Exploitation - Compromising The Web
byZero Science Lab
 
PPTX
Secure webbrowsing 1
byUT, San Antonio
 
HTML5 hacking
byBlueinfy Solutions
 
(In)Security Implication in the JS Universe
byStefano Di Paola
 
Browser Security ppt.pptx
byAjaySahre
 
Secure java script-for-developers
byn|u - The Open Security Community
 
XCS110_All_Slides.pdf
byssuser01066a
 
Html5: something wicked this way comes - HackPra
byKrzysztof Kotowicz
 
Same Origin Policy Weaknesses
bykuza55
 
Everybody loves html5,h4ck3rs too
byNahidul Kibria
 
W3 conf hill-html5-security-realities
byBrad Hill
 
W3 conf hill-html5-security-realities
byBrad Hill
 
Html5 security
byKrishna T
 
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
 
Rich Web App Security - Keeping your application safe
byJeremiah Grossman
 
Cos 432 web_security
byMichael Freyberger
 
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
Appsec XSS Case Study
byMohamed Ridha CHEBBI, CISSP
 
Same Origin Policy Weaknesses
bykuza55
 
Html5
bySatish Govindappa
 
Web Vulnerabilities And Exploitation - Compromising The Web
byZero Science Lab
 
Secure webbrowsing 1
byUT, San Antonio
 

More from Cyber Security Alliance

PDF
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
byCyber Security Alliance
 
PDF
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
byCyber Security Alliance
 
PDF
Reverse engineering Swisscom's Centro Grande Modem
byCyber Security Alliance
 
PDF
Hacking the swisscom modem
byCyber Security Alliance
 
PDF
Easy public-private-keys-strong-authentication-using-u2 f
byCyber Security Alliance
 
PDF
Rump : iOS patch diffing
byCyber Security Alliance
 
PDF
Blockchain for Beginners
byCyber Security Alliance
 
PDF
Le pentest pour les nuls #cybsec16
byCyber Security Alliance
 
PDF
Understanding the fundamentals of attacks
byCyber Security Alliance
 
PDF
Bug Bounty @ Swisscom
byCyber Security Alliance
 
PDF
Killing any security product … using a Mimikatz undocumented feature
byCyber Security Alliance
 
PDF
Offline bruteforce attack on wi fi protected setup
byCyber Security Alliance
 
PDF
Asfws2014 tproxy
byCyber Security Alliance
 
PDF
Operation emmental appsec
byCyber Security Alliance
 
PDF
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
byCyber Security Alliance
 
PDF
Colt sp sec2014_appsec-nf-vfinal
byCyber Security Alliance
 
PDF
Why huntung IoC fails at protecting against targeted attacks
byCyber Security Alliance
 
PDF
Introducing Man in the Contacts attack to trick encrypted messaging apps
byCyber Security Alliance
 
PDF
Robots are among us, but who takes responsibility?
byCyber Security Alliance
 
PDF
Rump attaque usb_caralinda_fabrice
byCyber Security Alliance
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
byCyber Security Alliance
 
Create a-strong-two-factors-authentication-device-for-less-than-chf-100
byCyber Security Alliance
 
Reverse engineering Swisscom's Centro Grande Modem
byCyber Security Alliance
 
Hacking the swisscom modem
byCyber Security Alliance
 
Easy public-private-keys-strong-authentication-using-u2 f
byCyber Security Alliance
 
Rump : iOS patch diffing
byCyber Security Alliance
 
Blockchain for Beginners
byCyber Security Alliance
 
Le pentest pour les nuls #cybsec16
byCyber Security Alliance
 
Understanding the fundamentals of attacks
byCyber Security Alliance
 
Bug Bounty @ Swisscom
byCyber Security Alliance
 
Killing any security product … using a Mimikatz undocumented feature
byCyber Security Alliance
 
Offline bruteforce attack on wi fi protected setup
byCyber Security Alliance
 
Asfws2014 tproxy
byCyber Security Alliance
 
Operation emmental appsec
byCyber Security Alliance
 
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
byCyber Security Alliance
 
Colt sp sec2014_appsec-nf-vfinal
byCyber Security Alliance
 
Why huntung IoC fails at protecting against targeted attacks
byCyber Security Alliance
 
Introducing Man in the Contacts attack to trick encrypted messaging apps
byCyber Security Alliance
 
Robots are among us, but who takes responsibility?
byCyber Security Alliance
 
Rump attaque usb_caralinda_fabrice
byCyber Security Alliance
 

Recently uploaded

PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
PDF
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
PDF
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
PDF
Save administrator time with the automated remediation capabilities of Red Ha...
byPrincipled Technologies
 
PDF
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
PPTX
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
WebXR in Android and Linux with OpenXR
byIgalia
 
MathML Core in WebKit
byIgalia
 
Session 4 - Agentic Testing with UiPath Agents
byDianaGray10
 
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
Save administrator time with the automated remediation capabilities of Red Ha...
byPrincipled Technologies
 
AWS re:Invent 2025 Event Presentation Slides
byZilliz
 
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 

Warning Ahead: SecurityStorms are Brewing in Your JavaScript

  • 1.
    Warning Ahead: SecurityStorms are Brewing in Your JavaScript
  • 2.
    About Me HelenBravo Product Manager of Checkmarx Static Application Security Testing (AKA – Source Code Analysis)
  • 3.
    Agenda • Brokensandbox • Same old XSS becomes a monster • Watch out for your client side • “I know where you were last summer”
  • 4.
    HTML5 is booming Report released in August 2013 has shown that 153 of the Fortune 500 U.S. companies already implemented HTML5 on their corporate websites.
  • 5.
    Some of theadditions in HTML5 • WEB storage • WEB SQL database • Indexed DB • Application cache • Web workers • Web socket • CORS • Web messaging • Sandbox attribute • New HTTP headers • Server sent events • New and better semantic tags • New form types • Audio and video tags • Canvas • Inline SVG • New onevent attributes • Geolocation • New CSS selectors • New javascipt selectors • Custom data - attributes
  • 6.
  • 7.
    SOP Same OriginPolicy permits scripts running on pages originating from the same site based on combination of scheme, hostname, and port number
  • 8.
    Same Origin Policy http://www.cnn.com/main main page “Change background to green” http://www.cnn.com/story1 Iframe same origin
  • 9.
    Same Origin Policy http://www.cnn.com/main main page “Change background to green” http://www.fox.com Iframe different origin
  • 10.
    Markets • Recenttrend - markets of extensions Salesforce.com, Microsoft 365, etc… • Extension is Javascript code written by a 3rd party but hosted and delivered from the very same server • So SOP doesn’t play well
  • 11.
    Sandbox concept Sandboxconcept? Sandbox is a hardening of the basic SOP – so that any content running in the sandboxed iframe is treated as if it comes from a different origin, and it gives fine-grained control over what restrictions apply.
  • 12.
    Sandbox syntax •Syntax <iframe sandbox="value"> Valu•e Attribute Values Description "" Applies all restrictions below allow-same-origin Allows the iframe content to be treated as being from the same origin as the containing document allow-top-navigation Allows the iframe content to navigate (load) content from the containing document allow-forms Allows form submission allow-scripts Allows script execution
  • 13.
    http://www.server.com http://www.server.com/iframe mainpage <script> alert(1) </script> 1 Iframe / same origin
  • 14.
    http://www.server.com http://www.server.com/iframe mainpage <script> alert(1) </script> Sandboxed Iframe Default permissions Same Origin
  • 15.
    http://www.server.com http://www.server.com/iframe mainpage <script> alert(1) </script> 1 Sandboxed Iframe Allowing Scripts and SOP(Same Origin)
  • 16.
    http://www.server.com http://www.server.com/iframe mainpage <script> top.navigate(…) </script> Sandboxed Iframe Allowing Scripts and SOP(Same Origin)
  • 17.
    http://www.server.com http://www.server.com/iframe mainpage <script> top.find(myself) addPermission(myself, top_nav) Refresh() navigate(…) </script> Sandboxed Iframe Allowing Scripts and SOP(Same Origin) And Top Navigation
  • 18.
    http://www.hacker.server.com http://www.server.com/iframe mainpage <script> top.find(myself) addPermission(myself, top_nav) Refresh() Navigate(http://www.hacker.com) </script> Sandboxed Iframe Allowing Scripts and SOP(Same Origin) And Top Navigation
  • 19.
    Don’t just counton Sandbox! Don’t assume that just because an iFrame is sandboxed, your code is secure. What can you do? Avoid granting a sandboxed iFrame with scripting and SOP capabilities.
  • 20.
    How a singleXSSed page can be used to take screenshots of other non-XSSed page ?
  • 21.
    <canvas> Is theHTML5 element , used to draw graphics, on the fly, via scripting (usually JavaScript).
  • 22.
    Monster XSS –Attack Steps • Step A – Use Bookstore project Login page vulnerable to Reflected XSS to embed itself in an iframe http://server/page.aspx?xss=<iframe src=“http://server/page.aspx”> Iframe border (left visible for demo purposes)
  • 23.
    Monster XSS –Attack steps • Step B – The user logs in and browses the inside frame. The outer page remains the same while it’s scripts can access the inner’s data Iframe border (left visible for demo purposes) The user went to the admin page, but the URL is still the XSS’ed login page
  • 24.
    Monster XSS –The result • The attacker gets set of pictures representing all user activity( yes, including user name and password!)
  • 25.
    Monster XSS –The technique • HTML5 introduced the concept of Canvas, which can be used to take screenshots What is Canvas? (w3schools) The HTML5 <canvas> element is used to draw graphics, on the fly, via scripting (usually JavaScript).
  • 26.
    Monster XSS –The technique • Html2canvas - open-source script which builds screenshots based on DOM information. • We modify it a bit – to reveal passwords
  • 27.
    Monster XSS –The technique Modified HTML2Canvas runs at the outer page and every 2 seconds takes screenshots of the iframe XSS that takes base64 screenshots
  • 28.
    Monster XSS –The technique
  • 29.
    Monster XSS –bottom line So, what can you do ? Get rid of XSS!!!
  • 30.
  • 31.
    Web Socket WebSocket– allows persistent connection between the client and the server , when both parties can start sending data at any time.
  • 32.
  • 33.
    New Tricks, OldDog • XSS can be used as an agent to map the structure of a network behind a firewall • Super-charged XSS – Advanced port scanning (WebSockets) • http://www.andlabs.org/tools/jsrecon.html
  • 34.
    • Websocket –Fast and efficient network mapping process – Firewall bypass into organization
  • 35.
  • 36.
    Pacman - winningthe odds • Client site business logic helps to gain efficiency. • Efficiency brings along security costs
  • 37.
  • 38.
    Pacman – recommendations • Don’t trust the client: validate user input • Do not ever store business logic on the client
  • 39.
  • 40.
    A Variant ofClickjacking How to trick victims into turning on their PC cameras without them even realizing?
  • 41.
    A Variant ofClickjaking Demo http://localhost/bookstore/k2.html
  • 42.
    A Variant ofClickjaking Against attacks focused on social engineering There is only one solution Awareness
  • 43.
    Summary • HTML5brings enhancements to Web development • …which comes with some great enhancements to security vulnerabilities
  • 44.
    Thank you! HelenBravo helen.bravo@checkmarx.com

Editor's Notes

  • #3 Since we have visibility to a lot of customers data, and a lot of problems in JavaScript. And I am here to share it with you.
  • #4 exacerbate
  • #6 Explain each attribute concept
  • #11 Additional reason for sand box invention
  • #13 Let’s take a look at the granularity and what types of activities sandbox enables. Let’s look at the values, what it allows us. Even if you know it well let’s review it for the quize you are going to have at the end.
  • #19 Fix animation Punchline: And with that we have defeded the whole concept of sandbox
  • #27 s