Showing posts with label Upload. Show all posts

File System API with HTML5 – Juice for XSS


HTML5 has introduced several new APIs, one of which is the File System API (http://www.w3.org/TR/file-system-api/). Browsers are implementing it, and it covers both directories and files. A web application can therefore create a mini file system and write files inside the browser. Those files can be read back at any point in time by script running in the same domain context, and they can be persistent or temporary. The browser is acting like a mini OS and exposing that surface. If an XSS is found, it is easy to extract the full file system created by the application.

For example, suppose an application has created a token file on the file system using the API. The files can be viewed in Chrome at the following URI.

In the figure above we can see the files being created in the browser. Now, assuming an XSS is found, it is easy to exploit by hooking into the file system and extracting the content. The following code can be part of the access routine.


Bottom line: a lot is being added to HTML5, and security professionals will need strong JavaScript analysis and a careful look around. It looks like the developer community is still playing with these APIs, but the day is not far when we will start seeing these types of applications in production and landing at our doorstep for review.

CSRF with upload – XHR-L2, HTML5 and Cookie replay


XHR level 2 calls embedded in an HTML5 browser can open a cross-domain socket and deliver an HTTP request. Cross-domain calls need to abide by CORS: the browser generates a preflight request to check the policy and, based on the response, allows cookie replay. Interestingly, a multipart/form-data request goes through without a preflight check, and “withCredentials” allows cookie replay. This can be exploited to upload business-logic files via CSRF if the server is not validating a token or captcha. Business applications allow uploading files such as orders, invoices, imports, contacts, etc. These critical functionalities can be exploited in the case of poor programming.

If we have a business functionality with an actual upload form, the following HTTP request is generated at the time of upload. Note that the cookie is being replayed and the request is multipart form data.

Now, suppose the CSRF payload has the following XHR call.


The above call will generate the following HTTP request, causing CSRF and uploading the file. Hence, without the user’s consent or knowledge, a file is uploaded cross-domain to the target application with the logged-in credentials.

Future probes: one needs to check other impacts such as AMF stream uploads, XML file transfer, and a few other library protocols which nowadays use multipart to support binary calls.

If you are interested in this analysis, you should visit @kkotowicz's work: http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html.