CSRF with JSON – leveraging XHR and CORS

The Same Origin Policy (SOP) governs cross-domain calls and decides when cross-domain connections may be established. SOP bypasses open the door to CSRF: an attacker can inject a payload on a cross-domain page that initiates a request without the consent or knowledge of the target user. HTML 5 adds one more policy, CORS (Cross Origin Resource Sharing). CORS is a “response blind” technique controlled by the extra HTTP header “Origin” and its variants, but it still allows the request to hit the target in one direction. Hence, one-way CSRF is possible. A CSRF vector can be initiated using XHR Level 2 on HTML 5 pages, and it can prove a really lethal attack vector. XHR establishes a stealthy connection that remains well hidden; the XHR connection can be set with “withCredentials” as true along with the POST method. This lets the cookie replay and helps in crafting a successful CSRF scenario or session riding. Interestingly, HTML 5 along with CORS allows performing file upload CSRF as well. It is possible to craft JavaScript using XHR and inject a JSON payload cross-domain. If the server-side code or JSON library does not validate the “Content-Type”, it will process the request and allow a successful CSRF.
For example, here is a script which will do CSRF on a cross domain.

Here, we have “Content-Type” as “text/plain” and no extra header added, so CORS will not initiate an OPTIONS (preflight) request to check the rules on the server side and will make the POST request directly. At the same time we have set withCredentials to “true”, so the cookie will replay.
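As an added example (not the post's own script and not the application shown on the wire), the following Node.js code models the two sides of what the paragraph above describes: the CORS rule under which a text/plain POST goes out without a preflight, and the server-side check a JSON endpoint needs so that it does not process such a request. All function names, origins, cookie values and request objects are constructed placeholders for this illustration.

```javascript
// Added example, not code from the original post. Models (1) the browser-side
// rule that decides whether a cross-origin XHR goes out without a CORS
// preflight, and (2) a naive versus hardened server-side acceptance check for
// a JSON endpoint. Names, origins and request objects are constructed.

// --- (1) Would the browser send this XHR without an OPTIONS preflight? ---
// A request is "simple" (no preflight) when the method and the headers set by
// script stay within the CORS-safelisted set. text/plain is safelisted,
// application/json is not, and any custom header forces a preflight.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADER_NAMES = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isSimpleRequest(method, scriptSetHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(scriptSetHeaders)) {
    const lname = name.toLowerCase();
    if (!SIMPLE_HEADER_NAMES.has(lname)) return false;   // custom header => preflight
    if (lname === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false; // e.g. application/json => preflight
    }
  }
  return true;
}

// --- (2) Server side: naive vs hardened handling of a JSON POST ---
// A request here is a plain object: { method, headers, body }.
function headerOf(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : req.headers[key];
}

// Naive handler: parses whatever arrives. This is exactly the weakness the
// post describes: Content-Type is never checked, Origin is never checked.
function naiveAccept(req) {
  if (req.method !== 'POST') return false;
  try { JSON.parse(req.body); return true; } catch (e) { return false; }
}

// Hardened handler: the request must declare application/json (which a browser
// cannot send cross-origin without a preflight), and any Origin present must be
// on the allow list. The text/plain one-way CSRF request fails the first check.
function hardenedAccept(req, allowedOrigins) {
  if (req.method !== 'POST') return { accepted: false, reason: 'method' };
  const ct = (headerOf(req, 'content-type') || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') return { accepted: false, reason: 'content-type' };
  const origin = headerOf(req, 'origin');
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { accepted: false, reason: 'origin' };
  }
  try { JSON.parse(req.body); } catch (e) { return { accepted: false, reason: 'body' }; }
  return { accepted: true, reason: 'ok' };
}

// Constructed sample: the kind of request the post shows on the wire, a JSON
// body sent as text/plain with the victim's cookie replayed by the browser.
const CROSS_DOMAIN_JSON_POST = {
  method: 'POST',
  headers: {
    'Content-Type': 'text/plain',
    'Origin': 'http://evil.example',      // placeholder attacker origin
    'Cookie': 'JSESSIONID=placeholder',   // added by the browser, not by script
  },
  body: '{"id": 1, "action": "transfer"}',
};

// Constructed sample: a legitimate call from the application's own front end.
const SAME_APP_JSON_POST = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Origin': 'https://app.example',
    'Cookie': 'JSESSIONID=placeholder',
  },
  body: '{"id": 1, "action": "transfer"}',
};

const ALLOWED_ORIGINS = ['https://app.example'];

console.log('preflight needed for text/plain POST?', !isSimpleRequest('POST', { 'Content-Type': 'text/plain' }));
console.log('naive handler accepts CSRF request:', naiveAccept(CROSS_DOMAIN_JSON_POST));
console.log('hardened handler:', hardenedAccept(CROSS_DOMAIN_JSON_POST, ALLOWED_ORIGINS));
```

The hardened check accepts a request with no Origin header so that non-browser and older clients keep working; an anti-CSRF token or a required custom header closes that remaining gap, since a custom header itself forces the preflight that CORS would then reject.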

On the wire we can see the following request.

As you can see, the cookie is replayed and the JSON POST has been initiated. We get the following response back from the application.
The application processed the request and sent JSON back. It is a clear case of CSRF. This can be applied to other streams as well.

Training at Syscan - Web Hacking – Threats & Countermeasure

Web Hacking – Threats & Countermeasure
The introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of web hacking and security. We are witnessing new ways of hacking and exploiting web-based applications, and penetration testing and assessment of web security now need a better understanding of these technologies. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, bringing his experience in application security and research into the curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is an extensively hands-on class with real-life challenges and lab exercises. Participants are methodically exposed to various attack vectors and exploits. The learning sessions feature real-life cases, hands-on exercises, new scanning tools and exploits.

Visit syscan training page - here

HTML 5, XHR (L2) and DOM (L3) - Top 10 Attacks

Current stack and technology surface
Top 10 Attack Vectors

1. XSS abuse with tags and attributes
2. DOM based XSS and Redirects
3. Stealing from the storage
4. Injecting and Exploiting WebSQL
5. Abusing network API and Sockets
6. CSRF across streams – JSON, AMF and XML
7. Sandbox attacks and ClickJacking
8. Abusing new features like drag-and-drop
9. Botnet/Spynet gets persistent life using WebWorkers
10. Threats to widgets and mashups

DOM Hacking - Paper and Tools

DOM Hacking was presented at BlackHat and will be presented next at HackInTheBox. Here are the paper and the tools (DOMScan and DOMTracer). They help during scanning, assessments and pen-testing. Enjoy!

Paper on DOM Hacking

Download
PDF document from here [BlackHat site]
Presentation slides from here [BlackHat site]


DOMScan (Beta)
DOMScan - Scanning and Analyzing DOM

DOMScan is a utility that drives IE and captures the real-time DOM from the browser. It gives access to the active DOM context along with its JavaScript. One can observe the DOM in detail using this utility. It has predefined rules to scan the DOM: one can run the scan on the existing DOM and fetch interesting entry points and calls. It allows tracing through JavaScript variables as well. Using this utility one can identify the following vulnerabilities.

• DOM based XSS
• DOM based vulnerable calls
• Source of abuse and external content loading methods
• Possible DOM logic and business layer calls
• Same Origin Bypass calls and usage
• Mashup usage inside DOM
• Widget Architecture review using the tool

Download

DOMTracer (Beta)
DOMTracer - Firefox Plugin (Trace DOM and JavaScript Calls)

The DOM, as seen in all the aforementioned cases, needs to be analyzed in many aspects. Run-time analysis of the DOM/JavaScript is vital and lets one look at the calls made during ‘dynamic DOM manipulation’. DOMTracer is a Firefox extension for this purpose. It has been written using the standard method for extensions, the XUL platform, with the JavaScript language for the most part. This is in beta and we are working on new features.

Download

HITB - Malaysia

Training - TT1 – Web 2.0 Hacking – Advanced Attacks and Defense (Ajax, RIA and SOA)

Hacking a Browser’s DOM – Exploiting Ajax and RIA

Web 2.0 applications use dynamic DOM manipulation extensively to present JSON or XML streams in the browser. These DOM calls, mixed with the XMLHttpRequest (XHR) object, are part of the client-side logic written in JavaScript or in any other client-side technology, be it Flash or Silverlight. DOM-driven XSS is a sleeping giant in application code, and it can be exploited by an attacker to gain access to the end user’s browser/desktop. This can become the root cause of the following set of interesting vulnerabilities: cross-widget sniffing, RSS feed reader exploitation, XHR response stealing, mashup hacking, malicious code injection, worm spreading, etc. This set of vulnerabilities needs an innovative way of scanning the application, and the corresponding methodology needs to be tweaked. We have seen DOM-driven XSS exploited in various popular portals to spread a worm or virus. This is a significant threat on the rise, and it should be mitigated by validating untrusted content poisoning Ajax or Flash routines. DOM-driven XSS, cross-domain bypass and CSRF can form a deadly cocktail for exploiting Web 2.0 applications across the Internet. This presentation will cover the following important issues and concepts.
* Web 2.0 Architecture and DOM manipulation points
* JavaScript exploits by leveraging DOM
* Cross Domain Bypass and Hacks
* DOM hacking for controlling Widgets and Mashups
* Exploiting Ajax routines to gain feed readers
* Scanning and detecting DOM driven XSS in Web 2.0
* Tools for scanning the DOM calls
* Mitigation strategies for better security posture