Sunday, June 19, 2011
Next Generation Attack
The blend of DOM L3 (Remote Execution stack),
XHR L2 (Sockets for injections) and HTML5 (Exploit
delivery platform) is all set to become the
easy stage for all attackers and worms. We have
already witnessed these types of attacks on popular
sites like twitter, facebook or yahoo. Hence the need of
the hour is to understand this attack surface and the
attack vectors in order to protect next generation
applications. Moreover this attack surface is expanding
rapidly with the inclusion of features like audio/video tags,
drag/drop APIs, CSS-Opacity, localstorage, web workers,
DOM selectors, mouse gesturing, native JSON, cross site
access controls, offline browsing etc. This expansion of
attack surface and exposure of server side APIs allows the
attacker to perform lethal attacks and abuses such as:
• XHR abuse alongwith attacking Cross Site access controls
using level 2 calls
• JSON manipulations and poisoning
• DOM API injections and script executions
• Abusing HTML5 tag structure and attributes
• Localstorage manipulations and foreign site access
• Attacking client side sandbox architectures
• DOM scrubbing and logical abuse
• Browser hijacking and exploitations through advanced
DOM features
• One-way CSRF and abusing vulnerable sites
• DOM event injections and event controlling
(Clickjacking)
• Hacking widgets, mashups and social networking sites
• Abusing client side Web 2.0 and RIA libraries
HTML 5 on the rise – reshaping
the RIA space
Web applications have traveled a significant distance
in the last decade. Looking back, it all started with CGI
scripts and now we are witnessing the era of RIA and
Cloud applications. Also, over these years existing
specifications evolved to support the requirements
and technologies. To cite an instance, in the last few
years Flex and Silverlight technology stacks have not
only come up but also continued to evolve to empower
the browser to provide a rich Internet experience. To
compete with this stack the browser needed to add
more native support to its inherent capabilities. HTML 5,
DOM (Level 3) and XHR (Level 2) are new specifications
being implemented in the browser, to make applications
more effective, efficient and flexible. Hence, now we
have three important technology stacks in the browser
and each one of them has its own security weaknesses
and strengths (Figure 1).
HTML 5 has caused the underlying browser stack
(application layer especially) to change on many fronts.
Moreover, it has added the following significant new
components to support application development.
• Support for various other technology stacks through
plugins (Silverlight and Flash)
• New tags and modified attributes to support media,
forms, iframes etc.
• Advance networking calls and capabilities from
XMLHttpRequest (XHR) object – level 2 and WebSockets
(TCP streaming).
• Browsers’ own storage capabilities (Session, Local and
Global)
• Applications can now run in an offline mode too by
leveraging the local database which resides and runs in
the browser, known as WebSQL.
• Powerful Document Object Model (DOM – Level 3) to
support and glue various browser components and
technologies.
• Sandboxing and iframe isolations by logical
compartments inside the browser.
• Native support in the browser or through plugins for
various different data streams like JSON, AMF, WCF,
XML etc.
• Drag and Drop directly in the browser made possible to
make the experience more desktop friendly.
• Browsers’ capabilities of performing input validations to
protect their end clients.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment