4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
207<br />
Web Application Penetration Testing<br />
• Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH):<br />
http://www.christian-schneider.net/<br />
CrossSiteWebSocketHijacking.html<br />
• Jussi-Pekka Erkkilä - WebSocket Security Analysis: http://juerkkil<br />
iki.fi/files/writings/websocket2012.pdf<br />
• Robert Koch- On WebSockets in Penetration Testing: http://www<br />
ub.tuwien.ac.at/dipl/2013/AC07815487.pdf<br />
• DigiNinja - OWASP ZAP and Web Sockets: http://www.digininja<br />
org/blog/zap_web_sockets.php<br />
Test Web Messaging (OTG-CLIENT-011)<br />
Summary<br />
Web Messaging (also known as Cross Document Messaging) allows<br />
applications running on different domains to communicate in a secure<br />
manner. Before the introduction of web messaging the communication<br />
of different origins (between iframes, tabs and windows)<br />
was restricted by the same origin policy and enforced by the browser,<br />
however developers used multiple hacks in order to accomplish<br />
these tasks, most of them were mainly insecure.<br />
This restriction within the browser is in place to restrict a malicious<br />
website to read confidential data from other iframes, tabs, etc, however<br />
there are some legitimate cases where two trusted websites<br />
need to exchange data between each other. To meet this need Cross<br />
Document Messaging was introduced within he WHATWG HTML5<br />
draft specification and implemented in all major browsers. It enables<br />
secure communication between multiple origins across iframes,<br />
tabs and windows.<br />
The Messaging API introduced the postMessage() method, with<br />
which plain-text messages can be sent cross-origin. It consists of<br />
two parameters, message and domain.<br />
There are some security concerns when using ‘*’ as the domain that<br />
we discuss below. Then, in order to receive messages the receiving<br />
website needs to add a new event handler, and has the following attributes:<br />
• data: The content of the incoming message<br />
• origin: The origin of the sender document<br />
• source: source window<br />
An example:<br />
Send message:<br />
iframe1.contentWindow.postMessage(“Hello world”,”http: /<br />
www.example.com”);<br />
Receive message:<br />
window.addEventListener(“message”, handler, true);<br />
function handler(event) {<br />
if(event.origin === ‘chat.example.com’) {<br />
/* process message (event.data) */<br />
} else {<br />
/* ignore messages from untrusted domains */<br />
}<br />
}<br />
Origin Security Concept<br />
The origin is made up of a scheme, host name and port and identifies<br />
uniquely the domain sending or receiving the message, it does not<br />
include the path or the fragment part of the url. For instance, https://<br />
example.com/ will be considered different from http://example.com<br />
because the schema in the first case is https and in the second http,<br />
same applies to web servers running in the same domain but different<br />
port.<br />
From a security perspective we should check whether the code is filtering<br />
and processing messages from trusted domains only, normally<br />
the best way to accomplish this is using a whitelist. Also within the<br />
sending domain, we also want to make sure they are explicitly stating<br />
the receiving domain and not ‘*’ as the second argument of post-<br />
Message() as this practice could introduce security concerns too,<br />
and could lead to, in the case of a redirection or if the origin changes<br />
by other means, the website sending data to unknown hosts, and<br />
therefore, leaking confidential data to malicious servers.<br />
In the case the website failed to add security controls to restrict the<br />
domains or origins that can send messages to a website most likely<br />
will introduce a security risk so it is very interesting part of the code<br />
from a penetration testing point of view. We should scan the code<br />
for message event listeners, and get the callback function from the<br />
addEventListener method to further analysis as domains must be<br />
always be verified prior data manipulation.<br />
event.data Input Validation<br />
Input validation is also important, even though the website is accepting<br />
messages from trusted domains only, it needs to treat the<br />
data as external untrusted data and apply the same level of security<br />
controls to it. We should analyze the code and look for insecure<br />
methods, in particular if data is being evaluated via<br />
eval()<br />
or inserted into the DOM via the<br />
innerHTML<br />
property as that would create a DOM-based XSS vulnerability.<br />
How to Test<br />
Black Box testing<br />
Black box testing for vulnerabilities on Web Messaging is not usually<br />
performed since access to the source code is always available as it<br />
needs to be sent to the client to be executed.<br />
Gray Box testing<br />
Manual testing needs to be conducted and the JavaScript code analyzed<br />
looking for how Web Messaging is implemented. In particular<br />
we should be interested in how the website is restricting messages<br />
from untrusted domain and how the data is handled even for trusted<br />
domains. Below are some examples:<br />
Vulnerable code example:<br />
In this example, access is needed for every subdomain (www, chat,<br />
forums, ...) within the owasp.org domain. The code is trying to accept<br />
any domain ending on .owasp.org: