Hackers of India

Reverse Engineering Browser Components: Dissecting and Hacking Silverlight, HTML 5 and Flex

By Shreeraj Shah on 03 Aug 2011 @ Blackhat



Abstract

Hacking browser components by reverse engineering is emerging as the best way of discovering potential vulnerabilities across web applications in the era of Rich Internet Applications (RIA). The RIA space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, the extended DOM and numerous third-party libraries. Browsers are hacked and attacked almost every day by attackers, worms and malware written with a specific scope. We have seen exploitation of these technologies on popular sites like Facebook, Twitter, Yahoo and Google, to name a few.

The traditional boundaries of web applications are fading out, and browsers now host a substantial part of the web application, including data access, business logic and encryption, along with the presentation layer. This makes browser components a potential target for hackers. The danger of poorly written browser components is greater in today's world, and successful exploitation can have a significant impact on the application.

Reverse engineering can be applied to determine potential weaknesses by following a well-defined methodology. It covers reverse engineering the architecture of the browser layer, fingerprinting components, discovering cross-domain interactions, debugging calls, DOM inspection, decompiling components, inter-platform communication, socket call inspection and vulnerability tracing.

This paper will go over these steps in detail and help in identifying any weakness or vulnerability associated with a browser component. Browsers are no longer static content loaders; in this era they allow complicated operations. Browsers can run powerful applications using HTML 5 components like WebWorkers (threads), WebSockets and sandboxed iframes. They can load Silverlight and Flex content and allow an application to emulate a rich desktop. We will be covering the following attacks, threats and analysis techniques to dissect browser components using reverse engineering tools (the author is releasing tools along with the paper).

We will be covering the above attacks and their variants in detail along with some real-life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will see some new scanning tools and approaches to identify some of these key issues.

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker discusses various types of attacks and defense measures related to web application security. Specifically, they cover:

  1. CSRF (Cross-Site Request Forgery) attacks against endpoints that consume JSON and AMF (Action Message Format) traffic.
  2. Clickjacking attacks using HTML 5 features such as canvas and layering.
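The JSON CSRF case from item 1, as an added example that is not code from the talk: an endpoint that relies on the session cookie and calls JSON.parse() on whatever arrives can be driven from a plain cross-site HTML form, because a form with enctype="text/plain" lets the attacker shape the body into valid JSON. The origins (evil.example, app.example), the field names and the request objects are constructed for this example; the same Content-Type rule applies to AMF endpoints, whose body a form cannot produce either.

```javascript
// Added example; this is not code from the talk. It shows why an endpoint that
// JSON.parse()s whatever arrives is CSRF-able from a plain HTML form, and the
// server-side checks that stop it. The origins and field names are made up.

// A browser serialises <form enctype="text/plain"> as "name=value\r\n" pairs.
// The attacker splits the JSON so that the '=' the browser inserts ends up
// inside a throw-away string value, leaving a syntactically valid object.
function textPlainFormBody(fieldName, fieldValue) {
  return fieldName + '=' + fieldValue + '\r\n';
}

// Attacker's page on https://evil.example: a single self-submitting form field.
const ATTACKER_FIELD_NAME = '{"to":"attacker","amount":1000,"pad":"';
const ATTACKER_FIELD_VALUE = '"}';

// What the victim's browser sends when that form auto-submits: the form's own
// Content-Type, the attacker's Origin, and the victim's session cookie.
function forgedRequest() {
  return {
    method: 'POST',
    headers: {
      'content-type': 'text/plain',
      origin: 'https://evil.example',
      cookie: 'session=victim',
    },
    body: textPlainFormBody(ATTACKER_FIELD_NAME, ATTACKER_FIELD_VALUE),
  };
}

// A legitimate XMLHttpRequest/fetch call from the application's own pages.
function legitimateRequest() {
  return {
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      origin: 'https://app.example',
      'x-requested-with': 'XMLHttpRequest',
      cookie: 'session=victim',
    },
    body: JSON.stringify({ to: 'friend', amount: 10 }),
  };
}

// Vulnerable handler: trusts the cookie and parses the body without looking at
// any other header. The forged body parses cleanly, so the transfer goes through.
function vulnerableHandler(req) {
  const data = JSON.parse(req.body.trim());
  return { accepted: true, to: data.to, amount: data.amount };
}

// Hardened handler for the hypothetical https://app.example API:
//  1. Require an exact JSON Content-Type. An HTML form cannot send it, and a
//     cross-origin fetch() that sets it triggers a CORS preflight the server
//     never approves. The same check applies to AMF endpoints (application/x-amf).
//  2. Require a custom header, which forms cannot add at all.
//  3. Compare Origin with the application's own origin.
// A per-session anti-CSRF token inside the JSON body is the usual fourth layer.
const ALLOWED_ORIGIN = 'https://app.example';

function hardenedHandler(req) {
  const h = req.headers;
  const mediaType = String(h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') return { accepted: false, reason: 'content-type' };
  if (h['x-requested-with'] !== 'XMLHttpRequest') return { accepted: false, reason: 'custom header' };
  if (h.origin !== ALLOWED_ORIGIN) return { accepted: false, reason: 'origin' };
  const data = JSON.parse(req.body);
  return { accepted: true, to: data.to, amount: data.amount };
}

console.log('forged body  :', JSON.stringify(forgedRequest().body));
console.log('vulnerable   :', vulnerableHandler(forgedRequest()));
console.log('hardened/evil:', hardenedHandler(forgedRequest()));
console.log('hardened/app :', hardenedHandler(legitimateRequest()));
```

The first check is the one that matters most: a Content-Type of application/json or application/x-amf is not something a form can set, and a script that sets it from another origin is stopped by the CORS preflight, so the handler should refuse anything else before touching the body.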

To defend against these attacks, the speaker recommends:

  1. Implementing frame-busting code so that pages cannot be loaded inside an attacker's iframe.
  2. Performing reverse engineering to identify vulnerable components.
  3. Conducting security testing at the code level, including source code and object code analysis.
  4. Performing resource discovery and fuzzing against the backend endpoints the components call, to identify server-side issues.
  5. Being cautious with HTML 5 features, particularly WebSQL and client-side storage.
  6. Conducting DOM-based analysis and scanning to ensure DOM calls handle untrusted data safely.
  7. Avoiding eval() for deserializing data and using a real parser such as JSON.parse() instead.
  8. Performing cross-stream analysis with third-party tools.
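The frame-busting recommendation (item 1) and the HTML 5 sandboxed iframes mentioned in the abstract interact badly: the attacker controls the sandbox attribute of the frame, so a sandbox without allow-top-navigation silently blocks the top.location assignment the classic frame buster relies on, and a sandbox without allow-scripts stops the script from running at all. The following is an added example, not code from the talk: a small simulator of those browser rules, applied to the classic frame buster and to the hide-the-body-by-default variant, plus the response headers that refuse framing before any script runs. The simulator models only the allow-scripts and allow-top-navigation flags.

```javascript
// Added example; not code from the talk. It models how a browser treats the
// in-page frame-busting script when an attacker wraps the victim page in an
// HTML 5 <iframe sandbox="..."> (the flags are the attacker's to choose), and
// why the defence to ship is "hide the body until the script proves the page
// is top-level", backed by a framing header. Only the allow-scripts and
// allow-top-navigation flags are modelled.

// Classic frame buster:  if (top !== self) top.location = self.location;
const NAIVE_FRAME_BUSTER = {
  hiddenByDefault: false,
  run(browser) {
    if (browser.framed) browser.navigateTop();
  },
};

// Hardened variant: the page ships with <style>body{display:none}</style> and
//   if (top === self) document.body.style.display = '';
//   else top.location = self.location;
const HARDENED_FRAME_BUSTER = {
  hiddenByDefault: true,
  run(browser) {
    if (!browser.framed) browser.showBody();
    else browser.navigateTop();
  },
};

// Loads the page either top-level (framed: false) or inside an attacker's
// iframe. sandbox === null means an iframe with no sandbox attribute; a string
// is the attribute's value, possibly empty.
function simulateLoad(defence, { framed, sandbox = null }) {
  const flags = sandbox === null ? null : new Set(sandbox.split(/\s+/).filter(Boolean));
  const state = { visible: !defence.hiddenByDefault, escaped: false };
  const browser = {
    framed,
    navigateTop() {
      // Setting top.location from a frame works unless the frame is sandboxed
      // without allow-top-navigation, in which case it silently fails.
      if (!framed || flags === null || flags.has('allow-top-navigation')) state.escaped = true;
    },
    showBody() { state.visible = true; },
  };
  // A sandboxed frame runs script only when allow-scripts is present.
  const scriptsRun = !framed || flags === null || flags.has('allow-scripts');
  if (scriptsRun) defence.run(browser);
  // The attacker wins when the page stays framed and is rendered to click on.
  return { ...state, clickjackable: framed && state.visible && !state.escaped };
}

// Header-level defence: the browser refuses to render the page in a foreign
// frame before any script runs, so sandbox tricks never come into play.
// X-Frame-Options is what existed at the time of the talk; CSP frame-ancestors
// is the standardised successor and should be sent alongside it.
function antiClickjackingHeaders(sameOriginOnly) {
  return sameOriginOnly
    ? { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" }
    : { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}

for (const [name, defence] of Object.entries({ naive: NAIVE_FRAME_BUSTER, hardened: HARDENED_FRAME_BUSTER })) {
  for (const sandbox of [null, '', 'allow-scripts allow-forms']) {
    console.log(name, 'sandbox=' + JSON.stringify(sandbox), simulateLoad(defence, { framed: true, sandbox }));
  }
}
console.log(antiClickjackingHeaders(false));
```

The output shows the naive buster escaping only from an unsandboxed frame, while `sandbox=""` and `sandbox="allow-scripts allow-forms"` leave it framed and visible; the hidden-by-default page stays blank in both sandboxed cases, which is why that variant, together with the headers, is the one to deploy.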
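Items 6 and 7 (DOM-based analysis and eval() versus JSON.parse()), as an added example that is not code from the talk. The first part shows concretely what the eval() idiom costs: a response that is "almost JSON" carries an expression that eval() executes and JSON.parse() rejects. The second part is a minimal line-oriented sink scanner of the kind a DOM-based analysis starts from. The hostile response, the sink and source patterns and the script being scanned are all constructed for this example; the scanner matches per line and is a triage aid, not taint tracking.

```javascript
// Added example; not code from the talk. Part 1 contrasts eval() with
// JSON.parse() on a response that is "almost JSON". Part 2 is a minimal
// line-oriented scanner for risky DOM sinks. The response text, the patterns
// and the script being scanned are constructed for this example.

// --- Part 1: eval() vs JSON.parse() ---------------------------------------

// Looks like JSON, but the second value is a JavaScript expression with a side
// effect (standing in for alert(), a cookie theft, or a DOM write).
const HOSTILE_RESPONSE = '{"user":"alice","flag":(globalThis.evalExecuted = true, 1)}';

// The old RIA idiom: parenthesise so the braces parse as an object literal.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

function parseWithJsonParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

function demonstrateEvalVsParse() {
  globalThis.evalExecuted = false;
  const evalResult = parseWithEval(HOSTILE_RESPONSE);
  return {
    evalResult,                                        // { user: 'alice', flag: 1 }
    evalSideEffect: globalThis.evalExecuted,           // true: attacker code ran
    parseResult: parseWithJsonParse(HOSTILE_RESPONSE), // { ok: false, error: 'SyntaxError' }
  };
}

// --- Part 2: DOM sink scanner ----------------------------------------------

// Sinks worth tracing back to a source; each regex is deliberately simple.
const SINK_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  { name: 'string timer', re: /\b(setTimeout|setInterval)\s*\(\s*["'`]/ },
  { name: 'innerHTML/outerHTML', re: /\.(inner|outer)HTML\s*=/ },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'location assignment', re: /\blocation(\.href|\.hash)?\s*=[^=]/ },
];

// Attacker-reachable sources; a match on the same line as a sink is the
// strongest signal this per-line scanner can give.
const SOURCE_RE = /\b(location\.(hash|search|href)|document\.(referrer|URL|cookie)|window\.name|event\.data|responseText)\b/;

function scanForSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    for (const { name, re } of SINK_PATTERNS) {
      if (re.test(line)) {
        findings.push({
          line: index + 1,
          sink: name,
          taintedSource: SOURCE_RE.test(line),
          code: line.trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample of the kind of inline script a component ships with.
const SAMPLE_SCRIPT = `
var q = decodeURIComponent(location.hash.slice(1));
document.getElementById('out').innerHTML = q;
var data = eval('(' + xhr.responseText + ')');
var safe = JSON.parse(xhr.responseText);
setTimeout("refresh(" + window.name + ")", 1000);
document.getElementById('out').textContent = q;
`;

console.log(demonstrateEvalVsParse());
console.log(scanForSinks(SAMPLE_SCRIPT));
```

Note what the scanner does and does not see: the innerHTML write on line 3 is flagged as a sink but not as tainted, because the source (location.hash) was read on the previous line into `q`. Following that variable is the job of the DOM inspection and debugging steps the abstract lists; the scanner only tells you where to start.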

Additionally, the speaker highlights the importance of implementing defense measures at multiple levels, including:

  1. Code level: implementing security controls in the application code itself.
  2. Filtering level: using firewall-style filtering to block malicious traffic.
  3. Incoming defense: validating and filtering requests as they arrive.
  4. Outgoing filtering: preventing malicious script from being sent back to clients in responses.
  5. Server-side stream handling: supporting, and validating, AMF and JSON formats on the server side.

Overall, the speaker emphasizes the need for a comprehensive approach to web application security, covering multiple layers of defense and testing.