Monday, November 22, 2010

XSS track got ninja stealth skills thanks to HTML5

XSS-Track, a point of concept project on how to track users through XSS vulnerability today got even better: now it can change URL in browser address bar as you navigate through the site, making it even more transparent for the victim.

It is possible thanks to a HTML5 feature - window.history.pushState(). It was created for AJAX websites so that they could easily change window location bar and manipulate history. Read more about the it on WHATWG site.

It's a great and convenient feature for developers - for example, AJAX apps can now easily support back & forward buttons without resorting to URI fragment identifier (#) hacks. But it can also be used for malicious purposes. Basically, in HTML5 you can no longer trust the location bar. For security reasons, specs say you can only change a path (i.e. not hostname, port etc.) and of course it is subject to same-origin restrictions but that is enough for XSS-Track. So now we have these convenient functions in XSS-track source code:

var getPath = function(url) {
  return url.match(/(\/.*)/)[1];
};

var changeAddressBar = function(url) {
  try {
    // html5 goodness - should work in Safari, Chrome, FF 4
    window.history.pushState({}, "", getPath(url));
  } catch(e) {}
};

and navigating a link within vulnerable domain will update the address bar path accordingly, making XSS-track practically invisible (unless you click an external link).

Disclaimer:
window.history.pushState() works in Chrome 5, Safari 5 and Firefox 4 and more browsers will come in future. When it's not available, XSS-Track will just leave the URL of a vulnerable page, so we're forward compatible. Try and hack the demo site to see the effects in one of those browsers to see it in action. HTML5 FTW!

6 comments:

Anonymous said...

Yep http://heideri.ch/jso/?pushState

Krzysztof Kotowicz said...

@anonymous

Mhm, mario is THE guy when it comes to wicked XSS vectors & html5 security.

Anonymous said...

Oh good grief, that's nasty.

Certainly hope that the browsers will come up with a UI element that will warn when the URL is being changed by javascript, or show the actual URL on hover, or whatever.

Frank said...

Any updates for FF10+, Chrome 18+ etc. ??

kkotowicz said...

history.pushState() should work in both of them, it's widely supported now - http://caniuse.com/#search=push

mole removal at home said...

Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts.I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting.