Author Topic: Introducing the HTML5 Hard Disk Filler™ API  (Read 5585 times)


Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Introducing the HTML5 Hard Disk Filler™ API
« on: March 01, 2013, 05:55:02 PM »
http://feross.org/fill-disk/

I don't think this is too much to worry about just yet. It's worthless unless someone pairs it up with an exploit which pwnz your systemz so that they can make use of the drive space they have filled up.

Benchmark your hard drives just as a precaution.

It's just something to think about.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #1 on: March 01, 2013, 07:15:22 PM »
I just heard about this stuff today, I think it has potential to be a problem down the road.

HTML5 is early in implementation so it's probably not a big deal yet. The thing that caught my eye initially was the idea of a "fat client", or rather the client side storing larger amounts of data than in earlier iterations of HTML. Or rather the ability for HTML5 code to create a mini SQL database on the client and then turn around and attack it.

I don't think, so far, that there is anything that can be done to fix the problems beyond fixing the browsers but I am starting to see some things that would make for some pretty robust IDS rules.

Anyway, I'm reading something that's down in the weeds about this if anyone is interested. I was not familiar with the site but I am familiar with the writer.

It's labeled as a black-hat site and that should give pause but it is a .pdf file.

Here is the scary link...

http://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
« Last Edit: March 01, 2013, 07:18:20 PM by EagleKeeper »
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #2 on: March 01, 2013, 08:45:08 PM »
Ok, here is where I am at after reading the first verse...

A1 - CORS Attacks & CSRF

Figure 2 maintains that the redirect to the selling server is HTTP which I suppose is fine.
I guess the thing is that the redirect needs a user ID and password (which it can get from the initial connection, also called "visit attacker's page").

In figure 2 this is http which is easy to do since nothing is encrypted.

The socket is created, the credentials are already there so no problem, except I think this only works on a local network with a directory service.

After all, I don't think you are going to be able to buy anything from Amazon over a non encrypted connection, right?

So I'm thinking this is an inside attack and you won't see it on the internets.

Comments welcome.

More to come as I continue to read through.

Edit: Actually it doesn't even require a directory, it's just using logged in credentials to make a non encrypted connection...no problemo.

Edit2:
Quote
XHR can allow doing internal port scanning, CORS policy scan and mounting remote web shell. These vectors are really stealth and silent over the browser

This is only true if usernames and passwords *and* workgroup/domain names are constant throughout the local network.
« Last Edit: March 01, 2013, 09:05:20 PM by EagleKeeper »
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #3 on: March 01, 2013, 09:45:28 PM »
A2 - ClickJacking, CORJacking and UI exploits


Ok, here is the provided example in whole...


Quote
Let’s assume there are two domains – foobank.com and evil.com. Foobank application is having flash
driven application and it has its own login swf (login.swf) file. This flash component is loaded via object
in the browser. If by DOM call this login.swf file is replaced by similar file residing on evil.com then it will
cause CORJacking and user would be under impression that he/she is using foobank.com resources.
Also, reverse would be possible as well. Evil.com loads resources residing on Foobank.com domain and it
will cause reverse CORJacking.


Now what I want you to think about is something that I have experienced.

You go to a website that has advertisements, let's say Powerline. The browser loads and then you get a pop-up that looks like a virus scan and when it finishes it tells you that your PC is infected with a virus...

It gives you a button that says "click here" to get rid of it..

Ok, what do I do?

What happens is, if you click "YES" you have just given permission to that app to do what it wants to do, maybe give you a virus.

If you kill the process (like closing the window) then nothing happens, it just goes away, that's kinda how windows security works.

Windows makes you the superuser and then lets you kill your PC, that's why there are so many computer viruses for Windows.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline Maxiest

  • Chief Interruptor Officer
  • Hero Member
  • *****
  • Posts: 2471
  • Reputation: +155/-101
  • IT Guru - Social Media Wizard - Recovery Advocate
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #4 on: March 01, 2013, 10:00:08 PM »
Very Good post, I read through the PDF and can see the potential for more exploits.  As noted in the PDF every evolution adds new security impacts and the potential for attackers to attack.

Clickjacking is scary and a newer version of the phishing users currently face.
"The society that puts equality before freedom will end up with neither; the society that puts freedom before equality will end up with a great measure of both."

"Nothing is so permanent as a temporary government program."

"We have a system that increasingly taxes work and subsidizes nonwork."

-Milton Friedman

Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #5 on: March 01, 2013, 10:37:49 PM »
Quote
Very Good post, I read through the PDF and can see the potential for more exploits.  As noted in the PDF every evolution adds new security impacts and the potential for attackers to attack.

Clickjacking is scary and a newer version of the phishing users currently face.

Thanks Maxiest, welcome.

I am hoping I am helping someone but I think this is a veiled attempt at getting you geeks talking.

I think I'm done on this thread for tonight, but I'll be back tomorrow cause I have not got to my favorite part yet. I'll take it in order but it is the "fat client" part that is most interesting.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #6 on: March 01, 2013, 11:57:53 PM »
I was reading ahead a little and found this...

Quote
If by DOM call this login.swf file is replaced by similar file residing on evil.com then it will
cause CORJacking and user would be under impression that he/she is using foobank.com resources.

Ok, I get it.

It's not "similar", it has the exact same file name and translated path so it gets called.

server1/a/b/c

after redirect

server2/a/b/c

You could, I suppose, encrypt it and give it a key when it is installed.

I'm thinking this is another internal attack of a poorly coded internal application.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline Maxiest

  • Chief Interruptor Officer
  • Hero Member
  • *****
  • Posts: 2471
  • Reputation: +155/-101
  • IT Guru - Social Media Wizard - Recovery Advocate
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #7 on: March 02, 2013, 08:38:04 AM »
Quote
I was reading ahead a little and found this...

Ok, I get it.

It's not "similar", it has the exact same file name and translated path so it gets called.

server1/a/b/c

after redirect

server2/a/b/c

You could, I suppose, encrypt it and give it a key when it is installed.

I'm thinking this is another internal attack of a poorly coded internal application.

Browser security can fight against this by SSL certificate verification.  I use Chrome, and let me show you what I look for before I sign into any banking site, etc.



Users just need to be educated on what to look for.  Which in most banking emails I have received from several different banks I have used usually do a decent job of explaining what to look for when signing in.

Plus although I understand the example of foobank.com... no bank would ever use flash login, it is too easy to download a .swf file and duplicate it on a fake site as it is.  HTML5 or not.
"The society that puts equality before freedom will end up with neither; the society that puts freedom before equality will end up with a great measure of both."

"Nothing is so permanent as a temporary government program."

"We have a system that increasingly taxes work and subsidizes nonwork."

-Milton Friedman

Offline whiffleball

  • Hero Member
  • *****
  • Posts: 2161
  • Reputation: +95/-21
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #8 on: March 02, 2013, 01:36:33 PM »
I'm lost!  What can those of us who are non-technical do about this?  Do we need to do something?

Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #9 on: March 02, 2013, 01:41:53 PM »
Quote
I'm lost!  What can those of us who are non-technical do about this?  Do we need to do something?

Nothing, the browser manufacturers will fix it soon enough now that the proof of concept is out there.

Just keep your system updated.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline EagleKeeper

  • Hero Member
  • *****
  • Posts: 2585
  • Reputation: +133/-100
  • ΜΟΛΩΝ ΛΑΒΕ
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #10 on: March 02, 2013, 01:57:01 PM »
Quote
Browser security can fight against this by SSL certificate verification.  I use Chrome, and let me show you what I look for before I sign into any banking site, etc.

Users just need to be educated on what to look for.  Which in most banking emails I have received from several different banks I have used usually do a decent job of explaining what to look for when signing in.

Plus although I understand the example of foobank.com... no bank would ever use flash login, it is too easy to download a .swf file and duplicate it on a fake site as it is.  HTML5 or not.


I think you're exactly right, the example that was used (foobank.com and evil.com) was not using SSL.

The architecture more closely resembled an in house built custom web app.

***CAUTION, DO NOT GO HERE****
Unless you want a drive full of kitty pics
FillDisk.com.


This is the proof of concept, it's not https either.

It's a good thing that someone found this but to a bad guy it's useless to take up drive space unless you also take some level of control over the system...like a botnet.

I'm sure that it will be coming down the road in the not too distant future.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

If you wait by the river long enough the bodies of your enemies will float by.
-Sun Tzu

Offline SSG Snuggle Bunny

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 23048
  • Reputation: +2232/-269
  • Voted Rookie-of-the-Year, 3 years running
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #11 on: March 08, 2013, 11:43:20 AM »
Quote
I'm lost!  What can those of us who are non-technical do about this?  Do we need to do something?

HTML allows a website to store information on your computer. Traditionally this has been a very small amount ~4k to facilitate cookies so the websites you visit -- such as this one -- remember you and whatnot.

With the new HTML there is no limit to the disk space a site can consume and, conceivably, what purpose they might use it for. So a malicious site could take up every last speck on your HD.

Just follow the advice of the others until the exploit is fixed.
According to the Bible, "know" means "yes."
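The post above describes the shift from a ~4k cookie to browser storage that a single site can fill. One practical check a defender can run is to measure what an origin has actually stored. As an added example, not code from the thread or from the fill-disk proof of concept, here is a small audit in JavaScript that sums the bytes held in a Web Storage-like object, lists the largest entries, and classifies the footprint against the cookie-sized baseline. It runs offline here against a constructed object (`SAMPLE_STORAGE`); in a browser console you would pass `window.localStorage` instead. The 1 MiB warning threshold is an assumption chosen for the example.

```javascript
// Added example (not from the thread): audit the size of a browser's per-origin
// storage. SAMPLE_STORAGE is a constructed stand-in for window.localStorage.

const COOKIE_LIMIT_BYTES = 4096; // the traditional ~4k cookie ceiling from the post

// Bytes occupied by one key/value pair. JavaScript strings are UTF-16, so each
// code unit is counted as two bytes, the usual cost in browser storage engines.
function entryBytes(key, value) {
  return (String(key).length + String(value).length) * 2;
}

// Walk any object with string keys and string-ish values (localStorage
// qualifies, since Object.keys(localStorage) yields its stored keys) and
// return the total, the entry count and the top-N largest entries.
function auditStorage(storage, { topN = 3 } = {}) {
  const entries = Object.keys(storage).map((key) => ({
    key,
    bytes: entryBytes(key, storage[key]),
  }));
  entries.sort((a, b) => b.bytes - a.bytes);
  const totalBytes = entries.reduce((sum, e) => sum + e.bytes, 0);
  return { totalBytes, entryCount: entries.length, largest: entries.slice(0, topN) };
}

// Classify an audit: within a cookie's size is unremarkable, beyond that but
// under the warning threshold is "moderate", and anything larger from a site
// you only read is a candidate for clearing. Threshold is an assumed 1 MiB.
function storageVerdict(audit, { warnBytes = 1 << 20 } = {}) {
  if (audit.totalBytes <= COOKIE_LIMIT_BYTES) return 'cookie-sized';
  if (audit.totalBytes <= warnBytes) return 'moderate';
  return 'excessive';
}

// Constructed sample: a preference, a session blob, and one padded entry that
// mimics a site stuffing the store (600,000 code units -> 1,200,000 bytes).
const SAMPLE_STORAGE = {
  theme: 'dark',
  session: JSON.stringify({ user: 'demo', expires: 1700000000 }),
  padding: 'x'.repeat(600000),
};

const sampleAudit = auditStorage(SAMPLE_STORAGE);
console.log(JSON.stringify({ ...sampleAudit, verdict: storageVerdict(sampleAudit) }, null, 2));
```

Browsers enforce their storage quota per origin, so a site that spreads data across many subdomains is not caught by auditing one origin; the audit is still useful for answering the question raised later in the thread, whether a suspiciously full disk has anything to do with browser storage at all, before reaching for a system restore.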

Offline CG6468

  • Hero Member
  • *****
  • Posts: 11493
  • Reputation: +540/-210
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #12 on: March 09, 2013, 12:24:10 PM »
I have to be infected. My hard disk has filled up almost to capacity, whereas it only had a fraction of the capacity utilized before.

Anything I can do? I believe that's what's causing the extremely slow downloads and site refreshing.
Illinois, south of the gun controllers in Chi town

Offline Chris_

  • Little Lebowski Urban Achiever
  • Hero Member
  • *****
  • Posts: 46845
  • Reputation: +2028/-266
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #13 on: March 09, 2013, 12:25:06 PM »
Quote
I have to be infected. My hard disk has filled up almost to capacity, whereas it only had a fraction of the capacity utilized before.

Anything I can do? I believe that's what's causing the extremely slow downloads and site refreshing.

What happens if you clear your browser cache/temp files?
If you want to worship an orange pile of garbage with a reckless disregard for everything, get on down to Arbys & try our loaded curly fries.

Offline CG6468

  • Hero Member
  • *****
  • Posts: 11493
  • Reputation: +540/-210
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #14 on: March 09, 2013, 12:38:07 PM »
Quote
What happens if you clear your browser cache/temp files?

I'll give it another try.

EDIT: Nope. Still real slow, and the screen freezes for up to 30 seconds.
« Last Edit: March 09, 2013, 12:49:25 PM by CG6468 »
Illinois, south of the gun controllers in Chi town

Offline CG6468

  • Hero Member
  • *****
  • Posts: 11493
  • Reputation: +540/-210
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #15 on: March 09, 2013, 01:42:53 PM »
I seem to have fixed things by restoring to the point prior to the last Windows "update."
Illinois, south of the gun controllers in Chi town

Offline biersmythe

  • Sr. Member
  • ****
  • Posts: 967
  • Reputation: +104/-14
  • Molon Labe
Re: Introducing the HTML5 Hard Disk Filler™ API
« Reply #16 on: July 10, 2013, 06:48:03 PM »
Quote
I seem to have fixed things by restoring to the point prior to the last Windows "update."

HAHA figures windoze update.
Teach a man to build a fire, and he will be warm for a night. Set a man on fire and he will be warm for the rest of his life!!!!

Knowledge is half the battle.
The other half is violence!

"I predict future happiness for Americans if they can prevent the government from wasting the labors of the people under the pretense of taking care of them." Thomas Jefferson

The box said: "Requires Windows XP or better." So i installed Linux.