Introduction to HTML5 security. Speaker: luke
Page 1: Html5 security

Introduction to HTML5 security

Speaker :luke

Page 2: Html5 security

Outline

• What is HTML5

• Web Security related to HTML5

• Conclusion & looking forward

Page 3: Html5 security

HTML5

Page 4: Html5 security

HTML5

• New version of HTML: HTML5 + CSS3 + JavaScript

Compared to XML and XHTML

• Specification designed by the WHATWG (Apple, Mozilla, Google, Opera) in 2004

W3C

IETF

• Still in progress: http://www.html5test.com/

Page 5: Html5 security

HTML5

Page 6: Html5 security

What’s in HTML5

• New tags: <button> <canvas> <audio> <video>

• New tag attributes: autocomplete, autofocus, regex

• New form controls for date, time, email

• Geolocation (demo: http://html5demos.com/geo)

• Client-side storage: localStorage, sessionStorage and WebSQL

(demo: http://html5demos.com/database-rollback)

• WebSockets: a new way of communication

• WebWorkers: allow multithreaded JavaScript in the background

Page 7: Html5 security

What’s out in HTML5

• Presentational elements: <font> <center>

• Presentational attributes: align, border, <frame>, <frameset>

• Old special effects: <marquee>, <bgsound>

Follow the rule:

Presentation and content are separated

Page 8: Html5 security

Security Issues in HTML5

Page 9: Html5 security

Basic ideas about the new vulnerabilities

New security problems arise because new methods are brought into web applications

The fundamental security issues of web applications have not changed

New security issues have been found that are worth investigating

Page 10: Html5 security

Security concern 1: client

Attack surface: client-side

• client-side and offline storage

• allows a greater amount of data to be stored

Page 11: Html5 security

Security concern 2: Web SQL

• Brings SQL to the client-side

• Core methods:

– openDatabase("Database", "Database version", "Database Description", "Estimated Size")

– transaction(callback), where the callback runs executeSql("SQL statement") on the transaction object

• The usual attacks, XSS and SQL injection, can be used here.
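The client-side SQL injection mentioned above, as an added example that is not part of the slides. openDatabase/transaction/executeSql exist only in browsers that shipped Web SQL, so a small stand-in transaction object records what would reach the SQL engine; the table name "notes", the function names and the sample input are assumptions made for this example.

```javascript
// Added example, not from the slides. openDatabase/transaction/executeSql exist
// only in browsers that shipped Web SQL, so makeRecordingTx() is a stand-in
// that records what would reach the SQL engine. The table "notes" and the
// function names are assumptions made for this example.
function makeRecordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args = [], onSuccess) {
      calls.push({ sql, args });
      if (onSuccess) onSuccess(this, { rows: { length: 0 } });
    },
  };
}

// Vulnerable pattern: untrusted input (location.hash, a form field, data from
// another origin) is concatenated into the statement text.
function lookupNotesUnsafe(tx, owner) {
  tx.executeSql("SELECT body FROM notes WHERE owner = '" + owner + "'");
}

// Hardened pattern: the statement is constant and the value is bound as a
// parameter, so a quote in the input stays data.
function lookupNotesSafe(tx, owner) {
  tx.executeSql("SELECT body FROM notes WHERE owner = ?", [owner]);
}

// Crude view of what the engine would parse: number of WHERE conditions.
function conditionCount(sql) {
  return sql.split(/\s+(?:OR|AND)\s+/i).length;
}

// Run both variants against the same injection-shaped input (constructed).
function demo(owner = "alice' OR '1'='1") {
  const unsafeTx = makeRecordingTx();
  lookupNotesUnsafe(unsafeTx, owner);
  const safeTx = makeRecordingTx();
  lookupNotesSafe(safeTx, owner);
  return {
    unsafeSql: unsafeTx.calls[0].sql,            // second condition appended
    unsafeConditions: conditionCount(unsafeTx.calls[0].sql),
    safeSql: safeTx.calls[0].sql,                // statement unchanged
    safeArgs: safeTx.calls[0].args,              // payload travels as data
    safeConditions: conditionCount(safeTx.calls[0].sql),
  };
}

// In a Web SQL-capable browser the safe variant is used the same way, inside a
// transaction callback; guarded so the file also runs under Node.
if (typeof openDatabase === "function") {
  const db = openDatabase("Database", "1.0", "Database Description", 5 * 1024 * 1024);
  db.transaction((tx) => lookupNotesSafe(tx, "alice"));
}
```

The recording transaction shows the difference directly: the concatenated statement gains a second condition, while the parameterised one keeps a single `?` and passes the whole input as an argument.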

Page 12: Html5 security

Security concern 3: Application cache

• Useful for offline browsing, speed, and reducing server load

• The size limit for cached data per site: 5MB

• Example 1, enabling the application cache:

<html manifest="example.manifest"> ….. </html>

• Example 2, updating the application cache:

applicationCache.addEventListener('checking', updateCacheStatus, false);

• Poisoning the application cache

• Any website can create a cache in the client

• Any file can be cached, even in the /root directory

Page 13: Html5 security

Security concern 4: HTML5 sandbox

• The sandbox is used to protect a website from third-party content

<iframe src="untrusted.html" sandbox></iframe>

• Can be used for a clickjacking attack

<iframe sandbox="allow-same-origin allow-forms allow-scripts">

Page 14: Html5 security

Security concern 5: CORS

• CORS (Cross-Origin Resource Sharing)

• Allows cross-domain AJAX

• Silent file upload

var xhr = new XMLHttpRequest();
xhr.open("POST", "http://victim", true);
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.withCredentials = true; // send cookies
xhr.send("Anything I want");

function fileUpload(url, fileData, fileName) {
  var fileSize = fileData.length,
      boundary = "xxxxxxxxxxxx",
      xhr = new XMLHttpRequest();
  xhr.open("POST", url, true);
  xhr.withCredentials = true; // send cookies
  xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary);
  // Content-Length is a forbidden request header: browsers ignore this call and
  // compute the length themselves.
  xhr.setRequestHeader("Content-Length", fileSize);
  var body = "--" + boundary + "\r\n" +
      "Content-Disposition: form-data; name=\"file\"; filename=\"" + fileName + "\"\r\n" +
      "Content-Type: application/octet-stream\r\n\r\n" +
      fileData + "\r\n" +
      "--" + boundary + "--\r\n";
  xhr.send(body);
}
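Server-side checks against the cross-origin POSTs shown above, as an added example that is not part of the slides. The request objects, the allow-list and the origins are constructed for the example; the header names are the real CORS ones, but no framework API is used.

```javascript
// Added example, not from the slides. Two defender-side checks a server can
// apply to the cross-origin POSTs shown on the slide. Request objects, the
// allow-list and the origins used here are constructed for the example.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Would the browser send this request without a CORS preflight? If yes, the
// server receives it exactly like a same-origin form post, cookies included,
// which is why the text/plain and multipart uploads on the slide are "silent".
// Approximates the Fetch spec: method, content-type and header names only.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  const h = lowerKeys(headers);
  const ct = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct && !SIMPLE_CONTENT_TYPES.includes(ct)) return false;
  // A custom header such as X-Requested-With always forces a preflight.
  return Object.keys(h).every((name) => SIMPLE_HEADERS.has(name));
}

// Response headers for a cross-origin request: reflect the Origin only when it
// is on the allow-list, and never "*" together with credentials.
function corsResponseHeaders(origin, allowList) {
  if (!origin || !allowList.includes(origin)) return {}; // browser blocks the read
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// CORS headers only decide whether the caller may read the response; a simple
// POST still executes on the server. A state-changing endpoint therefore also
// checks the Origin header (or a CSRF token) before acting.
function shouldProcessPost(req, allowList) {
  const origin = lowerKeys(req.headers)["origin"];
  if (origin && !allowList.includes(origin)) return false; // cross-site caller
  return true;
}
```

The key point for the "silent upload" on the slide is that both `text/plain` and `multipart/form-data` are simple content types: `isSimpleRequest` returns true for them, so the request reaches the server regardless of what `corsResponseHeaders` later answers, and only the `shouldProcessPost`-style check stops the side effect.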

Page 16: Html5 security

Security concern 5: clickjacking

Clickjacking, also called UI redressing

<iframe src="outer.html" width=20 height=20 scrolling=no style="opacity:0;"></iframe>

<!-- outer.html --> <iframe src="//victim" width=5000 height=5000 style="position: absolute; top:-300px; left: -350px;"></iframe>

Page 17: Html5 security

Security concern 5: clickjacking

Frame busting can be easily bypassed in HTML5: <iframe sandbox src="//victim"></iframe> (a sandboxed frame runs no scripts unless allow-scripts is set, and even then it cannot navigate the top window without allow-top-navigation)

Most Alexa top 500 websites use frame busting to protect against clickjacking:

if (top != self) top.location = self.location;

if (top.location != self.location) top.location = self.location;
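Because the script-based frame busting above is defeated by the sandboxed iframe from slides 13 and 17, the reliable control is a response header that the browser enforces before any script in the framed page runs. The following audit helper, an added example that is not part of the slides, reports which of the two real mechanisms (X-Frame-Options or the CSP frame-ancestors directive) a set of response headers provides; the header values fed to it are constructed.

```javascript
// Added example, not from the slides. Reports whether a set of HTTP response
// headers (constructed in the tests) protects a page against framing, which is
// what frame-busting scripts cannot guarantee once the page is sandboxed.
function frameProtection(headers) {
  // Header names are case-insensitive.
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };

  // Content-Security-Policy: frame-ancestors <source-list> wins when present;
  // 'none' blocks all framing, 'self' allows same-origin, URLs allow partners.
  const csp = get("content-security-policy");
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      return { protected: true, mechanism: "csp", allowed: sources };
    }
  }

  // X-Frame-Options: DENY or SAMEORIGIN. ALLOW-FROM was never widely
  // supported, so it is reported as unprotected with a note.
  const xfo = get("x-frame-options");
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return { protected: true, mechanism: "xfo", allowed: ["'none'"] };
    if (value === "SAMEORIGIN") return { protected: true, mechanism: "xfo", allowed: ["'self'"] };
    return { protected: false, mechanism: "xfo", allowed: [], note: "unsupported value: " + xfo };
  }

  return { protected: false, mechanism: "none", allowed: [] };
}
```

A page that only ships `if (top != self) top.location = self.location;` scores as unprotected here, which is the point: the check looks at what the browser enforces, not at what the page's own script tries to do.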

Page 18: Html5 security

Security concern 5: XSS

New tags and new attributes cause XSS

<video onerror="javascript:alert(1)"><source> <audio onerror="javascript:alert(1)"><source>

Before HTML5: <input type="text" value="-->Injecting here" onmouseover="alert('Injected value')">

With HTML5 (autofocus fires onfocus without any user interaction): <input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>
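The attribute injection on this slide works because the untrusted value is concatenated into the markup and its quote character ends the value attribute. The following added example, not part of the slides, renders the same input both ways and scans the result for event-handler attributes; the function names, the sample payload and the scanner are constructed for the example.

```javascript
// Added example, not from the slides. Shows why the injected value on the
// slide gains an onfocus handler when concatenated into markup, and the
// attribute encoding that keeps it inside the quoted value. Function names
// and the sample payload are chosen for this example.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable template: the value can close the attribute and add new ones.
function renderInputUnsafe(value) {
  return '<input type="text" value="' + value + '">';
}

// Hardened template: every quote in the value is encoded, so the browser
// still sees one attribute whose content happens to contain quotes.
function renderInputSafe(value) {
  return '<input type="text" value="' + escapeAttr(value) + '">';
}

// Small attribute-aware scanner: returns the on* attribute names found in a
// markup string. It tracks quoted values, so a '>' inside value="-->..." does
// not end the tag early (a naive regex over [^>]* would miss the injection).
function eventHandlerAttributes(html) {
  const found = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<" || !/[a-z]/i.test(html[i + 1] || "")) { i++; continue; }
    i++;                                                      // skip '<'
    while (i < html.length && /[^\s/>]/.test(html[i])) i++;  // tag name
    while (i < html.length && html[i] !== ">") {
      while (i < html.length && /[\s/]/.test(html[i])) i++;  // separators
      let name = "";
      while (i < html.length && /[^\s=/>]/.test(html[i])) name += html[i++];
      if (/^on[a-z]+$/i.test(name)) found.push(name.toLowerCase());
      while (i < html.length && /\s/.test(html[i])) i++;
      if (html[i] === "=") {
        i++;
        while (i < html.length && /\s/.test(html[i])) i++;
        const q = html[i];
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) i++;      // quoted value
          i++;
        } else {
          while (i < html.length && /[^\s>]/.test(html[i])) i++; // bare value
        }
      }
    }
    i++;                                                      // skip '>'
  }
  return found;
}
```

Run on the slide's payload, the unsafe render yields `["onfocus"]` while the safe render yields nothing, because the encoded `&quot;` never closes the `value` attribute. The same scanner flags the `onerror` handler on the `<video>` example, which is the kind of check a server-side HTML sanitiser or a review script can apply to user-supplied markup.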

Page 19: Html5 security

Security concern 5: Drag and Drop API

<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil data')">

<h3>DRAG ME!!</h3>

</div>

Page 20: Html5 security

Security concern 6: HTML5 shell

[Diagram: request flow of the HTML5 shell. The pentester's browser sends "GET http://www.google.com" to the proxy; the proxy sends the request to the web server; the web server sends the request to the shell in the victim's browser; the victim's browser requests http://www.google.com from the Google web server; the Google web server responds with the HTML for its homepage; the victim's browser sends the response body to the shell on the web server; the web server sends the response body to the proxy; the proxy sends the Google home page to the pentester's browser.]

Page 21: Html5 security

Security concern 7: network reconnaissance

Cross-domain XMLHttpRequests and WebSockets

Port status                    WebSocket    COR
Open (application type 1&2)    <100ms       <100ms
Closed                         ~1000ms      ~1000ms
Filtered                       >30000ms     >30000ms

Page 22: Html5 security

Security concern 8: HTML5 botnets

WebWorkers are a threading model for JavaScript

Botnet creation:

• Reaching out to victims

• Extending execution lifetime

HTML5 botnet-based attacks:

• Application-level DDoS attacks

• Email spam

• Distributed password cracking

Background JavaScript threads that were started using WebWorkers can send cross-domain XMLHttpRequests even though the remote website does not support it. A test showed that around

If a small botnet has just 600 zombies, it can send around

Page 23: Html5 security

Distributed password cracking

It is easy to launch a password cracker under HTML5: http://www.andlabs.org/tools/ravan.html

[Diagram: Ravan architecture. Components: Work farm, Ravan Master, Ravan Web Backend; arrows labelled Get Work, Submit Result, Manage Cracking, Submit hash.]

Tests show that one browser can reach password-guessing rates of about 100,000 MD5/second in JavaScript, 100-115 times slower than native code (like LC5), but if you control 100 zombies, you get the same cracking rate.

Page 24: Html5 security

Top 10 risks in HTML5

1. ClickJacking & Phishing by mixing layers and iframe

2. CSRF and leveraging CORS to bypass the SOP

3. Attacking WebSQL and client side SQL injection

4. Stealing information from Storage and Global variables

5. HTML5 tag abuse and XSS

6. HTML5 and DOM based XSS and redirects

7. DOM injections and Hijacking with HTML 5

8. Abusing thick client features

9. Using WebSockets for stealth attacks

10. Abusing WebWorker functionality

Page 25: Html5 security

Conclusion

• HTML5, DOM Level 3 and XHR Level 2, driven by JavaScript, are involved in creating the next generation of applications

• As people use web browsers heavily, more features will be brought into HTML5

• More enhanced features in HTML5 will bring threats and challenges

• More security issues will be discovered in the future

Page 26: Html5 security

References

[1] HTML5 Security CheatSheet - http://code.google.com/p/html5security/

[2] Shell of the Future - http://www.andlabs.org/tools.html#sotf

[3] Next Generation Clickjacking - http://www.contextis.co.uk/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf

[4] OWASP ClickJacking Guide - http://www.owasp.org/index.php/Clickjacking

[5] http://html5sec.org/

[6] Hacking Facebook with HTML5 - http://m-austin.com/blog/?p=19

[7] http://html5demos.com

[8] https://www.owasp.org/index.php/Clickjacking

[9] http://www.andlabs.org/

Page 27: Html5 security

Thanks for listening

Any suggestions and comments are welcome