Html5 security
Upcoming SlideShare
Loading in...5
×
 

Html5 security

on

  • 2,301 views

an investigation on HTML5 security

an investigation on HTML5 security

Statistics

Views

Total Views
2,301
Views on SlideShare
2,301
Embed Views
0

Actions

Likes
1
Downloads
48
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Html5 security Html5 security Presentation Transcript

    • Introduction to HTML5 security Speaker :luke
    • Outline• What is HTML5• Web Security related to HTML5• Conclusion & looking forward
    • HTML5
    • HTML5• New protocol of HTML HTML5 + CSS3+ JavaScript Compare to XML and XHTML• Protocol design  WHATWG (Apple Mozilla Google Opera) in 2004  W3C  IETF• Still in progress http://www.html5test.com/
    • HTML5
    • What’s in HTML5• New Tag: <button> <canvas> <audio> <video>• New Tag attribute: autocomplete ,autofocus ,regex• New form controls for date ,time, email• Geolocation(demo: http://html5demos.com/geo)• Client-side storge localStorge sessionStorge and WebSQL (demo:http://html5demos.com/database-rollback)• WebSockets new way of communication• WebWorkers allow multithread javascript in the background
    • What’s out in HTML5• Present element <font><center>• Present attribute<align><border><frame><frame set>• Old special effects<marquee>,<bgsound> Follow the rule : Presentation and content are divided
    • Security Issues in HTML5
    • Basic ideas about the new vulnerabilityNew security problem because of new methodbrought into web applicationthe security issues in web application has not beenchangedNew security has been found worth to investigate
    • Security concern 1 clientAttack surface : client-side • client-side and offline storage • allows greater amount of data to be stored
    • Security concern 2 web sql• Bring SQL to the client-side• Core methods: – openDatabase(“Database”,”Database version”,”Database Description”,”Estimated Size”) – Transaction (“SQL statement”)• The usual attack : XSS,SQL injection can be used here.
    • Security concern 3 Application cache• Useful for offline browsing speed and reduce server load• The size limit for cached data for site :5MB• Example 1 enabling application cache: <html manfest=“example.manifest”> ….. </html>• Example 2 update applicaton cache: applicationCache.addEventListener(‘checking’,updateCacheStatus,false);• Poisoning the Application cache • Any website can create a cache in the client • Any file can be cached even in the /root directory
    • Security concern 4 html5 sandbox• Sandbox is used to protect website from 3- party software <iframe src="untrusted.html" sandbox></iframe>• can be used to clickjacking attack <iframe sandbox=“allow-same-origin allow-form allow-scripts”>
    • Security concern 5 CROS• Cros (Cross Origin Resource Sharing )• Allow cross domain AJAX var xhr = new XMLHttpRequset() xhr.open(“post”,http://victim, ture ) xhr.setRequsetHeader(“Content-Type ”,”text/plain”); xhr.withCredentials = “ture”;//send cookies Xhr.send(Anything I want )• Silent file upload Fuction fileUpload(url,filedata,fileName){ Var fileSize = fileData.length, Boundary =‘xxxxxxxxxxxx’ xhr = new XMLHttpRequest(); xhr.open(“POST”,url,true); Xhr.withCredentials(“Content-Type”,”multipart/form-data”,boundary=“+boundary) Xhr.setRequestHeader(“cotent-Length”,fileSize);}
    • DemoAllow cross domain AJAXhttp://victim.kotowicz.net/crossdomain-upload/vuln/index.phphttp://attacker.kotowicz.net/crossdomain-upload/evil/upload.htmlSilent file uploadhttp://kotowicz.net/wu/http://attacker.kotowicz.net/wu/evil.html
    • Security concern 5 clickjackingClickjacking also called UI redressing <iframe src=outer.html width=20 height=20 scrolling=nostyle="opacity:0;"></iframe> <!-- outer.html --> <iframe src="//victim" width=5000 height=5000 style="position: absolute; top:- 300px; left: -350px;"></iframe>
    • Security concern 5 clickjackingMost Alexa top 500 website use frame bustingto protect from clickjackng If (top!=self) If (top.location != self.location)Can be easy bypassed by in HTML5 <iframe sandbox src="//victim"></iframe>
    • Security concern 5 XSSNew Tag and new Attribute cause XSS <video onerror=“javascript:alert(1)”><source> <audio onerror=“javascript:alert(1)”><source>Before HTML5:<input type=ʺtextʺ value=ʺ‐‐>Injecting hereʺ onmouseover=ʺalert(ʹInjected valueʹ)ʺ>With HTML5:<input type=ʺtextʺ value=ʺ‐‐>Injecting hereʺ onfocus=ʺalert(ʹInjected valueʹ)ʺautofocus>
    • Security concern 5 Drag and Drop API<div draggable=ʺtrueʺondragstart=ʺevent.dataTransfer.setData(ʹtext/plainʹ, ʹEvil dataʹ)ʺ><h3>DRAG ME!!</h3></div>
    • Security concern 6 html5 shell GET http://www.google.com Send request to the web server Pentester’s browser Proxy Send Google home page to Pentester’s browser Send the response body to he proxy Web server Send the response body to the shell of the web server Google web server Send the request responds with the to the victim’s HTML fot its homepage browser Victim’s browser www.google.com Request the google web server for http://www.google.c
    • Security concern 7 network reconnaissanceCross domain XMLHttpRequests and WebSockets Port Status WebSocket COR Open (application type <100ms <100ms 1&2) Closed ~1000ms ~1000ms Filtered >30000ms >30000ms
    • Security concern 8 HTML5 BotnetsWebworkers is a threading model for javascript Background JavaScript threads that were started usingBotnet creation: WebWorkers can send cross domain XMLHttpRequests even though the remote website does not support it. • Reaching out testvictimsthat around A to showed • Extending execution lifetimehas 600 zombies can send around If you a small botnet justHtml5 botnets based attack • Application –level DDos attacks • Email Spam • Distributed password cracking
    • Distributed password crackingeasy to launch a password cracker under HTML5http://www.andlabs.org/tools/ravan.html that one browser possible Test show can observe password guessing rates Submit hash of 100,000 MD5/second in JavaScript Ravan Ravan Mater 100-115 times slower than that native Web Manage Cracking Backend code (like LC5),but if you control 100 zombies.it has the same cracking rate. rk Wo lt t su Ge Re it bm Su Work farm
    • Top10 Risks in html51. ClickJacking & Phishing by mixing layers and iframe2. CSRF and leveraging CORS to bypasses SOP3. Attacking WebSQL and client side SQL injection4. Stealing information from Storage and Global variables5. HTML5 tag abuse and XSS6. HTML5 and DOM based XSS and redirects7. DOM injections and Hijacking with HTML 58. Abusing thick client features9. Using WebSockets for stealth attacks10. Abusing WebWorker functionality
    • Conclusion• HTML5 &DOM-level3 &XHR-level2 via javascript are involved in creating the next generation application• As the people heavily use web browser .More features will bring into HTML5• More enhanced features in HTML5 will bring threat and challenges• More security issues will be discovered in the future
    • Reference[1]HTML5 Security CheatSheet ‐ http://code.google.com/p/html5security/[2]Shell of the Future ‐ http://www.andlabs.org/tools.html#sotf[3] Next Generation Clickjacking ‐http://www.contextis.co.uk/resources/white‐papers/clickjacking/Context‐Clickjacking_white_paper.pdf[4]OWASP ClickJacking Guide ‐ http://www.owasp.org/index.php/Clickjacking[5]http://html5sec.org/[6]Hacking Facebook with HTML5 ‐ http://m‐austin.com/blog/?p=19[7]http://html5demos.com[8] https://www.owasp.org/index.php/Clickjacking[9] http://www.andlabs.org/
    • Thanks for listening any suggestion and comment