Owasp2013 johannesullrich


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Owasp2013 johannesullrich

  1. 1. HTML5: Risky Business or Hidden Security Tool Chest Johannes B. Ullrich, Ph.D. jullrich@sans.edu
  2. 2. About Me • Dean of Research, SANS Technology Institute • Living in Jacksonville FL (aka Southern GA) • SANS Internet Storm Center https://isc.sans.edu • Created DShield.org • Instructor for SANS • Past: Physicist, Web Developer Hosted by OWASP & the NYC Chapter
  3. 3. What is HTML5 • Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work. • Features to enable modern desktop like applications and support mobile devices • 5th Revision of the HTML Standard
  4. 4. What is this talk about? • Ideas to improve security by using HTML5 responsibly • What are some of the security challenges that HTML5 addresses well (or doesn’t) • What are some of the limitations we have to consider
  5. 5. Authentication • Exclusive vs. Inclusive Authentication Methods: – Inclusive: Proof the identity of the user – Exclusive: Disproof the identity of the user
  6. 6. What the Factor? Segway: Multi Factor Authentication • Single Factor: Password • Two Factor: Password AND (Token|Biometric) • 1 ½ Factor: Password and Cookie • ½ Factor: Password OR (Token|Biometric)
  7. 7. HTML5 Components • • • • • • • Local Storage / Session Storage Canvas Geolocation Media Capture Notifications Accelerometer Encryption
  8. 8. Local and Session Storage • New JavaScript API to store data on client • Protected by “same origin” • Local Storage: – No defined expiration – Accessible by all browser windows • Session Storage: – Expired when window is closed – Scope limited to current window
  9. 9. Local Storage: Persistent Cookie • Alternative to Flash cookie for “1 ½ Factor” login • Part of an “Evercookie” • Can be used for good (additional authentication) or evil (more user tracking) • Exposed to XSS attacks • Similar to cookies in scope and security
  10. 10. Session Storage: Identifying users • Can be used to store session token • Breaks CSRF (good!) • User is logged out when they close the browser window (not entire browser) • Multiple users can use the same browser (is this a good thing?) • Easier log out, more secure session tracking, can be used alongside cookies.
  11. 11. Risks • Risks: Storing too much data on the client! Can’t enforce “secure” transmission over SSL Can’t protect from JavaScript/XSS (no httponly) Examples: – storing confidential data on mobile devices – Pushing data to the client the client is not authorized to see.
  12. 12. Can I use it? http://caniuse.com/#feat=namevalue-storage
  13. 13. Canvas • Allows drawing in the browser • Interactive image applications • Can be used for graphical login schemes – CAPTCHAs – Pattern based login
  14. 14. Image Login • Display image, user identifies features • Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”) Image: Microsoft
  15. 15. “Connect the Dots” • Implemented in Android • Good user acceptance for mobile login • No good studies yet as to how users select patterns Image: Extremetech.com
  16. 16. Demo • Demo: “Connect the Dots” for the web • http://authonthemove.com • See Github for code repository
  17. 17. Can I use it? http://caniuse.com/#feat=canvas
  18. 18. Geolocation • JavaScript API provides access to devices built in sensors like GPS • Can be very accurate • Can also be spoofed easily Image: Mozilla.org
  19. 19. Geolocation for Authentication • Only useful on mobile devices • Can be used to exclude users, but not to replace traditional authentication • Observe sudden changes in location • Combine with careful browser fingerprinting techniques
  20. 20. Can I use it?
  21. 21. Media Capture • aka getUserMedia/Stream API • Limited support (Chrome, Firefox, Blackberry) • Some potential for biometrics: – Face recognition – Hand signals / gestures – Fingerprint?
  22. 22. Implementations • Face recognition libraries: – http://neave.github.io/face-detection/
  23. 23. Difficulties • Hard to acquire sufficient detail • So far, in particular on mobile devices, more of a gimmick then a serious authentication feature • Possibility to use “finger print”, but current cameras not sufficient to acquire image
  24. 24. Can I use it? http://caniuse.com/#feat=stream
  25. 25. Accelerometer • • • • • • • Only useful for mobile devices Move the phone in a pattern to authenticate Detect step/walking pattern Detect if user/phone is at rest or on the move Can be spoofed (but not readily) Not easy to reproduce Adding sensors like compass may help.
  26. 26. Can I use it? http://caniuse.com/#feat=deviceorientation
  27. 27. Notifications • Popup Notifications sent by the server to notify the user • Initiated by server – Local Notifications: Require browser to be open, widely supported – Push Notifications: Safari Only
  28. 28. Bad stuff happened! • Notify the user of security relevant events: – “Someone is trying to log in as you” • • • • User needs to accept notifications Notifications no 100% reliable Not “out of band” (can be faked, intercepted) Safari Notifications may be useful for one time passwords (OTP)
  29. 29. Can I use it? http://caniuse.com/#feat=notifications
  30. 30. Encryption • Client side encryption • Allows encryption of specific sensitive fields (e.g. payment data, passwords) • Intermediate services (proxies, web services) don’t need to know the information • Upcoming: CryptoAPI (June 2013) http://www.w3.org/TR/WebCryptoAPI/ • Until then: https://www.pidder.de/pidcrypt/
  31. 31. Client side password hashing • Server sends random “nonce” as part of login form. • Client calculates hash from password/nonce • Passes hash to server • Server verifies hash • Advantage: Server never gets to know the “real” password.
  32. 32. Signup • • • • • Use enters password Client hashes password Password hash transmitted to server Salt: Username? Provided by server? Changing password: Same procedure, salt may change.
  33. 33. Summary • Lots of cool and useful tools in HTML5 • Use them as appropriate • “HTML5” itself isn’t the risk. Bad coding is the risk • Understand privacy issues • Understand user behavior • Share your code an experiences (OWASP!!)
  34. 34. Thanks! ! Thanks ! Questions? jullrich@sans.edu http://authonthemove.com http://isc.sans.edu Daily Updates * Daily Podcast * Live Data Feeds