HTML5: Risky Business or Hidden Security Tool Chest
Johannes B. Ullrich, Ph.D.
jullrich@sans.edu

About Me

• Dean of Research, SANS Technology Institute
• Living in Jacksonville FL (aka Southern GA)
• SANS Internet Storm Center https://isc.sans.edu
• Created DShield.org
• Instructor for SANS
• Past: Physicist, Web Developer
Hosted by OWASP & the NYC Chapter

What is HTML5

• Collection of JavaScript APIs supported by some modern browsers in some ways, and sometimes they even work.
• Features to enable modern desktop-like applications and support mobile devices
• 5th revision of the HTML standard

What is this talk about?

• Ideas to improve security by using HTML5 responsibly
• What are some of the security challenges that HTML5 addresses well (or doesn’t)
• What are some of the limitations we have to consider

Authentication

• Exclusive vs. Inclusive Authentication Methods:
– Inclusive: Prove the identity of the user
– Exclusive: Disprove the identity of the user

What the Factor?

Segue: Multi Factor Authentication
• Single Factor: Password
• Two Factor: Password AND (Token|Biometric)
• 1 ½ Factor: Password and Cookie
• ½ Factor: Password OR (Token|Biometric)

HTML5 Components

• Local Storage / Session Storage
• Canvas
• Geolocation
• Media Capture
• Notifications
• Accelerometer
• Encryption

Local and Session Storage

• New JavaScript API to store data on the client
• Protected by “same origin”
• Local Storage:
– No defined expiration
– Accessible by all browser windows
• Session Storage:
– Expires when the window is closed
– Scope limited to the current window

Local Storage: Persistent Cookie

• Alternative to Flash cookie for “1 ½ Factor” login
• Part of an “Evercookie”
• Can be used for good (additional authentication) or evil (more user tracking)
• Exposed to XSS attacks
• Similar to cookies in scope and security

Session Storage: Identifying users

• Can be used to store session token
• Breaks CSRF (good!)
• User is logged out when they close the browser window (not the entire browser)
• Multiple users can use the same browser (is this a good thing?)
• Easier log out, more secure session tracking, can be used alongside cookies.

Risks

• Risks:
– Storing too much data on the client!
– Can’t enforce “secure” transmission over SSL
– Can’t protect from JavaScript/XSS (no httponly)
• Examples:
– Storing confidential data on mobile devices
– Pushing data to the client that the client is not authorized to see.

Can I use it?

http://caniuse.com/#feat=namevalue-storage

Canvas

• Allows drawing in the browser
• Interactive image applications
• Can be used for graphical login schemes
– CAPTCHAs
– Pattern based login

Image Login

• Display image, user identifies features
• Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”)
Image: Microsoft

“Connect the Dots”

• Implemented in Android
• Good user acceptance for mobile login
• No good studies yet as to how users select patterns
Image: Extremetech.com

Demo

• Demo: “Connect the Dots” for the web
• http://authonthemove.com
• See Github for code repository

Can I use it?

http://caniuse.com/#feat=canvas

Geolocation

• JavaScript API provides access to the device’s built-in sensors like GPS
• Can be very accurate
• Can also be spoofed easily
Image: Mozilla.org

Geolocation for Authentication

• Only useful on mobile devices
• Can be used to exclude users, but not to replace traditional authentication
• Observe sudden changes in location
• Combine with careful browser fingerprinting techniques

Can I use it?
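The "observe sudden changes in location" idea above, worked out as an added example that is not code from the talk: a server-side impossible-travel check that can only ever exclude a login (assumed names `evaluateLocation`, `distanceKm`, and the constructed sample fixes are mine; the fix format mirrors what `navigator.geolocation` reports).

```javascript
// Added example (not from the talk): "impossible travel" check on a geolocation fix.
// Assumptions (mine): the server keeps the last accepted fix per user, and the new fix
// comes from navigator.geolocation on the client. Because that fix can be spoofed, the
// result only ever excludes a login (forces stronger authentication); it never proves identity.
const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_KMH = 900;      // about airliner speed; faster implies a spoofed or shared account
const MAX_USEFUL_ACCURACY_M = 5000; // coarser fixes (IP-based) carry too little information

// Great-circle distance in km between two {lat, lon} points (haversine formula).
function distanceKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Decide what a new fix means for the login. decision is one of:
//   "allow"   - consistent with the last fix (or no history yet)
//   "ignore"  - fix too coarse to reason about; fall through to normal authentication
//   "exclude" - location change is implausible; require a stronger factor and alert the user
function evaluateLocation(lastFix, newFix) {
  if (!lastFix) return { decision: "allow", reason: "no prior fix" };
  if (!(newFix.accuracy <= MAX_USEFUL_ACCURACY_M)) {
    return { decision: "ignore", reason: "fix too coarse" };
  }
  const km = distanceKm(lastFix, newFix);
  const hours = (newFix.timestamp - lastFix.timestamp) / 3600000;
  if (hours <= 0) return { decision: "exclude", reason: "timestamp not after last fix", km };
  const kmh = km / hours;
  if (kmh > MAX_PLAUSIBLE_KMH) {
    return { decision: "exclude", reason: `implied speed ${Math.round(kmh)} km/h`, km, kmh };
  }
  return { decision: "allow", reason: "plausible travel", km, kmh };
}

// Constructed sample: last login from Jacksonville FL, new fix from New York 30 minutes later.
const SAMPLE_LAST = { lat: 30.33, lon: -81.66, accuracy: 50,
  timestamp: Date.UTC(2013, 5, 1, 12, 0) };
const SAMPLE_NEW = { lat: 40.71, lon: -74.01, accuracy: 50,
  timestamp: Date.UTC(2013, 5, 1, 12, 30) };

console.log(evaluateLocation(SAMPLE_LAST, SAMPLE_NEW));
```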
Media Capture

• aka getUserMedia/Stream API
• Limited support (Chrome, Firefox, Blackberry)
• Some potential for biometrics:
– Face recognition
– Hand signals / gestures
– Fingerprint?

Implementations

• Face recognition libraries:
– http://neave.github.io/face-detection/

Difficulties

• Hard to acquire sufficient detail
• So far, in particular on mobile devices, more of a gimmick than a serious authentication feature
• Possibility to use “finger print”, but current cameras are not sufficient to acquire the image

Can I use it?

http://caniuse.com/#feat=stream

Accelerometer

• Only useful for mobile devices
• Move the phone in a pattern to authenticate
• Detect step/walking pattern
• Detect if user/phone is at rest or on the move
• Can be spoofed (but not readily)
• Not easy to reproduce
• Adding sensors like compass may help.

Can I use it?

http://caniuse.com/#feat=deviceorientation

Notifications

• Popup notifications sent by the server to notify the user
• Initiated by server
– Local Notifications: Require browser to be open, widely supported
– Push Notifications: Safari only

Bad stuff happened!

• Notify the user of security relevant events:
– “Someone is trying to log in as you”
• User needs to accept notifications
• Notifications not 100% reliable
• Not “out of band” (can be faked, intercepted)
• Safari Notifications may be useful for one time passwords (OTP)

Can I use it?

http://caniuse.com/#feat=notifications

Encryption

• Client side encryption
• Allows encryption of specific sensitive fields (e.g. payment data, passwords)
• Intermediate services (proxies, web services) don’t need to know the information
• Upcoming: CryptoAPI (June 2013) http://www.w3.org/TR/WebCryptoAPI/
• Until then: https://www.pidder.de/pidcrypt/

Client side password hashing

• Server sends random “nonce” as part of login form.
• Client calculates hash from password/nonce
• Passes hash to server
• Server verifies hash
• Advantage: Server never gets to know the “real” password.

Signup

• User enters password
• Client hashes password
• Password hash transmitted to server
• Salt: Username? Provided by server?
• Changing password: Same procedure, salt may change.
Summary

• Lots of cool and useful tools in HTML5
• Use them as appropriate
• “HTML5” itself isn’t the risk. Bad coding is the risk
• Understand privacy issues
• Understand user behavior
• Share your code and experiences (OWASP!!)

Thanks!

Questions?
jullrich@sans.edu
http://authonthemove.com
http://isc.sans.edu
Daily Updates * Daily Podcast * Live Data Feeds