Html5: attack and defense

549 views

Published on

From the Security BSides London 2013 conference.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
549
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Html5: attack and defense

  1. 1. Software Confidence. Achieved. www.cigital.com info@cigital.com +1.703.404.9293
  2. 2. Who Am I? • Software security consultant at Cigital • In security for 4 years 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 2 • MS in Computer Science from George Washington University, USA • Ballroom dancer
  3. 3. HTML5 – a Living Standard • Cross-origin Resource Sharing (CORS) • Cross-document Messaging • Web Storage • IFRAME Sandboxing • Browser History Management • Geo-location Functionality • etc 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 3
  4. 4. Software Confidence. Achieved.
  5. 5. Configuring CORS correctly Configure the Access-Control-Allow-Origin header: • Do not use wildcards • Follow the principle of least privilege • Configure PROD environment separately from TEST environment Server configurations: • IIS7 – web.config • Apache – mod_headers 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 5 OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X- Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US- ASCII Connection: keep-alive Content-Length: 0 Header set Access-Control-Allow-Origin http://www.example.com, https://login.example.com
  6. 6. Web Messaging API • WHO can send messages? • Frames, iframes, parent window • HOW do they send messages? • postMessage(message, target) • window.addEventListener • WHAT is sent in the message? • Text data • Origin • Source 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 6 Attack Attack
  7. 7. Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 7
  8. 8. How to Do Web Messaging Securely • Validate origin • Validate data (on the client side) v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. window.addEventListener("message", receiveMessage, false); … function receiveMessage(event){ … if (event.origin !== "http://www.example.com") return; if (!validateEmail(event.data)) return; div.getElementById('user_email_address').textContent = event.data; …} if (event.origin !== "http://www.example.com") if (!validateEmail(event.data))
  9. 9. Web Storage Attacks 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 9 LocalStorage SessionStorage Issues: • Client-side trust • Cross-directory attacks: • http://myplatform.com/johnneumann/ • http://myplatform.com/adalovelace/ stored indefinitely tab storage
  10. 10. Protecting Web Storage • Do not store sensitive information in localStorage. • Use sessionStorage whenever possible. • Clean up localStorage when you don't need it. 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 10 function session_store (user) { sessionStorage.setItem("username", user.name); } function get_user () { var results = sessionStorage.getItem("username"); document.getElementById("divb").textContent = "Thanks for registering:" + results; sessionStorage.clear(); } sessionStorage.clear();
  11. 11. <iframe src="http://www.untrustedpartyiframe.com"> </iframe> Sandbox Attribute Same Origin Policy A set of restrictions for the inline iframe: •"" (no trust) •allow-same-origin •allow-top-navigation •allow-forms •allow-scripts 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 11 <iframe src="http://www.untrustedpartyiframe.com" sandbox="allow-same-origin"> </iframe> <iframe src="http://www.untrustedpartyiframe.com" sandbox=""> </iframe>
  12. 12. Sandboxing vs Clickjacking Frame-busting code: WebBanking.html 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 12 Disabling frame-busting code: AttackerPage.html <script> if(top != self) { top.location = self.location; } </script> <iframe src="http://bank.com/WebBanking.html" sandbox=""> </iframe>
  13. 13. Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 13
  14. 14. Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 14

×