Owasp talk-november-08
 

HTML5 and local storage security at OWASP Ireland chapter meeting in 2008 by David Rook.

Usage Rights

© All Rights Reserved

    Presentation Transcript

    • The Internet is going offline and ...... The world is going to end
      (Title inspired by the world-ending DNS bug and ClickJacking)
      David Rook - Security Analyst, Realex Payments; Founder of www.securityninja.co.uk; Information Security Evangelist
      Conor McGoveran - Managing Director, Onformonics Ltd; Compliance Management Solutions
      1,0 - there, my two bits!
    • Agenda
      - Introduction
      - The web is on a diet, no more cookies!
      - Access Control
      - Same Origin Issues
      - SQL Issues
    • Isn't the idea to be online?
      - Increased complexity and capability of web applications
      - Traditional applications going "online", such as documents, spreadsheets and task managers
      - This is a trend that many web applications will consider
      - Improved application performance
    • HTML history
      - 1955 - Tim Berners-Lee (born)
      - 1991 - HTML tags
      - 1995 - HTML 2
      - 1997 - HTML 3.2
      - 1999 - HTML 4.01
      - 2008 - HTML 5 (draft)
    • So, why HTML 5?
      - New elements such as <audio> and <video>
      - Elements such as <font> and <center> removed
      - New APIs: Drag and Drop, timed media playback, Messaging, Offline Storage
    • Google Gears
      - A web browser plugin
      - First to provide offline capabilities
      - Now embracing/extending HTML 5
      - Used by applications such as RTM (Remember The Milk) and Google Docs
      - Currently at version 0.4
    • No more cookies!
      - No longer sufficient for Web 2.0
      - They are small (IE enforces a 4KB limit)
      - Not designed for offline storage
    • SessionStorage
      - The closest thing to cookies in HTML 5
      - Used when a user is carrying out a single transaction, or wants to carry out multiple transactions in multiple windows
      - One object per origin (and per top-level browser window, so two windows do not share it)
      - Accessed through the sessionStorage DOM object
    • SessionStorage example
      For example, a page could have a checkbox that the user ticks to indicate that he wants insurance:

        <label>
          <!-- Web Storage holds strings only: `checked` is stored as "true" or "false" -->
          <input type="checkbox" onchange="sessionStorage.insurance = checked">
          I want insurance on this trip.
        </label>

      A later page could then check, from script, whether the user had ticked the checkbox. The comparison must be against the stored string; a bare truthiness test (`if (sessionStorage.insurance)`) would also pass for the non-empty string "false":

        if (sessionStorage.insurance === 'true') { ... }
    • LocalStorage
      - Designed to allow client side storage
      - Used when storing the user's data on the client (e.g. documents)
      - Data from multiple windows stored in one object
      - One object per origin
      - Accessed through the localStorage DOM object
    • LocalStorage example
      The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom of its page:

        <p>You have viewed this page <span id="count">an untold number of</span> time(s).</p>
        <script>
          // localStorage values are strings, so parse before doing arithmetic
          if (!localStorage.pageLoadCount) localStorage.pageLoadCount = 0;
          localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1;
          // the element id must be passed as a string literal
          document.getElementById('count').textContent = localStorage.pageLoadCount;
        </script>
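Added example (not code from the talk): the two slides above quote the spec's sessionStorage and localStorage examples, and both sit on the same trap, Web Storage only holds strings, so `sessionStorage.insurance = checked` stores "false" and a truthiness test on it is always true. The block below reproduces that bug against a small stand-in for the Storage interface (an assumed shim so the example runs in Node; in a browser use window.sessionStorage or window.localStorage directly), shows the JSON round trip that fixes it, and then enumerates the store the way any script running in the origin can, including one injected through XSS: there is no per-key permission, only the same-origin boundary. The sample keys and the `SENSITIVE_KEY` pattern are constructed for illustration.

```javascript
// Added example, not from the talk. makeStorage() is an assumed stand-in for the
// Web Storage interface; it exists only so the code runs outside a browser and
// reproduces the one behaviour that matters here: values are stored as strings.
function makeStorage() {
  const items = new Map();
  const api = {
    get length() { return items.size; },
    key(i) { return Array.from(items.keys())[i] ?? null; },
    getItem(k) { return items.has(String(k)) ? items.get(String(k)) : null; },
    setItem(k, v) { items.set(String(k), String(v)); },
    removeItem(k) { items.delete(String(k)); },
    clear() { items.clear(); },
  };
  // The Proxy makes `storage.insurance = checked` behave like the browser:
  // the assigned value is converted with String() before it is stored.
  return new Proxy(api, {
    get(target, prop) {
      if (prop in target) return target[prop];
      return typeof prop === 'string' && items.has(prop) ? items.get(prop) : undefined;
    },
    set(target, prop, value) { items.set(String(prop), String(value)); return true; },
  });
}

// The slide's pattern: store the checkbox state, then test it for truthiness.
function insuranceSelectedNaive(storage, checked) {
  storage.insurance = checked;        // stored as the string "true" or "false"
  return Boolean(storage.insurance);  // "false" is a non-empty string: always true
}

// Corrected pattern: serialise with JSON so the type survives the round trip.
function saveTyped(storage, key, value) {
  storage.setItem(key, JSON.stringify(value));
}
function loadTyped(storage, key, fallback) {
  const raw = storage.getItem(key);
  if (raw === null) return fallback;
  try { return JSON.parse(raw); } catch (e) { return fallback; } // tampered or legacy data
}
function insuranceSelected(storage, checked) {
  saveTyped(storage, 'insurance', checked);
  return loadTyped(storage, 'insurance', false) === true;
}

// What any script in the origin can read: the whole store, via length/key/getItem.
function enumerate(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// Review heuristic: flag keys whose names suggest credentials. The pattern is a
// guess at common naming; adjust it to the application under test.
const SENSITIVE_KEY = /token|session|passw|secret|auth/i;
function findSensitiveKeys(storage) {
  return Object.keys(enumerate(storage)).filter((k) => SENSITIVE_KEY.test(k));
}

// Constructed sample of what an offline-capable app might leave in localStorage.
function demo() {
  const local = makeStorage();
  saveTyped(local, 'draft:doc-17', { title: 'Q3 plan', body: '...' });
  local.setItem('sessionToken', 'constructed-example-token');
  local.setItem('prefs.theme', 'dark');
  return {
    naiveBug: insuranceSelectedNaive(makeStorage(), false), // true: the bug
    typedOk: insuranceSelected(makeStorage(), false),       // false: correct
    exposed: Object.keys(enumerate(local)).length,          // every key is readable
    sensitive: findSensitiveKeys(local),                    // ['sessionToken']
  };
}
```

The enumeration loop is exactly what an XSS payload would run before posting the result to an attacker's host, which is why anything that authenticates the user has no business in localStorage: the same-origin policy is the only control, and an injection on the origin is inside it.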
    • Local Databases
      - Enables structured client side data storage
      - Used when data such as emails need to be stored locally: shopping carts, documents, authentication data etc.
      - One object per origin
      - Uses SQLite databases
    • Security Issues ....
    • Access Control
      - No requirement to ask for the user's authorisation in HTML 5
      - Local objects are only protected by local OS policies
      - Cross domain requests will be supported
      - No authentication with SQLite
    • Same Origin Issues
      - Same Origin Policy based on current implementations
      - Use known vulnerabilities to access local data
      - Buxfer example
    • SQL Database Attacks
      - SQL Injection, the obvious attack?
      - Same problems we are already seeing, but on a wider scale
      - Cross Domain Read and Write capabilities
      - No size limit enforced by default (the origin's choice)
      - Google Gears guidance?
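Added example for the SQL Database Attacks slides above; it is not code from the talk. It targets the Web SQL Database API of the 2008 drafts, `openDatabase()` and `executeSql(sql, args)`, against an assumed `mails` table with `id`, `subject` and `body` columns. The vulnerable builder splices input into the statement text, so anything that controls the value rewrites the query that runs against the user's local SQLite file; the hardened builder keeps the statement constant and passes the value as a bound parameter. `queryShape()` replaces every string literal with a placeholder so you can see, and assert, whether an input changed the structure of the statement rather than just a value; the same normalisation is handy when reviewing statements captured from a client. The sample inputs are constructed.

```javascript
// Added example, not from the talk. Assumed schema: mails(id, subject, body).

// Vulnerable: the value becomes part of the statement text. Whatever controls
// `subject` (a URL parameter, a DOM-based XSS, a record synced from the server)
// can rewrite the query run against the user's local SQLite database.
function buildMailQueryUnsafe(subject) {
  return "SELECT id, body FROM mails WHERE subject = '" + subject + "'";
}

// Hardened: constant statement text, value passed as a bound parameter.
// Web SQL's executeSql(sql, args) binds each `?` from the args array.
function buildMailQuerySafe(subject) {
  return { sql: 'SELECT id, body FROM mails WHERE subject = ?', args: [subject] };
}

// Reduce a statement to its shape: every single-quoted literal becomes '?'
// (the SQL '' escape inside a literal is handled). Same shape means the
// statements differ only in values; a different shape means the input changed
// the structure, which is what injection is.
function queryShape(sql) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { out += sql[i++]; continue; }
    i++;                                   // opening quote
    while (i < sql.length) {
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { i += 2; continue; }  // '' escape
        break;
      }
      i++;
    }
    if (i >= sql.length) return out + "'<unterminated>";  // a syntax error in SQLite
    i++;                                   // closing quote
    out += "'?'";
  }
  return out;
}

// Shape of the unsafe query when the input is an ordinary value.
const EXPECTED_SHAPE = queryShape(buildMailQueryUnsafe('placeholder'));

// true when `subject` altered the statement's structure in the unsafe builder.
function inputChangesStructure(subject) {
  return queryShape(buildMailQueryUnsafe(subject)) !== EXPECTED_SHAPE;
}

// Runs the safe query against the browser's Web SQL store when that API exists.
// Returns false and does nothing in Node or in browsers without openDatabase.
function runInBrowser(subject, onRows) {
  if (typeof openDatabase !== 'function') return false;
  const db = openDatabase('mail', '1.0', 'offline mail store', 1024 * 1024);
  const q = buildMailQuerySafe(subject);
  db.transaction((tx) => {
    tx.executeSql(q.sql, q.args,
      (_tx, rs) => onRows(rs.rows),
      (_tx, err) => onRows(null, err));
  });
  return true;
}

// Constructed inputs: a benign subject, an apostrophe that breaks the unsafe
// query even without malice, and the classic tautology.
const SAMPLE_INPUTS = ['Invoice 42', "O'Brien", "' OR '1'='1"];

function demo() {
  return SAMPLE_INPUTS.map((s) => ({
    input: s,
    unsafeStructureChanged: inputChangesStructure(s),
    safeSql: buildMailQuerySafe(s).sql,  // identical for every input
  }));
}
```

Note that the apostrophe case fails the unsafe builder too: the slide's "wider scale" point is that every client now carries a SQL engine, so plain data errors and deliberate injection both end up executing on the user's machine, and the fix is the same one as on the server, bound parameters rather than escaping.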
    • Trends
      - Web application adoption increasing
      - Bringing desktop functionality to your browser
      - No longer a strict client/server model
      - Google Gears the likely winner
    • Future Work
      - More detailed research in this area
      - Whitepaper to be produced by us on this subject
      - Proof of concept exploits hosted on Security Ninja
      - Profit
    • Questions?