I'm taking pictures from here and there by googling, not mentioning all sources; please let me know if anyone has any objection. This presentation was presented in the “securITy” Information Security Conference at BASIS SoftExpo 2012.
5. What is HTML5?
Next major version of HTML.
The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.
Adds new tags and event handlers to HTML.
Many more...
HTML5 is not finished.
6. HTML5 is already here.
HTML5 TEST - http://html5test.com/
Many features are supported by the latest versions of Firefox, Chrome, Safari and Opera.
10. Same Origin Policy
The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin.
An origin is defined as the combination of
• host name,
• protocol,
• and port number.
11. The Browser “Same Origin” Policy
[Diagram: bank.com and blog.net; XHR requests, script TAGs and JS from blog.net are kept apart from bank.com's document and cookies.]
13. Some major HTML5 features
• CORS - Cross-Origin Resource Sharing
• WebSockets
• WebWorkers
• JavaScript APIs
14. Disclaimer
Today I want to show you how far an attacker can go with simple JavaScript and HTML5, so you can convince your boss to put effort into security measures.
My intention is not to make you panic.
15. Cross Origin Request (COR)
• Originally Ajax calls were subject to the Same Origin Policy
• Site A cannot make XMLHttpRequests to Site B
• HTML5 makes it possible to make these cross-domain calls: Site A can now make XMLHttpRequests to Site B as long as Site B allows it.
The response from Site B should include a header:
Access-Control-Allow-Origin: Site A
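How Site B decides what to put in that header matters: reflecting the request's Origin is the same as allowing everyone. The following is an added example (not from the slides) showing the weak reflecting form beside an allowlist check; the allowlist entry and the blog.net test origin are constructed.

```javascript
// Hypothetical allowlist of partner origins (Site A in the slide).
// A real server loads this from configuration.
const ALLOWED_ORIGINS = new Set(["https://site-a.example"]);

// Weak: reflects whatever Origin the browser sent, with credentials.
// Every origin on the internet can now read Site B's authenticated responses.
function weakCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: only an allowlisted origin is echoed back. Unknown origins
// (including "null" and a missing header) get no CORS headers at all, so
// the browser refuses to expose the response to the calling page.
function corsHeaders(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowlist.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // Tell caches the response differs per Origin, so one origin's
    // allowed response is never served to another.
    "Vary": "Origin",
  };
}
```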
27. If the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet
<script>
function natIP() {
  var w = window.location;
  var host = w.host;
  var port = w.port || 80;
  var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
  return Socket;
}
</script>
30. Port Scanning
window.onerror = err;
<script src="http://ip/"></script>
if (!msg.match(/Error loading script/))
  // ip does not exist
else
  // find internal ip
31. Blind Web Server Fingerprinting
Apache Web Server: /icons/apache_pb.gif
HP Printer: /hp/device/hp_invent_logo.gif
<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />
32. HTML5 Made it easy
www.andlabs.org/tools/jsrecon.html
Demo
34. Port Scanning: Beating protections
Blocking example for known ports (Firefox, WebSockets and CORS)
➔ http://example.com:22
Workaround!
➔ ftp://example.com:22
It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari.
Based on timeouts, it can be configured.
WTFun
36. Self-triggering XSS exploits with HTML5
A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS:
<input type="text" value="->Injecting here" onmouseover="alert('Injected val')">
• HTML5 turns this into self-triggering XSS:
<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>
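The fix on the server side is the same for both variants: the value must be attribute-encoded before it is placed inside the quotes. This added example (not from the slides) renders a constructed copy of the slide's injected value raw and encoded, and uses a minimal attribute tokeniser to show which attributes the resulting tag actually carries.

```javascript
// Constructed untrusted input: closes the value attribute and appends the
// slide's self-triggering handler.
const INJECTED = 'Injecting here" onfocus="alert(\'Injected value\')" autofocus x="';

// Vulnerable: raw concatenation into a quoted attribute.
function renderInputVulnerable(value) {
  return `<input type="text" value="${value}">`;
}

// Encode the characters that can terminate a quoted attribute or open a tag.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, encoded value. The whole payload stays inside
// the value attribute as inert text.
function renderInputSafe(value) {
  return `<input type="text" value="${escapeAttr(value)}">`;
}

// Minimal attribute tokeniser (approximating how the HTML parser splits a
// start tag) so we can list the attribute names a tag really has.
function attributeNames(tag) {
  const re = /\s([a-zA-Z][\w-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}
```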
43. The OWASP Foundation
http://www.owasp.org
Cross-Site Request Forgery
[Diagram: the attacker’s post at blog.net makes the victim’s browser send https://bank.com/fn?param=1 requests to bank.com, reproducing the steps Go to Transfer Assets, Select FROM Fund, Select TO Fund, Select Dollar Amount, Submit Transaction, Confirm Transaction.]
44. Demo
XSS & CSRF - Killer Combo
Programmers Prepare, Users Beware
<form method="POST" name="form0" action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
  <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
  <input type="hidden" name="blog_entry" value="This is come from CSRF"/>
  <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>
45. How Does CSRF Work?
Tags
<img src="https://bank.com/fn?param=1">
<iframe src="https://bank.com/fn?param=1">
<script src="https://bank.com/fn?param=1">
Autoposting Forms
<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
</form>
XmlHttpRequest
Subject to same origin policy
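What stops the auto-posting form above, and the demo form with its fixed "SecurityIsDisabled" token, is a server-side check that the request came from the site itself and carries the per-session token. This added example (not from the slides, OWASP or Mutillidae) implements that check; the request and session object shapes are hypothetical, not any framework's API.

```javascript
// The site being protected (the slide's example site).
const SITE_ORIGIN = "https://bank.com";

// Compare two strings without stopping at the first differing byte, so
// comparison time does not reveal how many leading bytes of the token matched.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Derive the requesting origin from Origin (preferred) or Referer.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  try { return headers.referer ? new URL(headers.referer).origin : null; }
  catch (_) { return null; }
}

// req = { method, headers: { origin?, referer? }, body: { "csrf-token"? } }
// session = { csrfToken } where csrfToken is a random secret the server
// issued to this session and embedded in its own forms.
function validateCsrf(req, session) {
  const method = String(req.method).toUpperCase();
  if (method === "GET" || method === "HEAD" || method === "OPTIONS") {
    return { ok: true, reason: "safe method" }; // and GET must never change state
  }
  // Browsers attach Origin to cross-site POSTs and page script cannot forge
  // it, so a form auto-submitted from blog.net arrives with a foreign origin.
  if (requestOrigin(req.headers) !== SITE_ORIGIN) {
    return { ok: false, reason: "origin mismatch" };
  }
  // Synchronizer token: must equal the per-session secret. A fixed sentinel
  // like the demo's "SecurityIsDisabled" never matches a random token.
  const submitted = req.body ? req.body["csrf-token"] : undefined;
  if (!session || !constantTimeEqual(submitted, session.csrfToken)) {
    return { ok: false, reason: "bad csrf token" };
  }
  return { ok: true, reason: "ok" };
}
```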
46. What Can Attackers Do with CSRF?
Anything an authenticated user can do
• Click links
• Fill out and submit forms
• Follow all the steps of a wizard interface
47. Using CSRF to Attack Internal Pages
[Diagram: a TAG on attacker.com makes the internal browser send a CSRF request to internal.mybank.com; the internal site allows it.]
48. Web Workers
Web Workers provide the possibility for JavaScript to run in the background.
Web Workers alone are not a security issue.
But they can be used indirectly for launching work intensive attacks without the user
noticing it.
http://www.andlabs.org/tools/ravan.html
50. Web Storage Vuln. & Threats
Session Hijacking
• If the session identifier is stored in local storage, it can be stolen with JavaScript.
• No HttpOnly flag.
Disclosure of Confidential Data
• If sensitive data is stored in local storage, it can be stolen with JavaScript.
User Tracking
• Additional possibility to identify a user.
Persistent attack vectors
• An attacker’s payload can be stored persistently in the user’s browser.
54. In summary
Web Worker = Cracking hashes in a JS cloud
Web Worker + Cross-origin resource sharing = Powerful DDoS attacks
Web Worker + Cross-origin resource sharing + WebSocket = Web-based botnet
55. Is HTML5 hopelessly (in)secure?
Ahem, no... Security has been a major consideration in the design of the specification, but it is incredibly hard to add features to any technology without increasing the possibility of abuse.
Because we are the security guys here, we care about the second part.
Before going to HTML5
See Also: http://taossa.com/index.php/2007/02/08/same-origin-policy/
If the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet requirement and invoke a Java socket directly from JavaScript space. The net effect of these two techniques is more or less the same.