I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in “securITy” Information Security Conference at BASIS SoftExpo 2012

1. Everybody loves html5,
h4ck3rs too

2. ~#Whoami
2
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Senior Software Engineer, KAZ Software Ltd.
Security Enthusiastic

3. Which part you care
Everybody loves html5…Well
h4ck3rs too… What!!!
3

4. 4

5. What is HTML5
 Next major version of HTML.
 The Hypertext Markup Language version 5
(HTML5) is the successor of HTML 4.01,
XHTML 1.0 and XHTML 1.1
 Adds new tags, event handlers to HTML.
Many more….
 HTML5 is not finished
5

6. HTML5 is already here.
HTML5 TEST - http://html5test.com/
6
Many features
supported by
latest versions of
FireFox, Chrome,
Safari and Opera
.

7. Standard web model

8. HTML5 OVERVIEW
Web
sockets
COR
Iframe
Sandboxing
Web Messaging

9. WEB BROWSER
SECURITY MODELS
The same origin policy
The cookies security mode
The Flash security model/SandBox

10. Same Origin Policy
The same origin policy prevents document or script
loaded from one origin, from getting or setting
properties from a of a document from a different
origin.
An origin is defined as the combination of
• host name,
• protocol,
• and port number;

11. The Browser “Same Origin” Policy
11
bank.com
blog.net
XHR
XHR
document,
cookies
TAG
TAG
JS

12. What Happens if the Same
Origin Policy Is Broken?

13. Some major HTML5 feature
• CORS-Cross-Origin Resource Sharing
• WebSockets
• WebWorkers
• Javascript APIs
13

14. Today I want to show you
how far an attacker go
with simple JavaScript and html5
So you can convince your boss
to give effort on security measure
My intention is not make you panic
Disclaimer

15. 15
Cross Origin Request (COR)
• Originally Ajax calls were subject to Same Origin
Policy
• Site A cannot make XMLHttpRequests to Site B
• HTML5 makes it possible to make these cross do
main
• Calls site A can now make XMLHttpRequests
to Site B as long as Site B allows it.
Response from Site B should include a header:
Access ‐Control ‐Allow‐Origin: Site A

16. 16
Cross-Origin Resource Sharing
<allow-access-from domain="*">

17. The OWASP Foundation
http://www.owasp.org
CORS-Cross-Origin Resource Sharing
Why programmer happy?
Lets see from attacker view

18. XSS-Cross Site Scripting
18

19. Demo
19

20. xss attack vector
20

21. Impact of xss
History Stealing
Intranet Hacking
XSS Defacements
DNS pinning
IMAP3
MHTML
Hacking JSON
Cookie stealing
Clipboard stealing

22. Cookie stealing
Pr3venting

23. XSS Defacements

24. If you still cannot manage your boss
More Evil use
I do not care
Show me how my
org is effected

25. Attacking intranet
25

26. Obtaining NAT’ed IP
Addresses
Java
applet
Java
applet
Java
applet

27. If the victim’s Web browser is a Mozilla/Firefox, it’s
possible to skip the applet
27
<script>
function natIP() {
var w = window.location;
var host = w.host;
var port = w.port || 80;
var Socket = (new
java.net.Socket(host, port)).getLocalAddress().getHostAddress();
return Socket;
}
</script>

28. Demo
Not only NAT’ed IP ,You can lots more
system info
28

29. Port Scanning
29
O’ Really

30. Port Scanning
window.onerror = err;
<script src=http://ip/></script>
if (! msg.match(/Error loading script/))
//ip does not exit’s
Else
Find internal ip

31. Blind Web Server Fingerprinting
Apache Web Server /icons/apache_pb.gif
HP Printer /hp/device/hp_invent_logo.gif
<img src="http://intranet_ip/unique_image_url"
onerror="fingerprint()" />

32. HTML5 Made it easy
32
www.andlabs.org/tools/jsrecon.html
Demo

33. What just happed
33

34. Port Scanning: Beating protections
Blocking example for known ports
(Firefox, WebSockets and CORS)
➔ http://example.com:22
Workaround!
➔ ftp://example.com:22
It works on Internet Explorer, Mozilla Firefox,
Google Chrome and Safari
Based on timeouts, it can be configured
34
WTFun

35. 35
Port Scanning: result

36. Self‐triggering XSS exploits with
HTML5
A common XSS occurrence is injection inside some
attribute of INPUT tags. Current techniques require
user interaction to trigger this XSS
<input type="text" value="‐>Injecting here"
onmouseover="alert('Injected val')">
• HTML5 turns this in to self ‐triggering XSS
<input type="text” value="‐‐>Injecting here"
onfocus="alert('Injected value')"
autofocus>
36

37. Black‐list XSS filters
Html5 introduce many new tag
37

38. How your browser
become a proxy of an
attacker?
38
http://erlend.oftedal.no/blog/?blogid=107

39. The OWASP Foundation
http://www.owasp.org
CSRF(Cross-Site Request
Forgery)
The Sleeping Giant

40. Victim logon to bank.com

41. The OWASP Foundation
http://www.owasp.org
Converting POST to
GET

42. The OWASP Foundation
http://www.owasp.org
Credentials Included
bank.com
blog.net
https://bank.com/fn?param=1
JSESSIONID=AC934234…

43. The OWASP Foundation
http://www.owasp.org
Cross-Site
Request Forgery
bank.com
attacker’s post at blog.net
Go to Transfer Assets
https://bank.com/fn?param=1Select FROM Fund
https://bank.com/fn?param=1Select TO Fund
https://bank.com/fn?param=1Select Dollar Amount
https://bank.com/fn?param=1Submit Transaction
https://bank.com/fn?param=1Confirm Transaction
https://bank.com/fn?param=1

44. The OWASP Foundation
http://www.owasp.org
Demo
XSS & CSRF- Killer Combo
Programmers Prepare, Users Beware
<form method="POST" name="form0"
action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
<input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
<input type="hidden" name="blog_entry" value="This is come from CSRF"/>
<input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>

45. The OWASP Foundation
http://www.owasp.org
How Does CSRF Work?
Tags
<img src=“https://bank.com/fn?param=1”>
<iframe src=“https://bank.com/fn?param=1”>
<script src=“https://bank.com/fn?param=1”>
Autoposting Forms
<body onload="document.forms[0].submit()">
<form method="POST" action=“https://bank.com/fn”>
<input type="hidden" name="sp" value="8109"/>
</form>
XmlHttpRequest
Subject to same origin policy

46. What Can Attackers Do with CSRF?
46
Anything an authenticated user can do
• Click links
• Fill out and submit forms
• Follow all the steps of a wizard interface

47. Using CSRF to Attack Internal Pages
47
attacker.com
internal.mybank.com
Allow
ed!
CSRF
Intern
al Site
TAG
internal browser

48. Web Workers
 Web Workers provide the possibility for JavaScript to run in the background.
 Web Workers alone are not a security issue.
 But they can be used indirectly for launching work intensive attacks without the user
noticing it.
48
http://www.andlabs.org/tools/ravan.html

49. Web Storage
49

50. Web Storage Vuln. & Threats
Session Hijacking
• If session identifier is stored in local storage, it can be stolen with JavaScript.
• No HTTPOnly flag.
Disclosure of Confidential Data
• If sensitive data is stored in the local storage, it can be stolen with JavaScript.
User Tracking
• Additional possibility to identify a user.
Persistent attack vectors
• Attacker can be store persistently on the user browser
50

51. Offline Web Application
51
Cache Poisoning
• Caching of the root directory
possible.
• HTTP and HTTPs caching possible.

52. 52
Ok Enough, Just tell
me can attacker Get a
remote (Control)shell
of my PC??

53. Infection method known as Drive by
download
53

54. In summary
54
Web Worker Cracking Hashes in JS Cloud=
Web
Worker
Cross-origin
resource
sharing
+ = Powerful DDoS attacks
Web
Worker +
Cross-origin
resource
sharing
+
Web
socket = Web-based Botnet.

55. Is HTML5 hopelessly
(in)secure?
Ahem no…but security has been a major
consideration in the design of the
specification But it is incredibly hard to
add features in any technology without
increasing the possibility of abused.
55

56. Reference
 Compass Security AG
 http://userguidepdf.info/html5-web-
security-v1.html
 http://html5sec.org
 https://www.owasp.org/index.php/HTML5_Sec
urity_Cheat_Sheet
 http://dev.w3.org/html5/spec/Overview.html
56

57. 57
Twitter:@nahidupa
Be secure & safe
HTML5 make everybody happy including h4ck3rs and make security professional busy.