Introduction to HTML5 security

Speaker: luke
Outline
• What is HTML5

• Web Security related to HTML5

• Conclusion & looking forward
HTML5
• New version of HTML: HTML5 + CSS3 + JavaScript, compared with XML and XHTML

• Specification design
      WHATWG (Apple, Mozilla, Google, Opera), founded in 2004
      W3C
      IETF
• Still in progress
     http://www.html5test.com/
What's in HTML5
• New tags: <button>, <canvas>, <audio>, <video>
• New tag attributes: autocomplete, autofocus, pattern (regex validation)
• New form controls for date, time, email
• Geolocation (demo: http://html5demos.com/geo)
• Client-side storage: localStorage, sessionStorage and WebSQL
  (demo: http://html5demos.com/database-rollback)

• WebSockets: a new way of communicating
• WebWorkers: allow multithreaded JavaScript in the background
What's out in HTML5
• Presentational elements: <font>, <center>
• Presentational attributes and frames: align, border, <frame>, <frameset>
• Old special effects: <marquee>, <bgsound>

    Follow the rule:
    presentation and content are separated
Security Issues in HTML5
Basic ideas about the new vulnerabilities
• New security problems appear because new methods are brought into web applications

• The fundamental security issues of web applications have not changed

• New issues have been found that are worth investigating
Security concern 1: client
Attack surface: client-side

     • client-side and offline storage

     • allows a greater amount of data to be stored on the client
Security concern 2: WebSQL
• Brings SQL to the client-side
• Core methods:
  – openDatabase("Database name", "Database version", "Database description", estimatedSize)
  – db.transaction(function (tx) { tx.executeSql("SQL statement"); })
• The usual attacks, XSS and SQL injection, can be used here.
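The client-side SQL injection named above, as an added example that is not from the slides: the same lookup issued through a WebSQL transaction with the value spliced into the SQL text versus passed as a bound parameter. A fake transaction object records what executeSql receives, so it runs without a browser database.

```javascript
// Added example, not from the slides. makeFakeTx, findNoteUnsafe, findNoteSafe
// and demo are hypothetical helpers; ATTACKER_INPUT is a constructed sample.
const ATTACKER_INPUT = "x' OR '1'='1";

// Stand-in for the tx object WebSQL passes to db.transaction(callback):
// it records every executeSql(sql, args) call instead of running it.
function makeFakeTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args) { calls.push({ sql, args: args || [] }); },
  };
}

// Vulnerable: untrusted data is concatenated into the statement, so the
// quote in ATTACKER_INPUT ends the string literal and the rest becomes SQL.
function findNoteUnsafe(tx, title) {
  tx.executeSql("SELECT body FROM notes WHERE title = '" + title + "'");
}

// Hardened: the value goes in the argument array and is bound by the engine,
// so whatever it contains can only ever be compared as data.
function findNoteSafe(tx, title) {
  tx.executeSql("SELECT body FROM notes WHERE title = ?", [title]);
}

// Run both against the same input and return what each one sent to the engine.
function demo() {
  const unsafe = makeFakeTx();
  const safe = makeFakeTx();
  findNoteUnsafe(unsafe, ATTACKER_INPUT);
  findNoteSafe(safe, ATTACKER_INPUT);
  return {
    unsafeSql: unsafe.calls[0].sql,
    safeSql: safe.calls[0].sql,
    safeArgs: safe.calls[0].args,
  };
}
```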
Security concern 3: Application cache
• Useful for offline browsing speed and for reducing server load
• The size limit for cached data per site: 5MB
• Example 1, enabling the application cache:
  <html manifest="example.manifest">
  …..
  </html>
• Example 2, updating the application cache:
  applicationCache.addEventListener('checking', updateCacheStatus, false);

• Poisoning the application cache
         • Any website can create a cache in the client
         • Any file can be cached, even in the / root directory
Security concern 4: HTML5 sandbox
• The sandbox is used to protect a website from third-party content:
 <iframe src="untrusted.html" sandbox></iframe>

• It can also be used in a clickjacking attack:
  <iframe sandbox="allow-same-origin allow-forms allow-scripts">
Security concern 5: CORS
• CORS (Cross-Origin Resource Sharing)
• Allows cross-domain AJAX:
   var xhr = new XMLHttpRequest();
   xhr.open("POST", "http://victim", true);
   xhr.setRequestHeader("Content-Type", "text/plain");
   xhr.withCredentials = true; // send cookies
   xhr.send("Anything I want");

• Silent file upload:
     function fileUpload(url, fileData, fileName) {
       var fileSize = fileData.length,
           boundary = "xxxxxxxxxxxx",
           xhr = new XMLHttpRequest();
       xhr.open("POST", url, true);
       xhr.withCredentials = true; // send cookies
       xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary);
       xhr.setRequestHeader("Content-Length", fileSize); // browsers ignore this forbidden header
       // the slide ends here; assembling the multipart body and calling xhr.send() are not shown
     }
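The server side of the two requests above, as an added example that is not from the slides: why a text/plain POST arrives without a preflight, and how a server should answer the Origin header so that credentialed cross-origin calls are only honoured for an allowlist. isSimpleRequest, corsHeadersFor and handleTransfer are hypothetical helpers and ALLOWED_ORIGINS is a constructed sample.

```javascript
// Added example, not from the slides. Helpers are hypothetical; the allowlist
// is a constructed sample.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// A "simple" request is sent with no preflight OPTIONS: GET, HEAD or POST with
// a form-urlencoded, multipart or text/plain body. The slide's text/plain POST
// therefore reaches the server, cookies included, before any CORS check runs.
function isSimpleRequest(method, contentType) {
  const m = method.toUpperCase();
  if (!["GET", "HEAD", "POST"].includes(m)) return false;
  if (m !== "POST" || contentType === undefined) return true;
  const mediaType = contentType.split(";")[0].trim().toLowerCase();
  return ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]
    .includes(mediaType);
}

// CORS response headers for an incoming Origin. Only allowlisted origins are
// echoed back; the origin must be explicit when credentials are allowed
// (browsers reject "*" together with credentials), and Vary: Origin stops a
// shared cache from replaying one origin's answer to another.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// A state-changing endpoint. CORS only decides whether the caller may READ the
// response; a simple POST has already executed by then, so the handler must
// reject unknown origins itself (or require a CSRF token) before doing the work.
function handleTransfer(headers) {
  const origin = headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: "cross-site request rejected" };
  }
  return { status: 200, headers: corsHeadersFor(origin), body: "transfer done" };
}
```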
Demo
Allow cross-domain AJAX:
http://victim.kotowicz.net/crossdomain-upload/vuln/index.php
http://attacker.kotowicz.net/crossdomain-upload/evil/upload.html

Silent file upload:
http://kotowicz.net/wu/
http://attacker.kotowicz.net/wu/evil.html
Security concern 5: clickjacking
Clickjacking, also called UI redressing:
 <iframe src="outer.html" width=20 height=20 scrolling=no style="opacity:0;"></iframe>

 <!-- outer.html -->
 <iframe src="//victim" width=5000 height=5000 style="position: absolute; top: -300px; left: -350px;"></iframe>
Security concern 5: clickjacking
Most Alexa top 500 websites use frame busting to protect against clickjacking:
         if (top != self)
         if (top.location != self.location)

This can be easily bypassed in HTML5: a sandboxed frame without allow-scripts never runs the busting script at all.

    <iframe sandbox src="//victim"></iframe>

Script-based frame busting is therefore not a reliable control; the X-Frame-Options response header covered by the OWASP Clickjacking guide in the references is enforced by the browser whether or not the frame is sandboxed.
Security concern 5: XSS
New tags and new attributes cause XSS:

   <video onerror="javascript:alert(1)"><source>
   <audio onerror="javascript:alert(1)"><source>

Before HTML5, an injected handler still needed the user to interact:
<input type="text" value="-->Injecting here" onmouseover="alert('Injected value')">
With HTML5, autofocus fires the handler with no interaction at all:
<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>
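The attribute injection above, as an added example that is not from the slides: the injected value rendered by a naive template and by one that encodes attribute values, with two small checks showing what a parser would see in each case. encodeAttr, renderInputUnsafe, renderInputSafe, hasEventHandler and countAttributes are hypothetical helpers; INJECTED is the slide's payload as it would arrive in a request parameter (constructed sample input).

```javascript
// Added example, not from the slides. Helpers are hypothetical; INJECTED is a
// constructed sample reproducing the slide's payload.
const INJECTED = "-->Injecting here\" onfocus=\"alert('Injected value')\" autofocus";

// Encode the five characters that can change meaning inside a quoted attribute.
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw value is spliced in, so its embedded quote closes the
// value attribute and onfocus / autofocus become real attributes of the tag.
function renderInputUnsafe(value) {
  return '<input type="text" value="' + value + '">';
}

// Hardened: the value is encoded for the attribute context, so the quote can
// never close the attribute and the tag keeps only the template's attributes.
function renderInputSafe(value) {
  return '<input type="text" value="' + encodeAttr(value) + '">';
}

// True when the tag text contains a quoted on* handler attribute.
function hasEventHandler(tag) {
  return /\son[a-z]+=["']/i.test(tag);
}

// Number of quoted name="..." attributes a parser would see in the tag.
function countAttributes(tag) {
  return (tag.match(/\s[a-zA-Z-]+="[^"]*"/g) || []).length;
}
```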
Security concern 5: Drag and Drop API

<div draggable="true"
ondragstart="event.dataTransfer.setData('text/plain', 'Evil data')">
<h3>DRAG ME!!</h3>
</div>
Security concern 6: HTML5 shell
(Diagram on the slide: the "Shell of the Future" flow between the pentester's browser, the proxy, the web server, the victim's browser and www.google.com.)
1. The pentester's browser sends GET http://www.google.com to the proxy, which sends the request to the web server.
2. The web server sends the request to the shell running in the victim's browser.
3. The victim's browser requests http://www.google.com from the Google web server.
4. The Google web server responds with the HTML for its homepage.
5. The shell sends the response body to the web server, which sends it to the proxy.
6. The proxy sends the Google home page to the pentester's browser.
Security concern 7: network reconnaissance
Cross-domain XMLHttpRequests and WebSockets: the time until the request fails reveals the port status

       Port status                   WebSocket    COR (cross-origin XHR)
       Open (application type 1&2)   <100ms       <100ms
       Closed                        ~1000ms      ~1000ms
       Filtered                      >30000ms     >30000ms
Security concern 8: HTML5 botnets
Web Workers are a threading model for JavaScript: background JavaScript threads started from page script.
Botnet creation:
       • WebWorkers can send cross-domain XMLHttpRequests even though the remote website does not support it.
       • Reaching out to victims
       • Extending execution lifetime
A test showed that even a small botnet of just around 600 zombies can send around …

HTML5 botnet based attacks:
       • Application-level DDoS attacks
       • Email spam
       • Distributed password cracking
Distributed password cracking
It is easy to launch a password cracker under HTML5: Ravan, http://www.andlabs.org/tools/ravan.html
Tests show that one browser can observe password guessing rates of 100,000 MD5/second in JavaScript, 100-115 times slower than native code (like LC5), but if you control 100 zombies it has the same cracking rate.
(Diagram on the slide: the Ravan master submits the hash and manages the cracking through the Ravan web backend; the work farm gets work from the backend and submits results back to it.)
Top 10 risks in HTML5
1.  Clickjacking & phishing by mixing layers and iframes
2.  CSRF and leveraging CORS to bypass the SOP
3.  Attacking WebSQL and client-side SQL injection
4.  Stealing information from storage and global variables
5.  HTML5 tag abuse and XSS
6.  HTML5 and DOM-based XSS and redirects
7.  DOM injections and hijacking with HTML5
8.  Abusing thick-client features
9.  Using WebSockets for stealth attacks
10. Abusing WebWorker functionality
Conclusion
• HTML5, DOM Level 3 and XHR Level 2, driven by JavaScript, are involved in creating the next generation of applications

• As people rely heavily on the web browser, more features will be brought into HTML5

• More enhanced features in HTML5 will bring more threats and challenges

• More security issues will be discovered in the future
Reference
[1] HTML5 Security CheatSheet - http://code.google.com/p/html5security/
[2] Shell of the Future - http://www.andlabs.org/tools.html#sotf
[3] Next Generation Clickjacking - http://www.contextis.co.uk/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf
[4] OWASP ClickJacking Guide - http://www.owasp.org/index.php/Clickjacking
[5] http://html5sec.org/
[6] Hacking Facebook with HTML5 - http://m-austin.com/blog/?p=19
[7] http://html5demos.com
[8] https://www.owasp.org/index.php/Clickjacking
[9] http://www.andlabs.org/
Thanks for listening

             Any suggestions and comments are welcome