Everybody loves html5,h4ck3rs too
Slide 2: ~#Whoami
Nahidul Kibria
Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd.
Security enthusiast
Slide 3: Which part do you care about?
Everybody loves html5… Well
h4ck3rs too… What!!!
Slide 5: What is HTML5?
Next major version of HTML.
The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.
Adds new tags and event handlers to HTML, and many more features.
HTML5 is not finished.
Slide 6: HTML5 is already here.
HTML5 TEST - http://html5test.com/
Many features are supported by the latest versions of Firefox, Chrome, Safari and Opera.
Slide 7: Standard web model
Slide 8: HTML5 OVERVIEW
Web sockets
COR
Iframe sandboxing
Web Messaging
Slide 9: WEB BROWSER SECURITY MODELS
The same origin policy
The cookie security model
The Flash security model / sandbox
Slide 10: Same Origin Policy
The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document loaded from a different origin.
An origin is defined as the combination of
• host name,
• protocol,
• and port number.
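The three-part origin comparison above, as an added example that is not part of the slides: it computes the (scheme, host, port) tuple the browser compares and reports which of the bank.com / blog.net pairings the policy lets through. The URLs are constructed for the example.

```javascript
// Added example, not from the slides: compute the origin tuple the browser's
// same-origin policy compares (scheme, host, port) and decide whether two
// documents may touch each other's DOM, cookies or XHR responses.
// Default ports are normalised so http://bank.com and http://bank.com:80 agree.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function originOf(urlString) {
  const u = new URL(urlString);                 // throws on malformed input
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Serialise for display (or as an Access-Control-Allow-Origin value).
function originString(urlString) {
  const o = originOf(urlString);
  return `${o.scheme}//${o.host}:${o.port}`;
}

// Constructed cases mirroring the bank.com / blog.net picture on slide 11.
const CASES = [
  ['http://bank.com/account', 'http://bank.com:80/transfer'],   // same origin
  ['http://bank.com/account', 'https://bank.com/account'],      // scheme differs
  ['http://bank.com/account', 'http://bank.com:8080/account'],  // port differs
  ['http://bank.com/account', 'http://api.bank.com/account'],   // host differs (a subdomain is a different origin)
  ['http://bank.com/account', 'http://blog.net/post'],          // different site entirely
];

function report() {
  return CASES.map(([a, b]) => `${a} vs ${b}: ${sameOrigin(a, b) ? 'same origin' : 'blocked'}`);
}

report().forEach(line => console.log(line));
```

Only the first pairing is allowed; everything else, including a subdomain of the same site, is blocked unless one of the HTML5 relaxations discussed later (CORS, Web Messaging) is explicitly enabled.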
Slide 11: The Browser “Same Origin” Policy
(Diagram: bank.com and blog.net; labels XHR, document, cookies, TAG, JS showing which cross-origin accesses are blocked.)
Slide 12: What Happens if the Same Origin Policy Is Broken?
Slide 13: Some major HTML5 features
• CORS - Cross-Origin Resource Sharing
• WebSockets
• WebWorkers
• JavaScript APIs
Slide 14: Disclaimer
Today I want to show you how far an attacker can go with simple JavaScript and HTML5, so you can convince your boss to put effort into security measures. My intention is not to make you panic.
Slide 15: Cross Origin Request (COR)
• Originally Ajax calls were subject to the Same Origin Policy
• Site A cannot make XMLHttpRequests to Site B
• HTML5 makes it possible to make these calls cross-domain
• Site A can now make XMLHttpRequests to Site B as long as Site B allows it.
The response from Site B should include a header:
Access-Control-Allow-Origin: Site A
Slide 16: Cross-Origin Resource Sharing
<allow-access-from domain="*">
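The "as long as Site B allows it" step from slide 15 and the wildcard on slide 16, as an added example that is not part of the slides: server-side logic that decides which Access-Control-Allow-Origin header to emit. The allow-list and the origins are constructed for the example; the function names are my own.

```javascript
// Added example, not from the slides: server-side CORS decision logic.
// ALLOWED_ORIGINS is an assumed configuration value; origins are constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Returns the CORS response headers for a vetted origin, or null when the
// browser should be left to block the read (no ACAO header at all).
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string') return null;   // same-origin or non-browser client: nothing to add
  let parsed;
  try { parsed = new URL(requestOrigin); } catch (e) { return null; }
  const origin = parsed.origin;                          // canonical scheme://host[:port], path stripped
  if (!allowed.has(origin)) return null;                 // exact match, never substring or regex matching
  return {
    'Access-Control-Allow-Origin': origin,               // the vetted value; '*' cannot be combined with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                                    // stop shared caches replaying one origin's header to another
  };
}

// The wildcard the slide shows. Browsers refuse to attach cookies to a '*'
// response, so it only exposes data that was already public, but it is the
// wrong setting for anything authenticated.
function wildcardHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Preflight and actual request handling, returning {status, headers} so it
// can be checked without a socket; wire into http.createServer as needed.
function handleCors(method, headers, allowed = ALLOWED_ORIGINS) {
  const cors = corsHeadersFor(headers.origin, allowed);
  if (headers.origin !== undefined && cors === null) {
    return { status: 403, headers: {} };                 // foreign origin: refuse outright
  }
  if (method === 'OPTIONS') {
    return {
      status: 204,
      headers: { ...cors, 'Access-Control-Allow-Methods': 'GET, POST', 'Access-Control-Allow-Headers': 'Content-Type' },
    };
  }
  return { status: 200, headers: { ...cors } };
}

console.log(handleCors('POST', { origin: 'https://app.example.com' }));
console.log(handleCors('POST', { origin: 'https://app.example.com.evil.net' }));
```

The exact-match lookup on the parsed `origin` is the important detail: a check like `origin.startsWith('https://app.example.com')` would also accept `https://app.example.com.evil.net`.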
Slide 17: CORS - Cross-Origin Resource Sharing
The OWASP Foundation http://www.owasp.org
Why is the programmer happy?
Let's see it from the attacker's view.
Slide 18: XSS - Cross Site Scripting
Slide 19: Demo
Slide 20: XSS attack vector
Slide 21: Impact of XSS
• History stealing
• Intranet hacking
• XSS defacements
• DNS pinning
• IMAP3
• MHTML
• Hacking JSON
• Cookie stealing
• Clipboard stealing
Slide 22: Cookie stealing
Pr3venting
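On the prevention side of cookie stealing, as an added example that is not part of the slides: a small audit of Set-Cookie headers for the flags that keep a session cookie out of reach of injected script (HttpOnly, referenced again on slide 50) and off cross-site requests, plus a builder for a hardened session cookie. The header strings and the session-cookie name list are constructed for the example.

```javascript
// Added example, not from the slides: audit Set-Cookie headers for the flags
// that blunt cookie stealing, and build a hardened session cookie.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Common framework defaults; assumed list, extend for your own session cookie name.
const SESSION_COOKIE_NAMES = ['JSESSIONID', 'PHPSESSID', 'ASP.NET_SessionId', 'sessionid'];

function auditSetCookie(header, sessionNames = SESSION_COOKIE_NAMES) {
  const { name, attributes } = parseSetCookie(header);
  const isSession = sessionNames.some(s => s.toLowerCase() === name.toLowerCase());
  const findings = [];
  if (!('httponly' in attributes)) {
    findings.push('missing HttpOnly: document.cookie exposes it, so any XSS can exfiltrate it');
  }
  if (!('secure' in attributes)) {
    findings.push('missing Secure: also sent over plain HTTP');
  }
  const sameSite = String(attributes.samesite || 'none').toLowerCase();
  if (sameSite === 'none') {
    findings.push('SameSite not restrictive: cookie is attached to cross-site requests (CSRF)');
  }
  if (isSession && findings.length > 0) {
    findings.unshift(`session cookie ${name} is weakly protected`);
  }
  return { name, isSession, findings };
}

// The corrected setting: every flag the audit looks for.
function secureSessionCookie(name, value, maxAgeSeconds = 1800) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed headers: a JSESSIONID like the one on slide 42 as a careless
// server might set it, and a harmless preference cookie.
const SAMPLE_HEADERS = [
  'JSESSIONID=AC934234; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(h => auditSetCookie(h));
}

auditAll().forEach(r => console.log(r.name, r.findings));
console.log(auditSetCookie(secureSessionCookie('JSESSIONID', 'AC934234')).findings); // []
```

HttpOnly does not stop an XSS from using the session while the victim's tab is open (the injected script can still make authenticated requests), but it does stop the cookie value itself from being copied out, which is what the slide's "cookie stealing" refers to.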
Slide 23: XSS Defacements
Slide 24: If you still cannot manage your boss: more evil uses
“I do not care. Show me how my org is affected.”
Slide 25: Attacking the intranet
Slide 26: Obtaining NAT’ed IP Addresses
Java applet
Slide 27: If the victim’s web browser is Mozilla/Firefox, it is possible to skip the applet
<script>
function natIP() {
  var w = window.location;
  var host = w.host;
  var port = w.port || 80;
  // LiveConnect: older Firefox exposed the java.* packages to page script, so a
  // socket back to the page's own host reveals the browser's local (NAT'ed) address.
  // Modern Firefox no longer provides this bridge.
  var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
  return Socket;
}
</script>
Slide 28: Demo
Not only the NAT’ed IP: you can get lots more system info.
Slide 29: Port Scanning
O’ Really
Slide 30: Port Scanning
window.onerror = err;
<script src="http://ip/"></script>
function err(msg) {
  if (!msg.match(/Error loading script/)) {
    // ip does not exist
  } else {
    // found an internal ip
  }
}
Slide 31: Blind Web Server Fingerprinting
Apache Web Server: /icons/apache_pb.gif
HP Printer: /hp/device/hp_invent_logo.gif
<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />
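Seen from the intranet server's side, the image probe above leaves a trace: an internal host serving /icons/apache_pb.gif to an internal browser whose Referer is an external page. As an added example that is not part of the slides, here is detection logic over access-log lines for exactly that pattern. The log lines, the internal DNS suffix and the probe-path list are constructed for the example; the probe paths are the two the slide names.

```javascript
// Added example, not from the slides: flag blind-fingerprinting probes in an
// intranet web server's access log. The client IP on a hit is the victim's
// browser, which the external page is driving; the Referer names that page.
const PROBE_PATHS = new Set(['/icons/apache_pb.gif', '/hp/device/hp_invent_logo.gif']);
const INTERNAL_SUFFIXES = ['.corp.example'];   // assumed internal DNS suffix

// Combined log format: client ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6] };
}

function refererIsInternal(referer) {
  if (!referer || referer === '-') return true;   // direct navigation or stripped Referer: no evidence
  try {
    const host = new URL(referer).hostname;
    return INTERNAL_SUFFIXES.some(s => host.endsWith(s));
  } catch (e) {
    return false;                                   // malformed Referer is treated as external
  }
}

function findFingerprintProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    if (PROBE_PATHS.has(entry.path) && !refererIsInternal(entry.referer)) {
      hits.push({ client: entry.client, path: entry.path, referer: entry.referer, status: entry.status });
    }
  }
  return hits;
}

// Constructed sample log: one legitimate wiki hit, two probes driven from an
// external blog page, one unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Oct/2012:13:55:36 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://wiki.corp.example/" "Mozilla/5.0"',
  '10.0.0.7 - - [10/Oct/2012:13:55:40 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://blog.net/post?id=7" "Mozilla/5.0"',
  '10.0.0.7 - - [10/Oct/2012:13:55:41 +0000] "GET /hp/device/hp_invent_logo.gif HTTP/1.1" 404 208 "http://blog.net/post?id=7" "Mozilla/5.0"',
  '10.0.0.9 - - [10/Oct/2012:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

findFingerprintProbes(SAMPLE_LOG).forEach(h => console.log(h));
```

A 404 counts as much as a 200: the probe only needs the error versus success distinction, so the detection keys on the path and the Referer rather than on the status.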
Slide 32: HTML5 made it easy
www.andlabs.org/tools/jsrecon.html
Demo
Slide 33: What just happened?
Slide 34: Port Scanning: Beating protections
Blocking example for known ports (Firefox, WebSockets and CORS):
➔ http://example.com:22
Workaround!
➔ ftp://example.com:22
It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari.
Based on timeouts, which can be configured.
WTFun
Slide 35: Port Scanning: result
Slide 36: Self-triggering XSS exploits with HTML5
A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS:
<input type="text" value="->Injecting here" onmouseover="alert('Injected val')">
• HTML5 turns this into self-triggering XSS:
<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>
Slide 37: Black-list XSS filters
HTML5 introduces many new tags.
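The attribute-context injection from slide 36 and the black-list problem from slide 37, as an added example that is not part of the slides: the same untrusted value rendered by a vulnerable template, by a tag black-list filter, and by attribute output encoding, with a small attribute counter to show which rendering still has only the two attributes the template wrote. The template, the filter and the payload string are constructed for the example.

```javascript
// Added example, not from the slides: vulnerable vs filtered vs encoded
// rendering of the slide's onfocus/autofocus attribute injection.
const PAYLOAD = `" onfocus="alert('Injected value')" autofocus x="`;  // closes value, adds handler + autofocus

function renderInputVulnerable(value) {
  return `<input type="text" value="${value}">`;                   // raw concatenation
}

// A black-list filter of the kind slide 37 describes: strips a few known tags.
// The attribute payload contains no tag at all, so it passes through untouched.
function blackListFilter(value) {
  return value.replace(/<\/?(script|iframe|img|object|embed)[^>]*>/gi, '');
}
function renderInputBlackListed(value) {
  return renderInputVulnerable(blackListFilter(value));
}

// Output encoding for the HTML attribute context: the injected quote can no
// longer terminate the attribute, so onfocus and autofocus stay inside the value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}
function renderInputEncoded(value) {
  return `<input type="text" value="${escapeAttr(value)}">`;
}

// Attribute names of a single tag whose values are double-quoted. A rendering
// is intact only if the tag still has exactly the attributes the template wrote.
function attributeNames(tag) {
  const names = [];
  const re = /\s([A-Za-z-]+)(?:="[^"]*")?(?=[\s>])/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

for (const render of [renderInputVulnerable, renderInputBlackListed, renderInputEncoded]) {
  console.log(render.name, attributeNames(render(PAYLOAD)));
}
```

The black-listed rendering is identical to the vulnerable one because the filter keys on tag names; encoding the output for the context it lands in needs no knowledge of which tags or attributes HTML5 added.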
Slide 38: How does your browser become a proxy for an attacker?
http://erlend.oftedal.no/blog/?blogid=107
Slide 39: CSRF (Cross-Site Request Forgery)
The Sleeping Giant
Slide 40: Victim logs on to bank.com
Slide 41: Converting POST to GET
Slide 42: Credentials Included
(Diagram: blog.net page causes a request to https://bank.com/fn?param=1; the browser attaches the bank.com cookie JSESSIONID=AC934234…)
Slide 43: Cross-Site Request Forgery
(Diagram: attacker’s post at blog.net drives the victim's browser through bank.com's transfer flow, one https://bank.com/fn?param=1 request per step.)
Go to Transfer Assets
Select FROM Fund
Select TO Fund
Select Dollar Amount
Submit Transaction
Confirm Transaction
Slide 44: Demo
XSS & CSRF - Killer Combo: Programmers Prepare, Users Beware
<form method="POST" name="form0"
      action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
  <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
  <input type="hidden" name="blog_entry" value="This is come from CSRF"/>
  <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>
Slide 45: How Does CSRF Work?
Tags:
<img src="https://bank.com/fn?param=1">
<iframe src="https://bank.com/fn?param=1">
<script src="https://bank.com/fn?param=1">
Autoposting forms:
<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
</form>
XmlHttpRequest: subject to the same origin policy
Slide 46: What Can Attackers Do with CSRF?
Anything an authenticated user can do:
• Click links
• Fill out and submit forms
• Follow all the steps of a wizard interface
Slide 47: Using CSRF to Attack Internal Pages
(Diagram: a page on attacker.com plants a CSRF TAG that the internal browser sends to internal.mybank.com; the internal site accepts it: Allowed!)
Slide 48: Web Workers
Web Workers give JavaScript the possibility to run in the background.
Web Workers alone are not a security issue.
But they can be used indirectly to launch work-intensive attacks without the user noticing.
http://www.andlabs.org/tools/ravan.html
Slide 49: Web Storage
Slide 50: Web Storage Vulnerabilities & Threats
Session Hijacking
• If the session identifier is stored in local storage, it can be stolen with JavaScript.
• There is no HttpOnly flag for local storage.
Disclosure of Confidential Data
• If sensitive data is stored in local storage, it can be stolen with JavaScript.
User Tracking
• An additional possibility to identify a user.
Persistent attack vectors
• An attacker's payload can be stored persistently in the user's browser.
Slide 51: Offline Web Application
Cache Poisoning
• Caching of the root directory is possible.
• HTTP and HTTPS caching is possible.
Slide 52: “OK, enough. Just tell me: can an attacker get a remote (control) shell on my PC??”
Slide 53: Infection method known as drive-by download
Slide 54: In summary
Web Worker = Cracking hashes in the JS cloud
Web Worker + Cross-origin resource sharing = Powerful DDoS attacks
Web Worker + Cross-origin resource sharing + Web socket = Web-based botnet
Slide 55: Is HTML5 hopelessly (in)secure?
Ahem, no… security has been a major consideration in the design of the specification. But it is incredibly hard to add features to any technology without increasing the possibility of abuse.
Slide 56: References
Compass Security AG: http://userguidepdf.info/html5-web-security-v1.html
http://html5sec.org
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
http://dev.w3.org/html5/spec/Overview.html
Slide 57
Twitter: @nahidupa
Be secure & safe
HTML5 makes everybody happy, including h4ck3rs, and keeps security professionals busy.