HTML5 security


DESCRIPTION

An investigation of HTML5 security


Introduction to HTML5 security

Speaker: luke

Outline

• What is HTML5

• Web Security related to HTML5

• Conclusion & looking forward

HTML5

HTML5

• New version of HTML: HTML5 + CSS3 + JavaScript

Compared to XML and XHTML

• Specification designed by WHATWG (Apple, Mozilla, Google, Opera) in 2004; also W3C and IETF

• Still in progress: http://www.html5test.com/

HTML5

What’s in HTML5

• New Tag: <button> <canvas> <audio> <video>

• New tag attributes: autocomplete, autofocus, regex

• New form controls for date, time, email

• Geolocation(demo: http://html5demos.com/geo)

• Client-side storage: localStorage, sessionStorage and WebSQL (demo: http://html5demos.com/database-rollback)

• WebSockets new way of communication

• WebWorkers allow multithreaded JavaScript in the background

What’s out in HTML5

• Presentational elements: <font> <center>

• Presentational attributes and elements: align, border, <frame>, <frameset>

• Old special effects: <marquee>, <bgsound>

Follow the rule:

Presentation and content are separated

Security Issues in HTML5

Basic ideas about the new vulnerabilities

• New security problems arise because new methods are brought into web applications

• The fundamental security issues of web applications have not changed

• New security issues have been found that are worth investigating

Security concern 1: client

Attack surface: client-side

• Client-side and offline storage

• Allows a greater amount of data to be stored on the client

Security concern 2: WebSQL

• Brings SQL to the client-side

• Core methods:

– openDatabase("Database", "Database version", "Database Description", "Estimated Size")

– transaction("SQL statement")

• The usual attacks apply here: XSS, SQL injection.
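The slide only names client-side SQL injection; the following added example (not from the slides, and not Ravan or any other tool mentioned in the talk) shows the vulnerable and the hardened way of issuing a WebSQL query. WebSQL's openDatabase() exists only inside a browser, so the transaction object here is a constructed stand-in that merely records what executeSql() receives; the table name, the query and the hostile input are assumptions made for the example.

```javascript
// Added example: client-side SQL injection in WebSQL, vulnerable vs hardened.
// fakeTransaction() is a constructed stand-in for the transaction object that
// WebSQL's db.transaction() callback receives; it records each executeSql() call.
function fakeTransaction() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args) {
      calls.push({ sql, args: args || [] });
    },
  };
}

// Vulnerable: the user-controlled value is spliced into the SQL text, so a
// value containing quotes rewrites the WHERE clause.
function findNotesUnsafe(tx, owner) {
  tx.executeSql("SELECT * FROM notes WHERE owner = '" + owner + "'");
}

// Hardened: the SQL text is constant and the value travels as a bound
// parameter, which WebSQL's executeSql(sql, args) supports natively.
function findNotesSafe(tx, owner) {
  tx.executeSql("SELECT * FROM notes WHERE owner = ?", [owner]);
}

// Constructed hostile input: the classic tautology an XSS payload or a poisoned
// stored field could feed into client-side code.
const HOSTILE_OWNER = "x' OR '1'='1";

// Run both variants against the hostile input and return what reached executeSql().
function demo() {
  const unsafe = fakeTransaction();
  findNotesUnsafe(unsafe, HOSTILE_OWNER);

  const safe = fakeTransaction();
  findNotesSafe(safe, HOSTILE_OWNER);

  return {
    unsafeSql: unsafe.calls[0].sql,   // WHERE clause now reads "... OR '1'='1'"
    safeSql: safe.calls[0].sql,       // unchanged: "... WHERE owner = ?"
    safeArgs: safe.calls[0].args,     // the hostile string, passed as data only
  };
}
```

The same pattern carries over to the real API: inside `db.transaction(function (tx) { ... })`, always pass user-influenced values through the second argument of `tx.executeSql()` and never through string concatenation.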

Security concern 3: Application cache

• Useful for offline browsing, speed, and reducing server load

• The size limit for cached data per site: 5MB

• Example 1, enabling the application cache:

<html manifest="example.manifest"> ..... </html>

• Example 2, updating the application cache:

applicationCache.addEventListener('checking', updateCacheStatus, false);

Poisoning the application cache

• Any website can create a cache in the client

• Any file can be cached, even in the /root directory

Security concern 4: HTML5 sandbox

• Sandbox is used to protect a website from third-party content

<iframe src="untrusted.html" sandbox></iframe>

• Can also be used for clickjacking attacks: a sandboxed frame cannot run the framed page's frame-busting script

<iframe sandbox="allow-same-origin allow-forms allow-scripts">

Security concern 5: CORS

• CORS (Cross Origin Resource Sharing)

• Allows cross-domain AJAX

• Silent file upload

var xhr = new XMLHttpRequest();
xhr.open("POST", "http://victim", true);
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.withCredentials = true; // send cookies
xhr.send("Anything I want");

function fileUpload(url, fileData, fileName) {
  var fileSize = fileData.length,
      boundary = "xxxxxxxxxxxx",
      xhr = new XMLHttpRequest();
  xhr.open("POST", url, true);
  xhr.withCredentials = true; // send cookies
  xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary);
  xhr.setRequestHeader("Content-Length", fileSize); // a forbidden request header; browsers ignore it
  // the slide stops here: building the multipart body and calling xhr.send() are not shown
}
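The text/plain POST above is a "simple" request, so the browser sends it (cookies included, because of withCredentials) without any preflight; CORS only decides whether the attacker's page may read the response, not whether the server acts on the request. The added example below (not part of the slides) shows the two server-side checks that defeat this: issuing CORS grants only to an allow-list and never echoing an unknown Origin, and refusing state-changing requests whose Origin (or, failing that, Referer) is not trusted. The allow-list, the request objects and the header shape are constructed for this example; a real deployment would also pair this with anti-CSRF tokens.

```javascript
// Added example: server-side defences against credentialed cross-origin writes.
// TRUSTED_ORIGINS is an assumed allow-list for a hypothetical application.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// CORS response headers for a given request Origin. An unknown origin gets no
// grant at all, and "*" is never combined with Allow-Credentials.
function corsHeadersFor(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",   // caches must not reuse this response for other origins
  };
}

// Decide whether a state-changing request may proceed.
// The browser attaches an Origin header to cross-origin XHRs that the attacker's
// page cannot forge or remove, so the server can refuse writes from elsewhere.
// req is a constructed shape: { method, headers: { origin?, referer? } }.
function checkStateChangingRequest(req) {
  const method = String(req.method).toUpperCase();
  if (!STATE_CHANGING.has(method)) return { ok: true, reason: "read-only method" };

  const origin = req.headers["origin"];
  if (origin) {
    return TRUSTED_ORIGINS.has(origin)
      ? { ok: true, reason: "trusted origin" }
      : { ok: false, reason: "untrusted origin " + origin };
  }

  // Some older clients omit Origin on same-origin requests; fall back to the
  // Referer's origin and fail closed when neither header is present.
  const referer = req.headers["referer"];
  if (referer) {
    let refOrigin;
    try {
      refOrigin = new URL(referer).origin;
    } catch (e) {
      return { ok: false, reason: "unparseable referer" };
    }
    return TRUSTED_ORIGINS.has(refOrigin)
      ? { ok: true, reason: "trusted referer" }
      : { ok: false, reason: "untrusted referer " + refOrigin };
  }
  return { ok: false, reason: "no Origin or Referer on a state-changing request" };
}

// Constructed requests: the slide's text/plain POST fired from an attacker
// page, and the same POST issued by the application's own front end.
const ATTACKER_POST = {
  method: "POST",
  headers: { origin: "https://evil.example", "content-type": "text/plain" },
};
const LEGIT_POST = {
  method: "POST",
  headers: { origin: "https://app.example.com", "content-type": "application/json" },
};
```

Note that the check is deliberately asymmetric: a GET from any origin is allowed through (it is read-only, and CORS headers decide whether the caller may read the response), while every write without a trusted Origin or Referer is rejected rather than waved through.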

Security concern 5: clickjacking

Clickjacking is also called UI redressing

<iframe src="outer.html" width=20 height=20 scrolling="no" style="opacity:0;"></iframe>

<!-- outer.html -->
<iframe src="//victim" width=5000 height=5000 style="position: absolute; top:-300px; left: -350px;"></iframe>

Security concern 5: clickjacking

Frame busting can be easily bypassed in HTML5, because a sandboxed frame cannot run the framed page's scripts:

<iframe sandbox src="//victim"></iframe>

Most Alexa top 500 websites use frame busting to protect against clickjacking:

if (top != self)

if (top.location != self.location)
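Because the sandbox attribute silences the frame-busting script, the protection has to come from response headers that the attacker's page cannot switch off. The following added example (not from the slides or from any of the referenced papers) returns the anti-framing headers a server should send, applies them to a Node-style response object, and keeps the legacy script as defence in depth for browsers without CSP support. The allowed-parent list and the response stand-in are constructed for this example.

```javascript
// Added example: header-based clickjacking defence that survives <iframe sandbox>.
// ALLOWED_FRAME_PARENTS is an assumed configuration value; empty means nobody may frame us.
const ALLOWED_FRAME_PARENTS = [];

// Build the anti-framing headers. CSP frame-ancestors is the modern control and
// can express a list of parents; X-Frame-Options is kept for older browsers and
// can only say DENY or SAMEORIGIN.
function antiFramingHeaders(allowedParents) {
  if (allowedParents.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' " + allowedParents.join(" "),
  };
}

// Apply the headers to anything with a setHeader(name, value) method, such as
// Node's http.ServerResponse. Returns the headers that were set.
function applyAntiFraming(res, allowedParents) {
  const headers = antiFramingHeaders(allowedParents);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return headers;
}

// Legacy frame-busting markup for browsers that understand neither header:
// the body stays hidden unless the script proves the page is top-level, so
// disabling the script (as sandbox does) leaves nothing clickable behind.
function legacyFrameBustingSnippet() {
  return (
    '<style id="antiClickjack">body{display:none !important;}</style>' +
    '<script>' +
    'if (self === top) {' +
    '  var s = document.getElementById("antiClickjack");' +
    '  s.parentNode.removeChild(s);' +
    '} else {' +
    '  top.location = self.location;' +
    '}' +
    '</script>'
  );
}

// Constructed stand-in for http.ServerResponse, used for the offline check.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) {
      headers[name] = value;
    },
  };
}
```

The hidden-body variant matters precisely because of the sandbox bypass on the slide: with a plain `if (top != self)` check, blocking the script leaves the page fully rendered and clickable inside the attacker's frame, whereas here blocking the script leaves the page blank.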

Security concern 5: XSS

New tags and new attributes cause XSS

<video onerror="javascript:alert(1)"><source>
<audio onerror="javascript:alert(1)"><source>

Before HTML5 (the injected handler needs a user action to fire):
<input type="text" value="-->Injecting here" onmouseover="alert('Injected value')">

With HTML5 (autofocus fires the injected handler without any user interaction):
<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>
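The autofocus payload works only because the injected value can close the value attribute and start new ones. The added example below (not from the slides) contrasts a template that drops the value straight into the attribute with one that encodes it for the attribute context, and includes a rough detector used to confirm that the encoded output carries no stray event-handler or autofocus attribute. The template and the detector are constructed for this example; the payload is the one shown on the slide.

```javascript
// Added example: attribute-context encoding against the HTML5 autofocus XSS vector.

// Encode a value for use inside a double-quoted HTML attribute. Every character
// that could terminate the attribute, the tag, or start a new name=value pair is
// replaced by a numeric character reference.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"'`=\/]/g, function (ch) {
    return "&#x" + ch.charCodeAt(0).toString(16) + ";";
  });
}

// Vulnerable template: the value is interpolated verbatim.
function renderInputUnsafe(value) {
  return '<input type="text" value="' + value + '">';
}

// Hardened template: the value is encoded for the attribute it lands in.
function renderInputSafe(value) {
  return '<input type="text" value="' + encodeForHtmlAttribute(value) + '">';
}

// Rough check (constructed for this example, not a parser): after blanking the
// one value attribute we intended to write, is there any on* handler or
// autofocus attribute left in the markup?
function containsInjectedAttribute(markup) {
  const withoutValue = markup.replace(/value="[^"]*"/, 'value=""');
  return /\s(on\w+|autofocus)\b/i.test(withoutValue);
}

// The slide's payload: closes the value attribute, adds onfocus, adds autofocus.
const SLIDE_PAYLOAD = "-->Injecting here\" onfocus=\"alert('Injected value')\" autofocus";
```

With the unsafe template the payload yields exactly the markup from the slide; with the safe template the browser sees one long value attribute whose contents happen to spell `onfocus` and `autofocus`, and no handler is registered.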

Security concern 5: Drag and Drop API

<div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'Evil data')">
  <h3>DRAG ME!!</h3>
</div>

Security concern 6: HTML5 shell

Participants: pentester's browser, proxy, web server (hosting the shell), victim's browser, www.google.com

1. Pentester's browser sends GET http://www.google.com to the proxy

2. Proxy sends the request to the web server

3. Web server sends the request to the victim's browser

4. Victim's browser requests http://www.google.com from the Google web server

5. Google web server responds with the HTML for its homepage

6. Victim's browser sends the response body to the shell on the web server

7. Web server sends the response body to the proxy

8. Proxy sends the Google home page to the pentester's browser

Security concern 7: network reconnaissance

Cross-domain XMLHttpRequests and WebSockets

Port status                    WebSocket    COR
Open (application type 1&2)    <100ms       <100ms
Closed                         ~1000ms      ~1000ms
Filtered                       >30000ms     >30000ms

Security concern 8: HTML5 botnets

WebWorkers are a threading model for JavaScript

Botnet creation:

• Reaching out to victims

• Extending execution lifetime

HTML5 botnet based attacks:

• Application-level DDoS attacks

• Email spam

• Distributed password cracking

Background JavaScript threads that were started using WebWorkers can send cross-domain XMLHttpRequests even though the remote website does not support it. A test showed that around

If a small botnet has just 600 zombies, it can send around

Distributed password cracking

It is easy to launch a password cracker under HTML5: http://www.andlabs.org/tools/ravan.html

Ravan architecture:

• Ravan Master (web backend)

• Work farm: Get Work / Submit Result

• User: Submit hash / Manage cracking

Tests show that one browser can reach password-guessing rates of 100,000 MD5/second in JavaScript, 100-115 times slower than native code (like LC5), but if you control 100 zombies it has the same cracking rate.

Top10 Risks in html5

1. ClickJacking & Phishing by mixing layers and iframe

2. CSRF and leveraging CORS to bypass SOP

3. Attacking WebSQL and client side SQL injection

4. Stealing information from Storage and Global variables

5. HTML5 tag abuse and XSS

6. HTML5 and DOM based XSS and redirects

7. DOM injections and Hijacking with HTML 5

8. Abusing thick client features

9. Using WebSockets for stealth attacks

10. Abusing WebWorker functionality

Conclusion

• HTML5, DOM Level 3 and XHR Level 2 via JavaScript are involved in creating the next generation of applications

• As people use web browsers heavily, more features will be brought into HTML5

• More enhanced features in HTML5 will bring threats and challenges

• More security issues will be discovered in the future

Reference

[1] HTML5 Security CheatSheet - http://code.google.com/p/html5security/

[2] Shell of the Future - http://www.andlabs.org/tools.html#sotf

[3] Next Generation Clickjacking - http://www.contextis.co.uk/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf

[4] OWASP ClickJacking Guide - http://www.owasp.org/index.php/Clickjacking

[5] http://html5sec.org/

[6] Hacking Facebook with HTML5 - http://m-austin.com/blog/?p=19

[7] http://html5demos.com

[8] https://www.owasp.org/index.php/Clickjacking

[9] http://www.andlabs.org/

Thanks for listening

Any suggestions and comments are welcome
