Everybody loves html5, h4ck3rs too

Page 1: Everybody loves html5, h4ck3rs too

Everybody loves html5, h4ck3rs too

Page 2: Everybody loves html5, h4ck3rs too

~# Whoami
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Senior Software Engineer, KAZ Software Ltd.
Security Enthusiast

Page 3: Everybody loves html5, h4ck3rs too

Which part do you care about?
Everybody loves html5… Well, h4ck3rs too… What!!!

Page 4: Everybody loves html5, h4ck3rs too


Page 5: Everybody loves html5, h4ck3rs too

What is HTML5
Next major version of HTML. The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.
Adds new tags and event handlers to HTML. Many more….
HTML5 is not finished

Page 6: Everybody loves html5, h4ck3rs too

HTML5 is already here. HTML5 TEST - http://html5test.com/

Many features supported by latest versions of FireFox, Chrome, Safari and Opera.

Page 7: Everybody loves html5, h4ck3rs too

Standard web model

Page 8: Everybody loves html5, h4ck3rs too

HTML5 OVERVIEW
• Web sockets
• COR
• Iframe Sandboxing
• Web Messaging

Page 9: Everybody loves html5, h4ck3rs too

WEB BROWSER SECURITY MODELS

• The same origin policy
• The cookies security model
• The Flash security model / SandBox

Page 10: Everybody loves html5, h4ck3rs too

Same Origin Policy
The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin.

An origin is defined as the combination of

• host name,

• protocol,

• and port number.
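The origin definition above, as an added example (not from the slides): two URLs are reduced to the (protocol, host name, port) triple and compared the way the Same Origin Policy does, using only the built-in URL class, so it runs in Node.js or a browser console.

```javascript
// Added example, not from the slides: reduce two URLs to the origin triple the slide
// names (protocol, host name, port) and compare them the way the Same Origin Policy does.

// Ports that URL parsing leaves blank because they are the scheme default.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Serialise the (protocol, host name, port) triple; path, query and fragment are dropped.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two documents may read or set each other's properties only if this returns true.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Constructed sample pairs mirroring the bank.com / blog.net picture in the deck.
const SAMPLE_PAIRS = [
  ['https://bank.com/account', 'https://bank.com/transfer?to=1'], // same origin
  ['https://bank.com/',        'http://bank.com/'],               // protocol differs
  ['https://bank.com/',        'https://bank.com:8443/'],         // port differs
  ['https://bank.com/',        'https://blog.net/post/1'],        // host differs
  ['https://bank.com:443/',    'https://bank.com/'],              // explicit default port
  ['https://bank.com/',        'https://www.bank.com/'],          // subdomain is another host
];

// Evaluate every pair; path and query never matter, protocol/host/port always do.
function checkSamples() {
  return SAMPLE_PAIRS.map(([a, b]) => sameOrigin(a, b));
}
```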

Page 11: Everybody loves html5, h4ck3rs too

The Browser “Same Origin” Policy

(Diagram: bank.com and blog.net, each with its own document and cookies; XHR, TAG and JS interactions are drawn between the two origins.)

Page 12: Everybody loves html5, h4ck3rs too

What Happens if the Same Origin Policy Is Broken?

Page 13: Everybody loves html5, h4ck3rs too

Some major HTML5 features
• CORS - Cross-Origin Resource Sharing
• WebSockets
• WebWorkers
• JavaScript APIs

Page 14: Everybody loves html5, h4ck3rs too

Disclaimer

Today I want to show you how far an attacker can go with simple JavaScript and HTML5,
so you can convince your boss to put effort into security measures.

My intention is not to make you panic.

Page 15: Everybody loves html5, h4ck3rs too

15

Cross Origin Request (COR)
• Originally, Ajax calls were subject to the Same Origin Policy
• Site A cannot make XMLHttpRequests to Site B
• HTML5 makes it possible to make these cross-domain calls
• Site A can now make XMLHttpRequests to Site B as long as Site B allows it.

The response from Site B should include a header:

Access-Control-Allow-Origin: Site A

Page 16: Everybody loves html5, h4ck3rs too


Cross-Origin Resource Sharing

<allow-access-from domain="*">

Page 17: Everybody loves html5, h4ck3rs too

The OWASP Foundation http://www.owasp.org

CORS-Cross-Origin Resource Sharing


Why is the programmer happy?

Let's see it from the attacker's view

Page 18: Everybody loves html5, h4ck3rs too


XSS-Cross Site Scripting

Page 19: Everybody loves html5, h4ck3rs too


Demo

Page 20: Everybody loves html5, h4ck3rs too

XSS attack vector

Page 21: Everybody loves html5, h4ck3rs too

Impact of XSS

History Stealing

Intranet Hacking

XSS Defacements

DNS pinning

IMAP3

MHTML

Hacking JSON

Cookie stealing

Clipboard stealing

Page 22: Everybody loves html5, h4ck3rs too

Cookie stealing

Pr3venting

Page 23: Everybody loves html5, h4ck3rs too

XSS Defacements

Page 24: Everybody loves html5, h4ck3rs too

If you still cannot manage your boss: More Evil use

I do not care. Show me how my org is affected.

Page 25: Everybody loves html5, h4ck3rs too


Attacking intranet

Page 26: Everybody loves html5, h4ck3rs too

Obtaining NAT’ed IP Addresses

Java applet

Page 27: Everybody loves html5, h4ck3rs too

If the victim's Web browser is Mozilla/Firefox, it's possible to skip the applet:

<script>
// Opens a socket back to the page's own host through the Java bridge (LiveConnect)
// and reads the local address the socket was bound to.
function natIP() {
  var w = window.location;
  var host = w.hostname;   // host name only; w.host would also carry the port
  var port = w.port || 80;
  var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
  return Socket;
}
</script>

Page 28: Everybody loves html5, h4ck3rs too


Demo

Not only the NAT'ed IP: you can get lots more system info.

Page 29: Everybody loves html5, h4ck3rs too

Port Scanning
O' Really?

Page 30: Everybody loves html5, h4ck3rs too

Port Scanning

window.onerror = err;
<script src="http://ip/"></script>

// in err(msg):
// if (!msg.match(/Error loading script/)) → ip does not exist
// else → found an internal ip

Page 31: Everybody loves html5, h4ck3rs too

Blind Web Server Fingerprinting
Apache Web Server: /icons/apache_pb.gif
HP Printer: /hp/device/hp_invent_logo.gif

<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />

Page 32: Everybody loves html5, h4ck3rs too


HTML5 Made it easy

www.andlabs.org/tools/jsrecon.html

Demo

Page 33: Everybody loves html5, h4ck3rs too

What just happened?

Page 34: Everybody loves html5, h4ck3rs too

Port Scanning: Beating protections
Blocking example for known ports (Firefox, WebSockets and CORS)
➔ http://example.com:22
Workaround!
➔ ftp://example.com:22
It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari
Based on timeouts, it can be configured

WTFun

Page 35: Everybody loves html5, h4ck3rs too


Port Scanning: result

Page 36: Everybody loves html5, h4ck3rs too

Self-triggering XSS exploits with HTML5

A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS:

<input type="text" value="->Injecting here" onmouseover="alert('Injected val')">

• HTML5 turns this into self-triggering XSS:

<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>

Page 37: Everybody loves html5, h4ck3rs too

Black-list XSS filters
HTML5 introduces many new tags
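The defence that does not depend on a tag or handler black-list, as an added example that is not from the slides: untrusted data placed inside an HTML attribute is entity-encoded, so the injected text can never close the value="..." attribute and start onmouseover=, onfocus= or autofocus. The render helpers, the tokenizer and the payloads are constructed for the demonstration.

```javascript
// Added example, not from the slides: attribute-context output encoding beside the
// vulnerable concatenation it replaces. All helpers are constructed for this demo.

// OWASP attribute-encoding rule: everything except [A-Za-z0-9] becomes a numeric entity.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// The vulnerable pattern from the slide: untrusted data concatenated straight into the tag.
function renderInputUnsafe(untrustedValue) {
  return `<input type="text" value="${untrustedValue}">`;
}

// The hardened form: same markup, encoded data.
function renderInputSafe(untrustedValue) {
  return `<input type="text" value="${encodeForHtmlAttribute(untrustedValue)}">`;
}

// Constructed inputs in the shape the slide describes: close the value attribute, then add
// handler attributes. The trailing x=" swallows the quote the template appends.
const PAYLOADS = {
  needsMouse: `" onmouseover="alert('Injected val')" x="`,
  selfTriggering: `" onfocus="alert('Injected value')" autofocus x="`,
};

// Minimal attribute tokenizer for one tag with double-quoted values, used only to inspect
// what a browser would treat as attributes. Returns the lower-cased attribute names in order.
function attributeNames(tagHtml) {
  const body = tagHtml.slice(tagHtml.indexOf(' '), tagHtml.lastIndexOf('>'));
  const re = /\s([A-Za-z-]+)(?:="[^"]*")?/g;
  const names = [];
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}
```

With the unsafe renderer the self-triggering payload yields onfocus and autofocus as real attributes; with the encoded renderer the tag keeps exactly type and value.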

Page 38: Everybody loves html5, h4ck3rs too

How does your browser become a proxy for an attacker?

http://erlend.oftedal.no/blog/?blogid=107

Page 39: Everybody loves html5, h4ck3rs too


CSRF(Cross-Site Request Forgery)

The Sleeping Giant

Page 40: Everybody loves html5, h4ck3rs too

Victim logs on to bank.com

Page 41: Everybody loves html5, h4ck3rs too


Converting POST to GET

Page 42: Everybody loves html5, h4ck3rs too

Credentials Included

(Diagram: a request from blog.net to https://bank.com/fn?param=1 is sent with the bank.com session cookie JSESSIONID=AC934234… attached.)

Page 43: Everybody loves html5, h4ck3rs too


Cross-Site Request Forgery

bank.com ← attacker's post at blog.net

Go to Transfer Assets: https://bank.com/fn?param=1
Select FROM Fund: https://bank.com/fn?param=1
Select TO Fund: https://bank.com/fn?param=1
Select Dollar Amount: https://bank.com/fn?param=1
Submit Transaction: https://bank.com/fn?param=1
Confirm Transaction: https://bank.com/fn?param=1

Page 44: Everybody loves html5, h4ck3rs too

Demo: XSS & CSRF - Killer Combo

Programmers Prepare, Users Beware

<form method="POST" name="form0" action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
  <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
  <input type="hidden" name="blog_entry" value="This is come from CSRF"/>
  <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>

Page 45: Everybody loves html5, h4ck3rs too

How Does CSRF Work?

Tags
<img src="https://bank.com/fn?param=1">
<iframe src="https://bank.com/fn?param=1">
<script src="https://bank.com/fn?param=1">

Autoposting Forms
<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
</form>

XmlHttpRequest
Subject to same origin policy

Page 46: Everybody loves html5, h4ck3rs too

What Can Attackers Do with CSRF?

Anything an authenticated user can do
• Click links
• Fill out and submit forms
• Follow all the steps of a wizard interface

Page 47: Everybody loves html5, h4ck3rs too

Using CSRF to Attack Internal Pages

(Diagram: a TAG in a page on attacker.com, loaded by an internal browser, sends a CSRF request to internal.mybank.com; the Internal Site allows it.)

Page 48: Everybody loves html5, h4ck3rs too

Web Workers

Web Workers provide the possibility for JavaScript to run in the background.

Web Workers alone are not a security issue.

But they can be used indirectly for launching work-intensive attacks without the user noticing.

http://www.andlabs.org/tools/ravan.html

Page 49: Everybody loves html5, h4ck3rs too


Web Storage

Page 50: Everybody loves html5, h4ck3rs too

Web Storage Vulnerabilities & Threats

Session Hijacking

• If session identifier is stored in local storage, it can be stolen with JavaScript.

• No HTTPOnly flag.

Disclosure of Confidential Data

• If sensitive data is stored in the local storage, it can be stolen with JavaScript.

User Tracking

• Additional possibility to identify a user.

Persistent attack vectors

• An attacker can store payloads persistently in the user's browser

Page 51: Everybody loves html5, h4ck3rs too


Offline Web Application

Cache Poisoning

• Caching of the root directory possible.

• HTTP and HTTPS caching possible.

Page 52: Everybody loves html5, h4ck3rs too

OK, enough. Just tell me: can an attacker get a remote (control) shell on my PC??

Page 53: Everybody loves html5, h4ck3rs too

Infection method known as drive-by download

Page 54: Everybody loves html5, h4ck3rs too

In summary

Web Worker = Cracking Hashes in JS Cloud

Web Worker + Cross-origin resource sharing = Powerful DDoS attacks

Web Worker + Cross-origin resource sharing + Web socket = Web-based Botnet.

Page 55: Everybody loves html5, h4ck3rs too

Is HTML5 hopelessly (in)secure?

Ahem, no… Security has been a major consideration in the design of the specification. But it is incredibly hard to add features to any technology without increasing the possibility of abuse.

Page 56: Everybody loves html5, h4ck3rs too

Reference

Compass Security AG: http://userguidepdf.info/html5-web-security-v1.html
http://html5sec.org
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
http://dev.w3.org/html5/spec/Overview.html

Page 57: Everybody loves html5, h4ck3rs too

Twitter: @nahidupa

Be secure & safe

HTML5 makes everybody happy, including h4ck3rs, and keeps security professionals busy.