HTML5 Security (236667319)

8/11/2019 HTML5 Security (236667319)

http://slidepdf.com/reader/full/html5-security-236667319 1/36

Copyright Justin C. Klein Keane @madirish2600

HTML 5 Security

8/11/2019 HTML5 Security (236667319)



About Me

● Security

researcher

and

engineer

● Work at University of Pennsylvania

●

OWASP Philadelphia chapter leader● Working on y first !ook

● Professor at "re#el University

● $ecovering %e! application developer &'

8/11/2019 HTML5 Security (236667319)



TL"$

● HTM5 %ill !e the source of uch(

– Lamentation

– $e)oicing

● *or(

– "evelopers

–

Attackers – "efenders

8/11/2019 HTML5 Security (236667319)



A!out HTML 5

● +e% HTML standard

– Like ,avaScript- dependent on !ro%ser ipleentation

– .ro%ser support varies

–

$earka!ly- o!ile tends to have ore support● "esigned to address persistent headaches of %e!

developers /and get rid of plugins0'

● Makes %e! apps uch closer to native apps

● At core( 10"O2T3P4 htl1htl 16htl

● Spec availa!le at %%%7%87org

8/11/2019 HTML5 Security (236667319)



Take +ote

“Some features of HTML trade user conveniencefor a measure of user privacy.”

“When HTML is used to create interactive sites,care needs to be taken to avoid introducingvunerabiities through !hich attackers can

compromise the integrity of the site itsef or of thesite"s users.”

http(66%%%7%87org6htl6%g6drafts6htl6aster6introduction7htl

8/11/2019 HTML5 Security (236667319)



Ho% HTML 5 Works

● Adding ne% HTML tags(

– 1canvas- 1article- etc7

● Add ne% "OM functions(

– docuent7register/9ne%:tag9'&● There go your tag specific ;SS filters777

● Add ne% "OM eleents

– %indo%<9localStorage9=& – navigator7geolocation7get2urrentPosition/'&

8/11/2019 HTML5 Security (236667319)



Popular *eatures(That

I

won't rea lly discuss)

● 2anvas eleent for dynaic dra%ing

● >ideo and audio tags for e!edding ultiedia %ithout plugins

● 2ontent specific tags

● +e% for controls /calendar pop:ups- tie datatypes- e:ail validation- etc7'

●

+ative client side for validation● +e% history AP?

● "rag and drop

8/11/2019 HTML5 Security (236667319)



.anana .read

8/11/2019 HTML5 Security (236667319)



2ross Site Scripting /;SS'

● A !it a!out ;SS since HTML 5 has a !igipact

● ;SS is @ar!itrary script in)ection

–"isplay ar!itrary eleents- e#portar!itrary data including 2ookies- orperfor ar!itrary anipulation of "OM

● HTML 5 !oth helps and hurts ;SS

8/11/2019 HTML5 Security (236667319)



$eflected ;SS

8/11/2019 HTML5 Security (236667319)



Stored ;SS

8/11/2019 HTML5 Security (236667319)



.e4* Makes it 4asy

8/11/2019 HTML5 Security (236667319)



Minial ?n)ection

8/11/2019 HTML5 Security (236667319)



+e% Security Model

●

O ld

Same

Origin

Policy

is

relaxed● +e% policy is 2ross Origin $esource

Sharing /2O$S' – redefines ;SS attack surface

● Assuption( sae origin BB trust

● ?n HTML 5 origin policy is orenuanced

8/11/2019 HTML5 Security (236667319)



2ontent Security Policy

● 2ontent Security Policy /2SP' defined in headers

● Specify the source of trusted content

– 2ontent- font- frae- ig- edia- o!)ect- style

– /httpChttps'- none- self- unsafe:inline- unsafe:eval● ?nline code is considered unsafe0

● All 2SS- ,avaScript ust !e e#ternal /7)s files'

●

+o ore in)ected ;SS000 – +one of your e#isting apps %ill %ork (/

8/11/2019 HTML5 Security (236667319)



2SP in Practice

8/11/2019 HTML5 Security (236667319)



2SP $esults

8/11/2019 HTML5 Security (236667319)



2SP $eporting

● 2SP can specify reporting

● Allo%s !ro%sers to report !ack to a specificserver U$? %hen soething is !locked

● Protect :DetectD $eact

● 2an !e set to report only for de!ugging

8/11/2019 HTML5 Security (236667319)



$eporting

8/11/2019 HTML5 Security (236667319)



4#aple $eport

8/11/2019 HTML5 Security (236667319)



+e% i*rae Security

● Sand!o# attri!ute

– 4ffectively isolates origin

– Prevents loading of plugins

–

2an prevent ,avaScript – 2an force a uniEue origin /even sae origin fails'

– 2an !lock for su!ission

– And ore777

– Whitelist selectively allo%s functionality(● <iframe src=”blah” sandbox=”allow-forms allow-popups allow-

scripts”></iframe>

8/11/2019 HTML5 Security (236667319)



We! Storage

● We! storage

– +oSFL key:value store- uch like cookies

– Siple and easy to use

– Set and called via ,avascript %ith localStorage or sessionStorage

– Session storage persists erely for the localsession /no persistence'

– @ # mosty arbitrary imit of five megabytes per originis suggested.

8/11/2019 HTML5 Security (236667319)



Cool

Uses

● Storing

form

state

(no

more

Back

button

returning to a !lank for'

● $eplace cookies

● Store serialiGed ,SO+ o!)ects and othercople# structures

● Persist data solely on the client0

8/11/2019 HTML5 Security (236667319)



4#aple

8/11/2019 HTML5 Security (236667319)



Where "id ?t oI

8/11/2019 HTML5 Security (236667319)



Security( LocalStorage

●

SQL

in jection

moves

to

the

client!● Persistent ;SS oves to the client

● Offline stores ay !ecoe a target of al%are

●

+e% sources- and volues- of forensic evidence● 2ross directory attacks

– “"ifferent authors sharing one host nae- for e#aple users hosting content ongeocities7co - all share one loca l storage o!)ect7 There is no feature to restrict the

access !y pathnae7 Authors on shared hosts are therefore urged to avoid using thesefeatures- as it %ould !e trivial for other authors to read the data and over%rite it7

● "+S spoofing could e#pose data store

● http://dev. w3.org/htm l5/ webstorage/#security-storage

8/11/2019 HTML5 Security (236667319)



*ile Storage

● 2hroe supports %8c *ileSyste AP?

● MoGilla supporting "eviceStorage AP?

● .oth essentially address the sae need

● Still very uch developing

8/11/2019 HTML5 Security (236667319)



*ilesyste AP?

● Allo%s applications access to local filesyste

● Useful for large files

– Uploads- do%nloads- and usage

8/11/2019 HTML5 Security (236667319)



*ilesyste Security

● 2reates all sorts of ne% security challenges( – Target of al%are for theft

– "enial of service

– Theft or erasure of private data /client side al%are' – Storing alicious e#ecuta!les client side

– Storing dangerous or illegal files on a filesystesurreptitiously

8/11/2019 HTML5 Security (236667319)



We! Sockets

●

Ans%er to A,A;● Allo%s for synchronous

connections !et%een the clientand a reote server

● Origin policies apply

– connect:src in 2SP

● %s(66 and %ss(66 protocolidentifiers

● Uses port JK68 !y default

● >alid http upgrades to %e!socket

var

host

=

'ws://url.

tld/ref

var conn = new WebSockethost!"

conn#onopen = function ! $%

conn#onmessage = function! $%

Security ?plications of We!

8/11/2019 HTML5 Security (236667319)



Security ?plications of We!Sockets

● +o native authentication● +e% "oS surface

● 2usto socket code could contain vulnera!ilities

including overflo%s● 2ould ake for interesting 22 and data e#filtration

route

● +o iplicit security6validation

● Like A,A; it provides a ne% @hidden attack surfacethat is difficult to audit

> hi

8/11/2019 HTML5 Security (236667319)



>ector raphics

● Allo%s for dynaic iage generation in HTM● reat for scaling and responsive design

● 4liinates uch of the need for e!eddedgraphics

S> S i ?

8/11/2019 HTML5 Security (236667319)



S> Security ?ssues

● raphics defined in HTML – This leads to interesting ne% ;SS attacks

– 2lick)acking )ust got easier

● Potential for ne% client "oS or crash

+ 2 l iti

8/11/2019 HTML5 Security (236667319)



+e% 2ople#ities

● 2ople#ity !rings ne% security challenges● "evelopers eager to ipleent features ay

not understand security challenges

● Testers ay not !e failiar %ith ne% features-or security risks

● Totally ne% security odel at the !ro%ser lev

● $eplacing 8rd party plugins ay !ring %in

Oth S it ?

8/11/2019 HTML5 Security (236667319)



Other Security ?ssues

●

+e% dynaic attri!utes create ne% "OM !ased ;SS attacks

– foraction- oninput- onerror- onforinput- onforchange-etc7

● Older security li!raries ay not recogniGe ne% security threa

● reater capa!ility and counications ay ake the !ro%sea target for al%are

● *un ne%geolocation.GetCurrentPosition()

● Useget&ser'edia!to capture audio6video0

Th k 0

8/11/2019 HTML5 Security (236667319)



Thanks0

FuestionsI

Documents

HTML5 Security (236667319)