everybody loves html5, h4ck3rs too
DESCRIPTION
Everybody loves html5, h4ck3rs too. Slides by Nahidul Kibria (Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd.) on what HTML5 is and how far an attacker can get with plain JavaScript and the new HTML5 features.
TRANSCRIPT
Everybody loves html5, h4ck3rs too
~# whoami
Nahidul Kibria
Co-Leader, OWASP Bangladesh
Senior Software Engineer, KAZ Software Ltd.
Security enthusiast
Which part do you care about?
Everybody loves html5… Well, h4ck3rs too… What!!!
What is HTML5?
The next major version of HTML. The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.
It adds new tags and event handlers to HTML, and much more.
HTML5 is not finished yet.
HTML5 is already here.
HTML5 test: http://html5test.com/
Many features are already supported by the latest versions of Firefox, Chrome, Safari and Opera.
Standard web model
HTML5 OVERVIEW
Web Sockets
COR (Cross-Origin Requests)
Iframe Sandboxing
Web Messaging
WEB BROWSER SECURITY MODELS
The same origin policy
The cookie security model
The Flash security model / sandbox
Same Origin Policy
The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document loaded from a different origin.
An origin is defined as the combination of
• host name,
• protocol,
• and port number.
The Browser "Same Origin" Policy
(Diagram: bank.com and blog.net. JavaScript on blog.net can embed bank.com resources through TAGs, but its XHR calls to bank.com and its access to bank.com's document and cookies are stopped by the same origin policy.)
What Happens if the Same Origin Policy Is Broken?
Some major HTML5 features
• CORS - Cross-Origin Resource Sharing
• WebSockets
• WebWorkers
• JavaScript APIs
Disclaimer
Today I want to show you how far an attacker can go with simple JavaScript and HTML5, so that you can convince your boss to put effort into security measures.
My intention is not to make you panic.
Cross Origin Request (COR)
• Originally Ajax calls were subject to the Same Origin Policy
• Site A cannot make XMLHttpRequests to Site B
• HTML5 (CORS) makes these cross-domain calls possible: Site A can now make XMLHttpRequests to Site B, as long as Site B allows it.
• The response from Site B must include the header:
Access-Control-Allow-Origin: <origin of Site A>
Note that the browser still sends the request (with the user's cookies if the page asks for credentials); the header only decides whether Site A's script is allowed to read the response.
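An added example, not code from the slides: a model of the decision a browser makes before it lets a page's script read a cross-origin response, beside three ways a server can emit Access-Control-Allow-Origin. The origins, the mode names and the function names are assumptions made for this example.

```javascript
// Added example (not from the slides): CORS seen from both sides.
// TRUSTED_ORIGINS, the mode names and the scenario origins are constructed.

// Origins the server actually trusts.
const TRUSTED_ORIGINS = new Set(["https://app.bank.example"]);

// Server side: CORS response headers for the Origin header of an incoming request.
//   "allowlist": echo the Origin only when it is trusted (correct)
//   "reflect":   echo any Origin back (a common misconfiguration)
//   "wildcard":  static "*"
function corsHeadersFor(requestOrigin, mode, allowCredentials) {
  const h = {};
  if (mode === "allowlist") {
    if (!TRUSTED_ORIGINS.has(requestOrigin)) return h; // no CORS headers: browser blocks the read
    h["Access-Control-Allow-Origin"] = requestOrigin;
    h["Vary"] = "Origin"; // stop caches from serving one origin's answer to another
  } else if (mode === "reflect") {
    h["Access-Control-Allow-Origin"] = requestOrigin;
  } else if (mode === "wildcard") {
    h["Access-Control-Allow-Origin"] = "*";
  } else {
    throw new Error("unknown mode " + mode);
  }
  if (allowCredentials) h["Access-Control-Allow-Credentials"] = "true";
  return h;
}

// Browser side: the request has already been sent (cookies included when
// withCredentials is set); the only question is whether the calling script
// gets to see the response body.
function browserExposesResponse(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // "*" is never honoured for credentialed requests
  if (acao !== pageOrigin) return false;
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// Scenario from the talk: a page on blog.net makes a credentialed request to
// the bank's API while the victim is logged in. Does the attacker's script
// get to read the victim's data?
function attackerReadsBankData(mode) {
  const attackerOrigin = "https://blog.net";
  const headers = corsHeadersFor(attackerOrigin, mode, true);
  return browserExposesResponse(attackerOrigin, headers, true);
}

console.log({
  allowlist: attackerReadsBankData("allowlist"), // false
  reflect: attackerReadsBankData("reflect"),     // true: "Site B allows it" for everyone
  wildcard: attackerReadsBankData("wildcard"),   // false: "*" does not work with credentials
});
```

The "reflect" mode is the one to look for in a review: a server that copies the incoming Origin into Access-Control-Allow-Origin and also sends Access-Control-Allow-Credentials: true has handed every site on the internet read access to its authenticated responses.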
Cross-Origin Resource Sharing
The Flash equivalent, a crossdomain.xml policy entry that lets any domain read the site's responses:
<allow-access-from domain="*">
The OWASP Foundation http://www.owasp.org
CORS - Cross-Origin Resource Sharing
Why are programmers happy?
Let's look at it from the attacker's view.
XSS - Cross Site Scripting
Demo
XSS attack vectors
Impact of XSS
• History stealing
• Intranet hacking
• XSS defacements
• DNS pinning
• IMAP3
• MHTML
• Hacking JSON
• Cookie stealing
• Clipboard stealing
Pr3venting
If you still cannot manage your boss: more evil uses
"I do not care. Show me how my org is affected."
Attacking the intranet
Obtaining NAT'ed IP addresses
(Diagram: a Java applet embedded in the attacker's page reports the victim's internal address.)
If the victim's web browser is Mozilla Firefox, it is possible to skip the applet and call Java straight from JavaScript (LiveConnect):
<script>
function natIP() {
  var w = window.location;
  var host = w.hostname;                                   // hostname, not host: host would include ":port"
  var port = w.port || (w.protocol === "https:" ? 443 : 80);
  // Open a socket back to the page's own server. The local end of that socket
  // is bound to the machine's real (NAT'ed) address, which the page could not
  // otherwise see.
  var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
  return Socket;
}
</script>
Caveat: this needs the Java plugin and LiveConnect, which current browsers no longer ship; it documents the technique as it worked at the time of the talk.
Demo
Not only the NAT'ed IP: you can get lots more system information.
Port scanning. O'Really?
Port scanning with a <script> tag (the error message tells the two cases apart):
window.onerror = function (msg) {
  if (!msg.match(/Error loading script/)) {
    // something answered at that IP with content that is not JavaScript: host is up
  } else {
    // nothing answered: the IP does not exist, move on to the next internal IP
  }
};
<script src="http://ip/"></script>
Blind web server fingerprinting: request an image whose URL is unique to one product.
Apache Web Server: /icons/apache_pb.gif
HP printer: /hp/device/hp_invent_logo.gif
<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />
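An added example, not the talk's code and not JSRecon: the host sweep and the blind fingerprint from the two slides above, written against a pluggable image loader so the logic runs offline. In a browser you would pass browserImageLoader; here a constructed fake network stands in for the intranet. The timing threshold, the fake hosts and every function name are assumptions.

```javascript
// Added example (not from the slides): intranet discovery and fingerprinting
// from inside the victim's browser. FAKE_NETWORK and the 1 s threshold are
// constructed for the example.

// Image paths the slide lists as unique to a product.
const SIGNATURES = [
  { product: "Apache httpd", path: "/icons/apache_pb.gif" },
  { product: "HP printer", path: "/hp/device/hp_invent_logo.gif" },
];

// Loader for a real browser: resolves with how the <img> request ended and how long it took.
function browserImageLoader(url, timeoutMs) {
  return new Promise((resolve) => {
    const t0 = Date.now();
    const img = new Image(); // only exists in a browser
    const done = (outcome) => { clearTimeout(timer); resolve({ outcome, ms: Date.now() - t0 }); };
    const timer = setTimeout(() => { img.src = ""; done("timeout"); }, timeoutMs);
    img.onload = () => done("load");
    img.onerror = () => done("error");
    img.src = url;
  });
}

// Constructed fake network: one Apache box, one printer, one host with the
// port closed, everything else silent.
const FAKE_NETWORK = {
  "http://10.0.0.1/": { outcome: "error", ms: 35 },                // answered with HTML, not an image
  "http://10.0.0.1/icons/apache_pb.gif": { outcome: "load", ms: 50 },
  "http://10.0.0.7/": { outcome: "error", ms: 30 },
  "http://10.0.0.7/hp/device/hp_invent_logo.gif": { outcome: "load", ms: 40 },
  "http://10.0.0.9/": { outcome: "error", ms: 20 },                // TCP reset: host up, port closed
};
function fakeImageLoader(url, timeoutMs) {
  return Promise.resolve(FAKE_NETWORK[url] || { outcome: "timeout", ms: timeoutMs });
}

// A quick error means something answered (an HTTP response that is not an
// image, or a connection reset); a timeout means no host, or a firewall that
// silently drops. The 1 s boundary is an assumption; tune it per network.
function classifyHost(result, fastMs = 1000) {
  if (result.outcome === "load") return "up";
  if (result.outcome === "error" && result.ms < fastMs) return "up";
  return "down-or-filtered";
}

async function sweep(prefix, loadImage, { from = 1, to = 254, timeoutMs = 3000 } = {}) {
  const ips = [];
  for (let i = from; i <= to; i++) ips.push(`${prefix}.${i}`);
  const results = await Promise.all(ips.map((ip) => loadImage(`http://${ip}/`, timeoutMs)));
  return ips.filter((ip, i) => classifyHost(results[i]) === "up");
}

async function fingerprint(ip, loadImage, timeoutMs = 3000) {
  const hits = [];
  for (const sig of SIGNATURES) {
    const r = await loadImage(`http://${ip}${sig.path}`, timeoutMs);
    if (r.outcome === "load") hits.push(sig.product); // the product-specific image rendered
  }
  return hits;
}

// Live hosts mapped to the products identified on them.
async function recon(prefix, loadImage, opts) {
  const report = {};
  for (const ip of await sweep(prefix, loadImage, opts)) report[ip] = await fingerprint(ip, loadImage);
  return report;
}

recon("10.0.0", fakeImageLoader, { to: 20 }).then((r) => console.log(r));
```

Everything here is legal from the page's point of view: loading images is exactly what the same origin policy permits, and the victim's browser does the scanning from inside the NAT. Only the outcome and timing leak back to the script, which is why the classification needs a threshold rather than a status code.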
HTML5 made it easy: JSRecon
www.andlabs.org/tools/jsrecon.html
Demo
What just happened?
Port scanning: beating protections
Firefox blocks known ports for WebSockets and CORS, for example http://example.com:22
Workaround: ftp://example.com:22
It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari.
It is based on timeouts, which can be configured.
WTFun
Port scanning: result
Self-triggering XSS exploits with HTML5
A common XSS occurrence is injection inside an attribute of an INPUT tag. Older techniques require user interaction to trigger this XSS (the injection starts after value="):
<input type="text" value="" onmouseover="alert('Injected value')">
• HTML5 turns this into self-triggering XSS: autofocus gives the field focus on page load, so the onfocus handler fires without any user action:
<input type="text" value="" onfocus="alert('Injected value')" autofocus>
Black-list XSS filters
HTML5 introduces many new tags and attributes; a blacklist written for the old ones does not know about them.
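An added example, not code from the slides: the attribute injection above rendered by three small templates, a vulnerable one, a blacklist-filtered one, and one that encodes the attribute value, with a minimal attribute tokenizer standing in for the browser so the result can be checked offline. The payload string is the slide's; the template, the blacklist's word list and the function names are assumptions.

```javascript
// Added example (not from the slides): why attribute encoding, not a blacklist,
// stops the self-triggering payload. Template and filter are constructed.

// Payload from the slide: closes the value attribute and adds an event handler
// that fires on page load because of autofocus.
const PAYLOAD = '" onfocus="alert(\'Injected value\')" autofocus="';

// Vulnerable: attacker-controlled text goes straight into the attribute.
function renderVulnerable(value) {
  return `<input type="text" value="${value}">`;
}

// Pre-HTML5 blacklist that strips <script> and the mouse handlers it knew about.
function renderBlacklisted(value) {
  const cleaned = value
    .replace(/<\s*script[^>]*>/gi, "")
    .replace(/\bon(mouseover|mouseout|click)\s*=/gi, "");
  return `<input type="text" value="${cleaned}">`;
}

// Fix: encode every character that can end an attribute or start a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderEscaped(value) {
  return `<input type="text" value="${escapeAttr(value)}">`;
}

// Minimal attribute tokenizer: splits a single tag the way a browser would,
// honouring quotes, and returns the attribute names it sees.
function attributeNames(tag) {
  const names = [];
  let i = tag.indexOf(" ") + 1;
  const end = tag.lastIndexOf(">");
  while (i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    let name = "";
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === "=") {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        const close = tag.indexOf(q, i + 1);
        i = close === -1 ? end : close + 1;
      } else {
        while (i < end && !/\s/.test(tag[i])) i++;
      }
    }
  }
  return names;
}

// Attributes an attacker managed to add: any event handler, or autofocus.
function injectedAttributes(html) {
  return attributeNames(html).filter((n) => n.startsWith("on") || n === "autofocus");
}

console.log(injectedAttributes(renderVulnerable(PAYLOAD)));   // [ 'onfocus', 'autofocus' ]
console.log(injectedAttributes(renderBlacklisted(PAYLOAD)));  // [ 'onfocus', 'autofocus' ]
console.log(injectedAttributes(renderEscaped(PAYLOAD)));      // []
```

The blacklist still catches the old onmouseover vector, which is what makes it look like it works; it simply has no entry for onfocus or autofocus. Encoding the attribute value does not need to know any handler names, which is the property you want from a filter.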
How does your browser become a proxy for an attacker?
http://erlend.oftedal.no/blog/?blogid=107
CSRF (Cross-Site Request Forgery)
The Sleeping Giant
The victim logs on to bank.com
Converting POST to GET
Credentials included
(Diagram: the victim is logged in to bank.com; a page on blog.net makes the browser request https://bank.com/fn?param=1, and the browser attaches the bank.com session cookie JSESSIONID=AC934234… on its own.)
Cross-Site Request Forgery
(Diagram: the attacker's post on blog.net walks the victim's browser through every step of the bank's transfer wizard, each one a request to https://bank.com/fn?param=1: Go to Transfer Assets, Select FROM Fund, Select TO Fund, Select Dollar Amount, Submit Transaction, Confirm Transaction.)
Demo: XSS & CSRF, a killer combo
Programmers prepare, users beware. The form used against the Mutillidae test application (its csrf-token value shows that the target's CSRF protection is switched off):
<form method="POST" name="form0" action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
  <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
  <input type="hidden" name="blog_entry" value="This is come from CSRF"/>
  <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>
How Does CSRF Work?
Tags
<img src="https://bank.com/fn?param=1">
<iframe src="https://bank.com/fn?param=1">
<script src="https://bank.com/fn?param=1">
Autoposting forms
<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
</form>
XmlHttpRequest
Subject to the same origin policy
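An added example, not code from the slides: the server-side checks that stop the forged requests shown above, a synchronizer token bound to the session plus an Origin/Referer check, run against constructed request records standing in for what a framework hands the handler. The site origin, the token value, the request records and the function names are assumptions. One caveat the "killer combo" slide makes clear: none of this helps once the attacker has XSS on bank.com itself, because a script running on bank.com is same-origin and can read the token.

```javascript
// Added example (not from the slides): rejecting CSRF on the server.
// SITE_ORIGIN, SESSION and the three request records are constructed.

const SITE_ORIGIN = "https://bank.com";

// Constant-time comparison so the token check does not leak by timing.
function tokensEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns null if the request may proceed, otherwise the reason it is rejected.
function csrfReject(req, session) {
  // Kills the "converting POST to GET" trick: state changes only via POST.
  if (req.method !== "POST") return "state change only via POST";
  // Browsers attach Origin to cross-site POSTs; a forged form on blog.net
  // arrives with Origin: https://blog.net no matter what the form says.
  const origin = req.headers["origin"];
  const referer = req.headers["referer"];
  const source = origin !== undefined ? origin : (referer ? new URL(referer).origin : undefined);
  if (source !== SITE_ORIGIN) return `origin ${source} not allowed`;
  // Synchronizer token: the hidden field must match the token bound to the session.
  // The attacker cannot read it from blog.net (same origin policy), so the
  // autoposting form can only guess.
  if (!tokensEqual(req.body["csrf-token"], session.csrfToken)) return "bad csrf token";
  return null;
}

// Constructed session and requests.
const SESSION = { user: "alice", csrfToken: "8f3a2c9e7d1b4a6f" };

const legit = { // submitted from bank.com's own transfer page
  method: "POST",
  headers: { origin: "https://bank.com", cookie: "JSESSIONID=AC934234" },
  body: { "csrf-token": "8f3a2c9e7d1b4a6f", sp: "8109" },
};
const forgedForm = { // auto-posting form in the attacker's post on blog.net
  method: "POST",
  headers: { origin: "https://blog.net", cookie: "JSESSIONID=AC934234" },
  body: { "csrf-token": "SecurityIsDisabled", sp: "8109" },
};
const forgedImg = { // <img src="https://bank.com/fn?param=1"> on blog.net
  method: "GET",
  headers: { referer: "https://blog.net/post/1", cookie: "JSESSIONID=AC934234" },
  body: {},
};

console.log(csrfReject(legit, SESSION));       // null
console.log(csrfReject(forgedForm, SESSION));  // origin https://blog.net not allowed
console.log(csrfReject(forgedImg, SESSION));   // state change only via POST
```

The cookie is identical in all three requests, which is the whole point of the "credentials included" slide: the session cookie cannot tell a forged request from a real one, so the server has to look at something the attacker's page cannot set or read.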
What Can Attackers Do with CSRF?
Anything an authenticated user can do:
• Click links
• Fill out and submit forms
• Follow all the steps of a wizard interface
Using CSRF to Attack Internal Pages
(Diagram: a page on attacker.com plants a TAG that the victim's internal browser loads from internal.mybank.com; the request originates inside the network, so the internal site allows it.)
Web Workers
Web Workers make it possible for JavaScript to run in the background.
Web Workers alone are not a security issue, but they can be used indirectly to launch work-intensive attacks without the user noticing.
Ravan (distributed hash cracking in JavaScript): http://www.andlabs.org/tools/ravan.html
Web Storage
Web Storage vulnerabilities & threats
Session hijacking
• If the session identifier is stored in local storage, it can be stolen with JavaScript (for example by an XSS payload).
• There is no HttpOnly flag for Web Storage.
Disclosure of confidential data
• If sensitive data is stored in local storage, it can be stolen with JavaScript.
User tracking
• One more way to identify a user.
Persistent attack vectors
• An attacker's payload can be stored persistently in the user's browser and comes back every time the application reads it.
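An added example, not from the slides or the Compass paper they draw on: a small audit that finds session material in Web Storage, which is the check a reviewer runs before an XSS payload does. It decodes JWT headers and flags credential-looking keys and long hex values. The key patterns, the sample storage dump and the function names are assumptions; the dump is constructed.

```javascript
// Added example (not from the slides): find what an injected script could
// lift out of localStorage. SENSITIVE_KEY, the hex rule and SAMPLE_STORAGE
// are constructed for the example.

const SENSITIVE_KEY = /(sess|token|auth|jwt|secret|passw)/i;
const JWT = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return atob(b64);
}

// Read a JWT header so the finding says which kind of token it is.
function describeJwt(value) {
  if (!JWT.test(value)) return null;
  try {
    const header = JSON.parse(b64urlDecode(value.split(".")[0]));
    return header.alg ? `JWT (alg=${header.alg})` : "JWT";
  } catch {
    return null;
  }
}

// entries: [[key, value], ...] as Object.entries(localStorage) would give.
function findSensitiveEntries(entries) {
  const findings = [];
  for (const [key, value] of entries) {
    const reasons = [];
    const jwt = describeJwt(value);
    if (jwt) reasons.push(jwt);
    if (SENSITIVE_KEY.test(key)) reasons.push("key name looks like a credential");
    if (/^[0-9a-f]{32,}$/i.test(value)) reasons.push("long hex string, possible session id");
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed storage dump resembling a single-page app that keeps its
// session in localStorage instead of an HttpOnly cookie.
const SAMPLE_STORAGE = [
  ["theme", "dark"],
  ["auth_token", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.c2ln"],
  ["PHPSESSID", "9f86d081884c7d659a2feaa0c55ad015"],
  ["cart", "[1,2,3]"],
];

// In a real page: findSensitiveEntries(Object.entries(localStorage))
console.log(findSensitiveEntries(SAMPLE_STORAGE));
```

Anything this reports is readable by every script on the origin, including an injected one; unlike a cookie, there is no flag to change that, so the only fix is to move the secret into an HttpOnly cookie or stop storing it client-side.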
Offline Web Application
Cache poisoning
• Caching of the root directory is possible.
• HTTP and HTTPS caching is possible.
(The Application Cache has since been deprecated and removed from current browsers in favour of Service Workers.)
OK, enough. Just tell me: can an attacker get a remote (control) shell on my PC?
Infection method known as drive-by download
In summary
Web Worker = cracking hashes in a JavaScript cloud
Web Worker + Cross-origin resource sharing = powerful DDoS attacks
Web Worker + Cross-origin resource sharing + Web Socket = web-based botnet
Is HTML5 hopelessly (in)secure?
Ahem, no… security has been a major consideration in the design of the specification. But it is incredibly hard to add features to any technology without increasing the possibility of abuse.
References
Compass Security AG, HTML5 Web Security v1: http://userguidepdf.info/html5-web-security-v1.html
http://html5sec.org
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
http://dev.w3.org/html5/spec/Overview.html
Twitter: @nahidupa
Be secure & safe
HTML5 makes everybody happy, including h4ck3rs, and keeps security professionals busy.