owasp talk-november-08

David Rook - Security Analyst, Realex Payments; Founder of www.securityninja.co.uk; Information Security Evangelist

Conor McGoveran - Managing Director, Onformonics Ltd (Compliance Management Solutions; "1,0 - there, my two bits!")

Upload: security-ninja

Post on 24-Dec-2014

DESCRIPTION

HTML5 and local storage security at OWASP Ireland chapter meeting in 2008 by David Rook.

TRANSCRIPT

Page 1: Owasp talk-november-08

Title slide (speakers as listed above)


Page 3: Owasp talk-november-08

The Internet is going offline and ......


The world is going to end (title inspired by the world-ending DNS bug and ClickJacking)

Page 4: Owasp talk-november-08

Agenda

Introduction

The web is on a diet, no more cookies!

Access Control

Same Origin Issues

SQL Issues


Page 5: Owasp talk-november-08

Isn’t the idea to be online?

Increased complexity and capability of web applications

Traditional applications going “online” such as documents, spreadsheets and task managers

This is a trend that many web applications will consider

Improved application performance



Page 11: Owasp talk-november-08

HTML history

1955 - Tim Berners-Lee


1991 - HTML Tags

1995 - HTML 2

1997 - HTML 3.2

1999 - HTML 4.01

2008 - HTML 5 (draft)



Page 13: Owasp talk-november-08

So, why HTML 5?


New elements such as <audio> and <video>

Elements such as <font> and <center> removed

New APIs:

Drag and Drop

Timed media playback

Messaging

Offline Storage

Page 14: Owasp talk-november-08

Google Gears


A web browser plugin

First to provide offline capabilities

Now embracing/extending HTML 5

Applications such as RTM and Google Docs

Currently at version 0.4


Page 15: Owasp talk-november-08

No more cookies!


No longer sufficient for Web 2.0

They are small (IE enforces a 4KB limit)

Not designed for offline storage


Page 16: Owasp talk-november-08

SessionStorage


The closest thing to cookies in HTML 5

Used when:

A user is carrying out a single transaction

A user wants to carry out multiple transactions in multiple windows

One object per origin

Uses the sessionStorage DOM object to access data


Page 17: Owasp talk-november-08

SessionStorage


For example, a page could have a checkbox that the user ticks to indicate that he wants insurance:

<label> <input type="checkbox" onchange="sessionStorage.insurance = checked ? 'true' : ''"> I want insurance on this trip.</label>

A later page could then check, from script, whether the user had checked the checkbox or not:

if (sessionStorage.insurance) { ... }

(Storage values are always strings: assigning the boolean directly would store "false" for an unticked box, and the non-empty string "false" is truthy in the later test. Storing the empty string for the unticked case keeps the check correct.)


Page 18: Owasp talk-november-08

LocalStorage


Designed to allow client side storage

Used when:

Storing users' data on the client (e.g. documents)

Data from multiple windows stored in one object

One object per origin

Uses the localStorage DOM object to access data


Page 19: Owasp talk-november-08

LocalStorage


The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom of its page:

<p>You have viewed this page <span id="count">an untold number of</span> time(s).</p>

<script>
  if (!localStorage.pageLoadCount)
    localStorage.pageLoadCount = 0;
  localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1;
  document.getElementById('count').textContent = localStorage.pageLoadCount;
</script>


Page 20: Owasp talk-november-08

Local Databases


Enables structured client side data storage

Used when:

Data such as emails need to be stored locally

Shopping carts, documents, authentication data etc

One object per origin

Uses SQLite databases



Page 22: Owasp talk-november-08

Security Issues ....


Page 23: Owasp talk-november-08

Access Control


No requirement to ask for the user's authorisation in HTML 5

Local objects only protected by local OS policies

Cross domain requests will be supported

No authentication with SQLite


Page 24: Owasp talk-november-08

Same Origin Issues


Same Origin Policy based on current implementations

Use known vulnerabilities to access local data

Buxfer example
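The "one object per origin" rule behind these slides decides which pages can read the same sessionStorage or localStorage data. As an added example (not part of the talk), the function below computes the storage origin the way the Same Origin Policy does, from scheme, host and port, and groups a constructed set of hypothetical example.com URLs by the storage object they share; path differences never separate storage, so a script running on any page of the origin sees everything the application stored there.

```javascript
// Added example, not from the slides. Uses only Node's built-in URL class.
// HTML5 storage is keyed by origin = scheme + host + port; paths do not matter.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Compute the storage key (origin) for a page URL, making the default port explicit.
function storageOrigin(pageUrl) {
  const u = new URL(pageUrl);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// True when two pages would see the same localStorage / sessionStorage object.
function sharesStorage(urlA, urlB) {
  return storageOrigin(urlA) === storageOrigin(urlB);
}

// Group page URLs by the storage object they share. Useful when auditing which
// pages (including any with third-party script includes) can reach data the
// application has written to localStorage.
function groupByOrigin(urls) {
  const groups = new Map();
  for (const url of urls) {
    const key = storageOrigin(url);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(url);
  }
  return groups;
}

// Constructed sample: a hypothetical example.com deployment.
const PAGES = [
  'http://example.com/',
  'http://example.com/account/settings', // different path: same storage
  'http://example.com:80/help',          // explicit default port: same storage
  'https://example.com/',                // different scheme: separate storage
  'http://blog.example.com/',            // different host: separate storage
  'http://example.com:8080/',            // different port: separate storage
];

for (const [origin, pages] of groupByOrigin(PAGES)) {
  console.log(origin, '->', pages.join(', '));
}
```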




Page 28: Owasp talk-november-08

SQL Database Attacks


SQL Injection, the obvious attack?

Same problems we are already seeing but on a wider scale

Cross Domain Read and Write capabilities

No size limit enforced by default (the origin's choice)

Google Gears guidance?
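The "same problems, wider scale" point is that page script now builds SQL for a local database, so any untrusted value (a search box, an email subject, a value read back from localStorage) meets SQL on the client. As an added example, not from the talk, the vulnerable concatenated query is shown beside the bound-parameter form that the Web SQL and Gears style executeSql(sql, args) API supports, plus a literal-counting check a reviewer can use to spot statements whose structure changes with the input. The browser database API does not exist in Node, so a constructed recorder stands in for the transaction object and only captures what would have been executed; table and column names are hypothetical.

```javascript
// Added example, not from the slides. Web SQL is browser-only, so this
// constructed recorder mimics the transaction object's executeSql(sql, args).
function makeRecordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args = []) { calls.push({ sql, args: [...args] }); },
  };
}

// Vulnerable: the search term is spliced into the statement text.
function searchEmailsUnsafe(tx, term) {
  tx.executeSql("SELECT id, subject FROM emails WHERE subject LIKE '%" + term + "%'");
}

// Hardened: fixed statement text, the term travels as a bound '?' argument.
function searchEmailsSafe(tx, term) {
  tx.executeSql('SELECT id, subject FROM emails WHERE subject LIKE ?', ['%' + term + '%']);
}

// Review / test-suite aid: count SQL string literals ('' is the escaped quote).
// If the count varies with user input, the statement is built by concatenation.
function countStringLiterals(sql) {
  return (sql.match(/'(?:[^']|'')*'/g) || []).length;
}

// Constructed hostile input: closes the LIKE literal and adds an always-true
// condition, which would return every row of the local mailbox.
const HOSTILE_TERM = "x%' OR '1'='1";

// Run both variants against the recorder and return what each would execute.
function demo(term = HOSTILE_TERM) {
  const unsafeTx = makeRecordingTx();
  const safeTx = makeRecordingTx();
  searchEmailsUnsafe(unsafeTx, term);
  searchEmailsSafe(safeTx, term);
  return {
    unsafeSql: unsafeTx.calls[0].sql,
    unsafeLiterals: countStringLiterals(unsafeTx.calls[0].sql),
    safeSql: safeTx.calls[0].sql,
    safeLiterals: countStringLiterals(safeTx.calls[0].sql),
    safeArgs: safeTx.calls[0].args,
  };
}

console.log(demo());
```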




Page 33: Owasp talk-november-08

Trends


Web application adoption increasing

Bringing desktop functionality to your browser

No longer a strict client/server model

Google Gears the likely winner


Page 34: Owasp talk-november-08

Future Work


Whitepaper to be produced by us on this subject

Proof of concept exploits hosted on Security Ninja

More detailed research in this area

Profit


Page 35: Owasp talk-november-08

Questions?
