1 / 57

Everybody loves html5, h4ck3rs too

Everybody loves html5, h4ck3rs too. ~# Whoami. Security Enthusiastic. Nahidul Kibria Co-Leader, OWASP Bangladesh, Senior Software Engineer, KAZ Software Ltd.   . Which part you care. Everybody loves html5…Well h4ck3rs too… What!!!. What is HTML5. Next major version of HTML.

finna
Download Presentation

Everybody loves html5, h4ck3rs too

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Everybody loves html5,h4ck3rs too

  2. ~#Whoami Security Enthusiastic Nahidul Kibria Co-Leader, OWASP Bangladesh,Senior Software Engineer, KAZ Software Ltd.   

  3. Which part you care • Everybody loves html5…Well • h4ck3rs too… What!!!

  4. What is HTML5 • Next major version of HTML. • The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1 • Adds new tags, event handlers to HTML. Many more…. • HTML5 is not finished

  5. HTML5 is already  here. • HTML5 TEST - http://html5test.com/ Many  features   supported by latest versions of FireFox, Chrome, Safari and   Opera.

  6. Standard web model

  7. COR Web sockets Iframe Sandboxing Web Messaging Html5 OVERVIEW

  8. WEB BROWSER SECURITY MODELS • The same origin policy • The cookies security mode • The Flash security model/SandBox

  9. Same Origin Policy The same origin policy prevents document or script loaded from one origin, from getting or setting properties from a of a document from a different origin. An origin is defined as the combination of • host name, • protocol, • and port number;

  10. The Browser “Same Origin” Policy bank.com XHR TAG TAG XHR JS blog.net document, cookies

  11. What Happens if the Same Origin Policy Is Broken?

  12. Some major HTML5 feature • CORS-Cross-Origin Resource Sharing • WebSockets • WebWorkers • Javascript APIs

  13. Disclaimer Today I want to show you how far and attacker go with simple JavaScript and html5 So you can convince your boss to give effort on security measure My intention is not make you panic

  14. Cross Origin Request (COR) • Originally  Ajax   calls  were subject   to   Same Origin Policy • Site  A  cannot   make XMLHttpRequests to  Site  B • HTML5   makes  it  possible  to   make these  cross  domain  • Calls site  A  can   now   make XMLHttpRequests to  Site  B  as  long  as  Site  B  allows  it. • Response   from  Site  B  should   include   a  header: • Access ‐Control ‐Allow‐Origin:  Site  A

  15. Cross-Origin Resource Sharing <allow-access-from domain="*">

  16. Why programmer happy? CORS-Cross-Origin Resource Sharing Lets see from attacker view

  17. XSS-Cross Site Scripting

  18. Demo

  19. xss attack vector

  20. Impact of xss • History Stealing • Intranet Hacking • XSS Defacements • DNS pinning • IMAP3 • MHTML • Hacking JSON • Cookie stealing • Clipboard stealing

  21. Cookie stealing Pr3venting

  22. XSS Defacements

  23. If you still cannot manage your bossMore Evil use I do not care Show me how my org is effected

  24. Attacking intranet

  25. Obtaining NAT’ed IP Addresses

  26. If the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet <script> functionnatIP() { var w = window.location; var host = w.host; var port = w.port || 80; var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress(); return Socket; } </script>

  27. Demo • Not only NAT’ed IP ,You can lots more system info

  28. Port Scanning O’ Really

  29. Port Scanning window.onerror = err; <script src=http://ip/></script> if (! msg.match(/Error loading script/)) //ip does not exit’s Else Find internal ip

  30. Blind Web Server Fingerprinting Apache Web Server /icons/apache_pb.gif HP Printer /hp/device/hp_invent_logo.gif • <imgsrc="http://intranet_ip/unique_image_url"onerror="fingerprint()"/>

  31. HTML5 Made it easy www.andlabs.org/tools/jsrecon.html Demo

  32. What just happed

  33. Port Scanning: Beating protections • Blocking example for known ports • (Firefox, WebSockets and CORS) • ➔ http://example.com:22 • Workaround! • ➔ ftp://example.com:22 • It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari • Based on timeouts, it can be configured WTFun

  34. Port Scanning: result

  35. Self‐triggering XSS exploits  with HTML5 • A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS • <inputtype="text"value="‐>Injecting here"onmouseover="alert('Injectedval')"> • • HTML5   turns  this   in   to   self ‐triggering  XSS • <inputtype="text” value="‐‐>Injecting here"onfocus="alert('Injected value')"autofocus>

  36. Black‐list XSS filters • Html5 introduce many new tag

  37. How your browser become a proxy of an attacker? http://erlend.oftedal.no/blog/?blogid=107

  38. CSRF(Cross-Site Request Forgery) • The Sleeping Giant

  39. Victim logon to bank.com

  40. Converting POST to GET

  41. bank.com Credentials Included https://bank.com/fn?param=1 JSESSIONID=AC934234… blog.net

  42. bank.com Cross-Site Request Forgery Go to Transfer Assets https://bank.com/fn?param=1 Select FROM Fund https://bank.com/fn?param=1 Select TO Fund https://bank.com/fn?param=1 Select Dollar Amount https://bank.com/fn?param=1 Submit Transaction https://bank.com/fn?param=1 Confirm Transaction https://bank.com/fn?param=1 attacker’s post at blog.net

  43. Demo <form method="POST" name="form0" action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php"> <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/> <input type="hidden" name="blog_entry" value="This is come from CSRF"/> <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/> </form> • XSS & CSRF- Killer Combo • Programmers Prepare, Users Beware

  44. How Does CSRF Work? • Tags <imgsrc=“https://bank.com/fn?param=1”> <iframesrc=“https://bank.com/fn?param=1”> <script src=“https://bank.com/fn?param=1”> • Autoposting Forms <body onload="document.forms[0].submit()"> <form method="POST" action=“https://bank.com/fn”> <input type="hidden" name="sp" value="8109"/> </form> • XmlHttpRequest • Subject to same origin policy

  45. What Can Attackers Do with CSRF? • Anything an authenticated user can do • Click links • Fill out and submit forms • Follow all the steps of a wizard interface

  46. Using CSRF to Attack Internal Pages attacker.com internal browser CSRF TAG Internal Site Allowed! internal.mybank.com

  47. Web Workers • Web Workers provide the possibility for JavaScript to run in the background. • Web Workers alone are not a security issue. • But they can be used indirectly for launching work intensive attacks without the user noticing it. http://www.andlabs.org/tools/ravan.html

  48. Web Storage

  49. Web Storage Vuln. & Threats • Session Hijacking • If session identifier is stored in local storage, it can be stolen with JavaScript. • No HTTPOnly flag. • Disclosure of Confidential Data • If sensitive data is stored in the local storage, it can be stolen with JavaScript. • User Tracking • Additional possibility to identify a user. • Persistent attack vectors • Attacker can be store persistently on the user browser

More Related