SlideShare a Scribd company logo

Html5: attack and defense

K
Ksenia Peguero

From the Security BSides London 2013 conference.

Technology
1 of 14
Software Confidence. Achieved. www.cigital.com info@cigital.com +1.703.404.9293
Who Am I? • Software security consultant at Cigital • In security for 4 years 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 2 • MS in Computer Science from George Washington University, USA • Ballroom dancer
HTML5 – a Living Standard • Cross-origin Resource Sharing (CORS) • Cross-document Messaging • Web Storage • IFRAME Sandboxing • Browser History Management • Geo-location Functionality • etc 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 3
Software Confidence. Achieved.
Configuring CORS correctly Configure the Access-Control-Allow-Origin header: • Do not use wildcards • Follow the principle of least privilege • Configure PROD environment separately from TEST environment Server configurations: • IIS7 – web.config • Apache – mod_headers 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 5 OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X- Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US- ASCII Connection: keep-alive Content-Length: 0 Header set Access-Control-Allow-Origin http://www.example.com, https://login.example.com
Web Messaging API • WHO can send messages? • Frames, iframes, parent window • HOW do they send messages? • postMessage(message, target) • window.addEventListener • WHAT is sent in the message? • Text data • Origin • Source 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 6 Attack Attack
Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 7
How to Do Web Messaging Securely • Validate origin • Validate data (on the client side) v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. window.addEventListener("message", receiveMessage, false); … function receiveMessage(event){ … if (event.origin !== "http://www.example.com") return; if (!validateEmail(event.data)) return; div.getElementById('user_email_address').textContent = event.data; …} if (event.origin !== "http://www.example.com") if (!validateEmail(event.data))
Web Storage Attacks 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 9 LocalStorage SessionStorage Issues: • Client-side trust • Cross-directory attacks: • http://myplatform.com/johnneumann/ • http://myplatform.com/adalovelace/ stored indefinitely tab storage
Protecting Web Storage • Do not store sensitive information in localStorage. • Use sessionStorage whenever possible. • Clean up localStorage when you don't need it. 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 10 function session_store (user) { sessionStorage.setItem("username", user.name); } function get_user () { var results = sessionStorage.getItem("username"); document.getElementById("divb").textContent = "Thanks for registering:" + results; sessionStorage.clear(); } sessionStorage.clear();
<iframe src="http://www.untrustedpartyiframe.com"> </iframe> Sandbox Attribute Same Origin Policy A set of restrictions for the inline iframe: •"" (no trust) •allow-same-origin •allow-top-navigation •allow-forms •allow-scripts 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 11 <iframe src="http://www.untrustedpartyiframe.com" sandbox="allow-same-origin"> </iframe> <iframe src="http://www.untrustedpartyiframe.com" sandbox=""> </iframe>
Sandboxing vs Clickjacking Frame-busting code: WebBanking.html 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 12 Disabling frame-busting code: AttackerPage.html <script> if(top != self) { top.location = self.location; } </script> <iframe src="http://bank.com/WebBanking.html" sandbox=""> </iframe>
Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 13
Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 14

Recommended

Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?Derek Edwards
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in AzureCheah Eng Soon
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRFOWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRFPaul Mooney
 

Recommended

Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?What are JSON Web Tokens and Why Should I Care?
What are JSON Web Tokens and Why Should I Care?Derek Edwards
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in AzureCheah Eng Soon
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRFOWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRFPaul Mooney
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Spring Security
Spring SecuritySpring Security
Spring SecurityManish Sharma
 
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...Microsoft Private Cloud
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworkslastrand
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Iasi code camp 20 april 2013 windows authentication-spring security -kerberos
Iasi code camp 20 april 2013 windows authentication-spring security -kerberosIasi code camp 20 april 2013 windows authentication-spring security -kerberos
Iasi code camp 20 april 2013 windows authentication-spring security -kerberosCodecamp Romania
 
Enterprise Security mit Spring Security
Enterprise Security mit Spring SecurityEnterprise Security mit Spring Security
Enterprise Security mit Spring SecurityMike Wiesner
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hackingIftach Ian Amit
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Making Software Secure by Design
Making Software Secure by DesignMaking Software Secure by Design
Making Software Secure by DesignOmegapoint Academy
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseDigicomp Academy AG
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Ionic Native: Native-powered apps, without the hassle
Ionic Native: Native-powered apps, without the hassleIonic Native: Native-powered apps, without the hassle
Ionic Native: Native-powered apps, without the hassleIonic Framework
 
Html5 local storage
Html5 local storageHtml5 local storage
Html5 local storageARIF MAHMUD RANA
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Ivo Andreev
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 

More Related Content

What's hot

Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...Microsoft Private Cloud
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworkslastrand
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Stormpath
 
Iasi code camp 20 april 2013 windows authentication-spring security -kerberos
Iasi code camp 20 april 2013 windows authentication-spring security -kerberosIasi code camp 20 april 2013 windows authentication-spring security -kerberos
Iasi code camp 20 april 2013 windows authentication-spring security -kerberosCodecamp Romania
 
Enterprise Security mit Spring Security
Enterprise Security mit Spring SecurityEnterprise Security mit Spring Security
Enterprise Security mit Spring SecurityMike Wiesner
 

What's hot (8)

Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
 
Web Application Security and Modern Frameworks
Web Application Security and Modern FrameworksWeb Application Security and Modern Frameworks
Web Application Security and Modern Frameworks
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101Mobile Authentication for iOS Applications - Stormpath 101
Mobile Authentication for iOS Applications - Stormpath 101
 
Iasi code camp 20 april 2013 windows authentication-spring security -kerberos
Iasi code camp 20 april 2013 windows authentication-spring security -kerberosIasi code camp 20 april 2013 windows authentication-spring security -kerberos
Iasi code camp 20 april 2013 windows authentication-spring security -kerberos
 
Enterprise Security mit Spring Security
Enterprise Security mit Spring SecurityEnterprise Security mit Spring Security
Enterprise Security mit Spring Security
 

Similar to Html5: attack and defense

iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Making Software Secure by Design
Making Software Secure by DesignMaking Software Secure by Design
Making Software Secure by DesignOmegapoint Academy
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseDigicomp Academy AG
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Ionic Native: Native-powered apps, without the hassle
Ionic Native: Native-powered apps, without the hassleIonic Native: Native-powered apps, without the hassle
Ionic Native: Native-powered apps, without the hassleIonic Framework
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Ivo Andreev
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
Google & FIDO Authentication
Google & FIDO AuthenticationGoogle & FIDO Authentication
Google & FIDO AuthenticationFIDO Alliance
 
Sqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data SilosSqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data SilosSqrrl
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...
Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...
Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...HostedbyConfluent
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...ThreatReel Podcast
 

Similar to Html5: attack and defense (20)

iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Making Software Secure by Design
Making Software Secure by DesignMaking Software Secure by Design
Making Software Secure by Design
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile Enterprise
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Ionic Native: Native-powered apps, without the hassle
Ionic Native: Native-powered apps, without the hassleIonic Native: Native-powered apps, without the hassle
Ionic Native: Native-powered apps, without the hassle
 
Html5 local storage
Html5 local storageHtml5 local storage
Html5 local storage
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
Google & FIDO Authentication
Google & FIDO AuthenticationGoogle & FIDO Authentication
Google & FIDO Authentication
 
Sqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data SilosSqrrl February Webinar: Breaking Down Data Silos
Sqrrl February Webinar: Breaking Down Data Silos
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...
Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...
Mitigating One Million Security Threats With Kafka and Spark With Arun Janart...
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 

More from Ksenia Peguero

Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
How Secure Is AngularJS?
How Secure Is AngularJS?How Secure Is AngularJS?
How Secure Is AngularJS?Ksenia Peguero
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript InsecurityKsenia Peguero
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 

More from Ksenia Peguero (6)

Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
How Secure Is AngularJS?
How Secure Is AngularJS?How Secure Is AngularJS?
How Secure Is AngularJS?
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript Insecurity
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 

Recently uploaded

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Html5: attack and defense

  • 2. Who Am I? • Software security consultant at Cigital • In security for 4 years 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 2 • MS in Computer Science from George Washington University, USA • Ballroom dancer
  • 3. HTML5 – a Living Standard • Cross-origin Resource Sharing (CORS) • Cross-document Messaging • Web Storage • IFRAME Sandboxing • Browser History Management • Geo-location Functionality • etc 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 3
  • 5. Configuring CORS correctly Configure the Access-Control-Allow-Origin header: • Do not use wildcards • Follow the principle of least privilege • Configure PROD environment separately from TEST environment Server configurations: • IIS7 – web.config • Apache – mod_headers 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 5 OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X- Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US- ASCII Connection: keep-alive Content-Length: 0 Header set Access-Control-Allow-Origin http://www.example.com, https://login.example.com
  • 6. Web Messaging API • WHO can send messages? • Frames, iframes, parent window • HOW do they send messages? • postMessage(message, target) • window.addEventListener • WHAT is sent in the message? • Text data • Origin • Source 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 6 Attack Attack
  • 7. Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 7
  • 8. How to Do Web Messaging Securely • Validate origin • Validate data (on the client side) v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. window.addEventListener("message", receiveMessage, false); … function receiveMessage(event){ … if (event.origin !== "http://www.example.com") return; if (!validateEmail(event.data)) return; div.getElementById('user_email_address').textContent = event.data; …} if (event.origin !== "http://www.example.com") if (!validateEmail(event.data))
  • 9. Web Storage Attacks 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 9 LocalStorage SessionStorage Issues: • Client-side trust • Cross-directory attacks: • http://myplatform.com/johnneumann/ • http://myplatform.com/adalovelace/ stored indefinitely tab storage
  • 10. Protecting Web Storage • Do not store sensitive information in localStorage. • Use sessionStorage whenever possible. • Clean up localStorage when you don't need it. 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 10 function session_store (user) { sessionStorage.setItem("username", user.name); } function get_user () { var results = sessionStorage.getItem("username"); document.getElementById("divb").textContent = "Thanks for registering:" + results; sessionStorage.clear(); } sessionStorage.clear();
  • 11. <iframe src="http://www.untrustedpartyiframe.com"> </iframe> Sandbox Attribute Same Origin Policy A set of restrictions for the inline iframe: •"" (no trust) •allow-same-origin •allow-top-navigation •allow-forms •allow-scripts 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 11 <iframe src="http://www.untrustedpartyiframe.com" sandbox="allow-same-origin"> </iframe> <iframe src="http://www.untrustedpartyiframe.com" sandbox=""> </iframe>
  • 12. Sandboxing vs Clickjacking Frame-busting code: WebBanking.html 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 12 Disabling frame-busting code: AttackerPage.html <script> if(top != self) { top.location = self.location; } </script> <iframe src="http://bank.com/WebBanking.html" sandbox=""> </iframe>
  • 13. Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 13
  • 14. Software Confidence. Achieved.v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.7/11/2013 6:59 PM 14