OWASP talk - November 08
1. David Rook: Security Analyst - Realex Payments; Founder of www.securityninja.co.uk; Information Security Evangelist
Conor McGoveran: Managing Director - Onformonics Ltd; Compliance Management Solutions
1,0 - there, my two bits!
2-3. The Internet is going offline and ......
The world is going to end
(Title inspired by the world-ending DNS bug and ClickJacking)
4. Agenda
Introduction
The web is on a diet, no more cookies!
Access Control
Same Origin Issues
SQL Issues
5. Isn't the idea to be online?
Increased complexity and capability of web applications
Traditional applications going "online", such as documents, spreadsheets and task managers
This is a trend that many web applications will consider
Improved application performance
6-11. HTML history
1955 - Tim Berners-Lee
1991 - HTML Tags
1995 - HTML 2
1997 - HTML 3.2
1999 - HTML 4.01
2008 - HTML 5 (draft)
12-13. So, why HTML 5?
New elements such as <audio> and <video>
Elements such as <font> and <center> removed
New APIs:
Drag and Drop
Timed media playback
Messaging
Offline Storage
14. Google Gears
A web browser plugin
First to provide offline capabilities
Now embracing/extending HTML 5
Applications such as RTM and Google Docs
Currently at version 0.4
15. No more cookies!
No longer sufficient for Web 2.0
They are small (IE enforces a 4KB limit)
Not designed for offline storage
16. SessionStorage
The closest thing to cookies in HTML 5
Used when:
A user is carrying out a single transaction
A user wants to carry out multiple transactions in multiple windows
One object per origin
Uses the sessionStorage DOM object to access data
17. SessionStorage
For example, a page could have a checkbox that the user ticks to indicate that he wants insurance:
<label>
  <input type="checkbox" onchange="sessionStorage.insurance = checked">
  I want insurance on this trip.
</label>
A later page could then check, from script, whether the user had checked the checkbox or not:
if (sessionStorage.insurance) { ... }
18. LocalStorage
Designed to allow client side storage
Used when:
Storing users' data on the client (e.g. documents)
Data from multiple windows stored in one object
One object per origin
Uses the localStorage DOM object to access data
19. LocalStorage
The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom of its page:
<p>
  You have viewed this page
  <span id="count">an untold number of</span>
  time(s).
</p>
<script>
  if (!localStorage.pageLoadCount)
    localStorage.pageLoadCount = 0;
  localStorage.pageLoadCount = parseInt(localStorage.pageLoadCount, 10) + 1;
  document.getElementById('count').textContent = localStorage.pageLoadCount;
</script>
20. Local Databases
Enables structured client side data storage
Used when:
Data such as emails needs to be stored locally
Shopping carts, documents, authentication data, etc.
One object per origin
Uses SQLite databases
22. Security Issues ....
23. Access Control
No requirement to ask for the user's authorisation in HTML 5
Local objects only protected by local OS policies
Cross-domain requests will be supported
No authentication with SQLite
24. Same Origin Issues
Same Origin Policy based on current implementations
Use known vulnerabilities to access local data
Buxfer example
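An added example (not from the talk) of the point made in the Access Control and Same Origin slides: everything an origin puts in sessionStorage or localStorage is readable by any script that runs in that origin, so auditing what is stored there for sensitive-looking entries is a useful check. The key-name pattern, the MemoryStorage stand-in and the sample data are assumptions constructed for this example.

```javascript
// Added example, not from the talk: audit what an origin keeps in Web Storage.
// Any script running in the origin (for instance through an XSS bug) can read
// these objects, so session tokens or passwords should never be stored there.
// The key-name pattern, token pattern and sample store are constructed here.
const SENSITIVE_KEY = /(pass(word|wd)?|secret|token|session|auth|card|cvv)/i;
const TOKEN_LIKE = /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/; // three base64url segments

// Works on anything exposing the Storage interface: length, key(i), getItem(k).
function auditStorage(storage, name) {
  const findings = [];
  let totalBytes = 0;
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || '';
    totalBytes += (key.length + value.length) * 2; // UTF-16 code units
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('sensitive key name');
    if (TOKEN_LIKE.test(value)) reasons.push('value looks like a signed token');
    if (reasons.length > 0) findings.push({ key, reasons });
  }
  return { store: name, items: storage.length, totalBytes, findings };
}

// Minimal stand-in with the same interface so the audit also runs outside a
// browser; in a page you pass window.localStorage / window.sessionStorage.
class MemoryStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { const k = [...this.map.keys()][i]; return k === undefined ? null : k; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// Constructed sample resembling an offline shopping application's storage.
const sample = new MemoryStorage({
  cart: '[{"sku":"A1","qty":2}]',
  theme: 'dark',
  sessionToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl',
});

// In a browser call auditStorage(window.localStorage, 'localStorage') and
// auditStorage(window.sessionStorage, 'sessionStorage'); here the sample is audited.
console.log(JSON.stringify(auditStorage(sample, 'sample'), null, 2));
```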
25. Same Origin Issues
26-29. SQL Database Attacks
SQL Injection, the obvious attack?
Same problems we are already seeing, but on a wider scale
Cross-domain read and write capabilities
No size limit enforced by default (the origin's choice)
Google Gears guidance?
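An added example (not from the talk) of the injection defect these slides describe, moved into the client-side SQL database API (openDatabase / executeSql) that Gears and the HTML 5 draft expose, with the parameterised form beside it. The messages table, its columns and the inputs used are assumptions constructed for this example.

```javascript
// Added example, not from the talk: the injection defect the slide describes,
// moved into the client-side SQL database API (openDatabase / executeSql).
// The messages table, its columns and the inputs used below are constructed.

// UNSAFE: the value is spliced into the statement text, so any quote in it
// changes the structure of the statement; whatever the origin stores locally
// (mail, carts, cached credentials) is then exposed to the caller's input.
function unsafeFindMessages(folder) {
  return "SELECT id, subject FROM messages WHERE folder = '" + folder + "'";
}

// SAFE: fixed statement text; the value travels separately as a bound
// parameter and executeSql(sql, args) substitutes it for the '?' itself.
function safeFindMessages(folder) {
  return { sql: 'SELECT id, subject FROM messages WHERE folder = ?', args: [folder] };
}

// Crude structural check for a review or test suite: quotes in the statement
// text must pair up and no comment marker may appear; a value containing an
// apostrophe fails it for the unsafe builder and passes for the safe one.
function statementIsIntact(sql) {
  const quotes = (sql.match(/'/g) || []).length;
  return quotes % 2 === 0 && !sql.includes('--');
}

// Runs the safe lookup inside a Web SQL transaction; callbacks follow the API:
// success (transaction, resultSet), failure (transaction, error).
function runLookup(tx, folder, onRow) {
  const { sql, args } = safeFindMessages(folder);
  tx.executeSql(sql, args, (t, rs) => {
    for (let i = 0; i < rs.rows.length; i++) onRow(rs.rows.item(i));
  }, (t, err) => console.error('query failed:', err.message));
}

// Only browsers that still ship Web SQL have openDatabase; Node does not.
if (typeof openDatabase === 'function') {
  const db = openDatabase('mail', '1.0', 'Offline mail cache', 5 * 1024 * 1024);
  db.transaction((tx) => runLookup(tx, 'inbox', (row) => console.log(row.subject)));
}

// Constructed inputs: a plain folder name and one containing an apostrophe.
for (const folder of ['inbox', "O'Brien"]) {
  console.log(folder, 'unsafe intact:', statementIsIntact(unsafeFindMessages(folder)),
              'safe intact:', statementIsIntact(safeFindMessages(folder).sql));
}
```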
30-33. Trends
Web application adoption increasing
Bringing desktop functionality to your browser
No longer a strict client/server model
Google Gears the likely winner
34. Future Work
More detailed research in this area
Whitepaper to be produced by us on this subject
Proof of concept exploits hosted on Security Ninja
Profit
35. Questions?