HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

Size: px

Start display at page:

Download "HTML5 Web Security. Thomas Röthlisberger IT Security Analyst"

Ethelbert Cobb
5 years ago
Views:

1 HTML5 Web Security Thomas Röthlisberger IT Security Analyst Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

2 What is this talk about? Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

3 Agenda What is HTML5? Vulnerabilities, Threats & Countermeasures Conclusion Demo CORS Demo Web Workers Quiz and Q&A Slide 3

4 The Voting Device Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

5 The Voting Device It enables you to participate on votings The device has no batteries, so it works autarkic You power it by shaking it until green light flashes Slide 5

6 The Voting Let s give it a try... Slide 6

7 What is HTML5? Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

8 History HTML 4.01 XHTML 1.0 XHTML 1.1 WHATWG XHTML 2.0 Web Applications 1.0 HTML5 Slide 8

9 History HTML5 is not finished! The specification achieved CANDIDATE RECOMMENDATION status on 17 December However, it is still a draft version and may be updated. Slide 9

10 HTML5 TEST - out of a total of 500 points Slide 10

11 Overview Slide 11

12 Vulnerabilities, Threats and Countermeasures (if any) Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

13 Cross-Origin Resource Sharing Slide 13

14 Cross-Origin Resource Sharing I Slide 14

15 Cross-Origin Resource Sharing II GET / HTTP/1.1 Host: domainb.csnc.ch Origin: HTTP/ OK Content-Type: text/html Access-Control-Allow-Origin: Slide 15

16 CORS Vulnerabilities & Threats I Accessing internal websites Scanning the internal network Slide 16

17 CORS Vulnerabilities & Threats II Remote attacking a web server Easier exploiting of Cross-Site Request Forgery (XSRF) Establishing a remote shell (DEMO) Slide 17

18 Countermeasures Use the Access-Control-Allow-Origin header to restrict the allowed domains. Never set the header to *. Do not base access control on the origin header. To mitigate DDoS attacks the Web Application Firewall (WAF) needs to block CORS requests if they arrive in a high frequency. Slide 18

19 Web Storage Slide 19

20 Web Storage Slide 20

21 Web Storage Vuln. & Threats Session Hijacking If session identifier is stored in local storage, it can be stolen with JavaScript. No HTTPOnly flag. Disclosure of Confidential Data If sensitive data is stored in the local storage, it can be stolen with JavaScript. User Tracking Additional possibility to identify a user. Persistent attack vectors Attack vectors can be stored persistently in the victim s browser. Slide 21

22 Countermeasures Use cookies instead of Local Storage for session handling. Do not store sensitive data in Local Storage. Slide 22

23 Offline Web Application Slide 23

24 Offline Web Application <!DOCTYPE HTML> <html manifest="/cache.manifest"> <body>... Example cache.manifest CACHE MANIFEST /style.css /helper.js /csnc-logo.jpg NETWORK: /visitor_counter.jsp FALLBACK: / /offline_error_message.html Slide 24

25 OWA Vulnerabilities & Threats Cache Poisoning Caching of the root directory possible. HTTP and HTTPs caching possible. Persistent attack vectors Attack vectors can be stored persistently in the victim s browser. User Tracking Additional possibility to identify a user. Unique identifiers could be stored along with the cached files. Slide 25

26 Offline Web Application Attack 1/2 Slide 26

27 Offline Web Application Attack 2/2 Slide 27

28 Countermeasures User Training => Do not accept caching of web applications! => Clear the cache including Local Storage and Offline Web Applications! Slide 28

29 Web Messaging Slide 29

Web Messaging Embedding HTML Page internal.csnc.ch postmessage() <IFrame src="external.csnc.ch" [ ] Stealing confidential data Sensitive data may be sent accidently to a malicious IFrame.

30 Web Messaging Embedding HTML Page internal.csnc.ch postmessage() <IFrame src="external.csnc.ch" [ ] Stealing confidential data Sensitive data may be sent accidently to a malicious IFrame. Expands attack surface to the client IFrames can send malicious content to other IFrames. Input validation on the server is not longer sufficient. Slide 30

31 Countermeasures The target in postmessage() should be defined explicitly and not set to *. The receiving IFrame should not accept messages from any domain. E.g. e.origin == " The received message needs to be validated on the client to avoid malicious content being executed. Slide 31

32 Custom scheme and content handlers Slide 32

Sending e-mails through this web application gives the attacker access to the content of the

33 Custom scheme and content handlers Stealing confidential data An attacker tricks the user to register a malicious website as the protocol handler. Sending s through this web application gives the attacker access to the content of the . User Tracking Additional possibility to identify a user. Unique identifiers could be stored along with the protocol handler. Slide 33

34 Countermeasures User Training => Do not accept registration of protocol handlers! Slide 34

35 Web Sockets API Slide 35

36 Web Sockets API Slide 36

Fixed by introducing masking of the web socket data frames.

37 Web Sockets API Vuln. & Threats Cache Poisoning A misunderstanding proxy could lead to a cache poisoning vulnerability. Fixed by introducing masking of the web socket data frames. Scanning the internal network The browser of a victim can be used for port scanning of internal networks. Establishing a remote shell Web Sockets can be used to establish a remote shell to a victim s browser. Slide 37

38 Countermeasures The risks of the Web Sockets API needs to be accepted. The user could disable it in the browser. Slide 38

39 Geolocation API Slide 39

40 Geolocation API User Tracking User tracking based on the location of a user. If users are registered, their physical movement profile could be tracked. The anonymity of users could be broken. Slide 40

41 Countermeasures User Training => Do not accept to share location information! Slide 41

42 Web Workers Slide 42

Web Workers Web Workers provide the possibility for JavaScript to run in the background Prior to Web Workers using JavaScript for long processing jobs was not feasible because it is slower than

43 Web Workers Web Workers provide the possibility for JavaScript to run in the background Prior to Web Workers using JavaScript for long processing jobs was not feasible because it is slower than native code and the browsers freezes till the processing is completed Web Workers alone are not a security issue. But they can be used indirectly for launching work intensive attacks without the user noticing it. Slide 43

44 Worst Case Scenarios Feature! Cracking Hashes in JS Cloud (DEMO). Powerful DDoS attacks. Web-based Botnet. Slide 44

45 Conclusion Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

46 Some HTML5 features are the vulnerabilities themselves. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

47 Not all issues can be mitigated through secure server-side implementation. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

48 Cross-Site Scripting (XSS) becomes even worse. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

49 USE IE 6 ;) Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax team@csnc.ch

50 DEMO Exploiting Cross-Origin Resource Sharing Shell of the Future Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

51 DEMO CORS Shell of the Future Simplified: Slide 51

52 DEMO Exploiting Web Workers Ravan Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel Fax

53 DEMO Web Workers Ravan Slide 53

54 DEMO Web Workers Ravan 14d6a3e0201f58bfe7c01e775973e80e Slide 54

55 Quiz and Q&A Slide 55

56 DEMO Web Workers Ravan BREAK Presentation Video Online: Try HTML5 cases at home: Slide 56

57 References Master Thesis HTML 5 web security Michael Schmidt 31 March 2011 Article HTML5 web security (extract of master thesis) Michael Schmidt, Thomas Röthlisberger 6 December Attack and Defense Labs Lavakumar Kuppan A vocabulary and associated APIs for HTML and XHTML W3C, HTML5 specification 17 December Slide 57

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch