HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys

Similar documents
RKN 2015 Application Layer Short Summary

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Tabular Presentation of the Application Software Extended Package for Web Browsers

EasyCrypt passes an independent security audit

Using HTML5 To Make JavaScript (Mostly) Secure. Mike Shema Hacker Halted US September 20, 2013

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

WHY CSRF WORKS. Implicit authentication by Web browsers

Extending the browser to secure applications

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Browser code isolation

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Content Security Policy

Chrome Extension Security Architecture

Match the attack to its description:

Origin Policy Enforcement in Modern Browsers

Robust Defenses for Cross-Site Request Forgery

Founded the web application security lab

Content Security Policy

CIS 4360 Secure Computer Systems XSS

Application Software Extended Package for Web Browsers. Version: National Information Assurance Partnership

Robust Defenses for Cross-Site Request Forgery

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

Application Software Extended Package for Web Browsers. Version: National Information Assurance Partnership

W3Conf, November 15 & 16, Brad Scott

Certified Secure Web Application Security Test Checklist

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Acknowledgments... xix

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Application security : going quicker

I, J, K. Lightweight directory access protocol (LDAP), 162

OWASP Top 10 The Ten Most Critical Web Application Security Risks

CSE484 Final Study Guide

Certified Secure Web Application Secure Development Checklist

Common Websites Security Issues. Ziv Perry

CS 161 Computer Security

IronWASP (Iron Web application Advanced Security testing Platform)

Solutions Business Manager Web Application Security Assessment

OAuth 2 and Native Apps

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Client Side Security And Testing Tools

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

CSC 482/582: Computer Security. Cross-Site Security

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web Security. Course: EPL 682 Name: Savvas Savva

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CS 161 Computer Security

OpenID Security Analysis and Evaluation

Requirements from the Application Software Extended Package for Web Browsers

Security For The People End-User Authentication Security On The Internet. Mark Stanislav

Modern client-side defenses. Deian Stefan

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

So we broke all CSPs. You won't guess what happened next!

Writing Secure Chrome Apps and Extensions

HTML5 a clear & present danger

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

COMP9321 Web Application Engineering

Cookies, sessions and authentication

Web Application Penetration Testing

CS 161 Computer Security

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Index LICENSED PRODUCT NOT FOR RESALE

Defense-in-depth techniques. for modern web applications

October 08: Introduction to Web Security

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Hacking with WebSockets. Mike Shema Sergey Shekyan Vaagn Toukharian

Bugcrowd v1.6 - Nov. 2, 2018

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Developing Web Applications

Sichere Software vom Java-Entwickler

More attacks on clients: Click-jacking/UI redressing, CSRF

Human vs Artificial intelligence Battle of Trust

Man-In-The-Browser Attacks. Daniel Tomescu

Web Security: Vulnerabilities & Attacks

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Evaluating the Security Risks of Static vs. Dynamic Websites

COMET, HTML5 WEBSOCKETS OVERVIEW OF WEB BASED SERVER PUSH TECHNOLOGIES. Comet HTML5 WebSockets. Peter R. Egli INDIGOO.COM. indigoo.com. 1/18 Rev. 2.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

s642 web security computer security adam everspaugh

USING HTML5 WEBSOCKETS SECURELY

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Applications Security

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

WEB SECURITY: XSS & CSRF

haltdos - Web Application Firewall

Contents. xvii xix xxiil. xxvii

As a Software company Customer, my data must be protected from unintentional disclosure to other customers or external parties.

Vulnerabilities in online banking applications

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

Fundamentals of Web Development. Web Development. Fundamentals of. Global edition. Global edition. Randy Connolly Ricardo Hoar

Transcription:

HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys

A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification defines the 5th major revision of the core language of the World Wide Web: the Hypertext Markup Is my Language Geocities (HTML). In this site version, secure? new features are introduced to help Web application authors, new elements are introduced based on research into prevailing authoring practices, and special attention has been given to defining clear conformance criteria for user agents in an effort to improve interoperability. HTML4 HTML5 Web 2.0 2

The Path to HTML5 3350 B.C. Cuneiform enables stone markup languages. July 1984 Cyberspace. A consensual hallucination... Neuromancer, p. 0x33. Dec 1990 CERN httpd starts serving HTML. Nov 1995 HTML 2.0 standardized in RFC 1866. Dec 1999 HTML 4.01 finalized.

HTML5. Meaning vs. Mythology <!doctype html> Cross Origin Resource Sharing WebSocket API Web Storage Web Workers Social [ ] [ ] as a Service Web 2.0++ Flash, Silverlight CSRF Clickjacking

Default Secure Takes Time Mar 2012 Nov 2009 Apr 2002

Default Insecure Is Enduring Dec 2005 Mar 2012

Developer Insecure Is Eternal Advanced Persistent Ignorance

JavaScript: Client(?!) Code The global scope of superglobals The prototypes of mass assignment The eval() of SQL injection The best way to create powerful browser apps The main accomplice to HTML5

History of Web Designs Cookies Implementation by fiat, not by standard A path of ornamentation, not origin HTTP/HTTPS, JavaScript/non-JavaScript Same Origin Policy Access everything, read some things No privilege or all privilege, not least privilege User Agent sniffing HTTPS Not the default Relies on DNS

The Dramatic Journey to HTML5 (WAP, WML) (XHTML) CSRF Clickjacking <video> WebGL WebSocket API

Mixing Markup & Methods HTML2 (1995) HTML4 (1998) <img src="javascript:errurl='http:// site/users/anon/hotmail/ getmsg.htm';nomenulinks=top.subme nu.document.links.length;for(i=0; i<nomenulinks-1;i++) {top.submenu.document.links[i].ta rget='work'; top.submenu.document.links[i].hre f=errurl;} noworklinks=top.work.document.lin ks.length; for(i=0;i<noworklinks-1;i++) {top.work.document.links[i].targe t='work'; top.work.document.links[i].href=e rrurl;

HTML5 Injection Legacy and non-standard modes won t disappear Look at this from the historical perspective of design and implementation Section 8.2 unifies parsing HTML Same old same origin <div id=mycode style="background: url('java script:eval(document.all.mycode.expr)')" expr="..."></div>

HTML5 Form Validation <input pattern="[a-z]+" name="alpha_only"... <input... autofocus onfocus="... Yes, you can re-add that logic server-side, but why would you want to add that kind of logic twice. -- illustrative mailing list comment from 2011

Defense from Design Sandboxing iframes, form submission, javascript execution Improving granularity of Same Origin Policy Cross Origin Resource Sharing Better than JSONP Content Security Policy Monitor/enforce eases adoption

The Other HTML5 Web Storage API Transparent resource Privacy extraction, not SQL injection WebSocket API Another vector for launching DoS attacks from the browser Does not confer authentication & authorization to a protocol layered over WebSockets A chance to reinvent protocol vulnerabilities

Reinventing Protocol Vulns Prefixed strings Identification Authorization Information leakage Replay Spoofing eval()

More Processing in the Browser Same Origin Policy still a coarse-grained control Bring HTML5 to HTML4 Emulate IndexedDB, etc. Leveraging JavaScript s global scope DOM-based XSS evals, xhrs More work for blacklists and filters

Improving Browsers Process separation Sandboxed plugins Bug bounties X-Frame-Options XSS Auditors HTML5 should be the only version number you need

Never Mind the IDN, Here s the...

Mobile: What Design? User expectations Who cares about the URL anymore? It s hardly even visible. Embedded browser-like features are not embedded browsers Same Origin Policy enforcement Certification verification User tracking

Privacy: 1 Billion Reasons To Care Geolocation Supercookies Do-Not-Track HSTS Soylent Grün ist Menschenfleisch!

Threats, Troubles, Trends Frames Sharing, nesting, moving between Origins Plugins Outside of sandbox, outside of HTML5 Worse security than browsers More specs Hardware access, monitoring Passwords Plaintext from browser to server, encrypted on server OAuth & OpenID?

JavaScript Libraries Ext JS 1.1.1 to 4.0.7 jquery 1.0.2 to 1.2.5 Modernizer 1.1 to 2.5.3 MooTools 1.1 to 1.4.5 Prototype 1.3.0 to 1.7.0 YAHOO 2.2.0 to 2.9.0 YUI 3.0.0 to 3.4.1

Recognizing Positive Security Acknowledges threats intended to counter, and those it doesn t Encrypted transport Adherence to Same Origin Preflight checks for authorization Authentication & authorization grants have short lifetimes Requires least privilege, least data Parsing failures fail, not fix up

HTML5 Is Good For You Beware of legacy support for and within old browsers Abolish plugins Deploy headers: X-Frame-Options, HSTS, CSP Data security is better

Questions? Thank You! http://deadliestwebattacks.com/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback