HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

Similar documents
HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

HTML5 a clear & present danger

RKN 2015 Application Layer Short Summary

C Arrays and Pointers

National Cyber Storm Competition Hands-On Security Challenges OWASP AppSec Beijing 2013

Chrome Extension Security Architecture

Exploit Mitigation - PIE

Web Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech

Advanced Web Security

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

COMP9321 Web Application Engineering

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

Copyright

Remote Exploit. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

WHY CSRF WORKS. Implicit authentication by Web browsers

Social Engineering The devil is in the details

Common Websites Security Issues. Ziv Perry

Match the attack to its description:

WEB SECURITY: XSS & CSRF

Application vulnerabilities and defences

Browser code isolation

WEB APPLICATION PENETRATION TESTING EXTREME VERSION 1

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

COMP9321 Web Application Engineering

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

For Bitcoins and Bounties James Kettle

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Penetration Test Report

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CIS 4360 Secure Computer Systems XSS

Copyright is owned by the Author of the thesis. Permission is given for a copy to be downloaded by an individual for the purpose of research and

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

CSC 482/582: Computer Security. Cross-Site Security

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Preparing for the Cross Site Request Forgery Defense

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

COMET, HTML5 WEBSOCKETS OVERVIEW OF WEB BASED SERVER PUSH TECHNOLOGIES. Comet HTML5 WebSockets. Peter R. Egli INDIGOO.COM. indigoo.com. 1/18 Rev. 2.

P2_L12 Web Security Page 1

Web Security II. Slides from M. Hicks, University of Maryland

Eradicating DNS Rebinding with the Extended Same-Origin Policy

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Certified Secure Web Application Engineer

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Hacking Intranet Websites from the Outside

More attacks on clients: Click-jacking/UI redressing, CSRF

CSWAE Certified Secure Web Application Engineer

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

COMP9321 Web Application Engineering

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Multi-Post XSRF Web App Exploitation, total pwnage

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

last time: command injection


2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web basics: HTTP cookies

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Web Application Vulnerabilities: OWASP Top 10 Revisited

Windows Phone 8 Security

Dell SonicWALL Secure Mobile Access 8.5. Web Application Firewall Feature Guide

Web basics: HTTP cookies

Integrity attacks (from data to code): Cross-site Scripting - XSS

Content Security Policy

Password Managers: Attacks and Defenses

GOING WHERE NO WAFS HAVE GONE BEFORE

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Top 10 AJAX security holes & driving factors

Writing Secure Chrome Apps and Extensions

C1: Define Security Requirements

OWASP TOP 10. By: Ilia

Fundamentals of Website Development

HTTP Security Headers Explained

EasyCrypt passes an independent security audit

Welcome to the OWASP TOP 10

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Human vs Artificial intelligence Battle of Trust

Aguascalientes Local Chapter. Kickoff

Enterprise D/DoS Mitigation Solution offering

Exploiting and Defending: Common Web Application Vulnerabilities

ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

CSCD 303 Essential Computer Security Fall 2018

Sichere Software vom Java-Entwickler

Mobile LOIC Counter Measures

DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

October 08: Introduction to Web Security

Transcription:

HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

What is this talk about? Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Agenda What is HTML5? Vulnerabilities, Threats & Countermeasures Conclusion Demo CORS Demo Web Workers Quiz and Q&A Slide 3

The Voting Device Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

The Voting Device It enables you to participate on votings The device has no batteries, so it works autarkic You power it by shaking it until green light flashes Slide 5

The Voting Let s give it a try... Slide 6

What is HTML5? Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

History HTML 4.01 XHTML 1.0 XHTML 1.1 WHATWG XHTML 2.0 Web Applications 1.0 HTML5 Slide 8

History HTML5 is not finished! The specification achieved CANDIDATE RECOMMENDATION status on 17 December 2012. Newest version is from 6 August 2013. However, it is still a draft version and may be updated. Slide 9

HTML5 TEST - http://html5test.com/ Slide 10

Overview Slide 11

Vulnerabilities, Threats and Countermeasures (if any) Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Cross-Origin Resource Sharing Slide 13

Cross-Origin Resource Sharing I Slide 14

Cross-Origin Resource Sharing II GET / HTTP/1.1 Host: domainb.csnc.ch Origin: http://domaina.csnc.ch HTTP/1.1 200 OK Content-Type: text/html Access-Control-Allow-Origin: http://domaina.csnc.ch Slide 15

CORS Vulnerabilities & Threats I Accessing internal websites Scanning the internal network Slide 16

CORS Vulnerabilities & Threats II Remote attacking a web server Easier exploiting of Cross-Site Request Forgery (XSRF) Establishing a remote shell (DEMO) Slide 17

Countermeasures Use the Access-Control-Allow-Origin header to restrict the allowed domains. Never set the header to *. Do not base access control on the origin header. To mitigate DDoS attacks the Web Application Firewall (WAF) needs to block CORS requests if they arrive in a high frequency. Slide 18

Web Storage Slide 19

Web Storage Slide 20

Web Storage Vuln. & Threats Session Hijacking If session identifier is stored in local storage, it can be stolen with JavaScript. No HTTPOnly flag. Disclosure of Confidential Data If sensitive data is stored in the local storage, it can be stolen with JavaScript. User Tracking Additional possibility to identify a user. Persistent attack vectors Attack vectors can be stored persistently in the victim s browser. Slide 21

Countermeasures Use cookies instead of Local Storage for session handling. Do not store sensitive data in Local Storage. Slide 22

Offline Web Application Slide 23

Offline Web Application <!DOCTYPE HTML> <html manifest="/cache.manifest"> <body>... Example cache.manifest CACHE MANIFEST /style.css /helper.js /csnc-logo.jpg NETWORK: /visitor_counter.jsp FALLBACK: / /offline_error_message.html Slide 24

OWA Vulnerabilities & Threats Cache Poisoning Caching of the root directory possible. HTTP and HTTPs caching possible. Persistent attack vectors Attack vectors can be stored persistently in the victim s browser. User Tracking Additional possibility to identify a user. Unique identifiers could be stored along with the cached files. Slide 25

Offline Web Application Attack 1/2 Slide 26

Offline Web Application Attack 2/2 Slide 27

Countermeasures User Training => Do not accept caching of web applications! => Clear the cache including Local Storage and Offline Web Applications! Slide 28

Web Messaging Slide 29

Web Messaging Embedding HTML Page html5demos.com postmessage() <IFrame src="jsbin.com" [ ] Send Message: var win = document.getelementbyid("iframe").contentwindow; win.postmessage( document.getelementbyid("message").value, "http://jsbin.com" ); Slide 30

Web Messaging Embedding HTML Page html5demos.com postmessage() <IFrame src="jsbin.com" [ ] Receive Message: window.onmessage = function(e){ if ( e.origin!== "http://html5demos.com" ) { } return; document.getelementbyid("test").innerhtml = e.origin + " said: " + e.data; }; Slide 31

Web Messaging Embedding HTML Page html5demos.com postmessage() <IFrame src="jsbin.com" [ ] Stealing confidential data Sensitive data may be sent accidently to a malicious IFrame. Expands attack surface to the client IFrames can send malicious content to other IFrames. Input validation on the server is not longer sufficient. Slide 32

Web Messaging - DEMO Embedding HTML Page html5demos.com postmessage() XSS <IFrame src="jsbin.com" [ ] Slide 33

Countermeasures The target in postmessage() should be defined explicitly and not set to *. The receiving IFrame should not accept messages from any domain. E.g. e.origin == "http://internal.csnc.ch" The received message needs to be validated on the client to avoid malicious content being executed. Slide 34

Custom scheme and content handlers Slide 35

Custom scheme and content handlers Stealing confidential data An attacker tricks the user to register a malicious website as the e-mail protocol handler. Sending e-mails through this web application gives the attacker access to the content of the e-mail. User Tracking Additional possibility to identify a user. Unique identifiers could be stored along with the protocol handler. Slide 36

Countermeasures User Training => Do not accept registration of protocol handlers! Slide 37

Web Sockets API Slide 38

Web Sockets API Slide 39

Web Sockets API Vuln. & Threats Cache Poisoning A misunderstanding proxy could lead to a cache poisoning vulnerability. Fixed by introducing masking of the web socket data frames. Scanning the internal network The browser of a victim can be used for port scanning of internal networks. Establishing a remote shell Web Sockets can be used to establish a remote shell to a victim s browser. Slide 40

Countermeasures The risks of the Web Sockets API needs to be accepted. The user could disable it in the browser. Slide 41

Geolocation API Slide 42

Geolocation API User Tracking User tracking based on the location of a user. If users are registered, their physical movement profile could be tracked. The anonymity of users could be broken. Slide 43

Countermeasures User Training => Do not accept to share location information! Slide 44

Web Workers Slide 45

Web Workers Web Workers provide the possibility for JavaScript to run in the background Prior to Web Workers using JavaScript for long processing jobs was not feasible because it is slower than native code and the browsers freezes till the processing is completed Web Workers alone are not a security issue. But they can be used indirectly for launching work intensive attacks without the user noticing it. Slide 46

Worst Case Scenarios Feature! Cracking Hashes in JS Cloud (DEMO). Powerful DDoS attacks. Web-based Botnet. Slide 47

Conclusion Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Some HTML5 features are the vulnerabilities themselves. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Not all issues can be mitigated through secure server-side implementation. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Cross-Site Scripting (XSS) becomes even worse. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

USE IE 6 ;) Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

DEMO Exploiting Cross-Origin Resource Sharing Shell of the Future Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

DEMO CORS Shell of the Future Simplified: Slide 54

DEMO Exploiting Web Workers Ravan Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

DEMO Web Workers Ravan http://www.andlabs.org/tools/ravan.html Slide 56

DEMO Web Workers Ravan http://www.andlabs.org/tools/ravan.html 14d6a3e0201f58bfe7c01e775973e80e Slide 57

Quiz and Q&A Slide 58

DEMO Web Workers Ravan http://www.andlabs.org/tools/ravan.html BREAK HTML5 Web Security Video (May 2011): http://www.youtube.com/watch?v=eju4e5mhen0 Test HTML5 security yourself: https://www.hacking-lab.com/sh/gb5vf4q Slide 59

References Master Thesis HTML 5 web security Michael Schmidt 31 March 2011 Article HTML5 web security (extract of master thesis) Michael Schmidt, Thomas Röthlisberger 6 December 2011 http://media.hacking-lab.com/hlnews/html5_web_security_v1.0.pdf Attack and Defense Labs Lavakumar Kuppan http://www.andlabs.org HTML 5 Demos and Examples Remy Sharp (https://twitter.com/rem) http://html5demos.com/ A vocabulary and associated APIs for HTML and XHTML W3C, HTML5 specification 6 August 2013 http://www.w3.org/tr/html5/ Slide 60

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback