HTML5 Web Security. Thomas Röthlisberger IT Security Analyst


HTML5 Web Security
Thomas Röthlisberger, IT Security Analyst, thomas.roethlisberger@csnc.ch
Compass Security AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona, Tel +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch

What is this talk about?

Agenda
What is HTML5?
Vulnerabilities, Threats & Countermeasures
Conclusion
Demo CORS
Demo Web Workers
Quiz and Q&A
Slide 3

The Voting Device

The Voting Device
It enables you to take part in the votes.
The device has no batteries, so it works autonomously: you power it by shaking it until the green light flashes.
Slide 5

The Voting
Let's give it a try...
Slide 6

What is HTML5?

History
HTML 4.01, XHTML 1.0, XHTML 1.1, WHATWG, XHTML 2.0, Web Applications 1.0, HTML5
Slide 8

History
HTML5 is not finished! The specification achieved CANDIDATE RECOMMENDATION status on 17 December 2012. However, it is still a draft version and may be updated.
Slide 9

HTML5 TEST - http://html5test.com/ out of a total of 500 points Slide 10

Overview Slide 11

Vulnerabilities, Threats and Countermeasures (if any)

Cross-Origin Resource Sharing Slide 13

Cross-Origin Resource Sharing I Slide 14

Cross-Origin Resource Sharing II
Request:
    GET / HTTP/1.1
    Host: domainb.csnc.ch
    Origin: http://domaina.csnc.ch
Response:
    HTTP/1.1 200 OK
    Content-Type: text/html
    Access-Control-Allow-Origin: http://domaina.csnc.ch
Slide 15

CORS Vulnerabilities & Threats I
Accessing internal websites
Scanning the internal network
Slide 16

CORS Vulnerabilities & Threats II
Remotely attacking a web server
Easier exploitation of Cross-Site Request Forgery (XSRF)
Establishing a remote shell (DEMO)
Slide 17

Countermeasures
Use the Access-Control-Allow-Origin header to restrict the allowed domains. Never set the header to *.
Do not base access control on the Origin header.
To mitigate DDoS attacks, the Web Application Firewall (WAF) needs to block CORS requests if they arrive at a high frequency.
Slide 18
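An added example (not from the slides) of the first two countermeasures on the server side: the weak pattern that reflects any Origin (equivalent to *) next to an explicit allow-list, and a request handler in which the session cookie, not the Origin header, decides access. The origin value is the one from the slide's exchange; the session check is a constructed stand-in.

```javascript
// Added example: server-side CORS decisions for the slide's domaina/domainb case.
const ALLOWED_ORIGINS = new Set(["http://domaina.csnc.ch"]); // from the slide

// Weak pattern: echo whatever Origin arrives. This behaves like "*" but also
// works with credentials, so any site can read the authenticated response.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: only allow-listed origins get an ACAO header at all.
// Unknown origins get no CORS headers, so the browser refuses the read.
// "Vary: Origin" stops caches serving one origin's answer to another.
function corsHeadersAllowList(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowed.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed stand-in for a real session lookup.
function validateSession(cookie) {
  return cookie === "sid=valid-session-token" ? { user: "alice" } : null;
}

// The Origin header is not authentication: a non-browser client can send any
// value. Authorisation comes from the session; CORS only adds headers on top.
function authorise(request) {
  const session = validateSession(request.cookie);
  if (!session) return { status: 401, headers: {} };
  return { status: 200, headers: corsHeadersAllowList(request.origin) };
}
```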

Web Storage Slide 19

Web Storage Slide 20

Web Storage Vuln. & Threats
Session Hijacking: If the session identifier is stored in Local Storage, it can be stolen with JavaScript. There is no HttpOnly flag.
Disclosure of Confidential Data: If sensitive data is stored in Local Storage, it can be stolen with JavaScript.
User Tracking: Additional possibility to identify a user.
Persistent attack vectors: Attack vectors can be stored persistently in the victim's browser.
Slide 21

Countermeasures
Use cookies instead of Local Storage for session handling.
Do not store sensitive data in Local Storage.
Slide 22

Offline Web Application Slide 23

Offline Web Application
    <!DOCTYPE HTML>
    <html manifest="/cache.manifest">
    <body>...
Example cache.manifest:
    CACHE MANIFEST
    /style.css
    /helper.js
    /csnc-logo.jpg
    NETWORK:
    /visitor_counter.jsp
    FALLBACK:
    / /offline_error_message.html
Slide 24

OWA Vulnerabilities & Threats
Cache Poisoning: Caching of the root directory is possible. HTTP and HTTPS caching are possible.
Persistent attack vectors: Attack vectors can be stored persistently in the victim's browser.
User Tracking: Additional possibility to identify a user. Unique identifiers could be stored along with the cached files.
Slide 25

Offline Web Application Attack 1/2 Slide 26

Offline Web Application Attack 2/2 Slide 27

Countermeasures
User Training
=> Do not accept caching of web applications!
=> Clear the cache, including Local Storage and Offline Web Applications!
Slide 28

Web Messaging Slide 29

Web Messaging
Embedding HTML page internal.csnc.ch calls postMessage() on <IFrame src="external.csnc.ch" [ ]
Stealing confidential data: Sensitive data may be sent accidentally to a malicious IFrame.
Expands the attack surface to the client: IFrames can send malicious content to other IFrames. Input validation on the server is no longer sufficient.
Slide 30

Countermeasures
The target origin in postMessage() should be defined explicitly and not set to *.
The receiving IFrame should not accept messages from any domain, e.g. check e.origin == "http://internal.csnc.ch".
The received message needs to be validated on the client to avoid malicious content being executed.
Slide 31
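An added example (not from the slides) that applies all three countermeasures: a receiver that checks e.origin against an allow-list and validates the message shape before acting on it, and a sender that names its target origin explicitly instead of *. The origin is the one from the slide; the message type and field names are constructed.

```javascript
// Added example: postMessage receiver and sender with the slide's checks.
const TRUSTED_ORIGINS = new Set(["http://internal.csnc.ch"]); // from the slide

// Accept only a small, known message shape; never eval() or innerHTML the data.
// Returns a fresh object with just the validated fields, or null.
function validateMessage(data) {
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "select-account") return null;
  if (typeof data.accountId !== "string") return null;
  if (!/^[0-9]{1,12}$/.test(data.accountId)) return null;
  return { type: data.type, accountId: data.accountId };
}

// Builds the "message" event handler. `event` is a MessageEvent; in the
// tests below it is a constructed object with the same origin/data fields.
function makeMessageHandler(trusted, onMessage) {
  return function handle(event) {
    if (!trusted.has(event.origin)) {
      return { accepted: false, reason: "untrusted origin " + event.origin };
    }
    const msg = validateMessage(event.data);
    if (!msg) return { accepted: false, reason: "invalid message" };
    onMessage(msg);
    return { accepted: true, reason: "" };
  };
}

// Sender side: an explicit target origin instead of "*", so the browser
// drops the message if the frame has meanwhile navigated somewhere else.
function sendToFrame(frameWindow, message) {
  frameWindow.postMessage(message, "http://internal.csnc.ch");
}

// Browser wiring; skipped when the file runs outside a browser (e.g. Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", makeMessageHandler(TRUSTED_ORIGINS, (m) => {
    console.log("selected account", m.accountId);
  }));
}
```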

Custom scheme and content handlers Slide 32

Custom scheme and content handlers
Stealing confidential data: An attacker tricks the user into registering a malicious website as the e-mail protocol handler. Sending e-mails through this web application gives the attacker access to the content of the e-mails.
User Tracking: Additional possibility to identify a user. Unique identifiers could be stored along with the protocol handler.
Slide 33

Countermeasures
User Training
=> Do not accept registration of protocol handlers!
Slide 34

Web Sockets API Slide 35

Web Sockets API Slide 36

Web Sockets API Vuln. & Threats
Cache Poisoning: A proxy that misinterprets the WebSocket traffic could lead to a cache poisoning vulnerability. Fixed by introducing masking of the WebSocket data frames.
Scanning the internal network: The browser of a victim can be used for port scanning of internal networks.
Establishing a remote shell: Web Sockets can be used to establish a remote shell to a victim's browser.
Slide 37

Countermeasures
The risks of the Web Sockets API need to be accepted.
The user could disable it in the browser.
Slide 38

Geolocation API Slide 39

Geolocation API
User Tracking: User tracking based on the location of a user. If users are registered, their physical movement profile could be tracked. The anonymity of users could be broken.
Slide 40

Countermeasures
User Training
=> Do not agree to share location information!
Slide 41

Web Workers Slide 42

Web Workers
Web Workers provide the possibility for JavaScript to run in the background.
Prior to Web Workers, using JavaScript for long processing jobs was not feasible, because it is slower than native code and the browser freezes until the processing is completed.
Web Workers alone are not a security issue. But they can be used indirectly for launching work-intensive attacks without the user noticing it.
Slide 43

Worst Case Scenarios
Feature!
Cracking Hashes in JS Cloud (DEMO).
Powerful DDoS attacks.
Web-based Botnet.
Slide 44

Conclusion

Some HTML5 features are the vulnerabilities themselves.

Not all issues can be mitigated through secure server-side implementation.

Cross-Site Scripting (XSS) becomes even worse.

USE IE 6 ;)

DEMO Exploiting Cross-Origin Resource Sharing: Shell of the Future

DEMO CORS Shell of the Future Simplified: Slide 51

DEMO Exploiting Web Workers: Ravan

DEMO Web Workers Ravan http://www.andlabs.org/tools/ravan.html Slide 53

DEMO Web Workers Ravan http://www.andlabs.org/tools/ravan.html 14d6a3e0201f58bfe7c01e775973e80e Slide 54

Quiz and Q&A Slide 55

DEMO Web Workers Ravan http://www.andlabs.org/tools/ravan.html BREAK Presentation Video Online: http://www.youtube.com/watch?v=eju4e5mhen0 Try HTML5 cases at home: https://www.hacking-lab.com/sh/gb5vf4q Slide 56

References
Master Thesis: HTML 5 web security. Michael Schmidt, 31 March 2011.
Article: HTML5 web security (extract of master thesis). Michael Schmidt, Thomas Röthlisberger, 6 December 2011. http://media.hacking-lab.com/hlnews/html5_web_security_v1.0.pdf
Attack and Defense Labs. Lavakumar Kuppan. http://www.andlabs.org
A vocabulary and associated APIs for HTML and XHTML. W3C, HTML5 specification, 17 December 2012. http://www.w3.org/tr/html5/
Slide 57