SlideShare ist ein Scribd-Unternehmen logo

Html5 Application Security

C
chuckbt

HTML5 introduces significant changes for today\'s websites: new and updated tags, new functionality, better error handling and improved Document Object Model (DOM). However, the HTML5 new features come with new (application) security vulnerabilities. This presentation reviews the new attack vectors, associated risks and what a needs to be taken into consideration when implementing HTML5.

1 von 21
Downloaden Sie, um offline zu lesen
Application Security for HTML5 Chuck Ben-Tzur October 23, 2012
Overview • Goal Review (some of) HTML5 new features and the related application security attacks scenarios, risks and recommendations. • Agenda – The History of HTML5 (The short version) – HTML5 Updates (The incomplete version) – Local Storage – Web Messaging – Web Sockets – Full Screen API (Phishing) – Implementation Considerations Originally delivered at Sector (Oct 2, 2012). Current version includes specific security controls demo and the Full Screen API. 2
History of HTML5 • HTML4 was published as a W3C Recommendation in… December 1997 • 2002 - W3C recommended XHTML 1.0 as the “next step in the evolution of the Internet” – no plans for future HTML versions. • 2004 - the Web Hypertext Application Technology Working Group (WHATWG) started working on the next version of HTML (not XHTML based). The WHATWG was founded by individuals from Apple, the Mozilla Foundation and Opera Software. • 2009 - W3C allowed the XHTML 2.0 working group to expire and started working with WHATWG on the development of HTML5 (WHATWG HTML). • Current target date for Recommendation status is 2014 for HTML 5.0 and 2016 for HTML 5.1 (better than 2022…) 3
HTML5 Updates • Markup – New tags such as <video>, <audio>, <canvas> – Deprecation of tags such as <frame>, <frameset>, <font> • Backward compatibility with older versions of HTML. • Scripting APIs - Offline Web Applications, Drag and Drop, Local Storage, 2D Drawing (Canvas), Web Sockets, Web Workers and more. • Detailed rules for lexing and parsing (browsers will produce the same result in the case of incorrect syntax). • Related Technologies (not part of the HTML5 specifications): Geo Locations, Microdata, File API, MathML 4
HTML5 Updates 5
Local Storage • Started as part of HTML5 (not anymore) • Like cookies but with better functionality: – Greater Storage Capacity (Cookies – 4K, Firefox and Chrome – 5MB, IE – 10MB) – Client Only access (Scripts) – not sent to the server (but may be leveraged as client side input!) – Better API as it is using structured data (Associative array – Key, Value pairs) • Storage types – Local (per domain, persists after browser is closed) – Session (limited to the window’s lifetime) • Managed and accessed using client side scripts only 6
Demo Applications • ACME Social Media Manager (www.acmesmm.com) – LocalStorage management (.htm) – Edit and Confirm post pages (.aspx) – Hiding keys with “_” prefix. • AtomInfoSec Website (www.evilsite.com:81) – Contains static script pages (.htm) – Pages background is light-blue • C# (.NET 4.0) • HTML5, JavaScript • Internet Explorer 9 (Local Storage and Web Messaging) • Google Chrome 22 (Web Socket) • Safari 5.1.7 (Full Screen) 7
Local Storage - Demo 8
Local Storage - Security • Follows “Same Origin” principle • Session Storage is not persistent • Large storage area creates a bigger attack surface • Not protected (e.g. encryption, object types) • No expiration date on the LocalStorage or the stored information • No HTTPOnly, secure or path attributes (similar to cookies functionality). • Accessible via console and file (cleartext XML) • Relies on client based security controls • Do not use for sensitive information 9
Web Messaging • Also known as “Cross Domain Messaging”. • Allows messaging between documents from different origins (to allow communication between two non-hostile pages). • messages can be posted to the following: – Other frames or iframes within the document – Windows explicitly opened through Javascript calls – The parent window • Initiated and managed using client side scripts only. 10
Web Messaging - Demo 11
Web Messaging - Security • Relies on client based security controls • Verify Origin: – Explicitly state the expected origin as the second argument to postMessage() method. – Check the origin attribute of the sender • Both pages should only interpret the exchanged messages as data. • Never evaluate received messages as code or insert it to a page DOM. • Check the origin properly exactly to match the FQDN. • Use the sandbox attribute for iFrame objects. 12
Web Socket • Providing for bi-directional, full-duplex communications channels between client and server. • Drastically reduces the amount of unnecessary traffic between server and browser. • Easy to initiate and manage using scripts. • Defines two new URI schemes (ws: and wss:) for unencrypted and encrypted connections . 13
Web Socket - Demo 14
Web Socket - Security • Not supported in all browsers (e.g. Internet Explorer 10, IIS8) • Using standard web ports (80, 443) impacting security controls such as Data Loss Prevention (DLP), Intrusion Prevention System (IPS) and Logging and Monitoring. • In a WebSocket port, the packets lack the traditional headers. Requires Deep Packet Inspection solutions as security controls. • Avoid backward compatibility - use only hybi-00 and RFC 6455 protocols. • Server must check the origin of the WebSocket client . • Leverage server side component to perform Input Validation. 15
FullScreen API • Posted on October 8th, 2012 by Feross Aboukhadijeh. • Mouse hovering over the link to see where it goes - a completely normal link. • On click, browser automatically enters FullScreen mode and load a fake version of website (including browser and OS images). • FullScreen API Implementation differs between browsers (different scripts and alerts). 16
FullScreen API - Demo 17
Implementation/Security Considerations • HTML5 Reduces the usage of Objects, ActiveX and other “out of browser” technologies. • HTML5 standard and browser support are still evolving. • HTML5 provides far more client side based activity and functionality, more access to the computer's resources (Upgrades the script kiddie “toolkit”) • Impact on risk and compliance efforts not clear (such as OWASP Top 10 and Risk Assessments) • Security tools are not up to date • Check online Resources for latest updates and security risks • Early adapters are usually the early victims 18
Resources - Specifications • HTML5 (Working Draft) http://www.w3.org/TR/2011/WD-html5-20110525/ • Web Hypertext Application Technology Working Group (WHATWG) http://www.whatwg.org/ • Local Storage (Candidate Recommendation) http://www.w3.org/TR/webstorage/ • HTML5 Web Messaging (Working Draft) http://www.w3.org/TR/2010/WD-webmessaging-20101118/ • Web Socket http://www.websocket.org/aboutwebsocket.html • HTML5 differences from HTML4 http://dev.w3.org/html5/html4-differences/ 19
Resources – HTML5 Security • HTML5 Security Resources Repository http://html5security.org/ • HTML5 Security Cheat Sheet https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet • Using the HTML5 FullScreen API for Phishing Attacks http://feross.org/html5-fullscreen-api-attack/ • This Presentation (Presented at Sector – October 2, 2012) http://www.atominformationsecurity.com//Resources/HTML5AppSec.pdf • Demo Code Used http://www.atominformationsecurity.com/Resources/HTML5AppSec.zip 20
Thank You cbentzur@atominfosec.com

Empfohlen

Html5 hacking
Html5 hackingHtml5 hacking
Html5 hackingIftach Ian Amit
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hackingBlueinfy Solutions
 
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Denis Kolegov
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobileBlueinfy Solutions
 
CNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationCNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationSam Bowne
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 

Empfohlen

Html5 hacking
Html5 hackingHtml5 hacking
Html5 hackingIftach Ian Amit
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hackingBlueinfy Solutions
 
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Denis Kolegov
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobileBlueinfy Solutions
 
CNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationCNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationSam Bowne
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
A Novel methodology for handling Document Level Security in Search Based Appl...
A Novel methodology for handling Document Level Security in Search Based Appl...A Novel methodology for handling Document Level Security in Search Based Appl...
A Novel methodology for handling Document Level Security in Search Based Appl...lucenerevolution
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Android attacks
Android attacksAndroid attacks
Android attacksBlueinfy Solutions
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresRoel Palmaers
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Privacy &amp; Social Media
Privacy &amp; Social MediaPrivacy &amp; Social Media
Privacy &amp; Social Mediachuckbt
 
cross document messaging, html 5
cross document messaging, html 5cross document messaging, html 5
cross document messaging, html 5Kristoffer Snabb
 

Weitere ähnliche Inhalte

Was ist angesagt?

Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
A Novel methodology for handling Document Level Security in Search Based Appl...
A Novel methodology for handling Document Level Security in Search Based Appl...A Novel methodology for handling Document Level Security in Search Based Appl...
A Novel methodology for handling Document Level Security in Search Based Appl...lucenerevolution
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresRoel Palmaers
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 

Was ist angesagt? (20)

Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
A Novel methodology for handling Document Level Security in Search Based Appl...
A Novel methodology for handling Document Level Security in Search Based Appl...A Novel methodology for handling Document Level Security in Search Based Appl...
A Novel methodology for handling Document Level Security in Search Based Appl...
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 

Andere mochten auch

Privacy &amp; Social Media
Privacy &amp; Social MediaPrivacy &amp; Social Media
Privacy &amp; Social Mediachuckbt
 
cross document messaging, html 5
cross document messaging, html 5cross document messaging, html 5
cross document messaging, html 5Kristoffer Snabb
 
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETVirtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETKrishna T
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorizationFrank Victory
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshellLennart Schoors
 

Andere mochten auch (9)

Privacy &amp; Social Media
Privacy &amp; Social MediaPrivacy &amp; Social Media
Privacy &amp; Social Media
 
cross document messaging, html 5
cross document messaging, html 5cross document messaging, html 5
cross document messaging, html 5
 
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETVirtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshell
 
Introduction to Html5
Introduction to Html5Introduction to Html5
Introduction to Html5
 
html5.ppt
html5.ppthtml5.ppt
html5.ppt
 

Ähnlich wie Html5 Application Security

Top 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud DevelopersTop 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud DevelopersBrian Huff
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
Cloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumCloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumSteven Miller
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NETYaniv Uriel
 
The Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesThe Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesWesley Hales
 
The Web, After HTML5
The Web, After HTML5The Web, After HTML5
The Web, After HTML5Jonathan Jeon
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8David Chou
 
HTML5 Webinar - Mind Storm Software
HTML5 Webinar - Mind Storm SoftwareHTML5 Webinar - Mind Storm Software
HTML5 Webinar - Mind Storm SoftwareRomin Irani
 
WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical OverviewVincent Perrin
 
HTML5 Programming
HTML5 ProgrammingHTML5 Programming
HTML5 Programminghotrannam
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 

Ähnlich wie Html5 Application Security (20)

Top 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud DevelopersTop 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud Developers
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
 
Transforming the web into a real application platform
Transforming the web into a real application platformTransforming the web into a real application platform
Transforming the web into a real application platform
 
Prueba ppt
Prueba pptPrueba ppt
Prueba ppt
 
Html5v1
Html5v1Html5v1
Html5v1
 
Cloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumCloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming Curriculum
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
 
The Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesThe Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devices
 
The Web, After HTML5
The Web, After HTML5The Web, After HTML5
The Web, After HTML5
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8
 
HTML5 Webinar - Mind Storm Software
HTML5 Webinar - Mind Storm SoftwareHTML5 Webinar - Mind Storm Software
HTML5 Webinar - Mind Storm Software
 
Html5
Html5Html5
Html5
 
WebSphere Portal Technical Overview
WebSphere Portal Technical OverviewWebSphere Portal Technical Overview
WebSphere Portal Technical Overview
 
9 10 july2020
9 10 july20209 10 july2020
9 10 july2020
 
HTML5 Programming
HTML5 ProgrammingHTML5 Programming
HTML5 Programming
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 

Html5 Application Security

  • 1. Application Security for HTML5 Chuck Ben-Tzur October 23, 2012
  • 2. Overview • Goal Review (some of) HTML5 new features and the related application security attacks scenarios, risks and recommendations. • Agenda – The History of HTML5 (The short version) – HTML5 Updates (The incomplete version) – Local Storage – Web Messaging – Web Sockets – Full Screen API (Phishing) – Implementation Considerations Originally delivered at Sector (Oct 2, 2012). Current version includes specific security controls demo and the Full Screen API. 2
  • 3. History of HTML5 • HTML4 was published as a W3C Recommendation in… December 1997 • 2002 - W3C recommended XHTML 1.0 as the “next step in the evolution of the Internet” – no plans for future HTML versions. • 2004 - the Web Hypertext Application Technology Working Group (WHATWG) started working on the next version of HTML (not XHTML based). The WHATWG was founded by individuals from Apple, the Mozilla Foundation and Opera Software. • 2009 - W3C allowed the XHTML 2.0 working group to expire and started working with WHATWG on the development of HTML5 (WHATWG HTML). • Current target date for Recommendation status is 2014 for HTML 5.0 and 2016 for HTML 5.1 (better than 2022…) 3
  • 4. HTML5 Updates • Markup – New tags such as <video>, <audio>, <canvas> – Deprecation of tags such as <frame>, <frameset>, <font> • Backward compatibility with older versions of HTML. • Scripting APIs - Offline Web Applications, Drag and Drop, Local Storage, 2D Drawing (Canvas), Web Sockets, Web Workers and more. • Detailed rules for lexing and parsing (browsers will produce the same result in the case of incorrect syntax). • Related Technologies (not part of the HTML5 specifications): Geo Locations, Microdata, File API, MathML 4
  • 6. Local Storage • Started as part of HTML5 (not anymore) • Like cookies but with better functionality: – Greater Storage Capacity (Cookies – 4K, Firefox and Chrome – 5MB, IE – 10MB) – Client Only access (Scripts) – not sent to the server (but may be leveraged as client side input!) – Better API as it is using structured data (Associative array – Key, Value pairs) • Storage types – Local (per domain, persists after browser is closed) – Session (limited to the window’s lifetime) • Managed and accessed using client side scripts only 6
  • 7. Demo Applications • ACME Social Media Manager (www.acmesmm.com) – LocalStorage management (.htm) – Edit and Confirm post pages (.aspx) – Hiding keys with “_” prefix. • AtomInfoSec Website (www.evilsite.com:81) – Contains static script pages (.htm) – Pages background is light-blue • C# (.NET 4.0) • HTML5, JavaScript • Internet Explorer 9 (Local Storage and Web Messaging) • Google Chrome 22 (Web Socket) • Safari 5.1.7 (Full Screen) 7
  • 9. Local Storage - Security • Follows “Same Origin” principle • Session Storage is not persistent • Large storage area creates a bigger attack surface • Not protected (e.g. encryption, object types) • No expiration date on the LocalStorage or the stored information • No HTTPOnly, secure or path attributes (similar to cookies functionality). • Accessible via console and file (cleartext XML) • Relies on client based security controls • Do not use for sensitive information 9
  • 10. Web Messaging • Also known as “Cross Domain Messaging”. • Allows messaging between documents from different origins (to allow communication between two non-hostile pages). • messages can be posted to the following: – Other frames or iframes within the document – Windows explicitly opened through Javascript calls – The parent window • Initiated and managed using client side scripts only. 10
  • 11. Web Messaging - Demo 11
  • 12. Web Messaging - Security • Relies on client based security controls • Verify Origin: – Explicitly state the expected origin as the second argument to postMessage() method. – Check the origin attribute of the sender • Both pages should only interpret the exchanged messages as data. • Never evaluate received messages as code or insert it to a page DOM. • Check the origin properly exactly to match the FQDN. • Use the sandbox attribute for iFrame objects. 12
  • 13. Web Socket • Providing for bi-directional, full-duplex communications channels between client and server. • Drastically reduces the amount of unnecessary traffic between server and browser. • Easy to initiate and manage using scripts. • Defines two new URI schemes (ws: and wss:) for unencrypted and encrypted connections . 13
  • 14. Web Socket - Demo 14
  • 15. Web Socket - Security • Not supported in all browsers (e.g. Internet Explorer 10, IIS8) • Using standard web ports (80, 443) impacting security controls such as Data Loss Prevention (DLP), Intrusion Prevention System (IPS) and Logging and Monitoring. • In a WebSocket port, the packets lack the traditional headers. Requires Deep Packet Inspection solutions as security controls. • Avoid backward compatibility - use only hybi-00 and RFC 6455 protocols. • Server must check the origin of the WebSocket client . • Leverage server side component to perform Input Validation. 15
  • 16. FullScreen API • Posted on October 8th, 2012 by Feross Aboukhadijeh. • Mouse hovering over the link to see where it goes - a completely normal link. • On click, browser automatically enters FullScreen mode and load a fake version of website (including browser and OS images). • FullScreen API Implementation differs between browsers (different scripts and alerts). 16
  • 17. FullScreen API - Demo 17
  • 18. Implementation/Security Considerations • HTML5 Reduces the usage of Objects, ActiveX and other “out of browser” technologies. • HTML5 standard and browser support are still evolving. • HTML5 provides far more client side based activity and functionality, more access to the computer's resources (Upgrades the script kiddie “toolkit”) • Impact on risk and compliance efforts not clear (such as OWASP Top 10 and Risk Assessments) • Security tools are not up to date • Check online Resources for latest updates and security risks • Early adapters are usually the early victims 18
  • 19. Resources - Specifications • HTML5 (Working Draft) http://www.w3.org/TR/2011/WD-html5-20110525/ • Web Hypertext Application Technology Working Group (WHATWG) http://www.whatwg.org/ • Local Storage (Candidate Recommendation) http://www.w3.org/TR/webstorage/ • HTML5 Web Messaging (Working Draft) http://www.w3.org/TR/2010/WD-webmessaging-20101118/ • Web Socket http://www.websocket.org/aboutwebsocket.html • HTML5 differences from HTML4 http://dev.w3.org/html5/html4-differences/ 19
  • 20. Resources – HTML5 Security • HTML5 Security Resources Repository http://html5security.org/ • HTML5 Security Cheat Sheet https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet • Using the HTML5 FullScreen API for Phishing Attacks http://feross.org/html5-fullscreen-api-attack/ • This Presentation (Presented at Sector – October 2, 2012) http://www.atominformationsecurity.com//Resources/HTML5AppSec.pdf • Demo Code Used http://www.atominformationsecurity.com/Resources/HTML5AppSec.zip 20