SlideShare ist ein Scribd-Unternehmen logo
1 von 34
HTML5: Risky Business or Hidden
Security Tool Chest
Johannes B. Ullrich, Ph.D.
jullrich@sans.edu
About Me

• Dean of Research,
SANS Technology Institute
• Living in Jacksonville FL
(aka Southern GA)
• SANS Internet Storm Center
https://isc.sans.edu
• Created DShield.org
• Instructor for SANS
• Past: Physicist, Web Developer
Hosted by OWASP & the NYC Chapter
What is HTML5

• Collection of JavaScript APIs supported by
some modern browsers in some ways and
sometimes they even work.
• Features to enable modern desktop like
applications and support mobile devices
• 5th Revision of the HTML Standard
What is this talk about?

• Ideas to improve security by using HTML5
responsibly
• What are some of the security challenges that
HTML5 addresses well (or doesn’t)
• What are some of the limitations we have to
consider
Authentication

• Exclusive vs. Inclusive Authentication
Methods:
– Inclusive:
Proof the identity
of the user
– Exclusive:
Disproof the identity
of the user
What the Factor?

Segway: Multi Factor Authentication
• Single Factor: Password
• Two Factor: Password AND (Token|Biometric)
• 1 ½ Factor: Password and Cookie
• ½ Factor: Password
OR (Token|Biometric)
HTML5 Components

•
•
•
•
•
•
•

Local Storage / Session Storage
Canvas
Geolocation
Media Capture
Notifications
Accelerometer
Encryption
Local and Session Storage

• New JavaScript API to store data on client
• Protected by “same origin”
• Local Storage:
– No defined expiration
– Accessible by all browser windows

• Session Storage:
– Expired when window is closed
– Scope limited to current window
Local Storage: Persistent
Cookie

• Alternative to Flash cookie for “1 ½ Factor”
login
• Part of an “Evercookie”
• Can be used for good (additional
authentication) or evil (more user tracking)
• Exposed to XSS attacks
• Similar to cookies in scope and security
Session Storage: Identifying
users

• Can be used to store session token
• Breaks CSRF (good!)
• User is logged out when they close the
browser window (not entire browser)
• Multiple users can use the same browser (is
this a good thing?)
• Easier log out, more secure session
tracking, can be used alongside cookies.
Risks

• Risks:
Storing too much data on the client!
Can’t enforce “secure” transmission over SSL
Can’t protect from JavaScript/XSS (no httponly)
Examples:
– storing confidential data on mobile devices
– Pushing data to the client the client is not
authorized to see.
Can I use it?

http://caniuse.com/#feat=namevalue-storage
Canvas

• Allows drawing in the browser
• Interactive image applications
• Can be used for graphical login schemes
– CAPTCHAs
– Pattern based login
Image Login

• Display image, user identifies features
• Done in Windows 8/RT for mobile login
(“Pattern Login”, “Picture Password”)

Image:
Microsoft
“Connect the Dots”

• Implemented in Android
• Good user acceptance for mobile login
• No good studies yet as to how users select
patterns

Image:
Extremetech.com
Demo

• Demo: “Connect the Dots” for the web
• http://authonthemove.com
• See Github for code repository
Can I use it?

http://caniuse.com/#feat=canvas
Geolocation

• JavaScript API provides access to devices built
in sensors like GPS
• Can be very accurate
• Can also be spoofed easily

Image: Mozilla.org
Geolocation for Authentication

• Only useful on mobile devices
• Can be used to exclude users, but not to
replace traditional authentication
• Observe sudden changes in location
• Combine with careful browser fingerprinting
techniques
Can I use it?
Media Capture

• aka getUserMedia/Stream API
• Limited support (Chrome, Firefox, Blackberry)
• Some potential for biometrics:
– Face recognition
– Hand signals / gestures
– Fingerprint?
Implementations

• Face recognition libraries:
– http://neave.github.io/face-detection/
Difficulties

• Hard to acquire sufficient detail
• So far, in particular on mobile devices, more of
a gimmick then a serious authentication
feature
• Possibility to use “finger print”, but current
cameras not sufficient to acquire image
Can I use it?

http://caniuse.com/#feat=stream
Accelerometer

•
•
•
•
•
•
•

Only useful for mobile devices
Move the phone in a pattern to authenticate
Detect step/walking pattern
Detect if user/phone is at rest or on the move
Can be spoofed (but not readily)
Not easy to reproduce
Adding sensors like compass may help.
Can I use it?

http://caniuse.com/#feat=deviceorientation
Notifications

• Popup Notifications sent by the server to
notify the user
• Initiated by server
– Local Notifications: Require browser to be
open, widely supported
– Push Notifications: Safari Only
Bad stuff happened!

• Notify the user of security relevant events:
– “Someone is trying to log in as you”

•
•
•
•

User needs to accept notifications
Notifications no 100% reliable
Not “out of band” (can be faked, intercepted)
Safari Notifications may be useful for one time
passwords (OTP)
Can I use it?

http://caniuse.com/#feat=notifications
Encryption

• Client side encryption
• Allows encryption of specific sensitive fields
(e.g. payment data, passwords)
• Intermediate services (proxies, web services)
don’t need to know the information
• Upcoming: CryptoAPI (June 2013)
http://www.w3.org/TR/WebCryptoAPI/
• Until then: https://www.pidder.de/pidcrypt/
Client side password hashing

• Server sends random “nonce” as part of login
form.
• Client calculates hash from password/nonce
• Passes hash to server
• Server verifies hash
• Advantage: Server never gets to know the
“real” password.
Signup

•
•
•
•
•

Use enters password
Client hashes password
Password hash transmitted to server
Salt: Username? Provided by server?
Changing password: Same procedure, salt may
change.
Summary

• Lots of cool and useful tools in HTML5
• Use them as appropriate
• “HTML5” itself isn’t the risk. Bad coding is the
risk
• Understand privacy issues
• Understand user behavior
• Share your code an experiences (OWASP!!)
Thanks!

! Thanks !
Questions?
jullrich@sans.edu
http://authonthemove.com
http://isc.sans.edu
Daily Updates * Daily Podcast * Live Data Feeds

Weitere ähnliche Inhalte

Was ist angesagt?

Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4skimil
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingAmmar WK
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareAmmar WK
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)PacSecJP
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 

Was ist angesagt? (20)

Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat	ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
 
Security testing
Security testingSecurity testing
Security testing
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineering
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
 

Andere mochten auch

Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2drewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈drewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架drewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsdrewz lin
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensenjaredcarst
 
Telecom security issues (Raoul Chiesa, day 1 )
Telecom security issues   (Raoul Chiesa, day 1 ) Telecom security issues   (Raoul Chiesa, day 1 )
Telecom security issues (Raoul Chiesa, day 1 ) ClubHack
 
Information Security
Information SecurityInformation Security
Information SecuritySamilMehdiyev
 
Pptv lb日志实时分析平台
Pptv lb日志实时分析平台Pptv lb日志实时分析平台
Pptv lb日志实时分析平台drewz lin
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
1 security goals
1   security goals1   security goals
1 security goalsdrewz lin
 
Cryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar CipherCryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar CipherGopal Sakarkar
 

Andere mochten auch (19)

Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
 
Telecom security issues (Raoul Chiesa, day 1 )
Telecom security issues   (Raoul Chiesa, day 1 ) Telecom security issues   (Raoul Chiesa, day 1 )
Telecom security issues (Raoul Chiesa, day 1 )
 
Information Security
Information SecurityInformation Security
Information Security
 
Pptv lb日志实时分析平台
Pptv lb日志实时分析平台Pptv lb日志实时分析平台
Pptv lb日志实时分析平台
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
1 security goals
1   security goals1   security goals
1 security goals
 
Cryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar CipherCryptography and Encryptions,Network Security,Caesar Cipher
Cryptography and Encryptions,Network Security,Caesar Cipher
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 

Ähnlich wie Owasp2013 johannesullrich

Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Rafał Hryniewski
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKelly Robertson
 
474 Password Not Found
474 Password Not Found474 Password Not Found
474 Password Not FoundCodemotion
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinarkdinerman
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Eoin Keary
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)Lab Mobile Filkom UB
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016jtmelton
 
Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1Julio Camarero
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Win j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateevWin j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateevMihail Mateev
 

Ähnlich wie Owasp2013 johannesullrich (20)

Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 
20181023 progressive web_apps_are_here_sfcampua
20181023 progressive web_apps_are_here_sfcampua20181023 progressive web_apps_are_here_sfcampua
20181023 progressive web_apps_are_here_sfcampua
 
Progressive Web Apps are here!
Progressive Web Apps are here!Progressive Web Apps are here!
Progressive Web Apps are here!
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
 
474 Password Not Found
474 Password Not Found474 Password Not Found
474 Password Not Found
 
We are Digital Puppets
We are Digital PuppetsWe are Digital Puppets
We are Digital Puppets
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
03 - Membangun Aplikasi Mobile Berkualitas (Herman Tolle)
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
 
Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1Implementing Acessibility in Liferay 6.1
Implementing Acessibility in Liferay 6.1
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Win j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateevWin j svsphonegap-damyan-petev-mihail-mateev
Win j svsphonegap-damyan-petev-mihail-mateev
 

Mehr von drewz lin

Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansendrewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentationdrewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usadrewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiudrewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)drewz lin
 
天猫后端技术架构优化实践
天猫后端技术架构优化实践天猫后端技术架构优化实践
天猫后端技术架构优化实践drewz lin
 
天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电drewz lin
 
互联网海量运维 20130807
互联网海量运维 20130807互联网海量运维 20130807
互联网海量运维 20130807drewz lin
 
阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践drewz lin
 
T4 淘宝私有云
T4 淘宝私有云T4 淘宝私有云
T4 淘宝私有云drewz lin
 
I os与android多平台开发心得
I os与android多平台开发心得I os与android多平台开发心得
I os与android多平台开发心得drewz lin
 
Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民drewz lin
 
人人网服务化与架构变迁V3
人人网服务化与架构变迁V3人人网服务化与架构变迁V3
人人网服务化与架构变迁V3drewz lin
 
有道云笔记架构简介
有道云笔记架构简介有道云笔记架构简介
有道云笔记架构简介drewz lin
 

Mehr von drewz lin (17)

Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
 
天猫后端技术架构优化实践
天猫后端技术架构优化实践天猫后端技术架构优化实践
天猫后端技术架构优化实践
 
天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电
 
互联网海量运维 20130807
互联网海量运维 20130807互联网海量运维 20130807
互联网海量运维 20130807
 
阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践阿里自研数据库 Ocean base实践
阿里自研数据库 Ocean base实践
 
T4 淘宝私有云
T4 淘宝私有云T4 淘宝私有云
T4 淘宝私有云
 
I os与android多平台开发心得
I os与android多平台开发心得I os与android多平台开发心得
I os与android多平台开发心得
 
Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民Hadoop在反作弊中的应用 林述民
Hadoop在反作弊中的应用 林述民
 
人人网服务化与架构变迁V3
人人网服务化与架构变迁V3人人网服务化与架构变迁V3
人人网服务化与架构变迁V3
 
有道云笔记架构简介
有道云笔记架构简介有道云笔记架构简介
有道云笔记架构简介
 

Kürzlich hochgeladen

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Owasp2013 johannesullrich

  • 1. HTML5: Risky Business or Hidden Security Tool Chest Johannes B. Ullrich, Ph.D. jullrich@sans.edu
  • 2. About Me • Dean of Research, SANS Technology Institute • Living in Jacksonville FL (aka Southern GA) • SANS Internet Storm Center https://isc.sans.edu • Created DShield.org • Instructor for SANS • Past: Physicist, Web Developer Hosted by OWASP & the NYC Chapter
  • 3. What is HTML5 • Collection of JavaScript APIs supported by some modern browsers in some ways and sometimes they even work. • Features to enable modern desktop like applications and support mobile devices • 5th Revision of the HTML Standard
  • 4. What is this talk about? • Ideas to improve security by using HTML5 responsibly • What are some of the security challenges that HTML5 addresses well (or doesn’t) • What are some of the limitations we have to consider
  • 5. Authentication • Exclusive vs. Inclusive Authentication Methods: – Inclusive: Proof the identity of the user – Exclusive: Disproof the identity of the user
  • 6. What the Factor? Segway: Multi Factor Authentication • Single Factor: Password • Two Factor: Password AND (Token|Biometric) • 1 ½ Factor: Password and Cookie • ½ Factor: Password OR (Token|Biometric)
  • 7. HTML5 Components • • • • • • • Local Storage / Session Storage Canvas Geolocation Media Capture Notifications Accelerometer Encryption
  • 8. Local and Session Storage • New JavaScript API to store data on client • Protected by “same origin” • Local Storage: – No defined expiration – Accessible by all browser windows • Session Storage: – Expired when window is closed – Scope limited to current window
  • 9. Local Storage: Persistent Cookie • Alternative to Flash cookie for “1 ½ Factor” login • Part of an “Evercookie” • Can be used for good (additional authentication) or evil (more user tracking) • Exposed to XSS attacks • Similar to cookies in scope and security
  • 10. Session Storage: Identifying users • Can be used to store session token • Breaks CSRF (good!) • User is logged out when they close the browser window (not entire browser) • Multiple users can use the same browser (is this a good thing?) • Easier log out, more secure session tracking, can be used alongside cookies.
  • 11. Risks • Risks: Storing too much data on the client! Can’t enforce “secure” transmission over SSL Can’t protect from JavaScript/XSS (no httponly) Examples: – storing confidential data on mobile devices – Pushing data to the client the client is not authorized to see.
  • 12. Can I use it? http://caniuse.com/#feat=namevalue-storage
  • 13. Canvas • Allows drawing in the browser • Interactive image applications • Can be used for graphical login schemes – CAPTCHAs – Pattern based login
  • 14. Image Login • Display image, user identifies features • Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”) Image: Microsoft
  • 15. “Connect the Dots” • Implemented in Android • Good user acceptance for mobile login • No good studies yet as to how users select patterns Image: Extremetech.com
  • 16. Demo • Demo: “Connect the Dots” for the web • http://authonthemove.com • See Github for code repository
  • 17. Can I use it? http://caniuse.com/#feat=canvas
  • 18. Geolocation • JavaScript API provides access to devices built in sensors like GPS • Can be very accurate • Can also be spoofed easily Image: Mozilla.org
  • 19. Geolocation for Authentication • Only useful on mobile devices • Can be used to exclude users, but not to replace traditional authentication • Observe sudden changes in location • Combine with careful browser fingerprinting techniques
  • 20. Can I use it?
  • 21. Media Capture • aka getUserMedia/Stream API • Limited support (Chrome, Firefox, Blackberry) • Some potential for biometrics: – Face recognition – Hand signals / gestures – Fingerprint?
  • 22. Implementations • Face recognition libraries: – http://neave.github.io/face-detection/
  • 23. Difficulties • Hard to acquire sufficient detail • So far, in particular on mobile devices, more of a gimmick then a serious authentication feature • Possibility to use “finger print”, but current cameras not sufficient to acquire image
  • 24. Can I use it? http://caniuse.com/#feat=stream
  • 25. Accelerometer • • • • • • • Only useful for mobile devices Move the phone in a pattern to authenticate Detect step/walking pattern Detect if user/phone is at rest or on the move Can be spoofed (but not readily) Not easy to reproduce Adding sensors like compass may help.
  • 26. Can I use it? http://caniuse.com/#feat=deviceorientation
  • 27. Notifications • Popup Notifications sent by the server to notify the user • Initiated by server – Local Notifications: Require browser to be open, widely supported – Push Notifications: Safari Only
  • 28. Bad stuff happened! • Notify the user of security relevant events: – “Someone is trying to log in as you” • • • • User needs to accept notifications Notifications no 100% reliable Not “out of band” (can be faked, intercepted) Safari Notifications may be useful for one time passwords (OTP)
  • 29. Can I use it? http://caniuse.com/#feat=notifications
  • 30. Encryption • Client side encryption • Allows encryption of specific sensitive fields (e.g. payment data, passwords) • Intermediate services (proxies, web services) don’t need to know the information • Upcoming: CryptoAPI (June 2013) http://www.w3.org/TR/WebCryptoAPI/ • Until then: https://www.pidder.de/pidcrypt/
  • 31. Client side password hashing • Server sends random “nonce” as part of login form. • Client calculates hash from password/nonce • Passes hash to server • Server verifies hash • Advantage: Server never gets to know the “real” password.
  • 32. Signup • • • • • Use enters password Client hashes password Password hash transmitted to server Salt: Username? Provided by server? Changing password: Same procedure, salt may change.
  • 33. Summary • Lots of cool and useful tools in HTML5 • Use them as appropriate • “HTML5” itself isn’t the risk. Bad coding is the risk • Understand privacy issues • Understand user behavior • Share your code an experiences (OWASP!!)