570 likes | 743 Vues
Everybody loves html5, h4ck3rs too. ~# Whoami. Security Enthusiastic. Nahidul Kibria Co-Leader, OWASP Bangladesh, Senior Software Engineer, KAZ Software Ltd. . Which part you care. Everybody loves html5…Well h4ck3rs too… What!!!. What is HTML5. Next major version of HTML.
E N D
~#Whoami Security Enthusiastic Nahidul Kibria Co-Leader, OWASP Bangladesh,Senior Software Engineer, KAZ Software Ltd.
Which part you care • Everybody loves html5…Well • h4ck3rs too… What!!!
What is HTML5 • Next major version of HTML. • The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1 • Adds new tags, event handlers to HTML. Many more…. • HTML5 is not finished
HTML5 is already here. • HTML5 TEST - http://html5test.com/ Many features supported by latest versions of FireFox, Chrome, Safari and Opera.
COR Web sockets Iframe Sandboxing Web Messaging Html5 OVERVIEW
WEB BROWSER SECURITY MODELS • The same origin policy • The cookies security mode • The Flash security model/SandBox
Same Origin Policy The same origin policy prevents document or script loaded from one origin, from getting or setting properties from a of a document from a different origin. An origin is defined as the combination of • host name, • protocol, • and port number;
The Browser “Same Origin” Policy bank.com XHR TAG TAG XHR JS blog.net document, cookies
Some major HTML5 feature • CORS-Cross-Origin Resource Sharing • WebSockets • WebWorkers • Javascript APIs
Disclaimer Today I want to show you how far and attacker go with simple JavaScript and html5 So you can convince your boss to give effort on security measure My intention is not make you panic
Cross Origin Request (COR) • Originally Ajax calls were subject to Same Origin Policy • Site A cannot make XMLHttpRequests to Site B • HTML5 makes it possible to make these cross domain • Calls site A can now make XMLHttpRequests to Site B as long as Site B allows it. • Response from Site B should include a header: • Access ‐Control ‐Allow‐Origin: Site A
Cross-Origin Resource Sharing <allow-access-from domain="*">
Why programmer happy? CORS-Cross-Origin Resource Sharing Lets see from attacker view
Impact of xss • History Stealing • Intranet Hacking • XSS Defacements • DNS pinning • IMAP3 • MHTML • Hacking JSON • Cookie stealing • Clipboard stealing
Cookie stealing Pr3venting
If you still cannot manage your bossMore Evil use I do not care Show me how my org is effected
If the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet <script> functionnatIP() { var w = window.location; var host = w.host; var port = w.port || 80; var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress(); return Socket; } </script>
Demo • Not only NAT’ed IP ,You can lots more system info
Port Scanning O’ Really
Port Scanning window.onerror = err; <script src=http://ip/></script> if (! msg.match(/Error loading script/)) //ip does not exit’s Else Find internal ip
Blind Web Server Fingerprinting Apache Web Server /icons/apache_pb.gif HP Printer /hp/device/hp_invent_logo.gif • <imgsrc="http://intranet_ip/unique_image_url"onerror="fingerprint()"/>
HTML5 Made it easy www.andlabs.org/tools/jsrecon.html Demo
Port Scanning: Beating protections • Blocking example for known ports • (Firefox, WebSockets and CORS) • ➔ http://example.com:22 • Workaround! • ➔ ftp://example.com:22 • It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari • Based on timeouts, it can be configured WTFun
Self‐triggering XSS exploits with HTML5 • A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS • <inputtype="text"value="‐>Injecting here"onmouseover="alert('Injectedval')"> • • HTML5 turns this in to self ‐triggering XSS • <inputtype="text” value="‐‐>Injecting here"onfocus="alert('Injected value')"autofocus>
Black‐list XSS filters • Html5 introduce many new tag
How your browser become a proxy of an attacker? http://erlend.oftedal.no/blog/?blogid=107
CSRF(Cross-Site Request Forgery) • The Sleeping Giant
bank.com Credentials Included https://bank.com/fn?param=1 JSESSIONID=AC934234… blog.net
bank.com Cross-Site Request Forgery Go to Transfer Assets https://bank.com/fn?param=1 Select FROM Fund https://bank.com/fn?param=1 Select TO Fund https://bank.com/fn?param=1 Select Dollar Amount https://bank.com/fn?param=1 Submit Transaction https://bank.com/fn?param=1 Confirm Transaction https://bank.com/fn?param=1 attacker’s post at blog.net
Demo <form method="POST" name="form0" action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php"> <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/> <input type="hidden" name="blog_entry" value="This is come from CSRF"/> <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/> </form> • XSS & CSRF- Killer Combo • Programmers Prepare, Users Beware
How Does CSRF Work? • Tags <imgsrc=“https://bank.com/fn?param=1”> <iframesrc=“https://bank.com/fn?param=1”> <script src=“https://bank.com/fn?param=1”> • Autoposting Forms <body onload="document.forms[0].submit()"> <form method="POST" action=“https://bank.com/fn”> <input type="hidden" name="sp" value="8109"/> </form> • XmlHttpRequest • Subject to same origin policy
What Can Attackers Do with CSRF? • Anything an authenticated user can do • Click links • Fill out and submit forms • Follow all the steps of a wizard interface
Using CSRF to Attack Internal Pages attacker.com internal browser CSRF TAG Internal Site Allowed! internal.mybank.com
Web Workers • Web Workers provide the possibility for JavaScript to run in the background. • Web Workers alone are not a security issue. • But they can be used indirectly for launching work intensive attacks without the user noticing it. http://www.andlabs.org/tools/ravan.html
Web Storage Vuln. & Threats • Session Hijacking • If session identifier is stored in local storage, it can be stolen with JavaScript. • No HTTPOnly flag. • Disclosure of Confidential Data • If sensitive data is stored in the local storage, it can be stolen with JavaScript. • User Tracking • Additional possibility to identify a user. • Persistent attack vectors • Attacker can be store persistently on the user browser