1. Everybody loves html5, h4ck3rs too

2. Security Enthusiastic
~#Whoami
Nahidul Kibria Co-Leader, OWASP Bangladesh, Senior Software Engineer, KAZ Software Ltd.
Security Enthusiastic

3. Everybody loves html5…Well h4ck3rs too… What!!!
Which part you care
Everybody loves html5…Well h4ck3rs too… What!!!
Because we are here the security guy we care second part

5. What is HTML5 Next major version of HTML.
The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1
Adds new tags, event handlers to HTML. Many more….
HTML5 is not finished

6. supported by latest versions of FireFox, Chrome, Safari and Opera.
HTML5 is already  here.
HTML5 TEST -
Many  features  
supported by latest versions of FireFox, Chrome, Safari and   Opera.

7. Standard web model
B4 go to the HTML5

8. Html5 OVERVIEW
COR
Web sockets
Iframe Sandboxing
Web Messaging

9. WEB BROWSER SECURITY MODELS
The same origin policy
The cookies security mode
The Flash security model/SandBox

10. Same Origin Policy
The same origin policy prevents document or script loaded from one origin, from getting or setting properties from a of a document from a different origin.
An origin is defined as the combination of
host name,
protocol,
and port number;

11. The Browser “Same Origin” Policy
bank.com
XHR
TAG
See Also:
TAG
XHR JS
blog.net
document, cookies

12. What Happens if the Same Origin Policy Is Broken?

13. Some major HTML5 feature
CORS-Cross-Origin Resource Sharing
WebSockets
WebWorkers
Javascript APIs

14. My intention is not make you panic
Disclaimer
Today I want to show you
how far an attacker go
with simple JavaScript and html5
So you can convince your boss
to give effort on security measure
My intention is not make you panic
My intention is not make you panic

15. Cross Origin Request (COR)
Originally  Ajax   calls  were subject   to   Same Origin  Policy
Site  A  cannot   make XMLHttpRequests to  Site  B
HTML5   makes  it  possible  to   make these  cross  do main 
Calls site  A  can   now   make XMLHttpRequests to  Site  B  as  long  as  Site  B  allows  it.
Response   from  Site  B  should   include   a  header:
Access ‐Control ‐Allow‐Origin:  Site  A

16. Cross-Origin Resource Sharing
<allow-access-from domain="*">

17. CORS-Cross-Origin Resource Sharing
Why programmer happy?
Lets see from attacker view

18. XSS-Cross Site Scripting

19. Demo

20. xss attack vector

21. Impact of xss History Stealing Intranet Hacking XSS Defacements
DNS pinning
IMAP3
MHTML
Hacking JSON
Cookie stealing
Clipboard stealing

22. Cookie stealing
Pr3venting

23. XSS Defacements

24. If you still cannot manage your boss More Evil use
I do not care
Show me how my
org is effected

25. Attacking intranet

26. Obtaining NAT’ed IP Addresses
Java applet

27. If the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet
<script>
function natIP() {
var w = window.location;
var host = w.host;
var port = w.port || 80;
var Socket = (new
java.net.Socket(host, port)).getLocalAddress().getHostAddress();
return Socket; }
</script>
if the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet requirement and invoke a Java socket directly from JavaScript space. The net-net effect between these two techniques is more or less the same.

28. Not only NAT’ed IP ,You can lots more system info
Demo

29. Port Scanning
O’ Really

30. Port Scanning
window.onerror = err; <script src= if (! msg.match(/Error loading script/)) //ip does not exit’s Else Find internal ip

31. Blind Web Server Fingerprinting
Apache Web Server /icons/apache_pb.gif
HP Printer /hp/device/hp_invent_logo.gif
<img src=" onerror="fingerprint()" />

32. HTML5 Made it easy
Demo

33. What just happed

34. Port Scanning: Beating protections
Blocking example for known ports (Firefox, WebSockets and CORS) ➔ Workaround! ➔ ftp://example.com:22 It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari Based on timeouts, it can be configured
WTFun

35. Port Scanning: result

36. Self‐triggering XSS exploits with HTML5
A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS <input type="text" value="‐>Injecting here" onmouseover="alert('Injected val')"> • HTML5 turns this in to self ‐triggering XSS <input type="text” value="‐‐>Injecting here" onfocus="alert('Injected value')" autofocus>

37. Black‐list XSS filters
Html5 introduce many new tag

38. How your browser become a proxy of an attacker?

39. CSRF(Cross-Site Request Forgery)
The Sleeping Giant

40. Victim logon to bank.com

41. Converting POST to GET

42. https://bank.com/fn?param=1
Credentials Included
JSESSIONID=AC934234…
blog.net

43. Cross-Site Request Forgery
bank.com
Go to Transfer Assets
Select FROM Fund
Select TO Fund
Select Dollar Amount
Submit Transaction
Confirm Transaction
attacker’s post at blog.net

44. XSS & CSRF- Killer Combo Programmers Prepare, Users Beware
Demo
XSS & CSRF- Killer Combo Programmers Prepare, Users Beware
If xss is there all csrf protection can be bypass
<form method="POST" name="form0" action="
<input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
<input type="hidden" name="blog_entry" value="This is come from CSRF"/>
<input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>

45. How Does CSRF Work? Tags <img src=“https://bank.com/fn?param=1”>
<iframe src=“
<script src=“
Autoposting Forms
<body onload="document.forms[0].submit()">
<form method="POST" action=“
<input type="hidden" name="sp" value="8109"/>
</form>
XmlHttpRequest
Subject to same origin policy

46. What Can Attackers Do with CSRF?
Anything an authenticated user can do
Click links
Fill out and submit forms
Follow all the steps of a wizard interface

47. Using CSRF to Attack Internal Pages
attacker.com
internal browser
CSRF
TAG
Internal Site
Allowed!
internal.mybank.com

48. Web Workers http://www.andlabs.org/tools/ravan.html
Web Workers provide the possibility for JavaScript to run in the background.
Web Workers alone are not a security issue.
But they can be used indirectly for launching work intensive attacks without the user noticing it.

49. Web Storage

50. Web Storage Vuln. & Threats
Session Hijacking
If session identifier is stored in local storage, it can be stolen with JavaScript.
No HTTPOnly flag.
Disclosure of Confidential Data
If sensitive data is stored in the local storage, it can be stolen with JavaScript.
User Tracking
Additional possibility to identify a user.
Persistent attack vectors
Attacker can be store persistently on the user browser

51. Offline Web Application
Cache Poisoning
Caching of the root directory possible.
HTTP and HTTPs caching possible.

52. Ok Enough, Just tell me can attacker Get a remote (Control)shell of my PC??

53. Infection method known as Drive by download

54. In summary = + = + + = Cracking Hashes in JS Cloud
Web Worker =
Cracking Hashes in JS Cloud
Cross-origin resource sharing
Web Worker + =
Powerful DDoS attacks
Cross-origin resource sharing
Web socket
Web Worker + + =
Web-based Botnet.

55. Is HTML5 hopelessly (in)secure?
Ahem no…but security has been a major consideration in the design of the specification But it is incredibly hard to add features in any technology without increasing the possibility of abused.

56. Reference Compass Security AG
security-v1.html
urity_Cheat_Sheet

57. Be secure & safe Twitter:@nahidupa
HTML5 make everybody happy including h4ck3rs and make security professional busy.