Download presentation
Presentation is loading. Please wait.
1
Everybody loves html5, h4ck3rs too
2
Security Enthusiastic
~#Whoami Nahidul Kibria Co-Leader, OWASP Bangladesh, Senior Software Engineer, KAZ Software Ltd. Security Enthusiastic
3
Everybody loves html5…Well h4ck3rs too… What!!!
Which part you care Everybody loves html5…Well h4ck3rs too… What!!! Because we are here the security guy we care second part
5
What is HTML5 Next major version of HTML.
The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1 Adds new tags, event handlers to HTML. Many more…. HTML5 is not finished
6
supported by latest versions of FireFox, Chrome, Safari and Opera.
HTML5 is already here. HTML5 TEST - Many features supported by latest versions of FireFox, Chrome, Safari and Opera.
7
Standard web model B4 go to the HTML5
8
Html5 OVERVIEW COR Web sockets Iframe Sandboxing Web Messaging
9
WEB BROWSER SECURITY MODELS
The same origin policy The cookies security mode The Flash security model/SandBox
10
Same Origin Policy The same origin policy prevents document or script loaded from one origin, from getting or setting properties from a of a document from a different origin. An origin is defined as the combination of host name, protocol, and port number;
11
The Browser “Same Origin” Policy
bank.com XHR TAG See Also: TAG XHR JS blog.net document, cookies
12
What Happens if the Same Origin Policy Is Broken?
13
Some major HTML5 feature
CORS-Cross-Origin Resource Sharing WebSockets WebWorkers Javascript APIs
14
My intention is not make you panic
Disclaimer Today I want to show you how far an attacker go with simple JavaScript and html5 So you can convince your boss to give effort on security measure My intention is not make you panic My intention is not make you panic
15
Cross Origin Request (COR)
Originally Ajax calls were subject to Same Origin Policy Site A cannot make XMLHttpRequests to Site B HTML5 makes it possible to make these cross do main Calls site A can now make XMLHttpRequests to Site B as long as Site B allows it. Response from Site B should include a header: Access ‐Control ‐Allow‐Origin: Site A
16
Cross-Origin Resource Sharing
<allow-access-from domain="*">
17
CORS-Cross-Origin Resource Sharing
Why programmer happy? Lets see from attacker view
18
XSS-Cross Site Scripting
19
Demo
20
xss attack vector
21
Impact of xss History Stealing Intranet Hacking XSS Defacements
DNS pinning IMAP3 MHTML Hacking JSON Cookie stealing Clipboard stealing
22
Cookie stealing Pr3venting
23
XSS Defacements
24
If you still cannot manage your boss More Evil use
I do not care Show me how my org is effected
25
Attacking intranet
26
Obtaining NAT’ed IP Addresses
Java applet
27
If the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet
<script> function natIP() { var w = window.location; var host = w.host; var port = w.port || 80; var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress(); return Socket; } </script> if the victim’s Web browser is a Mozilla/Firefox, it’s possible to skip the applet requirement and invoke a Java socket directly from JavaScript space. The net-net effect between these two techniques is more or less the same.
28
Not only NAT’ed IP ,You can lots more system info
Demo
29
Port Scanning O’ Really
30
Port Scanning window.onerror = err; <script src= if (! msg.match(/Error loading script/)) //ip does not exit’s Else Find internal ip
31
Blind Web Server Fingerprinting
Apache Web Server /icons/apache_pb.gif HP Printer /hp/device/hp_invent_logo.gif <img src=" onerror="fingerprint()" />
32
HTML5 Made it easy Demo
33
What just happed
34
Port Scanning: Beating protections
Blocking example for known ports (Firefox, WebSockets and CORS) ➔ Workaround! ➔ ftp://example.com:22 It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari Based on timeouts, it can be configured WTFun
35
Port Scanning: result
36
Self‐triggering XSS exploits with HTML5
A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS <input type="text" value="‐>Injecting here" onmouseover="alert('Injected val')"> • HTML5 turns this in to self ‐triggering XSS <input type="text” value="‐‐>Injecting here" onfocus="alert('Injected value')" autofocus>
37
Black‐list XSS filters
Html5 introduce many new tag
38
How your browser become a proxy of an attacker?
39
CSRF(Cross-Site Request Forgery)
The Sleeping Giant
40
Victim logon to bank.com
41
Converting POST to GET
42
https://bank.com/fn?param=1
Credentials Included JSESSIONID=AC934234… blog.net
43
Cross-Site Request Forgery
bank.com Go to Transfer Assets Select FROM Fund Select TO Fund Select Dollar Amount Submit Transaction Confirm Transaction attacker’s post at blog.net
44
XSS & CSRF- Killer Combo Programmers Prepare, Users Beware
Demo XSS & CSRF- Killer Combo Programmers Prepare, Users Beware If xss is there all csrf protection can be bypass <form method="POST" name="form0" action=" <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/> <input type="hidden" name="blog_entry" value="This is come from CSRF"/> <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/> </form>
45
How Does CSRF Work? Tags <img src=“https://bank.com/fn?param=1”>
<iframe src=“ <script src=“ Autoposting Forms <body onload="document.forms[0].submit()"> <form method="POST" action=“ <input type="hidden" name="sp" value="8109"/> </form> XmlHttpRequest Subject to same origin policy
46
What Can Attackers Do with CSRF?
Anything an authenticated user can do Click links Fill out and submit forms Follow all the steps of a wizard interface
47
Using CSRF to Attack Internal Pages
attacker.com internal browser CSRF TAG Internal Site Allowed! internal.mybank.com
48
Web Workers http://www.andlabs.org/tools/ravan.html
Web Workers provide the possibility for JavaScript to run in the background. Web Workers alone are not a security issue. But they can be used indirectly for launching work intensive attacks without the user noticing it.
49
Web Storage
50
Web Storage Vuln. & Threats
Session Hijacking If session identifier is stored in local storage, it can be stolen with JavaScript. No HTTPOnly flag. Disclosure of Confidential Data If sensitive data is stored in the local storage, it can be stolen with JavaScript. User Tracking Additional possibility to identify a user. Persistent attack vectors Attacker can be store persistently on the user browser
51
Offline Web Application
Cache Poisoning Caching of the root directory possible. HTTP and HTTPs caching possible.
52
Ok Enough, Just tell me can attacker Get a remote (Control)shell of my PC??
53
Infection method known as Drive by download
54
In summary = + = + + = Cracking Hashes in JS Cloud
Web Worker = Cracking Hashes in JS Cloud Cross-origin resource sharing Web Worker + = Powerful DDoS attacks Cross-origin resource sharing Web socket Web Worker + + = Web-based Botnet.
55
Is HTML5 hopelessly (in)secure?
Ahem no…but security has been a major consideration in the design of the specification But it is incredibly hard to add features in any technology without increasing the possibility of abused.
56
Reference Compass Security AG
security-v1.html urity_Cheat_Sheet
57
Be secure & safe Twitter:@nahidupa
HTML5 make everybody happy including h4ck3rs and make security professional busy.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.