
Everybody loves html5, h4ck3rs too. ~#Whoami 2 Nahidul Kibria Co-Leader, OWASP Bangladesh, Senior Software Engineer, KAZ Software Ltd. Security Enthusiastic.


1 Everybody loves html5, h4ck3rs too

2 ~#Whoami Nahidul Kibria: Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd.; Security Enthusiast

3 Which part do you care about? Everybody loves html5… Well, h4ck3rs too… What!!!


5 What is HTML5? The next major version of HTML. The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1. It adds new tags and event handlers to HTML, and much more. HTML5 is not finished.

6 HTML5 is already here. HTML5 TEST - Many features are supported by the latest versions of Firefox, Chrome, Safari and Opera.

7 Standard web model

8 HTML5 OVERVIEW: Web Sockets, COR, Iframe Sandboxing, Web Messaging

9 WEB BROWSER SECURITY MODELS: the same origin policy; the cookie security model; the Flash security model/sandbox

10 Same Origin Policy: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. An origin is defined as the combination of host name, protocol, and port number.

11 The Browser Same Origin Policy (diagram: XHR; document, cookies; TAG; JS)

12 What Happens if the Same Origin Policy Is Broken?

13 Some major HTML5 features: CORS (Cross-Origin Resource Sharing), WebSockets, Web Workers, JavaScript APIs

14 Disclaimer: Today I want to show you how far an attacker can go with simple JavaScript and HTML5, so you can convince your boss to put effort into security measures. My intention is not to make you panic.

15 Cross Origin Request (COR): Originally Ajax calls were subject to the Same Origin Policy: Site A cannot make XMLHttpRequests to Site B. HTML5 makes it possible to make these cross-domain calls: Site A can now make XMLHttpRequests to Site B as long as Site B allows it. The response from Site B should include a header: `Access-Control-Allow-Origin: <Site A>`
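The two slides above (the origin definition on slide 10 and the COR header on slide 15) are easier to reason about with the comparison written out. The following is an added example, not code from the talk: it derives an origin the way the browser does (scheme, host, port with scheme defaults), compares two origins, and then shows the server side of CORS, the unsafe "reflect whatever Origin arrived" pattern beside an allow-list check. The allow-list entries and URLs are constructed for this example.

```javascript
// Added example, not from the slides: origin derivation, Same Origin Policy
// comparison, and server-side CORS header selection against an allow-list.

// Default port per scheme; an origin is (scheme, host, port), so
// "http://a.example" and "http://a.example:80" are the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function originOf(urlString) {
  const u = new URL(urlString);               // throws on malformed input, e.g. "null"
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Unsafe pattern: echoing whatever Origin the request carries. Any site, not
// just Site A, then gets to read the response, including with credentials.
function corsHeadersReflecting(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Safer pattern: only origins on the allow-list (constructed, hypothetical
// list passed by the caller) get the header, the value echoed is the request's
// own Origin string, and '*' is never combined with credentials. Requests
// without an Origin header are not CORS requests and get no CORS headers.
function corsHeadersFor(requestOrigin, allowList, withCredentials) {
  if (!requestOrigin) return {};
  let normalized;
  try { normalized = originOf(requestOrigin); } catch (e) { return {}; }
  const allowed = allowList.some(o => originOf(o) === normalized);
  if (!allowed) return {};                    // no header: the browser blocks the read
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',                         // shared caches must key on Origin
  };
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```

Note that `originOf` adds the default port explicitly only for comparison; the value sent back in `Access-Control-Allow-Origin` is the request's own `Origin` string, because the browser compares that header against its own serialized origin, which omits default ports.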

16 Cross-Origin Resource Sharing

17 The OWASP Foundation. CORS - Cross-Origin Resource Sharing. Why are programmers happy? Let's see it from the attacker's view.

18 XSS - Cross-Site Scripting

19 Demo

20 XSS attack vectors

21 Impact of XSS: history stealing, intranet hacking, XSS defacements, DNS pinning, IMAP3, MHTML, hacking JSON, cookie stealing, clipboard stealing

22 Cookie stealing / Pr3venting

23 XSS Defacements

24 If you still cannot manage your boss: more evil uses. "I do not care. Show me how my org is affected."

25 Attacking the intranet

26 Obtaining NATed IP Addresses: Java applet

27 If the victim's web browser is Mozilla/Firefox, it is possible to skip the applet:

```javascript
function natIP() {
  var w = window.location;
  var host = ;                 // value elided in the source slide
  var port = w.port || 80;
  var Socket = (new (host, port)).getLocalAddress().getHostAddress(); // class name elided in the source slide
  return Socket;
}
```

28 Demo: Not only the NATed IP, you can get lots more system info

29 Port Scanning. O Really

30 Port Scanning

```javascript
window.onerror = err;
if (!msg.match(/Error loading script/)) {
  // ip does not exist
} else {
  // found internal ip
}
```

31 Blind Web Server Fingerprinting: Apache Web Server: /icons/apache_pb.gif; HP Printer: /hp/device/hp_invent_logo.gif

32 HTML5 made it easy. Demo

33 What just happened?

34 Port Scanning: Beating protections. Blocking example for known ports (Firefox, WebSockets and CORS). Workaround! It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari. Based on timeouts, which can be configured. WTFun

35 Port Scanning: result

36 Self-triggering XSS exploits with HTML5. A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS: `Injecting here" onmouseover="alert('Injected val')">`. HTML5 turns this into self-triggering XSS: `Injecting here" onfocus="alert('Injected value')" autofocus>`
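The slide above shows why attribute-context injection matters more under HTML5: `autofocus` fires the handler without any user action. The following is an added example, not code from the talk, showing the two defensive sides of it: attribute-encoding the untrusted value before it is placed in `value="..."` (the `renderSearchInput` template and the search page it stands for are hypothetical), and a triage check that flags markup where an element carries both `autofocus` and an `on*` handler, which is useful when reviewing rendered pages or stored content. The sample payload in the test is the slide's own, with a trailing `x="` added so the injected quote is consumed cleanly.

```javascript
// Added example, not from the slides: attribute-context output encoding and a
// detector for the autofocus + on* handler combination.

// Encode the characters that matter inside a double- or single-quoted attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
  })[c]);
}

// Hypothetical search page echoing the query back into an INPUT: safe version.
function renderSearchInput(userValue) {
  return `<input type="text" name="q" value="${escapeAttr(userValue)}">`;
}

// Same template without encoding; kept only to show the difference.
function renderSearchInputUnsafe(userValue) {
  return `<input type="text" name="q" value="${userValue}">`;
}

// Triage aid (regex based, not a full HTML parser): report every tag that has
// an autofocus attribute together with at least one on* event-handler
// attribute. Legitimate <input autofocus> with no handler is not reported.
function findSelfTriggeringHandlers(html) {
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const names = [];
    let a;
    while ((a = attrRe.exec(m[2])) !== null) names.push(a[1].toLowerCase());
    const handlers = names.filter(n => n.startsWith('on'));
    if (names.includes('autofocus') && handlers.length > 0) {
      findings.push({ tag: m[1].toLowerCase(), handlers, offset: m.index });
    }
  }
  return findings;
}
```

The detector deliberately ignores `autofocus` on its own and `on*` handlers on their own, since both are ordinary HTML; it is the combination on one element that turns an attribute injection into a zero-interaction trigger.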

37 Blacklist XSS filters: HTML5 introduces many new tags

38 How does your browser become a proxy for an attacker?

39 CSRF (Cross-Site Request Forgery): The Sleeping Giant

40 Victim logs on to

41 Converting POST to GET

42 Credentials Included: JSESSIONID=AC934234…

43 Cross-Site Request Forgery: attackers post at … Go to Transfer Assets; Select FROM Fund; Select TO Fund; Select Dollar Amount; Submit Transaction; Confirm Transaction

44 Demo: XSS & CSRF - Killer Combo. Programmers Prepare, Users Beware

45 How Does CSRF Work? Tags; Autoposting Forms; XmlHttpRequest (subject to the same origin policy)

46 What Can Attackers Do with CSRF? Anything an authenticated user can do: click links; fill out and submit forms; follow all the steps of a wizard interface

47 Using CSRF to Attack Internal Pages (diagram: Allowed! CSRF; Internal Site; TAG; internal browser)

48 Web Workers: Web Workers make it possible for JavaScript to run in the background. Web Workers alone are not a security issue, but they can be used indirectly for launching work-intensive attacks without the user noticing.

49 Web Storage

50 Web Storage vulnerabilities & threats. Session hijacking: if the session identifier is stored in local storage, it can be stolen with JavaScript; there is no HttpOnly flag. Disclosure of confidential data: if sensitive data is stored in local storage, it can be stolen with JavaScript. User tracking: an additional possibility to identify a user. Persistent attack vectors: an attacker can store payloads persistently in the user's browser.

51 Offline Web Application: Cache Poisoning. Caching of the root directory is possible. HTTP and HTTPS caching is possible.

52 Ok, enough. Just tell me: can an attacker get a remote (control) shell on my PC??

53 Infection method known as drive-by download

54 In summary: Web Worker = cracking hashes in JS (cloud); Web Worker + Cross-Origin Resource Sharing = powerful DDoS attacks; Web Worker + Cross-Origin Resource Sharing + Web Socket = web-based botnet.

55 Is HTML5 hopelessly (in)secure? Ahem, no… security has been a major consideration in the design of the specification. But it is incredibly hard to add features to any technology without increasing the possibility of abuse.


57 Be secure & safe. HTML5 makes everybody happy, including h4ck3rs, and keeps security professionals busy.
