5 What is HTML5 Next major version of HTML. The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1Adds new tags, event handlers to HTML. Many more….HTML5 is not finished
6 supported by latest versions of FireFox, Chrome, Safari and Opera. HTML5 is already here.HTML5 TEST -Many features supported by latest versions of FireFox, Chrome, Safari and Opera.
9 WEB BROWSER SECURITY MODELS The same origin policyThe cookies security modeThe Flash security model/SandBox
10 Same Origin PolicyThe same origin policy prevents document or script loaded from one origin, from getting or setting properties from a of a document from a different origin.An origin is defined as the combination ofhost name,protocol,and port number;
11 The Browser “Same Origin” Policy bank.comXHRTAGSee Also:TAGXHRJSblog.netdocument, cookies
12 What Happens if the Same Origin Policy Is Broken?
15 Cross Origin Request (COR) Originally Ajax calls were subject to Same Origin PolicySite A cannot make XMLHttpRequests to Site BHTML5 makes it possible to make these cross do main Calls site A can now make XMLHttpRequests to Site B as long as Site B allows it.Response from Site B should include a header:Access ‐Control ‐Allow‐Origin: Site A
28 Not only NAT’ed IP ,You can lots more system info Demo
30 Port Scanningwindow.onerror = err; <script src=http://ip/></script> if (! msg.match(/Error loading script/)) //ip does not exit’s Else Find internal ip
if (! msg.match(/Error loading script/)) //ip does not exit’s Else Find internal ip",
31 Blind Web Server Fingerprinting Apache Web Server /icons/apache_pb.gifHP Printer /hp/device/hp_invent_logo.gif<img src="http://intranet_ip/unique_image_url" onerror="ﬁngerprint()" />
34 Port Scanning: Beating protections Blocking example for known ports (Firefox, WebSockets and CORS) ➔ Workaround! ➔ ftp://example.com:22 It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari Based on timeouts, it can be configuredWTFun
36 Self‐triggering XSS exploits with HTML5 A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS <input type="text" value="‐>Injecting here" onmouseover="alert('Injected val')"> • HTML5 turns this in to self ‐triggering XSS <input type="text” value="‐‐>Injecting here" onfocus="alert('Injected value')" autofocus>
37 Black‐list XSS filters Html5 introduce many new tag
38 How your browser become a proxy of an attacker?
39 CSRF(Cross-Site Request Forgery) The Sleeping Giant
43 Cross-Site Request Forgery bank.comGo to Transfer Assetshttps://bank.com/fn?param=1Select FROM Fundhttps://bank.com/fn?param=1Select TO Fundhttps://bank.com/fn?param=1Select Dollar Amounthttps://bank.com/fn?param=1Submit Transactionhttps://bank.com/fn?param=1Confirm Transactionhttps://bank.com/fn?param=1attacker’s post at blog.net
44 XSS & CSRF- Killer Combo Programmers Prepare, Users Beware DemoXSS & CSRF- Killer Combo Programmers Prepare, Users BewareIf xss is there all csrf protection can be bypass<form method="POST" name="form0" action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php"><input type="hidden" name="csrf-token" value="SecurityIsDisabled"/><input type="hidden" name="blog_entry" value="This is come from CSRF"/><input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/></form>
45 How Does CSRF Work? Tags <img src=“https://bank.com/fn?param=1”> <iframe src=“https://bank.com/fn?param=1”><script src=“https://bank.com/fn?param=1”>Autoposting Forms<body onload="document.forms.submit()"><form method="POST" action=“https://bank.com/fn”><input type="hidden" name="sp" value="8109"/></form>XmlHttpRequestSubject to same origin policy
46 What Can Attackers Do with CSRF? Anything an authenticated user can doClick linksFill out and submit formsFollow all the steps of a wizard interface
47 Using CSRF to Attack Internal Pages attacker.cominternal browserCSRFTAGInternal SiteAllowed!internal.mybank.com
51 Offline Web Application Cache PoisoningCaching of the root directory possible.HTTP and HTTPs caching possible.
52 Ok Enough, Just tell me can attacker Get a remote (Control)shell of my PC??
54 In summary = + = + + = Cracking Hashes in JS Cloud Web Worker=Cracking Hashes in JS CloudCross-origin resource sharingWeb Worker+=Powerful DDoS attacksCross-origin resource sharingWeb socketWeb Worker++=Web-based Botnet.
55 Is HTML5 hopelessly (in)secure? Ahem no…but security has been a major consideration in the design of the specification But it is incredibly hard to add features in any technology without increasing the possibility of abused.
56 Reference Compass Security AG security-v1.htmlhttps://www.owasp.org/index.php/HTML5_Sec urity_Cheat_Sheet
57 Be secure & safe Twitter:@nahidupa HTML5 make everybody happy including h4ck3rs and make security professional busy.