
Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013.




1 HTML 5 Security, Philadelphia OWASP, August 2013

2 Announcements
● OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)!
● Please register with the discount code "Support_PHI" to support the chapter.
● $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member) so join!

3 About HTML 5
● New HTML standard
  – Like JavaScript, dependent on browser implementation
  – Browser support varies
  – Remarkably, mobile tends to have more support
● Designed to address persistent headaches of web developers
● Makes web applications much closer to native applications
● Spec available at

4 Notable Features
● Canvas element for dynamic drawing
● Video and audio tags for embedding multimedia without plugins
● Local storage for offline web stores (cookie++)
● Content specific tags
● New form controls (calendar pop-ups, time data types, validation, etc.)

5 Take Note
“Some features of HTML trade user convenience for a measure of user privacy.”
“When HTML is used to create interactive sites, care needs to be taken to avoid introducing vulnerabilities through which attackers can compromise the integrity of the site itself or of the site's users.”
duction.htm

6 Local Storage
● Web storage
  – NoSQL key-value store, much like cookies
  – Simple and easy to use
  – Set and read via JavaScript with localStorage or sessionStorage
  – Session storage persists merely for the local session (no persistence)
  – “A mostly arbitrary limit of five megabytes per origin is suggested.”

7 Web SQL Database
● Full transactional database
● W3C no longer supports it for development
● Not clear what development roadmap will look like
● Creates all the security risks of a SQL database, but at the client

8 Security & Storage
● SQL injection moves to the client!
● Persistent XSS moves to the client
● Offline stores may become a target of malware
● Offline stores lead to new sources, and volumes, of forensic evidence
● Cross directory attacks
● DNS spoofing could expose data store
● storage
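Added example, not from the slides: why "persistent XSS moves to the client" with web storage, shown as a vulnerable reader beside a hardened one. A Map stands in for localStorage so it runs outside a browser; in a page you would pass window.localStorage instead.

```javascript
// Constructed stand-in for window.localStorage (same getItem/setItem shape).
const fakeStorage = (() => {
  const m = new Map();
  return {
    setItem: (k, v) => m.set(k, String(v)),
    getItem: (k) => (m.has(k) ? m.get(k) : null),
  };
})();

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable: whatever sits in storage lands in the page as markup. A single
// injection that wrote here keeps re-executing on every later page load,
// with no server round trip for a WAF or server-side filter to see.
function renderNotesUnsafe(storage) {
  const notes = JSON.parse(storage.getItem('notes') || '[]');
  return '<ul>' + notes.map((n) => `<li>${n.text}</li>`).join('') + '</ul>';
}

// Hardened: treat storage as untrusted input. Tolerate corrupt JSON,
// validate the shape, drop anything unexpected, escape before it becomes HTML.
function renderNotesSafe(storage) {
  let notes;
  try { notes = JSON.parse(storage.getItem('notes') || '[]'); } catch (e) { notes = []; }
  if (!Array.isArray(notes)) notes = [];
  const items = notes
    .filter((n) => n && typeof n.text === 'string' && n.text.length <= 500)
    .map((n) => `<li>${escapeHtml(n.text)}</li>`);
  return '<ul>' + items.join('') + '</ul>';
}

// Constructed sample data: one benign note and one that carries markup.
fakeStorage.setItem('notes', JSON.stringify([{ text: 'buy milk' }, { text: '<b>hi</b>' }]));
```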

9 Filesystem API
● Allows applications access to local filesystem
● Useful for large files
  – Uploads, downloads, and usage
● Creates all sorts of new security challenges:
  – Denial of service
  – Theft or erasure of private data (client side malware)
  – Storing malicious executables client side
  – Storing dangerous or illegal files on a filesystem surreptitiously

10 Web Sockets
● Answer to AJAX
● Allows for synchronous connections between the client and a remote server
● Origin policies apply
● ws:// and wss:// protocol identifiers
● Uses port 80
● Server validates client requests based on a key

11 Security Implications of Web Sockets
● New DoS surface
● Could make for interesting data exfiltration route
● No implicit security/validation

12 Vector Graphics
● Allows for dynamic image generation in HTML
● Great for scaling and responsive design
● Eliminates much of the need for embedded graphics

13 SVG Security Issues
● Graphics defined in HTML
  – This leads to interesting new XSS attacks
  – Clickjacking just got easier
● Potential for new client DoS or crash

14 Web Workers
● “threads” for HTML in JavaScript
● No DOM access
  – Can use AJAX and Web Sockets
● Worker threads can send and receive messages
● SharedWorker allows multiple pages to use the same worker

15 Web Worker Security
● Multi-threading, what could possibly go wrong?
● Workers may have access to sensitive data, so SharedWorkers must be scrutinized
● New asynchronous model is bound to produce confusion

16 New Security Model
● Old same origin policy is relaxed (CORS)
  – Cross origin resource sharing redefines XSS attack surface
● Assumption: same origin == trust
● In HTML 5 origin policy is more nuanced
● document.domain can be used to reset to remove subdomains
● New challenges: “Do not use the document.domain attribute when using shared hosting. If an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain attribute has been used.”
ml#origin

17 Content Security Policy
● Content Security Policy (CSP) defined in headers
● Specify the source of trusted content
  – Content, font, frame, img, media, object, style
  – (http|https), none, self, unsafe-inline, unsafe-eval
● Inline code is considered unsafe!
● All CSS, JavaScript must be external (.js files)
● No more injected XSS!!!
  – None of your existing apps will work :(

18 CSP Reporting
● CSP can specify reporting
● Allows browsers to report back to a specific server URI when something is blocked
● Protect - Detect – React
● Can be set to report only for debugging
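Added example, not from the slides, covering the two CSP slides above: building a policy for a site whose scripts and styles are all external, switching between enforcing and report-only mode for rollout, and parsing the JSON report a browser posts to the report-uri. Host names and the report path are assumed placeholders.

```javascript
// Build the header for a policy with no inline code: no 'unsafe-inline', no 'unsafe-eval'.
// reportOnly picks the Report-Only header so violations are logged but not blocked.
function buildCspHeader(opts) {
  const directives = [
    "default-src 'self'",
    "script-src 'self' https://cdn.example",
    "style-src 'self'",
    "img-src 'self' data:",
    "object-src 'none'",
    'report-uri ' + opts.reportUri,
  ];
  const name = opts.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value: directives.join('; ') };
}

// Parse the body a browser posts to report-uri. Returns null for anything that
// is not a well-formed report, since the endpoint is reachable by anyone.
function parseCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') return null;
  return {
    page: String(r['document-uri'] || ''),
    blocked: String(r['blocked-uri'] || ''),
    directive: r['violated-directive'],
    policy: String(r['original-policy'] || ''),
  };
}

// Constructed sample report in the shape browsers send for a blocked inline script.
const sampleReport = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example/account',
    'blocked-uri': 'inline',
    'violated-directive': "script-src 'self' https://cdn.example",
    'original-policy': buildCspHeader({ reportUri: '/csp-report', reportOnly: true }).value,
  },
});
```

Run in report-only mode first and watch the reports: every violation is either a page that still carries inline code (detect) or an injection attempt that enforcement will block (react).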

19 New Security Model
● Sandbox flag
  – Effectively isolates origin
  – Prevents loading of plugins
  – Can force a unique origin
  – Can block form submission
  – And more...

20 New Complexities
● Complexity brings new security challenges
● Developers eager to implement features may not understand security challenges
● Testers may not be familiar with new features, or security risks
● Totally new security model at the browser level
● Replacing 3rd party plugins may bring win

21 Other Security Issues
● New dynamic attributes create new DOM based XSS attacks
  – formaction, oninput, onerror, onforminput, onformchange, etc.
● Older security libraries may not recognize new security threats
● Greater capability and communications may make the browser a target for malware
● Fun new geolocation.getCurrentPosition()
● Use getUserMedia() to capture audio/video!

22 Credits
Special thanks to Mike Shema and Brad Hill for their excellent research into this topic, presentations, and book, which I relied upon heavily for this material.

