Presentation on theme: "Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013."— Presentation transcript:
Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013
Copyright Justin C. Klein Keane Announcements ● OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)! ● Please register with the discount code "Support_PHI" to support the chapter. ● $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member ) so join!
Copyright Justin C. Klein Keane Notable Features ● Canvas element for dynamic drawing ● Video and audio tags for embedding multimedia without plugins ● Local storage for offline web stores (cookie++) ● Content specific tags ● New form controls (calendar pop-ups, time data types, e-mail validation, etc.)
Copyright Justin C. Klein Keane Take Note “Some features of HTML trade user convenience for a measure of user privacy.” “When HTML is used to create interactive sites, care needs to be taken to avoid introducing vulnerabilities through which attackers can compromise the integrity of the site itself or of the site's users.” http://www.w3.org/html/wg/drafts/html/master/intro duction.htm
Copyright Justin C. Klein Keane Web SQL Database ● Full transactional database ● W3C no longer supports it for development ● Not clear what development roadmap will look like ● Creates all the security risks of a SQL database, but at the client
Copyright Justin C. Klein Keane Security & Storage ● SQL injection moves to the client! ● Persistent XSS moves to the client ● Offline stores may become a target of malware ● Offline stores lead to new sources, and volumes, of forensic evidence ● Cross directory attacks ● DNS spoofing could expose data store ● http://dev.w3.org/html5/webstorage/#security- storage
Copyright Justin C. Klein Keane Filesystem API ● Allows applications access to local filesystem ● Useful for large files – Uploads, downloads, and usage ● Creates all sorts of new security challenges: – Denial of service – Theft or erasure of private data (client side malware) – Storing malicious executables client side – Storing dangerous or illegal files on a filesystem surreptitiously
Copyright Justin C. Klein Keane Web Sockets ● Answer to AJAX ● Allows for synchronous connections between the client and a remote server ● Origin policies apply ● ws:// and wss:// protocol identifiers ● Uses port 80 ● Server validates client requests based on a key
Copyright Justin C. Klein Keane Security Implications of Web Sockets ● New DoS surface ● Could make for interesting data exfiltration route ● No implicit security/validation
Copyright Justin C. Klein Keane Vector Graphics ● Allows for dynamic image generation in HTML ● Great for scaling and responsive design ● Eliminates much of the need for embedded graphics
Copyright Justin C. Klein Keane SVG Security Issues ● Graphics defined in HTML – This leads to interesting new XSS attacks – Clickjacking just got easier ● Potential for new client DoS or crash
Copyright Justin C. Klein Keane Web Worker Security ● Multi-threading, what could possiblie go wrong? ● Workers may have access to sensitive data so SharedWorkers must be scrutinized ● New asynchronous model is bound to produce confusion
Copyright Justin C. Klein Keane New Security Model ● Old same origin policy is relaxed (CORS) – Cross origin resource sharing redefines XSS attack surface ● Assumption: same origin == trust ● In HTML 5 origin policy is more nuanced ● document.domain can be used to reset to remove subdomains ● New challenges: “Do not use the document.domain attribute when using shared hosting. If an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain attribute has been used.” http://www.w3.org/html/wg/drafts/html/master/browsers.ht ml#origin
Copyright Justin C. Klein Keane CSP Reporting ● CSP can specify reporting ● Allows browsers to report back to a specific server URI when something is blocked ● Protect - Detect – React ● Can be set to report only for debugging
Copyright Justin C. Klein Keane New Security Model ● Sandbox flag – Effectively isolates origin – Prevents loading of plugins – Can force a unique origin – Can block form submission – And more...
Copyright Justin C. Klein Keane New Complexities ● Complexity brings new security challenges ● Developers eager to implement features may not understand security challenges ● Testers may not be familiar with new features, or security risks ● Totally new security model at the browser level ● Replacing 3 rd party plugins may bring win
Copyright Justin C. Klein Keane Other Security Issues ● New dynamic attributes create new DOM based XSS attacks – Formaction, oninput, onerror, onforminput, onformchange, etc. ● Older security libraries may not recognize new security threats ● Greater capability and communications may make the browser a target for malware ● Fun new geolocation.GetCurrentPosition() ● Use getUserMedia() to capture audio/video!
Copyright Justin C. Klein Keane Credits Special thanks to Mike Shema and Brad Hill for their excellent research into this topic, presentations, and book, which I relied upon heavily for this material.