HTML5 Web Security. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

Similar documents
Thomas Röthlisberger IT Security Analyst

Gateway Apps - Security Summary SECURITY SUMMARY

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

The Top Web Application Attacks: Are you vulnerable?

Hack Proof Your Webapps

Recommended Practice Case Study: Cross-Site Scripting. February 2007

What is Web Security? Motivation

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Pwning Intranets with HTML5

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Magento Security and Vulnerabilities. Roman Stepanov

Where every interaction matters.

Enterprise Application Security Workshop Series

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Web Application Security

Attacking with HTML5. By,

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Relax Everybody: HTML5 Is Securer Than You Think

Web application security

Client Side Filter Enhancement using Web Proxy

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

HTTP Response Splitting

Web-Application Security

Secure development and the SDLC. Presented By Jerry

A Tale of the Weaknesses of Current Client-side XSS Filtering

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

HTML5 Top 10 Threats - Stealth Attacks and Silent Exploits

Application security testing: Protecting your application and data

Introduction to Computer Security

A Tale of the Weaknesses of Current Client-Side XSS Filtering

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Security Testing with Selenium

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

The Dark Side of Ajax. Jacob West Fortify Software

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

AJAX Storage: A Look at Flash Cookies and Internet Explorer Persistence

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Developing ASP.NET MVC 4 Web Applications

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Web Application Security Assessment and Vulnerability Mitigation Tests

Hack Yourself First. Troy troyhunt.com

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Developing ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Last update: February 23, 2004

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Web Application Firewall on SonicWALL SRA

Computer Networks. Lecture 7: Application layer: FTP and HTTP. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

Ethical Hacking as a Professional Penetration Testing Technique

CompTIA Security+ (Exam SY0-410)

Sitefinity Security and Best Practices

An Insight into Cookie Security

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Developing ASP.NET MVC 4 Web Applications MOC 20486

Cross Site Scripting Prevention

Web Application Penetration Testing

RTC-Web Security Considerations

IJMIE Volume 2, Issue 9 ISSN:

WEB ATTACKS AND COUNTERMEASURES

Advanced Web Security, Lab

DNS REBINDING DENIS BARANOV, POSITIVE TECHNOLOGIES

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Web Application Security 101

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Hacking cookies in modern web applications and browsers

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Breaking the Myths of Extended Validation SSL Certificates

Cloud Security:Threats & Mitgations

Understanding Web Application Security Issues

Cloud Security Framework (CSF): Gap Analysis & Roadmap

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Preparing for the Cross Site Request Forgery Defense

Web Application Firewall on SonicWALL SSL VPN

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Cross Site Scripting in Joomla Acajoom Component

Complete Cross-site Scripting Walkthrough

Step into the Future: HTML5 and its Impact on SSL VPNs

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Application Security Testing. Generic Test Strategy

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Web Application Security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Summary of the SEED Labs For Authors and Publishers

Application Security Testing

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Web Development. Owen Sacco. ICS2205/ICS2230 Web Intelligence

Transcription:

HTML5 Web Security Thomas Röthlisberger thomas.roethlisberger@csnc.ch IT Security Analyst Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Agenda Introduction to HTML5 Vulnerabilities & Threats Countermeasures Demo Web Workers Demo CORS Quiz and Q&A Slide 2

Introduction to HTML5 Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

History The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1 Driven by the WHATWG and later also by the W3C Current status is living standard (February 2011) The candidate recommendation is planned for 2012 and the recommendation for 2022 HTML5 is not finished Slide 4

HTML5 TEST - http://html5test.com/ out of a total of 400 points Slide 5

Overview Slide 6

Vulnerabilities & Threats Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Cross-Origin Resource Sharing Slide 8

Cross-Origin Resource Sharing I Slide 9

Cross-Origin Resource Sharing II GET / HTTP/1.1 Host: domainb.csnc.ch Origin: http://domaina.csnc.ch HTTP/1.1 200 OK Content-Type: text/html Access-Control-Allow-Origin: http://domaina.csnc.ch Slide 10

CORS Vulnerabilities & Threats I Accessing internal websites Scanning the internal network Slide 11

CORS Vulnerabilities & Threats II Remote attacking a web server Easier exploiting of Cross-Site Request Forgery (XSRF) Establishing a remote shell (DEMO) Slide 12

Web Storage Slide 13

Web Storage Slide 14

Web Storage Vuln. & Threats Session Hijacking If session identifier is stored in local storage, it can be stolen with JavaScript. No HTTPOnly flag. Disclosure of Confidential Data If sensitive data is stored in the local storage, it can be stolen with JavaScript. User Tracking Additional possibility to identify a user. Persistent attack vectors Slide 15

Offline Web Application Slide 16

Offline Web Application <!DOCTYPE HTML> <html manifest="/cache.manifest"> <body>... Example cache.manifest CACHE MANIFEST /style.css /helper.js /csnc-logo.jpg NETWORK: /visitor_counter.jsp FALLBACK: / /offline_error_message.html Slide 17

OWA Vulnerabilities & Threats Cache Poisoning Caching of the root directory possible. HTTP and HTTPs caching possible. Persistent attack vectors Attack vectors can be stored persistently in the browser. User Tracking Additional possibility to identify a user. Unique identifiers could be stored along with the cached files. Slide 18

Offline Web Application Attack 1/2 Slide 19

Offline Web Application Attack 2/2 Slide 20

Web Messaging Slide 21

Web Messaging Embedding HTML Page internal.csnc.ch postmessage() <iframe src Stealing confidential data Sensitive data may be sent accidently to a malicious Iframe. Expands attack surface to the client Iframes can send malicious content to other Iframes. Input validation on the server is not longer sufficient. Slide 22

Custom scheme and content handlers Slide 23

Custom scheme and content handlers Stealing confidential data An attacker tricks the user to register a malicious website as the e-mail protocol handler. Sending e-mails through this web application gives the attacker access to the content of the e-mail. User Tracking Additional possibility to identify a user. Unique identifiers could be stored along with the protocol handler. Slide 24

Web Sockets API Slide 25

Web Sockets API Slide 26

Web Sockets API Vuln. & Threats Cache Poisoning A misunderstanding proxy could lead to a cache poisoning vulnerability. Scanning the internal network The browser of a victim can be used for port scanning of internal networks. Establishing a remote shell Web Sockets can be used to establish a remote shell to a browser. Slide 27

Geolocation API Slide 28

Geolocation API User Tracking User tracking based on the location of a user. If users are registered, their physical movement profile could be tracked. The anonymity of users could be broken. Slide 29

Web Workers Slide 30

Web Workers Web Workers provide the possibility for JavaScript to run in the background Prior to Web Workers using JavaScript for long processing jobs was not feasible because it is slower than native code and the browsers freezes till the processing is completed Web Workers alone are not a security issue. But they can be used indirectly for launching work intensive attacks without the user noticing it. Slide 31

Worst Case Scenarios Feature! Cracking Hashes in JS Cloud (DEMO). Powerful DDoS attacks. Web-based Botnet. Slide 32

Countermeasures Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Countermeasures Not all features can be mitigated through secure server-side implementation. Cross-Site Scripting (XSS) becomes even worse. Same old Story: Do input validation and consequent output encoding. Slide 34

Countermeasures Cross-Origin Resource Sharing Use the Access-Control-Allow-Origin header to restrict the allowed domains. Never set the header to *. Do not base access control on the origin header. To mitigate DDoS attacks the Web Application Firewall (WAF) needs to block CORS requests if they arrive in a high frequency. Web Storage Use cookies instead of Local Storage for session handling. Do not store sensitive data in Local Storage. Web Messaging The target in postmessage() should be defined explicitly and not set to *. The receiving Iframe should not accept messages from any domain. E.g. e.origin == "http://internal.csnc.ch" The received message needs to be validated on the client to avoid malicious content being executed. Slide 35

Countermeasures The risks of the following features cannot be mitigated by server side implementation or configuration: Custom scheme and content handlers Geolocation API Offline Web Applications Web Sockets Therefore the users need to be trained: Do not accept registration of protocol handlers. Do not accept to share location information. Do not accept caching of web applications. Clear the cache including Local Storage and Offline Web Applications. The risk of the Web Sockets API needs to be accepted. The only way to avoid Web Sockets would be to disable it in the browser. Slide 36

DEMO Exploiting Web Workers Ravan Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

DEMO Web Workers Ravan http://www.andlabs.org/tools/ravan.html Slide 38

DEMO Exploiting CORS Shell of the Future Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

DEMO CORS Shell of the Future Simplified: Slide 40

Quiz and Q&A Slide 41

References Michael Schmidt, master thesis 5 Web 31st March 2011 Lavakumar Kuppan, Attack and Defense Labs, http://www.andlabs.org W3C, HTML5, A vocabulary and associated APIs for HTML and XHTML, http://dev.w3.org/html5/spec/overview.html Slide 42

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information