Everybody loves html5, h4ck3rs too

Upload: nahidul-kibria

Post on 15-Jul-2015

Transcript

Page 1

Everybody loves html5, h4ck3rs too

Page 2

~# Whoami

Nahidul Kibria

Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd.

Security enthusiast

Page 3

Which part do you care about?

Everybody loves html5… Well

h4ck3rs too… What!!!

Page 4

Page 5

What is HTML5?

Next major version of HTML.

The Hypertext Markup Language version 5 (HTML5) is the successor of HTML 4.01, XHTML 1.0 and XHTML 1.1.

Adds new tags and event handlers to HTML, and much more.

HTML5 is not finished.

Page 6

HTML5 is already here.

HTML5 TEST - http://html5test.com/

Many features are supported by the latest versions of Firefox, Chrome, Safari and Opera.

Page 7

Standard web model

Page 8

HTML5 OVERVIEW

• Web sockets

• COR

• Iframe sandboxing

• Web Messaging

Page 9

WEB BROWSER SECURITY MODELS

• The same origin policy

• The cookie security model

• The Flash security model / sandbox

Page 10

Same Origin Policy

The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin.

An origin is defined as the combination of

• host name,

• protocol,

• and port number.

Page 11

The Browser "Same Origin" Policy

[Diagram: bank.com and blog.net; labels: XHR, document, cookies, TAG, JS]

Page 12

What Happens if the Same Origin Policy Is Broken?

Page 13

Some major HTML5 features

• CORS - Cross-Origin Resource Sharing

• WebSockets

• WebWorkers

• JavaScript APIs

Page 14

Disclaimer

Today I want to show you how far an attacker can go with simple JavaScript and HTML5, so you can convince your boss to put effort into security measures. My intention is not to make you panic.

Page 15

Cross Origin Request (COR)

• Originally Ajax calls were subject to the Same Origin Policy.

• Site A cannot make XMLHttpRequests to Site B.

• HTML5 makes it possible to make these calls cross-domain.

• Site A can now make XMLHttpRequests to Site B as long as Site B allows it.

The response from Site B should include a header:

Access-Control-Allow-Origin: Site A
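Added example, not from the slides: how Site B should decide whether to emit the Access-Control-Allow-Origin header above. It assumes Site A is https://sitea.example (a made-up name) and contrasts the strict allowlist check with the prefix match that is often seen instead.

```javascript
// Added example (not from the slides): a server-side CORS origin check.
// Site B decides which origins may read its responses; "Site A" from the
// slide's header is assumed to be https://sitea.example (a made-up name).
const ALLOWED_ORIGINS = new Set(['https://sitea.example']);

// Normalise a raw Origin header to a canonical scheme://host[:port] string,
// or return null for anything that is not a well-formed origin
// (including the literal "null" sent by sandboxed iframes and file: pages).
function canonicalOrigin(raw) {
  if (typeof raw !== 'string' || raw === 'null') return null;
  try {
    const u = new URL(raw);
    // An Origin header carries no path or query; reject anything that has one.
    if (u.pathname !== '/' || u.search || u.hash) return null;
    return u.origin; // drops default ports and lower-cases the host
  } catch {
    return null;
  }
}

// Weak check as often deployed: prefix matching, which also accepts
// https://sitea.example.evil because it starts with the allowed string.
function weakAllows(raw) {
  return typeof raw === 'string' && raw.startsWith('https://sitea.example');
}

// Strict check: exact match against the allowlist, then echo that exact
// origin (never "*" when credentials are allowed) and add Vary: Origin so
// a shared cache does not serve this response to a different origin.
function corsHeaders(raw) {
  const origin = canonicalOrigin(raw);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```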

Page 16

Cross-Origin Resource Sharing

<allow-access-from domain="*">

Page 17

The OWASP Foundation http://www.owasp.org

CORS - Cross-Origin Resource Sharing

Why are programmers happy?

Let's see it from the attacker's view.

Page 18

XSS - Cross Site Scripting

Page 19

Demo

Page 20

XSS attack vector

Page 21

Impact of XSS

• History stealing

• Intranet hacking

• XSS defacements

• DNS pinning

• IMAP3

• MHTML

• Hacking JSON

• Cookie stealing

• Clipboard stealing

Page 22

Cookie stealing

Pr3venting

Page 23

XSS defacements

Page 24

If you still cannot manage your boss: more evil uses

"I do not care. Show me how my org is affected."

Page 25

Attacking intranet

Page 26

Obtaining NAT'ed IP addresses

Java applet

Page 27

If the victim's web browser is Mozilla/Firefox, it's possible to skip the applet:

<script>
function natIP() {
  var w = window.location;
  var host = w.host;
  var port = w.port || 80;
  var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
  return Socket;
}
</script>

Page 28

Demo

Not only the NAT'ed IP; you can get lots more system info.

Page 29

Port scanning

O' Really

Page 30

Port scanning

window.onerror = err;

<script src=http://ip/></script>

if (!msg.match(/Error loading script/))
  // ip does not exist
else
  // found internal ip

Page 31

Blind web server fingerprinting

Apache web server: /icons/apache_pb.gif

HP printer: /hp/device/hp_invent_logo.gif

<img src="http://intranet_ip/unique_image_url" onerror="fingerprint()" />

Page 32

HTML5 made it easy

www.andlabs.org/tools/jsrecon.html

Demo

Page 33

What just happened?

Page 34

Port scanning: beating protections

Blocking example for known ports (Firefox, WebSockets and CORS):

➔ http://example.com:22

Workaround!

➔ ftp://example.com:22

It works on Internet Explorer, Mozilla Firefox, Google Chrome and Safari.

Based on timeouts; it can be configured.

WTFun

Page 35

Port scanning: result

Page 36

Self-triggering XSS exploits with HTML5

A common XSS occurrence is injection inside some attribute of INPUT tags. Current techniques require user interaction to trigger this XSS:

<input type="text" value="->Injecting here" onmouseover="alert('Injected val')">

• HTML5 turns this into self-triggering XSS:

<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>
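Added example, not from the slides: why the onfocus/autofocus payload needs no user interaction, and how attribute encoding at output time removes it. The injected string is constructed to reproduce the slide's second input tag; the template and scanner functions are my own, not the demo application's.

```javascript
// Added example (not from the slides). INJECTED is constructed to match the
// attribute breakout shown on the slide: it closes the value attribute and
// appends an event handler plus autofocus.
const INJECTED = 'Injecting here" onfocus="alert(\'Injected value\')" autofocus';

// Encode the five characters that can terminate or alter an HTML attribute.
function attrEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable template: the value is concatenated into the attribute as-is.
function renderUnsafe(value) {
  return `<input type="text" value="${value}">`;
}

// Fixed template: same markup, value passed through the attribute encoder.
function renderSafe(value) {
  return `<input type="text" value="${attrEncode(value)}">`;
}

// Tiny attribute scanner (not a full HTML parser): lists the attribute
// names a browser would see on one tag, honouring quoted values.
function attributeNames(tag) {
  const re = /\s([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// A rendered tag is self-triggering when it gained both an on* handler and
// autofocus, which is exactly what the slide's payload relies on.
function selfTriggering(tag) {
  const names = attributeNames(tag);
  return names.some((n) => n.startsWith('on')) && names.includes('autofocus');
}
```

With encoding, the whole injected string stays inside the value attribute, so the browser sees only type and value and nothing fires on page load.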

Page 37

Black-list XSS filters: HTML5 introduces many new tags

Page 38

How does your browser become a proxy for an attacker?

http://erlend.oftedal.no/blog/?blogid=107

Page 39

CSRF (Cross-Site Request Forgery)

The Sleeping Giant

Page 40

Victim logs on to bank.com

Page 41

Converting POST to GET

Page 42

Credentials included

[Diagram: a request from blog.net to https://bank.com/fn?param=1 carries the bank.com cookie JSESSIONID=AC934234…]

Page 43

Cross-Site Request Forgery

[Diagram: bank.com vs. the attacker's post at blog.net. Each step of the bank's transfer wizard (Go to Transfer Assets, Select FROM Fund, Select TO Fund, Select Dollar Amount, Submit Transaction, Confirm Transaction) is a request of the form https://bank.com/fn?param=1]

Page 44

Demo

XSS & CSRF - Killer Combo: Programmers Prepare, Users Beware

<form method="POST" name="form0"
  action="http://my.victim.mutillidae:81/mutillidae/index.php?page=add-to-your-blog.php">
  <input type="hidden" name="csrf-token" value="SecurityIsDisabled"/>
  <input type="hidden" name="blog_entry" value="This is come from CSRF"/>
  <input type="hidden" name="add-to-your-blog-php-submit-button" value="Save Blog Entry"/>
</form>

Page 45

How Does CSRF Work?

Tags:

<img src="https://bank.com/fn?param=1">

<iframe src="https://bank.com/fn?param=1">

<script src="https://bank.com/fn?param=1">

Autoposting forms:

<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
</form>

XmlHttpRequest: subject to same origin policy
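Added example, not from the slides or the Mutillidae demo: the server-side checks that give a csrf-token field like the one in the demo form its meaning. The site origin https://bank.example, the session record and the request objects are constructed for the example; a real application would take them from its framework.

```javascript
// Added example (not from the slides): server-side CSRF checks for a
// state-changing POST. SITE_ORIGIN is a constructed stand-in for bank.com.
const SITE_ORIGIN = 'https://bank.example';

// Constant-time comparison so a token check does not leak how many
// leading characters of a guess were correct.
function tokensEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Where did the browser say the request came from? Prefer Origin, fall back
// to the origin part of Referer, and treat a missing or malformed value as
// unknown (null), which the caller rejects.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  try {
    return headers.referer ? new URL(headers.referer).origin : null;
  } catch {
    return null;
  }
}

// Returns 'ok' or the reason the POST must be rejected. `req` carries the
// headers and parsed form fields; `session` is the server-side session record
// holding the per-session token that was embedded when the form was issued.
function checkCsrf(req, session) {
  // 1. The request must originate from our own site. Tags and auto-posting
  //    forms on blog.net send the cookie, but they cannot forge this header.
  if (requestOrigin(req.headers) !== SITE_ORIGIN) return 'bad-origin';
  // 2. The form must carry the secret token tied to this session. A constant
  //    such as "SecurityIsDisabled" offers no protection, because the
  //    attacker's page can simply include the same constant.
  if (!session.csrfToken || !tokensEqual(req.body['csrf-token'], session.csrfToken)) {
    return 'bad-token';
  }
  return 'ok';
}
```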

Page 46

What Can Attackers Do with CSRF?

Anything an authenticated user can do:

• Click links

• Fill out and submit forms

• Follow all the steps of a wizard interface

Page 47

Using CSRF to Attack Internal Pages

[Diagram: a tag on attacker.com, loaded in the internal browser, sends a CSRF request to internal.mybank.com (internal site), which is allowed]

Page 48

Web Workers

Web Workers provide the possibility for JavaScript to run in the background.

Web Workers alone are not a security issue.

But they can be used indirectly for launching work-intensive attacks without the user noticing.

http://www.andlabs.org/tools/ravan.html

Page 49

Web Storage

Page 50

Web Storage Vulnerabilities & Threats

Session hijacking

• If the session identifier is stored in local storage, it can be stolen with JavaScript.

• There is no HttpOnly flag.

Disclosure of confidential data

• If sensitive data is stored in local storage, it can be stolen with JavaScript.

User tracking

• An additional possibility to identify a user.

Persistent attack vectors

• Attack code can be stored persistently in the user's browser.

Page 51

Offline Web Application

Cache poisoning

• Caching of the root directory is possible.

• HTTP and HTTPS caching are possible.

Page 52

OK, enough. Just tell me: can an attacker get a remote (control) shell on my PC??

Page 53

Infection method known as drive-by download

Page 54

In summary

Web Worker = cracking hashes in a JS cloud

Web Worker + Cross-origin resource sharing = powerful DDoS attacks

Web Worker + Cross-origin resource sharing + Web socket = web-based botnet

Page 55

Is HTML5 hopelessly (in)secure?

Ahem, no… security has been a major consideration in the design of the specification. But it is incredibly hard to add features to any technology without increasing the possibility of abuse.

Page 56

References

Compass Security AG: http://userguidepdf.info/html5-web-security-v1.html

http://html5sec.org

https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

http://dev.w3.org/html5/spec/Overview.html

Page 57

Twitter: @nahidupa

Be secure & safe

HTML5 makes everybody happy, including h4ck3rs, and keeps security professionals busy.