html5 security (236667319)
TRANSCRIPT
8/11/2019 HTML5 Security (236667319)
http://slidepdf.com/reader/full/html5-security-236667319 1/36
Copyright Justin C. Klein Keane @madirish2600
HTML 5 Security

About Me
● Security researcher and engineer
● Work at University of Pennsylvania
● OWASP Philadelphia chapter leader
● Working on my first book
● Professor at Drexel University
● Recovering web application developer ;)

TL;DR
● HTML5 will be the source of much:
– Lamentation
– Rejoicing
● For:
– Developers
– Attackers
– Defenders

About HTML 5
● New HTML standard
– Like JavaScript, dependent on browser implementation
– Browser support varies
– Remarkably, mobile tends to have more support
● Designed to address persistent headaches of web developers (and get rid of plugins!)
● Makes web apps much closer to native apps
● At core: <!DOCTYPE html><html></html>
● Spec available at www.w3.org

Take Note
“Some features of HTML trade user convenience for a measure of user privacy.”
“When HTML is used to create interactive sites, care needs to be taken to avoid introducing vulnerabilities through which attackers can compromise the integrity of the site itself or of the site's users.”
http://www.w3.org/html/wg/drafts/html/master/introduction.html

How HTML 5 Works
● Adding new HTML tags:
– <canvas>, <article>, etc.
● Add new DOM functions:
– document.register('new-tag');
● There go your tag specific XSS filters...
● Add new DOM elements
– window['localStorage'];
– navigator.geolocation.getCurrentPosition();

Popular Features (That I won't really discuss)
● Canvas element for dynamic drawing
● Video and audio tags for embedding multimedia without plugins
● Content specific tags
● New form controls (calendar pop-ups, time datatypes, e-mail validation, etc.)
● Native client side form validation
● New history API
● Drag and drop

Banana Bread

Cross Site Scripting (XSS)
● A bit about XSS since HTML 5 has a big impact
● XSS is “arbitrary script injection”
– Display arbitrary elements, export arbitrary data including Cookies, or perform arbitrary manipulation of DOM
● HTML 5 both helps and hurts XSS

Reflected XSS

Stored XSS

BeEF Makes it Easy

Minimal Injection

New Security Model
● Old Same Origin Policy is relaxed
● New policy is Cross Origin Resource Sharing (CORS)
– Redefines XSS attack surface
● Assumption: same origin == trust
● In HTML 5 origin policy is more nuanced

Content Security Policy
● Content Security Policy (CSP) defined in headers
● Specify the source of trusted content
– Content, font, frame, img, media, object, style
– (http|https), none, self, unsafe-inline, unsafe-eval
● Inline code is considered unsafe!
● All CSS, JavaScript must be external (.js files)
● No more injected XSS!!!
– None of your existing apps will work :(
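The directives and keywords listed above are easiest to reason about with a checker in hand. The following is an added example, not code from the talk: it parses a Content-Security-Policy header value into its directives and flags the permissive settings the slide calls out (missing default-src, unsafe-inline, unsafe-eval, wildcard or scheme-only script sources). The two sample headers are constructed.

```javascript
// Added example: parse a CSP header value and audit it for the weak settings
// discussed in the talk. Plain Node.js, no dependencies.

// "default-src 'self'; script-src 'self' cdn.example" ->
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'cdn.example'] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Returns a list of findings; an empty list means none of the checks here fired,
// which is not the same as the policy being strong.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy['default-src']) {
    findings.push('no default-src: any fetch directive you did not set is unrestricted');
  }
  // script-src falls back to default-src when it is not set explicitly
  const scriptSrc = policy['script-src'] || policy['default-src'] || [];
  if (scriptSrc.includes("'unsafe-inline'")) {
    findings.push("script-src has 'unsafe-inline': injected inline scripts still execute");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("script-src has 'unsafe-eval': eval() and string-to-code remain available");
  }
  for (const src of scriptSrc) {
    if (src === '*' || /^https?:$/.test(src)) {
      findings.push(`script-src allows ${src}: scripts may be loaded from any host`);
    }
  }
  return findings;
}

// Constructed sample headers: a permissive policy, then the external-only policy the talk recommends
const WEAK_CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval' *";
const STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'";

console.log(auditCsp(WEAK_CSP));   // four findings
console.log(auditCsp(STRICT_CSP)); // []
```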

CSP in Practice

CSP Results

CSP Reporting
● CSP can specify reporting
● Allows browsers to report back to a specific server URI when something is blocked
● Protect → Detect → React
● Can be set to report only for debugging
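What such a report endpoint receives, as an added example rather than anything from the deck: the browser POSTs a JSON document whose top-level key is `csp-report`; the handler below extracts the fields a defender triages on, drops browser-extension noise, and counts blocked sources per directive. The three sample reports are constructed.

```javascript
// Added example: parse and aggregate CSP violation reports sent to report-uri.
// Field names are those of the browser's JSON report body; samples are constructed.

function parseCspReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r) throw new Error('not a CSP violation report');
  const directive = (r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];
  const blocked = r['blocked-uri'] || '';
  return {
    page: r['document-uri'],
    directive,                       // e.g. "script-src"
    blocked,                         // URL, or "inline" / "eval" for code written into the page
    inline: blocked === 'inline' || blocked === 'eval',
  };
}

// Aggregate a batch into { directive: { blockedUri: count } }. Reports about
// browser-extension scripts are not about your site, so they are skipped.
function summarize(bodies) {
  const out = {};
  for (const body of bodies) {
    const rep = parseCspReport(body);
    if (/^(chrome|moz|safari)-extension:/.test(rep.blocked)) continue;
    out[rep.directive] = out[rep.directive] || {};
    out[rep.directive][rep.blocked] = (out[rep.directive][rep.blocked] || 0) + 1;
  }
  return out;
}

// Constructed reports: an inline script (legacy code or an injection), a third-party
// script host not in the policy, and extension noise.
const report = (uri, blocked) => JSON.stringify({ 'csp-report': {
  'document-uri': uri, 'violated-directive': "script-src 'self'",
  'effective-directive': 'script-src', 'blocked-uri': blocked,
  'original-policy': "default-src 'self'; report-uri /csp-report" } });
const SAMPLE_REPORTS = [
  report('https://app.example/profile', 'inline'),
  report('https://app.example/profile', 'https://cdn.third-party.example/widget.js'),
  report('https://app.example/', 'chrome-extension://abcdef/content.js'),
];

console.log(summarize(SAMPLE_REPORTS));
// { 'script-src': { inline: 1, 'https://cdn.third-party.example/widget.js': 1 } }
```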

Reporting

Example Report

New iFrame Security
● Sandbox attribute
– Effectively isolates origin
– Prevents loading of plugins
– Can prevent JavaScript
– Can force a unique origin (even same origin fails)
– Can block form submission
– And more...
– Whitelist selectively allows functionality:
● <iframe src="blah" sandbox="allow-forms allow-popups allow-scripts"></iframe>
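Because the attribute is an allowlist, the safe way to use it is to start from nothing and add only what the framed content needs. The following is an added example, not code from the talk: it builds the sandbox value from a list of required tokens, rejects unknown ones, and warns about the combination under which a same-origin frame can remove its own sandbox. The token names are the standard sandbox keywords; the embed URL is constructed.

```javascript
// Added example: build an <iframe sandbox> value from required capabilities and
// flag combinations that undo the sandbox. Runs in Node; token list is the standard set.

const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Returns { attr, warnings }. attr is the attribute value; the empty string
// (sandbox="") is the most restrictive setting and the right starting point.
function buildSandbox(needed) {
  const tokens = [];
  const warnings = [];
  for (const t of needed) {
    if (SANDBOX_TOKENS.has(t)) tokens.push(t);
    else warnings.push(`unknown token ignored: ${t}`);
  }
  // A same-origin frame that can run script can reach into the parent document
  // and strip its own sandbox attribute, so this pairing gives no protection.
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    warnings.push('allow-scripts with allow-same-origin: framed content can remove the sandbox');
  }
  if (tokens.includes('allow-top-navigation')) {
    warnings.push('allow-top-navigation: frame can navigate the top-level page at will');
  }
  return { attr: tokens.join(' '), warnings };
}

// Emit the tag with the src attribute-escaped so a URL cannot close the quote.
function iframeTag(src, needed) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  return `<iframe src="${esc(src)}" sandbox="${buildSandbox(needed).attr}"></iframe>`;
}

// Constructed usage: the allowlist from the slide, then a pairing that defeats the sandbox
console.log(iframeTag('https://widgets.example/embed', ['allow-forms', 'allow-popups', 'allow-scripts']));
console.log(buildSandbox(['allow-scripts', 'allow-same-origin']).warnings);
```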

Web Storage
● Web storage
– NoSQL key-value store, much like cookies
– Simple and easy to use
– Set and called via JavaScript with localStorage or sessionStorage
– Session storage persists merely for the local session (no persistence)
– “A mostly arbitrary limit of five megabytes per origin is suggested.”

Cool Uses
● Storing form state (no more Back button returning to a blank form)
● Replace cookies
● Store serialized JSON objects and other complex structures
● Persist data solely on the client!

Example

Where Did It Go?

Security: LocalStorage
● SQL injection moves to the client!
● Persistent XSS moves to the client
● Offline stores may become a target of malware
● New sources, and volumes, of forensic evidence
● Cross directory attacks
– “Different authors sharing one host name, for example users hosting content on geocities.com, all share one local storage object. There is no feature to restrict the access by pathname. Authors on shared hosts are therefore urged to avoid using these features, as it would be trivial for other authors to read the data and overwrite it.”
● DNS spoofing could expose data store
● http://dev.w3.org/html5/webstorage/#security-storage
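“Persistent XSS moves to the client” means that anything written to localStorage must be read back as untrusted input: another script in the same origin, or another author on a shared host, may have replaced it. The following is an added example, not code from the talk, using a small in-memory stand-in for window.localStorage (constructed so it runs in Node): the first reader puts stored data straight into markup, the second validates its shape and escapes it.

```javascript
// Added example: read Web Storage defensively. MemoryStorage is a constructed
// stand-in with the getItem/setItem surface of window.localStorage.

class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

// Stored JSON -> { name, visits }, or null when it is not the shape this app wrote.
// Only the fields we expect are copied out, so extra keys cannot ride along.
function readProfile(storage) {
  let obj;
  try { obj = JSON.parse(storage.getItem('profile')); } catch (e) { return null; }
  if (!obj || typeof obj !== 'object') return null;
  if (typeof obj.name !== 'string' || obj.name.length > 64) return null;
  if (!Number.isInteger(obj.visits) || obj.visits < 0) return null;
  return { name: obj.name, visits: obj.visits };
}

const escapeHtml = (s) => s.replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// The pattern the slide warns about: stored value concatenated into markup
// that will be assigned to innerHTML. Whatever is in storage is rendered as HTML.
function greetingUnsafe(storage) {
  const obj = JSON.parse(storage.getItem('profile'));
  return `<p>Welcome back, ${obj.name}</p>`;
}

// Hardened: validated shape, escaped output, safe fallback when storage is unusable.
function greetingSafe(storage) {
  const p = readProfile(storage);
  return p ? `<p>Welcome back, ${escapeHtml(p.name)} (${p.visits} visits)</p>` : '<p>Welcome!</p>';
}

// Constructed scenario: something with access to this origin's storage rewrote the profile
const store = new MemoryStorage();
store.setItem('profile', JSON.stringify({ name: '<b>tampered</b>', visits: 3 }));
console.log(greetingUnsafe(store)); // the <b> element becomes live markup
console.log(greetingSafe(store));   // the same characters, rendered as text
```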

File Storage
● Chrome supports w3c FileSystem API
● Mozilla supporting DeviceStorage API
● Both essentially address the same need
● Still very much developing

Filesystem API
● Allows applications access to local filesystem
● Useful for large files
– Uploads, downloads, and usage

Filesystem Security
● Creates all sorts of new security challenges:
– Target of malware for theft
– Denial of service
– Theft or erasure of private data (client side malware)
– Storing malicious executables client side
– Storing dangerous or illegal files on a filesystem surreptitiously

Web Sockets
● Answer to AJAX
● Allows for synchronous connections between the client and a remote server
● Origin policies apply
– connect-src in CSP
● ws:// and wss:// protocol identifiers
● Uses port 80/443 by default
● Valid http upgrades to websocket

var host = 'ws://url.tld/ref';
var conn = new WebSocket(host);
conn.onopen = function () {};
conn.onmessage = function () {};

Security Implications of WebSockets
● No native authentication
● New DoS surface
● Custom socket code could contain vulnerabilities including overflows
● Could make for interesting C&C and data exfiltration route
● No implicit security/validation
● Like AJAX it provides a new “hidden” attack surface that is difficult to audit

Vector Graphics
● Allows for dynamic image generation in HTML
● Great for scaling and responsive design
● Eliminates much of the need for embedded graphics

SVG Security Issues
● Graphics defined in HTML
– This leads to interesting new XSS attacks
– Clickjacking just got easier
● Potential for new client DoS or crash

New Complexities
● Complexity brings new security challenges
● Developers eager to implement features may not understand security challenges
● Testers may not be familiar with new features, or security risks
● Totally new security model at the browser level
● Replacing 3rd party plugins may bring win

Other Security Issues
● New dynamic attributes create new DOM based XSS attacks
– formaction, oninput, onerror, onforminput, onformchange, etc.
● Older security libraries may not recognize new security threats
● Greater capability and communications may make the browser a target for malware
● Fun new geolocation.getCurrentPosition()
● Use getUserMedia() to capture audio/video!
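The attributes listed above, and the SVG issues from the earlier slide, share one root: filter lists written for HTML4 do not know them. The following is an added example, not code from the talk: a scanner over user-supplied markup that reports any on* handler, formaction, javascript: URLs, and script or foreignObject elements inside inline SVG. It is a detection and review aid, not a sanitizer; sample inputs are constructed.

```javascript
// Added example: flag HTML5/SVG attack-surface features in untrusted markup.
// A regex tokenizer is adequate for review tooling, not a substitute for a real sanitizer.

const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
const URL_ATTRS = new Set(['href', 'src', 'xlink:href', 'action', 'formaction']);

// Returns [{ tag, attr, why }] for each risky construct found, in document order.
function findRiskyMarkup(html) {
  const findings = [];
  let inSvg = false;
  for (const m of html.matchAll(TAG_RE)) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (tag === 'svg') inSvg = !closing;   // track whether we are inside inline SVG
    if (closing) continue;
    if (tag === 'script' || (inSvg && tag === 'foreignobject')) {
      findings.push({ tag, attr: null, why: inSvg ? 'scriptable element inside inline SVG' : 'script element' });
    }
    for (const a of m[3].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = (a[2] || a[3] || a[4] || '').trim();
      if (/^on[a-z]+$/.test(name)) {
        findings.push({ tag, attr: name, why: 'event handler attribute (HTML5 added many new ones)' });
      } else if (name === 'formaction') {
        findings.push({ tag, attr: name, why: 'formaction redirects the form submission' });
      } else if (URL_ATTRS.has(name) && /^javascript:/i.test(value)) {
        findings.push({ tag, attr: name, why: 'javascript: URL' });
      }
    }
  }
  return findings;
}

// Constructed samples: one benign fragment, one using the features the talk lists
const BENIGN = '<form action="/search"><input type="text" name="q"><p class="hint">Type a query</p></form>';
const RISKY = [
  '<input type="text" oninput="track(this.value)">',
  '<button formaction="https://other.example/submit">Save</button>',
  '<svg viewBox="0 0 10 10"><script>doThing()</script></svg>',
  '<a href="javascript:void(0)">link</a>',
].join('\n');

console.log(findRiskyMarkup(BENIGN)); // []
console.log(findRiskyMarkup(RISKY));  // four findings
```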

Thanks!
Questions?