Transcript html5security

HTML 5 Security
Philadelphia OWASP
August, 2013
Copyright Justin C. Klein Keane
Announcements
●
●
●
OWASP App Sec USA is coming up in
November in NYC (http://appsecusa.org/2013/)!
Please register with the discount code
"Support_PHI" to support the chapter.
$50 cheaper if you're an OWASP member, and
individual membership only costs $50
(https://owasp.org/index.php/Individual_Member
) so join!
Copyright Justin C. Klein Keane
About HTML 5
●
●
●
●
New HTML standard
–
Like JavaScript, dependent on browser
implementation
–
Browser support varies
–
Remarkably, mobile tends to have more support
Designed to address persistent headaches of
web developers
Makes web applications much closer to native
applications
Spec available atCopyright
www.w3.org
Justin C. Klein Keane
Notable Features
●
●
Canvas element for dynamic drawing
Video and audio tags for embedding
multimedia without plugins
●
Local storage for offline web stores (cookie++)
●
Content specific tags
●
New form controls (calendar pop-ups, time
data types, e-mail validation, etc.)
Copyright Justin C. Klein Keane
Take Note
“Some features of HTML trade user convenience
for a measure of user privacy.”
“When HTML is used to create interactive sites,
care needs to be taken to avoid introducing
vulnerabilities through which attackers can
compromise the integrity of the site itself or of the
site's users.”
http://www.w3.org/html/wg/drafts/html/master/intro
duction.htm
Copyright Justin C. Klein Keane
Local Storage
●
Web storage
–
NoSQL key-value store, much like cookies
–
Simple and easy to use
Set and called via Javascript with localStorage
or sessionStorage
–
–
Session storage persists merely for the local
session (no persistence)
–
“A mostly arbitrary limit of five megabytes per
origin is suggested.”
Copyright Justin C. Klein Keane
Web SQL Database
●
Full transactional database
●
W3C no longer supports it for development
●
●
Not clear what development roadmap will look
like
Creates all the security risks of a SQL
database, but at the client
Copyright Justin C. Klein Keane
Security & Storage
●
SQL injection moves to the client!
●
Persistent XSS moves to the client
●
Offline stores may become a target of malware
●
Offline stores lead to new sources, and
volumes, of forensic evidence
●
Cross directory attacks
●
DNS spoofing could expose data store
●
http://dev.w3.org/html5/webstorage/#securitystorage
Copyright Justin C. Klein Keane
Filesystem API
●
Allows applications access to local filesystem
●
Useful for large files
–
●
Uploads, downloads, and usage
Creates all sorts of new security challenges:
–
Denial of service
–
Theft or erasure of private data (client side
malware)
–
Storing malicious executables client side
–
Storing dangerous or illegal files on a filesystem
surreptitiously Copyright Justin C. Klein Keane
Web Sockets
●
●
Answer to AJAX
Allows for synchronous connections between
the client and a remote server
●
Origin policies apply
●
ws:// and wss:// protocol identifiers
●
Uses port 80
●
Server validates client requests based on a
key
Copyright Justin C. Klein Keane
Security Implications of Web
Sockets
●
●
●
New DoS surface
Could make for interesting data exfiltration
route
No implicit security/validation
Copyright Justin C. Klein Keane
Vector Graphics
●
Allows for dynamic image generation in HTML
●
Great for scaling and responsive design
●
Eliminates much of the need for embedded
graphics
Copyright Justin C. Klein Keane
SVG Security Issues
●
●
Graphics defined in HTML
–
This leads to interesting new XSS attacks
–
Clickjacking just got easier
Potential for new client DoS or crash
Copyright Justin C. Klein Keane
Web Workers
●
“threads” for HTML in JavaScript
●
No DOM access
–
●
●
Can use AJAX and Web Sockets
Worker threads can send and receive
messages
SharedWorker allows multiple pages to use
the same worker
Copyright Justin C. Klein Keane
Web Worker Security
●
●
●
Multi-threading, what could possiblie go
wrong?
Workers may have access to sensitive data so
SharedWorkers must be scrutinized
New asynchronous model is bound to produce
confusion
Copyright Justin C. Klein Keane
New Security Model
●
Old same origin policy is relaxed (CORS)
●
Cross origin resource sharing redefines XSS
attack surface
Assumption: same origin == trust
●
In HTML 5 origin policy is more nuanced
–
●
●
document.domain can be used to reset to
remove subdomains
New challenges:
“Do not use the document.domain attribute when using
shared hosting. IfCopyright
an untrusted
third party is able to host
Justin C. Klein Keane
an HTTP server at the same IP address but on a
Content Security Policy
●
●
Content Security Policy (CSP) defined in
headers
Specify the source of trusted content
–
Content, font, frame, img, media, object, style
–
(http|https), none, self, unsafe-inline, unsafe-eval
●
Inline code is considered unsafe!
●
All CSS, JavaScript must be external (.js files)
●
No more injected XSS!!!
–
None of your existing apps will work :(
Copyright Justin C. Klein Keane
CSP Reporting
●
●
CSP can specify reporting
Allows browsers to report back to a specific
server URI when something is blocked
●
Protect - Detect – React
●
Can be set to report only for debugging
Copyright Justin C. Klein Keane
New Security Model
●
Sandbox flag
–
Effectively isolates origin
–
Prevents loading of plugins
–
Can force a unique origin
–
Can block form submission
–
And more...
Copyright Justin C. Klein Keane
New Complexities
●
●
●
Complexity brings new security challenges
Developers eager to implement features may
not understand security challenges
Testers may not be familiar with new features,
or security risks
●
Totally new security model at the browser level
●
Replacing 3rd party plugins may bring win
Copyright Justin C. Klein Keane
Other Security Issues
●
New dynamic attributes create new DOM
based XSS attacks
–
●
●
Formaction, oninput, onerror, onforminput, onformchange, etc.
Older security libraries may not recognize new
security threats
Greater capability and communications may
make the browser a target for malware
●
Fun new geolocation.GetCurrentPosition()
●
Use getUserMedia() to capture audio/video!
Copyright Justin C. Klein Keane
Credits
Special thanks to Mike Shema and Brad Hill for
their excellent research into this topic,
presentations, and book, which I relied upon
heavily for this material.
Copyright Justin C. Klein Keane