Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013.

Published byCamden Heaston Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013."— Presentation transcript:

1 Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013

2 Copyright Justin C. Klein Keane Announcements ● OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)! ● Please register with the discount code "Support_PHI" to support the chapter. ● $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member ) so join!

3 Copyright Justin C. Klein Keane About HTML 5 ● New HTML standard – Like JavaScript, dependent on browser implementation – Browser support varies – Remarkably, mobile tends to have more support ● Designed to address persistent headaches of web developers ● Makes web applications much closer to native applications ● Spec available at www.w3.org

4 Copyright Justin C. Klein Keane Notable Features ● Canvas element for dynamic drawing ● Video and audio tags for embedding multimedia without plugins ● Local storage for offline web stores (cookie++) ● Content specific tags ● New form controls (calendar pop-ups, time data types, e-mail validation, etc.)

5 Copyright Justin C. Klein Keane Take Note “Some features of HTML trade user convenience for a measure of user privacy.” “When HTML is used to create interactive sites, care needs to be taken to avoid introducing vulnerabilities through which attackers can compromise the integrity of the site itself or of the site's users.” http://www.w3.org/html/wg/drafts/html/master/intro duction.htm

6 Copyright Justin C. Klein Keane Local Storage ● Web storage – NoSQL key-value store, much like cookies – Simple and easy to use – Set and called via Javascript with localStorage or sessionStorage – Session storage persists merely for the local session (no persistence) – “A mostly arbitrary limit of five megabytes per origin is suggested.”

7 Copyright Justin C. Klein Keane Web SQL Database ● Full transactional database ● W3C no longer supports it for development ● Not clear what development roadmap will look like ● Creates all the security risks of a SQL database, but at the client

8 Copyright Justin C. Klein Keane Security & Storage ● SQL injection moves to the client! ● Persistent XSS moves to the client ● Offline stores may become a target of malware ● Offline stores lead to new sources, and volumes, of forensic evidence ● Cross directory attacks ● DNS spoofing could expose data store ● http://dev.w3.org/html5/webstorage/#security- storage

9 Copyright Justin C. Klein Keane Filesystem API ● Allows applications access to local filesystem ● Useful for large files – Uploads, downloads, and usage ● Creates all sorts of new security challenges: – Denial of service – Theft or erasure of private data (client side malware) – Storing malicious executables client side – Storing dangerous or illegal files on a filesystem surreptitiously

10 Copyright Justin C. Klein Keane Web Sockets ● Answer to AJAX ● Allows for synchronous connections between the client and a remote server ● Origin policies apply ● ws:// and wss:// protocol identifiers ● Uses port 80 ● Server validates client requests based on a key

11 Copyright Justin C. Klein Keane Security Implications of Web Sockets ● New DoS surface ● Could make for interesting data exfiltration route ● No implicit security/validation

12 Copyright Justin C. Klein Keane Vector Graphics ● Allows for dynamic image generation in HTML ● Great for scaling and responsive design ● Eliminates much of the need for embedded graphics

13 Copyright Justin C. Klein Keane SVG Security Issues ● Graphics defined in HTML – This leads to interesting new XSS attacks – Clickjacking just got easier ● Potential for new client DoS or crash

14 Copyright Justin C. Klein Keane Web Workers ● “threads” for HTML in JavaScript ● No DOM access – Can use AJAX and Web Sockets ● Worker threads can send and receive messages ● SharedWorker allows multiple pages to use the same worker

15 Copyright Justin C. Klein Keane Web Worker Security ● Multi-threading, what could possiblie go wrong? ● Workers may have access to sensitive data so SharedWorkers must be scrutinized ● New asynchronous model is bound to produce confusion

16 Copyright Justin C. Klein Keane New Security Model ● Old same origin policy is relaxed (CORS) – Cross origin resource sharing redefines XSS attack surface ● Assumption: same origin == trust ● In HTML 5 origin policy is more nuanced ● document.domain can be used to reset to remove subdomains ● New challenges: “Do not use the document.domain attribute when using shared hosting. If an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain attribute has been used.” http://www.w3.org/html/wg/drafts/html/master/browsers.ht ml#origin

17 Copyright Justin C. Klein Keane Content Security Policy ● Content Security Policy (CSP) defined in headers ● Specify the source of trusted content – Content, font, frame, img, media, object, style – (http|https), none, self, unsafe-inline, unsafe-eval ● Inline code is considered unsafe! ● All CSS, JavaScript must be external (.js files) ● No more injected XSS!!! – None of your existing apps will work :(

18 Copyright Justin C. Klein Keane CSP Reporting ● CSP can specify reporting ● Allows browsers to report back to a specific server URI when something is blocked ● Protect - Detect – React ● Can be set to report only for debugging

19 Copyright Justin C. Klein Keane New Security Model ● Sandbox flag – Effectively isolates origin – Prevents loading of plugins – Can force a unique origin – Can block form submission – And more...

20 Copyright Justin C. Klein Keane New Complexities ● Complexity brings new security challenges ● Developers eager to implement features may not understand security challenges ● Testers may not be familiar with new features, or security risks ● Totally new security model at the browser level ● Replacing 3 rd party plugins may bring win

21 Copyright Justin C. Klein Keane Other Security Issues ● New dynamic attributes create new DOM based XSS attacks – Formaction, oninput, onerror, onforminput, onformchange, etc. ● Older security libraries may not recognize new security threats ● Greater capability and communications may make the browser a target for malware ● Fun new geolocation.GetCurrentPosition() ● Use getUserMedia() to capture audio/video!

22 Copyright Justin C. Klein Keane Credits Special thanks to Mike Shema and Brad Hill for their excellent research into this topic, presentations, and book, which I relied upon heavily for this material.

Download ppt "Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Overview Environment for Internet database connectivity

Overview Environment for Internet database connectivity
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
HTML5 Security Realities Brad Hill, W3Conf: Practical standards for web professionals 21 -22 February 2013 San Francisco.

HTML5 Security Realities Brad Hill, W3Conf: Practical standards for web professionals February 2013 San Francisco.
What is HTML5…?. ”…removes the need for plugins” ”…can handle multimedia directly” ”…enables rich, interactive clients” ”…enables advanced visual designs”

What is HTML5…?. ”…removes the need for plugins” ”…can handle multimedia directly” ”…enables rich, interactive clients” ”…enables advanced visual designs”
HiveMind Distributed File Storage Using JavaScript Botnets Copyright 2013 Sean T. Malone.

HiveMind Distributed File Storage Using JavaScript Botnets Copyright 2013 Sean T. Malone.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
An Introduction Timmy Kokke | UNIT4 Internet Solutions | Expression Blend MVP / Webguy.

An Introduction Timmy Kokke | UNIT4 Internet Solutions | Expression Blend MVP / Webguy.
4.01 How Web Pages Work.

4.01 How Web Pages Work.
Introduction to HTML5 Programming donghao. HTML5 is the New HTML Standard New Elements, Attributes. Full CSS3 Support Video and Audio 2D/3D Graphics Local.

Introduction to HTML5 Programming donghao. HTML5 is the New HTML Standard New Elements, Attributes. Full CSS3 Support Video and Audio 2D/3D Graphics Local.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo.

AppSec USA 2014 Denver, Colorado Warning Ahead: Security Storms are Brewing in Your JavaScript Helen Bravo.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Similar presentations

Ads by Google