HTML 5 Security
Philadelphia OWASP, August 2013
Copyright Justin C. Klein Keane

Announcements
● OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)!
● Please register with the discount code "Support_PHI" to support the chapter.
● $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member), so join!

About HTML 5
● New HTML standard
– Like JavaScript, dependent on browser implementation
– Browser support varies
– Remarkably, mobile tends to have more support
● Designed to address persistent headaches of web developers
● Makes web applications much closer to native applications
● Spec available at www.w3.org

Notable Features
● Canvas element for dynamic drawing
● Video and audio tags for embedding multimedia without plugins
● Local storage for offline web stores (cookie++)
● Content specific tags
● New form controls (calendar pop-ups, time data types, e-mail validation, etc.)

Take Note
“Some features of HTML trade user convenience for a measure of user privacy.”
“When HTML is used to create interactive sites, care needs to be taken to avoid introducing vulnerabilities through which attackers can compromise the integrity of the site itself or of the site's users.”
http://www.w3.org/html/wg/drafts/html/master/introduction.htm

Local Storage
● Web storage
– NoSQL key-value store, much like cookies
– Simple and easy to use
– Set and called via JavaScript with localStorage or sessionStorage
– Session storage persists merely for the local session (no persistence)
– “A mostly arbitrary limit of five megabytes per origin is suggested.”
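The Local Storage slide above, and the "persistent XSS moves to the client" point on the storage security slide that follows, come down to one thing: a value read back from localStorage or sessionStorage is untrusted input, exactly like a request parameter. The example below is added here and is not from the slides or the author; Node.js has no window.localStorage, so a minimal in-memory stand-in with the same getItem/setItem API is constructed, and the planted value is a constructed sample.

```javascript
// Added example (not from the slides): a value planted in Web Storage becomes
// persistent, client-side XSS when rendered as markup, and is harmless when
// rendered as text. MemoryStorage is a constructed stand-in for
// window.localStorage so this runs offline under Node.js.

class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
  get length() { return this.map.size; }
}

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable renderer: whatever sits in storage is spliced in as markup
// (in a page this is the element.innerHTML = ... pattern).
function renderUnsafe(storage, key) {
  const value = storage.getItem(key) ?? '';
  return `<span class="greeting">Welcome back, ${value}</span>`;
}

// Hardened renderer: storage is treated as untrusted and escaped before it
// reaches an HTML context (in a page, element.textContent = ... does this).
function renderSafe(storage, key) {
  const value = storage.getItem(key) ?? '';
  return `<span class="greeting">Welcome back, ${escapeHtml(value)}</span>`;
}

// Crude detector for the demo: a script element, or a start tag carrying an
// on* event-handler attribute, in the produced markup.
function looksLikeActiveMarkup(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed scenario: an earlier injection wrote a tag with an event
// handler into the user's profile entry in storage.
const storage = new MemoryStorage();
storage.setItem('displayName', '<img src=x onerror="alert(1)">');

console.log('unsafe:', renderUnsafe(storage, 'displayName'));
console.log('safe:  ', renderSafe(storage, 'displayName'));
```

The lesson for a reviewer is that the storage layer is not the bug; the sink is. Any code path that moves a stored value into innerHTML, document.write, or an attribute without encoding turns a one-time injection into one that replays on every page load for that origin.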
Web SQL Database
● Full transactional database
● W3C no longer supports it for development
● Not clear what development roadmap will look like
● Creates all the security risks of a SQL database, but at the client

Security & Storage
● SQL injection moves to the client!
● Persistent XSS moves to the client
● Offline stores may become a target of malware
● Offline stores lead to new sources, and volumes, of forensic evidence
● Cross directory attacks
● DNS spoofing could expose data store
● http://dev.w3.org/html5/webstorage/#securitystorage

Filesystem API
● Allows applications access to local filesystem
● Useful for large files
– Uploads, downloads, and usage
● Creates all sorts of new security challenges:
– Denial of service
– Theft or erasure of private data (client side malware)
– Storing malicious executables client side
– Storing dangerous or illegal files on a filesystem surreptitiously

Web Sockets
● Answer to AJAX
● Allows for synchronous connections between the client and a remote server
● Origin policies apply
● ws:// and wss:// protocol identifiers
● Uses port 80
● Server validates client requests based on a key

Security Implications of Web Sockets
● New DoS surface
● Could make for interesting data exfiltration route
● No implicit security/validation

Vector Graphics
● Allows for dynamic image generation in HTML
● Great for scaling and responsive design
● Eliminates much of the need for embedded graphics

SVG Security Issues
● Graphics defined in HTML
– This leads to interesting new XSS attacks
– Clickjacking just got easier
● Potential for new client DoS or crash
Web Workers
● “Threads” for HTML in JavaScript
● No DOM access
– Can use AJAX and Web Sockets
● Worker threads can send and receive messages
● SharedWorker allows multiple pages to use the same worker

Web Worker Security
● Multi-threading, what could possibly go wrong?
● Workers may have access to sensitive data, so SharedWorkers must be scrutinized
● New asynchronous model is bound to produce confusion

New Security Model
● Old same origin policy is relaxed (CORS)
● Cross origin resource sharing redefines XSS attack surface
● Assumption: same origin == trust
● In HTML 5 origin policy is more nuanced
– document.domain can be used to reset to remove subdomains
● New challenges: “Do not use the document.domain attribute when using shared hosting. If an untrusted third party is able to host an HTTP server at the same IP address but on a

Content Security Policy
● Content Security Policy (CSP) defined in headers
● Specify the source of trusted content
– Content, font, frame, img, media, object, style
– (http|https), none, self, unsafe-inline, unsafe-eval
● Inline code is considered unsafe!
● All CSS, JavaScript must be external (.js files)
● No more injected XSS!!!
– None of your existing apps will work :(

CSP Reporting
● CSP can specify reporting
● Allows browsers to report back to a specific server URI when something is blocked
● Protect – Detect – React
● Can be set to report only for debugging

New Security Model
● Sandbox flag
– Effectively isolates origin
– Prevents loading of plugins
– Can force a unique origin
– Can block form submission
– And more...
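The Content Security Policy and CSP Reporting slides above describe the header, the source keywords, and the report-only mode for rolling a policy out against an app that still has inline script. The example below is added here and is not from the slides or the author. It builds the header value from a directive map, switches between enforcing and report-only, and summarises the JSON report a browser posts to report-uri. Directive names and keywords are the real CSP ones; the policy, the report endpoint path and the sample report are constructed for the demo.

```javascript
// Added example (not from the slides): building a Content-Security-Policy
// header and triaging the violation reports it produces. The report
// shape follows the report-uri JSON format ({"csp-report": {...}}).

// Serialise a directive map to a header value, e.g.
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] }
// -> "default-src 'self'; script-src 'self' https://cdn.example.com"
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Choose the header name: enforce, or report-only while debugging an
// existing app that still relies on inline code (the "none of your existing
// apps will work" problem on the slide).
function cspHeader(directives, { reportOnly = false } = {}) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value: buildCsp(directives) };
}

// Parse a JSON report posted by the browser and pull out the fields an
// analyst wants for triage.
function summariseReport(json) {
  const body = JSON.parse(json)['csp-report'];
  if (!body) throw new Error('not a CSP report');
  const directive = body['effective-directive'] || body['violated-directive'];
  const blocked = body['blocked-uri'] || '';
  return {
    page: body['document-uri'],
    directive,
    blocked,
    // blocked-uri of 'inline' or 'eval' (or empty in older browsers) is the
    // pattern most often behind injected script, so flag it for a closer look
    inlineOrEval: blocked === 'inline' || blocked === 'eval' || blocked === '',
  };
}

// Constructed policy matching the slides: nothing inline, content from our
// own origin only, plugins blocked, reports to an assumed /csp-report path.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'https:'],
  'object-src': ["'none'"],
  'report-uri': ['/csp-report'],
};

// Constructed sample: what a browser posts when an inline script is blocked.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example.com/profile',
    'referrer': '',
    'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src',
    'original-policy': buildCsp(POLICY),
    'blocked-uri': 'inline',
    'status-code': 200,
  },
});

console.log(cspHeader(POLICY));
console.log(cspHeader(POLICY, { reportOnly: true }).name);
console.log(summariseReport(SAMPLE_REPORT));
```

The report-only header is the "Detect" half of the slide's Protect, Detect, React loop: it generates the same reports without blocking anything, so you can find every inline script and third-party source the app depends on before switching to the enforcing header. Treat the report endpoint as untrusted input in its own right, since anyone can POST to it.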
New Complexities
● Complexity brings new security challenges
● Developers eager to implement features may not understand security challenges
● Testers may not be familiar with new features, or security risks
● Totally new security model at the browser level
● Replacing 3rd party plugins may bring win

Other Security Issues
● New dynamic attributes create new DOM based XSS attacks
– formaction, oninput, onerror, onforminput, onformchange, etc.
● Older security libraries may not recognize new security threats
● Greater capability and communications may make the browser a target for malware
● Fun new geolocation.getCurrentPosition()
● Use getUserMedia() to capture audio/video!

Credits
Special thanks to Mike Shema and Brad Hill for their excellent research into this topic, presentations, and book, which I relied upon heavily for this material.
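The Other Security Issues slide makes two linked points: HTML5 introduced attributes such as formaction and oninput, and older security libraries that filter on a fixed list of known-bad attributes do not know about them. The example below is added here and is not from the slides or the author. It contrasts a denylist filter with a per-tag allowlist over a handful of constructed tags; the tiny start-tag parser is written for the demo only, and a real sanitizer should be built on a proper HTML parser.

```javascript
// Added example (not from the slides): a legacy attribute denylist misses
// HTML5 additions such as formaction and oninput; a per-tag allowlist that
// rejects any on* attribute does not. parseStartTag is a constructed
// single-tag parser for the demo, not a general HTML parser.

// A legacy filter: block only the attributes its author knew about.
const LEGACY_DENYLIST = new Set(['onclick', 'onload', 'onmouseover', 'onerror', 'style']);

// A modern allowlist: only what the application actually needs, per tag.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
  button: new Set(['type', 'name', 'value', 'disabled']),
  input: new Set(['type', 'name', 'value', 'placeholder']),
};
const SAFE_URL = /^(https?:|mailto:|\/|#)/i; // acceptable href/src values

// Extract { name, attrs: [[name, value], ...] } from one start tag.
function parseStartTag(tag) {
  const m = /^<([a-z][a-z0-9]*)\s*([^>]*?)\s*\/?>$/i.exec(tag.trim());
  if (!m) return null;
  const attrs = [];
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    attrs.push([a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? '']);
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Denylist: reject only if an attribute name is on the list.
function legacyRejects(tag) {
  const t = parseStartTag(tag);
  return t === null || t.attrs.some(([n]) => LEGACY_DENYLIST.has(n));
}

// Allowlist: unknown tag, unknown attribute, any on* handler, or a
// non-http(s)/relative URL in href or src means reject.
function allowlistRejects(tag) {
  const t = parseStartTag(tag);
  if (t === null || !(t.name in ALLOWED_ATTRS)) return true;
  const allowed = ALLOWED_ATTRS[t.name];
  return t.attrs.some(([n, v]) =>
    n.startsWith('on')
    || !allowed.has(n)
    || ((n === 'href' || n === 'src') && !SAFE_URL.test(v)));
}

// Constructed samples: two HTML5-era attributes the denylist never heard
// of, and one benign tag that both filters should let through.
const SAMPLES = [
  '<button formaction="https://evil.example/">',
  '<input oninput="doSomething()">',
  '<img src="/logo.png" alt="logo">',
];
for (const s of SAMPLES) {
  console.log(s, '| legacy rejects:', legacyRejects(s), '| allowlist rejects:', allowlistRejects(s));
}
```

The denylist stays silent on both new attributes because it can only block what its author enumerated, and the spec keeps adding names. The allowlist needs no update for new attributes: anything it has not explicitly approved, including every future on* handler, is rejected by default.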