HTML5 Security, Nimrod Luria, Q.Rity

Get Started. It's Free
or sign up with your email address
Rocket clouds
HTML5 Security, Nimrod Luria, Q.Rity by Mind Map: HTML5 Security, Nimrod Luria, Q.Rity

1. Application security

1.1. Switching

1.1.1. from

1.1.1.1. Firewall

1.1.1.2. Anti-virus

1.1.1.3. SSL

1.1.2. to

1.1.2.1. Architecture

1.1.2.2. Code

1.2. From things that cover only what's known, to things that cover what's possible

2. Web attack vectors

2.1. See list in slides

3. Encryption

3.1. SSL not enough

3.1.1. not just in transport, but also in messages

3.1.2. Eg, Wireless provider can terminate SSL

4. Same origin/domain policy

4.1. HTML5 allows breaking this rule

4.2. facebook was hacked using HTML5 cross domain hack

4.3. there's a hack to override the function that returns the domain, in order to break it

5. Top attacks on Web2.0 apps

5.1. CSRF

5.2. XML poisoning

5.2.1. sends many childrens of some node, not limiting the number of children

5.3. RSS injection

5.4. Malicious AJAX code execution

5.5. HTTP request splitting

5.6. WSDL scanning & enumeration

5.7. RIA binary manipulation

6. Sometimes the only strategy is to confuse the enemy

6.1. because the logic is downloaded & exposed

6.2. eg

6.2.1. change signatures, fake requests &c

7. Threat focuses

7.1. 1

7.1.1. Drive-by download

7.1.1.1. eg

7.1.1.1.1. (spare) phishing

7.2. 2

7.2.1. Code obfuscation

7.2.1.1. hide the exploit vector

7.2.1.2. evasion of signature-based detection

7.3. 3

7.3.1. Compromised web sites

7.3.1.1. malicious code injected to hacked web sites

8. Mitigation techniques

8.1. Spoofing -> Authentication

8.1.1. Strong authentication - using something you have

8.1.1.1. vs something you know

8.2. Tempering -> Integrity

8.2.1. Sign transaction

8.3. ...

8.3.1. (see in slides)

9. Attacks

9.1. XSS

9.1.1. eg, send link by email that stills your cookie to some site

9.1.2. See in slides some 10 techniques of XSS

9.1.3. Defending

9.1.3.1. Do not

9.1.3.1.1. Don't trust user input

9.1.3.2. Do

9.1.3.2.1. Encoding

9.1.3.2.2. Use validation for each request

9.2. Common injection attacks

9.2.1. See list in slides

9.3. CSRF

9.3.1. Merged sessions

9.3.1.1. supported everywhere

9.3.1.2. means that if you have a very secured web site, & you open in another tab a new site that keeps its session active, then you hibernate the machine & opens it, the session of the secured site will still be active

9.3.2. to avoid

9.3.2.1. Use POST for side-effect operations

9.3.2.2. ...

9.3.2.2.1. (see slides)

9.4. Xpath injection

9.5. SQL injection - client side!

9.5.1. hack the local data, & then invoke server API's with manipulated data

9.5.1.1. send tweet from the account of Bill Gates

9.6. Providing file downloads

9.6.1. PDF links can execute javascript

9.6.1.1. http://.../example.pdf#something=javascript:alert('something')

9.6.2. Don't trust the client, always validate according to white list

9.7. Untitled

9.8. iframe sandbox

9.8.1. removes all limitation on the iframe source

9.8.2. avoid using iframes

9.9. HTML cache poisoning

9.9.1. Have sessions for long durations, during which the cached data can be stolen

9.9.2. Tool:

9.9.2.1. Imposter

9.10. SQL DB security

9.10.1. what should & shouldn't be stored on client-side

9.10.2. XSS can run sql injected code

9.10.2.1. use encoding

9.11. Network Reconnaissance

9.11.1. Cross domain XHR & WebSockets can be used in port scanning

9.11.1.1. search

9.11.1.1.1. HTML5 port scanner

9.12. HTML5 Botnets

9.12.1. HTML5 WebWorkers allows running bots attacking apps from trusted client machines

9.12.2. Botnets try to

9.12.2.1. Reach out to victims

9.12.2.1.1. Phishing

9.12.2.2. Extend execution lifetime

9.13. Distributed password cracking

9.13.1. Ravan

9.13.1.1. JavaScript based tool

10. Hacking Facebook using HTML5

10.1. hacked

10.1.1. touch.facebook.com

10.1.2. to which you connect when logging into facebook from mobile

10.2. they ran any URL after the hash, & execute it in AJAX

10.3. the attacker exploited this

10.3.1. there wasn't same domain protection

10.3.2. onError wasn't validated, so added:

10.3.2.1. onerror=$("..").appendChild(script...

10.4. See full code in slides

10.5. touch.facebook.com is trusted by facebook.com, so the hack enabled full access to any personal data in facebook

11. More resources

11.1. http://html5sec.org/

11.1.1. html5 security cheat sheet

11.2. many more in slides