HTML5: Something wicked this way comes
Krzysztof Kotowicz Securing OWASP [email protected]
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org About me • security researcher • HTML 5 • UI redressing / clickjacking • xss-track, squid-imposter, ... • pentester • IT security trainer • „Hacking HTML5”
OWASP 2 Plan • Same origin policy • Exploiting users • Attack gadgets • Wrap-up
OWASP 3 Same origin policy • the single most important security concept for the web • restricts communication between websites from different domains • has many flavors • without it hell breaks loose
OWASP 4 Same origin policy • can be relaxed though • crossdomain.xml • document.domain • HTML5 Cross Origin Resource Sharing • or ignored... • by exploiting users • UI redressing (clickjacking)
OWASP 5 Exploiting users Users • Like games • 100 mln play social games //goo.gl/RRWlM • Are not security-savvy
OWASP 6 Exploiting users
//goo.gl/DgPpY
OWASP 7 Combined attacks • Gadgets • HTML5 • UI redressing • Join them • New attacks
OWASP 8 Gadgets
OWASP 9 Basic clickjacking
OWASP 10 Basic clickjacking
20x20
OWASP 11 Basic clickjacking
-300
-350 20x20
OWASP 12 Basic clickjacking
20x20 Like us, plz!
OWASP 13 Basic clickjacking
OWASP 14 Basic clickjacking • Trick: Click here to see a video! • User action: click
+ Any clickable action + Works in every browser - X-Frame-Option - JS framebusting
OWASP 15 HTML5 IFRAME sandbox • Used to embed untrusted content • prevents XSS • prevents defacement • Facilitates clickjacking!
//html5sec.org/#122
OWASP 16 HTML5 IFRAME sandbox
+ Chrome / Safari / IE 10 + Will disable most JS framebusters - X-Frame-Option
OWASP 17 Cross Origin Resource Sharing • HTML5-ish • Cross domain AJAX • With cookies • Blind • Unless the receiving site agrees • Not limited to