erosjelly | Security

23 Feb 2014 (3 years and 1 month ago)

HTML5: Risky Business or Hidden Security Tool Chest

Johannes B. Ullrich, Ph.D.

jullrich@sans.edu

About Me

Hosted by OWASP & the NYC Chapter


Dean of Research,

SANS Technology Institute


Living in Jacksonville FL

(aka Southern GA)


SANS Internet Storm Center

https://isc.sans.edu


Created DShield.org


Instructor for SANS


Past: Physicist, Web Developer


What is HTML5


Collection of JavaScript APIs supported by some modern browsers in some ways, and sometimes they even work.


Features to enable modern desktop-like applications and support mobile devices


5th revision of the HTML standard

What is this talk about?


Ideas to improve security by using HTML5
responsibly


What are some of the security challenges that
HTML5 addresses well (or doesn’t)


What are some of the limitations we have to
consider

Authentication


Exclusive vs. Inclusive Authentication Methods:


Inclusive: proves the identity of the user


Exclusive: disproves the identity of the user

What the Factor?

Segue: Multi-Factor Authentication


Single Factor: Password


Two Factor: Password AND (Token|Biometric)


1 ½ Factor: Password and Cookie


½ Factor: Password OR (Token|Biometric)

HTML5 Components


Local Storage / Session Storage


Canvas


Geolocation


Media Capture


Notifications


Accelerometer


Encryption

Local and Session Storage


New JavaScript API to store data on client


Protected by “same origin”


Local Storage:


No defined expiration


Accessible by all browser windows


Session Storage:


Expires when the window is closed


Scope limited to current window

Local Storage: Persistent Cookie


Alternative to Flash cookie for “1 ½ Factor”
login


Part of an “Evercookie”


Can be used for good (additional
authentication) or evil (more user tracking)


Exposed to XSS attacks


Similar to cookies in scope and security

Session Storage: Identifying Users


Can be used to store session token


Breaks CSRF (good!)


User is logged out when they close the
browser window (not entire browser)


Multiple users can use the same browser (is
this a good thing?)


Easier log out, more secure session tracking,
can be used alongside cookies.

Risks


Risks:

Storing too much data on the client!

Can’t enforce “secure” transmission over SSL

Can’t protect from JavaScript/XSS (no httponly)


Examples:


Storing confidential data on mobile devices


Pushing data to the client that the client is not authorized to see.



Can I use it?

http://caniuse.com/#feat=namevalue-storage

Canvas


Allows drawing in the browser


Interactive image applications


Can be used for graphical login schemes


CAPTCHAs


Pattern based login


Image Login


Display image, user identifies features


Done in Windows 8/RT for mobile login (“Pattern Login”, “Picture Password”)


Image: Microsoft

“Connect the Dots”


Implemented in Android


Good user acceptance for mobile login


No good studies yet as to how users select
patterns

Image: Extremetech.com

Demo


Demo: “Connect the Dots” for the web


http://authonthemove.com


See Github for code repository

Can I use it?

http://caniuse.com/#feat=canvas

Geolocation


JavaScript API provides access to the device’s built-in sensors, like GPS


Can be very accurate


Can also be spoofed easily


Image: Mozilla.org

Geolocation for Authentication


Only useful on mobile devices


Can be used to exclude users, but not to
replace traditional authentication


Observe sudden changes in location


Combine with careful browser fingerprinting
techniques
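The "observe sudden changes in location" idea from this slide carried through as an added example (not code from the talk). It assumes position objects in the shape navigator.geolocation.getCurrentPosition returns (coords.latitude, coords.longitude, coords.accuracy, timestamp) and a constructed ceiling of 900 km/h for plausible travel; because the reported position can be spoofed, the outcome is only ever "allow" or "step-up", never a replacement for the password.

```javascript
// Added example (not from the talk): geolocation used as an
// *exclusive* signal. The position reported at this login is compared
// with the one recorded at the previous login; an impossible implied
// travel speed means one of the two fixes is wrong or spoofed, so the
// login is routed to step-up authentication rather than accepted on
// location alone.
const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_KMH = 900;     // assumed ceiling: roughly airliner speed

function toRadians(deg) { return (deg * Math.PI) / 180; }

// Great-circle distance (haversine formula) between two coordinates.
function distanceKm(a, b) {
  const dLat = toRadians(b.latitude - a.latitude);
  const dLon = toRadians(b.longitude - a.longitude);
  const h = Math.sin(dLat / 2) ** 2 +
            Math.cos(toRadians(a.latitude)) * Math.cos(toRadians(b.latitude)) *
            Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.atan2(Math.sqrt(h), Math.sqrt(1 - h));
}

// Speed in km/h needed to get from the previous fix to the new one.
// Timestamps are milliseconds since the epoch, as in Position.timestamp.
function impliedSpeedKmh(prev, next) {
  const hours = (next.timestamp - prev.timestamp) / 3600000;
  if (hours <= 0) return Infinity;   // same instant or clock skew: treat as impossible
  return distanceKm(prev.coords, next.coords) / hours;
}

// Decision for the login flow. A very coarse fix (accuracy in metres)
// is not trusted enough to exclude anyone.
function assessLogin(prev, next, maxKmh = MAX_PLAUSIBLE_KMH) {
  if (!prev) return { action: 'allow', reason: 'no previous location on record' };
  if (next.coords.accuracy > 50000) return { action: 'allow', reason: 'fix too coarse to judge' };
  const speed = impliedSpeedKmh(prev, next);
  const reason = `implied travel speed ${Math.round(speed)} km/h`;
  return speed > maxKmh ? { action: 'step-up', reason } : { action: 'allow', reason };
}
```

Combining this with browser fingerprinting, as the slide suggests, means the "previous location" record would be keyed by user and device rather than by user alone, which removes false positives from a user who legitimately logs in from two devices in two cities.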

Can I use it?

Media Capture


aka getUserMedia/Stream API


Limited support (Chrome, Firefox, Blackberry)


Some potential for biometrics:


Face recognition


Hand signals / gestures


Fingerprint?


Implementations


Face recognition libraries:


http://neave.github.io/face-detection/


Difficulties


Hard to acquire sufficient detail


So far, in particular on mobile devices, more of a gimmick than a serious authentication feature


Possibility to use “finger print”, but current
cameras not sufficient to acquire image

Can I use it?

http://caniuse.com/#feat=stream

Accelerometer


Only useful for mobile devices


Move the phone in a pattern to authenticate


Detect step/walking pattern


Detect if user/phone is at rest or on the move


Can be spoofed (but not readily)


Not easy to reproduce


Adding sensors like compass may help.

Can I use it?

http://caniuse.com/#feat=deviceorientation

Notifications


Popup Notifications sent by the server to
notify the user


Initiated by server


Local Notifications: Require browser to be open,
widely supported


Push Notifications: Safari Only

Bad stuff happened!


Notify the user of security relevant events:


“Someone is trying to log in as you”


User needs to accept notifications


Notifications not 100% reliable


Not “out of band” (can be faked, intercepted)


Safari Notifications may be useful for one-time passwords (OTP)

Can I use it?

http://caniuse.com/#feat=notifications

Encryption


Client side encryption


Allows encryption of specific sensitive fields
(e.g. payment data, passwords)


Intermediate services (proxies, web services)
don’t need to know the information


Upcoming: CryptoAPI (June 2013)

http://www.w3.org/TR/WebCryptoAPI/


Until then: https://www.pidder.de/pidcrypt/

Client side password hashing


Server sends random “nonce” as part of login
form.


Client calculates hash from password/nonce


Passes hash to server


Server verifies hash


Advantage: Server never gets to know the
“real” password.

Signup


User enters password


Client hashes password


Password hash transmitted to server


Salt: Username? Provided by server?


Changing password: Same procedure, salt may
change.

Summary


Lots of cool and useful tools in HTML5


Use them as appropriate


“HTML5” itself isn’t the risk. Bad coding is the
risk


Understand privacy issues


Understand user behavior


Share your code and experiences (OWASP!!)

Thanks!

Questions?

jullrich@sans.edu

http://authonthemove.com

http://isc.sans.edu

Daily Updates * Daily Podcast * Live Data Feeds