Agenda
Introduction to HTML5
Introduction to hackers world
Client side storages
Offline web application
Same origin policy
Cross origin resource sharing
Introduction – HTML5
Hypertext Markup Language version 5
Session storage
IndexedDB
Web SQL
Local storage:
http://victim-site.com:2000/html5/cart/web_html5.php
Session storage
http://victim-site.com:2000/html5/cart/web_html5_session.php
SQL Storage – Indexed DB
IndexedDB
API for client-side storage
Object oriented
Store and retrieve objects which are indexed with a 'key'
Used for high performance searches
No limits on a single database item's size
SQL Storage – Web SQL
Standard SQL
// literal values inline; the empty array is the list of positional parameters
tx.executeSql('INSERT INTO table (id, text, comment) VALUES (1, "xxx", "yyyy")', []);
http://victim-site.com:2000/html5/tweet_reader/
http://victim-site.com:2000/html5/offline_blog/
Offline Web Application
A web application can send information to the client about which files are needed for working offline
Attack vectors:
Physical access
Malicious JavaScript
Using HTTP (unencrypted) protocol
Using Cross Site Scripting (XSS) attack
Client Side Storage
Should not store sensitive data
PII [Personally Identifiable Information]
Passwords
Health
Keys
IFRAME
<iframe src="//another.com/home.htm"></iframe>
Opaque block
You have no control over its content or style
JSONP
<script src="//another.com/data.js?callback=run"></script>
You run the script from another domain on your site!
It is not a natural way to share data.
Cross Origin Resource Sharing
Until now it wasn't possible to read pages from another site, because of the SOP restriction
Same Origin Policy
http://online.attacker-site.com/html5/CORS/HTML5_Denial_of_Service_Tester.htm
Mitigation
Exit early if the origin hasn't got permission (PHP):
if (!isset($_SERVER['HTTP_ORIGIN'])) {
    exit;  // no Origin header: not a cross-origin request we answer
}
if ($_SERVER['HTTP_ORIGIN'] != 'http://trusted.site') {
    exit;  // untrusted origin: send no CORS headers at all
}
header('Access-Control-Allow-Origin: http://trusted.site');
ASP equivalent of the header; the wildcard value shown here is the "Universal Allow" the next slides warn against:
<% Response.AddHeader("Access-Control-Allow-Origin","*") %>
Cross Origin Resource Sharing
Universal Allow
◦ Any site can read your site.
◦ Data that should be accessible only from a customer's IP address
◦ Internal websites
◦ Dev version
Cross Origin Resource Sharing
Do not use the wildcard (*):
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type
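The mitigation slide above exits early unless the Origin header is trusted, and this slide says never to use the wildcard. The following is an added example (not code from the original slides), written for Node.js, that applies both rules with an exact-match allow-list; the second trusted origin and the sample Origin values are constructed for the demo.

```javascript
// Added example (not from the original slides): an origin allow-list check
// for CORS responses, written for Node.js. It applies the slides' mitigation
// (exit early unless the Origin header is trusted) and never answers with
// "*" or by echoing the caller's Origin back. The second trusted origin and
// the sample Origin values below are constructed for the demo.
const TRUSTED_ORIGINS = new Set([
  'http://trusted.site',        // the origin used on the slides
  'https://app.example.org',    // assumed second trusted origin
]);

// Normalise an Origin header value to scheme://host[:port]. Returns null for
// anything that is not a bare origin, e.g. "null", a URL with a path, or junk.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '') return null;
  return url.origin;            // lower-cases the host, drops default ports
}

// Returns the CORS headers to send, or null when the request must be refused
// (the "exit early" branch on the slide). A request without an Origin header
// is same-origin or non-browser traffic: no CORS headers, but no refusal.
function corsHeadersFor(originHeader) {
  if (originHeader === undefined) return {};
  const origin = normalizeOrigin(originHeader);
  if (origin === null || !TRUSTED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,  // the exact trusted value, never "*"
    'Vary': 'Origin',                       // shared caches must key on Origin
  };
}

// Constructed Origin values: why exact matching matters (substring or prefix
// checks would accept the lookalikes).
const SAMPLES = [
  'http://trusted.site',                    // allowed
  'http://TRUSTED.site:80',                 // allowed after normalisation
  'http://trusted.site.attacker.example',   // lookalike: refused
  'http://attacker.example/?u=http://trusted.site', // not a bare origin: refused
  'null',                                   // sandboxed/opaque origin: refused
];
for (const o of SAMPLES) {
  console.log(o, '=>', JSON.stringify(corsHeadersFor(o)));
}
```

A refused request (null result) should get a response without any Access-Control-* headers, which is what the browser then blocks on the caller's side.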
Summary
HTML5 adds features that allow new browser capabilities.
In this presentation we have demonstrated innovative ways for attackers to exploit and utilize these capabilities for malicious purposes.
Perform input validation and output encoding on the client side as well
Use relevant headers to protect against attacks