# Security


bit.ly/HTML5Sec
Interactive version of the presentation!

![tools](images/johannes.png)

### [JohannesHoppe.de](http://www.johanneshoppe.de/)


# Goal

Show attack vectors. Discuss strategies. Nothing more!

# Features

New attack vectors ![tools](images/icon_tool.png)
## A form

Source: `examples/formaction/clean.html`
## Formaction

Source: `examples/formaction/index.html`
## SVG

Presto, WebKit, Gecko and even Trident 9

Source: `examples/svg/smilie.svg`

## SVG can contain JavaScript!

Source: `examples/svg/sad_smilie.svg`

## Business as usual

HTML5 is no worse than HTML 4 either
[» http://html5sec.org](http://html5sec.org)
# XSS

Injected JavaScript code ![tools](images/icon_bug.png)

## Oldies but Goldies

`index.html?message=Daten gespeichert`

`index.html?message=<script>alert('XSS')</script>`

Source: `examples/XSS-DOM-based/index.html`
## Eval everywhere

Eval is evil

Sources: `examples/new-xss-vectors/onfocus.html`, `examples/new-xss-vectors/onerror.html`, `examples/new-xss-vectors/onforminput.html`

» Demo [1](examples/new-xss-vectors/onfocus.html) [2](examples/new-xss-vectors/onerror.html) [3](examples/new-xss-vectors/onforminput.html)

# OWASP

#### Open Web Application Security Project

XSS Filter Evasion Cheat Sheet

Source: `examples/unicode-xss/index.html`

[» Old IE Demo](examples/unicode-xss/index.html)
## Preventing XSS

# 1. Dynamic data should never be used here

Source: `examples/xss-rules/1.html`
# 2. HTML escape dynamic data

Source: `examples/xss-rules/2.html`

| Character | Escaped as |
|-----------|------------|
| `&` | `&amp;` |
| `<` | `&lt;` |
| `>` | `&gt;` |
| `"` | `&quot;` |
| `'` | `&apos;` / `&#39;` |
## Testing?

Source: `examples/jasmine-demo/saveFormat.js`

## Testing!

Source: `examples/jasmine-demo/saveFormat.spec.js`

## Test

[» Demo](examples/jasmine-demo/SpecRunner.html)

## Wait a moment...

Source: `examples/jasmine-demo2/saveFormat.spec.js`

## Testing it right!

[» Demo](examples/jasmine-demo2/SpecRunner.html)
# 3. Attribute escape dynamic data

Source: `examples/xss-rules/3.html`

| Characters | Treatment |
|------------|-----------|
| `a-z A-Z 0-9` | immune (left as is) |
| `, . - _` | immune (left as is) |
| everything else | `&#xHH;` |
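The following is an added example, not code from the slides: it implements rule 2 (HTML escaping) and rule 3 (attribute escaping) from the tables above and applies both to the `message` parameter of the `index.html?message=...` demo. The function names `escapeHtml`, `escapeAttribute` and `renderMessage` are assumptions of this example.

```javascript
// Added example (not code from the slides): the two escaping rules applied
// to the message parameter of the index.html?message=... demo. Function
// names escapeHtml, escapeAttribute and renderMessage are assumptions.

// Rule 2: HTML-escape dynamic data that lands in element content.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Rule 3: attribute-escape dynamic data that lands in an attribute value.
// a-z A-Z 0-9 and , . - _ pass through; every other code point becomes &#xHH;
// (two or more hex digits), so a quote or a space can never end the attribute.
function escapeAttribute(input) {
  let out = "";
  for (const ch of String(input)) {
    if (/^[a-zA-Z0-9,.\-_]$/.test(ch)) {
      out += ch;
    } else {
      const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(2, "0");
      out += "&#x" + hex + ";";
    }
  }
  return out;
}

// Build the message box from the page's query string. The same untrusted
// value appears in two contexts and gets the escaping of each context.
function renderMessage(queryString) {
  const params = new URLSearchParams(queryString);
  const message = params.get("message") || "";
  return (
    '<div class="message" title="' + escapeAttribute(message) + '">' +
    escapeHtml(message) +
    "</div>"
  );
}
```

Rule 4 follows directly from this: the HTML parser consumes the markup before any script runs, so escaping must be done for the context the value is written into, and JavaScript string escaping is no substitute.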
# 4. DO NOT JavaScript escape dynamic data

- The HTML parser runs before the JavaScript parser!
- You are doing it wrong

## This is everyday practice

UserList.cshtml / Kendo UI Template

Source: `examples/xss-rules/4.html`

# ?

Obviously something is fundamentally wrong with the way data is handled!
# Storage ![tools](images/icon_storage.png)
## No matter whether

- cookies
- Session Storage
- Local Storage
- WebSQL

the data is not trustworthy!

Resident XSS

really nasty!

Confidential information belongs in the SERVER session!

Prefer Session Storage!
## WebSQL

SQL Injection:

```javascript
executeSql("SELECT foo FROM bar WHERE value=" + value);
```

Prepared Statement:

```javascript
executeSql("SELECT foo FROM bar WHERE value=?", [value]);
```
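An added example, not code from the slides, showing how to enforce the prepared-statement form around WebSQL's `tx.executeSql(sql, args, onSuccess, onError)`: the SQL text must be a constant with one `?` per bound value, so an untrusted value always stays data. The helper names (`countPlaceholders`, `prepare`, `renderBound`, `safeExecuteSql`, `fakeTransaction`) and the fake transaction object are assumptions constructed so the code runs without a browser.

```javascript
// Added example, not code from the slides. A guard around WebSQL's
// tx.executeSql that forces the prepared-statement form. Names of the
// helpers and the fake transaction are constructed for this example.

// Count "?" placeholders, ignoring any "?" inside single-quoted SQL literals.
function countPlaceholders(sql) {
  let count = 0;
  let inString = false;
  for (const ch of sql) {
    if (ch === "'") inString = !inString; // a doubled '' toggles twice, net no change
    else if (ch === "?" && !inString) count += 1;
  }
  return count;
}

// Validate the (sql, args) pair before it reaches the engine.
function prepare(sql, args) {
  if (!Array.isArray(args)) throw new TypeError("args must be an array");
  const expected = countPlaceholders(sql);
  if (expected !== args.length) {
    throw new RangeError(`statement has ${expected} placeholder(s) but ${args.length} value(s) were given`);
  }
  for (const v of args) {
    const t = typeof v;
    if (v !== null && t !== "string" && t !== "number" && t !== "boolean") {
      throw new TypeError("bind values must be primitives");
    }
  }
  return { sql, args };
}

// For logging only: show how the engine binds each value as a literal
// (strings quoted, embedded quotes doubled). Never execute this string.
function renderBound(sql, args) {
  let i = 0;
  let out = "";
  let inString = false;
  for (const ch of sql) {
    if (ch === "'") { inString = !inString; out += ch; }
    else if (ch === "?" && !inString) {
      const v = args[i++];
      out += v === null ? "NULL"
           : typeof v === "string" ? "'" + v.replace(/'/g, "''") + "'"
           : String(v);
    } else out += ch;
  }
  return out;
}

// Run through a WebSQL-style transaction: tx.executeSql(sql, args, onOk, onErr).
function safeExecuteSql(tx, sql, args) {
  const stmt = prepare(sql, args);
  return new Promise((resolve, reject) => {
    tx.executeSql(stmt.sql, stmt.args,
      (_tx, resultSet) => resolve(resultSet),
      (_tx, err) => { reject(err); return true; }); // true = roll back the transaction
  });
}

// Constructed stand-in for a WebSQL transaction so the example runs in Node.
function fakeTransaction() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args, onOk) {
      calls.push({ sql, args });
      onOk(this, { rows: { length: 0 } });
    },
  };
}
```

The check in `prepare` cannot detect a value that was already concatenated into the SQL text; it only makes the correct form cheap to use and the argument count mismatch loud, which is where most accidental concatenation shows up.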
## Communication ![tools](images/icon_communication.png)

## Mashups!

Source: `examples/jsonp/loadTweets.js`

JSON

```json
{"hello": "world"}
```

JSON with Padding

Source: `examples/jsonp/jsonp_by_hand.html`

```javascript
foo({"hello": "world"});
```

[» Demo](examples/jsonp/jsonp_by_hand.html)

![tools](images/codingHorror.png)

## JSONP
## SOP

Same origin policy → necessity is the mother of invention (JSONP)

CORS

Cross-Origin Resource Sharing → `Access-Control-Allow-Origin: *`

WebSockets

do what you want
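As an added example (not from the slides), the defensive counterpart to answering every request with `Access-Control-Allow-Origin: *`: the server echoes only an allowlisted origin, marks the response as varying by origin, and permits credentials only with a concrete origin. The origins, the `corsHeadersFor`, `publicCorsHeaders` and `applyCors` names, and the `req`/`res` shapes are assumptions constructed for this example.

```javascript
// Added example, not from the slides. CORS headers from an explicit
// allowlist instead of "Access-Control-Allow-Origin: *". Origins and
// function names are constructed for this example.

// Exact origins (scheme + host + port). Never match with a substring or a
// loose regex: "https://app.example.test.attacker.invalid" must not pass.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.test",
  "https://admin.example.test",
]);

// Headers for a response that may carry session data (cookies, auth headers).
function corsHeadersFor(requestOrigin, options = {}) {
  const { allowed = ALLOWED_ORIGINS, credentials = false, methods = ["GET", "POST"] } = options;
  const headers = {};
  // No Origin header: same-origin request or non-browser client; CORS does not apply.
  if (!requestOrigin) return headers;
  // Unknown origin: send no CORS headers and the browser blocks the response.
  if (!allowed.has(requestOrigin)) return headers;
  // Echo only an allowlisted origin, and tell caches the answer depends on it.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Vary"] = "Origin";
  headers["Access-Control-Allow-Methods"] = methods.join(", ");
  // Credentials are only allowed with a concrete origin; browsers reject "*" here.
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// "*" is acceptable only for public, credential-free data (the kind of feed
// the JSONP mashup above fetches).
function publicCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Middleware-style helper for Node's http module: sets the headers and answers
// the OPTIONS preflight itself. req/res follow the IncomingMessage/ServerResponse shape.
function applyCors(req, res, options) {
  const headers = corsHeadersFor(req.headers.origin, options);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === "OPTIONS") {
    res.statusCode = headers["Access-Control-Allow-Origin"] ? 204 : 403;
    res.end();
    return true; // preflight handled, do not run the route
  }
  return false;
}
```

In a real server `applyCors(req, res, { credentials: true })` is called at the top of the request handler; when it returns `true` the handler returns without touching the route.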
![Attack & Defense Labs](images/attack_and_defense_labs.png) [JS-Recon](http://www.andlabs.org/tools/jsrecon/jsrecon.html) [Shell of the Future](http://blog.andlabs.org/2010/07/shell-of-future-reverse-web-shell.html)
[![JS-RECON](images/js-recon.png)](http://www.andlabs.org/tools/jsrecon.html)
## Intranet == Internet ![Internet](images/icon_file.png)
# Thanks! ![QR-Code http://bit.ly/slides_dwx](images/bit.ly__slides_dwx.png) [blog.johanneshoppe.de](http://blog.johanneshoppe.de/2013/06/dwx-developer-week/)
[![Article](images/hakin9.png)](http://blog.johanneshoppe.de/wp-content/uploads/2012/09/Sicherheit-von-Web-Anwendungen.pdf) [» Sicherheit von Web-Anwendungen (Security of Web Applications)](http://blog.johanneshoppe.de/wp-content/uploads/2012/09/Sicherheit-von-Web-Anwendungen.pdf)

Created by Johannes Hoppe