W3 conf hill-html5-security-realities

HTML5 Security Realities

Brad Hill, PayPal
bhill@paypal-inc.com @hillbrad

W3Conf: Practical standards for web professionals
21 -22 February 2013
San Francisco

“The reason that the Web browser is
the principal entry point for
malware is the number of choices
that a browser offers up to
whomever is at the other end.
Evolving technologies like
HTML5 promise to make this
significantly worse.” – Dan Geer

In the next 30 minutes:
• Show you real code using new standards to:
– Solve Script Injection Vulnerabilities
– Build Secure Mashups

• HTML5 is a big step forward in security for the
Web platform

Script Injection, also known as Cross-Site
Scripting or XSS, is the most common Web
Application vulnerability.

In 2007, WhiteHat estimated that 90% of
sites were vulnerable.

XSS in a nutshell:

If somebody else’s code gets to
run in your WebApp, it’s not your
WebApp anymore.

+ Same-Origin Policy = XSS
anywhere on your domain is XSS
everywhere on your domain.

Current defenses:
• Input filtering
– Strip dangerous characters and tags from user data

• Output encoding
– Encode user data so it isn’t treated as markup

“HTML5 broke my XSS filter!”

YES.

html5sec.org lists a dozen new XSS vectors
in new tags and attributes in HTML5.

But your filter was already broken.

</a/style='-=a\b expr65
ss/*
&#x2a/ion(URL='javascript:&#
x25;5cu00
64ocum%5cu0064oc
um%5cu0065nt.writ&
#x25;5cu0065(1)' )'>

1;--
<?f><x:!μ!:x/style=`b\65h
0061vior:url(#def&#x61ult#time
2)';'`/onbegin=&#x5b�=u00&#
054;1le&#114t&#40&#x31)&#x5
d&#x2f/&#xy,z>

W3 conf hill-html5-security-realities

XSS Filters Were Doomed
Filters are a server-side attempt to simulate the
client-side parser and execution environment.
But…
• Every browser parser operated differently
• The algorithms were secret
• Every browser had proprietary features, tags
and syntax
• Accepting bad markup was a feature

Generously coercing a shambling
mound of line noise into an
application is no longer a competitive
feature.

By standardizing the technology for
building Rich Web Applications,
HTML5 began a fundamental shift in
the security posture of the Web as a
platform.

Proprietary platforms compete for
developers by offering features.

Open platform implementers
compete for users by offering
quality.

And now,

BACK TO SOLVING SCRIPT INJECTION

New and Better Anti-XSS Approaches
Even if we now have some hope of simulating
the browser parser for HTML5…

Not easy, definitely not future-proof.
Misses client-only data flows.

Why not get help from the client?

Content Security Policy

25 6.0 6.0 6.0 10
X-Content-Security-Policy X-WebKit-CSP (sandbox only)

HTTP header to enforce, in the client, a least-
privilege environment for script and other
content.

Content-Security-Policy:
default-src 'self';
object-src 'none';
img-src https://uploads.example-board.net
https://cdn.example-board.com
data:;
script-src https://code.example-board.net
https://www.google-analytics.com;
frame-src *.youtube.com;
report-uri https://www.example-
board.net/cspViolations.xyz

Content Security Policy 1.0
default-src Everything
script-src Scripts
object-src Plugins
style-src CSS
img-src Images
media-src Audio + Video
frame-src Frame content
font-src Fonts
connect-src Script-loaded content (e.g. XHR)
sandbox Same as HTML5 iframe sandbox
reporturi Violation reporting

The catch…
• CSP enforces code / data separation

• This means:
NO inline script or css
NO eval, even in libraries

(can be disabled, but sacrifices many of the
benefits of CSP)

function doSomething ()…

Document.addEventListener(‘DOMContentLoader',
function() { for var b in
document.querySelectorAll('.clickme‘))
e.addEventListener('click', doSomething); });


<script src="myPageScript.js"></script>
<button class="clickme">Click Here!</button>

Coming soon in CSP 1.1
• Whitelisting of inline scripts and CSS

• More granular origins
• Better control of plugins and media types
• Control and reporting for reflected XSS filters
• META tag support

https://dvcs.w3.org/hg/content-security-
policy/raw-file/tip/csp-specification.dev.html

Templating

Templating is one of the oldest and most widely
used Web application construction patterns.

But it is a hive of XSS villainy because it has
never been a first-class feature in the client.

HTML Templates
New spec in progress in the WebApps WG:
https://dvcs.w3.org/hg/webcomponents/raw-
file/tip/spec/templates/index.html

Declare templates as first-class client-side
objects for increased performance, reduced XSS
risk.

With CSP and a careful application
architecture XSS can be solved today.

In the near future it will be possible
using more familiar and better
performing idioms.

Secure
Mashups
“HTML5 and CORS give new
ways to bypass the Same-Origin
Policy!”

A “mashup” incorporates content from
multiple origins under different
administrative control.

Today, more apps than not are
authenticated mashups: ads, analytics,
federated login

How did we do this before HTML5?

Flash, with crossdomain.xml
<?xml version="1.0"?>
<!--https://www.foo.com/crossdomain.xml--
>
<cross-domain-policy>
<allow-access-from
domain=“www.example-analytics.com"/>
</cross-domain-policy>

Jan’s Rule:

“Give someone an ACL, and
they’ll put in a *.”

A “*” in your master crossdomain.xml policy means your
users’ information is vulnerable to any malicious SWF,
anywhere on the Web

I can’t use Flash on iOS anyway…

What about HTML-only methods?

AKA – “JSONP”
• “JSON with padding”
<script src=“example.com/jsonp?callback=foo”>

• Returns JSON data “padded” with a call to the
function you specified.

• You hope…it’s still script!

This pattern injects somebody
else’s code into your
application.

Remember what the definition
of XSS was?

We can
build it better.
We have the
technology.

Cross-Origin Resource Sharing (CORS)

22 5.1 3.2 15 15 2.1 10 7

Voluntarily relax the Same-Origin Policy with an
HTTP header to allow permissioned sharing on a
resource-by-resource basis

Access-Control-Allow-Credentials: true

Access-Control-Allow-Origin: someorigin.com

CORS Client Example
var xhr = new XMLHttpRequest();
xhr.open(method, xDomainUrl, true);
xhr.withCredentials = true;

xhr.onload = function() {
var responseText = xhr.responseText;
validatedResponse = validate(responseText); };

xhr.onerror = function() {
console.log('There was an error!'); };

xhr.send();

The difference:

Script src gives you code you
have no choice but to TRUST

CORS gives you data you can
VERIFY

What about the * in CORS?
* cannot be used for a resource that supports
credentials.

* in Access-Control-Allow-Origin gives other origins
only the same view they already have from their own
server.

Access-Control-Allow-Origin: *
is actually one of the safest ways to use CORS!

What if you need data from somebody
who doesn’t publish a CORS API?

sandboxed iframes

23 5.1 4.2 15 2.1 10 7

and

postMessage

23 5.1 4.2 16 12.1 2.1 8 7

trusted.mydomain.com/foo.html

<iframe sandbox=“allow-scripts”
src=“integration.mydomain.com/wrapLogin.html
”>
</iframe>
By using a different domain name,
many benefits of the sandbox can
be achieved, even in browsers that
don’t support it.

integration.mydomain.com/wrapLogin.html

<html>
<script src=“foreigndomain.com/login.js”>
</script>
<script>
window.parent.postMessage(loginName,
“trusted.mydomain.com”);
</script>
</html>

trusted.mydomain.com/foo.html

<iframe sandbox=“allow-scripts”
src=“untrusted.mydomain.com/untrusted.html”>
</iframe>
<script>
window.addEventListener("message", receiveMessage, false);
receiveMessage = function(event) {
if(event.origin == “untrusted.mydomain.com”) {
var data = sanitizeData(event.data);
}
<script>

But wait, there’s more!

What if you do this to your own code?

http://www.cs.berkeley.edu/~devdatta
/papers/LeastPrivileges.pdf

Hackers HATE Him!!!!

Reduce your Trusted Computing
Base by 95% with this one simple
HTML5 trick!!!

Summary: HTML5
HTML5 and the Open Web Platform are
improving the security of the Web ecosystem.

Rich Web Apps are not new, and HTML5 offers
big security improvements compared to the
proprietary plugin technologies it’s actually
replacing.

Summary: Script Injection
• Script Injection, aka XSS, can be a solved
problem with proper application architecture
and new client-side technologies.

• Avoid incomplete server-side simulation, solve
it directly in the client environment:
– Content Security Policy
– HTML Templates

Summary: Mashups
• Use CORS to get (and validate) data, not code
• Use iframes and postMessage to isolate legacy
mashup APIs

• Treat your own code like a mashup: Use the
Same-Origin Policy as a powerful privilege
separation technique for secure application
architecture in HTML5

https://github.com/devd/html5privsep

Ongoing work in WebAppSec WG:
• Content Security Policy 1.1
• User Interface Security to Kill Clickjacking
• Sub-Resource Integrity

• More important work underway in the Web
Cryptography WG

public-webappsec-request@w3.org

Thank you! Questions?

Brad Hill, PayPal
bhill@paypal-inc.com @hillbrad

W3Conf: Practical standards for web professionals
21 -22 February 2013
San Francisco

W3 conf hill-html5-security-realities

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to W3 conf hill-html5-security-realities (20)

Recently uploaded (20)

W3 conf hill-html5-security-realities

Editor's Notes