2. HTML Security


# who am I?


Table of Contents

1. Overview

2. HTML5 Security

3. Demo

4. Q & A

1. Overview

1.1 <title> HTML 5 </title>

- Hyper Text Markup Language / Version 5

http://www.blacktie.es/ ( Best HTML5 Web Site )

http://www.youtube.com/embed/XhMN0wlITLk ( HTML5 Quake )

http://haunted.remvst.com/ ( HTML5 game )

(Figure) http://www.scoroncocolo.com/Html5.html

1.2 New Features – WoW!

- New Element ( Video, Audio, Canvas … )

- New Attribute

- New Handler

- Strong Web Form

- New API ( Drag&Drop , Communication, Geolocation, File … )

- Web Storage ( Web SQL Database, Session Storage, Local Storage )

- Web Worker

- Web Socket

- SVG

HTML4: simple UI composition → HTML5: DB, graphics, sockets …

1.2 New Features – But …

Compatibility? Still under construction?

2. HTML Security

2.1 CORS / SOP

- SOP : Same Origin Policy

JavaScript can only access resources within the same domain

- CORS : Cross Origin Resource Sharing / allows access (requests) across domains

* Origin Determination rules (http://en.wikipedia.org/wiki/Same_origin_policy )


2.1 CORS / SOP - http://192.168.48.100/cors.html

* Request

- Origin: http://192.168.48.100

2.1 CORS / SOP

• New headers for CORS

- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Access-Control-Allow-Credentials
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Request-Method
- Access-Control-Request-Headers
- …

Cross-domain requests become possible:

- Cross Domain CSRF
- IP & Port Scanning
- XSS WebShell …
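Whether any of the cross-domain attacks listed above can read a response is decided by the server's Access-Control-* headers. The function below is an added example, not code from the slides: it grants CORS only to an explicit origin allowlist, echoes the exact origin instead of "*", and never pairs credentials with a wildcard. The origins, option names and header values are constructed assumptions; the reflecting variant at the end is the weak setting kept for contrast.

```javascript
// Added example, not from the slides: a server-side CORS decision based on an
// explicit origin allowlist. The origins and options below are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Reduce an Origin header value to scheme://host[:port]; null if it is not a
// well-formed origin (e.g. "null", a bare hostname, or a URL with a path).
function normalizeOrigin(origin) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return null;
  }
  if (!url.host || url.pathname !== "/" || url.search || url.hash) return null;
  return `${url.protocol}//${url.host}`;
}

// Decide which CORS headers to attach for a request carrying `origin`.
// An empty object means "no grant": the browser blocks the cross-origin read.
function corsHeadersFor(origin, { allowCredentials = false } = {}) {
  const normalized = normalizeOrigin(origin);
  if (normalized === null || !ALLOWED_ORIGINS.has(normalized)) return {};
  const headers = {
    // echo the exact allowlisted origin; "*" would grant every site
    "Access-Control-Allow-Origin": normalized,
    // the response differs per Origin, so shared caches must key on it
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "600",
  };
  // Cookies/credentials are only ever combined with a specific origin.
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Weak pattern kept for contrast: reflecting whatever Origin arrives together
// with credentials lets any site read authenticated responses.
function reflectingCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}
```

Because `normalizeOrigin` rejects anything that is not a pure scheme://host[:port] value, the literal string "null" (sent from sandboxed frames and file:// pages) and origins carrying a path or query never match the allowlist.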

2.1.1 CORS Port Scanning - http://192.168.48.128/corsscan.html

- XMLHttpRequest / Response Time based

if ( Response Code != 0 ) { it's a web server! }

- Port Closed
- Port Open
- IP Not Exist


2.2 XSS / New Tag, Attr, Handler

- http://192.168.48.128/xss0.html

• New Tag ( Audio, Video, Source … )

• New Attr ( Autofocus, Onscroll, Oninput … )
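The new tags and attributes only matter when untrusted input reaches the page unencoded. The following is an added example, not code from the slides: contextual output encoding for a comment renderer, plus a string-matching detector that flags on* handler attributes (including HTML5 ones such as onscroll and oninput) and the autofocus attribute for logging or alerting. The sample inputs and the function and variable names are constructed assumptions.

```javascript
// Added example, not from the slides: output encoding for untrusted text plus
// a simple detector for event-handler attributes. Sample inputs are constructed.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Encode untrusted text so it is rendered literally inside an HTML text node
// or a double-quoted attribute value. New tags and attributes are harmless
// once "<" and quotes cannot terminate the surrounding context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a user comment: untrusted data goes in only as encoded text.
function renderComment(author, body) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Heuristic detector for raw input: reports on* event-handler attributes and
// the autofocus attribute, which fires onfocus without any user click.
// Plain string matching, so it is a monitoring aid, not a sanitizer.
function findHandlerAttributes(markup) {
  const found = new Set();
  for (const m of String(markup).matchAll(/\b(on[a-z]+)\s*=/gi)) {
    found.add(m[1].toLowerCase());
  }
  if (/\bautofocus\b/i.test(markup)) found.add("autofocus");
  return [...found].sort();
}

// Constructed sample inputs in the spirit of the xss0.html demo.
const SAMPLE_INPUTS = [
  '<video><source onerror="alert(1)"></video>',
  '<input autofocus onfocus=alert(1)>',
  '<div style="height:2000px" onscroll="alert(1)"></div>',
  'hello world',
];
```

Encoding is the control; the detector exists so that attempts show up in logs. It will also flag harmless words that happen to start with "on" followed by "=", so treat its output as a signal to review rather than a verdict.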


2.3 New Storage – SessionStorage, LocalStorage, WebSQL DB, IndexedDB

* Cookie vs Storage

- Size: cookie 4KB / storage has no size limit

- Transmission: cookie is added to every request ( my traffic!! ) / storage is not sent to the server

- Storage has no expiration date

- Storage can hold objects

2.3 New Storage – SessionStorage - http://192.168.48.128/storage.html

- Deleted when the browser closes

XSS

2.3 New Storage – LocalStorage

- Persists even after the browser closes

XSS

2.3 New Storage – WebSQL DB

- Even supports a database (!)

2.3 New Storage – WebSQL DB

Shopping cart example - http://192.168.48.128/db.html

Price manipulation

Point manipulation

WebSQL DB app example - http://192.168.48.128/note.html

- Enumerate DB names through the SQLite master DB
- Query the DB, then send the results out via script

Information leakage (XSS)
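The price and point manipulation demos work because the cart in WebSQL is treated as authoritative. The code below is an added example, not from the slides: the server-side settlement check that recomputes every order from a trusted catalog and point balance, so whatever the user edits in client-side storage has no effect. The catalog, balances, SKUs and the tampered cart are constructed sample data.

```javascript
// Added example, not from the slides: server-side settlement that makes
// client-side price or point manipulation in Web Storage / WebSQL harmless.
// Catalog, balances and carts are constructed sample data.

// Trusted prices (KRW) live on the server, never in the client's storage.
const CATALOG = {
  "sku-001": { name: "Keyboard", price: 45000 },
  "sku-002": { name: "Mouse", price: 20000 },
};

// Trusted point balances, likewise server-side.
const POINT_BALANCES = { "user-42": 5000 };

const MAX_QTY = 99;

// Avoid prototype keys such as "constructor" being treated as real SKUs.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Recompute the order from trusted data only. Any `price` the client sends is
// ignored, quantities are validated, and points are capped by the real balance.
function settleOrder(userId, submittedCart, requestedPoints) {
  if (!Array.isArray(submittedCart) || submittedCart.length === 0) {
    throw new Error("empty cart");
  }
  let subtotal = 0;
  for (const line of submittedCart) {
    if (!hasOwn(CATALOG, line.sku)) throw new Error(`unknown sku ${line.sku}`);
    if (!Number.isInteger(line.qty) || line.qty < 1 || line.qty > MAX_QTY) {
      throw new Error(`invalid quantity for ${line.sku}`);
    }
    subtotal += CATALOG[line.sku].price * line.qty; // line.price is never read
  }
  if (!Number.isInteger(requestedPoints) || requestedPoints < 0) {
    throw new Error("invalid points");
  }
  const balance = hasOwn(POINT_BALANCES, userId) ? POINT_BALANCES[userId] : 0;
  const pointsUsed = Math.min(requestedPoints, balance, subtotal);
  return { subtotal, pointsUsed, total: subtotal - pointsUsed };
}

// Constructed tampered cart: prices rewritten to 1, exactly what editing the
// client-side DB lets a user do; settleOrder ignores those fields.
const TAMPERED_CART = [
  { sku: "sku-001", qty: 2, price: 1 },
  { sku: "sku-002", qty: 1, price: 1 },
];
```

Client-side storage is fine as a cache of what the user selected; the price, the point balance and the total must be derived on the server at checkout, and a request that claims more points than the balance is simply capped.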

2.4 History Tampering

- http://192.168.48.128/history.html

- Tampering with the browser history using the history API

2.4.1 ClickJacking - http://192.168.48.128/history2.html

- Click + Hijacking / deception using CSS layers

Hide it!

2.4.2 History Tampering & ClickJacking

- http://www.kr/history2.html

* opacity = 0

* opacity = 1

Information leakage (XSS)
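The opacity=0 overlay only works if the target page lets itself be framed. What follows is an added example, not code from the slides: a check that classifies a response's framing protection from its X-Frame-Options and Content-Security-Policy frame-ancestors headers, so a site can verify that its pages are not frameable. The header sets at the bottom are constructed samples, and the function names are assumptions.

```javascript
// Added example, not from the slides: classify whether a response's headers
// stop the page from being framed. The header sets below are constructed.

// Return the frame-ancestors source list from a CSP header value, lowercased,
// or null when the directive is absent.
function frameAncestors(csp) {
  if (typeof csp !== "string") return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Classify framing protection as "blocked", "same-origin", "allowlist" or
// "unprotected". When frame-ancestors is present browsers ignore
// X-Frame-Options, so CSP is evaluated first.
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    if (ancestors.includes("*")) return "unprotected";
    // an empty source list matches nothing, same as 'none'
    if (ancestors.length === 0 || (ancestors.length === 1 && ancestors[0] === "'none'")) {
      return "blocked";
    }
    if (ancestors.length === 1 && ancestors[0] === "'self'") return "same-origin";
    return "allowlist";
  }

  const xfo = String(h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "unprotected"; // also covers the obsolete ALLOW-FROM form
}

// Constructed responses: a page with no protection next to hardened variants.
const SAMPLE_RESPONSES = {
  demo: { "Content-Type": "text/html" },
  xfo: { "Content-Type": "text/html", "X-Frame-Options": "deny" },
  csp: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  partner: { "Content-Security-Policy": "frame-ancestors 'self' https://partner.example" },
  conflicting: { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors *" },
};
```

The "conflicting" sample shows why both headers should agree: a permissive frame-ancestors silently overrides a restrictive X-Frame-Options. A JavaScript frame-buster (comparing top and self) is only a fallback for browsers that honour neither header.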

2.5 WebWorker

- Someone to do the work for you? Web Worker!

- Runs in the background without blocking the main page load

- For complex computations or when concurrent execution is needed

2.5 WebWorker - http://192.168.48.128/corsscan.html

main.html → corsscan.js * 5

2.5.1 ( WebWorker + CORS Port Scan ) = MultiThread Port Scanner !

(Figure: scan results for 192.168.48.120, 192.168.48.121, 192.168.48.124)

2.5.2 ( WebWorker + CORS ) = DDoS Attack !!

2.6 Notification API ( Chrome Only ! )

- http://192.168.48.128/board/index.php

2.7 Geolocation API

- http://192.168.48.128/geo.php

2.8 File API - http://192.168.48.128/fileapi.html

- Manipulating local files from JavaScript (?!)

- OK ! But.. ( Drag&Drop || Selected )

2.8 File API & CORS

- Send file contents and file names to the attacker's server using XHR

- However, only the selected folder or files can be sent

2.8 Filejacking + Clickjacking

- http://192.168.48.128/fileapi2.html

- File -> lure the user into clicking a folder

- Every file under the selected folder can be sent (!!)

3. QnA

Any questions~?

Thank you all~! ^-^

@by hyunmini ( 김현민 )

# Café : http://cafe.naver.com/secuholic

# Mail : [email protected]

END