HTML5: Risky Business or Hidden Security Tool Chest?

HTML5: Risky Business or Hidden
Security Tool Chest
Johannes B. Ullrich, Ph.D.
[email protected]
About Me
• Dean of Research,
SANS Technology Institute
• Living in Jacksonville FL
(aka Southern GA)
• SANS Internet Storm Center
• Created
• Instructor for SANS
• Past: Physicist, Web Developer
Hosted by OWASP & the NYC Chapter
What is HTML5
• Collection of JavaScript APIs supported by
some modern browsers in some ways and
sometimes they even work.
• Features to enable modern desktop like
applications and support mobile devices
• 5th Revision of the HTML Standard
What is this talk about?
• Ideas to improve security by using HTML5
• What are some of the security challenges that
HTML5 addresses well (or doesn’t)
• What are some of the limitations we have to
• Exclusive vs. Inclusive Authentication
– Inclusive:
Proof the identity
of the user
– Exclusive:
Disproof the identity
of the user
What the Factor?
Segway: Multi Factor Authentication
• Single Factor: Password
• Two Factor: Password AND (Token|Biometric)
• 1 ½ Factor: Password and Cookie
• ½ Factor: Password
OR (Token|Biometric)
HTML5 Components
Local Storage / Session Storage
Media Capture
Local and Session Storage
• New JavaScript API to store data on client
• Protected by “same origin”
• Local Storage:
– No defined expiration
– Accessible by all browser windows
• Session Storage:
– Expired when window is closed
– Scope limited to current window
Local Storage: Persistent
• Alternative to Flash cookie for “1 ½ Factor”
• Part of an “Evercookie”
• Can be used for good (additional
authentication) or evil (more user tracking)
• Exposed to XSS attacks
• Similar to cookies in scope and security
Session Storage: Identifying
• Can be used to store session token
• Breaks CSRF (good!)
• User is logged out when they close the
browser window (not entire browser)
• Multiple users can use the same browser (is
this a good thing?)
• Easier log out, more secure session tracking,
can be used alongside cookies.
• Risks:
Storing too much data on the client!
Can’t enforce “secure” transmission over SSL
Can’t protect from JavaScript/XSS (no httponly)
– storing confidential data on mobile devices
– Pushing data to the client the client is not
authorized to see.
Can I use it?
• Allows drawing in the browser
• Interactive image applications
• Can be used for graphical login schemes
– Pattern based login
Image Login
• Display image, user identifies features
• Done in Windows 8/RT for mobile login
(“Pattern Login”, “Picture Password”)
“Connect the Dots”
• Implemented in Android
• Good user acceptance for mobile login
• No good studies yet as to how users select
• Demo: “Connect the Dots” for the web
• See Github for code repository
Can I use it?
• JavaScript API provides access to devices built
in sensors like GPS
• Can be very accurate
• Can also be spoofed easily
Geolocation for Authentication
• Only useful on mobile devices
• Can be used to exclude users, but not to
replace traditional authentication
• Observe sudden changes in location
• Combine with careful browser fingerprinting
Can I use it?
Media Capture
• aka getUserMedia/Stream API
• Limited support (Chrome, Firefox, Blackberry)
• Some potential for biometrics:
– Face recognition
– Hand signals / gestures
– Fingerprint?
• Face recognition libraries:
• Hard to acquire sufficient detail
• So far, in particular on mobile devices, more of
a gimmick then a serious authentication
• Possibility to use “finger print”, but current
cameras not sufficient to acquire image
Can I use it?
Only useful for mobile devices
Move the phone in a pattern to authenticate
Detect step/walking pattern
Detect if user/phone is at rest or on the move
Can be spoofed (but not readily)
Not easy to reproduce
Adding sensors like compass may help.
Can I use it?
• Popup Notifications sent by the server to
notify the user
• Initiated by server
– Local Notifications: Require browser to be open,
widely supported
– Push Notifications: Safari Only
Bad stuff happened!
• Notify the user of security relevant events:
– “Someone is trying to log in as you”
User needs to accept notifications
Notifications no 100% reliable
Not “out of band” (can be faked, intercepted)
Safari Notifications may be useful for one time
passwords (OTP)
Can I use it?
• Client side encryption
• Allows encryption of specific sensitive fields
(e.g. payment data, passwords)
• Intermediate services (proxies, web services)
don’t need to know the information
• Upcoming: CryptoAPI (June 2013)
• Until then:
Client side password hashing
• Server sends random “nonce” as part of login
• Client calculates hash from password/nonce
• Passes hash to server
• Server verifies hash
• Advantage: Server never gets to know the
“real” password.
Use enters password
Client hashes password
Password hash transmitted to server
Salt: Username? Provided by server?
Changing password: Same procedure, salt may
• Lots of cool and useful tools in HTML5
• Use them as appropriate
• “HTML5” itself isn’t the risk. Bad coding is the
• Understand privacy issues
• Understand user behavior
• Share your code an experiences (OWASP!!)
! Thanks !
[email protected]
Daily Updates * Daily Podcast * Live Data Feeds

similar documents