
HTML5 Building a better botnet

Copyright 2012

What a tangled web we weave. New web technologies address shortcomings in web browsers but create new problems as well. HTML5 is a set of powerful features aimed at moving web applications closer to existing desktop applications in terms of user experience and features.

Moreover, new Web technologies such as Web Sockets, Web Workers, and Web Storage are designed to address the simple fact that people now expect the web to provide applications and multimedia. This paper presents how these technologies can be used to create a massive DoS network and how they can be used to track people.

Web 3.0 is being referred to by experts as the semantic web; semantic meaning data driven. The data will come from the user and the web will essentially adjust to meet the needs of the user. For example, if you do a lot of searching for design blogs, you'll receive more advertisements related to design. Also, when you search for other things, for example, computers, the web will keep in mind that you often search for design and may pull up search queries that combine design and computers.

A huge benefit of Web 3.0 is the move towards being able to access data from anywhere. The idea here is to make sure that the user can access as much data as possible from anywhere, not just their home. Technology is trying to expand this idea in ways that allow TVs to pick up on user data, and allow smart phones to access data on your computer.

For designers like myself who typically forget their jump drives, this is an amazing and useful advancement.

HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML came in 1999. The web has changed a lot since then. HTML5 is still a work in progress. However, most modern browsers have some HTML5 support. HTML5 ~= HTML + CSS + JS

All in all, a lot of nice new things and technology to help us shape the future of the web. As you can see, some of these things are in the actual HTML5 specification; some others are broken out into their own specifications.

Now, with the nearly-complete standard for HTML5 being implemented (at least in part) in the latest or beta versions of all the major browsers, including Internet Explorer, Firefox, Safari, Chrome, and Opera, many of the advanced Web app features developers need will be available in native HTML. But with any major introduction of new features, HTML5 also brings with it potential security vulnerabilities, which is not to say that HTML5 is "flawed," but that, invariably, there will be new attack vectors for hackers to exploit. Some originate from elements of the standard itself, some from implementations of the standard in each browser, and some from the care that developers do (or do not) take in building their HTML5 code.

HTML5 introduces Web Storage, which comprises Session Storage, Local Storage, Global Storage, and Database Storage (using SQLite). HTML5 offers two new objects for storing data on the client: 1) Local Storage - stores data with no time limit. 2) Session Storage - stores data for one session. Until recently, the only reliable method for storing (and retrieving) data from a web client was cookies.

Cookies are typically a few kilobytes in size, so if you want to store a large amount of data on a client (such as an image or a document), you'd have to split it up across many cookies and hope that none get deleted or replaced. Cookies are not suitable for large amounts of data, because they are passed on by EVERY request to the server, making it very slow and ineffective. In HTML5, the data is NOT passed on by every server request, but used ONLY when asked for.

It is possible to store large amounts of data without affecting the website's performance. Like cookies, these storage objects are generally bound to the domain they came from, which should largely prevent sites from stealing data or using Web Storage to pass data around easily.

However, unlike cookies, Web Storage provides new ways to track users in a very persistent manner (e.g., you set a key called tracking with a unique string) [1] [2]. This feature can't directly be used to aid in botnet creation, but it does give attackers a way to store data and then retrieve it later.
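The two properties just described, origin binding and persistence, are easiest to see in a small model. The following is an added example and not code from the paper: `OriginScopedStorage`, `originOf` and `suspiciousIdentifiers` are hypothetical names that model browser behaviour (the real `localStorage`/`sessionStorage` objects are keyed by scheme, host and port in the same way), and the stored values are constructed. The audit function at the end shows the defender's side: listing keys whose values look like opaque identifiers, which is what a persistent "tracking" key usually looks like.

```javascript
// Added example (not from the paper): a model of origin-scoped Web Storage,
// the localStorage/sessionStorage lifetime difference, and a simple audit.

// Origin = scheme + host + port; URL.origin computes exactly that tuple.
function originOf(url) {
  return new URL(url).origin;
}

class OriginScopedStorage {
  constructor() {
    this.local = new Map();    // origin -> Map(key -> value); survives sessions
    this.session = new Map();  // origin -> Map(key -> value); dropped on endSession()
  }
  bucket(kind, origin) {
    const store = kind === 'local' ? this.local : this.session;
    if (!store.has(origin)) store.set(origin, new Map());
    return store.get(origin);
  }
  setItem(kind, pageUrl, key, value) {
    this.bucket(kind, originOf(pageUrl)).set(key, String(value));
  }
  getItem(kind, pageUrl, key) {
    const v = this.bucket(kind, originOf(pageUrl)).get(key);
    return v === undefined ? null : v;   // Storage.getItem returns null for a missing key
  }
  // Closing the tab/window discards sessionStorage only.
  endSession() { this.session.clear(); }
  // "Clear site data" removes both stores for one origin.
  clearSiteData(pageUrl) {
    const o = originOf(pageUrl);
    this.local.delete(o);
    this.session.delete(o);
  }
}

// Defender-side audit: keys in an origin's localStorage whose values are
// long, token-like strings (a typical shape for a persistent tracking id).
function suspiciousIdentifiers(storage, pageUrl, minLen = 16) {
  const flagged = [];
  for (const [k, v] of storage.bucket('local', originOf(pageUrl))) {
    if (v.length >= minLen && /^[A-Za-z0-9_-]+$/.test(v)) flagged.push(k);
  }
  return flagged;
}

function storageDemo() {
  const s = new OriginScopedStorage();
  const page = 'https://site.example/index.html';
  s.setItem('local', page, 'tracking', 'c0ffee1234deadbeef00'); // constructed value
  s.setItem('session', page, 'cart', '3 items');
  // A different host, or the same host over a different scheme, sees nothing.
  const crossOrigin = s.getItem('local', 'https://other.example/', 'tracking');
  const schemeDiffers = s.getItem('local', 'http://site.example/', 'tracking');
  s.endSession();
  return {
    crossOrigin,                                               // null
    schemeDiffers,                                             // null
    localAfterSession: s.getItem('local', page, 'tracking'),   // still present
    sessionAfterSession: s.getItem('session', page, 'cart'),   // null
    flagged: suspiciousIdentifiers(s, page),                   // ['tracking']
  };
}
```

The point of `endSession()` versus `clearSiteData()` is the persistence the paper describes: a value written to localStorage outlives the browsing session and is only removed when the user (or a tool such as the ones cited in [1] and [2]) explicitly clears the origin's data.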

WebSocket is a new proposal under HTML5 to provide full-duplex, bi-directional client-server interaction over a single TCP connection. Making WebSocket safe for use has been attempted by requiring the server to reply to such requests in a way that shows it's okay, but this fails to take into account two problems. The first problem is HTTP header splitting; some web applications and servers can be manipulated to create a custom HTTP header, which is sent back to the client (which can contain cookies, weird caching values, etc.) and could include the WebSocket reply data needed by the client.

WebSocket is such a problem that currently Opera 11.00 and Firefox 4 beta 8 both ship with it disabled. The reason is WebSocket is designed to allow a web browser to make a request to a third-party site that is generated from within a JavaScript program. For the last few years, Firefox and other browser vendors have been working to prevent such cross-origin requests and cross-site request forgeries.

The readyState values of a WebSocket object in that draft of the API: CONNECTING = 0, OPEN = 1, CLOSED = 2.

Then, the user can enter messages and receive messages from the server.

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

The second problem is simply that a client can make a lot of WebSocket requests (i.e., several thousand per second), turning this into a great denial-of-service platform [3]. With this approach, you simply get people to visit a web page that you control and, as long as that page is open, the browser will hammer away at whatever site you want taken down. Alternatively, this feature can be used for port scanning.

Because the WebSocket interface takes a variable amount of time to return, depending on whether the connection fails, connects, or is refused, you can determine the port status. [4] Note that determining the network address of a user is made easier by the fact that most of us are behind NAT boxes using 192.168.*.* (the default for virtually all home routers) or 10.*.*.* (almost no one uses 172.16.0.0 through 172.31.255.255). Simply scanning 192.168.*.1 and 192.168.*.254 will give you a very good chance of finding the router used to provide network access.
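The server-side symptom of both abuses above is the same: one client address opening far more WebSocket handshakes per second than any interactive user would, many of which never complete. The following is an added example, not code from the paper or from any of the cited tools, of detecting that burst in web-server logs. The log line format is constructed for this example (timestamp, client IP, method, path, an `upgrade=` field and the response status); adapt `LINE` to your server's real access-log format. The addresses are documentation ranges and the threshold is deliberately low so the sample stays small.

```javascript
// Added example (not from the paper): flag clients that open a burst of
// WebSocket handshakes within one second, and how many of them failed.

// Constructed log format: "<iso-ts> <ip> <method> <path> upgrade=<value> status=<code>"
const LINE = /^(\S+) (\S+) (\S+) (\S+) upgrade=(\S+) status=(\d{3})$/;

function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  return {
    ts: m[1], ip: m[2], method: m[3], path: m[4],
    upgrade: m[5].toLowerCase() === 'websocket',
    status: Number(m[6]),
  };
}

// Count WebSocket upgrade attempts per (client, second); return the buckets
// above the limit. A 101 status means the handshake completed; anything
// else is a refused or failed handshake.
function detectHandshakeBursts(lines, perSecondLimit) {
  const buckets = new Map(); // "ip|second" -> { ip, second, total, failed }
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !r.upgrade) continue;
    const second = r.ts.slice(0, 19);           // strip fractional seconds and zone
    const key = `${r.ip}|${second}`;
    const b = buckets.get(key) || { ip: r.ip, second, total: 0, failed: 0 };
    b.total += 1;
    if (r.status !== 101) b.failed += 1;
    buckets.set(key, b);
  }
  return [...buckets.values()].filter(b => b.total > perSecondLimit);
}

// Constructed sample: one ordinary client (two sockets a few seconds apart)
// and one client opening 300 sockets inside a single second, half refused.
function sampleLog() {
  const lines = [
    '2012-05-01T10:00:00.100Z 198.51.100.7 GET /chat upgrade=websocket status=101',
    '2012-05-01T10:00:00.300Z 198.51.100.7 GET /index.html upgrade=none status=200',
    '2012-05-01T10:00:03.000Z 198.51.100.7 GET /chat upgrade=websocket status=101',
  ];
  for (let i = 0; i < 300; i++) {
    const ms = String(i).padStart(3, '0');
    const status = i % 2 ? 101 : 400;
    lines.push(`2012-05-01T10:00:01.${ms}Z 203.0.113.9 GET /chat upgrade=websocket status=${status}`);
  }
  return lines;
}

function burstDemo(limit = 100) {
  return detectHandshakeBursts(sampleLog(), limit);
}
```

In production the limit would be set from a baseline of normal handshake rates, and the `failed` count is worth alerting on separately: a legitimate reconnecting client produces a few failures, whereas a page driving the browser against ports that refuse connections produces a run of them.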

To top it off, one security vulnerability in WebSocket allows attackers to attack web-based proxies or transparent intercepting proxies because many of them don't fully understand how to handle WebSocket connections [5] yet. By poisoning the cache of a web proxy for an item such as http://www.googleanalytics.com/ga.js, an attacker can send malicious code to any victim accessing a website that uses Google Analytics.

There are a number of bottlenecks preventing interesting applications from being ported (say, from server-heavy implementations) to client-side JavaScript. Some of these include browser compatibility, static typing, accessibility, and performance.

With the use of Web Workers, you can now create and destroy threads and split up the work among them. Thus, programs can be split into modules and run for a very long time and can also take advantage of multi-core processors (which is basically everything except mobile phones, but dual-core mobile phones are coming).

Ultimately, this means that web-based JavaScript applications will be able to behave more like traditional applications. JavaScript is a single-threaded environment, meaning multiple scripts cannot run at the same time. As an example, imagine a site that needs to handle UI events, query and process large amounts of API data, and manipulate the DOM.

Script execution happens within a single thread. Although JavaScript is slow compared with well-written C or C++ code, it can still generate a huge number of requests on even a low-end machine, turning the system into an effective denial-of-service platform. All the attacker needs to do is keep you on their web page, which is not hard to do with forum discussion sites or online games.

history.pushState() was introduced in HTML5 and it's meant for modifying history entries. By using pushState() we're allowed to alter the visible URL in the address bar without reloading the document itself. The harmful part is that we can conceal the real location and replace it with anything we want. Although the hostname can't be replaced, we can completely change the pathname.

A lot of these attacks work much better when combined with XSS attacks (injecting hostile content into trusted websites), so is there a new HTML5 component that makes this easier? Of course. The new history.pushState() function allows the URL in the history to be modified. Unfortunately, it will also work on the current URL, thereby allowing an attacker to rewrite the address bar which is again something most browsers have been attempting to prevent for years [6].
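The limit the two paragraphs above describe (the hostname cannot change, the path can) is the browser's same-origin check on the URL passed to pushState(). The following is an added example, not code from the paper or from [6], that models that check so the boundary is explicit: `checkPushStateTarget` and `pushStateDemo` are hypothetical helper names, and the page URL is constructed. The practical consequence for a defender is that, on a page with an XSS flaw, only the scheme, host and port shown in the address bar can be trusted; the path and query are under the injected script's control.

```javascript
// Added example (not from the paper): a model of the same-origin rule the
// browser applies to history.pushState(newState, title, url). A URL whose
// origin differs from the document's is rejected (the browser throws a
// SecurityError); any path or query on the same origin is accepted and
// shown in the address bar without a navigation.

function checkPushStateTarget(currentUrl, newUrl) {
  const cur = new URL(currentUrl);
  const target = new URL(newUrl, currentUrl);   // relative URLs resolve against the page
  if (target.origin !== cur.origin) {
    return { allowed: false, reason: 'SecurityError: URL is not same-origin' };
  }
  return {
    allowed: true,
    visible: target.href,                          // what the address bar would show
    pathChanged: target.pathname !== cur.pathname,
  };
}

function pushStateDemo() {
  const page = 'https://bank.example/accounts?id=7';   // constructed page URL
  return {
    sameOriginQuery: checkPushStateTarget(page, '/accounts?id=8'),    // allowed, path unchanged
    sameOriginPath: checkPushStateTarget(page, '/login'),             // allowed, path changed
    otherHost: checkPushStateTarget(page, 'https://evil.example/login'), // rejected
    otherScheme: checkPushStateTarget(page, 'http://bank.example/login'), // rejected
    otherPort: checkPushStateTarget(page, 'https://bank.example:8443/'),  // rejected
  };
}
```

Because the check is purely origin-based, application code that reads `location.pathname` to decide what to render (or a user who reads it to decide whether to enter credentials) gets no protection from it; server-side state and the request actually sent, not the displayed URL, are what to rely on.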

The ability to execute long-running processes and make requests to arbitrary websites leads to an interesting possibility: compute time as a micro-payment system. However, all of the use cases I can think of essentially involve spam or some other unwanted activity, such as denial-of-service attacks against sites. One example of this is d0z.me [7], a URL-shortening service. You simply type in the URL you want shortened (as usual) and the URL you want to attack.

When a user clicks on the d0z.me URL, the program redirects the user to the long URL. However, it will embed the site within an IFRAME, while another IFRAME constantly reloads the site that's being attacked. This approach, combined with social network sites like Reddit, could easily result in a few hundred or thousand people attacking a site.

Because most sites are getting better at dealing with distributed denial-of-service attacks, attackers will need to invest more time in creating more involved attacks. HTML5 offers a drag-and-drop interface. This, combined with interactive content, such as a game, could allow the attacker to get clients to fill out the form (in the background, of course) and submit it repeatedly.

Two big revolutions are happening right now that greatly affect web applications: HTML5 and devices are transforming the front end, and cloud computing is transforming the back end. Together these revolutions allow us to create rich, take-anywhere immersive experiences backed by on-demand, elastic services running at global scale.

Some Internet experts believe the next generation of the Web -- Web 3.0 -- will make tasks like your search for movies and food faster and easier. Instead of multiple searches, you might type a complex sentence or two in your Web 3.0 browser, and the Web will do the rest. In our example, you could type "I want to see a funny movie and then eat at a good Mexican restaurant. What are my options?" The Web 3.0 browser will analyze your response, search the Internet for all possible answers, and then organize the results for you.

As usual, the guys developing new web technologies didn't give much thought to security problems, which is bad if you're a regular user, but great if you're a bad guy [8] [9] or you can do cool things with HTML5 (like building a distributed password cracker) [10].

We've discussed many points today. Let me quickly summarize the principal points: Web Storage and HTML5; Web Sockets and HTML5 (Kurt Seifried); Web Workers and HTML5; Work as Payment and HTML5.

References

[1] Evercookie: http://samy.pl/evercookie/
[2] Nevercookie: http://www.anonymizer.com/learningcenter/#lc_labs
[3] Performing DDoS Attacks with HTML5: http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-html5.html
[4] JS-Recon port scanner: http://www.andlabs.org/tools/jsrecon.html
[5] WebSocket: https://developer.mozilla.org/en/WebSockets
[6] History.pushState(): http://samuli.hakoniemi.net/how-to-conceal-xss-injection-in-html5/
[7] D0z.me: http://it.slashdot.org/story/10/12/20/2248219/D0zme-mdash-the-Evil-URL-Shortener
[8] Attacking with HTML5: http://www.slideshare.net/clubhack/attacking-with-html5lava-kumar
[9] HTML5 Security Cheatsheet Project: http://code.google.com/p/html5security/
[10] Douglas Crockford on JavaScript and HTML5: http://www.webmonkey.com/2010/05/douglas-

By AbdolMajid Shahgholi, RN: 10031D6404, M.TECH, CNIS (SIT department), JNTU HYDERABAD, INDIA, Shahgholi_a@hotmail.com. Copyright 2012
