Difference between revisions of "CRV2 ClientSideCodeHTML5"
Revision as of 13:49, 12 May 2014
Code review on HTML5
HTML5 was created to replace HTML4, XHTML and the HTML DOM Level 2. The main purpose of the new standard is to deliver dynamic content without proprietary plug-ins such as Silverlight, which lets designers and developers build rich sites without asking users to install anything into the browser. Ideally users would always run the latest browser, but this does not happen as regularly as security experts advise, so the website should implement two layers of controls: one that is independent of the browser in use, and a second that relies on browser support, as an additional control.
What and where to look for in the code
Many vulnerabilities are mitigated by setting the proper HTTP response headers; Cross-Site Scripting, Clickjacking and Cross-Site Request Forgery are among them. For more information on these vulnerabilities, consult the OWASP Top 10. The code reviewer should therefore look for where, and how, each of these specific protections is implemented in the code and configuration.
Clickjacking
To prevent clickjacking of the website, look for an X-Frame-Options response header. Keep in mind that legacy browsers do not honour this header. The website http://erlend.oftedal.no/blog/tools/xframeoptions/ runs a compatibility test of the browser's X-Frame-Options support. For more information on clickjacking, jacking and framing, refer to the Jacking/Framing chapter (https://www.owasp.org/index.php/CRV2_ClientSideCodeJackingFraming).
Where the header is set depends on the web server technology, so it may live in server configuration files rather than in the application code (Apache, for example, sets it in httpd.conf):
Header always set X-Frame-Options SAMEORIGIN
The always condition makes Apache add the header to error responses as well as successful ones. Prefer set over append here: if another module or the application already emits X-Frame-Options, append joins the two values with a comma, and browsers do not interpret a multi-valued X-Frame-Options header consistently, so the protection becomes unpredictable.
PHP
<?php header("X-Frame-Options: SAMEORIGIN"); ?>
IIS (.NET), in web.config
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
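The snippets above show where the header is emitted; the reviewer also needs to judge what the browser will make of what actually comes back. The helper below is an added example for this section, not code from the OWASP page: it reads a response's headers the way a browser would, flagging a missing header, a comma-joined value (the result of emitting the header twice, for instance through Apache's Header append), an obsolete ALLOW-FROM directive, and a misspelled value. The header sets are constructed for illustration, and the duplicate and ALLOW-FROM checks go slightly beyond what the page discusses.

```javascript
// Added example, not code from the OWASP page: a review helper that interprets a
// response's X-Frame-Options header the way a browser would. All header sets below
// are constructed for illustration.

const VALID_XFO = new Set(["DENY", "SAMEORIGIN"]);

// Collect a header by name. HTTP header names are case-insensitive, and a header the
// server emits twice (e.g. Apache "Header append" on top of a framework default)
// reaches the client as one comma-joined value, which is how it is modelled here.
function getHeader(headers, name) {
  const values = [];
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name.toLowerCase()) {
      values.push(...(Array.isArray(v) ? v : [v]));
    }
  }
  return values.length ? values.join(", ") : undefined;
}

// Returns { ok, finding } for one response's headers.
function checkXFrameOptions(headers) {
  const raw = getHeader(headers, "X-Frame-Options");
  if (raw === undefined) {
    return { ok: false, finding: "X-Frame-Options missing: any origin may frame this page" };
  }
  // Browsers do not split X-Frame-Options on commas; a joined value is handled
  // inconsistently across browsers, so a reviewer should treat it as a defect.
  if (raw.includes(",")) {
    return { ok: false, finding: `multiple values "${raw}": header emitted more than once` };
  }
  const value = raw.trim().toUpperCase(); // the directive itself is case-insensitive
  if (VALID_XFO.has(value)) {
    return { ok: true, finding: `X-Frame-Options: ${value}` };
  }
  if (value.startsWith("ALLOW-FROM")) {
    return { ok: false, finding: "ALLOW-FROM was never supported by every browser; use CSP frame-ancestors instead" };
  }
  return { ok: false, finding: `unrecognised value "${raw}": browsers ignore the header` };
}

// Constructed responses: one hardened, one missing the header, one where an
// "append" produced a second copy, and one with a misspelled directive.
const SAMPLE_RESPONSES = {
  hardened: { "Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN" },
  missing:  { "Content-Type": "text/html" },
  appended: { "content-type": "text/html", "x-frame-options": ["SAMEORIGIN", "SAMEORIGIN"] },
  typo:     { "Content-Type": "text/html", "X-Frame-Options": "SAME-ORIGIN" },
};

// Run the check over a set of named responses and return a report keyed by name.
function reviewAll(responses = SAMPLE_RESPONSES) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) {
    report[name] = checkXFrameOptions(headers);
  }
  return report;
}

console.log(JSON.stringify(reviewAll(), null, 2));
```

Only the hardened response passes; the appended case is the one a configuration review most often misses, because each individual header value looks correct.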
Implementation of HTML5 Sandbox attribute
The sandbox attribute, when set on an iframe, restricts what the framed content may do. Its value is an unordered set of unique, space-separated tokens, which are ASCII case-sensitive: allow-forms, allow-pointer-lock, allow-popups, allow-same-origin, allow-scripts and allow-top-navigation. A bare sandbox attribute with no value applies every restriction.
Modern browsers, including Chrome, Firefox and the IE10 Platform Preview, implement the W3C iframe sandbox attribute.
<iframe src="donttrustthis.html" sandbox></iframe>
Keep in mind that each allow-* token re-enables one of the restricted capabilities, so the protection is easily weakened by adding tokens to the attribute value, for example:
<iframe src="donttrustthis.html" sandbox="allow-scripts allow-forms"></iframe>
Pay particular attention to allow-scripts combined with allow-same-origin: framed content from the same origin can then run script and remove the sandbox attribute from its own iframe, which defeats the sandbox entirely.
For more info on correct implementation of HTML5 Sandbox code please visit http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-iframe-element
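Because the tokens are case-sensitive and unknown tokens are silently ignored, a reviewer reading markup by eye can easily miss an attribute that grants less, or more, than its author intended. The helper below is an added example, not code from the OWASP page: it extracts every iframe from a markup string, parses the sandbox value by the rules above (unordered, unique, space-separated, ASCII case-sensitive tokens, with an empty value meaning fully sandboxed), reports tokens the browser would ignore, and flags the allow-scripts plus allow-same-origin combination. The token list is the one on this page; the sample markup is constructed.

```javascript
// Added example, not code from the OWASP page: a review helper that parses
// <iframe sandbox="..."> values as the HTML specification defines them and
// reports what the framed document is still allowed to do. Sample markup is
// constructed for illustration.

// The tokens listed on this page. Anything else is treated as a typo that the
// browser will silently ignore.
const KNOWN_TOKENS = new Set([
  "allow-forms", "allow-pointer-lock", "allow-popups",
  "allow-same-origin", "allow-scripts", "allow-top-navigation",
]);

// ASCII whitespace per the HTML spec: tab, LF, FF, CR and space.
const ASCII_WS = /[\t\n\f\r ]+/;

// Parse one sandbox attribute value into the set of granted capabilities plus findings.
function parseSandbox(value) {
  const tokens = value.split(ASCII_WS).filter((t) => t.length > 0);
  const seen = new Set();
  const findings = [];
  for (const t of tokens) {
    if (seen.has(t)) findings.push(`duplicate token "${t}"`);
    seen.add(t);
    // Tokens are case-sensitive: "Allow-Scripts" is not a keyword, so scripting
    // stays blocked even though the author believed they had enabled it.
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token "${t}" (ignored by browsers)`);
  }
  const granted = [...seen].filter((t) => KNOWN_TOKENS.has(t));
  // The combination the spec warns about: same-origin content that may run script
  // can reach into the parent and remove the sandbox attribute from its own iframe.
  if (seen.has("allow-scripts") && seen.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: framed content can strip its own sandbox");
  }
  const effective = granted.length === 0 ? "fully sandboxed" : "partially sandboxed";
  return { granted, findings, effective };
}

// Attribute *names* are case-insensitive (hence the i flag); the token *values*
// parsed above are not. A bare `sandbox` with no value is the empty set.
const IFRAME_TAG_RE = /<iframe\b[^>]*>/gi;
const SANDBOX_ATTR_RE = /\ssandbox(?=[\s>=\/])(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;

// Review every iframe in a markup string without needing a DOM library.
function reviewMarkup(html) {
  return [...html.matchAll(IFRAME_TAG_RE)].map(([tag]) => {
    const attr = tag.match(SANDBOX_ATTR_RE);
    if (!attr) {
      return { tag, sandboxed: false, findings: ["no sandbox attribute: framed content has full page privileges"] };
    }
    const value = attr[1] ?? attr[2] ?? attr[3] ?? "";
    return { tag, sandboxed: true, ...parseSandbox(value) };
  });
}

// Constructed sample: the two iframes from this page plus three variants a
// reviewer should catch.
const SAMPLE_MARKUP = `
<iframe src="donttrustthis.html" sandbox></iframe>
<iframe src="donttrustthis.html" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="widget.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="widget.html" sandbox="Allow-Scripts allow-forms allow-forms"></iframe>
<iframe src="legacy.html"></iframe>
`;

console.log(JSON.stringify(reviewMarkup(SAMPLE_MARKUP), null, 2));
```

The fourth iframe is the instructive one: the author meant to allow scripts and forms, but the miscased token is dropped, so only forms are allowed, and the duplicate hints at copy-and-paste maintenance. The third is the case that matters most for security review, since the sandbox there can be removed by the framed page itself.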