The new features in HTML5 have opened a whole new world of opportunities for developers and for attackers. Secure Ideas recognized this and, with the help of the DARPA Cyber Fast Track program, started a project called Securing HTML5 Assessment Resource Kit, or SH5ARK. The intent of this project was to build a repository with sample code of vulnerable HTML5 features, examples of existing HTML5 attacks, and filtering rules to block these vulnerable features and attacks. The code repository was released for our presentation at DerbyCon 2012 “The Reunion”. The presentation is available online here.
The SH5ARK project consists of two separate compressed files, which are available on SourceForge at http://sourceforge.net/projects/sh5ark. The first is the sh5ark-code.tgz file, which includes the SH5ARK repository, whereas the sh5ark-etcfiles.tgz file includes all the configuration files in the /etc folder that were used in the project to run the SH5ARK code. First I will provide an overview of the repository, and then I will jump into how to set up a test environment so you can get started with it.
The SH5ARK code repository is organized into three folders, which by default are located under /var/www/.
- ./html5 – SH5ARK home page and project testing results spreadsheet
- ./html5/features – HTML5 features sample code
- ./html5/attacks – HTML5 attacks sample code
- ./html5/repellant – filtering rules that block HTML5 features and attacks.
The features and attacks folders include web pages that are linked from the SH5ARK home page and are displayed as a directory index. The Features directory tree is categorized by HTML5 feature, and the Attacks directory is categorized by attack type. Click through the folders to reach the feature or attack you want to test. Once you have navigated to the desired feature or attack folder, look for the starting web page using the following naming convention:
- Features: html5feature.<html5feature>.html
- Attacks: html5attack.<attacktype or tool>.html
- Note: Some of the attacks have a .php instead of .html extension
The web page describes the feature or attack, includes sample code, lists browser compatibility (for those tested in the project), and includes actual code that can be tested. Make sure to read through the description and testing instructions, as some of the features and attacks require launching a script to properly set up the test environment.
The SH5ARK repository also includes a Repellant folder, which contains the mod_security rules to block each of the HTML5 features and attacks in the repository. This folder also contains a web page that can be used to test the filtering of the HTML5 feature and attack code included in the repository, and that lets you submit a manual request with your own HTML5 code.
In order to test the code and filters provided in the SH5ARK repository, you will need a test environment that includes an Apache web server with mod_security installed. Some of the sample code in the SH5ARK repository requires cross-domain connections, so the code was modified to use static IP addresses to demonstrate this capability within the same test environment. I know this sounds obvious, but you can either modify the code to work in your own environment or set up an environment that works with the current code. To use the code as is, the web server must be configured with the following static IP addresses:
- eth0: 10.10.1.174
- eth0:0 10.10.1.175
- eth0:1 10.10.1.176
Apache must be configured to listen on port 80 for the IP addresses ending in .174 and .175, with .176 left open for other ad hoc web services as required. The files in sh5ark-etcfiles.tgz will help with setting up your environment based on Ubuntu 10.04 LTS. It is recommended to create the test environment as a virtual machine with a fresh install of Ubuntu with mod_security installed. Then simply extract the files from sh5ark-etcfiles.tgz and restart Ubuntu. If you are planning to install in an existing environment, it is strongly recommended to extract these files into a separate folder and manually implement the required changes.
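If you implement the changes by hand on an existing system, it helps to confirm that the three addresses are assigned and that port 80 is bound only where the sample code expects it. The script below is an added example, not part of the SH5ARK download; the function names and the sample `ip`/`ss` output (including the /24 prefix) are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the static-IP layout described above.
# Not part of SH5ARK; function names are hypothetical.

REQUIRED_ADDRS="10.10.1.174 10.10.1.175 10.10.1.176"   # from the article
HTTP_ADDRS="10.10.1.174 10.10.1.175"                   # Apache, port 80

# Reads `ip -o -4 addr show` output on stdin and prints every required
# address that is not assigned to an interface.
missing_addrs() {
    awk -v want="$REQUIRED_ADDRS" '
        { for (i = 1; i < NF; i++)
              if ($i == "inet") { split($(i + 1), a, "/"); seen[a[1]] = 1 } }
        END { n = split(want, w, " ")
              for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i] }'
}

# Reads `ss -ltn` (or `netstat -ltn`) output on stdin and prints every
# address that lacks its own listener on port 80. A wildcard listener is
# deliberately not accepted: it would also occupy port 80 on 10.10.1.176.
missing_listeners() {
    awk -v want="$HTTP_ADDRS" '
        $1 == "LISTEN" || $6 == "LISTEN" { seen[$4] = 1 }
        END { n = split(want, w, " ")
              for (i = 1; i <= n; i++) { key = w[i] ":80"; if (!(key in seen)) print w[i] } }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.1.174/24 brd 10.10.1.255 scope global eth0
2: eth0    inet 10.10.1.175/24 brd 10.10.1.255 scope global secondary eth0:0'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.10.1.174:80     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Live check of this host; returns non-zero if anything is missing.
preflight() {
    a=$(ip -o -4 addr show | missing_addrs)
    l=$(ss -ltn | missing_listeners)
    [ -z "$a" ] || echo "address not configured:" $a
    [ -z "$l" ] || echo "nothing listening on port 80 at:" $l
    [ -z "$a$l" ]
}

# `sh preflight.sh --live` checks this host; with no argument the
# constructed samples are checked instead.
if [ "${1:-}" = "--live" ]; then preflight; exit $?; fi
printf '%s\n' "$SAMPLE_IP" | missing_addrs       # prints 10.10.1.176
printf '%s\n' "$SAMPLE_SS" | missing_listeners   # prints 10.10.1.175
```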
Once your test environment is set up, open a browser in the test environment and go to http://10.10.1.174. From this web page you can navigate throughout the repository. Enjoy!