SH5ARK: Secure HTML5 Assessment Resource Kit
Welcome to the SH5ARK Repository. This repository contains sample code and information about HTML5 vulnerable features and HTML5 attacks. The HTML5 features and attacks can be tested from a web browser against an Apache web server, with mod_security used to test the filtering rules that block HTML5 features and attacks.
The SH5ARK Project consists of two separate files. The first is the sh5ark-code.tgz file, which includes the SH5ARK repository, whereas the shark-etcfiles.tgz file includes all the configuration files in the /etc folder that the project used to run the SH5ARK code.
The SH5ARK code repository is organized into the following folders under /var/www/:
./html5 - includes the SH5ARK home page and testing results spreadsheet
./html5/features - includes sample code that demonstrates various HTML5 features
./html5/attacks - includes sample code that demonstrates HTML5 attacks
./html5/repellant - includes mod_security rules that block HTML5 features and attacks.
* Each folder includes web pages for testing the code and the filtering rules.
The Features directory tree is categorized by HTML5 feature, and the Attacks directory is categorized by attack type. Click through the folders to reach the feature or attack you want to test. Once there, look for the starting web page, which uses the following naming convention:
- For HTML5 Features: html5feature.<html5feature>.html (e.g. html5feature.webappcache.html)
- For HTML5 Attacks: html5attack.<attacktype or tool>.html (e.g. html5attack.ddos.html)
* Some of the attacks have a .php instead of .html extension
The Repellant directory can be used to test the HTML5 features and attack code included in the repository, or you can use the provided web page to manually test the effectiveness of the mod_security filtering rules with requests that use HTML5 features.
The SH5ARK repository requires a web server to test the code. The project utilized Ubuntu 10.04 LTS with Apache to host the web pages and mod_security for the filter rules. To use the code as is, the web server must be configured with the following static IP addresses:
- eth0: 10.10.1.174
- eth0:0 10.10.1.175
- eth0:1 10.10.1.176
Apache listens on port 80 on the IP addresses ending in .174 and .175, with .176 left open for other ad hoc web services as required. The Ubuntu server must be set up with these static IP addresses because some of the sample code has to reference specific web servers to demonstrate cross-domain features. The configuration files from the /etc folder that were used with the setup described above are available in the sh5ark-etcfiles.tar file. Be careful when extracting these files onto an existing Ubuntu system so that you do not replace configuration files required by your current setup. It is recommended either to use a new Ubuntu system or virtual machine, or to extract the files to a separate folder, review the configuration, and apply it manually to your own configuration.
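One way to follow the "separate folder" advice above: extract the /etc archive into a staging directory and report which files would be new, identical, or overwritten on the target system. This is an added example, not part of the SH5ARK repository; the function names are hypothetical, and it assumes the archive stores members as relative paths such as etc/apache2/ports.conf.

```shell
#!/bin/sh
# Added example, not part of the SH5ARK repository.
# Assumption: archive members are relative paths such as etc/apache2/ports.conf.

# stage_etc ARCHIVE STAGE_DIR: extract into a staging directory, never into /.
stage_etc() {
    archive=$1; stage=$2
    # Refuse absolute member paths or ".." components before extracting.
    if tar -tf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing: unsafe member path in $archive" >&2
        return 1
    fi
    mkdir -p "$stage" || return 1
    # Do not restore the archive's file ownership in the staging copy.
    tar -xf "$archive" -C "$stage" --no-same-owner
}

# compare_staged STAGE_DIR TARGET_ROOT: one line per staged regular file.
#   NEW      file does not exist under TARGET_ROOT
#   SAME     file exists and is byte-identical
#   DIFFERS  extracting over TARGET_ROOT would replace a different file
compare_staged() {
    stage=$1; root=${2%/}
    (cd "$stage" && find . -type f | sort) | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -e "$root/$rel" ]; then
            echo "NEW $rel"
        elif cmp -s "$stage/$rel" "$root/$rel"; then
            echo "SAME $rel"
        else
            echo "DIFFERS $rel"
        fi
    done
}

# Usage: sh stage-etc.sh ARCHIVE STAGE_DIR [TARGET_ROOT]   (TARGET_ROOT defaults to /)
if [ "$#" -ge 2 ]; then
    stage_etc "$1" "$2" && compare_staged "$2" "${3:-/}"
fi
```

Files reported as DIFFERS are the ones to review with diff and merge by hand; nothing under the target root is modified by either function.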