HTML5 and Web Security
Table of Contents
Abstract
Introduction
  What is HTML5?
  Why is HTML5 important?
To the Community
Types of Attacks
  CORS attack
  HTML Tag abuse
  Middleware issue
  Local Storage
  Cross Document Messaging
  Offline Web application
Protection against attacks
Conclusion
Works Cited
Abstract
HTML5 is the latest version of HTML and brings a number of impressive new features and enhancements. Within the last few years it has gained a lot of popularity with web and mobile application developers, and it is now used extensively by tech giants like Facebook, Microsoft and Google. This level of popularity and usage raises the question of how HTML5 performs in terms of security.
Some of the old security issues of HTML4 and JavaScript remain in HTML5, and cyber criminals and hackers will continue to make use of these loopholes to perform malicious activities.
The primary objective of this paper is to analyze how much of a threat HTML5 poses to security, what types of attacks are made possible by HTML5, and what measures can be taken to prevent such attacks.
Introduction
What is HTML5?
HTML5 is the W3C's next major revision of HTML and the fifth revision of the HTML standard. It describes the content and appearance of web pages and makes them more dynamic and interactive. HTML5 brings improvements such as new attributes, messaging enhancements, new parsing rules for greater flexibility, and the elimination of redundant attributes. It was mainly developed to solve the compatibility problems of HTML4. Another improvement in HTML5 is the support for multimedia on mobile devices.
Why is HTML5 important?
With HTML5, browser plugins have come to an end: rich multimedia features that were once handled by plugins are now built in and simplified by the introduction of new media tags.
HTML5 is important now that it has the support of all major browser vendors like Apple, Google, Microsoft, Opera and Firefox, including those in the mobile space. Another important reason for using HTML5 is that it reduces development time. HTML5 is also mobile friendly: a web application written in HTML5 can be deployed on both desktop and mobile devices.
To the Community
With the increasing popularity of HTML5 it is important for developers and average users to know about its capabilities and also about its dangers. Over 50% of mobile apps are likely to be based on HTML5 by the end of 2016.
The security issues of previous versions of HTML still exist, and the newly added features have further increased the threats. HTML5 apps are most likely to add security risks through developer error, so it is especially important for developers to understand how to write secure HTML5 code.
The focus of this paper is to show how the new features of HTML5 can be exploited and how users can protect themselves.
Types of Attacks
CORS attack
Cross Origin Resource Sharing (CORS) allows a resource to access data from a domain outside its own. Using CORS, a webpage can load resources such as CSS stylesheets, scripts and images from separate domains. This allows a remote attacker to perform code injection on the webpage.
XMLHttpRequest is an API used in web applications for transferring data between a client and a server. Prior to HTML5, site A could not make a direct request to site B through the XMLHttpRequest API. With HTML5, site A can make an HTTP request to site B through XMLHttpRequest, provided site B allows it to do so. To give its permission, site B must include the following header in its response:
Access-Control-Allow-Origin: Site A
This feature of HTML5 opens up a number of possibilities for attack.
• Bypassing Access Control (Scenario 1): Accessing internal websites from the Internet is possible if the internal website has defined the header Access-Control-Allow-Origin wrongly or bases access control decisions on wrong assumptions. A similar threat already exists in HTML 4.01, known as Cross-Site Request Forgery (CSRF), but with CORS it can be carried out without user interaction. This breaks the security requirement Access Control.
• Remote attacking a web server (Scenario 2): Because the request is always sent, CORS can also be abused to attack another web server through the UA of any user accessing a malicious website (this can already be done with other HTML4 features, but sending manipulated POST requests is made easier and is no longer limited to text/plain). This breaks the security requirement Secure session handling because the attacker is able to abuse the session of a user for malicious purposes.
• Information Gathering (Scenario 3): The internal network can be scanned for existing domain names based on the response time of XMLHttpRequests. This breaks the security requirement Confidentiality because internal information is passed on to the attacker.
• Establishing a remote shell (Scenario 4): XMLHttpRequests can be abused to establish a remote shell to a UA and control the behavior of the UA through this remote shell. This breaks the security requirement Secure session management because the attacker can abuse the sessions of a user.
• Disclosure of confidential data: Even though the response can only be read by JavaScript if the appropriate header is defined, the request itself is always sent to the foreign domain. This can be used to send sensitive data to the attacker's server. While this is possible through other features as well, CORS provides a new, flexible way of doing it; disclosure of confidential data is therefore an implicit threat of CORS and breaks the security requirement Confidentiality.
• Web-Based Botnet: Creating a web-based botnet is possible through CORS and other HTML5 features. This threat is therefore only covered once, in section 2.7.2, because only the technology used for establishing the botnet changes while the threat remains the same.
• DDoS attacks with CORS and Web Workers: Combined with Web Workers, a DDoS attack is possible. Web Workers and the details of this attack scenario are described in section 2.9.1. (Schmidt, 2011)
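As an added example (not from the paper or from the Schmidt report it cites), the three server-side decisions below show how the Access-Control-Allow-Origin header from Scenario 1 goes wrong and how an exact allow-list avoids it. The origins and host names are constructed sample values.

```javascript
// Added example, not part of the paper: three ways a server can decide the
// Access-Control-Allow-Origin header from a request's Origin header.
// ALLOWED_ORIGINS and all host names are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Wrong (Scenario 1, "header defined wrongly"): the Origin is echoed back
// unconditionally. Every site on the Internet can now read credentialed
// responses from this server through the visitor's browser.
function reflectCorsHeaders(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Wrong (Scenario 1, "wrong assumptions"): a suffix check is meant to admit
// *.example.com but also admits https://notexample.com.
function suffixMatchCorsHeaders(originHeader) {
  if (!originHeader || !originHeader.endsWith("example.com")) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact match against an allow-list of full origins; an Origin
// that is not a canonical scheme://host[:port] is rejected, and Vary: Origin
// keeps shared caches from replaying one origin's answer to another.
function hardenedCorsHeaders(originHeader) {
  if (!originHeader) return {};            // same-origin or non-browser client
  let canonical;
  try {
    canonical = new URL(originHeader).origin;
  } catch {
    return {};                             // "null", garbage, relative paths
  }
  if (canonical !== originHeader || !ALLOWED_ORIGINS.has(canonical)) return {};
  return {
    "Access-Control-Allow-Origin": canonical,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

The two wrong variants answer any origin the browser presents; the hardened one answers only the listed origins and stays silent for everything else, which the browser then blocks.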
HTML Tag abuse
HTML5 has introduced new tags and attributes which now open new avenues for cross-site scripting (XSS) attacks. XSS attacks have been around for years. XSS is a client-side code injection attack in which an attacker executes malicious scripts by making use of unvalidated or unencoded user input in web applications. In most cases, developers try to avoid this attack by filtering user input using a blacklist (disallowing character sequences such as <, >, <script> etc.).
Let us look at some examples that show how certain new tags and attributes present in HTML5 can be used to execute scripts while bypassing these filters.
Example 1: The filter blocks known tags such as <script> and <img>, but HTML5 has introduced new tags that can also execute scripts.
Example 2: In the past, all form elements needed to be between the <form> tags. HTML5 allows any element to associate itself with a form irrespective of its position on the page.
The following attributes, which are now part of HTML5, can be used by an attacker to modify forms on a webpage for malicious purposes:
• formaction: changes where the form is submitted to
• formenctype: changes the form data's encoding type
• formmethod: changes a GET to a POST and vice versa
• formnovalidate: turns off validation in a form
• formtarget: changes where the action URL is opened (McArdle, 2011)
Middleware issue
HTML5 applications often need a middleware framework to be cross-platform. The middleware framework lets JavaScript call the operating system in its native language. Since the middleware accepts both data and code, it is susceptible to malicious code injection attacks such as XSS.
According to research conducted at Syracuse University, the risks of such attacks are higher on mobile devices because of the permissions given to apps to access contact lists, location data and cameras. The research showed that in a popular middleware called PhoneGap, 77 out of 186 plugins were exploitable: these plugins could accept data and code from external channels and execute them. PhoneGap is said to be used by almost 764 apps in the Google Play store, and the researchers succeeded in performing code injection attacks on 2 of them. (Panchal, 2015)
Local Storage
• Local storage objects allow us to store, retrieve and delete data as name-value pairs.
• Local storage is origin specific: a site from a different origin cannot access the data stored in an application's local storage.
• If the target site has an obvious XSS flaw, the attacker can leverage it to execute JavaScript code and gain access to the stored values.
• Using DNS cache poisoning, an attacker can redirect all requests for the target site to a different site under his control. (Srinivas, 2015)
Cross Document Messaging
• This API allows documents to communicate across domains.
• Disclosure of sensitive information can occur if a message is sent to all domains through the wildcard domain.
• Another issue is that pages which process data from any origin can be vulnerable to XSS attacks. (HollyGraceful, 2015)
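As an added example (not from the paper or from the cited article), the functions below model the embedding page's side of a Cross Document Messaging exchange with a widget frame: a receiver that trusts every origin and writes the payload as markup, a receiver that checks the origin and treats the payload as data, and a sender that names its target origin instead of the wildcard. They work on the origin and data fields of a MessageEvent so they run outside a browser; TRUSTED_ORIGIN and the message format are constructed assumptions.

```javascript
// Added example, not part of the paper. TRUSTED_ORIGIN is the constructed
// origin of the widget frame this page exchanges messages with.
const TRUSTED_ORIGIN = "https://widget.example.com";

// Vulnerable receiver: any window holding a reference to this one can send a
// message, and the payload is parsed as HTML, so the sender picks the markup.
function unsafeHandler(event, sink) {
  sink.innerHTML = event.data;             // no origin check, no encoding
  return true;
}

// Hardened receiver: exact origin comparison (never a substring match), a
// structured message with a fixed shape, and the text rendered via
// textContent so the browser never parses it as HTML.
function safeHandler(event, sink) {
  if (event.origin !== TRUSTED_ORIGIN) return false;   // silently drop
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return false;                          // not our message format
  }
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "status" || typeof msg.text !== "string") return false;
  sink.textContent = msg.text;
  return true;
}

// Sender: naming the target origin (rather than "*") makes the browser drop
// the message if the frame has since navigated to another site, so data
// cannot leak to whatever document now occupies that window.
function sendStatus(targetWindow, text) {
  const payload = JSON.stringify({ type: "status", text });
  targetWindow.postMessage(payload, TRUSTED_ORIGIN);
  return payload;
}
```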
Offline Web application
• A web application can tell the UA which files are needed to work offline. Once loaded, the application can be used offline: the UA recognizes the offline mode and loads the data from the cache.
• Stored offline web application details can be used for user tracking. Web applications can include unique identifiers in the cached files and use these for user tracking and correlation. This breaks the security requirement of Confidentiality.
• It is possible to cache the root directory of a website. Caching of HTTP as well as HTTPS pages is possible. This breaks the security requirements of UA protection and Secure caching. (Schmidt, 2011)
Protection against attacks
• Secure coding practices
• User education
• Staying on top of new developments
• Developers must test their code regularly
• Understand the threats
• Sanitization (filtering the code mixed with data)
• Mitigation or restricting the permissions for untrusted code.
Conclusion
This paper has presented some of the possible attack scenarios introduced by HTML5. HTML5 brings many new features, and most of them have security implications. Attacks on web and mobile applications will continue to grow, and with the introduction of new features the possibilities will increase further.
Users as well as application developers should be made aware of the risks these pose and of what can be done to prevent them. Developers should study and understand each attack and be able to write secure code. This can prevent CORS, cross-domain messaging and local storage attacks to a large extent.
Works Cited
McArdle, R. (2011, 1 1). HTML5 Overview. Retrieved 12 10, 2015, from http://www.trendmicro.com: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
Panchal, J. (2015, 03 18). What Are the Security Risks of HTML5 Apps? Retrieved 12 10, 2015, from www.sitepoint.com/: http://www.sitepoint.com/security-risks-html5-apps/
Schmidt, M. (2011, 12 06). HTML5 Web Security. Retrieved 12 10, 2015, from media.hacking-lab.com: http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
Srinivas. (2015, 1 1). HTML5 Security: Local Storage. Retrieved 12 10, 2015, from resources.infosecinstitute.com: https://resources.infosecinstitute.com/html5-security-local-storage/
HollyGraceful. (2015, 11 16). HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities. Retrieved 12 10, 2015, from www.gracefulsecurity.com: https://www.gracefulsecurity.com/html5-cross-domain-messaging-postmessage-vulnerabilities/
http://www.slideshare.net/shreeraj/top-10-html5-threats-whitepaper
http://www.cis.syr.edu/~wedu/Research/paper/code_injection_most2014.pdf
http://www.cis.syr.edu/~wedu/Research/paper/xds_attack.pdf
http://www.aspiresys.com/WhitePapers/Html5.pdf
http://www.networkworld.com/article/2226707/microsoft-subnet/research--attacks-on-html5-based-apps-infect-smartphones--spread-like-a--worm-.html
http://www.darkreading.com/risk/beware-of-html5-development-risks/d/d-id/1139966
https://thestack.com/security/2015/10/06/html5-covert-channels-jason-farina/
http://resources.infosecinstitute.com/general-html5-security/
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
http://www.infoworld.com/article/2956193/html5/sick-of-flash-security-holes-html5-has-its-own.html
https://www.gracefulsecurity.com/html5-cross-domain-messaging-postmessage-vulnerabilities/