Risk
5/11/2010
04:43 PM

New HTML Version Comes With Security Risks Of Its Own

HTML 5 could help spur SQL injection attacks on client machines, experts say

Internet Explorer 9 and Firefox 4 will support it, and Microsoft recently touted its advantages. But the upcoming version of HTML, which builds rich Internet application features into the Web programming language and shifts more Web functions to the client machine, also could open up new Web attack vectors.

Security experts say HTML 5, which comes with rich Internet application features baked in, will not only provide better performance and multimedia features, such as video, but also will eliminate the need to manage and maintain browser plug-ins, such as Adobe Flash. "These features are tied in at the design stage," says Josh Abraham, security researcher with Rapid7. "You don't have to load in a third-party plug-in and then upgrade it. Maintaining these third-party [applications] has been a huge issue [for organizations]."

Even so, Abraham says the current HTML 5 specification comes with some security risks of its own. HTML 5 -- which is currently a working draft within the World Wide Web Consortium (W3C) and is expected to be finalized late this year or sometime in 2011 -- moves more Web functions to the client computer.

HTML 5 lets developers store information for a Web application on the client side and offline, Abraham notes. "That means persistent storage on the client for longer periods of time than while a cookie exists...they store this within a file-based client-side database," he says. That opens the door for attackers to wage SQL injection attacks on the client's machine, he says.

"In the past, SQL injection was [leveraged] against the servers," Abraham says. With the current HTML 5 spec, an attacker could execute some JavaScript or other code to interact with the client machine's database to steal data from it, he says.

But Chris Wysopal, CTO of Veracode, says there already are ways for developers to store app data today that could be vulnerable to SQL injection attacks. That can occur if "the data isn't sanitized and treated as trusted when read from the local store," he says. "Developers typically trust stored data, which is wrong. They need to treat it as untrusted, lest they fall into a second-order SQL injection attack."
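As an added example, not code from the article or from any of the researchers quoted in it: a minimal model of the Web SQL `executeSql(sql, params)` call that shipped alongside the HTML 5 draft, with a note saved by string concatenation beside the bound-parameter form Wysopal's advice implies, and a check that flags statements carrying quoted literals instead of placeholders. The fake transaction, the `notes` table and the sample values are constructed so the code runs offline in Node.

```javascript
// Constructed stand-in for a Web SQL transaction: it records what would be
// sent to the client-side database instead of executing it, so the effect
// of each coding style on the SQL text can be inspected.
function fakeTransaction() {
  const log = [];
  return {
    executeSql(sql, params = []) { log.push({ sql, params }); },
    log,
  };
}

// Vulnerable: the statement is assembled by concatenation. Whatever `note`
// holds, whether typed by the user or read back from the local store later
// (the second-order case), becomes part of the SQL text the engine parses.
function saveNoteUnsafe(tx, note) {
  tx.executeSql("INSERT INTO notes (body) VALUES ('" + note + "')");
}

// Hardened: the SQL text is a constant and the value travels as a bound
// parameter, so the engine never interprets it as SQL.
function saveNoteSafe(tx, note) {
  tx.executeSql("INSERT INTO notes (body) VALUES (?)", [note]);
}

// Review check over recorded statements: a statement is treated as
// parameterized only if it binds values and its text carries no
// quoted literal that could have been spliced in from data.
function statementIsParameterized(entry) {
  return entry.params.length > 0 && !/'[^']*'/.test(entry.sql);
}

// Runs both styles on one constructed value containing a quote character
// and returns, per statement, the text and whether it passed the check.
function demo() {
  const note = "O'Brien's list"; // constructed; the apostrophe breaks the unsafe form
  const tx = fakeTransaction();
  saveNoteUnsafe(tx, note);
  saveNoteSafe(tx, note);
  return tx.log.map(e => ({ sql: e.sql, parameterized: statementIsParameterized(e) }));
}
```

The same check applies to values read out of local storage before they are used in a query, which is the trust boundary Wysopal describes.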

Wysopal says the current HTML 5 spec basically makes it simpler for Web developers to store data locally. Even so, he says some of the known ways to manipulate the HTML 5 session-storage feature could be eradicated with fixes to the standard before it goes final.

And because HTML 5 standardizes storage on the client side, it also could intensify the effectiveness of cross-browser attacks. Daniel Kennedy, a partner with Praetorian Security Group, says while today user data can leak via the browser with cookie sessions and local storage, the cross-browser aspect of HTML 5 could leave client machines more prone to more powerful cross-site scripting and SQL injection attacks.

"The problem here mirrors today's problem with theft of user session cookies, but exacerbates it by allowing more data to be available," Kennedy says. "Like cookies, the data is attached to a website through a same-origin policy. Also like cookies, this is bypassed by attackers through attacks, such as cross-site scripting and cross-site request forgery."

SQL injection would require manipulating the Web application into providing data, first by exploiting an existing vulnerability in the Web app, he says. "With cross-site scripting, a far more common vulnerability, you are manipulating what a client-side script is doing," he says. "So conceptually you could say the attack value of an effective SQL injection attack -- lots of sensitive data at once -- is being broadened by potentially allowing sensitive database data to be available through an effective cross-site scripting attack."

Another weak link in HTML 5 is its built-in multimedia and other features, security experts say. "The ability to play videos, which does open up the actual number of systems, could be affected if there's a flaw in the spec," Rapid7's Abraham says.

But the client-side storage feature poses the biggest security risk with HTML 5, Abraham and other experts say. "It changes the whole concept of the Web application because of the ability to go offline," he says. "It puts the developer in a position where he has to think of the client and trust the client to provide that sort of functionality. We've always been telling developers never to trust the client...now [the clients] will have to sync back with the production system when they come back online and there will be synchronization issues."

But it all depends on what the final HTML 5 standard looks like and how developers deploy it, the experts say. "The HTML 5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn't assume any of this is set in stone," Veracode's Wysopal says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
