Risk
5/11/2010
04:43 PM

New HTML Version Comes With Security Risks Of Its Own

HTML 5 could help spur SQL injection attacks on client machines, experts say

Internet Explorer 9 and Firefox 4 will support it, and Microsoft recently touted its advantages. But the upcoming version of HTML, which builds rich Internet application features into the Web programming language and shifts more Web functions to the client machine, also could open up new Web attack vectors.

Security experts say HTML 5, which comes with rich Internet application features baked in, will not only provide better performance and multimedia features, such as video, but also will eliminate the need to manage and maintain browser plug-ins, such as Adobe Flash. "These features are tied in at the design stage," says Josh Abraham, security researcher with Rapid7. "You don't have to load in a third-party plug-in and then upgrade it. Maintaining these third-party [applications] has been a huge issue [for organizations]."

Even so, Abraham says the current HTML 5 specification comes with some security risks of its own. HTML 5 -- which is currently a working draft within the World Wide Web Consortium (W3C) and is expected to be finalized late this year or sometime in 2011 -- moves more Web functions to the client computer.

HTML 5 lets developers store information for a Web application on the client side and offline, Abraham notes. "That means persistent storage on the client for longer periods of time than while a cookie exists...they store this within a file-based client-side database," he says. That opens the door for attackers to wage SQL injection attacks on the client's machine, he says.

"In the past, SQL injection was [leveraged] against the servers," Abraham says. With the current HTML 5 spec, an attacker could execute some JavaScript or other code to interact with the client machine's database to steal data from it, he says.

But Chris Wysopal, CTO of Veracode, says there already are ways for developers to store app data today that could be vulnerable to SQL injection attacks. That can occur if "the data isn't sanitized and treated as trusted when read from the local store," he says. "Developers typically trust stored data, which is wrong. They need to treat it as untrusted, lest they fall into a second-order SQL injection attack."

Wysopal says the current HTML 5 spec basically makes it simpler for Web developers to store data locally. Even so, he says some of the known ways to manipulate the HTML 5 session-storage feature could be eradicated with fixes to the standard before it goes final.
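The second-order problem Wysopal describes, as an added example that is not from the article: a value written to a client-side store is later read back and trusted when a query is built. The browser-side function assumes the Web SQL Database API (openDatabase/executeSql) that 2010-era browsers implemented for the file-based client database Abraham mentions; the store and query builders are constructed stand-ins so the rest runs without a browser.

```javascript
// Constructed in-memory stand-in for a client-side store (localStorage or a
// row already sitting in a Web SQL database on disk).
const localStore = new Map();

// Vulnerable pattern: the stored string is concatenated into SQL, so a quote
// inside it changes the structure of the query instead of staying data.
function buildLookupVulnerable(storedName) {
  return "SELECT * FROM notes WHERE owner = '" + storedName + "'";
}

// Hardened pattern: SQL text and data stay separate; the value is bound to the
// "?" placeholder, so it can never be parsed as SQL wherever it came from.
function buildLookupParameterized(storedName) {
  return { sql: "SELECT * FROM notes WHERE owner = ?", args: [storedName] };
}

// Data read back from the store is validated like input arriving from the
// network. Owner names must match an allowlist; anything else is rejected
// outright rather than "cleaned".
const OWNER_PATTERN = /^[A-Za-z0-9_.-]{1,32}$/;
function readOwnerFromStore(key) {
  const value = localStore.get(key);
  if (typeof value !== "string" || !OWNER_PATTERN.test(value)) {
    throw new Error("stored value failed validation: " + key);
  }
  return value;
}

// Second-order flow: step 1 writes a value into the store (from a form, a
// sync, or a tampered store file); step 2 reads it back later to build a query.
// Returns both the trusted-blindly SQL and the validated/bound form for review.
function secondOrderDemo(storedValue) {
  localStore.set("owner", storedValue);                         // step 1
  const unsafeSql = buildLookupVulnerable(localStore.get("owner")); // step 2, trusted
  let safe;
  try {
    safe = buildLookupParameterized(readOwnerFromStore("owner")); // step 2, validated
  } catch (e) {
    safe = null; // rejected before any query is built
  }
  return { unsafeSql, safe };
}

// Browser use of the hardened form (Web SQL; assumed API, not run here):
// executeSql(sql, args, callback) binds args instead of concatenating them.
function runLookupInBrowser(db, key, onRows) {
  const { sql, args } = buildLookupParameterized(readOwnerFromStore(key));
  db.transaction(tx => tx.executeSql(sql, args, (_, rs) => onRows(rs.rows)));
}
```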

And because HTML 5 standardizes storage on the client side, it also could intensify the effectiveness of cross-browser attacks. Daniel Kennedy, a partner with Praetorian Security Group, says that while user data can already leak via the browser through session cookies and local storage, the cross-browser aspect of HTML 5 could leave client machines more exposed to more powerful cross-site scripting and SQL injection attacks.

"The problem here mirrors today's problem with theft of user session cookies, but exacerbates it by allowing more data to be available," Kennedy says. "Like cookies, the data is attached to a website through a same-origin policy. Also like cookies, this is bypassed by attackers through attacks, such as cross-site scripting and cross-site request forgery."

SQL injection would require manipulating the Web application into providing data, first by exploiting an existing vulnerability in the Web app, he says. "With cross-site scripting, a far more common vulnerability, you are manipulating what a client-side script is doing," he says. "So conceptually you could say the attack value of an effective SQL injection attack -- lots of sensitive data at once -- is being broadened by potentially allowing sensitive database data to be available through an effective cross-site scripting attack."

Another weak link in HTML 5 is its built-in multimedia and other features, security experts say. "The ability to play videos, which does open up the actual number of systems, could be affected if there's a flaw in the spec," Rapid7's Abraham says.

But the client-side storage feature poses the biggest security risk with HTML 5, Abraham and other experts say. "It changes the whole concept of the Web application because of the ability to go offline," he says. "It puts the developer in a position where he has to think of the client and trust the client to provide that sort of functionality. We've always been telling developers never to trust the client...now [the clients] will have to sync back with the production system when they come back online and there will be synchronization issues."

But it all depends on what the final HTML 5 standard looks like and how developers deploy it, the experts say. "The HTML 5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn't assume any of this is set in stone," Veracode's Wysopal says.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
