Risk
5/11/2010
04:43 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New HTML Version Comes With Security Risks Of Its Own

HTML 5 could help spur SQL injection attacks on client machines, experts say

Internet Explorer 9 and Firefox 4 will support it, and Microsoft recently touted its advantages. But the upcoming version of HTML, which builds rich Internet application features into the Web programming language and shifts more Web functions to the client machine, also could open up new Web attack vectors.

Security experts say HTML 5, which comes with rich Internet application features baked in, will not only provide better performance and multimedia features, such as video, but also will eliminate the need to manage and maintain browser plug-ins, such as Adobe Flash. "These features are tied in at the design stage," says Josh Abraham, security researcher with Rapid7. "You don't have to load in a third-party plug-in and then upgrade it. Maintaining these third-party [applications] has been a huge issue [for organizations]."

Even so, Abraham says the current HTML 5 specification comes with some security risks of its own. HTML 5 -- which is currently a working draft within the World Wide Web Consortium (W3C) and is expected to be finalized late this year or sometime in 2011 -- moves more Web functions to the client computer.

HTML 5 lets developers store information for a Web application on the client side and offline, Abraham notes. "That means persistent storage on the client for longer periods of time than while a cookie exists...they store this within a file-based client-side database," he says. That opens the door for attackers to wage SQL injection attacks on the client's machine, he says.

"In the past, SQL injection was [leveraged] against the servers, Abraham says. With the current HTML 5 spec, an attacker could execute some JavaScript or other code to interact with the client machine's database to steal data from it, he says.

But Chris Wysopal, CTO of Veracode, says there already are ways for developers to store app data today that could be vulnerable to SQL injection attacks. That can occur if "the data isn't sanitized and treated as trusted when read from the local store," he says. "Developers typically trust stored data, which is wrong. They need to treat it as untrusted, lest they fall into a second-order SQL injection attack."

Wysopal says the current HTML 5 spec basically makes it simpler for Web developers to store data locally. Even so, he says some of the known ways to manipulate the HTML 5 session-storage feature could be eradicated with fixes to the standard before it goes final.

And because HTML 5 standardizes storage on the client side, it also could intensify the effectiveness of cross-browser attacks. Daniel Kennedy, a partner with Praetorian Security Group, says while today user data can leak via the browser with cookie sessions and local storage, the cross-browser aspect of HTML 5 could leave client machines more prone to more powerful cross-site scripting and SQL injection attacks.

"The problem here mirrors today's problem with theft of user session cookies, but exacerbates it by allowing more data to be available," Kennedy says. "Like cookies, the data is attached to a website through a same-origin policy. Also like cookies, this is bypassed by attackers through attacks, such as cross-site scripting and cross-site request forgery."

SQL injection would require manipulating the Web application into providing data, first by exploiting an existing vulnerability in the Web app, he says. "With cross-site scripting, a far more common vulnerability, you are manipulating what a client-side script is doing," he says. "So conceptually you could say the attack value of an effective SQL injection attack -- lots of sensitive data at once -- is being broadened by potentially allowing sensitive database data to be available through an effective cross-site scripting attack."

Another weak link in HTML 5 is its built-in multimedia and other features, security experts say. "The ability to play videos, which does open up the actual number of systems, could be affected if there's a flaw in the spec," Rapid7's Abraham says.

But the client-side storage feature poses the biggest security risk with HTML 5, Abraham and other experts say. "It changes the whole concept of the Web application because of the ability to go offline," he says. "It puts the developer in a position where he has to think of the client and trust the client to provide that sort of functionality. We've always been telling developers never to trust the client...now [the clients] will have to sync back with the production system when they come back online and there will be synchronization issues."

But it all depends on what the final HTML 5 standard looks like and how developers deploy it, the experts say. "The HTML 5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn't assume any of this is set in stone," Veracode's Wysopal says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.