5/11/2010
04:43 PM

New HTML Version Comes With Security Risks Of Its Own

HTML 5 could help spur SQL injection attacks on client machines, experts say

Internet Explorer 9 and Firefox 4 will support it, and Microsoft recently touted its advantages. But the upcoming version of HTML, which builds rich Internet application features into the Web programming language and shifts more Web functions to the client machine, also could open up new Web attack vectors.

Security experts say HTML 5, which comes with rich Internet application features baked in, will not only provide better performance and multimedia features, such as video, but also will eliminate the need to manage and maintain browser plug-ins, such as Adobe Flash. "These features are tied in at the design stage," says Josh Abraham, security researcher with Rapid7. "You don't have to load in a third-party plug-in and then upgrade it. Maintaining these third-party [applications] has been a huge issue [for organizations]."

Even so, Abraham says the current HTML 5 specification comes with some security risks of its own. HTML 5 -- which is currently a working draft within the World Wide Web Consortium (W3C) and is expected to be finalized late this year or sometime in 2011 -- moves more Web functions to the client computer.

HTML 5 lets developers store information for a Web application on the client side and offline, Abraham notes. "That means persistent storage on the client for longer periods of time than while a cookie exists...they store this within a file-based client-side database," he says. That opens the door for attackers to wage SQL injection attacks on the client's machine, he says.

"In the past, SQL injection was [leveraged] against the servers," Abraham says. With the current HTML 5 spec, an attacker could execute some JavaScript or other code to interact with the client machine's database to steal data from it, he says.

But Chris Wysopal, CTO of Veracode, says there already are ways for developers to store app data today that could be vulnerable to SQL injection attacks. That can occur if "the data isn't sanitized and treated as trusted when read from the local store," he says. "Developers typically trust stored data, which is wrong. They need to treat it as untrusted, lest they fall into a second-order SQL injection attack."
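The two failure modes described above, the query built from client-side data and the stored value that is trusted on read (second-order injection), side by side with their hardened forms. This is an added example, not code from the article or from any of the quoted experts; it uses the `executeSql(sql, args)` call shape of the client-side SQL database in the HTML 5 draft, and the table name, the `owner` key, the mock transaction and the stored value are all constructed here.

```javascript
// Added example (not from the article). Names, the mock transaction and the
// stored value are constructed for illustration.

// VULNERABLE: a value read from the local store is spliced into the SQL text.
// Anything written there earlier (by a script injected via XSS, or by the user
// editing the store) now rewrites the statement itself.
function unsafeNoteLookupSql(ownerFromStore) {
  return "SELECT body FROM notes WHERE owner = '" + ownerFromStore + "'";
}

// HARDENED: the SQL text is a constant; the value travels in the argument
// array, which executeSql binds as data rather than as part of the statement.
function safeNoteLookup(tx, ownerFromStore) {
  return tx.executeSql("SELECT body FROM notes WHERE owner = ?", [ownerFromStore]);
}

// Stored data is untrusted input. Validate it on read against a strict
// allowlist for what an owner id may look like, and reject anything else.
const OWNER_ID = /^[A-Za-z0-9_-]{1,32}$/;
function readOwnerId(store) {
  const v = store.getItem("owner"); // store would be window.localStorage
  return typeof v === "string" && OWNER_ID.test(v) ? v : null;
}

// Minimal stand-in for a client-side SQL transaction so the example runs
// outside a browser: it records what would have been sent to the database.
function mockTransaction() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args) { calls.push({ sql, args }); return calls.length; },
  };
}

// Constructed stored value: a legitimate id, a closing quote, and a tautology.
const TAMPERED_OWNER = "alice' OR '1'='1";

function demo() {
  const tx = mockTransaction();
  safeNoteLookup(tx, TAMPERED_OWNER);
  return {
    unsafe: unsafeNoteLookupSql(TAMPERED_OWNER),  // WHERE clause is now always true
    safe: tx.calls[0],                            // SQL text unchanged, value bound
    validated: readOwnerId({ getItem: () => TAMPERED_OWNER }), // rejected: null
  };
}
```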

Wysopal says the current HTML 5 spec basically makes it simpler for Web developers to store data locally. Even so, he says some of the known ways to manipulate the HTML 5 session-storage feature could be eradicated with fixes to the standard before it goes final.

And because HTML 5 standardizes storage on the client side, it also could intensify the effectiveness of cross-browser attacks. Daniel Kennedy, a partner with Praetorian Security Group, says while today user data can leak via the browser with cookie sessions and local storage, the cross-browser aspect of HTML 5 could leave client machines more prone to more powerful cross-site scripting and SQL injection attacks.

"The problem here mirrors today's problem with theft of user session cookies, but exacerbates it by allowing more data to be available," Kennedy says. "Like cookies, the data is attached to a website through a same-origin policy. Also like cookies, this is bypassed by attackers through attacks, such as cross-site scripting and cross-site request forgery."

SQL injection would require manipulating the Web application into providing data, first by exploiting an existing vulnerability in the Web app, he says. "With cross-site scripting, a far more common vulnerability, you are manipulating what a client-side script is doing," he says. "So conceptually you could say the attack value of an effective SQL injection attack -- lots of sensitive data at once -- is being broadened by potentially allowing sensitive database data to be available through an effective cross-site scripting attack."

Another weak link in HTML 5 is its built-in multimedia and other features, security experts say. "The ability to play videos, which does open up the actual number of systems, could be affected if there's a flaw in the spec," Rapid7's Abraham says.

But the client-side storage feature poses the biggest security risk with HTML 5, Abraham and other experts say. "It changes the whole concept of the Web application because of the ability to go offline," he says. "It puts the developer in a position where he has to think of the client and trust the client to provide that sort of functionality. We've always been telling developers never to trust the client...now [the clients] will have to sync back with the production system when they come back online and there will be synchronization issues."

But it all depends on what the final HTML 5 standard looks like and how developers deploy it, the experts say. "The HTML 5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn't assume any of this is set in stone," Veracode's Wysopal says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
