Top 3 HTML5 Vulnerability Risk Categories

Forrester urges HTML5 adoption, but security researchers say secure coding should be in place from the start

New advice out from Forrester Research during the past week urges companies to step up the pace of their HTML5 adoption to keep up with mobility trends and enable better online customer experiences. But as HTML5 gains relevance in the enterprise, developers need to think carefully about the vulnerabilities that their new code may introduce into their organizations' Web infrastructure.

Click here for more of Dark Reading's Black Hat articles.

"We are at an inflection point," Peter Sheldon, an analyst for Forrester, wrote yesterday in a blog post. "With consumer adoption of HTML5-'capable' desktop browsers widespread and web developer understanding of the technology rapidly maturing, HTML5 is no longer an emerging toolset for mobile and tablet development. Instead, it is fast becoming the de facto standard for web experience innovation across touch points."

He says that leading brands, such as Apple, Best Buy, and Four Seasons Hotels, are taking advantage of advanced HTML5 to enhance customers' online experience, and that e-business teams within other enterprises need to leverage the specification for improved competitive differentiation. It needn't involve a wholesale rip-and-replace of existing code, as HTML5 is essentially an extension of existing W3C HTML standards, he explains.

"The decision to start using HTML5 or CSS3 does not require any changes to or throwing away of existing code," Sheldon said. "Instead, e-business teams can simply enhance the user experience of existing sites by incrementally using the new features of HTML5. HTML5 puts more tools in the box, but it doesn’t change the fundamentals of how to build the website."

If organizations are to do it right, though, one of those fundamentals needs to be a thorough secure coding process. As one Indian researcher highlighted at Black Hat recently, the rich capabilities afforded by HTML5 open up a whole new world of attack opportunities for hackers.

"HTML5 has lots of components that, if they are not securely coded, can cause a number of new attack vectors," said Shreeraj Shah, founder and director of Blueinfy Solutions. "By leveraging these vectors, one can craft stealth attacks and silent exploits [that are] hard to detect and easy to compromise."

He explained at the show that in many cases a full-fledged HTML5 site offers enough functionality that it could almost be likened to a small operating system running in the browser. With HTML5 it is possible to create sites that locally store small databases on the client. As he demonstrated in his talk, components like local storage, enhanced XMLHttpRequest (XHR), Document Object model (DOM), and webSQL that make advanced features possible greatly increase a user's attack surface if coded improperly.

In his talk, Shah ran through a number of different vulnerabilities and demonstrated proof-of-concepts for many, with all of them falling under three main categories.

1. XHR And Tag Vulnerabilities
The first, XHR and tag vulnerabilities, stem from enhancements to XHR in HTML5 that changes HTTP request and response to allow cross-domain calls by following what is called the Cross Origin Resource Sharing (CORS) policy. This change greatly enhances the potency of Cross Site Request Forgery (CSRF) attacks, enabling more stealthy CSRF attacks that can send CSRF on the raw stream of data from the browser and which can not only be sent with the request, but also sent back with the response.

"So it is like crosssite response extraction," he said.

Also in this category, Shah lumped in Cross Site Scripting (XSS) attacks that take advantage of the surfeit of new tags, attributes, and events offered up through HTML5.

"This is definitely an interesting attack vector to bypass an existing blacklist or whitelist because these are a whole new set of tags that can possibly cause XSS," he said.

2. Thick Feature Vulnerabilities
The next category of vulnerabilities Shah called out stem from the fat client functionality brought forth by HTML5. The support of local storage and session storage through HTML5's storage API makes it possible for attackers to use XSS to do blind enumeration of local storage variables and eventually get access to local storage. Similarly, if a local file system is created using SQL Lite to store a database locally, attackers can potentially run SQL injection attacks against that database through attacks leveraging blind WebSQL enumeration.

"So we are still dealing with SQL injection on the server side and now we have SQL injection on the client side using XSS," he said.

3. DOM Vulnerabilities
Finally, the third big category that Shah ran through were vulnerabilities around DOM.

For example, HTML5 now makes it possible for developers to create an HTML-5 based application that runs on a single DOM without any refreshes necessary. This is a boon for performance, but it also makes DOM-based XSS a "sleeping giant" in Shah's mind.

"Essentially, what is going to happen is when you have a DOM-based XSS, that XSS will remain throughout the application life cycle," he said.

In the same vein, HTML5's support of caching pages for offline usage opens the possibility of cache poisoning. And the way that the widgets, gadgets, and modules popular with HTML5 applications share.

As Shah noted in a paper written in conjunction with his talk, the vendor-neutral, browser-native nature of HTML5 is finally starting to gain the specification traction within developer communities. He noted that the attacks he detailed are just the tip of the iceberg because "HTML5 is just warming up."

As different libraries and ways of development continue to emerge, new attack surfaces are bound to come up. That is why Shah said he believes developers need to start thinking about these possible vulnerabilities from the outset of their HTML5 initiatives.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Julian Assange Arrested in London
Dark Reading Staff 4/11/2019
8 'SOC-as-a-Service' Offerings
Steve Zurier, Freelance Writer,  4/12/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-18
A vulnerability in the DHCPv6 input packet processor of Cisco Prime Network Registrar could allow an unauthenticated, remote attacker to restart the server and cause a denial of service (DoS) condition on the affected system. The vulnerability is due to incomplete user-supplied input validation when...
PUBLISHED: 2019-04-18
A vulnerability in the Software Image Management feature of Cisco DNA Center could allow an authenticated, remote attacker to access to internal services without additional authentication. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vuln...
PUBLISHED: 2019-04-18
A vulnerability in the quality of service (QoS) feature of Cisco Aironet Series Access Points (APs) could allow an authenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation on QoS fields within Wi-Fi fra...
PUBLISHED: 2019-04-18
A vulnerability in the CLI of Cisco Aironet Series Access Points (APs) could allow an authenticated, local attacker to gain access to the underlying Linux operating system (OS) without the proper authentication. The attacker would need valid administrator device credentials. The vulnerability is due...
PUBLISHED: 2019-04-18
A vulnerability in Locally Significant Certificate (LSC) management for the Cisco Wireless LAN Controller (WLC) could allow an authenticated, remote attacker to cause the device to unexpectedly restart, which causes a denial of service (DoS) condition. The attacker would need to have valid administr...