04:44 AM

Top 3 HTML5 Vulnerability Risk Categories

Forrester urges HTML5 adoption, but security researchers say secure coding should be in place from the start

New advice out from Forrester Research during the past week urges companies to step up the pace of their HTML5 adoption to keep up with mobility trends and enable better online customer experiences. But as HTML5 gains relevance in the enterprise, developers need to think carefully about the vulnerabilities that their new code may introduce into their organizations' Web infrastructure.

Click here for more of Dark Reading's Black Hat articles.

"We are at an inflection point," Peter Sheldon, an analyst for Forrester, wrote yesterday in a blog post. "With consumer adoption of HTML5-'capable' desktop browsers widespread and web developer understanding of the technology rapidly maturing, HTML5 is no longer an emerging toolset for mobile and tablet development. Instead, it is fast becoming the de facto standard for web experience innovation across touch points."

He says that leading brands, such as Apple, Best Buy, and Four Seasons Hotels, are taking advantage of advanced HTML5 to enhance customers' online experience, and that e-business teams within other enterprises need to leverage the specification for improved competitive differentiation. It needn't involve a wholesale rip-and-replace of existing code, as HTML5 is essentially an extension of existing W3C HTML standards, he explains.

"The decision to start using HTML5 or CSS3 does not require any changes to or throwing away of existing code," Sheldon said. "Instead, e-business teams can simply enhance the user experience of existing sites by incrementally using the new features of HTML5. HTML5 puts more tools in the box, but it doesn’t change the fundamentals of how to build the website."

If organizations are to do it right, though, one of those fundamentals needs to be a thorough secure coding process. As one Indian researcher highlighted at Black Hat recently, the rich capabilities afforded by HTML5 open up a whole new world of attack opportunities for hackers.

"HTML5 has lots of components that, if they are not securely coded, can cause a number of new attack vectors," said Shreeraj Shah, founder and director of Blueinfy Solutions. "By leveraging these vectors, one can craft stealth attacks and silent exploits [that are] hard to detect and easy to compromise."

He explained at the show that in many cases a full-fledged HTML5 site offers enough functionality that it could almost be likened to a small operating system running in the browser. With HTML5 it is possible to create sites that locally store small databases on the client. As he demonstrated in his talk, components like local storage, enhanced XMLHttpRequest (XHR), Document Object model (DOM), and webSQL that make advanced features possible greatly increase a user's attack surface if coded improperly.

In his talk, Shah ran through a number of different vulnerabilities and demonstrated proof-of-concepts for many, with all of them falling under three main categories.

1. XHR And Tag Vulnerabilities
The first, XHR and tag vulnerabilities, stem from enhancements to XHR in HTML5 that changes HTTP request and response to allow cross-domain calls by following what is called the Cross Origin Resource Sharing (CORS) policy. This change greatly enhances the potency of Cross Site Request Forgery (CSRF) attacks, enabling more stealthy CSRF attacks that can send CSRF on the raw stream of data from the browser and which can not only be sent with the request, but also sent back with the response.

"So it is like crosssite response extraction," he said.

Also in this category, Shah lumped in Cross Site Scripting (XSS) attacks that take advantage of the surfeit of new tags, attributes, and events offered up through HTML5.

"This is definitely an interesting attack vector to bypass an existing blacklist or whitelist because these are a whole new set of tags that can possibly cause XSS," he said.

2. Thick Feature Vulnerabilities
The next category of vulnerabilities Shah called out stem from the fat client functionality brought forth by HTML5. The support of local storage and session storage through HTML5's storage API makes it possible for attackers to use XSS to do blind enumeration of local storage variables and eventually get access to local storage. Similarly, if a local file system is created using SQL Lite to store a database locally, attackers can potentially run SQL injection attacks against that database through attacks leveraging blind WebSQL enumeration.

"So we are still dealing with SQL injection on the server side and now we have SQL injection on the client side using XSS," he said.

3. DOM Vulnerabilities
Finally, the third big category that Shah ran through were vulnerabilities around DOM.

For example, HTML5 now makes it possible for developers to create an HTML-5 based application that runs on a single DOM without any refreshes necessary. This is a boon for performance, but it also makes DOM-based XSS a "sleeping giant" in Shah's mind.

"Essentially, what is going to happen is when you have a DOM-based XSS, that XSS will remain throughout the application life cycle," he said.

In the same vein, HTML5's support of caching pages for offline usage opens the possibility of cache poisoning. And the way that the widgets, gadgets, and modules popular with HTML5 applications share.

As Shah noted in a paper written in conjunction with his talk, the vendor-neutral, browser-native nature of HTML5 is finally starting to gain the specification traction within developer communities. He noted that the attacks he detailed are just the tip of the iceberg because "HTML5 is just warming up."

As different libraries and ways of development continue to emerge, new attack surfaces are bound to come up. That is why Shah said he believes developers need to start thinking about these possible vulnerabilities from the outset of their HTML5 initiatives.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.