04:44 AM

Top 3 HTML5 Vulnerability Risk Categories

Forrester urges HTML5 adoption, but security researchers say secure coding should be in place from the start

New advice out from Forrester Research during the past week urges companies to step up the pace of their HTML5 adoption to keep up with mobility trends and enable better online customer experiences. But as HTML5 gains relevance in the enterprise, developers need to think carefully about the vulnerabilities that their new code may introduce into their organizations' Web infrastructure.

Click here for more of Dark Reading's Black Hat articles.

"We are at an inflection point," Peter Sheldon, an analyst for Forrester, wrote yesterday in a blog post. "With consumer adoption of HTML5-'capable' desktop browsers widespread and web developer understanding of the technology rapidly maturing, HTML5 is no longer an emerging toolset for mobile and tablet development. Instead, it is fast becoming the de facto standard for web experience innovation across touch points."

He says that leading brands, such as Apple, Best Buy, and Four Seasons Hotels, are taking advantage of advanced HTML5 to enhance customers' online experience, and that e-business teams within other enterprises need to leverage the specification for improved competitive differentiation. It needn't involve a wholesale rip-and-replace of existing code, as HTML5 is essentially an extension of existing W3C HTML standards, he explains.

"The decision to start using HTML5 or CSS3 does not require any changes to or throwing away of existing code," Sheldon said. "Instead, e-business teams can simply enhance the user experience of existing sites by incrementally using the new features of HTML5. HTML5 puts more tools in the box, but it doesn’t change the fundamentals of how to build the website."

If organizations are to do it right, though, one of those fundamentals needs to be a thorough secure coding process. As one Indian researcher highlighted at Black Hat recently, the rich capabilities afforded by HTML5 open up a whole new world of attack opportunities for hackers.

"HTML5 has lots of components that, if they are not securely coded, can cause a number of new attack vectors," said Shreeraj Shah, founder and director of Blueinfy Solutions. "By leveraging these vectors, one can craft stealth attacks and silent exploits [that are] hard to detect and easy to compromise."

He explained at the show that in many cases a full-fledged HTML5 site offers enough functionality that it could almost be likened to a small operating system running in the browser. With HTML5 it is possible to create sites that locally store small databases on the client. As he demonstrated in his talk, components like local storage, enhanced XMLHttpRequest (XHR), Document Object model (DOM), and webSQL that make advanced features possible greatly increase a user's attack surface if coded improperly.

In his talk, Shah ran through a number of different vulnerabilities and demonstrated proof-of-concepts for many, with all of them falling under three main categories.

1. XHR And Tag Vulnerabilities
The first, XHR and tag vulnerabilities, stem from enhancements to XHR in HTML5 that changes HTTP request and response to allow cross-domain calls by following what is called the Cross Origin Resource Sharing (CORS) policy. This change greatly enhances the potency of Cross Site Request Forgery (CSRF) attacks, enabling more stealthy CSRF attacks that can send CSRF on the raw stream of data from the browser and which can not only be sent with the request, but also sent back with the response.

"So it is like crosssite response extraction," he said.

Also in this category, Shah lumped in Cross Site Scripting (XSS) attacks that take advantage of the surfeit of new tags, attributes, and events offered up through HTML5.

"This is definitely an interesting attack vector to bypass an existing blacklist or whitelist because these are a whole new set of tags that can possibly cause XSS," he said.

2. Thick Feature Vulnerabilities
The next category of vulnerabilities Shah called out stem from the fat client functionality brought forth by HTML5. The support of local storage and session storage through HTML5's storage API makes it possible for attackers to use XSS to do blind enumeration of local storage variables and eventually get access to local storage. Similarly, if a local file system is created using SQL Lite to store a database locally, attackers can potentially run SQL injection attacks against that database through attacks leveraging blind WebSQL enumeration.

"So we are still dealing with SQL injection on the server side and now we have SQL injection on the client side using XSS," he said.

3. DOM Vulnerabilities
Finally, the third big category that Shah ran through were vulnerabilities around DOM.

For example, HTML5 now makes it possible for developers to create an HTML-5 based application that runs on a single DOM without any refreshes necessary. This is a boon for performance, but it also makes DOM-based XSS a "sleeping giant" in Shah's mind.

"Essentially, what is going to happen is when you have a DOM-based XSS, that XSS will remain throughout the application life cycle," he said.

In the same vein, HTML5's support of caching pages for offline usage opens the possibility of cache poisoning. And the way that the widgets, gadgets, and modules popular with HTML5 applications share.

As Shah noted in a paper written in conjunction with his talk, the vendor-neutral, browser-native nature of HTML5 is finally starting to gain the specification traction within developer communities. He noted that the attacks he detailed are just the tip of the iceberg because "HTML5 is just warming up."

As different libraries and ways of development continue to emerge, new attack surfaces are bound to come up. That is why Shah said he believes developers need to start thinking about these possible vulnerabilities from the outset of their HTML5 initiatives.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Coviello: Modern Security Threats are 'Less About the Techniques'
Kelly Sheridan, Staff Editor, Dark Reading,  4/24/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.