New HTML Version Comes With Security Risks Of Its Own

Internet Explorer 9 and Firefox 4 will support it, and Microsoft recently touted its advantages. But the upcoming version of HTML, which builds rich Internet application features into the Web programming language and shifts more Web functions to the client machine, also could open up new Web attack vectors.

Security experts say HTML 5, which comes with rich Internet application features baked in, will not only provide better performance and multimedia features, such as video, but also will eliminate the need to manage and maintain browser plug-ins, such as Adobe Flash. "These features are tied in at the design stage," says Josh Abraham, security researcher with Rapid7. "You don't have to load in a third-party plug-in and then upgrade it. Maintaining these third-party [applications] has been a huge issue [for organizations]."

Even so, Abraham says the current HTML 5 specification comes with some security risks of its own. HTML 5 -- which is currently a working draft within the World Wide Web Consortium (W3C) and is expected to be finalized late this year or sometime in 2011 -- moves more Web functions to the client computer.

HTML 5 lets developers store information for a Web application on the client side and offline, Abraham notes. "That means persistent storage on the client for longer periods of time than while a cookie exists...they store this within a file-based client-side database," he says. That opens the door for attackers to wage SQL injection attacks on the client's machine, he says.

"In the past, SQL injection was [leveraged] against the servers, Abraham says. With the current HTML 5 spec, an attacker could execute some JavaScript or other code to interact with the client machine's database to steal data from it, he says.

But Chris Wysopal, CTO of Veracode, says there already are ways for developers to store app data today that could be vulnerable to SQL injection attacks. That can occur if "the data isn't sanitized and treated as trusted when read from the local store," he says. "Developers typically trust stored data, which is wrong. They need to treat it as untrusted, lest they fall into a second-order SQL injection attack."

Wysopal says the current HTML 5 spec basically makes it simpler for Web developers to store data locally. Even so, he says some of the known ways to manipulate the HTML 5 session-storage feature could be eradicated with fixes to the standard before it goes final.

And because HTML 5 standardizes storage on the client side, it also could intensify the effectiveness of cross-browser attacks. Daniel Kennedy, a partner with Praetorian Security Group, says while today user data can leak via the browser with cookie sessions and local storage, the cross-browser aspect of HTML 5 could leave client machines more prone to more powerful cross-site scripting and SQL injection attacks.

"The problem here mirrors today's problem with theft of user session cookies, but exacerbates it by allowing more data to be available," Kennedy says. "Like cookies, the data is attached to a website through a same-origin policy. Also like cookies, this is bypassed by attackers through attacks, such as cross-site scripting and cross-site request forgery."

SQL injection would require manipulating the Web application into providing data, first by exploiting an existing vulnerability in the Web app, he says. "With cross-site scripting, a far more common vulnerability, you are manipulating what a client-side script is doing," he says. "So conceptually you could say the attack value of an effective SQL injection attack -- lots of sensitive data at once -- is being broadened by potentially allowing sensitive database data to be available through an effective cross-site scripting attack."

Another weak link in HTML 5 is its built-in multimedia and other features, security experts say. "The ability to play videos, which does open up the actual number of systems, could be affected if there's a flaw in the spec," Rapid7's Abraham says.

But the client-side storage feature poses the biggest security risk with HTML 5, Abraham and other experts say. "It changes the whole concept of the Web application because of the ability to go offline," he says. "It puts the developer in a position where he has to think of the client and trust the client to provide that sort of functionality. We've always been telling developers never to trust the client...now [the clients] will have to sync back with the production system when they come back online and there will be synchronization issues."

But it all depends on what the final HTML 5 standard looks like and how developers deploy it, the experts say. "The HTML 5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn't assume any of this is set in stone," Veracode's Wysopal says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.