Analysis: HTML5 security holes detailed

Security shortfalls in burgeoning standard.

A string of vulnerabilities has been documented in the budding web standard HTML5.

Michael Schmidt, a Swiss researcher at Compass Security, examined in his master's thesis (PDF) “the most critical flaws” in HTML5 technology in areas such as Cross-Origin Resource Sharing (CORS), offline web applications, iframe messaging and storage, web sockets and geolocation.

Many of the vulnerabilities exist only under the specific conditions detailed in the paper, and Schmidt said readers should not conclude that "HTML5 is completely insecure".

In detailing the vulnerabilities, Schmidt wrote that one “fundamental security problem” with HTML5 is that once a server sets the ‘Access-Control-Allow-Origin’ header, a script on another domain can send XMLHttpRequests to it and read the responses, all without the user noticing.

If the header is defined too permissively (for example, allowing any origin), cross-site request forgery (CSRF) that bypasses access controls becomes possible: a page on the public internet can reach internal websites through the victim’s browser and read what comes back.

While such an attack was also possible with GET requests in HTML4, XMLHttpRequest in HTML5 makes it “much more efficient”, Schmidt said.

CORS requests could also be used to force user agents (UAs) to launch denial of service (DoS) attacks against web servers: JavaScript served from a malicious website to a victim’s UA issues a stream of XMLHttpRequests against another site.

The attacker cannot simply send the same CORS request over and over when the target’s responses lack Access-Control-Allow-Origin headers, but Schmidt showed that this limit could be overcome with a technique combining CORS and Web Workers.

“Every CORS request was made unique by inserting a random dummy string into the URL, which changes for every request. Using this technique, it was possible to send, with one browser, about 10,000 requests per second to a server,” Schmidt wrote.

“Placing the attack code on a frequently visited website can have serious side effects for domains that are the victim of such a DDoS attack.”

Schmidt also cited the ability of attackers to launch browser-based reverse shells using CORS and tools such as ‘Shell of the Future’.

He said there was no server-side countermeasure against the CORS exploits.

The risk of access-control bypass can be minimised by restricting the Access-Control-Allow-Origin header to an explicit list of allowed domains rather than a wildcard. Access control itself should not be based on the Origin header, which a non-browser client can set to any value.
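
The misconfiguration described earlier in this piece, beside the allow-list fix recommended above, as an added example in Node-style JavaScript that is not part of Schmidt's thesis or the article. The origins, the `TRUSTED_ORIGINS` list and the small browser model are assumptions made for the example; the header semantics are those of CORS itself.

```javascript
// Added example (not from the thesis or the article). Two ways a server can
// answer a cross-origin request. The weak one reflects whatever Origin the
// client sent and allows credentials, which is the "wrongly defined" header
// that lets a malicious page read authenticated responses from an internal
// site through the victim's browser. The hardened one matches an explicit
// allow-list. All origins below are made up.

const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak: "Access-Control-Allow-Origin: <whatever you sent>" plus credentials.
// Equivalent to "*" but also works for cookie-authenticated requests, which a
// plain "*" does not, so a page on evil.example can read the logged-in response.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: only an exact, case-sensitive allow-list match gets the header.
// No prefix or regex matching, so "https://app.example.com.evil.example" fails.
// "Vary: Origin" keeps shared caches from serving one origin's copy to another.
// Note this only governs what a *browser* will expose; a non-browser client can
// send any Origin header it likes, so CORS is not an authentication mechanism.
function hardenedCorsHeaders(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) {
    // No ACAO header at all: the browser refuses to expose the response.
    return { 'Vary': 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Minimal model of the browser's decision: a script running on
// `requestOrigin` may read the response body only if ACAO equals its origin,
// or is "*" and the request was made without credentials.
function browserExposesResponse(requestOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  return acao === requestOrigin;
}

// Demo: an attacker page versus the two server configurations.
function demo() {
  const attacker = 'https://evil.example';
  return {
    weak: browserExposesResponse(attacker, weakCorsHeaders(attacker), true),
    hardened: browserExposesResponse(attacker, hardenedCorsHeaders(attacker), true),
  };
}
```

The `Vary: Origin` header matters in practice: without it a CDN or proxy may cache a response carrying one origin's `Access-Control-Allow-Origin` value and hand it to a request from another origin.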

To mitigate DoS attacks, web application firewalls need to block CORS requests that arrive en masse.
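
The detection side of the flood described above, as an added example that is not from the thesis or the article: a small detector that looks for the traffic shape Schmidt describes, one client hammering one path with a different dummy query string on every request so that nothing is served from cache. The log format (client, millisecond timestamp, method, target, Origin header), the thresholds and the log lines themselves are constructed for the example; a real WAF or reverse proxy log would need its own parser.

```javascript
// Added example (not from the thesis or the article). Flags (client, path)
// pairs whose request rate in a sliding window exceeds a threshold AND whose
// query strings are nearly all distinct, the cache-busting signature of the
// CORS + Web Worker flood. Log format is an assumed simplification.

const LINE_RE = /^(\S+) \[(\d+)\] (\S+) (\S+) origin=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, ms, method, target, origin] = m;
  const q = target.indexOf('?');
  return {
    client,
    timeMs: Number(ms),
    method,
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
    origin,
  };
}

// Returns one finding per offending (client, path) group: the densest window
// that exceeds maxPerWindow requests and has >= minDistinctRatio unique queries.
function detectCorsFlood(lines, opts = {}) {
  const { windowMs = 1000, maxPerWindow = 50, minDistinctRatio = 0.9 } = opts;
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;                       // skip lines that do not parse
    const key = `${r.client} ${r.path}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const hits = [];
  for (const reqs of groups.values()) {
    reqs.sort((a, b) => a.timeMs - b.timeMs);
    let start = 0;
    let best = { start: 0, end: 0 };
    for (let end = 0; end < reqs.length; end++) {
      while (reqs[end].timeMs - reqs[start].timeMs > windowMs) start++;
      if (end - start > best.end - best.start) best = { start, end };
    }
    const window = reqs.slice(best.start, best.end + 1);
    const n = window.length;
    if (n <= maxPerWindow) continue;        // volume alone is not enough
    const distinct = new Set(window.map(r => r.query)).size;
    if (distinct / n < minDistinctRatio) continue; // repeated query: not cache-busting
    hits.push({
      client: window[0].client,
      path: window[0].path,
      origins: [...new Set(window.map(r => r.origin))],
      count: n,
    });
  }
  return hits;
}

// Constructed sample log: 80 requests from one client within 400 ms, each with
// a fresh dummy value (a multiplicative hash stands in for the random string),
// plus ordinary traffic from another client using the same path.
function sampleLog() {
  const lines = [];
  for (let i = 0; i < 80; i++) {
    const dummy = ((i * 2654435761) % 4294967296).toString(16);
    lines.push(`10.0.0.5 [${1000 + i * 5}] GET /api/items?r=${dummy} origin=https://attacker.example`);
  }
  lines.push('10.0.0.9 [1010] GET /api/items origin=https://app.example.com');
  lines.push('10.0.0.9 [1500] GET /api/items?page=2 origin=https://app.example.com');
  lines.push('10.0.0.9 [2100] GET /api/items?page=3 origin=https://app.example.com');
  return lines;
}
```

The distinct-query ratio is what separates this pattern from a legitimate burst: a busy single-page application may well exceed the rate threshold, but it tends to repeat the same few URLs, whereas the flood never reuses one.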

Schmidt wrote that Offline Web Applications in HTML5 make attacks such as cache poisoning more powerful. “The security boundaries [have] moved. The target of attacking a web application was not limited to the server side; attacking the client-side part of an Offline Web Application was possible as well.”

Attacks against offline web apps have two advantages over attacks on conventional HTML. First, an offline web application loads its resources directly from the UA’s application cache, whereas a conventional page makes requests to the server; a poisoned cache entry is therefore served again and again without the server being consulted.

Second, a stronger man-in-the-middle attack becomes possible if the root directory of an SSL website is cached. The attacker must first get the user onto an insecure connection, and the user must then click through an invalid-certificate warning, at which point the attacker’s page can be stored in the application cache. The malicious application can later hijack legitimate SSL sessions to that site.

Users must clear their cache to remove a poisoned offline application and remain protected, Schmidt wrote.
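
The application cache manifest that drives the behaviour described above, as an added example that is not part of the thesis or the article: a parser for the HTML5 cache manifest format together with a check for the condition the man-in-the-middle scenario relies on, a manifest that pins the site root so the browser keeps serving the cached copy without asking the server. The manifest text and the `rootLike` heuristic are assumptions made for the example.

```javascript
// Added example (not from the thesis or the article). Parses the HTML5
// application cache manifest format: a "CACHE MANIFEST" first line, "#"
// comments, and CACHE:, NETWORK:, FALLBACK:, SETTINGS: sections. Entries
// before any section header are explicit cache entries.

function parseAppCacheManifest(text) {
  const lines = text.split(/\r?\n/).map(l => l.trim());
  if (lines[0] !== 'CACHE MANIFEST') throw new Error('not a cache manifest');
  const out = { cache: [], network: [], fallback: [], settings: [] };
  let section = 'cache';
  for (const line of lines.slice(1)) {
    if (line === '' || line.startsWith('#')) continue;
    if (line === 'CACHE:')    { section = 'cache';    continue; }
    if (line === 'NETWORK:')  { section = 'network';  continue; }
    if (line === 'FALLBACK:') { section = 'fallback'; continue; }
    if (line === 'SETTINGS:') { section = 'settings'; continue; }
    if (section === 'fallback') {
      // "<url-namespace> <fallback-resource>"
      const [from, to] = line.split(/\s+/);
      out.fallback.push({ from, to });
    } else {
      out[section].push(line);
    }
  }
  return out;
}

// Resources listed under CACHE are served from the application cache even when
// the browser is online. A manifest that pins the origin root (or a fallback
// that covers it) is what lets a poisoned cache keep hijacking the site after
// the network is clean again. The rootLike patterns are an assumption for this
// check; note also that the page which referenced the manifest (the "master
// entry") is cached implicitly, which a text-only check cannot see.
function pinsRoot(manifest) {
  const rootLike = e => e === '/' || e === './' || e === 'index.html' || e === '/index.html';
  return manifest.cache.some(rootLike) || manifest.fallback.some(f => f.from === '/');
}

// Constructed manifests: one of the shape an attacker would plant, and one
// that only pins static assets.
function sampleManifests() {
  const poisoned = [
    'CACHE MANIFEST',
    '# version 1',
    '/',
    '/app.js',
    '',
    'NETWORK:',
    '*',
    'FALLBACK:',
    '/ /offline.html',
  ].join('\n');
  const assetsOnly = [
    'CACHE MANIFEST',
    'CACHE:',
    '/static/app.js',
    '/static/app.css',
    'NETWORK:',
    '*',
  ].join('\n');
  return { poisoned, assetsOnly };
}
```

Run against a site's own manifests, the check is a quick audit of what would be pinned client-side; the "master entry" caveat in the comments is why a manifest-only review is never the whole story.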

Copyright © SC Magazine, Australia
