A string of vulnerabilities has been discovered in the budding web standard HTML5.
Michael Schmidt, a Swiss researcher at Compass Security, examined in a master's thesis (PDF) “the most critical flaws” in HTML5 technology in areas such as Cross-Origin Resource Sharing (CORS), web applications, iframe messaging and storage, WebSockets and geolocation.
Many of the vulnerabilities existed only under specific conditions detailed in the paper and Schmidt said readers should not conclude that "HTML5 is completely insecure".
In detailing the vulnerabilities, Schmidt wrote that one “fundamental security problem” with HTML5 was that once the ‘Access-Control-Allow-Origin’ header was defined, XMLHttpRequests could be sent across domains without users noticing.
If the header was wrongly defined within CORS, Cross-Site Request Forgery (CSRF) attacks that bypass access controls and allow internal websites to be accessed from the internet were possible.
While such an attack was also possible using GET requests in HTML4, it was made “much more efficient” using XMLHttpRequests in HTML5, Schmidt said.
Attackers could overcome an inability to send multiple CORS requests – if Access-Control-Allow-Origin headers were not included in server responses – using a technique that combined CORS and web workers.
“Every CORS request was made unique through inserting a random dummy string to the URL which changes for every request. Using this technique, it was possible to send with one browser about 10,000 requests per second to a server,” Schmidt wrote.
“Placing the attack code on a frequently visited website can have serious side effects for domains being victim of such a DDoS attack.”
Schmidt also cited the ability of attackers to launch reverse shells using CORS and tools such as ‘Shell of the Future’.
He said there was no server-side countermeasure against the CORS exploits.
The potential for bypassing access controls could be minimised by restricting CORS requests to allowed domains defined in Access-Control-Allow-Origin headers. Access controls should not be based on origin headers.
To mitigate DoS attacks, Web Application Firewalls need to block CORS requests that arrive en masse.
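As an added illustration of the misconfiguration described above and the mitigation Schmidt recommends (example code, not from the thesis or this article), here is a reflecting Access-Control-Allow-Origin handler beside an allow-list version, with authorisation kept independent of the Origin header; the listed origins and the request shape are assumed placeholders:

```javascript
// Added example, not code from Schmidt's thesis or the article.
// Pure functions model a server's CORS decision so it can be tested offline.

// Weak configuration: reflect any Origin and allow credentials, so every site
// on the internet can read authenticated responses cross-domain.
function weakCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Placeholder allow-list (assumed origins). Exact scheme+host+port strings;
// no wildcards, no suffix matching.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Hardened configuration: only an exact allow-list match earns the header.
// Anything else gets no CORS headers, so the browser withholds the response
// from the calling script.
function hardenedCorsHeaders(origin, allowList = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowList.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // responses differ per Origin; keep shared caches honest
  };
}

// Request handler: authorisation comes from the session, never from Origin.
// `req` is a constructed stand-in: { origin, session }.
function handleRequest(req, allowList = ALLOWED_ORIGINS) {
  const headers = hardenedCorsHeaders(req.origin, allowList);
  const allowed = Boolean(req.session && req.session.roles.includes("admin"));
  return { status: allowed ? 200 : 403, headers };
}
```

A request from an origin that is not on the list still reaches the server, so the session check in handleRequest is what protects the action itself; the missing CORS header only keeps the response out of the foreign script's hands.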
Schmidt wrote that Offline Web Applications in HTML5 make attacks including cache poisoning more powerful. “The security boundaries [have] moved. The target of attacking web applications was not limited to the server side; attacking the client-side part of Offline Web Applications was possible as well.”
Attacks against offline web apps had two advantages over existing HTML attacks. The first was that HTML5 loads the application directly from the user agent (UA) cache, whereas earlier HTML applications fetched content from the server, so malicious cache content could be loaded without a server round-trip.
The second, a beefed-up man-in-the-middle attack, could happen if the root directory of an SSL website was cached. An insecure connection would need to be initiated and the user would then need to click through an insecure certificate warning. The malicious application could then later hijack legitimate SSL sessions.
Users must clear their cache to remain protected, Schmidt wrote.