Top 10 HTML5 threats and attack vectors

Emerging as popular standard to create Rich Internet Applications and competing with technology stacks like Adobe’s Flex/Flash and Microsoft’s Silverlight is HTML5. HTML5 brings several new features and functionalities that allow developers to create really attractive and robust applications. These applications can run on any browser and platform, although with some limitations.

HTML5 applications are also supported by mobile devices. Hence, you can create your application once and run it on several devices and browsers. Each time, every new technology stack throws up new security challenges and vulnerabilities. HTML 5, though very promising, is no different. There are security concerns that need to be addressed when creating applications. Let us look at the top 10 possible attack vectors associated with HTML5 and modern browser architecture.

Browser layers and HTML 5
Before we begin analyzing possible attack vectors let’s understand a modern browser’s layers in the current context and possible threat model. Browsers have four logical layers – Presentation, Process/Logic, Network and Policies as shown in Figure 1.

Figure 1 – Browser layers for threat model and attack surface.

Presentation (L1) – HTML5 is native to the browser and does not need any additional plug-in. Several new tags allow the creation of a very rich presentation layer.

Process/Logic(L2) – This is the core of the browser which allows JavaScript, DOM and Threads. It forms the business process layer for applications. Several new features are added in HTML 5 like WebWorkers, WebSQL, LocalStorage and enhanced DOM (Level 3).

Network(L3) – This layers allows connectivity to the Internet and Domain/Cross Domain calls across networks. HTML 5 supports WebSocket and XHR(Level-2) calls.

Policies (L4) – This layer controls browser security and allows overall security to end users. Security policies like SOP, CORS, etc. are defined here.

Top 10 attack vectors
Structured layers as mentioned in the above section provide more clarity on a possible enhanced attack surface. This exposes browser components of an application to a set of possible threats which can be exploited. Listed below are possible top 10 threats where new HTML5 features along with emerging software developing patterns, have significant impact.

1. ClickJacking & Phishing by mixing layers and iframe – ClickJacking is becoming a popular attack vector in current applications. A number of social networking sites allow reloading into an iframe. This opens up an opportunity for successfully initiating ClickJacking attacks on these sites. Also, HTML 5 allows iframe with sandbox; sandboxes have interesting attributes such as allow-scripts that help in breaking frame- bursting code implementation by not allowing script execution within the frame. This means that frame-bursting code will not come into play though the X-Frame option would remain applicable. In few cases it is possible to enable ClickJacking with HTML 5 enhanced iframe/sandbox (nested). New interesting tags such as presentation tags may help in creating an illusory presentation layer as well. In general HTML 5 helps in opening up few additional ways of performing ClickJacking.

2. CSRF and leveraging CORS to bypasses SOP – Same Origin Policy (SOP) dictates cross domain calls and allows establishment of cross domain connections. SOP bypass allows a CSRF attack vector to be deployed; an attacker can inject a payload on a cross domain page that initiates a request to the target domain without the consent or knowledge of the victim. HTML5 has one more method in place called CORS (Cross Origin Resource Sharing). CORS is a “blind response” technique and is controlled by an extra HTTP header “origin”, which when added, allows the request to hit the target. Hence, it is possible to do a one-way CSRF attack. It is possible to initiate a CSRF vector using XHR-Level 2 on HTML5 pages. This can prove to be a really lethal attack vector. In this attack, XHR establishes a stealth connection – using the POST method, a hidden, XHR connection can be set using the attribute “withCredentials” set to true. Doing so allows cookies to be replayed and helps in crafting a successful CSRF or session riding scenario. Interestingly HTML 5 along with CORS allows performing file upload CSRF as well. Hence, without the victim’s consent or knowledge, a file can be uploaded using the victim’s account. Imagine your photo on Google or Facebook being changed while browsing an attacker’s page – alarming indeed!

3. Attacking WebSQL and client side SQL injection – HTML 5 allows offline databases in the form of WebSQL. This feature enhances performance. We have seen SQL injections on the server side but this mechanism can open up client side SQL injections. If the application is vulnerable to XSS then an attacker can steal information from WebSQL and transfer it across domains. Imagine a bank or trading portal storing the last 20 transactions on WebSQL being the target of an XSS attack.

4. Stealing information from Storage and Global variables – HTML 5 supports LocalStorage, wherein a developer can create LocalStorage for the application and can store some information. This storage can be accessed from anywhere in the application. This feature of HTML 5 offers great flexibility on the client side. LocalStorage can be accessed through JavaScript. This allows an attacker to steal information via XSS, if the application is vulnerable to an XSS attack. Imagine an attacker using XSS to get session token or hash from the LocalStorage.

5. HTML5 tag abuse and XSS – HTML 5 has some interesting additional tags, these tags allows dynamic loading of audio and video. These tags have some interesting attributes like poster, onerror, formaction, oninput, etc. All these attributes allows JavaScript execution. These tags can be abused both for XSS and CSRF. One needs to be extra careful during dynamic reloading and the implementation of these new tags and feature. WAF needs to be reconfigured for allowing tag-based injection to deflect both persistent and reflected XSS.

6. HTML5 and DOM based XSS and redirects – DOM-based XSS attacks are on the rise. This can be attributed to the fact that large applications are built using single DOM and XHR/Ajax. Several HTML 5 tags and attributes are controlled by DOM calls. Poorly implemented DOM calls like eval() or document.*() can cause a “cocktail” attack vector where both DOM and HTML5 can be leveraged simultaneously. This expands the attack surface allowing more entry points for attackers. The impact would be tremendous in a DOM-based XSS attack on an HTML 5 application running Widgets, Mashup, Objects etc . , because the entire DOM would be accessible to the attacker.

7. DOM injections and Hijacking with HTML 5 – Browser specifications are changed in three dimensions – HTML 5, DOM-Level 3 and XHR-Level2; each tightly integrated with the other. It is not possible to separate them while coding an application. HTML 5 applications use DOM extensively and dynamically change content via XHR calls. DOM manipulation is done by several different DOM-based calls and poor implementation allows DOM-based injections. These injections can lead to a set of possible attacks and exploits like DOM-based XSS, content extraction from DOM, variable manipulation, logical bypasses, information enumeration, etc. At the same time DOM loads different objects like Flash and Silverlight, making for interesting attack points. It is possible to hijack the entire DOM along with these objects and craft several different attack vectors as part of cross domain mechanism. DOM injections can allow add-on hacking and other browser-related hacks.

8. Abusing thick client features – HTML 5 also allows thick client like features inside a browser’s UI. These features can be leveraged by an attacker to craft attack vectors. An attacker can leverage drag-drop thick client APIs which can help in exploiting self XSS, forcing data on the fields, content/session extraction, etc. It can be linked with iframe-driven ClickJacking or UI redressing issues. It can be seen as an expanded ClickJacking attack vector. A few other interesting tags can be leveraged as well.

9. Using WebSockets for stealth attacks – HTML 5 supports WebSocket – a feature that allows browsers to open sockets to target ports on certain IPs. There are some restrictions on the list of ports that can be used. Nevertheless, an interesting feature. This can be used by an attacker to craft a vector which communicates with web ports and even with non-webports with restrictions. Imagine a user loading a page, only to have the page opening sockets and doing a port scanning on internal IP addresses. If this port scan finds an interesting port 80 open on your internal network, a tunnel can be established through your browser. Doing so would actually end up bypassing the firewall and allows access to internal content.

10. Abusing WebWorker functionality – WebWorker is newly added vector in HTML 5. It allows threading using JavaScript. WebWorker can help in payload delivery and exploitation to typical Web 2.0 applications. Web 2.0 applications run in single DOM, in this case, if the application is vulnerable to DOM-based XSS, then it is possible to inject a stealth thread in the background, which would allows an attacker to monitor all activities going on in that particular DOM. If the DOM hosts widgets and other components, the attacker starts getting useful information. Imagine a scenario where WebWorker keeps a watch on username and password fields in one of the widgets. No sooner does a user enter username and password, than this information is grabbed and POSTed back.

HTML 5, DOM and XHR embedded via JavaScript are involved in creating next generation applications. A next generation application stack is bound to leverage HTML 5, Silverlight and Flash/Flex, Being vendor- neutral and native to the browser HTML 5 should get wider acceptance. Enhanced features of HTML 5 bring new threats and challenges. In this paper we have discussed possible top 10 vectors but this only seems to be the beginning, HTML 5 is just warming up. Different libraries and ways of development are bound to emerge over time and in the process open up new attack surfaces and security issues. Contemplating on the above top 10 would give us more ideas about controls required for security as time progresses.