HTML5 raises new security issues
- 21 August, 2010 03:07
When it comes to new security issues, the security team for the Firefox browser has the new version of the Web HyperText Markup Language, HTML5, foremost on its mind.
"Web apps are becoming incredibly rich with HTML5. The browser is starting to manage full-bore applications and not just Web pages," said Sid Stamm, who works on Firefox security issues for the Mozilla Foundation. Stamm was speaking at the Usenix Security Symposium, held last week in Washington D.C.
"There is a lot of attack surface we need to think about," he said.
In the same week that Stamm expressed worry over HTML5, developers of the Opera browser were busy fixing a buffer overflow vulnerability that could be exploited using the HTML5 canvas image-rendering feature.
Is it inevitable that the World Wide Web Consortium's (W3C) new set of standards for rendering Web pages, collectively known as HTML5, will come with a whole new bundle of vulnerabilities? At least some security researchers think this is the case.
"HTML5 brings a lot of features and power to the Web. You can do so much more [malicious work] with plain HTML5 and JavaScript now than it was ever possible before," said security researcher Lavakumar Kuppan.
The W3C is "gearing this entire redesign over the idea that we will start executing applications within the browser, and we've proven over the years how secure browsers are," said Kevin Johnson, a penetration tester with security consulting firm Secure Ideas. "We have to go back to understanding the browser is a malicious environment. We lost sight of that."
Although it is the name of a specification on its own, HTML5 is also often used to describe a loosely interrelated set of standards that, taken together, can be used to build full-fledged Web applications. They offer capabilities such as page formatting, offline data storage, image rendition and other aspects. (Though not a W3C spec, JavaScript is also frequently lumped in with these standards, so widely is it used in building Web applications.)
All this new proposed functionality is beginning to be explored by security researchers.
Earlier this summer, Kuppan and another researcher posted a way to misuse the HTML5 Offline Application Cache. Google Chrome, Safari, Firefox and the beta of the Opera browser have all already implemented this feature, and would be vulnerable to attacks that used this approach, they noted.
The researchers argue that because any Web site can create a cache on the user's computer, and, in some browsers, do so without that user's explicit permission, an attacker could set up a fake log-in page to a site such as a social networking or e-commerce site. Such a fake page could then be used to steal the user's credentials.
Other researchers were divided about the value of this finding.
"It's an interesting twist but it does not seem to offer network attackers any additional advantage beyond what they can already achieve," wrote Chris Evans on the Full Disclosure mailing list. Evans is the creator of the Very Secure File Transfer Protocol (vsftp) software.
Dan Kaminsky, chief scientist of the security research firm Recursion Ventures, agreed that this work is a continuation of attacks developed before HTML5. "Browsers don't just request content, render it, and throw it away. They also store it for later use ... Lavakumar is observing that the next-generation caching technologies suffer this same trait," he said, in an e-mail interview.
Critics agreed that this attack would rely on a site not using Secure Sockets Layer (SSL) to encrypt data between the browser and Web page server, which is commonly practiced. But even if this work did not unearth a new type of vulnerability, it does show that an old vulnerability can be reused in this new environment.
Johnson says that, with HTML5, many of the new features constitute threats on their own, due to how they increase the number of ways an attacker could harness the user's browser to do harm of some sort.
"For years security has focused on vulnerabilities--buffer overflows, SQL injection attacks. We patch them, we fix them, we monitor them," Johnson said. But in HTML5's case, it is often the features themselves "that can be used to attack us," he said.
As an example, Johnson points to Google's Gmail, which is an early user of HTML5's local storage capabilities. Before HTML5, an attacker may have had to steal cookies off a machine and decode them to get the password for an online e-mail service. Now, the attacker needs only to gain entry into the user's browser, where Gmail stores a copy of the inbox.
"These feature sets are scary," he said. "If I can find a flaw in your Web application, and inject HTML5 code, I can modify your site and hide things I don't want you to see."
With local storage, an attacker can read data from your browser, or insert other data there without your knowledge. With geolocation, an attacker can determine your location without your knowledge. With the new version of Cascading Style Sheets (CSS), an attacker can control what elements of a CSS-enhanced page you can see. The HTML5 WebSocket supplies a network communication stack to the browser, which could be misused for surreptitious backdoor communications.
This is not to say that the browser makers are oblivious to this issue. Even as they work to add in the support for the new standards, they are looking at ways to prevent their misuse. At the Usenix symposium, Stamm noted some of the techniques that the Firefox team is exploring to mitigate damage that could be done with these new technologies.
For instance, they are working on an alternative plug-in platform, called JetPack, that would keep tighter control of what actions a plug-in could execute. "If we have complete control of the [application programming interface], we're able to say 'This add-on is requesting access to Paypal.com, would you allow it?'" Stamm said.
JetPack may also use a declarative security model, in which the plug-in must declare to the browser each action it intends to undertake. The browser then would monitor the plug-in to ensure it stays within these parameters.
Still, whether browser makers can do enough to secure HTML5 remains to be seen, critics contend.
"The enterprise has to start evaluating whether it is worth these features to roll out the new browsers," Johnson said. "This is one of the few times you may hear 'You know, maybe [Internet Explorer]6 was better.'"
Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com