Top Ten HTML5 Attack Vectors

Friday, December 09, 2011

Shreeraj Shah, Founder of Blueinfy, has published an article on HelpNet outlining his analysis of the top ten HTML5 threats and attack vectors.

HTML5 is an emerging standard for developing Rich Internet Applications and is offered as an alternative to Microsoft's Silverlight and Adobe's Flex/Flash.

"Every new technology stack throws up new security challenges and vulnerabilities. HTML 5, though very promising, is no different. There are security concerns that need to be addressed when creating applications," Shah writes.

Shah first illustrates how modern browsers have four logically structured layers (Presentation, Process/Logic, Network and Policies) and how they relate to the threat model and attack surface.

"Structured layers... provide more clarity on a possible enhanced attack surface. This exposes browser components of an application to a set of possible threats which can be exploited," Shah explains.

The following is Shah's listing of the top ten HTML5 attack vectors, each with a brief excerpt of his analysis:

1. ClickJacking & Phishing by mixing layers and iframe

  • "HTML 5 allows iframe with sandbox; sandboxes have interesting attributes such as allow-scripts that help in breaking frame- bursting code implementation by not allowing script execution within the frame. This means that frame-bursting code will not come into play though the X-Frame option would remain applicable..."

2. CSRF and leveraging CORS to bypass SOP

  • "HTML5 has one more method in place called CORS (Cross Origin Resource Sharing). CORS is a “blind response” technique and is controlled by an extra HTTP header “origin”, which when added, allows the request to hit the target. Hence, it is possible to do a one-way CSRF attack..."

3. Attacking WebSQL and client side SQL injection

  • "HTML 5 allows offline databases in the form of WebSQL... If the application is vulnerable to XSS then an attacker can steal information from WebSQL and transfer it across domains..."

4. Stealing information from Storage and Global variables

  • "HTML 5 supports LocalStorage... [which] can be accessed through JavaScript. This allows an attacker to steal information via XSS, if the application is vulnerable to an XSS attack..."

5. HTML5 tag abuse and XSS

  • "HTML 5 has some interesting additional tags... [which] can be abused both for XSS and CSRF. One needs to be extra careful during dynamic reloading and the implementation of these new tags and feature..."

6. HTML5 and DOM based XSS and redirects

  • "Several HTML 5 tags and attributes are controlled by DOM calls. Poorly implemented DOM calls like eval() or document.*() can cause a “cocktail” attack vector where both DOM and HTML5 can be leveraged simultaneously. This expands the attack surface..."

7. DOM injections and Hijacking with HTML 5

  • "HTML 5 applications use DOM extensively and dynamically change content via XHR calls. DOM manipulation is done by several different DOM-based calls and poor implementation allows DOM-based injections. These injections can lead to a set of possible attacks and exploits..."

8. Abusing thick client features

  • "HTML 5 also allows thick client like features inside a browser’s UI. These features can be leveraged by an attacker to craft attack vectors. An attacker can leverage drag-drop thick client APIs..."

9. Using WebSockets for stealth attacks

  • " HTML 5 supports WebSocket... [which] can be used by an attacker to craft a vector which communicates with web ports and even with non-webports with restrictions..."

10. Abusing WebWorker functionality

  • "WebWorker is newly added vector in HTML 5... [which]  can help in payload delivery and exploitation to typical Web 2.0 applications... if the application is vulnerable to DOM-based XSS..."

"Different libraries and ways of development are bound to emerge over time and in the process open up new attack surfaces and security issues. Contemplating on the above top 10 would give us more ideas about controls required for security as time progresses," Shah concludes.

For the full analysis of each of the threat vectors identified, see Shah's complete article at HelpNet: