Dec 11, 2010

Top 5 Security Threats in HTML5


HTML4 was introduced in 1997. HTML5 adds many new features, and with them potential security vulnerabilities. This isn't to say that HTML5 is "flawed," but that it creates new attack vectors for hackers to exploit. Some originate from elements of the standard itself, some from each browser's implementation of the standard, and some from the care that developers do (or do not) take in building their HTML5 code.

1. Cross-Document Messaging

HTML5 introduces a new API, postMessage, that lets a script in one domain pass data to a script running on another domain, but HTML5 itself does not enforce an origin check on the messages a script receives. This means a careless developer might not implement origin verification at all, essentially leaving the script exposed to postMessage requests from malicious sites.
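The receiver-side origin check described above, as an added example in JavaScript that is not code from the original article: a handler that trusts every message beside one that verifies the sender first. The trusted origin `https://app.example.com` and the `token` payload field are assumptions.

```javascript
// Added example (not from the original article): a postMessage receiver that
// verifies event.origin before trusting event.data, beside one that does not.
// Handlers take a MessageEvent-like object ({ origin, data }) so they can be
// exercised outside a browser; in a page you would register the hardened one with
//   window.addEventListener("message", (e) => handleMessageChecked(e, appState));

// Assumed trusted sender; a real app would list its own origins here.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Vulnerable: trusts every message regardless of which window sent it.
function handleMessageUnchecked(event, state) {
  state.token = event.data.token; // attacker-controlled if any site can post here
  return true;
}

// Hardened: exact-match allowlist on event.origin, then validate the payload shape.
// Exact comparison matters: substring or startsWith checks would accept
// "https://app.example.com.attacker.test".
function handleMessageChecked(event, state) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return false; // drop silently; do not echo data back to an unknown origin
  }
  const d = event.data;
  if (typeof d !== "object" || d === null || typeof d.token !== "string") {
    return false; // unexpected shape, even from a trusted origin
  }
  state.token = d.token;
  return true;
}

// Sender side: name the recipient origin explicitly instead of "*" so the data is
// never delivered to a window that has since navigated to some other site.
function sendToTrusted(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*" || !TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to an unlisted origin: " + targetOrigin);
  }
  targetWindow.postMessage(payload, targetOrigin);
}
```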

2. Local Storage

A newly introduced HTML5 feature is offline storage: a client-side SQL database that JavaScript can access even while offline. When storing sensitive data, such as email messages or passwords, it is up to developers to use SSL and to generate unique database names (so an attacker cannot guess a predictable one). Developers are also expected to use prepared SQL statements rather than assembling queries from strings in JavaScript code, or else hackers could intercept or emulate these queries to execute "SQL injection".

3. Attribute Abuse

In addition to providing many new tags, HTML5 also introduces new attributes, some of which may be subject to abuse. A particular threat is when attributes can be used to trigger automatic script execution.

For example, the new HTML5 attribute "autofocus" will automatically switch browser focus to the specified element—a trick that is sometimes useful for user interface design and previously had been implemented using JavaScript. Other new attributes, including "poster" and "srcdoc," allow page elements to point to external resources—resources that may be malicious in nature. 

Again, it is not that these attributes are flawed—they exist to enable richer functionality in Web applications—but that they also could be abused by bad actors.

4. Inline Multimedia and SVG

With its new <audio>, <video>, and <svg> tags, HTML5 can natively render popular media formats and vector graphics without external plug-ins. Each of these native parsers is new attack surface. For example, an earlier version of Google Chrome contained a documented bug in its SVG parser that could allow scripts to access the object properties of a page hosted on a different domain, violating the cross-domain security policy.

Each browser must implement its own native multimedia handling, and each implementation will have its own bugs, which may expose multiple attack vectors.

5. Input Validation

HTML5 provides rich client-side input validation, letting Web developers define input constraints alongside the forms themselves, with instant feedback to users. Because this validation syntax is new in HTML5, developers may be more prone to mistakes in their validation code, such as flawed regular expression (regex) syntax in page code that leads to a DoS against the browser.


Related links:
  • https://developer.mozilla.org/en/DOM/window.postMessage
  • http://diveintohtml5.org/offline.html
  • http://code.google.com/p/html5security/wiki/WebSQLDatabaseSecurity
  • http://code.google.com/p/chromium/issues/detail?id=21338
  • https://developer.mozilla.org/en/HTML/HTML5/Forms_in_HTML5#Constraint_Validation