HTML5 Top 10 Security Threats, Stealth Attacks and Silent Exploits

HTML5, the new Web standard that will make it easier to develop websites and applications that run on various screen sizes, is also vulnerable to stealth attacks and silent exploits, a security researcher said at the Black Hat security conference.

HTML5 faces a number of threats, including cross-site scripting and resource hijacking, Shreeraj Shah, founder of application security vendor Blueinfy, told attendees at the Black Hat security conference in Las Vegas Thursday. The fact that the new Web standard has cross-platform support and integrates several other technologies increases the attack surface, Shah said.

Even though it is still new and evolving, attacks against the new standard is already on the rise, Shah said. HTML5 pulls together many components, including XMLHttpRequest (XHR), cross-origin resource sharing (CORS), webSQL, and localstorage. In addition to the elements included in the specification such as Web messaging, Web sockets, and Canvas 2D, HTML5 includes related technologies such as SVG for graphics, CSS3 for stylesheets, Geolocation, and APIs for Calendar and File, among others.

“HTML5 is out there and people are using it,” Shah told attendees.

Attacks against HTML5 are stealthy, and silent and generally target the application's presentation and the business logic layers, Shah said. The top 10 threats against HTML5 target XHR and HTML5 tags, feature-rich components such as browser SQL and storage, and DOM, said Shah. The list is as follows:

1. CSRF with XHR and CORS bypass

2. Jacking – click, CORS, tabs

3. HTML5-driven cross-site scripting using tags, events and attributes

4. Attacking storage and DOM variables

5. Exploiting Browser SQL points

6. Injection with Web Messaging and Workers

7. DOM-based cross site scripting and issues

8. Offline attacks and cross-widget vectors

9. Web socket issues

10. API and protocol attacks

The new technologies that make up HTML5 brings in several new threats. CORS is vulnerable to data transfer and origin issues, HTML5 forms can be manipulated, and client-side storage and SQL exposes the application to injection attacks, Shah said. It was critical to address how these attack vectors would work in today's environment before attackers start taking advantage of these features for malicious purposes, Shah explained.

Shah called the XHR object in HTML5 “very powerful,” as it allows a variety of features, such as cross-origins requests and binary uploads and downloads. Attacks include bypass CORS preflight calls, forcing authentication cookies to replay with credentials, internal network scanning and tunneling, information harvesting, and abusing the business logic by uploading binary streams. Users could be tricked into uploading content onto the server, Shah said.

Some of the threat vectors can be mitigated by strengthening the CORS implementation, using secure JavaScript coding practices, and improving CORS controls, Shah said. Developers should look at secure libraries for streaming HTML5/Web 2.0 content and secure CORS. Developers should also employ standard cross-site-scripting protections and not store sensitive information inside localStorage.

Shah called the top 10 vectors just the “beginning,” and that HTML5 is just “warming up.” Different libraries and ways of development are bound to emerge over time and open up new risks and security issues. Looking at these threats would provide some ideas about security controls necessary for future applications, he said.