HTML5 Handling Security Issues, Security Threats for HTML5, HTML5 Application Development Risks

White Paper: HTML 5 Handling Security Issues (idexcel)


If you are thinking about migrating to HTML 5, are there any security handling issues? This white paper addresses the security issues that come with HTML5 and how they can be handled efficiently.


Introduction

Lots of key technologies are emerging in the market every day, and with these latest technological advancements come the latest security threats. It is common for any new technology to have pitfalls and defects, and although the standards are defined, there is always a good chance of security lapses and loose threads here and there. One such upcoming key technology is HTML5, the most recent version of HTML, codified by the W3C (World Wide Web Consortium), the main body for setting standards for the Web. In this paper, we will try to understand and explore the security issues related to this emerging technology.


HTML 5: A Peek

HTML4 was the most successful and widely used markup format, and HTML5 has been built on its success, with an additional feature set larger than the previous version, especially the rich media extensions. HTML5 is quite relevant in today’s web development industry. It is a collection of individual features, and using it does not require throwing away existing markup or relearning things. Web applications that worked in HTML4 will work in HTML5 because HTML5 supports all the form controls from HTML4.


However, there are some important additions in HTML5, such as new input controls, sliders, date pickers etc. It has tight integration with JavaScript so that the default functionality of HTML elements can be extended. HTML5 closely integrates with browsing devices and offers features such as graphics rendering and location awareness. The application cache feature can be used to download the application to the browser so that it works even in offline mode.


What Does HTML5 Do

- Data can be stored on a user’s computer or mobile device, so web apps work without an Internet connection.
- Web pages can have flashier type with more fonts, shadows, colours and other effects.
- Objects move on Web pages and react to the movements of a cursor.
- Audio is played without a plug-in. Browser makers have not agreed on formats.
- Interactive games can run with just a Web browser without installing other software or plug-ins. A technology called WebGL can create interactive 3D effects using a computer’s graphics processor.
- Video can be embedded in a Web page without a plug-in. Browser makers have not agreed on formats.


HTML5 is supported by all the major browsers, and there are no fears of cross-browser compatibility as there are large polyfill libraries providing support to the older browsers. By using LocalStorage and IndexedDB, developers can store data locally in the browser, and this data will persist across sessions. Complicated animations can be created by using keyframes. The large set of APIs improves performance, enhances the application experience, and reduces battery drain on mobile devices. The Audio and Video elements can stream multimedia content faster. Older browsers can gracefully degrade or can have polyfills loaded to implement the new feature without causing any disruption in the application.

[Figure: Browser support for HTML5 elements. Features charted: Drag & Drop, Video Element, Audio Element, Offline Web Apps, Semantic Elements, HTML5 Forms, Form Validation, Canvas. The chart listed the minimum supporting browser versions and support percentages (values between 12.5% and 100%); the mapping of values to features and browsers is not recoverable from the extracted text.]


Changing Landscape

Although HTML is meant to be a standard, hardware and application vendors have their own constraints in terms of version specification or their current platforms. Additionally, the same specifications are interpreted differently by different developers, and hence the same functionality is implemented slightly differently in different applications. Several vendors are definitely implementing HTML5 features; however, the finalized recommendations or specifications are tentatively scheduled for the year 2022.

HTML5 is a markup language, not a programming language, and hence it is mainly used for structure and content. Web developers have been using Java, Flash, Shockwave and Silverlight for several years, and hence adoption of HTML5 is not high. However, with a few giants such as Netflix, Facebook, Amazon and YouTube making the shift, the industry is gradually moving towards HTML5. It opens up an entirely new range of possibilities for the Web, such as email clients that work offline and 3D environments.

Attack Vectors

No doubt the enhancements in HTML5 are great; however, these advancements have opened more exploitation vectors for hackers and cybercriminals. HTML5 offers capabilities such as location awareness, access to the microphone and webcam, and graphics rendering, and hence provides much wider access to the resources of the computer compared to its predecessor. It has been built to integrate with the latest web browsing devices, and the application cache feature can be used to download the application to the browser. Scenarios for exploitation have not drastically changed for HTML5. Attackers still rely on XSS, or Cross-Site Scripting, or lure users to a website to execute a malicious payload. HTML5 websites still use JavaScript as the main scripting language, and hence the abuses and vulnerabilities inherent to the language still apply. In addition, the new XSS vectors in HTML5 use new tags and elements, and cybercriminals can use these new attributes to execute payloads (for example, using the autofocus attribute). <iframe sandbox> is another attribute that can be exploited by using frame-busting JavaScript code. Web storage encompasses WebSQL and IndexedDB. Session Storage is kept in the browser process memory, and hence it is possible to perform DoS, or Denial of Service, resource exhaustion attacks if a storage limit is not specified.

Due to their novelty, WebSockets get a lot of attention as they provide an alternative to HTTP polling for communication from a web page to a remote server. WebSocket vulnerabilities most likely centre on the server implementation. An attacker can abuse an injection flaw to execute code, can intercept or log messages, or can perform server DoS attacks. The Geolocation API provides a means to determine the location of the user via JavaScript. It returns values such as longitude, latitude and accuracy, and can be used for points-of-interest applications and navigation assistance, but at the same time can give rise to security issues due to the storage of trails of locations over a period of time.
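The paper places WebSocket risk on the server implementation: injection through message content, and DoS by clients holding sockets open. The following is an added example (not code from the whitepaper or from Idexcel) of the three checks a WebSocket endpoint should apply before trusting a connection or a message: an Origin allowlist at the handshake, strict schema validation of every frame, and a per-connection rate cap. The function names, the allowlist, the command schema and the sample messages are all constructed for this illustration; the handshake header object is modelled on Node's http.IncomingMessage.headers (lower-case keys).

```javascript
// Added example (hypothetical names): server-side checks for a WebSocket endpoint.

const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed allowlist
const MAX_MESSAGE_BYTES = 4096;   // reject oversized frames before parsing them
const MAX_MESSAGES_PER_SEC = 20;  // per-connection rate cap

// 1. Handshake: browsers send an Origin header on WebSocket upgrades. Checking it
//    against an allowlist stops a third-party page from opening a socket to this
//    server that carries the victim's cookies (cross-site WebSocket hijacking).
function isHandshakeAllowed(headers) {
  const origin = headers['origin'];
  if (typeof origin !== 'string') return false;
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket') return false;
  return ALLOWED_ORIGINS.has(origin);
}

// 2. Message validation: every frame is untrusted input. Parse it as JSON, require a
//    known command with typed fields and no extras, and constrain free-form values
//    to a safe alphabet so they can be used as keys without string concatenation.
const COMMANDS = {
  subscribe: { channel: 'string' },
  chat:      { channel: 'string', text: 'string' },
};

function parseClientMessage(raw) {
  if (typeof raw !== 'string' || Buffer.byteLength(raw, 'utf8') > MAX_MESSAGE_BYTES) {
    return { ok: false, reason: 'too-large-or-binary' };
  }
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { ok: false, reason: 'bad-json' }; }
  if (!msg || typeof msg !== 'object' || Array.isArray(msg)) return { ok: false, reason: 'not-object' };
  const schema = COMMANDS[msg.cmd];
  if (!schema) return { ok: false, reason: 'unknown-command' };
  for (const [field, type] of Object.entries(schema)) {
    if (typeof msg[field] !== type) return { ok: false, reason: `bad-field:${field}` };
  }
  const extra = Object.keys(msg).filter(k => k !== 'cmd' && !(k in schema));
  if (extra.length > 0) return { ok: false, reason: 'unexpected-fields' };
  if (!/^[a-z0-9_-]{1,32}$/.test(msg.channel)) return { ok: false, reason: 'bad-channel' };
  return { ok: true, cmd: msg.cmd, channel: msg.channel, text: msg.text };
}

// 3. Rate limiting: a sliding one-second window per connection, so a single client
//    cannot flood the server simply by keeping its socket open.
class MessageBudget {
  constructor(limit = MAX_MESSAGES_PER_SEC) { this.limit = limit; this.stamps = []; }
  allow(nowMs) {
    this.stamps = this.stamps.filter(t => nowMs - t < 1000);
    if (this.stamps.length >= this.limit) return false;
    this.stamps.push(nowMs);
    return true;
  }
}

// Constructed sample frames, as a server would receive them.
const SAMPLE_OK  = '{"cmd":"chat","channel":"general","text":"hello"}';
const SAMPLE_BAD = '{"cmd":"chat","channel":"gen eral","text":"hello"}';
```

In a real server each connection would own one MessageBudget and call allow() with the current time before parseClientMessage(); a false result or a failed parse should close the socket rather than attempt to interpret the frame.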


Web Workers free the user interface by giving the browser the ability to run scripts in the background. Hence long-running JavaScript code does not freeze the webpage; however, as the script keeps running in the background without the user’s knowledge, it keeps engaging system resources. If the web worker is not well written, it will consume system memory and degrade the user experience.


With the advancement of HTML5, SVG, or Scalable Vector Graphics, is gaining popularity as well. SVG can be used in addition to or instead of the <canvas> element, and it describes two-dimensional vector graphics in XML. For a successful exploit, an SVG file can be uploaded on the same domain as a page with injection vulnerabilities that supports the <object>, <iframe> or <embed> tag.
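The SVG risk above depends on two conditions: the uploaded file carries active content, and it is served from the same origin as the application. The following is an added example (not code from the whitepaper or from Idexcel) of how an upload handler can address both: a coarse pre-check that rejects SVG documents containing script, event-handler attributes, foreignObject, javascript: URLs or entity declarations, and a response policy that serves accepted files from a separate origin with nosniff and a sandboxing Content-Security-Policy. The function names, UPLOAD_ORIGIN and the two sample SVG documents are constructed for this illustration; the regex pass is a first filter, not an XML sanitizer, which is why the serving policy matters even when the check passes.

```javascript
// Added example (hypothetical names): pre-check and serving policy for uploaded SVG.

const UPLOAD_ORIGIN = 'https://uploads.example-cdn.net'; // constructed; shares no cookies or storage with the app

// Markup features that make an SVG active content rather than a picture.
const ACTIVE_SVG_PATTERNS = [
  /<script[\s>]/i,          // inline script
  /\son[a-z]+\s*=/i,        // event handler attributes (onload, onclick, ...)
  /<foreignObject[\s>]/i,   // embeds arbitrary HTML inside the image
  /javascript\s*:/i,        // javascript: URLs in href / xlink:href
  /<!ENTITY/i,              // XML entity declarations
];

// Coarse first pass only: a regex cannot fully parse XML, so rejection here is a
// convenience; the serving policy below is what contains anything that slips past.
function svgLooksActive(svgText) {
  return ACTIVE_SVG_PATTERNS.some(p => p.test(svgText));
}

// Strip any path component and keep a conservative character set for the name
// that ends up in the Content-Disposition header.
function safeFilename(name) {
  const base = String(name).replace(/^.*[\\/]/, '').replace(/[^A-Za-z0-9._-]/g, '_');
  return base.toLowerCase().endsWith('.svg') ? base : base + '.svg';
}

// Decide what to do with one upload: reject active files, otherwise store them and
// return the headers they must be served with.
function svgUploadDecision(svgText, filename) {
  if (svgLooksActive(svgText)) return { action: 'reject', reason: 'active-content' };
  return {
    action: 'store',
    servedFrom: UPLOAD_ORIGIN,
    headers: {
      'Content-Type': 'image/svg+xml',
      'X-Content-Type-Options': 'nosniff',                   // never sniffed into text/html
      'Content-Security-Policy': "sandbox; script-src 'none'", // no script, unique opaque origin
      'Content-Disposition': `inline; filename="${safeFilename(filename)}"`,
    },
  };
}

// Constructed sample documents.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">' +
                   '<circle cx="5" cy="5" r="4" fill="orange"/></svg>';
const ACTIVE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */">' +
                   '<script>/* constructed */</script></svg>';
```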

Vulnerabilities of Browsers

Browsers act as a thin client and deal with data from cached files and cookies for improved performance. HTML5 is being implemented differently by different browsers, mainly because the standard owned by the W3C is not in its finalized form. Hence, browsers are using varying security models, which can radically affect the attack model for the browser. Attackers could use the browser information to access the computer and may get access to personal data. HTML5 offers more offline caching and local storage, and hence browsers contain much more sensitive information. This makes the browser a direct gateway to the stored data. This small change can cause quite significant security issues, as browser vendors will be required to build a more stringent security model, something similar to operating systems. Security becomes more challenging due to the loose definition of the security model, and browser vendors can make independent design decisions.


Privacy Issues

Privacy concerns have resulted in more stringent regulations related to cookies, which are used to track usage across several sites, recording the preferences, purchases and clicks made by users. Browser vendors are giving more priority and focus to privacy features as consumers are becoming more aware of data mining and web tracking, and hence are demanding more secure models.

The new local storage mechanism in HTML5 leads to more ways to store users’ information, and this could compromise personal security. The access model is more liberal and local storage is more flexible. Compared to cookies in HTML4, the issue of restricting or purging data is not very clear. As many people use mobile devices for browsing, media tools for mobile devices add to the privacy challenges.

HTML5 defines new helpful APIs (Application Programming Interfaces) to access cameras, the microphone and location services, but the security models of these services are not well tested, and are known to have security loopholes. Insecure use of APIs can leave websites open to manipulation and attack in several ways.

As a result, HTML5 carries a greater risk of data loss and invasion of privacy, mainly because of the integrated and flexible technology. Tags such as video, canvas and audio can open new attack possibilities for cybercriminals, as media-related functions can be very complicated. However, moving these capabilities, as in HTML5, to the core language and browser is an enhancement over the plugins that have been a constant target of cybercriminals.

Legacy Issues

HTML4 and JavaScript had some inherent security issues, and they continue to exist in HTML5. Cybercriminals are also exploring innovative ways to steal user information or spread malware. Browser vendors have tackled many loopholes and patched the security gaps to minimise the probability of cyber-attacks. However, as hackers investigate more features of HTML5, they will be able to find new ways to trick users, steal clicks and spread malware. Hence, software developers need to keep their filters and validation routines up to date. This includes using web application firewalls, or using free add-ons that can prevent attacks.
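The privacy section above notes that, unlike cookies, HTML5 local storage offers no clear way to restrict or purge data, and the attack-vectors section notes that unbounded storage invites resource exhaustion. The following is an added example (not code from the whitepaper or from Idexcel) of a wrapper that supplies those missing controls in application code: a per-application namespace, a mandatory expiry on every entry, a byte budget that refuses writes instead of silently filling the browser, and purge and clear routines for logout. The class and key names are hypothetical, and MemoryStorage is a constructed stand-in for window.localStorage so the code runs outside a browser (it implements the same length/key/getItem/setItem/removeItem surface, so the wrapper works unchanged on the real object).

```javascript
// Added example (hypothetical names): bounded, expiring, purgeable local storage.

// Constructed stand-in for window.localStorage, with the same method surface.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class ScopedStorage {
  // backend: any Storage-like object; namespace: prefix isolating this app's keys;
  // maxBytes: budget for keys plus values; now: clock, injectable for tests.
  constructor(backend, namespace, { maxBytes = 64 * 1024, now = () => Date.now() } = {}) {
    this.backend = backend;
    this.prefix = `${namespace}:`;
    this.maxBytes = maxBytes;
    this.now = now;
  }

  keys() {
    const out = [];
    for (let i = 0; i < this.backend.length; i++) {
      const k = this.backend.key(i);
      if (k && k.startsWith(this.prefix)) out.push(k);
    }
    return out;
  }

  usedBytes() {
    return this.keys().reduce((n, k) => n + k.length + (this.backend.getItem(k) || '').length, 0);
  }

  // Every entry carries an absolute expiry; a write that would exceed the budget is
  // refused (returns false) rather than letting storage grow without limit.
  set(key, value, ttlMs) {
    const fullKey = this.prefix + key;
    const record = JSON.stringify({ v: value, exp: this.now() + ttlMs });
    const existing = this.backend.getItem(fullKey);
    const delta = fullKey.length + record.length - (existing === null ? 0 : fullKey.length + existing.length);
    if (this.usedBytes() + delta > this.maxBytes) return false;
    this.backend.setItem(fullKey, record);
    return true;
  }

  // Expired or malformed records are deleted on read and reported as absent.
  get(key) {
    const fullKey = this.prefix + key;
    const raw = this.backend.getItem(fullKey);
    if (raw === null) return undefined;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { this.backend.removeItem(fullKey); return undefined; }
    if (!rec || typeof rec.exp !== 'number' || rec.exp <= this.now()) {
      this.backend.removeItem(fullKey);
      return undefined;
    }
    return rec.v;
  }

  // Housekeeping to run at startup: drop everything past its expiry.
  purgeExpired() {
    let removed = 0;
    for (const k of this.keys()) {            // keys() snapshots before we delete
      if (this.get(k.slice(this.prefix.length)) === undefined) removed++;
    }
    return removed;
  }

  // Logout: remove every entry in this namespace, leaving other apps' data alone.
  clear() {
    const ks = this.keys();
    ks.forEach(k => this.backend.removeItem(k));
    return ks.length;
  }
}
```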


Permissions

Most browsers use sandboxing to isolate themselves from the operating system and prevent the distribution of malware. However, the advanced browser capabilities of HTML5 open up an entirely new realm of data theft, commonly associated mainly with operating systems. As the browser is capable of accessing local data, breaking the sandbox and accessing the data via location or the media device, or visiting an infected website with the attack code, can prove fatal. Although more capabilities have been added to the browser, the permission model is still unclear, and hence developers need to plan a multi-dimensional security model.

To summarize, some of the most common threats and attacks are as follows:

- HTML5 tag abuse and XSS: The interesting tags of HTML5 allow dynamic loading of video and audio. These tags can be easily abused for CSRF and XSS.
- Stealing of information from Storage and Global variables.
- CSRF and leveraging CORS to bypass SOP: SOP, or Same-Origin Policy, governs cross-domain connections, and bypassing it allows deployment of a CSRF attack where the attacker can initiate a request to the target domain without the knowledge of the victim. CORS, or Cross-Origin Resource Sharing, allows the request to reach the target.
- Phishing and ClickJacking by mixing layers and iframes: ClickJacking is a common attack, mainly on social networking sites that allow reloading into an iframe. This gives cybercriminals an opportunity to initiate ClickJacking attacks.
- HTML5/DOM-based XSS and redirects: Incidents of DOM-based XSS attacks are increasing as large applications are built using a single DOM and Ajax/XHR. Many attributes and tags of HTML5 are controlled by DOM calls, and if these calls have been implemented poorly, they can allow more entry points for cybercriminals.
- Using WebSockets for stealth attacks: This feature allows browsers to open sockets to the ports of specific IPs. Although the list of usable ports is restricted, attackers can craft a vector to communicate with web ports and non-web ports, even if they have restrictions.
- Abusing thick client features: HTML5 allows thick-client-like features in the UI of browsers, and attackers can leverage these features to craft attack vectors.
- Abusing WebWorker functionality: WebWorker and Messaging allow threading using JavaScript. By helping in payload delivery, WebWorker can help exploit applications.
- Attacking WebSQL and client-side SQL injection: HTML5 provides enhanced performance by allowing offline databases in the form of WebSQL, and this mechanism opens up client-side SQL injection. Vulnerable applications allow attackers to steal information and transfer it across domains.
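Three items in the list above turn on the same mistake, trusting a value that arrived from the network or the URL: a CORS policy that reflects any Origin, a redirect target taken from a query parameter, and text written into the DOM as markup. The following is an added example (not code from the whitepaper or from Idexcel) of the corresponding defensive helpers: an exact-match origin allowlist for CORS response headers, a redirect check that resolves the input with the WHATWG URL parser (the same rules the browser applies) and accepts only http(s) URLs on listed hosts, and an HTML escaper for the cases where a string must be built for innerHTML (textContent or DOM APIs are preferable when possible). The origins, hosts and function names are constructed for this illustration.

```javascript
// Added example (hypothetical names): allowlist CORS, safe redirects, HTML escaping.

const CORS_ALLOWLIST = new Set(['https://app.example.com', 'https://admin.example.com']); // constructed

// Never reflect the request Origin unconditionally: combined with credentials that
// would let any site read responses as the logged-in user, bypassing the same-origin
// policy. Return no CORS headers at all for an origin not on the list.
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== 'string' || !CORS_ALLOWLIST.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                 // caches must not serve one origin's answer to another
  };
}

// Redirect targets from user input: resolve against the site's own base so that
// relative paths stay on-site and forms such as "//other.example/x" are resolved
// exactly as the browser would, then accept only http(s) on an allowed host.
function safeRedirectTarget(input, allowedHosts, base = 'https://app.example.com/') {
  if (typeof input !== 'string' || input.length > 2048) return null;
  let url;
  try { url = new URL(input, base); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // rejects javascript:, data:, ...
  if (!allowedHosts.has(url.host)) return null;
  return url.href;
}

// Escape the five characters that can change meaning inside HTML text or a
// double- or single-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable pattern, for contrast (do not use): container.innerHTML = location.hash.slice(1)
// Hardened: container.textContent = value, or container.innerHTML = escapeHtml(value)
// when markup must be assembled as a string.

const ALLOWED_REDIRECT_HOSTS = new Set(['app.example.com', 'help.example.com']); // constructed
```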


Conclusion

Most vulnerabilities are caused by insecure coding and improper configuration. The new features of HTML5 can be used as attack vectors only because of mistakes made by developers and administrators. Cybercriminals are constantly exploring new ways to attack devices, especially when web technology is deployed across a wider range of devices. HTML5 has introduced very powerful and interesting concepts, but as of now it is far from perfect. There is still a tug of war between usability, security, flexibility and privacy. At the same time, enhanced features are exposing new attack surfaces and security issues.

Security of any application depends on the care taken by the developer, and this includes writing secure code, filtering data, and borrowing from cheat sheets such as the ones produced by OWASP (Open Web Application Security Project). An important step to prevent incorrect use of data is to implement proper checks in the code. The technology for security needs to catch up with the latest technologies, vendors need to put more emphasis on privacy controls, and the guidelines set by regulatory authorities need to be revised and made more stringent. As long as the infrastructure and security procedures are modified to stay current with the latest developments, security incidents can be minimized. Html5.org contains a list of vulnerable attributes along with the vulnerable browsers.

Moving Forward

HTML5, XHR and DOM embedded via JavaScript are being increasingly used to create next-generation applications. HTML5 has become the backbone of eLearning, social media and web commerce. It is vendor neutral and native to the browser, and hence has far wider acceptance.

However, new features and refinements to the web also raise new security concerns. The associated new attack vectors need to be diligently identified, and security models need to be revised accordingly by security professionals. Several new browsers, or new versions of existing browsers, are being introduced quite frequently in the market, and hence it is still a long way before HTML5 is accepted as a worldwide standard. We need consistency across browsers, and stringent standards set by the universally accepted committees. We must plan well and stay ahead of malicious cyber-attackers. It is essential to understand all the attack vectors detailed in this paper, and proactively design defence strategies before cybercriminals can leverage these enhanced features of HTML5 to their advantage.


About the Author

Ponbharathi Bakthaduruvan works as a Technical Lead with Idexcel. He has over eight years’ experience in developing enterprise and rich internet applications using HTML5, CSS/CSS3, Adobe Flex and Java/J2EE technologies. He has expertise in software design, architecture, development, implementation and maintenance of enterprise applications and has delivered many successful projects. He has a deep knowledge of UI development using HTML5, CSS3, JavaScript, jQuery and developing enterprise-level applications using Java, J2EE, Hibernate, Spring, JSP, Servlet, Adobe Flex and ActionScript.

About Idexcel

Idexcel is an innovative provider of IT Products & Services focused on emerging technologies. We help world leading companies build efficiencies and stronger businesses. With more than 15 years in existence, Idexcel’s main focus is client satisfaction and technology innovation. Our industry expertise and a global, collaborative workforce form the backbone of our services. We offer a high degree of skills in Enterprise Applications, Cloud Services, Data-warehousing, Big Data, Analytics, QA & Testing Services, IT consulting and Staffing. The Idexcel product line includes: NDS, ERP, and Cync - a revolutionary credit monitoring application for manufacturing and financial management. For more information log on to www.idexcel.com.

Global Headquarters
459 Herndon Parkway, Suite 11
Herndon, VA 20170
Tel: 703-230-2600
Fax: 703-467-0218
Email: [email protected]

India Operations
“Crystal Plaza” 9, 10, 11
Bhuvanappa Layout, Hosur Road
Bengaluru – 560 029
Karnataka
Tel: +91-80-2550 8830
Email: [email protected]

© Copyright, Idexcel. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Idexcel. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
