“Web apps are becoming incredibly rich with HTML5. The browser is starting to manage full-bore applications and not just web pages,” said Sid Stamm, who works on Firefox security issues for the Mozilla Foundation. Stamm was speaking at the Usenix Security Symposium, held last week in Washington DC.
“There is a lot of attack surface we need to think about,” he said.
On the same week Stamm expressed worry over HTML5, developers of the Opera browser were busy fixing a buffer overflow vulnerability that could be exploited using the HTML5 canvas image-rendering feature.
Is it inevitable that the World Wide Web Consortium’s (W3C) new set of standards for rendering web pages, collectively known as HTML5, come with a whole new bundle of vulnerabilities? At least some security researchers are thinking this is the case.
The W3C is “gearing this entire redesign over the idea that we will start executing applications within the browser, and we’ve proven over the years how secure browsers are,” said Kevin Johnson, a penetration tester with security consulting firm Secure Ideas. “We have to go back to understanding the browser is a malicious environment. We lost sight of that.”
All this new proposed functionality is beginning to be explored by security researchers.
Earlier this year, Kuppan and another researcher posted a way to misuse the HTML5 Offline Application Cache. Google Chrome, Safari, Firefox and the beta of the Opera browser have all already implemented this feature, and would be vulnerable to attacks that used this approach, they noted.
The researchers argue that because any web site can create a cache on the user’s computer, and, in some browsers, do so without that user’s explicit permission, an attacker could set up a fake log-in page to a site such as a social networking or e-commerce site. Such a fake page could then be used to steal the user’s credentials.
Other researchers were divided about the value of this finding.
“It’s an interesting twist but it does not seem to offer network attackers any additional advantage beyond what they can already achieve,” wrote Chris Evans on the Full Disclosure mailing list. Evans is the creator of the Very Secure File Transfer Protocol (vsftp) software.
Dan Kaminsky, chief scientist of the security research firm Recursion Ventures, agreed that this work is a continuation of attacks developed before HTML5. “Browsers don’t just request content, render it, and throw it away. They also store it for later use … Lavakumar is observing that the next-generation caching technologies suffer this same trait,” he said, in an email interview.
Critics agreed that this attack would rely on a site not using Secure Sockets Layer (SSL) to encrypt data between the browser and web page server, which is commonly practiced. But even if this work did not unearth a new type of vulnerability, it does show that an old vulnerability can be reused in this new environment.
Johnson says that, with HTML5, many of the new features constitute threats on their own, due to how they increase the number of ways an attacker could harness the user’s browser to do harm of some sort.
“For years security has focused on vulnerabilities – buffer overflows, SQL injection attacks. We patch them, we fix them, we monitor them,” Johnson said. But in HTML5’s case, it is often the features themselves “that can be used to attack to us,” he said.
As an example, Johnson points to Google’s Gmail, which is an early user of HTML5’s local storage capabilities. Before HTML5, an attacker may have had to steal cookies off a machine and decode them to get the password for an online email service. Now, the attacker needs only to gain entry into the user’s browser, where Gmail stores a copy of the inbox.
“These feature sets are scary,” he said. “If I can find a flaw in your web application, and inject HTML5 code, I can modify your site and hide things I don’t want you to see.”
With local storage, an attacker can read data from your browser, or insert other data there without your knowledge. With geolocation, an attacker can determine your location without your knowledge. With the new version of Cascading Style Sheets (CSS), an attacker can control what elements of a CSS-enhanced page you can see. The HTML5 WebSocket supplies a network communication stack to the browser, which could be misused for surreptitious backdoor communications.
This is not to say that the browser makers are oblivious to this issue. Even as they work to add in the support for the new standards, they are looking at ways to prevent their misuse. At the Usenix symposium, Stamm noted some of the techniques that the Firefox team is exploring to mitigate damage that could be done with these new technologies.
For instance, they are working on an alternative plug-in platform, called JetPack, that would keep tighter control of what actions a plug-in could execute. “If we have complete control of the [application programming interface], we’re able to say ‘This add-on is requesting access to Paypal.com, would you allow it?’” Stamm said.
JetPack may also use a declarative security model, in which the plug-in must declare to the browser each action it intends to undertake. The browser then would monitor the plug-in to ensure it stays within these parameters.
Still, whether browser makers can do enough to secure HTML5 remains to be seen, critics contend.
“The enterprise has to start evaluating whether it is worth these features to roll out the new browsers,” Johnson said. “This is one of the few times you may hear ‘You know, maybe [Internet Explorer] 6 was better.’”