The HTML5 Center Blog

CORSjacking, Clickjacking Threaten HTML5 Applications

by Fahmida Y. Rashid (August 20, 2012)

HTML5 promises many nifty tricks, but those very features can also be used maliciously.

With HTML5, applications can take advantage of advanced features, such as letting Websites store data locally, executing code while offline and accessing installed hardware such as cameras and microphones. Developers see HTML5 as a way to make Websites more powerful and to write applications that can run on desktops as well as mobile devices without requiring a complete rewrite.

Threat #1: CORSjacking

You might recall that last month I discussed how cross-site request forgery attacks take advantage of XMLHttpRequest (XHR), the Document Object Model (DOM), and Cross-Origin Resource Sharing (CORS) to inject malicious payloads on one domain that initiate a request on a different domain. I'm not the only one concerned.

At the Black Hat security conference last month, Shreeraj Shah, founder of Blueinfy, unveiled his list of top 10 threats that use HTML5 and demonstrated sample attacks for each one. By tricking users into visiting a maliciously crafted HTML5 Website, Shah said, attackers could gain access to files stored on the computer. "There's a lot of opportunity for hijacking the browsers with HTML5," warned Shah.

Threat #2: Clickjacking

With many sites, including social networking sites, allowing other pages to load in an IFRAME, clickjacking is also becoming a popular attack method. At Black Hat, Shah demonstrated how a user trying to access a real banking Website could be directed to a fake login site because a different HTML5 site had manipulated certain resources.

The real banking site may have a Flash application with its own login file (login.swf), which is loaded into the browser via an object tag, he explained. If the HTML5 page being loaded in the browser has a DOM-based issue, it is possible to manipulate where the browser thinks the actual login object is. CORSjacking allows the attacker to point the browser to a similar file residing on the fake banking site.

The user may believe the login page is part of the real banking site, but is actually entering account credentials into a fake login screen. This kind of attack can also be used with Silverlight resources.

Fortunately, there is a way to defend against this kind of injection. Before the site loads the component into the browser, the object should be "self-aware" and able to check what domain it actually arrived on. If it is not on the correct domain, Shah advised, then the object should not be allowed to execute cross-domain.
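As an added illustration (not code from the article or from Shah's demonstration), the following JavaScript shows the two defensive checks the two threats above call for: a page-side allow-list that refuses to load a login component (object, embed or iframe source) from any origin but the bank's own, and the response headers that stop the login page itself from being framed. The origin https://bank.example and the paths are placeholders.

```javascript
// Added example, not part of the article. bank.example is a placeholder origin.
// Assumes the WHATWG URL API (available in browsers and Node.js).
const TRUSTED_ORIGINS = new Set(["https://bank.example"]);

// Returns the absolute URL a login component may be loaded from, or null when
// the candidate (e.g. a path read from the DOM or a query string) must be refused.
function resolveTrustedResource(candidate, pageOrigin, trusted = TRUSTED_ORIGINS) {
  let url;
  try {
    // Relative paths resolve against the page's own origin. A protocol-relative
    // "//evil.example/login.swf" resolves to a different origin and fails below.
    url = new URL(String(candidate), pageOrigin);
  } catch (_) {
    return null; // unparsable input is refused rather than "repaired"
  }
  if (url.protocol !== "https:") return null; // rejects javascript:, data:, http:
  // Exact origin comparison: "https://bank.example.evil.example" and
  // "https://bank.example@evil.example" both parse to an untrusted origin.
  if (!trusted.has(url.origin)) return null;
  return url.href;
}

// Clickjacking mitigation for the login page itself: response headers that
// forbid framing. allowedParents lists the origins permitted to embed the page;
// an empty list means no site may frame it.
function frameProtectionHeaders(allowedParents = []) {
  const parents = allowedParents.map((origin) => new URL(origin).origin);
  if (parents.some((origin) => !origin.startsWith("https://"))) {
    throw new Error("frame ancestors must be https origins");
  }
  const sources = parents.length > 0 ? parents.join(" ") : "'none'";
  const headers = { "Content-Security-Policy": `frame-ancestors ${sources}` };
  // X-Frame-Options has no allow-list form, so it is only sent in the deny case
  // (it covers browsers that predate CSP frame-ancestors).
  if (parents.length === 0) headers["X-Frame-Options"] = "DENY";
  return headers;
}

// Constructed inputs showing the decisions:
console.log(resolveTrustedResource("/flash/login.swf", "https://bank.example"));
// -> https://bank.example/flash/login.swf
console.log(resolveTrustedResource("//evil.example/login.swf", "https://bank.example"));
// -> null
console.log(frameProtectionHeaders());
// -> { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'DENY' }
```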

Increased Adoption Demands Secure Coding

HTML5 adoption will grow as more companies look at the new Web standard to improve the online customer experience and deliver enhanced features to mobile users. "HTML5 is no longer an emerging toolset for mobile and tablet development," analyst Peter Sheldon wrote recently on his Forrester blog. "Instead, it is fast becoming the de facto standard for Web experience innovation across touch points."

A full-fledged HTML5 site offers substantial functionality, including storing small databases locally, executing SQL commands, and accessing files. As Sheldon explains: "You can compare HTML5 with a small operating system running in your browser."

Major brands in various industry sectors, including Best Buy in retail and the Four Seasons Hotel in hospitality, have embraced HTML5, noted Sheldon. Developers can take advantage of existing code and enhance their sites incrementally. Many mobile apps are also taking advantage of the hybrid model, combining HTML5 and native code within a single application.

While HTML5 puts more tools in the box, it "doesn't change the fundamentals of how to build the Website," he concluded. Organizations making the shift to HTML5 have to make sure their developers are coding securely.

As we've seen, HTML5 has a lot of rich capabilities that can be used to craft attacks that access local resources, take control of the computer or redirect users. As the standard matures and additional libraries are created, new attack surfaces will surely crop up. Developers need to start thinking about these possible vulnerabilities from the outset of their HTML5 initiatives.

So far, we've looked at cross-site request forgery attacks and clickjacking. There's a lot more left from Shah's list of top ten HTML5 threats and others, which we'll explore over the next few weeks. Until then, I'd like to know what you think.

Will these new attack methods slow down HTML5 adoption? Have you seen examples of clickjacking attacks using HTML5?

About the Author
Fahmida Y. Rashid is a contributing editor for Slashdot and SourceForge.
