CORSjacking, Clickjacking Threaten HTML5 Applications
HTML5 promises many nifty tricks, but those very features can also be used maliciously.
With HTML5, applications can take advantage of advanced features, such as letting Websites store data locally, executing code while offline and accessing installed hardware such as cameras and microphones. Developers see HTML5 as a way to make Websites more powerful and to write applications that can run on desktops as well as mobile devices without requiring a complete rewrite.
Threat #1: CORSjacking
You might recall that last month I discussed how cross-site request forgery attacks take advantage of XMLHttpRequest (XHR), the Document Object Model (DOM), and Cross-Origin Resource Sharing (CORS) to inject malicious payloads on one domain that initiate a request on a different domain. I'm not the only one concerned.
At the Black Hat security conference last month, Shreeraj Shah, founder of Blueinfy, unveiled his list of top 10 threats that use HTML5 and demonstrated sample attacks for each one. By tricking users into visiting a maliciously crafted HTML5 Website, Shah said, attackers could gain access to files stored on the computer. "There's a lot of opportunity for hijacking the browsers with HTML5," warned Shah.
Threat #2: Clickjacking
With many sites, including social networking sites, allowing other pages to load in an IFRAME, clickjacking is also becoming a popular attack method. At Black Hat, Shah demonstrated how a user trying to access a real banking Website could be directed to a fake login site because a different HTML5 site had manipulated certain resources.
The real banking site may have a Flash application with its own login file (login.swf), which is loaded via an object tag into the browser, he explained. If the HTML5 page being loaded in the browser has a DOM-based issue, it is possible to manipulate where the browser thinks the actual login object is. CORSjacking allows the attacker to point the browser to a similar file residing on the fake banking site.
The user may believe the login page is part of the real banking site, but is actually entering account credentials in a fake login screen. This kind of attack can also be used with Silverlight resources.
Fortunately, there is a way to defend against this kind of injection. Before the site loads the component into the browser, the object should be "self aware" and be able to check what domain it actually arrived on. If it is not on the correct domain, Shah advised, then the object should not be allowed to execute cross-domain.
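As an added illustration, not code from the article or from Shah's talk, here is what the "self-aware" check described above might look like in JavaScript: a login component that compares the origin it actually landed on against an allowlist and refuses to initialize when that check fails or when it finds itself embedded in another document. The allowed origin is a constructed placeholder.

```javascript
// Constructed allowlist: the only origin this component is built to run on.
const EXPECTED_ORIGINS = ["https://bank.example"];

// Normalize an origin string to scheme + host (+ port), lowercased, no path.
// Throws on input that is not a valid absolute URL.
function normalizeOrigin(origin) {
  return new URL(origin).origin.toLowerCase();
}

// Exact-match origin check: "https://bank.example.attacker.test" must NOT pass,
// so no suffix or substring comparison is used.
function originAllowed(actualOrigin, allowed = EXPECTED_ORIGINS) {
  let actual;
  try {
    actual = normalizeOrigin(actualOrigin);
  } catch (e) {
    return false; // unparsable origin: fail closed
  }
  return allowed.map(normalizeOrigin).includes(actual);
}

// True when the component is rendered inside another document (IFRAME/OBJECT),
// which is the precondition for the clickjacking scenario described above.
function isFramed(win) {
  return win.top !== win.self;
}

// Decision the component makes before drawing a login form: run only on its
// own origin and only as the top-level document. `win` is the page's window.
function mayInitialize(win, allowed = EXPECTED_ORIGINS) {
  return originAllowed(win.location.origin, allowed) && !isFramed(win);
}

// Browser usage: if (!mayInitialize(window)) { /* render nothing, report */ }
```

A client-side frame check alone can be bypassed, so pair it with the server-side `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` response header on the pages that host the component.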
Increased Adoption Demands Secure Coding
HTML5 adoption will grow as more companies look at the new Web standard to improve the online customer experience and deliver enhanced features to mobile users. "HTML5 is no longer an emerging toolset for mobile and tablet development," analyst Peter Sheldon wrote recently on his Forrester blog. "Instead, it is fast becoming the de facto standard for Web experience innovation across touch points."
A full-fledged HTML5 site offers substantial functionality, including locally storing small databases, the ability to execute SQL commands, and accessing files. As Sheldon explains: "You can compare HTML5 with a small operating system running in your browser."
Major brands in various industry sectors, including Best Buy in retail and the Four Seasons Hotel in hospitality, have embraced HTML5, noted Sheldon. Developers can take advantage of existing code and enhance their sites incrementally. Many mobile apps are also taking advantage of the hybrid model, combining HTML5 and native code within a single application.
While HTML5 puts more tools in the box, it "doesn't change the fundamentals of how to build the Website," he concluded. Organizations making the shift to HTML5 have to make sure their developers are coding securely.
As we've seen, HTML5 has a lot of rich capabilities that can be used to craft attacks that access local resources, take control of the computer or redirect users. As the standard matures and additional libraries are created, new attack surfaces will surely crop up. Developers need to start thinking about these possible vulnerabilities from the outset of their HTML5 initiatives.
So far, we've looked at cross-site request forgery attacks and clickjacking. There's a lot more left from Shah's list of top ten HTML5 threats and others, which we'll explore over the next few weeks. Until then, I'd like to know what you think.
Will these new attack methods slow down HTML5 adoption? Have you seen examples of clickjacking attacks using HTML5?
About the Author
Fahmida Y. Rashid is a contributing editor for Slashdot and SourceForge.