The HTML5 Center Blog

Cross-Site Request Forgery Attacks in HTML5

by Fahmida Y. Rashid (July 31, 2012)

HTML5 may offer developers greater control and flexibility when creating applications that can run on multiple platforms, but the new Web standard also comes with security issues that need to be addressed before attacks become more widespread, security experts believe.

At this year's Black Hat security conference in Las Vegas, there were three sessions focusing on security issues with HTML5. One of the presentations, by Shreeraj Shah, founder and director of Blueinfy Solutions, highlighted the top ten threats affecting HTML5. The other sessions showed off how to launch attacks using HTML5 to compromise network devices and other products.

With HTML5, developers can design and execute rich Internet applications with advanced animation, sound, and video, all within the context of a modern Web browser. The powerful combination of HTML, CSS, and JavaScript gives both legitimate and malicious developers a lot of tools. As HTML5 continues to evolve and new technologies get added, the areas of potential exploitation will grow, Blueinfy's Shah told attendees.

"HTML5 is out there and people are using it," Shah said, adding, "It is time to take them [the threats] seriously."

Combination of components and technologies

It's important to remember that HTML5 is not a single technology stack but a combination of components and technologies, Shah said. The components include XMLHttpRequest (XHR), the Document Object Model (DOM), Cross-Origin Resource Sharing (CORS), and enhanced HTML/browser rendering. The technologies include localStorage, WebSQL, WebSocket, Web Workers, enhanced XHR, and DOM-based XPath. This jigsaw puzzle of components has expanded the attack surface and is precisely why HTML5 applications are vulnerable to stealth attacks and silent exploits, Shah said.

Top 10 threats

Shah identified the top 10 threats affecting HTML5 as the following:

  1. Cross-site request forgery (CSRF) and leveraging CORS to bypass same origin policy (SOP)
  2. ClickJacking and phishing by mixing layers and iframe
  3. Attacking WebSQL and client-side SQL injection
  4. Stealing information from storage and global variables
  5. HTML 5 tag abuse and XSS
  6. HTML 5/DOM based XSS and redirects
  7. DOM injections and hijacking with HTML 5
  8. Abusing thick-client features
  9. Using WebSockets for stealth attacks
  10. Abusing WebWorker functionality

Shah started off with a discussion of cross-site request forgery attacks and how attackers would be able to inject a payload on one cross-domain page that initiates a request to a different target domain without the user's knowledge or consent.

Shah described CORS as a "blind response" technique: a cross-origin request can reach the target site without any check being performed before it is sent, and even when the browser withholds the response from the calling script, the server has already acted on the request. Another component, XHR, can open a silent connection to a site that the user is not themselves browsing.

Setting "Content-Type" to "text/plain" keeps the request within the CORS "simple request" rules, so the browser sends it without the OPTIONS preflight that would otherwise let the server state its rules. With the POST method and the XHR "withCredentials" attribute set to true, the browser attaches the user's existing cookies for the target site to the request, so the target sees what looks like a request from the authenticated user.

The following two lines in a script would give attackers access to the target site in a successful cross-site request forgery or session riding scenario, Shah said:

	// Stay within the CORS "simple request" rules so the browser sends no preflight
	http.setRequestHeader('Content-Type', 'text/plain');
	// Attach the user's cookies to the cross-origin request (a boolean, not the string "true")
	http.withCredentials = true;
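To make the mechanism behind those two lines concrete from the defending side, here is an added example in Node.js; it is not code from the article or from Shah's talk. It models the browser's CORS "simple request" rule (which is why a text/plain POST goes out with no preflight), shows what the browser actually puts on the wire for such a request (the sending page's own Origin, which script cannot override, plus the user's cookies when withCredentials is true), and runs a server-side guard that rejects the forged request by checking the Origin header, the expected Content-Type, and a per-session CSRF token. The function names, origins, cookie and token values are all constructed for this example.

```javascript
// Added example, not code from the article or Shah's talk. Models the CORS
// "simple request" rule that the text/plain trick relies on, the request as
// the browser actually sends it, and a server-side guard that rejects it.
// All names, origins, cookie and token values below are constructed.

// Requests that use only these methods, headers and Content-Type values are
// sent directly, without an OPTIONS preflight (the CORS "simple request" rule).
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function mimeOf(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// xhr = { method, headers: { name: value }, withCredentials } as a script
// would configure it. Returns true when a cross-origin send would be preflighted.
function willPreflight(xhr) {
  if (!SAFELISTED_METHODS.has(xhr.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(xhr.headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === 'content-type' && !SAFELISTED_CONTENT_TYPES.has(mimeOf(value))) return true;
  }
  return false; // withCredentials alone never triggers a preflight
}

// What reaches the server: header names lowercased, the sending page's origin
// attached as Origin (script cannot set or spoof it), and the user's cookies
// for the target site only when withCredentials is true.
function asSentByBrowser(xhr, pageOrigin, cookieJar) {
  const headers = {};
  for (const [name, value] of Object.entries(xhr.headers)) {
    headers[name.toLowerCase()] = value;
  }
  headers.origin = pageOrigin;
  if (xhr.withCredentials && cookieJar) headers.cookie = cookieJar;
  return { method: xhr.method.toUpperCase(), headers };
}

// Server side: a state-changing endpoint that only the application's own
// origin may call. A simple request reaches the handler with no preflight, so
// the handler itself must decide; whether the attacker's script can read the
// response is irrelevant, the state change is the damage.
const TRUSTED_ORIGINS = new Set(['https://app.example']);   // constructed
const EXPECTED_CONTENT_TYPE = 'application/json';

function guardRequest(req, session) {
  const origin = req.headers.origin;
  if (origin === undefined) return { allowed: false, reason: 'missing Origin header' };
  if (!TRUSTED_ORIGINS.has(origin)) return { allowed: false, reason: 'untrusted origin' };
  // Requiring a non-safelisted Content-Type forces cross-origin callers into a
  // preflight, which this server would answer without Access-Control-Allow-Origin.
  if (mimeOf(req.headers['content-type']) !== EXPECTED_CONTENT_TYPE) {
    return { allowed: false, reason: 'unexpected content type' };
  }
  const token = req.headers['x-csrf-token'];
  if (!token || token !== session.csrfToken) {
    return { allowed: false, reason: 'missing or invalid CSRF token' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed scenario: the user is logged in to app.example and visits
// attacker.example, whose script sends the two lines quoted in the article.
const VICTIM_COOKIES = 'session=abc123';          // constructed value
const VICTIM_SESSION = { csrfToken: 'tok-7f3a' }; // constructed value

const FORGED_XHR = {
  method: 'POST',
  headers: { 'Content-Type': 'text/plain' },
  withCredentials: true,
};
const LEGIT_XHR = {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': 'tok-7f3a' },
  withCredentials: true,
};

function scenario() {
  const forged = asSentByBrowser(FORGED_XHR, 'https://attacker.example', VICTIM_COOKIES);
  const legit = asSentByBrowser(LEGIT_XHR, 'https://app.example', VICTIM_COOKIES);
  return {
    forgedPreflighted: willPreflight(FORGED_XHR),      // false: sent straight through
    forgedCarriesCookies: 'cookie' in forged.headers,  // true: withCredentials did its job
    forgedVerdict: guardRequest(forged, VICTIM_SESSION),        // rejected: untrusted origin
    legitWouldPreflight: willPreflight(LEGIT_XHR),     // true: JSON body plus custom header
    legitVerdict: guardRequest(legit, VICTIM_SESSION), // allowed
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The guard checks Origin first because the browser sets that header itself and a script on attacker.example cannot change it; the Content-Type requirement then pushes any cross-origin caller into a preflight the server can decline, and the CSRF token covers same-origin injection. Modern browsers' SameSite cookie defaults reduce exposure further, but the server-side check is the control that does not depend on the client.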

The XHR object in HTML5 is "very powerful," Shah said, as it enables developers to automatically upload and download binary files. XHR can also allow applications to scan internal ports on the network, mount a remote Web shell, and run a CORS policy scan. It can be a "really lethal attack vector," said Shah.

"Imagine your photo on Google or Facebook being changed while browsing an attacker's page," Shah said.

Network scanning via browser

Two researchers from AppSec Consulting demonstrated some XHR capabilities in a different presentation at Black Hat. Joshua Brashars and Phil Purviance, senior security researchers at AppSec Consulting, showed how they were able to scan networks through the Web browser to figure out what kind of devices had been deployed. By performing an internal scan, they were first able to identify the IP address of the router on the network, and then collect enough resource information to identify the make and model of the device. Purviance and Brashars then used XHR to trick the browser into downloading malicious firmware and installing it on the router, giving them remote control over the network device.

Purviance and Brashars wondered if it was possible to take over an entire network combining JavaScript attacks on an HTML-compliant browser. "Yes, we can!" they said.

In his original presentation, Shah went into great detail for each of the 10 threats, and I will be digging through the list over the next few weeks. But until then, I would like to know what you think. Have you seen cross-site request forgery attacks against HTML5 applications in action? Will the fact that attackers are already developing exploits for HTML5 impede rates of adoption among developers?

About the Author
Fahmida Y. Rashid is a contributing editor for Slashdot and SourceForge.
