Cross-Site Request Forgery Attacks in HTML5
HTML5 may offer developers greater control and flexibility when creating applications that can run on multiple platforms, but the new Web standard also comes with security issues that need to be addressed before attacks become more widespread, security experts believe.
At this year's Black Hat security conference in Las Vegas, there were three sessions focusing on security issues with HTML5. One of the presentations, by Shreeraj Shah, founder and director of Blueinfy Solutions, highlighted the top ten threats affecting HTML5. The other sessions showed off how to launch attacks using HTML5 to compromise network devices and other products.
With HTML5, developers can design and execute rich Internet applications with advanced animation, sound, and video, all within the context of a modern Web browser. The powerful combination of HTML, CSS, and Javascript gives both legitimate and malicious developers a lot of tools. As HTML5 continues to evolve and new technologies get added, the areas of potential exploitation will grow, Blueinfy's Shah told attendees.
"HTML5 is out there and people are using it," Shah said, adding, "It is time to take them [the threats] seriously."
Combination of components and technologies
It's important to remember that HTML5 is not a single technology stack, but actually a combination of components and technologies, Shah said. The components include XMLHttpRequest (XHR), the Document Object Model (DOM), Cross-Origin Resource Sharing (CORS), and enhanced HTML/browser rendering. The technologies include localStorage, WebSQL, WebSocket, WebWorkers, enhanced XHR, and DOM-based XPath. This jigsaw puzzle of various components has expanded the attack surface and is precisely the reason why HTML5 applications are vulnerable to stealth attacks and silent exploits, Shah said.
Top 10 threats
Shah identified the top 10 threats affecting HTML5 as the following:
- Cross-site request forgery (CSRF) and leveraging CORS to bypass same origin policy (SOP)
- ClickJacking and phishing by mixing layers and iframe
- Attacking WebSQL and client-side SQL injection
- Stealing information from storage and global variables
- HTML5 tag abuse and XSS
- HTML5/DOM-based XSS and redirects
- DOM injections and hijacking with HTML5
- Abusing thick-client features
- Using WebSockets for stealth attacks
- Abusing WebWorker functionality
Shah started off with a discussion of cross-site request forgery attacks and how attackers would be able to inject a payload on one cross-domain page that initiates a request to a different target domain without the user's knowledge or consent.
CORS is a "blind response" technique that allows the request to hit the target site without performing any checks or returning a response. Another component, XHR, can set a stealth connection with a website even if the user is not accessing that site.
Setting "Content-Type" to "text/plain" keeps the request a CORS "simple request," so the browser never sends the OPTIONS preflight that would check the rules on the server side. Using the POST method, XHR can then establish a connection that replays the user's cookies by setting the "withCredentials" attribute to true.
The following two lines in a script would give attackers access to the target site in a successful cross-site request forgery or session riding scenario, Shah said:
http.setRequestHeader('Content-Type', 'text/plain'); // a "simple" content type, so no CORS preflight is sent
http.withCredentials = true; // a boolean, not the string "true"; tells the browser to attach the user's cookies
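To make the preflight rule and its defence concrete, here is an added example (not from the article or from Shah's talk) that classifies a request the way the CORS "simple request" rule does, and then shows the server-side check that a text/plain POST cannot slip past: the Origin header is set by the browser, not by page script, so a state-changing endpoint can refuse requests from origins it does not expect. The function names, the allowed-origin list and the sample requests are my own assumptions, constructed for illustration; header names are assumed lowercased as Node.js does.

```javascript
// Added example: CORS "simple request" classification plus a server-side
// origin check. Names and sample requests are constructed for illustration.

// Methods and Content-Types a browser may send cross-origin WITHOUT a
// preflight. text/plain is on the list, which is why the two-line snippet
// above never triggers an OPTIONS check.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// headers: plain object with lowercased keys (Node.js style).
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  // Strip parameters such as "; charset=utf-8" before comparing the MIME type.
  const ct = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  // A body-less request has no Content-Type and is still "simple".
  return ct === '' || SIMPLE_CONTENT_TYPES.has(ct);
}

// Guard for state-changing endpoints. CORS does not protect the server: the
// forged request still arrives carrying the victim's cookies. The decision
// must rest on headers the attacker's script cannot set (Origin, Sec-Fetch-Site).
function shouldAcceptStateChange(req, allowedOrigins) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') return true;
  const origin = req.headers['origin'];
  if (origin === undefined) {
    // Conservative policy: with no Origin, accept only if the browser says
    // the request is same-origin; anything else (including no header) fails.
    return req.headers['sec-fetch-site'] === 'same-origin';
  }
  return allowedOrigins.has(origin);
}

// Constructed sample: the cross-site text/plain POST from the article, as the
// server sees it, versus a legitimate POST from the application itself.
const ALLOWED = new Set(['https://app.example']);
const forgedPost = {
  method: 'POST',
  headers: { 'content-type': 'text/plain', 'origin': 'https://evil.example',
             'cookie': 'session=victim' },
};
const legitimatePost = {
  method: 'POST',
  headers: { 'content-type': 'application/json', 'origin': 'https://app.example' },
};
```

Running `isSimpleRequest` on the forged request shows it needs no preflight, while `shouldAcceptStateChange` rejects it on Origin alone; the legitimate request passes.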
The XHR object in HTML5 is "very powerful," Shah said, as it enables developers to automatically upload and download binary files. XHR can also allow applications to scan internal ports on the network, mount a remote Web shell, and run a CORS policy scan. It can be a "really lethal attack vector," said Shah.
"Imagine your photo on Google or Facebook being changed while browsing an attacker's page," Shah said.
Network scanning via browser
Two researchers from AppSec Consulting demonstrated some XHR capabilities in a different presentation at Black Hat. Joshua Brashars and Phil Purviance, senior security researchers at AppSec Consulting, demonstrated how they were able to scan networks through the Web browser to figure out what kind of devices had been deployed. By performing an internal scan, they were first able to identify the IP address of the router on the network, and then collect enough resource information to identify the make and model of the device. Purviance and Brashars then used XHR to trick the browser into downloading a malicious firmware image and pushing it to the router, where it was executed to give them remote control over the network device.
Purviance and Brashars wondered if it was possible to take over an entire network by combining JavaScript attacks on an HTML5-compliant browser. "Yes, we can!" they said.
In his original presentation, Shah went into great detail for each of the 10 threats, and I will be digging through the list over the next few weeks. But until then, I would like to know what you think. Have you seen cross-site request forgery attacks against HTML5 applications in action? Will the fact that attackers are already developing exploits for HTML5 impede rates of adoption among developers?
About the Author
Fahmida Y. Rashid is a contributing editor for Slashdot and SourceForge.