This post is the third and final entry for our 3-part series on HTML5. You may check the previous two entries, HTML5 – The Good, and HTML5 – The Bad.

Welcome back to the final part of our miniseries on HTML5 and the security issues surrounding it. Today, we are going to look at what, in my opinion, is the scariest security concern HTML5 introduces by a long margin: BITB (Botnets In The Browser).

With HTML5, an attacker can now create a botnet which will run on any OS, in any location, on any device. Being heavily memory-based, it barely touches the disk, making it difficult to detect with traditional file-based antivirus. JavaScript code is also very easy to obfuscate, so network IDS signatures will also have a very hard time. Finally, being web-based, it will easily pass through most firewalls.

Below is an extract from our newly released paper on HTML5 Attacks:

Stages of A Browser-Based Botnet Attack

  1. Infection: Infecting a user’s system is done by convincing him to execute the initial JavaScript. There is a very long list of ways to accomplish this, including XSS, clicking a link in an email or instant message, blackhat search engine optimization (SEO), social engineering, compromising a site, and others.
  2. Persistence: A browser-based botnet by its very nature will not be as persistent as a traditional botnet. As soon as a victim closes the browser tab, the malicious code will stop running. An attacker will need to bear this in mind, and the tasks given to browser-based botnets should be designed to take into account the transitory nature of botnet nodes. The ability to easily reinfect systems is important, so attack vectors such as using a persistent XSS and compromising sites are most likely.
    Another approach is to combine clickjacking and tabnabbing. Clickjacking is first used to force a victim to open another web page with the exact same content as the original page. While the victim browses the content he expects to see, the malicious tab runs in the background. To extend the malicious tab’s life even further, the attacker can use tabnabbing – disguising the original tab and page as a commonly opened page such as Google or YouTube.
    Perhaps an even simpler form of persistence is to display the malicious page as an interactive game. Ideally, the game should be designed so that the user will keep it open all day, occasionally coming back to it to complete some new task.
  3. Payload: This attack can result in the following possibilities:
    1. DDoS Attacks: The web worker can use Cross Origin Requests to send thousands of GET requests to a target site, resulting in Denial of Service.
    2. Spamming: Using poorly configured web forms on sites’ Contact Us pages, a bot can be used to generate spam.
    3. Bitcoin generation: Bitcoins are the new currency of choice for the cybercrime underground. Several browser-based Bitcoin generators currently exist.
    4. Phishing: Using the tabnabbing approach, an attacker can change the look of a malicious tab each time the tab loses focus. As a result, each time a victim returns to the tab, he will be presented with the login for a different service, allowing the attacker to steal his credentials.
    5. Internal network reconnaissance: Using the techniques described in this paper, an attacker can perform a vulnerability or port scan of a victim’s network.
    6. Proxy network usage: Using the same approach the Shell of the Future tool utilizes, a network of compromised systems can allow an attacker to proxy attacks and network connections, making these more difficult to trace.
    7. Spreading: The botnet can be programmed to have a worm component that spreads via XSS attacks or SQL injections in vulnerable sites.
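The DDoS and spamming payloads above all produce traffic from many victims’ browsers toward one target. Cross-origin XMLHttpRequest traffic of the kind described in item 1 carries an Origin header naming the page that issued it, which gives the targeted site’s operators a detection handle: one unexpected Origin value showing up from many distinct client IPs is the signature of a single attacker page driving many browsers. The script below is an added example written for this post, not code from the post or from the Trend Micro paper; the log format, the sample lines, the allow-list of legitimate origins and the threshold of three distinct IPs are all constructed for illustration.

```javascript
// Added example (not from the post or paper): detect a browser-based flood by
// grouping cross-origin requests by their Origin header and counting how many
// distinct client IPs share each one.

// Constructed sample access log. Format (assumed, not a real server's):
//   "<client-ip> <method> <path> origin=<Origin header, or - if absent>"
const SAMPLE_LOG = [
  '10.0.0.1 GET /index.html origin=-',
  '10.0.0.2 GET /api/items origin=https://shop.example',
  '198.51.100.7 GET /search?q=a origin=https://game.invalid',
  '198.51.100.8 GET /search?q=b origin=https://game.invalid',
  '203.0.113.9 GET /search?q=c origin=https://game.invalid',
  '203.0.113.10 GET /search?q=d origin=https://game.invalid',
  '203.0.113.11 GET /search?q=e origin=https://game.invalid',
  '10.0.0.3 GET /about origin=-',
];

const LOG_RE = /^(\S+) (\S+) (\S+) origin=(\S+)$/;

// Parse one log line into a record; returns null for lines that do not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], origin: m[4] === '-' ? null : m[4] };
}

// Group cross-origin requests by Origin, tracking request count and the set of
// distinct client IPs. Same-origin requests and allow-listed origins are skipped.
function summarizeOrigins(lines, allowedOrigins) {
  const byOrigin = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !rec.origin || allowedOrigins.has(rec.origin)) continue;
    let stats = byOrigin.get(rec.origin);
    if (!stats) {
      stats = { requests: 0, ips: new Set() };
      byOrigin.set(rec.origin, stats);
    }
    stats.requests += 1;
    stats.ips.add(rec.ip);
  }
  return byOrigin;
}

// An unexpected Origin seen from at least minIps distinct clients is the
// pattern the post describes: many victims' browsers, one attacker page.
// minIps is a constructed threshold; tune it to the site's normal traffic.
function findSuspectOrigins(lines, { allowedOrigins = new Set(), minIps = 3 } = {}) {
  const suspects = [];
  for (const [origin, stats] of summarizeOrigins(lines, allowedOrigins)) {
    if (stats.ips.size >= minIps) {
      suspects.push({ origin, distinctIps: stats.ips.size, requests: stats.requests });
    }
  }
  return suspects.sort((a, b) => b.distinctIps - a.distinctIps);
}

// Usage on the constructed sample, treating the shop's own origin as legitimate.
const SAMPLE_REPORT = findSuspectOrigins(SAMPLE_LOG, {
  allowedOrigins: new Set(['https://shop.example']),
});
console.log(SAMPLE_REPORT);
```

The Origin header is only present on requests the browser makes through the cross-origin request mechanism, so this will not see floods built from plain image or script tags; for those, the usual per-path rate and distinct-IP counting still applies. Blocking on the Origin value itself is cheap once a suspect origin is confirmed, because every bot in the flood sends the same one.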

For me, this represents a significant new capability in the arsenal of an attacker, and something we will definitely see more of in the near future – especially in the area of targeted attacks. While traditional defenses against malware are not ideally suited to blocking this new attack vector, there are two free tools which can offer very good protection:

    1. NoScript: The NoScript browser plugin is already well known in security circles. This excellent tool restricts how JavaScript and other plugins run on untrusted sites.
    2. BrowserGuard: Trend Micro’s own BrowserGuard tool includes a range of features to block web-based attacks, including advanced heuristic technologies.

Our paper HTML5 Overview: A look at HTML5 Attack Scenarios is now online and available for download.



This post is the second of a 3-part series of blog entries on HTML5. You can also check the first part: HTML5 – The Good.

Yesterday, we started the first of a three-part series investigating the new HTML5 standard. We started this by looking at some of the new features which are going to improve how we can interact with the Web.

In today’s post, we will look at how some of the features of HTML5 can be misused by attackers. This post is not meant to be an exhaustive list, but if you are interested in more details we will be releasing an in-depth paper on HTML5 Attacks tomorrow.

Below, in no particular order, are 5 new attacks made possible by features introduced in HTML5:

  1. Clickjacking made easy: Clickjacking itself is not a new attack. It is an attack that aims to effectively steal mouse button clicks from a victim and to redirect them to a different page the attacker specifies. The attacker’s goal is to make the user click on a concealed link without his knowledge.
    At the moment, one of the best server-side defenses against clickjacking is something called framekilling. Essentially, the affected site can use JavaScript to see if it is running in an iframe, and if so refuse to display. This technique is already in use by sites such as Facebook, Gmail and others.
    However, HTML5 adds a new “sandbox” attribute to iframes, which stops the site from running JavaScript. In many cases, this actually leads to a much more secure setup, but it does have the downside of nullifying the best current defense against clickjacking.
  2. Port Scanning using Cross Origin Requests or WebSockets: With HTML5, a browser can now connect to any IP address or site on (almost) any port. While it is not able to read the response of this connection unless this is specifically allowed by the target site, researchers have already shown that the amount of time the request takes can be used to determine if the target port is open or closed. This allows an attacker to carry out a port scan of a victim’s local network, directly from the browser.
  3. Social Engineering with Web Notifications: We mentioned web notifications in our post yesterday about the new features introduced by HTML5. These pop-ups which appear outside the browser can actually be fully customized using HTML code. While this allows for some very nice interaction possibilities, it is also a gold mine for social engineering attacks, such as phishing or FAKEAV. Check the picture below to get an idea of what attackers can do with this new feature.
  4. Tracking victims with Geolocation: Geolocation is one of the most talked about features introduced in HTML5. As a security and privacy concern, a site must always ask a user’s permission before being able to get access to this location information. However, as has been seen in the past with features such as Vista’s User Account Control, Android’s application permissions, and with invalid HTTPS certificates – security based on the user needing to make a decision rarely works out well. Once permission is given, that site can not only learn the victim’s location, but also track that user in real time as they move around.
  5. Form Tampering: Another new feature allows an attacker who has successfully injected JavaScript code into a site (e.g. from an XSS attack) to alter how the forms on that page behave. For example, an attacker can change a normally benign form on an online shop to instead submit content to the purchasing page, or a login page to instead send the user’s credentials to the attacker’s site.
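Item 5 works because HTML5 lets a submit button carry its own formaction attribute, which overrides the form’s action, so a page that only inspects the form element never sees where a tampered submission actually goes. The guard below is an added example written for this post, not code from the post or from the paper: it computes the effective submission target the way the browser does (submit button’s formaction, then the form’s action, then the page URL) and refuses any submission whose target is not the page’s own origin. The pure functions run anywhere the WHATWG URL class exists; installSubmitGuard is the browser wiring and assumes a SubmitEvent with a submitter property, which older browsers lack. The URLs used in the usage call are constructed.

```javascript
// Added example (not from the post): block form submissions whose effective
// target is a different origin than the page, including formaction overrides.

// Resolve the URL the browser will submit to. A formaction on the submitter
// wins over the form's action; an empty or missing action means the page URL.
function effectiveAction(pageUrl, formAction, submitterFormAction) {
  let target = formAction == null ? '' : formAction;
  if (submitterFormAction != null) target = submitterFormAction; // formaction overrides action
  return new URL(target, pageUrl).href; // '' resolves to pageUrl itself
}

// Same origin means same scheme, host and port, so an https->http downgrade
// of the same host is also rejected.
function isSameOrigin(pageUrl, actionUrl) {
  return new URL(pageUrl).origin === new URL(actionUrl).origin;
}

// Verdict for one submission attempt.
function checkSubmission(pageUrl, formAction, submitterFormAction) {
  const action = effectiveAction(pageUrl, formAction, submitterFormAction);
  if (!isSameOrigin(pageUrl, action)) {
    return { allowed: false, action, reason: 'submission target is cross-origin' };
  }
  return { allowed: true, action, reason: 'same-origin target' };
}

// Browser wiring (assumed API: SubmitEvent.submitter). Uses the capture phase
// so it runs before page scripts that injected code may have hooked.
function installSubmitGuard(doc, win) {
  doc.addEventListener('submit', (ev) => {
    const form = ev.target;
    const submitter = ev.submitter || null;
    const verdict = checkSubmission(
      win.location.href,
      form.getAttribute('action'),
      submitter ? submitter.getAttribute('formaction') : null,
    );
    if (!verdict.allowed) {
      ev.preventDefault();
      console.warn('Blocked form submission:', verdict.reason, verdict.action);
    }
  }, true);
}

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installSubmitGuard(document, window);
}

// Usage with constructed URLs: a benign checkout form, then the same form
// submitted through a button that was given a formaction pointing elsewhere.
const BENIGN = checkSubmission('https://shop.example/cart', '/checkout', null);
const TAMPERED = checkSubmission('https://shop.example/cart', '/checkout',
  'https://collector.invalid/creds');
console.log(BENIGN, TAMPERED);
```

This catches the credential-theft variant in item 5 but not the other one the post mentions, where a benign form is pointed at the shop’s own purchasing page: that target is same-origin and passes the check. Same-origin retargeting has to be handled server-side, with per-form anti-CSRF tokens bound to the action they authorize, and a script injected via XSS can in any case remove this listener, so the guard is a defense-in-depth measure rather than a substitute for fixing the XSS.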

Those are just 5 of the new attacks introduced by HTML5, and we covered them at a very high level. Here is the link to the final part of this mini blog series, HTML5: The Ugly, and to the release of our paper on HTML5 Attacks.




HTML5 is the fifth revision of the language that makes the web work, and this Wednesday we will be releasing a paper detailing some of the new attacks that are made possible by this technology. Over the next three days we’ll be looking at the Good, the Bad and the downright Ugly of what HTML5 adds to the web, and to the arsenal of cybercriminals.

First up – HTML5 (and its associated APIs) is not an upgrade like you may be familiar with when it comes to software – it’s actually a whole lot of individual features, each with differing browser support. There is a good Wikipedia article that shows which features are currently implemented. For me there are very many fantastic features in HTML5, but five of them really stand out – and I think these will really change how we interact with the web.

  1. New graphics libraries: HTML5 introduces the Canvas and WebGL libraries which allow for more feature-rich websites. There are some great demos up on this page. In particular, I think the WebGL library is a game changer – just look at how well the graphics work in this port of the famous Quake II game – now entirely coded in HTML5. For me, that opens up a whole new generation of how games will be played in the future.
  2. Easier multimedia content: If you have ever designed a site that included audio and video content you will know that it has always felt a bit clunky, and will normally require a bunch of <object> and   tags along with some Flash to get things to work. Not anymore however – HTML5 introduces the very easy to use <video> and <audio> tags, making it simpler than ever to include multimedia content on your site. Support is so good that YouTube is already in the process of moving over to using HTML5.
  3. Geolocation: People are accessing the Internet less and less from desktop machines, and even laptops. Today, a lot of people surf the web from handheld mobile devices such as smart-phones and tablets. The mobile nature of today’s web browsing, combined with the new Geolocation feature in HTML5 opens up a wealth of new possibilities. Knowing exactly where someone is when they access your site can help you personalize content for them to match their local surroundings. Imagine a hiking program whose default homepage allows you to plan trips if it sees you are accessing it from a built up area, but defaults to the interactive maps page if you are out in the countryside.
  4. Drag & Drop: This one is really subtle, but very important – Drag & Drop allows you to drag content from your browser directly onto your computer and from your computer to the browser. Doesn’t sound like a game changer really, does it? Well, check out this demo and then think what this means for a site like Facebook. Think about when you arrive back from your holidays and can simply select all of your holiday pics, drop them into the browser and instantly share them with your friends on the social network. Now that’s how I want to interact with the web!
  5. Web Notifications: Web Notifications are small pop-ups that appear outside of the browser window itself, allowing users to interact with a site even if they are not currently looking at it. Currently these only work with the Google Chrome browser, and you can check out a demo of them. These notifications are perfect for mail alerts, social network updates, Twitter, and a wide variety of other services. Along with Drag & Drop this feature really blurs the line between offline and online applications.

Those are just a taste of the fantastic new possibilities of HTML5, but there are many other demos out there on the web which are definitely worth a look. However just like powerful abilities in superhero movies, these features can be a double-edged sword.

In the second part of the blog series, HTML5 – The Bad, we will look at the bad side of HTML5, and in the third part, HTML5 – The Ugly, at the ugly side.