“HTML5 vs. Security” was a talk given by Thomas Röthlisberger of Compass Security AG which gave a nice overview over some of the security problems that HTML5 brings.
Areas covered by the talk:
- Cross-Origin Resource Sharing (CORS)
- Local storage
- Web Sockets
- Geolocation API
- Offline Web Applications
- Web Workers
- Web Messaging
- Custom scheme and content handlers
Together, those technologies allow remote attackers to scan internal networks, access intranet sites and track users.
For example, if you’re visiting a site while connected to a compromised WLAN access point, an attacker might send you a manifest for this site. The manifest then contains the names of some files which exist on the original site plus additional resources. When you’re back in a safe network, the browser will use the saved files when you visit the site again, making the attack permanent.
Another place to save malicious code is the local storage. Or we can use the local storage to attach a permanent ID to the browser / user.
CORS and WebSockets allow to scan the local network for open ports. With Web Workers, thousands of ports can be scanned in the background. Or you can use the technology to build an ad-hoc botnet to crack passwords.
Shell of the Future is a proof of concept that demonstrates how you use the browser of another person to browse the web. This means that the attacker can a) see all the information (session cookies, JavaScript) that the hijacked browser has and b) that the attacker can drive said browser (downloading more resources, scanning the intranet, etc).
In some cases, these vulnerabilities are necessary to make the new feature useful. What you need to be aware:
- Decline strange/unexpected requests by your browser
- When you configure your server, make sure you send the correct Access-Control-Allow-Origin headers. Never configure your server to reply with “*”.
- There is no anonymity if you allow web sites access to the Geolocation API or local storage.
Dark Views 