HTML5 vs. Security

22. November, 2013

“HTML5 vs. Security” was a talk given by Thomas Röthlisberger of Compass Security AG. It gave a nice overview of some of the security problems that HTML5 brings.

Areas covered by the talk:

Together, those technologies allow remote attackers to scan internal networks, access intranet sites and track users.

For example, if you’re visiting a site while connected to a compromised WLAN access point, an attacker might send you an (application cache) manifest for this site. The manifest then lists the names of some files which exist on the original site plus additional resources. When you’re back in a safe network, the browser will still use the saved files when you visit the site again, making the attack permanent.

Another place to store malicious code is local storage. Local storage can also be used to attach a permanent ID to the browser and thus to the user.

CORS and WebSockets make it possible to scan the local network for open ports. With Web Workers, thousands of ports can be scanned in the background. The same technology can be used to build an ad-hoc botnet to crack passwords.

Shell of the Future is a proof of concept that demonstrates how to use another person’s browser to browse the web. This means that the attacker can a) see all the information (session cookies, JavaScript) that the hijacked browser has and b) drive said browser (downloading more resources, scanning the intranet, etc.).

In some cases, these vulnerabilities are the price of making the new feature useful. What you need to be aware of:

  • Decline strange/unexpected requests by your browser
  • When you configure your server, make sure you send the correct Access-Control-Allow-Origin headers. Never configure your server to reply with “*”.
  • There is no anonymity if you allow web sites access to the Geolocation API or local storage.
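The second point above is worth a worked example. The following is an added illustration, not code from the talk or from Compass Security: a small Node.js helper that picks the Access-Control-Allow-Origin response header from an explicit allowlist instead of answering “*”, and handles the preflight (OPTIONS) request the same way. The allowed origins and the request objects are constructed sample values.

```javascript
// Added example: choosing the Access-Control-Allow-Origin header from an
// allowlist instead of replying "*". Runs under Node.js; the origins below
// are constructed sample values, not real deployments.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak configuration: every origin is answered with "*". Any page on the
// web (including one injected by a rogue access point) can then read the
// response. Note that browsers refuse "*" together with credentials, and
// blindly echoing the request's Origin header to get around that is worse
// than "*", because it grants credentialed access to everyone.
function corsHeadersWildcard() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened configuration: echo the Origin only when it is on the allowlist.
// Unknown origins (and the literal "null" origin sent by sandboxed frames
// and file:// pages) get no CORS header at all, so the browser blocks the
// cross-origin read. "Vary: Origin" keeps caches from serving one origin's
// answer to another.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string') return {};
  let parsed;
  try {
    parsed = new URL(origin);          // throws for "null" and other junk
  } catch {
    return {};
  }
  // Compare the normalised origin (scheme + host + port), not the raw
  // string, so "https://app.example.com/" or upper-case hosts match only
  // if the real origin is allowed, and "app.example.com.evil" never does.
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return {};
  return {
    'Access-Control-Allow-Origin': parsed.origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Builds the status and CORS-related headers for a request object of the
// shape { method, headers: { origin } }. Preflights for unknown origins are
// rejected outright; allowed ones get only the methods and headers the API
// actually needs, never a wildcard.
function corsResponseFor(req) {
  const cors = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') {
    if (!cors['Access-Control-Allow-Origin']) {
      return { status: 403, headers: {} };
    }
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': 'GET, POST',
        'Access-Control-Allow-Headers': 'Content-Type',
        'Access-Control-Max-Age': '600',
      },
    };
  }
  return { status: 200, headers: cors };
}

// Stand-alone demonstration with a constructed allowed and a constructed
// foreign origin.
console.log(corsResponseFor({ method: 'GET', headers: { origin: 'https://app.example.com' } }));
console.log(corsResponseFor({ method: 'OPTIONS', headers: { origin: 'https://evil.example.net' } }));
```

Wire `corsResponseFor` into whatever HTTP framework you use before the request handler runs; the important property is that the allowlist lives on the server and the browser’s own Origin header is never trusted without that lookup.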

Chrome Experiments

19. July, 2012

If you want to see what’s possible in today’s browsers, go to Chrome Experiments.

My picks:


Jazoon 2012: Architecting non-trivial browser applications

28. June, 2012

Marc Bächinger gave a presentation on how to develop HTML5 browser applications.

The big advantage of HTML5+JavaScript is that it gives users a better experience and usability. One of the first steps should be to decide which framework(s) you want to use. You can either use one of the big, monolithic, one-size-fits-all frameworks that do everything, or select best-of-breed frameworks for specific aspects (browser facade, MVC framework, helper libraries and components).

You should use REST on the server side because that makes the server and the components of your application easier to reuse.

The main drawback is that you have (often much) more complexity on the client. This can be kept under control by strict application of the MVC pattern.

Browser facades

Every browser has its quirks and most of the time, you just don’t want to know about them. Browser facades try hard to make all browsers behave alike. Examples are jQuery and zepto.js.

MVC frameworks

Backbone.js, Spine.js, Knockout.js, ember.js, JavaScriptMVC, Top 10 JavaScript MVC frameworks

Helper libraries and frameworks

gMap, OSM, Raphaël, jQuery UI, Twitter bootstrap.js, mustache, jade

Important

Since the whole application now runs in the client, security is even more important: attackers can do anything that you don’t expect.


Raphaël – Impressive Vector Graphics Framework for JavaScript

2. November, 2011

If you need a framework for vector graphics, try Raphaël.

MIT License, impressive demos, readable source code.