A Peek at HTML5 & Security

BlackHat webcast series, December 16th, 2010
Mike Shema

The Browser’s Allure

• Volatile environment (SSL, no cache) means more difficult forensics.
• Universal execution environment unaffected by firewalls or most desktop security.
• Large (millions) population of potential victims within easy reach -- and now pervasive on mobile devices.

Early Browser Security

• Implementation errors within a browser.
• Implementation ambiguity among browsers.
• Design errors in HTML and HTTP.
• Unexpected, creative uses of the browser.

Mixed-Protocol Attacks

• Remember gopher?
• gopher://host:25/0HELO%20zombie%0D%0AQUIT
• gopher://host:79/0root
• Netscape already blocking ports like 79 (finger daemon) in 1996.
• An implementation error would be a blocked-port bypass using integer overflow, e.g. port 65561.

The Path to HTML5

3350 B.C. Cuneiform enables stone markup languages.

July 1984 Neuromancer. “Cyberspace. A consensual hallucination...” (p. 51)

December 25, 1990 CERN httpd starts serving HTML.

November 1995 HTML 2.0 standardized in RFC 1866.

December 24, 1999 HTML 4.01 finalized.

Brief (Non-)Definitions

• Unintended heir to the vapid buzzword “Web 2.0” -- except there’s a standard this time.
• Another way to create Rich Applications.
• HTML5 does not mean video, but it has a

HTML5 Syntax Checker

Your Browser is...

(Slide images: html5.gif, safari.gif, firefox.gif, others.gif, lynx.gif) http://x86.cx/html5

http://www.w3.org/TR/html5/syntax.html

A Link That Goes Ping...

• Hyperlink auditing, i.e.
• Capability already exists in one way or another through use/abuse of HTML and browser quirks. (http://bit.ly/ucsdprivacy)
• Standardization can help privacy with reliable browser controls.

Local Storage, Database

• Unencrypted store for user data.
• Will be targeted by trojans, bots, etc. that are already looking for financial data and keystores on the file system.
• Nice target for privacy exploits if not security exploits.

Relaxing Same Origin

• Cross-page/domain messaging
• Web developers already using clumsy work-arounds for Same Origin, why not accept and standardize to help secure?
• There will always be ugly, insecure web development, e.g. JSONP.
• ...and mistakes happen: crossdomain.
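As an added example (not code from the slides), the cross-document messaging bullet above is shown as a postMessage receiver written the way the "mistakes happen" bullet warns against, beside a hardened version. The trusted origin, the inbox element id and the sender helper are assumptions; the handlers take a MessageEvent-like object so the logic also runs outside a browser.

```javascript
// Added example, not from the slides. Handlers take a MessageEvent-like
// object ({origin, data}) and return what they would do, so the logic can
// be exercised without a DOM. The trusted origin below is an assumed value.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Insecure receiver: trusts any origin and treats the payload as HTML.
// Any page that holds a handle to this window (opener, iframe parent)
// can push markup into it. Kept only as the "before" for contrast.
function insecureHandler(event) {
  return { accepted: true, html: String(event.data) };
}

// Hardened receiver: exact-match the origin against an allow list (no
// wildcard, no prefix or substring test), require a structured payload,
// and hand back plain text to be set via textContent, never innerHTML.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.text !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  return { accepted: true, text: msg.text };
}

// Sender side: name the target origin explicitly instead of "*", so the
// browser drops the message if the target window has navigated elsewhere.
function sendTrusted(targetWindow, text) {
  targetWindow.postMessage({ text: text }, "https://app.example.com");
}

// Browser wiring, only when a DOM exists (skipped under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = hardenedHandler(event);
    if (result.accepted) {
      // "inbox" is an assumed element id for this example.
      document.getElementById("inbox").textContent = result.text;
    }
  });
}
```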

Web Workers

• Worker() and SharedWorker() enable threading within JavaScript.
• Designed with security in mind, e.g. restricted from accessing the DOM.
• Bringing concurrency attacks to the browser?
• Predicated on misuse or poor use of Workers by the web application.
• Client-side validation without server-side confirmation, e.g. race conditions in authorization.

Plugins Still Plugging

• Plug-ins still learning from ActiveX (Adobe AIR, Flash, Microsoft Silverlight, Google Native Client, ...)
• Impedance mismatch between sandboxes.
• Inconsistent enforcement of Same Origin.
• Tracking tokens unaffected by the browser.

Summary

• The ubiquity of browsers makes them a prime target.
• HTML5 reflects the evolution of web site design patterns.
• Attackers looking for implementation and design errors.
• Will always be possible to misuse, abuse, or creatively use HTML & JavaScript.

Thank You

• Check out browsercheck.qualys.com

• Send questions to [email protected]

• Get slides at www.deadliestwebattacks.com