Investigation Report Regarding Security Issues of Web Applications Using HTML5
Total Page:16
File Type:pdf, Size:1020Kb
Investigation Report Regarding Security Issues of Web Applications Using HTML5 JPCERT Coordination Center October 30, 2013 Contents 1. Introduction ...................................................................................................................... 2 2. Purpose and Method of This Investigation ...................................................................... 4 2.1. Purpose .................................................................................................................... 4 2.2. Method ..................................................................................................................... 4 3. Vulnerabilities that need to be noted especially in HTML5 .............................................. 5 3.1. Cross Site Scripting ............................................................................................... 5 3.2. Cross Site Request Forgery ................................................................................ 10 3.3. Open Redirect ....................................................................................................... 12 3.4. Defect in Access or Authorization Control ........................................................ 15 4. HTML5 features that should be noted ........................................................................... 16 4.1. Newly Added HTML Elements ............................................................................. 16 4.2. JavaScript API ....................................................................................................... 23 4.3. XMLHttpRequest ................................................................................................... 30 5. Security features in HTML5 ........................................................................................... 39 5.1. X-XSS-Protection .................................................................................................. 39 5.2. X-Content-Type-Options ...................................................................................... 40 5.3. X-Frame-Options ................................................................................................... 42 5.4. Content-Security-Policy ....................................................................................... 43 5.5. Content-Disposition ............................................................................................. 45 5.6. Strict-Transport-Security ..................................................................................... 47 6. Conclusion...................................................................................................................... 49 References ............................................................................................................................ 50 Appendix ................................................................................................................................ 52 Browsers Used in this Report ........................................................................................ 52 1 1. Introduction In a narrow sense, HTML5 is a specification of a markup language for structuring and presenting contents on the World Wide Web, and it is in the process of formulation by WHATWG and W3C as the next generation of HTML standard which will take over HTML4, the current standard. In a broad sense, HTML5 is a framework for describing web application, including not only the mark-up language but also WebSocket protocol and other related Internet standards. HTML5 is rapidly gathering population according to the inquiry held by Evans Data, an investigation company, in January 2012, in which 58 percent of engineers answered to adopt HTML5 when developing a new web site. A large number of vendors and entities including web browser developers have been working closely on the implementation of HTML5 in order to respond to such strong market needs, however, they sometimes implement incompatible details in their products such as browser because of the insufficient draft-specification still reviewed by the standardization entity. While HTML5 and its peripheral technologies enable more flexible and convenient web sites to be developed, such as Web Storage storing data in the browser of the web site viewer (herein, “user”), WebSocket for a server and a client to communicate in full-duplex, and Geolocation acquiring geographical location information, , considerations and notifications regarding how attackers may exploit these new features have yet to be properly performed and thus there are concerns that HTML5 may become more and more prevalent without proper security measures being put in place. This investigation was performed to provide web security researchers and web application developers with the basic information about how HTML5 migration may affect web application security by organizing currently known issues. We delegated this research project to web security experts who mainly focused on vulnerabilities that may be built in as a result of using newly added features in HTML5, and methods on utilizing newly added features when building secure web applications as well as considerations upon using such features. As mentioned above, there are discrepancies in the implementation of HTML5 specifications. The results in this report are based on browser implementations from August, 2012 to February, 2013. The list of browsers used in this investigation is listed in the Appendix. This report is composed of 6 sections. Section 1 provides the overview of this investigation and Section 2 will continue to describe the purpose and methods for this investigation. Section 3 gives an overview of long-lasting web application vulnerabilities and respective countermeasures that must be carefully considered in the development phase of the web applications. This section also describes the new attack vectors introduced by the HTML5 as well as 2 web application development considerations that were not necessary in the past but have become necessary due to HTML5. Section 4 contains a description of pitfalls leading to the vulnerabilities in web applications and corresponding mitigations from the point of view of the newly added features in the HTML5 and widely used functions in web application development using the HTML5. Section 5 contains information on browser security features that are particularly effective for secure operations of HTML5 web applications by focusing on how to configure and implement these features. Section 6 gives a conclusion of this report. The contents of this report were created so that it can act as a starting point for discussions on how to develop secure web applications using HTML5. Since this report focuses on HTML5 features used in web applications, basic technologies related to conventional web application security may not be mentioned here. Please refer to the "How to Secure Your Website" document provided by the Information-technology Promotion Agency (herein, IPA) for such information. Also, not a few specifications of HTML5 still remain undetermined, and for this reason, it is necessary to continuously pay attention to the standardizing processes and their impacts on security. In addition, it cannot be denied that new attack methods specific to HTML5 may be discovered in the future. Therefore, we believe that this report needs to be updated periodically by adding new findings and feedbacks from readers of this report, since this report lists security issues on HTML5 that were discovered at the time of the investigation and the basic mitigations against such issues. 3 2. Purpose and Method of This Investigation 2.1. Purpose The purpose of this investigation was to examine the mechanism of the vulnerabilities themselves and basic mitigations to avoid from such vulnerabilities. It was additionally to provide materials that can serve as a basis for technical documentations and guidelines for secure web application development, regarding major vulnerabilities that tend to be accidentally implemented into the HTML5 web applications and frequently utilized in the HTML5 web applications. 2.2. Method In this investigation, we made the following list of newly introduced features in the HTML5, and offered web application security experts to investigate security risks and mitigations. HTML elements that have been newly added or functionally expanded: meta a iframe video audio source canvas input button Newly defined JavaScript API WebSocket Web Storage Offline Web Application Web Workers Cross Document Messaging In this investigation, we first listed up security risks of each feature and studied them, then inspected them as much as possible, and finally compiled this report. In addition, we also investigated other security issues and included them into this report. 4 3. Vulnerabilities that need to be noted especially in HTML5 In HTML5, new elements and attributes were added in order to expand features to present contents in web browsers. Misuse of such elements and attributes may cause vulnerabilities to be built into web sites. In addition, web applications that had been secure in the past may became vulnerable since features newly enhanced to the HTML5 may become available for attackers to attack. Of those vulnerabilities, we focused and deeply analyzed the following 4 vulnerabilities that web application developers should especially keep in mind: Cross Site Scripting (XSS) Cross Site Request Forgery (CSRF) Open Redirect Lack of Access and Authorization Control