This very useful talk was as much an education in HTML5 for me as it was an education on how HTML5 can be abused. I am coming up to speed on HTML5 concepts.
Shreeraj Shah (@Shreeraj) Founder and Director of BlueInfy presented this talk, XSS and CSRF with HTML5 – Attack, exploit, and Defense, presented by
HTML5. It is tempting to think it would be designed with all the security knowledge acquired from its predecessor incorporated into its design and there are indeed efforts toward that reflected in the design. But any security veteran would suspect that nonetheless there are clever things that can be done and of course there are.
With XHR2, it is possible to contrive a cross origin tunnel that is amenable to CSRF. One overarching concept in HTML5 is Same Origin Policy (SOP) which as it turns out can be circumvented. img, script, and iframe evade SOP so attack payloads can be inserted in those tags. A dummy form with the attack payload in the POST can also be used to circumvent mechanisms that would otherwise catch it. Cookie replay can be forced by “withCredentials.”
I gather from this talk that XHR1 is not versatile enough to be useful as an attack, one must generally use XHR2. CORS (Cross Origin Resource Sharing) combined with XHR can allow for posting whatever (i.e. attacks) across domain. The push_state function can allow changing the address bar programatically. Defenses against attacks include Content Security Policy. Script src ‘self’ will prevent XSS. HTML5 also includes threading and messages that can be sent to other threads within the app; so the countermeasure for this is to write the app in such a way that it checks origin before posting the message.
My conclusions on this talk besides it being a very well done talk are that I need to get very familiar with HTML5 and probably code up a simple app in it that exercises the concepts. Another talk given by Dan Kuykendall, the co-CEO of NTO (see my review elsewhere) shows quite vividly that a great many of the new software technologies (JSON, AJAX, REST, AMF, etc) are really just pushing the fruit deeper but once you get the fruit, the injection and perturbation techniques for attacking it are largely the same. This talk is a fine counterpoint to that one insofar as it addresses the architectural concerns that come with these new software technologies… i.e. the context in which the fruit is exploited.
Leave a Reply