SlideShare a Scribd company logo

HTML 5 The Good, the Bad, and the Ugly: A Security Perspective

Mario Heiderich
Mario Heiderich

This document provides an overview of HTML5 including its history, current status, implementation in browsers, and both benefits and security issues. It discusses how HTML5 aims to simplify and enhance usability but also introduces new vulnerabilities due to its dynamic nature forcing rapid implementation. While HTML5 enables rich content and interactivity, its inconsistencies and evolving specifications combined with a rush for browser support has resulted in buggy websites and potential for attacks like hijacking forms, stealing data, and bypassing security restrictions.

Technology
1 of 22
Download to read offline
HTML 5The good, the bad, the ugly A presentation by Mario Heiderich, 2010
Introduction ● Mario Heiderich ➔ Based in Cologne ➔ Grad. Eng. and PhD student ➔ Freelancer and researcher at the RUB ➔ JavaScript, markup and malware research ➔ International speaker ➔ HTML5 Security Cheatsheet [heideri.ch/jso] ➔ PHPIDS [php­ids.org] ➔ @0x6D6172696F [twitter.com]
This Presentation ● HTML5 and DOM Level 3 ● Overview and History ● HTML5 and current Browsers ● The Good ● The Bad ● The Ugly ● Discussion
HTML5 „It must be admitted that many aspects of HTML appear at first glance to be nonsensical and inconsistent.“ [w3.org/TR/html5/introduction.html#introduction]
History lesson ● 1990 – 1995 :: first revisions derived from SGML and hosted by CERN and IETF ● 1995 :: W3C took over releasing HTML3.0 ● 1997 :: HTML3.2 - many new extensions ● 1998 :: HTML4 - still used today - and DOM Level 1 ● 2000 :: DOM Level 2 Core ● 2003 :: DOM Level 2 HTML, XForms ● 2004 :: The idea for HTML5 was born - WHATWG founded ● 2006 - 2007 :: W3C redecided - particiapted in HTML5 ● 2007 - now :: WHATWG and W3C collaborate on HTML5
Current Status ● HTML5 is not ready yet – work in progress ● Same for vendor support ● No child of SGML anymore ● W3C != WHATWG, HTML5 != HTML5 ● New DOM interfaces ● Webforms 2.0 enhanced ● XHTML5
In short words ● HTML5 brings us ➔ A pile of new tags and structural elements ➔ Many new attributes ➔ Easier ways to create usable websites ➔ Generally a lack of strictness ➔ New form elements ➔ New DOM interfaces and methods ➔ And many more things - we cannot enumerate them all in two.5 hours...
Browsers ● HTML5 develops ● So do the user agents. Or at least have to. ➔ Opera :: advantage through supporting a dead specification ➔ Chrome :: release often - release early ➔ IE9 :: a lot of catching up to do – but apparently motivated! ➔ Firefox :: finally a new parser - html5.enable=true
Consistency? ● Impossible! ● W3C HTML5 specs are 4.4 MB of text ● WHATWG HTML5 specs – 707 A4 pages ● This is a lot of implementation work ● Don't we forget about ➔ CSS3 ➔ ECMAScript 5 ➔ SVG ➔ Canvas etc. etc.
So... security? ● Some say HTML5 itself is a vulnerability ● Not that funny - not that wrong ● Secure implementations require ➔ Clear specifications X ➔ Manageable amount of work X ➔ Thorough and diverse testing X ➔ Fast and precise feedback loops X ➔ Quick and comprehensive patch deployment X
Results ● Inconsistent and ever-evolving specs ● Browsers rush for implementation – [html5test.com] and others ● Webdevs still build buggy websites ● Necessary legacy support – IE6 is still around … UK gov, PayPal, etc. ● But now for some actual goodies!
The Good ● New form elements and element types enhance usability ● <input type=“ – range, tel, color, datetime­local, email, url, … ● New <output> tag ● Autofocus and active form elements ● Client-side validation and placeholders ● Form elements - outside the form
More good ● Iframe restrictions <iframe sandbox /> ● Seemlessness for iframes ● Local storage mechanisms ● Client side databases ● Geolocation services ● Notification interfaces ● Interaction with USB and RS232 devices ● Multimedia and inline SVG
So good! ● Animations and transformations ● WebGL and 3D acceleration inside the browser ● Video and audio support ● New webfont technologies ● Less Flash and Silverlight – more open standards ● Accessibility and document structuring
Any bad? ● W3C and WHATWG mean HTML5 to be ➔ An easy way to create interactive and rich content for everyone ➔ Less XMLish strictness – more open structure and fun ➔ Simplification instead of over-specification ➔ The focus is neither the server nor the browser – but the user ➔ HTML4 was screen, XHTML was open – HTML5 is web
Bad stuff please! ● Hijacking forms with the new form attribute #1 ● Stealing personal data via autofill ● Stealing focus and keystrokes #8 ● Dossing the client with bad validation regex #14 ● Bypassing blacklists with new event handlers #23 ● Using harmless attributes to execute JavaScript #10 ● Disabling framebusters with sandboxes ● Enough already? No?
The Ugly ● Abusing the history.pushState() API ➔ URL spoofing #103 ➔ Redirection to infected websites ➔ Overflowing users history ● Abusing local storage on non-FQDN ● about:blank is not a domain - or is it? ➔ Cross-medium attacks on Opera ➔ Payload hiding and obfuscation
More Ugliness ● SQL injections on the client ➔ openDatabase() uses SQLite ➔ An 0-day in SQLite affects all user agents ➔ SQL injections in the DOM ➔ DOMSQLI superseding DOMXSS ● Circumventing protection mechanisms with sandboxed iframes ● Using evil SVG chameleons ?svg
Roundup ● HTML5 does ship awesomeness ● But it also is an actual vulnerability nest ● We now know why ● HTML4 was static - few new vulnerabilities for years (except for vendor specific extensions like HTML+TIME, Data Islands, HTA, HTC, ActiveX, -moz-binding, -o-link-source and many many more) ● HTM5 is dynamic - forcing vendors to progress ● That by design leverages insecurity
Discussion ● How to improve the situation? ● Where will we be in two years? Or five? ● How to make the average user understand risks in the www? ● And what will the average user be like? ● Will there be too many web developers in five years - or just mashup architects? ● Will we still have servers - or just CDNs?
Questions ● Please feel free to ask and comment! ● Or mail me later on mario.heiderich@rub.de ● Thanks for your time!
Links ● http://simon.html5.org/html5-elements Overview on HTML tags and elements ● http://www.w3.org/TR/html5/ The W3C spec draft ● http://www.whatwg.org/specs/web-apps/current-work/multipage/ The WHATWG spec draft ● http://heideri.ch/jso/ The HTML5 Security Cheatsheet ● http://www.w3.org/TR/html5-diff/ W3C differences between HTML4 and HTML5 ● http://en.wikipedia.org/wiki/HTML5 Wikipedia page on HTML5 ● http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html Attacks against autocomplete and specific input field types ● http://seclab.stanford.edu/websec/framebusting/ Busting frame busting – a paper on framebusting and clickjacking ● http://code.google.com/p/html5security/w/list Articles on HTML5 security ● http://lists.w3.org/Archives/Public/public-web-security/ W3C HTML security mailing list

Recommended

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 

Recommended

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxMathias Karlsson
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningzulla
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Introduccion a HTML5
Introduccion a HTML5Introduccion a HTML5
Introduccion a HTML5Pablo Garaizar
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
The Bleeding Edge
The Bleeding EdgeThe Bleeding Edge
The Bleeding EdgejClarity
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptYusuf Motiwala
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.David Busby, CISSP
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 
Html5
Html5Html5
Html5Mahmoud Ghoz
 
You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)Igalia
 

More Related Content

What's hot

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009Mario Heiderich
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxMathias Karlsson
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningzulla
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
The Bleeding Edge
The Bleeding EdgeThe Bleeding Edge
The Bleeding EdgejClarity
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptYusuf Motiwala
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.David Busby, CISSP
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
 

What's hot (20)

The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
 
Breaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandboxBreaking AngularJS Javascript sandbox
Breaking AngularJS Javascript sandbox
 
Defcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanningDefcon 20-zulla-improving-web-vulnerability-scanning
Defcon 20-zulla-improving-web-vulnerability-scanning
 
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to rails
 
Introduccion a HTML5
Introduccion a HTML5Introduccion a HTML5
Introduccion a HTML5
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
The Bleeding Edge
The Bleeding EdgeThe Bleeding Edge
The Bleeding Edge
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Reverse Engineering Malicious Javascript
Reverse Engineering Malicious JavascriptReverse Engineering Malicious Javascript
Reverse Engineering Malicious Javascript
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
 

Similar to HTML 5 The Good, the Bad, and the Ugly: A Security Perspective

You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)Igalia
 
"The working architecture of NodeJs applications" Viktor Turskyi
"The working architecture of NodeJs applications" Viktor Turskyi"The working architecture of NodeJs applications" Viktor Turskyi
"The working architecture of NodeJs applications" Viktor TurskyiJulia Cherniak
 
PHP South Coast - Don't code bake, an introduction to CakePHP 3
PHP South Coast - Don't code bake, an introduction to CakePHP 3PHP South Coast - Don't code bake, an introduction to CakePHP 3
PHP South Coast - Don't code bake, an introduction to CakePHP 3David Yell
 
Making sense of the front-end, for PHP developers
Making sense of the front-end, for PHP developersMaking sense of the front-end, for PHP developers
Making sense of the front-end, for PHP developersLewiz
 
SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0Mike Belshe
 
2014 HTML5 총정리
2014 HTML5 총정리2014 HTML5 총정리
2014 HTML5 총정리Wonsuk Lee
 
Website & Internet + Performance testing
Website & Internet + Performance testingWebsite & Internet + Performance testing
Website & Internet + Performance testingRoman Ananev
 
Apache Flex and the imperfect Web
Apache Flex and the imperfect WebApache Flex and the imperfect Web
Apache Flex and the imperfect Webmasuland
 
Cross-platform Desktop application with AngularJS and build with Node-webkit
Cross-platform Desktop application with AngularJS and build with Node-webkitCross-platform Desktop application with AngularJS and build with Node-webkit
Cross-platform Desktop application with AngularJS and build with Node-webkitWittawas Wisarnkanchana
 
Client vs Server Templating: Speed up initial load for SPA with Angular as an...
Client vs Server Templating: Speed up initial load for SPA with Angular as an...Client vs Server Templating: Speed up initial load for SPA with Angular as an...
Client vs Server Templating: Speed up initial load for SPA with Angular as an...David Amend
 
Instant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositoriesInstant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositoriesYshay Yaacobi
 
Behaviour Testing and Continuous Integration with Drupal
Behaviour Testing and Continuous Integration with DrupalBehaviour Testing and Continuous Integration with Drupal
Behaviour Testing and Continuous Integration with Drupalsmithmilner
 

Similar to HTML 5 The Good, the Bad, and the Ugly: A Security Perspective (20)

Html5
Html5Html5
Html5
 
You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)
 
"The working architecture of NodeJs applications" Viktor Turskyi
"The working architecture of NodeJs applications" Viktor Turskyi"The working architecture of NodeJs applications" Viktor Turskyi
"The working architecture of NodeJs applications" Viktor Turskyi
 
HTML5 and friends
HTML5 and friendsHTML5 and friends
HTML5 and friends
 
PHP South Coast - Don't code bake, an introduction to CakePHP 3
PHP South Coast - Don't code bake, an introduction to CakePHP 3PHP South Coast - Don't code bake, an introduction to CakePHP 3
PHP South Coast - Don't code bake, an introduction to CakePHP 3
 
Making sense of the front-end, for PHP developers
Making sense of the front-end, for PHP developersMaking sense of the front-end, for PHP developers
Making sense of the front-end, for PHP developers
 
HTML5 in IE9
HTML5 in IE9HTML5 in IE9
HTML5 in IE9
 
SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0SPDY and What to Consider for HTTP/2.0
SPDY and What to Consider for HTTP/2.0
 
resume
resumeresume
resume
 
2014 HTML5 총정리
2014 HTML5 총정리2014 HTML5 총정리
2014 HTML5 총정리
 
Website & Internet + Performance testing
Website & Internet + Performance testingWebsite & Internet + Performance testing
Website & Internet + Performance testing
 
Why Go Lang?
Why Go Lang?Why Go Lang?
Why Go Lang?
 
Apache Flex and the imperfect Web
Apache Flex and the imperfect WebApache Flex and the imperfect Web
Apache Flex and the imperfect Web
 
Full stack development
Full stack developmentFull stack development
Full stack development
 
Cross-platform Desktop application with AngularJS and build with Node-webkit
Cross-platform Desktop application with AngularJS and build with Node-webkitCross-platform Desktop application with AngularJS and build with Node-webkit
Cross-platform Desktop application with AngularJS and build with Node-webkit
 
Hinting at a better web
Hinting at a better webHinting at a better web
Hinting at a better web
 
Client vs Server Templating: Speed up initial load for SPA with Angular as an...
Client vs Server Templating: Speed up initial load for SPA with Angular as an...Client vs Server Templating: Speed up initial load for SPA with Angular as an...
Client vs Server Templating: Speed up initial load for SPA with Angular as an...
 
Instant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositoriesInstant developer onboarding with self contained repositories
Instant developer onboarding with self contained repositories
 
Behaviour Testing and Continuous Integration with Drupal
Behaviour Testing and Continuous Integration with DrupalBehaviour Testing and Continuous Integration with Drupal
Behaviour Testing and Continuous Integration with Drupal
 
A Period of Transition
A Period of TransitionA Period of Transition
A Period of Transition
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

HTML 5 The Good, the Bad, and the Ugly: A Security Perspective

  • 1. HTML 5The good, the bad, the ugly A presentation by Mario Heiderich, 2010
  • 2. Introduction ● Mario Heiderich ➔ Based in Cologne ➔ Grad. Eng. and PhD student ➔ Freelancer and researcher at the RUB ➔ JavaScript, markup and malware research ➔ International speaker ➔ HTML5 Security Cheatsheet [heideri.ch/jso] ➔ PHPIDS [php­ids.org] ➔ @0x6D6172696F [twitter.com]
  • 3. This Presentation ● HTML5 and DOM Level 3 ● Overview and History ● HTML5 and current Browsers ● The Good ● The Bad ● The Ugly ● Discussion
  • 4. HTML5 „It must be admitted that many aspects of HTML appear at first glance to be nonsensical and inconsistent.“ [w3.org/TR/html5/introduction.html#introduction]
  • 5. History lesson ● 1990 – 1995 :: first revisions derived from SGML and hosted by CERN and IETF ● 1995 :: W3C took over releasing HTML3.0 ● 1997 :: HTML3.2 - many new extensions ● 1998 :: HTML4 - still used today - and DOM Level 1 ● 2000 :: DOM Level 2 Core ● 2003 :: DOM Level 2 HTML, XForms ● 2004 :: The idea for HTML5 was born - WHATWG founded ● 2006 - 2007 :: W3C redecided - particiapted in HTML5 ● 2007 - now :: WHATWG and W3C collaborate on HTML5
  • 6. Current Status ● HTML5 is not ready yet – work in progress ● Same for vendor support ● No child of SGML anymore ● W3C != WHATWG, HTML5 != HTML5 ● New DOM interfaces ● Webforms 2.0 enhanced ● XHTML5
  • 7. In short words ● HTML5 brings us ➔ A pile of new tags and structural elements ➔ Many new attributes ➔ Easier ways to create usable websites ➔ Generally a lack of strictness ➔ New form elements ➔ New DOM interfaces and methods ➔ And many more things - we cannot enumerate them all in two.5 hours...
  • 8. Browsers ● HTML5 develops ● So do the user agents. Or at least have to. ➔ Opera :: advantage through supporting a dead specification ➔ Chrome :: release often - release early ➔ IE9 :: a lot of catching up to do – but apparently motivated! ➔ Firefox :: finally a new parser - html5.enable=true
  • 9. Consistency? ● Impossible! ● W3C HTML5 specs are 4.4 MB of text ● WHATWG HTML5 specs – 707 A4 pages ● This is a lot of implementation work ● Don't we forget about ➔ CSS3 ➔ ECMAScript 5 ➔ SVG ➔ Canvas etc. etc.
  • 10. So... security? ● Some say HTML5 itself is a vulnerability ● Not that funny - not that wrong ● Secure implementations require ➔ Clear specifications X ➔ Manageable amount of work X ➔ Thorough and diverse testing X ➔ Fast and precise feedback loops X ➔ Quick and comprehensive patch deployment X
  • 11. Results ● Inconsistent and ever-evolving specs ● Browsers rush for implementation – [html5test.com] and others ● Webdevs still build buggy websites ● Necessary legacy support – IE6 is still around … UK gov, PayPal, etc. ● But now for some actual goodies!
  • 12. The Good ● New form elements and element types enhance usability ● <input type=“ – range, tel, color, datetime­local, email, url, … ● New <output> tag ● Autofocus and active form elements ● Client-side validation and placeholders ● Form elements - outside the form
  • 13. More good ● Iframe restrictions <iframe sandbox /> ● Seemlessness for iframes ● Local storage mechanisms ● Client side databases ● Geolocation services ● Notification interfaces ● Interaction with USB and RS232 devices ● Multimedia and inline SVG
  • 14. So good! ● Animations and transformations ● WebGL and 3D acceleration inside the browser ● Video and audio support ● New webfont technologies ● Less Flash and Silverlight – more open standards ● Accessibility and document structuring
  • 15. Any bad? ● W3C and WHATWG mean HTML5 to be ➔ An easy way to create interactive and rich content for everyone ➔ Less XMLish strictness – more open structure and fun ➔ Simplification instead of over-specification ➔ The focus is neither the server nor the browser – but the user ➔ HTML4 was screen, XHTML was open – HTML5 is web
  • 16. Bad stuff please! ● Hijacking forms with the new form attribute #1 ● Stealing personal data via autofill ● Stealing focus and keystrokes #8 ● Dossing the client with bad validation regex #14 ● Bypassing blacklists with new event handlers #23 ● Using harmless attributes to execute JavaScript #10 ● Disabling framebusters with sandboxes ● Enough already? No?
  • 17. The Ugly ● Abusing the history.pushState() API ➔ URL spoofing #103 ➔ Redirection to infected websites ➔ Overflowing users history ● Abusing local storage on non-FQDN ● about:blank is not a domain - or is it? ➔ Cross-medium attacks on Opera ➔ Payload hiding and obfuscation
  • 18. More Ugliness ● SQL injections on the client ➔ openDatabase() uses SQLite ➔ An 0-day in SQLite affects all user agents ➔ SQL injections in the DOM ➔ DOMSQLI superseding DOMXSS ● Circumventing protection mechanisms with sandboxed iframes ● Using evil SVG chameleons ?svg
  • 19. Roundup ● HTML5 does ship awesomeness ● But it also is an actual vulnerability nest ● We now know why ● HTML4 was static - few new vulnerabilities for years (except for vendor specific extensions like HTML+TIME, Data Islands, HTA, HTC, ActiveX, -moz-binding, -o-link-source and many many more) ● HTM5 is dynamic - forcing vendors to progress ● That by design leverages insecurity
  • 20. Discussion ● How to improve the situation? ● Where will we be in two years? Or five? ● How to make the average user understand risks in the www? ● And what will the average user be like? ● Will there be too many web developers in five years - or just mashup architects? ● Will we still have servers - or just CDNs?
  • 21. Questions ● Please feel free to ask and comment! ● Or mail me later on mario.heiderich@rub.de ● Thanks for your time!
  • 22. Links ● http://simon.html5.org/html5-elements Overview on HTML tags and elements ● http://www.w3.org/TR/html5/ The W3C spec draft ● http://www.whatwg.org/specs/web-apps/current-work/multipage/ The WHATWG spec draft ● http://heideri.ch/jso/ The HTML5 Security Cheatsheet ● http://www.w3.org/TR/html5-diff/ W3C differences between HTML4 and HTML5 ● http://en.wikipedia.org/wiki/HTML5 Wikipedia page on HTML5 ● http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html Attacks against autocomplete and specific input field types ● http://seclab.stanford.edu/websec/framebusting/ Busting frame busting – a paper on framebusting and clickjacking ● http://code.google.com/p/html5security/w/list Articles on HTML5 security ● http://lists.w3.org/Archives/Public/public-web-security/ W3C HTML security mailing list