Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
HTML 5The good, the bad, the ugly
A presentation by Mario Heiderich, 2010
Introduction
● Mario Heiderich
➔ Based in Cologne
➔ Grad. Eng. and PhD student
➔ Freelancer and researcher at the RUB
➔ Ja...
This Presentation
● HTML5 and DOM Level 3
● Overview and History
● HTML5 and current Browsers
● The Good
● The Bad
● The U...
HTML5
„It must be admitted that many aspects of HTML
appear at first glance to be nonsensical and
inconsistent.“
[w3.org/T...
History lesson
● 1990 – 1995 :: first revisions derived from SGML and hosted by
CERN and IETF
● 1995 :: W3C took over rele...
Current Status
● HTML5 is not ready yet – work in progress
● Same for vendor support
● No child of SGML anymore
● W3C != W...
In short words
● HTML5 brings us
➔ A pile of new tags and structural elements
➔ Many new attributes
➔ Easier ways to creat...
Browsers
● HTML5 develops
● So do the user agents. Or at least have to.
➔ Opera :: advantage through supporting a dead
spe...
Consistency?
● Impossible!
● W3C HTML5 specs are 4.4 MB of text
● WHATWG HTML5 specs – 707 A4 pages
● This is a lot of imp...
So... security?
● Some say HTML5 itself is a vulnerability
● Not that funny - not that wrong
● Secure implementations requ...
Results
● Inconsistent and ever-evolving specs
● Browsers rush for implementation
– [html5test.com] and others
● Webdevs s...
The Good
● New form elements and element types enhance
usability
● <input type=“
– range, tel, color, datetime­local, emai...
More good
● Iframe restrictions <iframe sandbox />
● Seemlessness for iframes
● Local storage mechanisms
● Client side dat...
So good!
● Animations and transformations
● WebGL and 3D acceleration inside the browser
● Video and audio support
● New w...
Any bad?
● W3C and WHATWG mean HTML5 to be
➔ An easy way to create interactive and rich
content for everyone
➔ Less XMLish...
Bad stuff please!
● Hijacking forms with the new form attribute #1
● Stealing personal data via autofill
● Stealing focus ...
The Ugly
● Abusing the history.pushState() API
➔ URL spoofing #103
➔ Redirection to infected websites
➔ Overflowing users ...
More Ugliness
● SQL injections on the client
➔
openDatabase() uses SQLite
➔ An 0-day in SQLite affects all user agents
➔ S...
Roundup
● HTML5 does ship awesomeness
● But it also is an actual vulnerability nest
● We now know why
● HTML4 was static -...
Discussion
● How to improve the situation?
● Where will we be in two years? Or five?
● How to make the average user unders...
Questions
● Please feel free to ask and comment!
● Or mail me later on mario.heiderich@rub.de
● Thanks for your time!
Links
● http://simon.html5.org/html5-elements Overview on HTML tags and elements
● http://www.w3.org/TR/html5/ The W3C spe...
Upcoming SlideShare
Loading in …5
×

HTML5 - The Good, the Bad, the Ugly

3,338 views

Published on

Published in: Technology
  • If you need your papers to be written and if you are not that kind of person who likes to do researches and analyze something - you should definitely contact these guys! They are awesome ⇒⇒⇒WRITE-MY-PAPER.net ⇐⇐⇐
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating for everyone is here: ❶❶❶ http://bit.ly/2Qu6Caa ❶❶❶
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Sex in your area is here: ❤❤❤ http://bit.ly/2Qu6Caa ❤❤❤
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THAT BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book that can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer that is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement,-- Atomic Habits: An Easy &amp; Proven Way to Build Good Habits &amp; Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money That the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths that Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THAT BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book that can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer that is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement,-- Atomic Habits: An Easy &amp; Proven Way to Build Good Habits &amp; Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money That the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths that Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

HTML5 - The Good, the Bad, the Ugly

  1. 1. HTML 5The good, the bad, the ugly A presentation by Mario Heiderich, 2010
  2. 2. Introduction ● Mario Heiderich ➔ Based in Cologne ➔ Grad. Eng. and PhD student ➔ Freelancer and researcher at the RUB ➔ JavaScript, markup and malware research ➔ International speaker ➔ HTML5 Security Cheatsheet [heideri.ch/jso] ➔ PHPIDS [php­ids.org] ➔ @0x6D6172696F [twitter.com]
  3. 3. This Presentation ● HTML5 and DOM Level 3 ● Overview and History ● HTML5 and current Browsers ● The Good ● The Bad ● The Ugly ● Discussion
  4. 4. HTML5 „It must be admitted that many aspects of HTML appear at first glance to be nonsensical and inconsistent.“ [w3.org/TR/html5/introduction.html#introduction]
  5. 5. History lesson ● 1990 – 1995 :: first revisions derived from SGML and hosted by CERN and IETF ● 1995 :: W3C took over releasing HTML3.0 ● 1997 :: HTML3.2 - many new extensions ● 1998 :: HTML4 - still used today - and DOM Level 1 ● 2000 :: DOM Level 2 Core ● 2003 :: DOM Level 2 HTML, XForms ● 2004 :: The idea for HTML5 was born - WHATWG founded ● 2006 - 2007 :: W3C redecided - particiapted in HTML5 ● 2007 - now :: WHATWG and W3C collaborate on HTML5
  6. 6. Current Status ● HTML5 is not ready yet – work in progress ● Same for vendor support ● No child of SGML anymore ● W3C != WHATWG, HTML5 != HTML5 ● New DOM interfaces ● Webforms 2.0 enhanced ● XHTML5
  7. 7. In short words ● HTML5 brings us ➔ A pile of new tags and structural elements ➔ Many new attributes ➔ Easier ways to create usable websites ➔ Generally a lack of strictness ➔ New form elements ➔ New DOM interfaces and methods ➔ And many more things - we cannot enumerate them all in two.5 hours...
  8. 8. Browsers ● HTML5 develops ● So do the user agents. Or at least have to. ➔ Opera :: advantage through supporting a dead specification ➔ Chrome :: release often - release early ➔ IE9 :: a lot of catching up to do – but apparently motivated! ➔ Firefox :: finally a new parser - html5.enable=true
  9. 9. Consistency? ● Impossible! ● W3C HTML5 specs are 4.4 MB of text ● WHATWG HTML5 specs – 707 A4 pages ● This is a lot of implementation work ● Don't we forget about ➔ CSS3 ➔ ECMAScript 5 ➔ SVG ➔ Canvas etc. etc.
  10. 10. So... security? ● Some say HTML5 itself is a vulnerability ● Not that funny - not that wrong ● Secure implementations require ➔ Clear specifications X ➔ Manageable amount of work X ➔ Thorough and diverse testing X ➔ Fast and precise feedback loops X ➔ Quick and comprehensive patch deployment X
  11. 11. Results ● Inconsistent and ever-evolving specs ● Browsers rush for implementation – [html5test.com] and others ● Webdevs still build buggy websites ● Necessary legacy support – IE6 is still around … UK gov, PayPal, etc. ● But now for some actual goodies!
  12. 12. The Good ● New form elements and element types enhance usability ● <input type=“ – range, tel, color, datetime­local, email, url, … ● New <output> tag ● Autofocus and active form elements ● Client-side validation and placeholders ● Form elements - outside the form
  13. 13. More good ● Iframe restrictions <iframe sandbox /> ● Seemlessness for iframes ● Local storage mechanisms ● Client side databases ● Geolocation services ● Notification interfaces ● Interaction with USB and RS232 devices ● Multimedia and inline SVG
  14. 14. So good! ● Animations and transformations ● WebGL and 3D acceleration inside the browser ● Video and audio support ● New webfont technologies ● Less Flash and Silverlight – more open standards ● Accessibility and document structuring
  15. 15. Any bad? ● W3C and WHATWG mean HTML5 to be ➔ An easy way to create interactive and rich content for everyone ➔ Less XMLish strictness – more open structure and fun ➔ Simplification instead of over-specification ➔ The focus is neither the server nor the browser – but the user ➔ HTML4 was screen, XHTML was open – HTML5 is web
  16. 16. Bad stuff please! ● Hijacking forms with the new form attribute #1 ● Stealing personal data via autofill ● Stealing focus and keystrokes #8 ● Dossing the client with bad validation regex #14 ● Bypassing blacklists with new event handlers #23 ● Using harmless attributes to execute JavaScript #10 ● Disabling framebusters with sandboxes ● Enough already? No?
  17. 17. The Ugly ● Abusing the history.pushState() API ➔ URL spoofing #103 ➔ Redirection to infected websites ➔ Overflowing users history ● Abusing local storage on non-FQDN ● about:blank is not a domain - or is it? ➔ Cross-medium attacks on Opera ➔ Payload hiding and obfuscation
  18. 18. More Ugliness ● SQL injections on the client ➔ openDatabase() uses SQLite ➔ An 0-day in SQLite affects all user agents ➔ SQL injections in the DOM ➔ DOMSQLI superseding DOMXSS ● Circumventing protection mechanisms with sandboxed iframes ● Using evil SVG chameleons ?svg
  19. 19. Roundup ● HTML5 does ship awesomeness ● But it also is an actual vulnerability nest ● We now know why ● HTML4 was static - few new vulnerabilities for years (except for vendor specific extensions like HTML+TIME, Data Islands, HTA, HTC, ActiveX, -moz-binding, -o-link-source and many many more) ● HTM5 is dynamic - forcing vendors to progress ● That by design leverages insecurity
  20. 20. Discussion ● How to improve the situation? ● Where will we be in two years? Or five? ● How to make the average user understand risks in the www? ● And what will the average user be like? ● Will there be too many web developers in five years - or just mashup architects? ● Will we still have servers - or just CDNs?
  21. 21. Questions ● Please feel free to ask and comment! ● Or mail me later on mario.heiderich@rub.de ● Thanks for your time!
  22. 22. Links ● http://simon.html5.org/html5-elements Overview on HTML tags and elements ● http://www.w3.org/TR/html5/ The W3C spec draft ● http://www.whatwg.org/specs/web-apps/current-work/multipage/ The WHATWG spec draft ● http://heideri.ch/jso/ The HTML5 Security Cheatsheet ● http://www.w3.org/TR/html5-diff/ W3C differences between HTML4 and HTML5 ● http://en.wikipedia.org/wiki/HTML5 Wikipedia page on HTML5 ● http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html Attacks against autocomplete and specific input field types ● http://seclab.stanford.edu/websec/framebusting/ Busting frame busting – a paper on framebusting and clickjacking ● http://code.google.com/p/html5security/w/list Articles on HTML5 security ● http://lists.w3.org/Archives/Public/public-web-security/ W3C HTML security mailing list

×