HTML5 introduces new security risks due to features like client-side storage, geolocation, web sockets, and cross-origin resource sharing. Attackers could exploit these to launch cross-site scripting attacks, SQL injection, poison application caches, perform clickjacking, and more. While HTML5 aims to improve security with features like sandboxing, current implementations remain vulnerable. As HTML5 adds functionality, more security issues are likely to emerge that require ongoing investigation and remediation.

1. Introduction to HTML5 security
Speaker :luke

2. Outline
• What is HTML5
• Web Security related to HTML5
• Conclusion & looking forward

3. HTML5

4. HTML5
• New protocol of HTML
HTML5 + CSS3+ JavaScript
Compare to XML and XHTML
• Protocol design
 WHATWG (Apple Mozilla Google Opera) in 2004
 W3C
 IETF
• Still in progress
http://www.html5test.com/

5. HTML5

6. What’s in HTML5
• New Tag: <button> <canvas> <audio> <video>
• New Tag attribute: autocomplete ,autofocus ,regex
• New form controls for date ,time, email
• Geolocation(demo: http://html5demos.com/geo)
• Client-side storge localStorge sessionStorge and WebSQL
(demo:http://html5demos.com/database-rollback)
• WebSockets new way of communication
• WebWorkers allow multithread javascript in the background

7. What’s out in HTML5
• Present element <font><center>
• Present attribute<align><border><frame><frame set>
• Old special effects<marquee>,<bgsound>
Follow the rule :
Presentation and content are divided

8. Security Issues in HTML5

9. Basic ideas about the new vulnerability
New security problem because of new method
brought into web application
the security issues in web application has not been
changed
New security has been found worth to investigate

10. Security concern 1 client
Attack surface : client-side
• client-side and offline storage
• allows greater amount of data to be stored

11. Security concern 2 web sql
• Bring SQL to the client-side
• Core methods:
– openDatabase(“Database”,”Database
version”,”Database Description”,”Estimated Size”)
– Transaction (“SQL statement”)
• The usual attack : XSS,SQL injection can be
used here.

12. Security concern 3 Application cache
• Useful for offline browsing speed and reduce
server load
• The size limit for cached data for site :5MB
• Example 1 enabling application cache:
<html manfest=“example.manifest”>
…..
</html>
• Example 2 update applicaton cache:
applicationCache.addEventListener(‘checking’,updateCacheStatus,false);
• Poisoning the Application cache
• Any website can create a cache in the client
• Any file can be cached even in the /root directory

13. Security concern 4 html5 sandbox
• Sandbox is used to protect website from 3-
party software
<iframe src="untrusted.html" sandbox></iframe>
• can be used to clickjacking attack
<iframe sandbox=“allow-same-origin allow-form allow-scripts”>

14. Security concern 5 CROS
• Cros (Cross Origin Resource Sharing )
• Allow cross domain AJAX
var xhr = new XMLHttpRequset()
xhr.open(“post”，http://victim, ture )
xhr.setRequsetHeader(“Content-Type ”,”text/plain”);
xhr.withCredentials = “ture”;//send cookies
Xhr.send(Anything I want )
• Silent file upload
Fuction fileUpload(url,filedata,fileName){
Var fileSize = fileData.length,
Boundary =‘xxxxxxxxxxxx’
xhr = new XMLHttpRequest();
xhr.open(“POST”,url,true);
Xhr.withCredentials(“Content-Type”,”multipart/form-data”,boundary=“+boundary)
Xhr.setRequestHeader(“cotent-Length”,fileSize);}

15. Demo
Allow cross domain AJAX
http://victim.kotowicz.net/crossdomain-upload/vuln/index.php
http://attacker.kotowicz.net/crossdomain-upload/evil/upload.html
Silent file upload
http://kotowicz.net/wu/
http://attacker.kotowicz.net/wu/evil.html

16. Security concern 5 clickjacking
Clickjacking also called UI redressing
<iframe src=outer.html width=20 height=20 scrolling=nostyle="opacity:0;"></iframe>
<!-- outer.html -->
<iframe src="//victim" width=5000 height=5000 style="position: absolute; top:-
300px; left: -350px;"></iframe>

17. Security concern 5 clickjacking
Most Alexa top 500 website use frame busting
to protect from clickjackng
If (top!=self)
If (top.location != self.location)
Can be easy bypassed by in HTML5
<iframe sandbox src="//victim"></iframe>

18. Security concern 5 XSS
New Tag and new Attribute cause XSS
<video onerror=“javascript:alert(1)”><source>
<audio onerror=“javascript:alert(1)”><source>
Before HTML5:
<input type=ʺtextʺ value=ʺ‐‐>Injecting hereʺ onmouseover=ʺalert(ʹInjected valueʹ)ʺ>
With HTML5:
<input type=ʺtextʺ value=ʺ‐‐>Injecting hereʺ onfocus=ʺalert(ʹInjected valueʹ)ʺ
autofocus>

19. Security concern 5 Drag and Drop API
<div draggable=ʺtrueʺ
ondragstart=ʺevent.dataTransfer.setData(ʹtext/plainʹ, ʹEvil dataʹ)ʺ>
<h3>DRAG ME!!</h3>
</div>

20. Security concern 6 html5 shell
GET http://www.google.com Send request to
the web server
Pentester’s browser
Proxy
Send Google home page to
Pentester’s browser Send the
response body to
he proxy
Web server
Send the response body
to the shell of the
web server
Google web server Send the request
responds with the to the victim’s
HTML fot its homepage browser
Victim’s browser
www.google.com
Request the google web
server for
http://www.google.c

21. Security concern 7 network reconnaissance
Cross domain XMLHttpRequests and WebSockets
Port Status WebSocket COR
Open (application type <100ms <100ms
1&2)
Closed ~1000ms ~1000ms
Filtered >30000ms >30000ms

22. Security concern 8 HTML5 Botnets
Webworkers is a threading model for javascript
Background JavaScript threads that were started using
Botnet creation:
WebWorkers can send cross domain XMLHttpRequests even
though the remote website does not support it.
• Reaching out testvictimsthat around
A to showed
• Extending execution lifetimehas 600 zombies can send around
If you a small botnet just
Html5 botnets based attack
• Application –level DDos attacks
• Email Spam
• Distributed password cracking

23. Distributed password cracking
easy to launch a password cracker under HTML5
http://www.andlabs.org/tools/ravan.html that one browser possible
Test show
can observe password guessing rates
Submit hash of 100,000 MD5/second in JavaScript
Ravan
Ravan Mater 100-115 times slower than that native
Web
Manage Cracking Backend
code (like LC5),but if you control 100
zombies.it has the same cracking rate.
rk
Wo
lt
t
su
Ge
Re
it
bm
Su
Work farm

24. Top10 Risks in html5
1. ClickJacking & Phishing by mixing layers and iframe
2. CSRF and leveraging CORS to bypasses SOP
3. Attacking WebSQL and client side SQL injection
4. Stealing information from Storage and Global variables
5. HTML5 tag abuse and XSS
6. HTML5 and DOM based XSS and redirects
7. DOM injections and Hijacking with HTML 5
8. Abusing thick client features
9. Using WebSockets for stealth attacks
10. Abusing WebWorker functionality

25. Conclusion
• HTML5 &DOM-level3 &XHR-level2 via javascript are
involved in creating the next generation application
• As the people heavily use web browser .More
features will bring into HTML5
• More enhanced features in HTML5 will bring threat
and challenges
• More security issues will be discovered in the future

26. Reference
[1]HTML5 Security CheatSheet ‐ http://code.google.com/p/html5security/
[2]Shell of the Future ‐ http://www.andlabs.org/tools.html#sotf
[3] Next Generation Clickjacking ‐
http://www.contextis.co.uk/resources/white‐papers/clickjacking/Context‐Clic
kjacking_white_paper.pdf
[4]OWASP ClickJacking Guide ‐ http://www.owasp.org/index.php/Clickjacking
[5]http://html5sec.org/
[6]Hacking Facebook with HTML5 ‐ http://m‐austin.com/blog/?p=19
[7]http://html5demos.com
[8] https://www.owasp.org/index.php/Clickjacking
[9] http://www.andlabs.org/

27. Thanks for listening
any suggestion and comment