Learn more about two of many new attacks

HTML5 Security

HTML5 brings new opportunities – for developers and for attackers. Here you will see two examples of how an attacker could abuse HTML5 and how you as a developer could prevent this (or not).

These are only two of many new or improved attacks on web clients. I chose them for two reasons: the first is a new attack, first described in December 2011 and not widely known to developers. The second shows a misuse of new HTML5 functionality which has often been overlooked.

A new kind of XSS

I assume that all readers know DOM-based XSS. If not, you can find a good description in a paper by Amit Klein, in which he described the concept for the first time, back in 2005 [1]. In short, DOM-based XSS works solely in the browser: it abuses vulnerabilities in JavaScript code on the client and is independent of the code on the server. As you can see from the year of its discovery, it does not depend on HTML5 at all; it depends only on JavaScript code in the browser.
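The following added example (not code from the article or from the papers it cites) shows why DOM-based XSS is invisible to server-side code: data in the URL fragment is never sent in the request, yet client-side script reads it and may write it into the page. The URL, the `name` parameter and all function names are constructed for illustration, and string building stands in for a browser's `innerHTML` sink so that the block runs under Node.js.

```javascript
// Constructed sample URL. The fragment decodes to: name=<em id="injected">guest</em>
const SAMPLE_URL =
  'https://shop.example/welcome?lang=en' +
  '#name=%3Cem%20id%3D%22injected%22%3Eguest%3C%2Fem%3E';

// What the browser puts on the HTTP request line: path and query only.
// The fragment stays in the browser, so server-side filters and logs never see it.
function requestTargetSeenByServer(rawUrl) {
  const u = new URL(rawUrl);
  return u.pathname + u.search;
}

// What client-side script obtains when it parses location.hash.
function nameFromFragment(rawUrl) {
  const fragment = new URL(rawUrl).hash.slice(1); // drop the leading '#'
  return new URLSearchParams(fragment).get('name') || '';
}

// Vulnerable pattern: untrusted text concatenated into markup that would then
// be assigned to innerHTML or passed to document.write().
function greetingUnsafe(rawUrl) {
  return '<p>Hello, ' + nameFromFragment(rawUrl) + '</p>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode for the HTML element-content context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: the value is encoded before it reaches the markup.
// In a real page, assigning to element.textContent achieves the same result.
function greetingSafe(rawUrl) {
  return '<p>Hello, ' + escapeHtml(nameFromFragment(rawUrl)) + '</p>';
}

console.log('server sees :', requestTargetSeenByServer(SAMPLE_URL));
console.log('client reads:', nameFromFragment(SAMPLE_URL));
console.log('unsafe      :', greetingUnsafe(SAMPLE_URL));
console.log('safe        :', greetingSafe(SAMPLE_URL));
```

Because the server only ever receives `/welcome?lang=en`, the fix has to live in the client-side code that handles the fragment.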

But with HTML5, we get a new version of XSS: Resident XSS. Artur Janc chose this name for a new attack, which he presented at the 28th Chaos Communication Congress in December 2011. In the case of Resident XSS, the malicious JavaScript code is introduced permanently into the web client of a user [2]. Unlike traditional XSS, whether reflected, persistent or DOM-based, where the malicious code (in most cases) is executed and then terminates, the Resident XSS code remains active as long as the affected window or tab remains open. Artur Janc used Resident XSS to implement a rootkit in the web client. With the permanently running code, the attacker gains complete control over the web client and access to the web application in the name of the attacked user. All input to and output from the web application is under his control. And all this without any chance for the server to recognise the attack or to inform the user in case the attack is recognised.

THIS IS A PREVIEW. DOWNLOAD ISSUE 4 TO READ THE FULL ARTICLE
