There is one thing security engineers and new technologies ideally have in common: they make existing stuff more secure. For the security engineer there is certainly some truth in this claim – for new technologies, however, I’m not so sure…
Recently I wanted to improve my skills in HTML5 when I stumbled on some interesting new features a penetration tester (or an attacker, which in most cases does not make a huge difference) can abuse to exploit XSS vulnerabilities. Of course there are also many more features that make other injections possible, but for XSS there are some very interesting ones. Until now, when you found an XSS hole inside an input element where < and > were filtered, you could not exploit it without user interaction unless you used CSS expressions – for example:
<input type="text" USER_SPECIFIED_INPUT >
This type of vulnerability was usually exploited using something like
or similar. Anyway, all of them work only on a limited set of browsers and are therefore not that interesting for a real exploit.
So what about HTML5? No more CSS expression is needed – the magic is called autofocus:
<input type="text" AUTOFOCUS onfocus=alert(0)>
Nice – so who expected new technologies to make users safer? This is just one example – have a look at Mario Heiderich’s “HTML 5 Security Cheatsheet” for many more of them…
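To make the defender’s side of this concrete, here is an added example (my own code, not from the post or the cheatsheet) that renders the post’s payload through a bracket-only filter and through proper attribute-context encoding, then uses Python’s stdlib HTML parser to list which attributes the tag actually ends up with. The filter names, the `value` attribute binding and the sample inputs are my assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the HTML5 vector from the post. It needs
# no '<' or '>', so a tag-bracket filter lets it straight through.
PAYLOAD = "AUTOFOCUS onfocus=alert(0)"
# Constructed variant that additionally tries to close a quoted attribute.
QUOTED_PAYLOAD = '" autofocus onfocus=alert(0) x="'

def naive_filter(value: str) -> str:
    """The bypassable filter from the post: strips only '<' and '>'."""
    return value.replace("<", "").replace(">", "")

def render_naive(value: str) -> str:
    """Unquoted attribute slot, as in <input type="text" USER_INPUT >."""
    return f'<input type="text" {naive_filter(value)} >'

def render_safe(value: str) -> str:
    """Attribute-context output encoding: bind the input to one fixed,
    quoted attribute and escape & < > " ' so it can neither close the
    quote nor add attributes (autofocus, onfocus, ...) of its own."""
    return f'<input type="text" value="{escape(value, quote=True)}">'

class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-side parser sees on <input>."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(attrs)   # names arrive lower-cased

def parsed_attrs(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs

def has_injected_handler(markup: str) -> bool:
    """Detection check: did the rendered tag gain an event handler or an
    autofocus attribute that the template itself never declared?"""
    return any(name.startswith("on") or name == "autofocus"
               for name in parsed_attrs(markup))

if __name__ == "__main__":
    for render in (render_naive, render_safe):
        out = render(PAYLOAD)
        print(f"{render.__name__}: injected={has_injected_handler(out)}  {out}")
```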
Finally – what are the lessons learned?
- I (and every penetration tester as well as every WAF/IDS developer out there, too) definitely need to look into HTML5
- HTML5 offers many new features – one might also call it “new ways to attack a web user”
So long – sc0rpio