{"id":190,"date":"2010-10-02T12:29:11","date_gmt":"2010-10-02T11:29:11","guid":{"rendered":"http:\/\/www.floyd.ch\/?p=190"},"modified":"2011-07-28T16:41:34","modified_gmt":"2011-07-28T15:41:34","slug":"html5-security-where-are-our-lessons-learned","status":"publish","type":"post","link":"https:\/\/www.floyd.ch\/?p=190","title":{"rendered":"HTML5 security – making web users more safe?"},"content":{"rendered":"

There is one thing security engineers and new technologies ideally have in common: They make existing stuff more secure. For the security engineer, there is certainly a truth in this claim – for new technologies however, I’m not that sure though…<\/p>\n

Recently I wanted to improve my skills in HTML5 when I stumbled on some interesting new features a penetration tester (or an attacker, which in most cases does not make a huge difference) can abuse to exploit XSS-vulnerabilities. Of course there are also many more features that make other injections possible, but for XSS there are some very interesting ones. Until now, when you found a XSS hole within a input element that has filtered < and > you could not exploit it automatically without using CSS expressions – for example:<\/p>\n

\r\n<input type="text" USER_SPECIFIED_INPUT >\r\n<\/pre>\n
This type of vulnerability was usually exploited using something like<\/p>\n
\r\nstyle=xss:expression(alert(0))\r\n<\/pre>\n
or similar. Anyway all of them work on a limited set of browsers only and are therefore not that interesting for a real exploit.<\/p>\n
So what about HTML5? No more CSS expression is needed – the magic is called autofocus<\/em>:<\/p>\n
<input type="text" AUTOFOCUS onfocus=alert(0)><\/pre>\n
Nice – so who did expect new technologies to make users safer? This is just one example – have a look at Mario Heiderich’s “HTML 5 Security Cheatsheet<\/a>” for many more of them…<\/p>\n
Finally – what are the lessons learned?<\/p>\n