Saturday, January 19, 2013

HTML5/Browser Evolution and Threats

It all started in 1991 when HTTP and HTML came into picture and browser started to evolve. From that time onwards several new set of technologies gradually coming into the browser as per requirements. By introduction of HTML5 it has bounced to the next level. Here is a quick curve of technologies with time.
Figure 1 - HTML5 Evolution
As technologies evolve it brings new feature and threats along. Technologies are making browser much more complex in nature at the same time opens up attack surface for attacker and attack agents.
a.) HTTP and HTML were very static to start with. There is no need of dynamic manipulation within the browser. At some point server side technologies moved out from typical CGI and started to introduce strong feature. At that point one of the biggest limitations of HTTP protocol was realized and that is not having state to the connection. Hence, Cookie came into existence and new complexity added to the browser. At that point browser started to become an attack point and having some “confidential” information.
b.) As infrastructure started to move on the web more dynamic manipulation requirement started to come in and that is where JavaScript, Java and DOM added to the technology stack. It definitely brought new threat vectors to the browser and field became very dynamic. It is well supported by server side technologies like ASP, PHP, Perl etc. It took browser to the next level. At the same time traffic’s integrity and confidentiality became an important aspect. Hence, SSL brought in and point to point tunneling over encrypted channel established. It provides certificate based traffic which helps in maintaining confidentiality and integrity of the information. Again new threat and man in the middle attack vector started to gain popularity.
c.) Applications have started to use HTML, JavaScript and CSS extensively and specifications are empowered by powerful DOM and event models. Specifications are now empowered with new tags, attributes and events. All these are embedded by JavaScript. This new approach gives rise to vulnerabilities like Cross Site Scripting, Cross Site Request Forgery and few other tricks.  Evolution started to reach a point where extensive exposure and attack surface on the browser made open for attackers.
d.) Browser requirements started to grow and plugins like flash being introduced and that took browsers to the next level. Browser’s surface expanded by add-ons, plugins and other similar thick features. At the same time JavaScript and DOM specifications started to spiced up for feature requirements. At the end more attack vectors and exploit opportunities come into existence. Vectors and exploit kits started to use JavaScript extensively.
f.) Developers and world need still better and more generic thick feature solutions. Hence, Ajax driven approach introduced with Web 2.0 technologies. People have started to use XMLHttpRequest object along with powerful DOM manipulations across browser stack. This turns out to be game changer and browser usage started to move towards generic and not plug-in driven. DOM based attacks started to grow from this point onwards. DOM exploitation and information harvesting through JavaScript became a prime attack point from security standpoint. Lot of requirement for secure coding on browser side came as prime requirement.
h.) Finally, HTML5 started to kick in, powerful specifications Canvas, Web Fonts, WebGL, Storage, WebSQL, Web Workers etc. came up and still evolving. HTML5 turns out to be a group of specifications taking browser to the next level. Browser based applications started to evolve and turning out to be powerful single DOM and single page application or software. This is a major change we are getting into. This platform is not restricted to desktop but extended to the mobile as well. All these bring next generation threats and new techniques to existing vectors. As shown on the chart above we have group of new technologies baked in the browser around 2012 and security aspects need greater attention. To analyze and understand overall security picture we need to scope out threat model and threat vectors clearly. It helps in providing secure coding practices around client side components.
Browser architecture would look like below to support HTML5 technology stack.
Figure 2 - Browser with HTML5 stack
During this evolution various different threats and attack vectors evolved. Here is a simple threat bubble for client side attack points.
Figure 3 - HTML5 threats and bubble
As we can see top two vectors were XSS and CSRF, both are leveraging JavaScript extensively. Over period these vectors are used extensively to exploit client side sessions. It allows attacker to get session cookies and hijack the session. It allows access to confidential information and unauthorized session to the targeted web applications. CSRF allows to forcefully replaying cookie along with critical call. It allows generating a request from the browser without user’s consent or knowledge. Those two bubbles grown up over period and became very significant attack vectors. Also, OWASP and other standards have given them ranking in top 10 and must resolved error status. Usually XSS falls into critical bucket and CSRF depends on the type of form or target request.
Other bubbles for attacks were ClickJacking, Abuse of functionality and open redirect. These vectors allow different level of threats to the end users. ClickJacking hijack user’s click without knowledge or consent by injecting iframes and other similar methodologies. Browser’s are having mechanism to allow redirect for business logic and smooth site-to-site flow. This specific feature can be exploited to inject open redirect and compromise user’s trust. At the same time applications are using DOM and related functionalities extensively so abuse around browser side functionalities crop up by attackers and various other toolkits. This is second layer of attack vectors.
Finally, there are several other small bubbles of threats lingering on browsers like Denial of Services (DoS), Phishing, SSL and Crypto issues. All these vectors again bring different level of threats and scenario of exploitation. All these were traditional attack vectors and as technology started to get complex these stack of vectors got their way through into the browser’s threat model. Both browser’s specification weakness and poor programming on the developer’s side lead to wide spread exploitation and great concern for browser security. Browser became the most important window to the world of Internet and its security is utmost important in this era where banking, trading, social networking etc. simply runs on the browser platform. Now, with HTML5 threat are more exposed and mode for evaluation need to change.