The reason I decided to write this post is that I have encountered too many flawed HTML5 games and demos, and one of them blew me sky high today, right on Newgrounds. I just want to help, that's it. If this post is too technical for you, please PM me for more explanation.
HTML5 is the 5th version of the standard markup language HTML, which stands for Hyper Text Markup Language. HTML is the core language of every webpage and builds the contents of the World Wide Web. HTML5 not only supports a newer DOM (Document Object Model) but also dynamic media functions and CSS3.
However, everything has two sides, bright and dark, and the same goes for HTML5. Its flaws and vulnerabilities can cause major headaches for its users, or outright disastrous problems.
Because of HTML5's new properties, most of the older HTML functions have also changed, and this creates many new problems. As software devs used to tell each other, "adding new code is creating new bugs"; unfortunately, this is unavoidable. The only thing we can do is temporarily prevent the flaw from biting our asses once more.
localStorage Loop - Basically, the localStorage function asks the user's browser to store the given info of an HTML5 app in cookies. In Firefox, this is filtered if the cookies are poisonous; others, and especially IE, will perform the storage automatically. This flaw is very serious, but not serious enough to be called a vulnerability.
Instead of creating healthy storage, the attacker pumps the cookies full of rubbish by looping the storing calls to infinity until the system crashes. Demo. Exploit.
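A defensive counterpart to the storage loop described above, added here as an example and not code from the original post: a wrapper that refuses writes past an app-level byte budget and catches the browser's quota error, so a runaway loop stops after a handful of writes. The budget size, the Storage-like interface and the in-memory stand-in are assumptions for the demo.

```javascript
// Added example, not code from the original post: a bounded wrapper around any
// Storage-like object (window.localStorage in a browser). A write that would push the
// app past a byte budget is refused, and the browser's own QuotaExceededError is caught,
// so a runaway storage loop fails fast instead of filling the user's disk. The 64 KiB
// default budget is an assumption chosen for the demo.
function createBoundedStorage(storage, maxBytes = 64 * 1024) {
  // Rough size of one key/value pair in bytes (UTF-16 code units * 2).
  const bytesOf = (k, v) => (k.length + v.length) * 2;
  function usedBytes() {
    let total = 0;
    for (let i = 0; i < storage.length; i++) {
      const k = storage.key(i);
      total += bytesOf(k, storage.getItem(k) || '');
    }
    return total;
  }
  function setItem(key, value) {
    value = String(value);
    const old = storage.getItem(key);
    const projected = usedBytes() - (old === null ? 0 : bytesOf(key, old)) + bytesOf(key, value);
    if (projected > maxBytes) return { ok: false, reason: 'over-budget', used: usedBytes() };
    try {
      storage.setItem(key, value);
    } catch (e) {
      // Browsers signal a full store with a DOMException named QuotaExceededError (code 22).
      if (e && (e.name === 'QuotaExceededError' || e.code === 22)) return { ok: false, reason: 'quota', used: usedBytes() };
      throw e; // anything else is a real bug, let it surface
    }
    return { ok: true, reason: null, used: projected };
  }
  return { setItem, usedBytes, getItem: (k) => storage.getItem(k) };
}

// Constructed in-memory stand-in for localStorage so the demo runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { get length() { return m.size; }, key: (i) => [...m.keys()][i] ?? null,
           getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}

// Emulates the flaw above: a loop that keeps storing 1 KiB blobs under fresh keys.
// Returns how many writes the wrapper let through and the reason it stopped.
function runawayLoop(bounded, attempts) {
  let accepted = 0, stoppedBy = null;
  for (let i = 0; i < attempts && stoppedBy === null; i++) {
    const r = bounded.setItem('junk' + i, 'x'.repeat(512)); // 512 chars = 1 KiB
    if (r.ok) accepted++; else stoppedBy = r.reason;
  }
  return { accepted, stoppedBy };
}
```

With an 8 KiB budget, `runawayLoop(createBoundedStorage(memoryStorage(), 8 * 1024), 1000)` lets seven writes through and then reports `over-budget`; in a real page the same wrapper would additionally surface the browser's quota error as `quota`.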
Tag - Recently I had a super headache with the audio tag in HTML5, because Firefox has problems with it. But that's not everything. The more I dive deep into this awesome language, the more shit I hit. No really, I found out that more than half of HTML5 tags can do superhuman things that they are not supposed to do.
Most flaws are quite harmless, but missing tags (e.g. an ending tag) or misuse in code can create catastrophic vulnerabilities such as classic Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF). With these two vulns, I can steal anyone's credentials.
// Take Newgrounds: I upload a small malicious HTML5 game here that contains a worm that collects user cookies whenever someone clicks my little game. Of course, that's not the end of it. Say NG adds a medal system for HTML5 games. Now my little script can crawl the info transmitted from users every time they 'win' a medal. I notice NG doesn't have HTTPS/TLS, which means most info is transmitted unencrypted. Now I can steal users' sessions and gain access to their accounts. This is not a theory, because I did the same on other Flash/Java content sites. Why not HTML5?
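The XSS half of the warning above, from the game developer's side, as an added example that is not code from the original post: an HTML5 game that shows player-supplied text (names, chat, medal labels) has to escape it before it becomes markup. The scoreboard renderer, its field names and the sample entries are assumptions for the demo.

```javascript
// Added example, not code from the original post. It shows the unsafe concatenation
// pattern beside a hardened renderer whose untrusted fields pass through escapeHtml().
// In a live page, element.textContent gives the same protection without building
// markup by hand. The entries at the bottom are constructed sample data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise the five characters that can open a tag, close an attribute or break a quote.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: untrusted text dropped straight into markup, so a player name that
// contains a tag becomes live markup for every visitor who views the scoreboard.
function renderScoreboardUnsafe(entries) {
  return '<ul>' + entries.map((e) => `<li>${e.name}: ${e.score}</li>`).join('') + '</ul>';
}

// Hardened form: every untrusted field is escaped, and the score is coerced to a
// finite number so markup cannot ride in through that field either.
function renderScoreboard(entries) {
  const rows = entries.map((e) => {
    const score = Number.isFinite(Number(e.score)) ? Number(e.score) : 0;
    return `<li>${escapeHtml(e.name)}: ${score}</li>`;
  });
  return '<ul>' + rows.join('') + '</ul>';
}

// Release-time check: the only tags allowed in the scoreboard markup are the
// <ul>/<li> we emit ourselves; anything else means untrusted text got through.
function containsForeignTag(html) {
  return /<(?!\/?(?:ul|li)>)/.test(html);
}

// Constructed sample: one honest player and one whose "name" is a script tag.
const sampleEntries = [
  { name: 'alice', score: 120 },
  { name: '<script>alert(1)</script>', score: 'not-a-number' },
];
```

`containsForeignTag(renderScoreboardUnsafe(sampleEntries))` is true and the hardened renderer's output is not, which is the check to run on every template that touches user data before release.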
Client-side SQL Injection - SQL injection, or SQLi, is a black hole of web application security. Structured Query Language (SQL) is the main component websites use to perform data storage. If the web dev misuses or misses the closing bit of SQL code, the attacker can then inject malicious code to request, modify, add or delete server data. A more skilled attacker could take control of the server using just SQL injection.
localStorage Command injection - This is actually a new concept, and I am working hard on this attack vector. I found the problem, but I am still struggling with a fully working exploit. Since we all know localStorage's capability (first flaw), we can turn a knife into a sword. Command injection is a variant of code injection (SQLi is one form). The attacker injects commands into the user's or server's system, depending on what OS they are using. By this, the attacker can gain info or even full access to the victim's system.
Oh! The game & medals again! This time we will target users. We add a script that controls all the code to be injected into Mac, Win, Linux or BSD systems. Now, instead of requesting the user's data to be stored, we request pseudo code for storage that contains a command to confirm the successful injection. If it works, the script then automatically requests system information. Most people would argue that some newer Win versions, and Linux in general, cannot run commands without permission. This is quite wrong, because writing data into the system automatically grants permission for a 3rd party application to do so, making read & write permits. Then reusing the stored data next time gains an execute permit. So why wouldn't command injection do the same?
Web Application Botnet - Web app botnets aren't new. In fact, hackers have been using this trick to mine Bitcoin illegally. However, HTML5 makes the whole botnet thing much easier to do. Why? Because of the autonomous read, write & execute permission. The localStorage flaw is strong evidence.
The game & medal will play one last important role in our security opera. We add an XSS worm, similar to the first flaw. But instead of just stealing creds, we control the users' browsers in real time. We can then inject junk into the user's browsing data, inject malware into the user's system for permanent control (r, w & e of localStorage), phish the user or redirect the user to a targeted site to create a denial-of-service. The possibilities are endless, and fun!
Close all the tags! Lulz. Well, I mean check your code before you release it. Debug it again and again, then let a hacker do the testing work. Or learn how to hack yourself.
- Firefox or Chrome :: Not only do they support powerful addons that are important for debugging, but they also have a sandbox.
- Firebug :: The best debugging tool for web app
- DOM Inspector :: DOM debugger, build into Firebug
- Greasemonkey :: run custom script
- User Agent Switcher :: The name says so
- Tamper Data :: debugging and attack tool
- FireQuery :: jQuery debugger
- FireRainbow :: JS syntax highlighting
- Validator :: General validating HTML
Open your eyes & mind wide, be silent, and listen. You will see more things happening around you. Also, ask more questions.
After-note: I'll make this part short. Although I am a strong supporter of open software projects, I do not blindly support those with flaws that people try to hide or ignore. In this case, even though I put HTML5 on the butcher's table, let me make this clear: it doesn't prove that Flash or Silverlight is perfect. I can put them both on the dining table with equal problems.