The Dangers of HTML5

2013-05-07 06:20:58 by KatMaestro

The reason I decided to write this post is that I have encountered too many flawed HTML5 games and demos, and one of them just blew me sky high today, right on Newgrounds. I just want to help, that's it. If this post is too technical for you, please PM me for more explanation.

[I] Introduction

HTML5 is the 5th version of the standard markup language HTML. The abbreviation stands for Hyper Text Markup Language. HTML is the core language of every webpage that builds the content of the World Wide Web. HTML5 not only supports a newer DOM (Document Object Model) but also dynamic media functions and CSS3.

However, everything has two sides, bright and dark, and the same goes for HTML5. Its flaws and vulnerabilities can cause major headaches for its users, or disastrous problems.

[II] Flaw & Vulnerability

Because of HTML5's new properties, most of the older HTML functions have also changed. This creates many new problems. As software devs used to tell each other, "adding new code is creating new bugs"; unfortunately, this is unavoidable. The only thing we can do is temporarily prevent the flaws from biting our asses one more time.

localStorage Loop - Basically, the localStorage function requests the user's browser to store given info from an HTML5 app into cookies. In Firefox, this is filtered if the cookies are poisonous; however, others, and especially IE, will perform the storage automatically. This flaw is very serious, but not serious enough to be called a vulnerability.
Bane: Instead of creating healthy storage, the attacker pumps the cookies full of rubbish by looping the storing calls to infinity until the system crashes. Demo. Exploit.
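As an added example (not part of the original post), here is a bounded wrapper that an HTML5 game can put in front of window.localStorage so that a buggy or runaway write loop is refused by the app's own code long before the browser's per-origin quota is reached. The MemoryStorage stand-in, the limits and the "junk" keys are constructed so the code runs outside a browser.

```javascript
// Added example (not from the original post). BoundedStorage wraps any
// Storage-like object (window.localStorage in a browser) and caps the number
// of keys, the size of one value and the total bytes held, so a game that
// loops on setItem() is stopped by its own code instead of by a quota error.
// MemoryStorage is a constructed stand-in with the Storage methods used here.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { const keys = Array.from(this.map.keys()); return i < keys.length ? keys[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class BoundedStorage {
  // Limits are constructed defaults; a real game sizes them for its own save data.
  constructor(backend, { maxKeys = 50, maxValueBytes = 4096, maxTotalBytes = 65536 } = {}) {
    this.backend = backend;
    this.limits = { maxKeys, maxValueBytes, maxTotalBytes };
    this.rejected = 0; // refused writes; a burst of these signals a bug or abuse
  }

  // Approximate footprint: UTF-16 code units of every stored key and value.
  usedBytes() {
    let total = 0;
    for (let i = 0; i < this.backend.length; i++) {
      const k = this.backend.key(i);
      total += k.length + (this.backend.getItem(k) || '').length;
    }
    return total;
  }

  // Returns true when stored, false when refused. Never throws.
  setItem(key, value) {
    const k = String(key), v = String(value);
    const existing = this.backend.getItem(k);
    const isNew = existing === null;
    if (v.length > this.limits.maxValueBytes) return this.reject();
    if (isNew && this.backend.length >= this.limits.maxKeys) return this.reject();
    const delta = (isNew ? k.length : 0) + v.length - (isNew ? 0 : existing.length);
    if (this.usedBytes() + delta > this.limits.maxTotalBytes) return this.reject();
    try {
      this.backend.setItem(k, v);
    } catch (e) {
      // Browsers throw a DOMException (usually named QuotaExceededError) when the
      // per-origin quota is full; treat that as a refused write, not a crash.
      return this.reject();
    }
    return true;
  }

  getItem(key) { return this.backend.getItem(String(key)); }
  reject() { this.rejected += 1; return false; }
}

// A writer that would loop forever on raw localStorage; here it stops at the
// first refusal and reports how many writes got through.
function runawayWriter(storage, chunk, maxIterations = 1000000) {
  let i = 0;
  while (i < maxIterations && storage.setItem('junk' + i, chunk)) i++;
  return i;
}
```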

Tag - Recently I had some super headaches with the audio tag in HTML5, because Firefox has problems with it. But that's not everything. The more I dive deep into this awesome language, the more shit I hit. No really, I found out more than half of HTML5 tags can do superhuman things that they are not supposed to do.
Bane: Most flaws are quite harmless, but missing tags (eg. an ending tag) or misuse in code can create catastrophic vulnerabilities such as classic Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF). With these two vulns, I can steal anyone's credentials.
// Take Newgrounds: I upload a small malicious HTML5 game here that contains a worm that collects user cookies whenever someone clicks my little game. Of course, that's not the end of it. Say NG adds a medal system for HTML5 games. Now my little script can crawl transmitted info from users every time they 'win' a medal. I notice NG doesn't have HTTPS/TLS, which means most info is transmitted unencrypted. Now I can steal users' sessions and gain access to their accounts. This is not a theory, because I did the same on other Flash/Java content sites. Why not HTML5?

Client-side SQL Injection - SQL injection, or SQLi, is the black hole of web application security. Structured Query Language (SQL) is the main component websites use to perform data storage. If the web dev misuses or misses the closing bit of SQL code, the attacker can then inject malicious code to request, modify, add or delete server data. A more skilled attacker would take control of the server using just SQL injection.
Bane: Take NG: since HTTPS/TLS is missing, now the shit hits the fan. Here comes the malicious HTML5 game with medals again; instead of an XSS worm, we use an autonomous JavaScript SQL injector. We then 'medalninja' the server, instead of the user, to request SQL info, then load the SQL info onto our server, and from there we move on to a better attack phase.

localStorage Command Injection - This is a new concept actually, and I am working hard on this attack vector. I found the problem, but I am still struggling with a fully working exploit. Since we all know localStorage's capability (first flaw), we can then turn a knife into a sword. Command injection is a variant of code injection (SQLi is one form). The attacker injects commands into the user/server system, depending on which OS they are using. By this, the attacker can gain info or even full access to the victim's system.
Bane: Oh! The game & medals again! This time we will target users. We add a script that controls all the code to be injected into either Mac, Win, Linux or BSD systems. Now instead of requesting the user's data to be stored, we request pseudo code for storage that contains a command to confirm the successful injection. If it works, the script then automatically requests system information. Most people would argue that some newer Win versions, and Linux in general, cannot run commands without permission. This is quite wrong. Because writing data into the system automatically gains permission for a 3rd party application to do so, making read & write permits. Then reusing the stored data next time gains an execute permit. Then why can't command injection do so?

Web Application Botnet - Web app botnets aren't new. In fact, hackers have been using this trick to mine Bitcoin illegally. However, HTML5 makes the whole botnet thing much easier to do. Why? Because of the autonomous read, write & execute permission. The localStorage flaw is strong evidence.
Bane: The game & medal will play one last important role in our security opera. We add an XSS worm, similar to the first flaw. But instead of just stealing creds, we control the users' browsers in real time. We can then inject junk into the user's browsing data, inject malware into the user's system for permanent control (r, w & e of localStorage), phish the user or redirect the user to a targeted site to create a denial-of-service. The possibilities are endless, and fun!

[III] Prevention

Close all the tags! Lulz. Well, I mean check your code before you release. Debug it again and again, then let a hacker do the testing work. Or learn how to hack, by yourself.
List of debugging & testing tools:
- Firefox or Chrome :: Not only do they support powerful addons that are important for debugging, but they have a sandbox.
- Firebug :: The best debugging tool for web apps
- DOM Inspector :: DOM debugger, built into Firebug
- JavaScript Debugger :: JS debugger
- Greasemonkey :: run custom scripts
- User Agent Switcher :: The name says it all
- Tamper Data :: debugging and attack tool
- JavaScript Deobfuscator :: de-obfuscate JS
- FireQuery :: jQuery debugger
- FireRainbow :: JS syntax highlighting
- Validator :: General HTML validation

List of resources for security heat_Sheet

[IV] Reminder

Open your eyes & mind wide, stay silent, and listen. You will see more things happening around you. Also, ask more questions.

Good day.

After-note: I'll make this part short. Although I am a strong supporter of open software projects, I do not blindly support those with flaws that people try to hide or ignore. In this case, even though I put HTML5 on the butcher's table, let me make it clear that this doesn't prove Flash or Silverlight is perfect. I can put them both on the dining table with equal problems.




2013-05-07 06:36:44

I think no one will read your long ass post, Vahteri :/

Also, ur post yesterday on the Audio forum was awesome.

(Updated) KatMaestro responds:

Dude, I was banned today lol. After some unfair accusation made by the-great-mod.

I made this post for information and help, not to seek random attention. I stumbled upon a very bad game yesterday. Bad, not because of the content (in fact the game was quite fun to play) but because of its functions and security. I launched Firebug and did some debugging, and the amount of bugs and flaws shocked me so much. Memory management is shit. The app's runtime is shit. Best part, buffer overflow is there too!

Lulz, the dude whose game I commented on deleted my comment. I'm gonna try to exploit his ass out. Har har har!


2013-05-07 06:58:30

Well, this was interesting to read. Seems most of the problems are related to medals though, which makes me wonder, are there any medal games in HTML5? I've played a lot of medal games but I don't believe I've ever stumbled upon one with medals, maybe that's an intentional move to prevent exploits.

I'm more interested in Flash though, how insecure is it? How easy is it to include potentially harmful content within a Flash file? I remember back in 2003 there were malicious entries in the portal that stole user account information (including my own) and caused a bit of havoc, but since then I don't think there have been any issues. Is there any kind of security within Flash working to prevent malicious code from running?

KatMaestro responds:

I think the HTML5 game medals haven't been implemented yet. It might be on Tom Fulp's to-do list since HTML5 is still invite-only. Personally I think preventing the medal system won't slow down attackers from exploiting a system. I don't want to make a bet, but I would say the NG system is fairly secure, at least on the server side, based on my general observation. However, I haven't performed a legal security pentest yet, so I can't be so sure. User side, not really. No HTTPS/TLS, which means 2 out of 5 vulns above work. Flash and HTML5 are mainly user side, so the medal cred stealing trick works. I'm thinking of performing a test attack, with permission from the admins.

HTML5 code cannot be obfuscated (only the JS section can). No encryption. No compression. Flash has all these. At least you can stop attackers from reading the code.

Flash is quite secure, I hate to admit :/. The number of serious vulnerabilities is quite controllable. Though, I think XSS is probably the biggest problem with Flash. As mentioned above, XSS is mainly user side, so all the havoc is wreaked on the user. Stealing creds/sessions, cookie poisoning, zombies, slave bitcoin mining, command injection; XSS does it all. Also, a scarier trick that hackers are using is Flash-wrapped malware. Basically a harmless Flash app/game that contains malicious code to inject into your system. It activates whenever you click or interact. Antivirus cannot detect it.

The 2003 incident is a good example. It's not like people can't do it now. It's more like no bad guys on here have thought about it. I believe there are some dicks who are running some malicious Flash around here, although it is hidden. Adobe did patch a lot of things, but a lot more dangerous stuff has been spat out lately. Just keep your Flash Player up to date and you are fine, at least for now. The insecure elements are still out there, an open door for anyone to try out...

I am thinking of running a small testing operation on several large Flash sites, including NG. Just for the sake of security. Better safe than sorry.


2013-05-07 11:37:01

Good to know. It'll be interesting to hear if the admins let you test attacks on the system.

Completely unrelated, I've been thinking about the lack of security on the login system for a long time. It doesn't seem there's anything to block brute-force attacks: no login limitation, no captcha on multiple attempts, and if a user gets access to an account they can do pretty much anything without needing to confirm they are who they are, even change the email address without confirming the change through the old email. Much better now that they removed the limit on password characters though..

KatMaestro responds:

The login locks after 4-5 attempts, on my try. But I doubt most people use strong passwords, so 4-5 attempts are good enough. The login's HTTPS is quite useless since it returns to HTTP after login and stays that way for the rest, except the store has HTTPS, which is very good.

NG's security system, to be honest, is worse than DeviantArt's. DA actually now implements 2-step verification whenever people log in from another place. Even so, DA isn't free from mass hacks. A friend of mine ran a 2-day op stealing over 500 accounts on DA just by uploading malicious Flash movies. If it worked on DA, why not NG?

Most of the effective attacks will be done without directly using the user's password, just because some dev wrote bad Flash or HTML5, opening doors for bad guys. 90% of the gonna-be attacks on NG are going to be non-login. And typical script kiddies can't do this (DuckDIvision, ur social eng isn't gonna work!).

We then have a pseudo-but-working security system called: Blam & Save! Most users would find out either that the malicious game/movie is boring or bad, and then blam it out of sight. Some would discover something isn't right and report to the mods, and the submission gets deleted. I hope this would work, as long as we have responsible people around here.


2013-05-07 14:58:26

Lol, nothing special.. Just some infinite loop that crashes the browser, SQL injections and obsolete CPU bitcoin farming.. It's nice to know these things because I am doing some HTML5 game/Chrome plugin myself...

On that note, trust me, you don't want to have any Chrome plugins or toolbars installed..
Chrome plugins can insert and replace ads (which is actually legal, only AdSense is not allowed), do bitcoin mining, lag your CPU to death, insert any JavaScript into any page (even HTTPS), I could continue forever..

KatMaestro responds:

Not special but all working lethally. On that note, Command Injection can be combined with SQLi to hack the server system.

The localStorage loop trick won't just crash the browser, but the whole system. HTML5 does help with drive-by attacks, which is why I posted this. I am working hard on an exploit for this vector. A drive-by attack is no-touch. Sometimes users don't even need to click; they just visit the HTML5 app page and they are done. My boss used to tell me to think like a Russian hacker. The Slavs hack with autonomous tools mostly, e.g. drive-by. Most of the vulns above are used by Slav bros.

The Chrome/Firefox plugin is a different field actually. Similar devastating effects, but it only attacks the user side, which only works when the user allows the malware to run. I'll look into this, considering it can help me mine bitcoin, along with HTML5/Flash... (evil look!)

How's your bitcoin miner coming?


2013-05-08 02:38:33

Hmm, true, if the Blam/Save system works out, that is a layer of security most other communities don't have. Also the splash screen before playing a movie, which means you could get rid of anything suspect without even exposing yourself to exponential harm. How can a Flash steal login information though? I mean, isn't that all stored on the server side?

(Updated) KatMaestro responds:

There are 3 ways a malicious Flash or HTML5 'game' can gain a user's login.

- The most basic way is phishing: make a fake app, ask for the user's login & password, direct the information to some hidden server, then wait for some dumb user to enter their info.

- The 2nd way is Man-in-the-Middle: make an app that is hidden as an info-sniffing program. Make the user click or type in something. Then it sniffs the user's data transmitted between client and server, and sends the user's credentials to the attacker.

- The 3rd way is No-touch-login, XSS, or what I spoke of in the post. Now to understand this step, like you asked about the server-side question, I need to explain a bit more.
EDIT: XSS is also a form of man-in-the-middle.

:: Session :: As you log in to NG (for example), you check 'remember me'. Why? You want the site to remember you so next time it logs you in automatically. This is a session. Most sessions last as long as your browser is open once. A login session lasts as long as requested by either server or client. How? All your login info is stored in encrypted form inside a cookie.

:: Cookie :: A hidden file that stores all your creds, characteristics and personal info every time you visit a site, so that next time you revisit the same site, that info can be brought out and rematched to your characteristics.

:: No-touch-login :: It's my own term. It's for an attack vector where an attacker can gain access to a user account without actually logging into the victim's account.

:: XSS :: Cross site scripting is a form of no-touch-login. It is exploited by injecting malicious JS into a website (server side), but performed in a browser (client side), therefore it's a client-side attack.

How does it all work together? Using XSS, the attacker can 'hijack' the victim's cookies during their transmission, without the need to decrypt the cookie's info. Because a user session is stored in the cookie(s), the attacker can then 'reuse' the session and indirectly 'login' to the victim's account.

One way to prevent this is to encrypt the web traffic with HTTPS, SSL and/or TLS. Why I'm so sure about this attack on NG is because there are none of these security measures during Flash or HTML5 gameplay on here.

Should I tell the admins? I'm not sure if they know this already.
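As an added example (not from the post or anyone in the thread), the reply above describes a session cookie being copied in transit or by injected script and then replayed. Two server-side cookie attributes address exactly those two paths: Secure keeps the cookie off plain-HTTP pages, and HttpOnly keeps it out of document.cookie so script injected by XSS cannot read it. The code builds a hardened Set-Cookie header and audits existing ones; the cookie names, values and the sample response are constructed.

```javascript
// Added example, not code from the post. buildSessionCookie emits a Set-Cookie
// value carrying the two attributes that close the leak paths discussed above;
// auditSetCookie flags headers that lack them. All names and values are made up.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, path = '/' } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  // A value containing these characters could smuggle in extra cookie attributes.
  if (/[\s;,="]/.test(value)) throw new Error('unsafe cookie value');
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`,
    `Path=${path}`,
    'Secure',   // browser sends it over HTTPS only, never on a plain-HTTP game page
    'HttpOnly', // not exposed to JavaScript, so injected script cannot copy it
  ].join('; ');
}

// Audits one Set-Cookie header value and returns the problems found;
// an empty list means both hardening attributes are present.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase()));
  const problems = [];
  if (!attrs.has('secure')) problems.push('missing Secure: cookie also travels over plain HTTP');
  if (!attrs.has('httponly')) problems.push('missing HttpOnly: readable by injected script');
  return problems;
}

// Audits every Set-Cookie header captured from one HTTP response.
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders.map((h) => ({
    cookie: h.split('=')[0].trim(),
    problems: auditSetCookie(h),
  }));
}

// Constructed sample in the shape the thread describes: a login cookie set with
// both attributes, and a session cookie reused on HTTP game pages with neither.
const SAMPLE_RESPONSE_COOKIES = [
  'login_token=tok_example; Max-Age=1209600; Path=/; Secure; HttpOnly',
  'session=sess_example; Path=/',
];
```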


2013-05-08 10:31:26

Thanks for taking the time to post this, very informative. I don't research those things myself (not enough time..), so it's great that someone like you shares knowledge. :)

I also think you should forward it to Tom or to one of the other admins. They may already know all of this, but you mention a lot of security issues which NG currently has.

KatMaestro responds:

Yeah, I'm thinking of telling them about this. I'm preparing a demo or some sort of proof-of-concept. Like you said, they may already know this.


2013-05-10 15:25:55

Thanks for that detailed explanation! Since cookies are saved whether you wish to be remembered or not, I guess that doesn't make much of a difference. Would the browser allow any Flash file to access your cookies though? Is there no built-in security for this, no confirmation dialog?

Yeah, you should definitely let the admins know; if they do know, there's no harm done anyway.

KatMaestro responds:

Sorry that it took me so long to reply here; for some reason my feed didn't show replies for a while.

For most cases (as I tested), Firefox and Chrome will freely allow 3rd party apps (Flash/Java/HTML5) to access, intercept or modify session cookies, if they want to. No notification because this is not local storage, since most session cookies are stored temporarily. However, you can use BetterPrivacy or Adblock Plus to stop this.


2013-05-13 16:05:47

I miss Flash sites so much... I miss Flash intros...
I miss when I could decompile someone's work and see what Flash version they were using, the fps and so on, then see how they made it.
Good times.

Now you have to be advanced in HTML5 & CSS, otherwise you're worth shit.
I just think Flash hit the web too early. HTML5 has a very, very, very long way to go; if Adventure Quest switches to HTML5 I will throw a chair.

KatMaestro responds:

For sure, Flash isn't going to be replaced by HTML5 any time soon. No matter how we talk, Flash is surely more secure than our 'savior' HTML5. Sure, HTML5 + CSS3 is more powerful, but their workflow isn't easier than Flash's.

HTML5 is gonna take at least 7 to 10 years to completely replace Flash or Silverlight.


2013-05-13 16:49:44

oh and your website's cpu limit

KatMaestro responds:

Shit, thanks for reminding me, I just removed a bitcoin miner and forgot to also remove the filtering.


2013-05-21 17:32:08

Just read your recent interview, thanks for the appreciation! :)

KatMaestro responds:

You are welcome.


2013-05-24 13:10:13

I think people just don't like the right click menu on flash

KatMaestro responds:

lol, a lot of people are too picky.


2013-05-24 16:34:56

I actually found this

KatMaestro responds:

That's awesome. Thanks for sharing.


2013-06-20 21:23:53

A great read my friend.

As always, thank you for doing Newgrounds a service with your news post.

KatMaestro responds:

no problem, glad you are back