A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation

Philippe De Ryck, Lieven Desmet, Frank Piessens, Wouter Joosen

Abstract

Over the past few years, a significant effort went into the development of a new generation of web standards, centered around the HTML5 specification. Given the importance of the web in our society, it is essential that these new standards are scrutinized for potential security problems. This paper reports on a systematic analysis of ten important, recent specifications with respect to two generic security goals: (1) new web mechanisms should not break the security of existing web applications, and (2) different newly proposed mechanisms should interact with each other gracefully. In total, we found 45 issues, of which 12 are violations of the security goals and 31 issues concern under-specified features. Additionally, we found that 6 out of 11 explicit security considerations have been overlooked/overruled in major browsers, leaving secure specifications vulnerable in the end. All details can be found in an extended version of this paper (De Ryck et al., 2012).

References

  1. Aggarwal, G., Bursztein, E., Jackson, C., and Boneh, D. (2010). An analysis of private browsing modes in modern browsers. In Proc. of 19th Usenix Security Symposium.
  2. Akhawe, D., Barth, A., Lam, P. E., Mitchell, J., and Song, D. (2010). Towards a formal foundation of web security. Computer Security Foundations Symposium, IEEE, 0:290-304.
  3. Barth, A., Jackson, C., and Mitchell, J. C. (2008). Securing frame communication in browsers. In Proceedings of the 17th USENIX Security Symposium (USENIX Security 2008).
  4. De Ryck, P., Decat, M., Desmet, L., Piessens, F., and Joosen, W. (2011a). Security of web mashups: a survey. In 15th Nordic Conference in Secure IT Systems (NordSec 2010).
  5. De Ryck, P., Desmet, L., Joosen, W., and Piessens, F. (2011b). Automatic and precise client-side protection against CSRF attacks. Computer Security-ESORICS 2011, pages 100-116.
  6. De Ryck, P., Desmet, L., Philippaerts, P., and Piessens, F. (2011c). A security analysis of next generation web standards. Technical report, European Network and Information Security Agency (ENISA).
  7. De Ryck, P., Desmet, L., Piessens, F., and Joosen, W. (2012). A security analysis of emerging web standards - extended version. Technical Report CW 622, Department of Computer Science, K.U.Leuven, Leuven, Belgium.
  8. Doty, N., Mulligan, D. K., and Wilde, E. (2010). Privacy issues of the W3C Geolocation API.
  9. Heiderich, M. (2011). HTML5 security cheatsheet. http://code.google.com/p/html5security/.
  10. Law, E. (2010). Combating clickjacking with x-frameoptions. http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frameoptions.aspx.
  11. Magazinius, J., Phung, P., and Sands, D. (2010). Safe wrappers and sane policies for self protecting javascript. In 15th Nordic Conference on Secure IT Systems.
  12. Meyerovich, L. and Livshits, B. (2010). Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 481-496.
  13. Miller, M. S., Samuel, M., Laurie, B., Awad, I., and Stay, M. (2008). Caja: Safe active content in sanitized javascript. http://google-caja.googlecode.com/files/cajaspec-2008-01-15.pdf.
  14. Phung, P. H., Sands, D., and Chudnov, A. (2009). Lightweight self-protecting javascript. In Proc. of the 4th International Symposium on Information, Computer, and Communications Security, pages 47-60.
  15. Rydstedt, G., Bursztein, E., Boneh, D., and Jackson, C. (2010). Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010).
  16. Sterne, B. and Barth, A. (2011). Content security policy. http://www.w3.org/TR/CSP/.
  17. Su, Z. and Wassermann, G. (2006). The essence of command injection attacks in web applications. In ACM SIGPLAN Notices, volume 41, pages 372-382. ACM.
  18. Ter Louw, M., Ganesh, K. T., and Venkatakrishnan, V. N. (2010). Adjail: Practical enforcement of confidentiality and integrity policies on web advertisements. In 19th USENIX Security Symposium.
  19. Van Acker, S., De Ryck, P., Desmet, L., Piessens, F., and Joosen, W. (2011). Webjail: Least-privilege integration of third-party components in web mashups. In Proceedings of the 27th Annual Computer Security Applications Conference, pages 307-316. ACM.
  20. Zalewski, M. (2011). Postcards from the post-xss world. http://lcamtuf.coredump.cx/postxss/.
  21. Zeller, W. and Felten, E. W. (2008). Cross-site request forgeries: Exploitation and prevention. Technical report, Princeton University.


Paper Citation


in Harvard Style

De Ryck P., Desmet L., Piessens F. and Joosen W. (2012). A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 257-262. DOI: 10.5220/0004049502570262


in Bibtex Style

@conference{secrypt12,
author={Philippe De Ryck and Lieven Desmet and Frank Piessens and Wouter Joosen},
title={A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={257-262},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004049502570262},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation
SN - 978-989-8565-24-2
AU - De Ryck P.
AU - Desmet L.
AU - Piessens F.
AU - Joosen W.
PY - 2012
SP - 257
EP - 262
DO - 10.5220/0004049502570262