A Security Analysis of Emerging Web Standards - HTML5 and Friends, from Specification to Implementation

Over the past few years, a significant effort went into the development of a new generation of web standards, centered around the HTML5 specification. Given the importance of the web in our society, it is essential that these new standards are scrutinized for potential security problems. This paper reports on a systematic analysis of ten important, recent specifications with respect to two generic security goals: (1) new web mechanisms should not break the security of existing web applications, and (2) different newly proposed mechanisms should interact with each other gracefully. In total, we found 45 issues, of which 12 are violations of the security goals and 31 issues concern under-specified features. Additionally, we found that 6 out of 11 explicit security considerations have been overlooked/overruled in major browsers, leaving secure specifications vulnerable in the end. All details can be found in an extended version of this paper (De Ryck et al., 2012).

[1] V. N. Venkatakrishnan, et al. AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements, 2010, USENIX Security Symposium.

[2] Collin Jackson, et al. Securing frame communication in browsers, 2008, CACM.

[3] Dan Boneh, et al. Busting frame busting: a study of clickjacking vulnerabilities on popular sites, 2010.

[4] Dawn Xiaodong Song, et al. Towards a Formal Foundation of Web Security, 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[5] Deirdre K. Mulligan, et al. Privacy Issues of the W3C Geolocation API, 2010, ArXiv.

[6] Frank Piessens, et al. A security analysis of next generation web standards, 2011.

[7] Wouter Joosen, et al. Automatic and Precise Client-Side Protection against CSRF Attacks, 2011, ESORICS.

[8] Wouter Joosen, et al. A security analysis of emerging web standards - Extended version, 2012.

[9] Zhendong Su, et al. The essence of command injection attacks in web applications, 2006, POPL '06.

[10] E. Felten, et al. Cross-Site Request Forgeries: Exploitation and Prevention, 2008.

[11] Benjamin Livshits, et al. ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser, 2010, 2010 IEEE Symposium on Security and Privacy.

[12] Dan Boneh, et al. An Analysis of Private Browsing Modes in Modern Browsers, 2010, USENIX Security Symposium.

[13] David Sands, et al. Safe Wrappers and Sane Policies for Self Protecting JavaScript, 2010, NordSec.

[14] Wouter Joosen, et al. Security of Web Mashups: A Survey, 2010, NordSec.

[15] David Sands, et al. Lightweight self-protecting JavaScript, 2009, ASIACCS '09.

[16] Wouter Joosen, et al. WebJail: least-privilege integration of third-party components in web mashups, 2011, ACSAC '11.