It all started in 1991, when HTTP and HTML came into the picture and browsers began to evolve. From then on, new sets of technologies were gradually added to the browser as requirements grew. With the introduction of HTML5 this has jumped to the next level. Here is a quick timeline of these technologies.
Figure 1 - HTML5 Evolution
As technologies evolve they bring new features and new threats with them. These technologies make the browser far more complex and, at the same time, open up attack surface for attackers and their attack agents.
a.) HTTP and HTML were very static to start with; there was no need for dynamic manipulation within the browser. At some point server-side technologies moved beyond plain CGI and started to offer richer features. It was then that one of the biggest limitations of the HTTP protocol was felt: the connection carries no state. Hence the cookie came into existence and new complexity was added to the browser. From that point on the browser started to become an attack point, since it now held “confidential” information.
h.) Finally, HTML5 started to kick in. Powerful specifications such as Canvas, Web Fonts, WebGL, Storage, WebSQL and Web Workers came up and are still evolving. HTML5 turned out to be a group of specifications taking the browser to the next level. Browser-based applications evolved into powerful single-DOM, single-page applications, which is a major change we are getting into. This platform is not restricted to the desktop but extends to mobile as well. All of this brings next-generation threats and new techniques for existing vectors. As shown in the chart above, a group of new technologies was baked into the browser around 2012, and the security aspects need greater attention. To analyze and understand the overall security picture we need to scope out the threat model and threat vectors clearly; this in turn helps in defining secure coding practices for client-side components.
A browser architecture supporting the HTML5 technology stack would look like the figure below.
Figure 2 - Browser with HTML5 stack
During this evolution many different threats and attack vectors emerged. Here is a simple threat bubble for client-side attack points.
Figure 3 - HTML5 threats and bubble
Other bubbles of attacks are ClickJacking, abuse of functionality and open redirect. These vectors expose end users to threats of different levels. ClickJacking hijacks a user’s click without their knowledge or consent by injecting iframes and similar techniques (the standard defence is for the site to refuse being framed, e.g. with the X-Frame-Options header). Browsers have mechanisms to allow redirects for business logic and smooth site-to-site flow; this feature can be exploited as an open redirect, sending the user from a trusted domain to an attacker-controlled one and compromising the user’s trust. At the same time, applications use the DOM and related functionality extensively, so abuse of browser-side functionality is picked up by attackers and by various toolkits. This is the second layer of attack vectors.
Finally, there are several other small bubbles of threats lingering around browsers, such as Denial of Service (DoS), phishing, and SSL and crypto issues. Each of these again brings a different level of threat and exploitation scenario. These were traditional attack vectors, and as the technology grew more complex this stack of vectors found its way into the browser’s threat model. Both weaknesses in browser specifications and poor programming on the developer’s side lead to widespread exploitation and are a great concern for browser security. The browser has become the most important window onto the Internet, and its security is of utmost importance in an era where banking, trading, social networking and so on simply run on the browser platform. Now, with HTML5, the threats are even more exposed and the mode of evaluation needs to change.