HTML5, the fifth standard of HTML, released in 2014, is slowly becoming more prevalent across the internet as browsers adopt the new standard and webpages are updated to make use of its new features. HTML is the technology at the basis of the internet and provides the structured content of webpages: text, images (and now, with HTML5, videos too) all appear in the HTML code of a webpage. HTML5 attempts to bridge the gap left by older HTML standards, which failed to natively support multimedia and extensive APIs. Two of these new features are CORS (Cross-Origin Resource Sharing) and Local Storage.
CORS came about because developers felt restricted by the same-origin policy (an essential concept in web application security) and therefore needed a way to work around it. The same-origin policy (SOP) is enforced by web browsers to prevent content originating from one domain from accessing content originating from another. For example, say you have your banking site open in one tab and then open a malicious website in another tab. The same-origin policy prevents that malicious website from making requests from your browser on your behalf (using AJAX calls made from scripts served by the malicious site, which let your browser exchange data with a server without refreshing the page) and impersonating you, which would otherwise allow that malicious website to steal your money.
CORS introduces new ways to share resources between domains that relax SOP restrictions. The rules that CORS uses to permit cross-domain access are established in HTTP headers. One such header is the “Access-Control-Allow-Origin” header, which specifies which origins are allowed to share resources. If this header is set to the “*” (wildcard) value, any origin is allowed to share data. Even when the headers appear to be set securely, validation bypass techniques can be used. For example, to bypass an allowed origin of www.government.com, an attacker could try values such as wwwxgovernment.com, www.government.com.malicious.site, or a null value and see whether they circumvent the restriction by tricking the underlying validation. This means that if you had visited your banking site and a malicious site in another tab, the malicious site could use AJAX requests from your browser to exchange information with your banking account, and you wouldn’t even be able to tell this was going on in the background. Depending on how the other headers are configured, this could let an attacker impersonate you on your bank account and rob you of your hard-earned money, all because developers didn’t implement the CORS protocol securely or validate/sanitize input correctly.
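The origin validation described above, as an added example that is not part of the original post: a weak server-side check (an unanchored regular expression with unescaped dots) that accepts the probe values the text lists, beside an exact-match allowlist that rejects them. The hostnames are placeholders taken from the text, and the header-building helper is a hypothetical function, not a specific framework's API.

```javascript
// Weak check: the regex has no end anchor and its "." characters are unescaped,
// so each "." matches any character and the pattern may match as a prefix.
// "https://wwwxgovernment.com" and "https://www.government.com.malicious.site"
// therefore both pass.
function weakOriginCheck(origin) {
  return /^https:\/\/www.government.com/.test(origin);
}

// Hardened check: exact match of the full origin (scheme + host + port) against
// an allowlist. No prefix, substring or "null" matching is possible.
const ALLOWED_ORIGINS = new Set(['https://www.government.com']);
function strictOriginCheck(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers for a request's Origin value using the
// supplied check. An unrecognised origin gets no CORS headers at all, so the
// browser refuses to expose the response. Credentials are only enabled together
// with a specific reflected origin; browsers reject "*" combined with
// Access-Control-Allow-Credentials: true.
function corsHeaders(origin, check) {
  if (!check(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Keep shared caches from serving one origin's answer to another origin.
    'Vary': 'Origin',
  };
}

// Constructed probe origins modelled on the bypass values in the text.
const PROBES = [
  'https://www.government.com',
  'https://wwwxgovernment.com',
  'https://www.government.com.malicious.site',
  'null',
];

// Compare both checks side by side: only the first probe should ever be allowed.
for (const origin of PROBES) {
  console.log(origin.padEnd(45),
    'weak:', weakOriginCheck(origin), 'strict:', strictOriginCheck(origin));
}
```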
Also, anyone with access to a user’s browser has access to all of its local storage data. For example, if a victim’s browser is hooked with BeEF, all local storage data can simply be extracted. For these reasons it is not recommended that sensitive data be stored in local storage.
Since most web vulnerabilities exist because web developers implemented a site poorly, adding new features means that many lazy developers will inevitably create new attack vectors. This is great news for hackers, but unfortunately bad news for everybody else.