One of the main threats facing HTML applications, whether
desktop or web, is that of injection attacks that result in malicious
code execution, such as cross site scripting (XSS). Code is usually
injected via a few common vectors such as URL handling (
javascript:
and
other dangerous schemes),
eval()
and assigning
external HTML content to DOM elements such as
innerHTML
and
outerHTML
.
Malicious code can also be injected into a trustworthy service (such
as Google Maps) if the loading operations happen over HTTP.
These vulnerabilities are exposed when a developer assumes that
the application is consuming harmless content when in fact it contains
malicious code. As an example, an HTML-based AIR application that
extracts comments from an online blog and displays them might allow
users to write comments such as the following:
<a href="#" onclick="var f=new air.File('c:\\something.txt'); f.deleteFile();">I'm cool!</a>
If the user clicks the link, files could be deleted. The damage
could be much worse and security vulnerabilities are common in browser-based
HTML and Ajax applications.
The assumption that damage from malicious content loaded via
JavaScript Object Notation (JSON) can be limited by existing domain
sandbox restrictions is incorrect. All data within even a granular
DOM sandbox boundary such as a
frame
or
iframe
operates
in that sandbox regardless of its origin. Even the most granular
frame-defined DOM sandbox boundary can only function successfully
if the content is placed in a different origin domain. Moreover,
common design and implementation patterns encourage the use of these
dangerous practices.
For traditional Ajax applications, this has been acceptable,
since applications that run within the browser are sandboxed. Isolated
from the user’s computer and bound by a same origin policy, browser
applications have a unique symmetry.
Rich internet applications, which have access to feature-rich
APIs, present unique challenges. Even a simple application, if poorly
coded, could contain an injection flaw resulting in a severe compromise
of the user’s machine. For any RIA platform, the damage potential
from a malicious attack is directly proportional to the value its
runtime provides. The more powerful and feature-rich are the APIs
in an RIA platform, the greater the risk.
