HTML5 security risk details 4: Web Worker attacks

Source: Internet
Author: User


I. Introduction to WebWorker

Because JavaScript runs in a single thread, the browser cannot execute any other JavaScript while a script is running, and the UI rendering thread is suspended as well, so the browser appears frozen. A WebWorker moves the computation into a new thread and avoids this situation. In this way, multiple JS tasks can run at the same time without blocking the browser, which suits asynchronous interaction and large-scale computation, both of which were hard to achieve in the past.

The following illustration shows the role of a WebWorker: to fry an egg pancake without a WebWorker, we must first mix the flour, then beat the eggs, and finally fry the pancake; with a WebWorker, the eggs can be beaten while the flour is being mixed, both finish at the same time, and only then is the pancake fried, which greatly shortens the waiting time.

However, such a good feature also introduces the possibility of attacks.

II. WebWorker attacks

1. Botnet

Attacks include DDoS attacks and spam. Once a user visits a malicious page or website, the page's malicious code can treat the user's browser as a zombie and use WebWorker to carry out large-scale multi-threaded attacks, for example DDoS, spam sending, or network sniffing.

DDoS attack (distributed denial of service attack)

2. Problems Caused by postMessage

A WebWorker cannot access the DOM and can only communicate with the main thread through the postMessage API. postMessage was introduced in HTML5 to solve cross-origin and cross-thread data exchange. However, if a message handler accepts data from any source, the page can be attacked. In addition, postMessage data never passes through the server, so if it is not verified or filtered it can become an XSS injection point. For example, the following code neither verifies nor sanitizes the received data; an attacker can construct malicious data to inject into the page DOM and mount an XSS attack, such as "> <script> </script>.


    worker.addEventListener('message', function (e) {
        // e.data is written into the page as HTML without any check on its source or content
        document.getElementById('result').innerHTML = e.data;
    }, false);


III. Attack tools

Ravan is a JavaScript distributed computing system. It uses HTML5 Web Workers to run multi-threaded JavaScript in the background and carry out brute-force attacks.

 

IV. Prevention

1. Do not access insecure websites.

2. When using postMessage, verify that the message source is trusted. In addition, do not use innerHTML: modern browsers provide the textContent property, which inserts the data as plain text instead of parsing it as HTML, or you can write your own filtering logic and functions.
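The two prevention measures above, as an added example that is not code from the original article: a main-thread message handler that checks the sender origin against an allowlist, validates the payload shape, and writes the result with textContent. The element is modelled by a plain object so the logic also runs outside a browser; the allowed origin and the { result: string } payload shape are assumptions.

```javascript
// Added example, not code from the original article: a main-thread message
// handler that verifies the sender and renders the result as plain text.
// The DOM element is modelled by a plain object so the logic runs in Node too.

// Assumption: only this origin is allowed to post results to the page.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// The pattern the article warns about: any sender, any payload, written as HTML.
function handleMessageUnsafe(event, resultNode) {
  resultNode.innerHTML = event.data; // markup inside event.data is parsed by the browser
  return true;
}

// Hardened handler: check origin, check payload shape, write with textContent.
// Returns true when the message was accepted and rendered, false when dropped.
function handleMessageSafe(event, resultNode) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return false; // unknown or missing origin: ignore the message
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.result !== "string") {
    return false; // assumed payload shape is { result: string }
  }
  resultNode.textContent = data.result; // stored as text, never parsed as HTML
  return true;
}

// Minimal stand-in for document.getElementById('result') outside a browser.
function makeResultNode() {
  return { innerHTML: "", textContent: "" };
}

// In a browser, listen for cross-document messages with the hardened handler.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", function (e) {
    handleMessageSafe(e, document.getElementById("result"));
  }, false);
}
```

For the article's dedicated Worker listener, event.origin is the empty string, so the payload-shape check and the textContent sink are the parts that apply there; the origin allowlist matters for window.postMessage between documents.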
