• Adonis Fung
  • Information Security Engineer (Paranoid) Yahoo
  • Twitter

Dr. Adonis Fung is a security paranoid at Yahoo. His focus includes web application scanning, reviews, and secure application development. He also lectures a popular Web Programming and Security course at the Chinese University of Hong Kong. Adonis enjoyed doing security research during his PhD, and once discovered vulnerabilities in online banking systems for fun and profit.

Session

  • A Novel Solution to Automatically Resolve HTML Compatibility Issues
  • Time: 11:15am - 12:00pm | Room: CJM Classroom
We are all thrilled to welcome the exciting new HTML5 features for modern web application development. Nevertheless, HTML5 does not guarantee a seamless migration, which makes the transition to the new standard non-trivial. For instance, HTML5 lowered the precedence of HTML comments compared to HTML4. As a result, developers cannot blindly upgrade an existing HTML4 document by changing only its doctype. On the other hand, while meeting the HTML5 standard for new applications, developers cannot neglect legacy browsers that do not understand HTML5 yet remain substantially popular.

If these issues are not handled properly, a document that is "misinterpreted" by browsers produces different DOM trees, which breaks not only the visual presentation but also business logic and even security. The traditional validator (or lint) approach can warn about some parsing discrepancies between HTML4 and HTML5. However, fixing them manually remains non-scalable and error-prone for developers, let alone the other compatibility issues arising from typos and browser quirks.

We present a novel canonicalisation approach that automatically corrects these compatibility issues, in which the corrections are decided in favour of security and the parsing rules of HTML5. We have built and open-sourced a developer-friendly utility [1]. The rewritten HTML is compliant with HTML5 and is parsed consistently across popular browsers. This significantly relieves developers' burden by guaranteeing consistent HTML parsing and a single resulting DOM tree for display and JavaScript logic to work on.

The importance of this work is also justified by its use in the Safe JavaScript Templating framework to defend against Cross-Site Scripting (XSS) [2]. This framework performs HTML contextual analysis and applies context-sensitive output escaping filters accordingly. In particular, the HTML analysis must first clean up the compatibility issues with the canonicalisation process; without it, an XSS vulnerability could result. This is because an output escaping filter is rendered ineffective if it is applied at a position where the HTML output context is ambiguous between different browsers and the analyser: the filter escapes for the context the analyser sees, while a browser may place the same output in a different, more dangerous context.

In this talk, we will cover the identified compatibility issues arising from different HTML versions and browser parsers. No automated solution exists for them, and fixing them manually does not scale. We propose a canonicalisation process that rewrites HTML so that it is parsed consistently across popular browsers, thus preserving the presentation, business logic, and security of web applications. We will show how to use the automated utility, and how the issues are resolved automatically, gracefully, and securely. We also present a proven use case in Safe JS Templating, in which canonicalisation is crucial in defending against XSS attacks. The automated solution helps not only developers address compatibility issues, but also the community in embracing HTML5 more aggressively.

References:
[1] Context Parser
[2] Safe JavaScript Templating

Note: This work has a second author, Nera Liu (neraliu@yahoo-inc.com), also from Yahoo Paranoids.
