Is MathML Dangerous?

Christopher Späth

In: Langweg, H., Meier, M., Witt, B. C. & Reinhardt, D. (Eds.), SICHERHEIT 2018. Bonn: Gesellschaft für Informatik e.V.


Abstract

HTML5 forms the basis for modern web development and merges different standards. One of these standards is MathML, which is used to express and display mathematical statements. However, with more standards being natively integrated into HTML5, the processing model gets inherently more complex. In this paper, we evaluate the security risks of MathML. We created a semi-automatic test suite and studied JavaScript code execution and XML processing in MathML. We also took the Content-Type handling of major browsers into account. We discovered a novel way to manipulate the browser’s status line without JavaScript and found two novel ways to execute JavaScript code, which allowed us to bypass several sanitizers. The fact that JavaScript code embedded in MathML can access session cookies makes matters even worse.
