Logo des Repositoriums
 
Konferenzbeitrag

Is MathML dangerous?

Vorschaubild

Volltext URI

Dokumententyp

Text/Conference Paper

Dateien

sicherheit2018-09.pdf (260.34 KB)

Zusatzinformation

Datum

2018

Autor:innen

Zeitschriftentitel

ISSN der Zeitschrift

Bandtitel

Quelle

SICHERHEIT 2018
Wissenschaftliche Beiträge

Verlag

Gesellschaft für Informatik e.V.

Zusammenfassung

HTML5 forms the basis for modern web development and merges different standards. One of these standards is MathML. It is used to express and display mathematical statements. However, with more standards being natively integrated into HTML5 the processing model gets inherently more complex. In this paper, we evaluate the security risks of MathML. We created a semi-automatic test suite and studied the JavaScript code execution and the XML processing in MathML. We added also the Content-Type handling of major browsers to the picture. We discovered a novel way to manipulate the browser’s status line without JavaScript and found two novel ways to execute JavaScript code, which allowed us to bypass several sanitizers. The fact, that JavaScript code embedded in MathML can access session cookies worsens matters even more.

Beschreibung

Späth, Christopher (2018): Is MathML dangerous?. SICHERHEIT 2018. DOI: 10.18420/sicherheit2018_09. Bonn: Gesellschaft für Informatik e.V.. PISSN: 1617-5468. ISBN: 978-3-88579-675-6. pp. 119-132. Wissenschaftliche Beiträge. Konstanz, Germany. 25.-27. April 2018

Schlagwörter

MathML , Web Security , XSS

Zitierform

DOI

10.18420/sicherheit2018_09

Tags

Sammlungen

P281 - Sicherheit 2018 - Sicherheit, Schutz und Zuverlässigkeit