HTML5 security issues

HTML5 has opened many new possibilities for developers. Now you can use web technologies to build full mobile applications, not just web pages. When you are building those application you need to know The Security Risks of HTML5 Development, because HTML5 includes a number of useful features that pose as double-edged swords from a security perspective.

Beware Of HTML5 Development Risks article gives you an introduction what you need to take into account: Local storage, native resource rights, and third-party code all add greater functionality and higher risk to HTML5 applications. Local storage is a big change from HTML of the past. Access to on-device features of smart phone can have huge privacy considerations. JavaScript can now request resources from different domains.

Also Top 10 Security Threats for HTML5 [Black Hat] article tells that HTML5 is vulnerable to stealth attacks and silent exploits according to a security researcher said at the Black Hat security conference. HTML5 faces a number of threats and attacks against the new standard is already on the rise. Attacks against HTML5 are stealthy, and silent and generally target the application’s presentation and the business logic layers.

[W3Conf] Brad Hill: “HTML5 Security Realities” article tells that Script injectiong (or XSS, or “Cross Site Scripting”) is the most common application vulnerability (~ 95% of all web apps). “If someone else’s code gets to run in you’re web app, it’s not your web app anymore.” Check also HTML5 Top 10 Threats Stealth Attacks and Silent Exploits.

HTML5 Security Cheat Sheet page serves as a guide for implementing HTML 5 in a secure fashion. HTML5 Security Cheatsheet project gives also useful security tips. Check also HTML5 Security Realities slide set.

1 Comment

  1. anon says:

    what is interesting and has perhaps been overlooked is that both cloud computing and html5 seem to have evolved on parralel paths. this is perhps no coincidence as both have huge security implcations both as seperate technologies and in combination with each other. take into consideraton that there has been heavy lobying for EME a form of DRM which allows the big boys to extend html5 and bybass the othewrwise open standard, it also means that the ability to inspect code will be thwarted in some cases thus making vulnerabilities harder to find, in addition this renders the “rights!holders, those making use of EME/drm in the html codebase more likely to be open to accusation of being the progenitors of malicious code.


Leave a Comment

Your email address will not be published. Required fields are marked *