Researcher to Talk HTML5 Security at Black Hat

Black Hat 2012

HTML5 brings with it the promise of increased functionality. More functionality, however, as usual comes with a price: an increased attack surface.

At the upcoming Black Hat USA 2012 conference in Las Vegas, Shreeraj Shah, founder of application security vendor Blueinfy Solutions, will discuss the top 10 threats to HTML5 and how developers can combat them.

“HTML5 is becoming the de facto standard now and companies (and) developers are moving towards it consciously or unconsciously,” he told SecurityWeek. “We do see developers excited about HTML5 features like Storage, File APIs, Geolocation, Canvas/3D, WebSQL etc. HTML5 supports cross platform including mobile, which seems to be a critical feature in (the) current context. It is obviously killing Flash and (the) Silverlight stack and in (the) near future we will see migration taking place as well. HTML5 is…going to become a back-bone of Web applications.”

In the online description of his talk, Shah notes that HTML5 is not a single technology but a combination of components such as XMLHttpRequest (XHR) and Cross-Origin Resource Sharing (CORS), as well as technologies such as WebSQL and localStorage that are new to browsers. The downside is that HTML5 also faces a number of threats, ranging from CORJacking to cross-site scripting through HTML5 tags, attributes and events.

“HTML5 has several new features and some of them are lenient from (a) security standpoint,” he said. “For example, XHR allows cross origin calls and it can open up (the) reach of CSRF vectors. DOM specs are also expanded, which opens a surface for DOM-based XSS; Storage/FileSystem/Offline Cache/WebSQL allow sensitive information leakage, and so on. I do see several significant openings from (a) security standpoint and more attacks towards (the) browser. (The) post-XSS exploit scenario will change significantly and (the) client is no longer thin but thick with features and juicy information.”
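
The XHR/CORS point above turns on two decisions that are easy to get wrong, and the following JavaScript is an added example to make them concrete; it is not code from the article, from Shah, or from Blueinfy. The first function encodes which cross-origin requests a browser sends without a preflight, which is why an authenticated "simple" POST reaches the server regardless of its CORS policy. The second pair contrasts a server that reflects any Origin with an allowlisted one. The origins and allowlist are made-up assumptions.

```javascript
// Added example, not from the article. Origins below are made-up.

// CORS "simple request" rules: a cross-origin XHR/fetch matching these is sent
// immediately, with the victim's cookies when credentials are included. The
// server only gets to reject it AFTER it has already processed it, so CSRF
// defences (tokens, SameSite cookies, Origin checks) cannot be outsourced to CORS.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns true when the browser will NOT preflight this request.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false; // e.g. X-Requested-With forces a preflight
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false; // application/json forces a preflight
    }
  }
  return true;
}

// Weak server policy: echo whatever Origin arrives and allow credentials.
// The browser then lets ANY site read the authenticated response body.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: exact-match allowlist, Vary: Origin so a shared cache does
// not hand one origin's answer to another, and no CORS headers for strangers.
function corsHeadersAllowlisted(origin, allowlist) {
  if (!allowlist.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Assumed allowlist for the demonstration.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
```

The practical reading: a form-encoded or text/plain POST from an attacker's page is delivered with the user's session cookies whatever the CORS headers say, so state-changing endpoints still need CSRF tokens or SameSite cookies; and reflecting the Origin header is equivalent to `Access-Control-Allow-Origin: *` with credentials, which browsers deliberately refuse to honour.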

Web messaging can also be used to mount denial-of-service attacks on the browser, he said. There are several new features on the stack, and developers need to be careful about the libraries and native code they are using. Secure coding on the client side, around JavaScript, needs a lot of attention in the next few years before things mature, he added.
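
To show what "careful client-side coding" means for the Web messaging API mentioned above, here is an added JavaScript example, not code from the article, from Shah, or from Blueinfy. A postMessage receiver is modelled as a function that takes an event-like object and a DOM-like object, so it runs outside a browser. The weak version trusts any origin and writes the payload into the page; the hardened version checks the origin exactly, accepts only a structured message, uses a text sink, and rate-limits per origin so a flood from a trusted-but-compromised frame cannot pin the event loop. The trusted origins, message shape and limits are made-up assumptions.

```javascript
// Added example, not from the article. Origins, message shape and limits are assumed.

const TRUSTED_ORIGINS = new Set(["https://app.example", "https://widgets.app.example"]);
const MAX_MESSAGES_PER_WINDOW = 50; // assumed flood threshold per origin
const WINDOW_MS = 1000;

// Weak receiver: no origin check, payload goes straight into a markup sink.
// Any page holding a reference to this window (opener, parent, iframe) can
// inject HTML, or post in a tight loop and make the tab unresponsive.
function weakReceiver(event, dom) {
  dom.innerHTML = event.data; // attacker-controlled markup
  return "rendered";
}

// Hardened receiver. `clock` is injected so the rate limiter is testable.
function makeHardenedReceiver(clock) {
  const counters = new Map(); // origin -> { windowStart, count }
  return function receive(event, dom) {
    // 1. Exact origin match; never a substring or prefix test.
    if (!TRUSTED_ORIGINS.has(event.origin)) return "rejected:origin";

    // 2. Cheap per-origin rate limit before any parsing work.
    const now = clock();
    let c = counters.get(event.origin);
    if (!c || now - c.windowStart >= WINDOW_MS) {
      c = { windowStart: now, count: 0 };
      counters.set(event.origin, c);
    }
    if (++c.count > MAX_MESSAGES_PER_WINDOW) return "rejected:flood";

    // 3. Structured data only, with a bounded size.
    const msg = event.data;
    if (typeof msg !== "object" || msg === null || msg.type !== "status") return "rejected:shape";
    if (typeof msg.text !== "string" || msg.text.length > 256) return "rejected:size";

    // 4. Text sink, so tags in the payload stay inert.
    dom.textContent = msg.text;
    return "rendered";
  };
}
```

On the sending side the same discipline applies: call `postMessage(data, "https://app.example")` with the intended target origin rather than `"*"`, otherwise a navigated or hijacked frame receives the data instead.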

“HTML5 is reshaping the client-side code and (is) going to have some significant changes in coming few years,” Shah said.

Shah’s presentation, entitled ‘HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits’, is scheduled for July 26.

Written By

Marketing professional with a background in journalism and a focus on IT security.
