
Researcher to Talk HTML5 Security at Black Hat

Black Hat 2012

HTML5 brings with it the promise of increased functionality. More functionality however, as usual, comes with a price – an increased attack surface.


At the upcoming Black Hat USA 2012 conference in Las Vegas, Shreeraj Shah, founder of application security vendor Blueinfy Solutions, will discuss the top 10 threats to HTML5 and how developers can combat them.

“HTML5 is becoming the de facto standard now and companies (and) developers are moving towards it consciously or unconsciously,” he told SecurityWeek. “We do see developers excited about HTML5 features like Storage, File APIs, Geolocation, Canvas/3D, WebSQL etc. HTML5 supports cross-platform (development) including mobile, which seems to be a critical feature in the current context. It is obviously killing Flash and (the) Silverlight stack and in (the) near future we will see migration taking place as well. HTML5 is…going to become a back-bone of Web applications.”

In the online description of his talk, Shah notes that HTML5 is not a single technology but a combination of components such as XMLHttpRequest (XHR) and Cross-Origin Resource Sharing (CORS), as well as technologies such as WebSQL and localStorage that are new to browsers. The downside is that HTML5 also faces a number of threats, ranging from CORJacking to cross-site scripting via HTML5 tags, attributes and events.

“HTML5 has several new features and some of them are lenient from a security standpoint,” he said. “For example, XHR allows cross origin calls and it can open up the reach of CSRF vectors. DOM specs are also expanded, which opens a surface for DOM based XSS; Storage/FileSystem/Offline Cache/WebSQL allow sensitive information leakage, and so on. I do see several significant openings from a security standpoint and more attacks towards (the) browser. (The) post-XSS exploit scenario will change significantly and (the) client is no longer thin but thick with features and juicy information.”

Web messaging can also be used to mount denial-of-service attacks against the browser, he said. There are several new features in the stack, and developers need to be careful about the libraries and native code they use. Secure coding on the client side, particularly in JavaScript, will need a lot of attention in the next few years before things mature, he added.
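To make the Web messaging and DOM XSS concerns above concrete, here is an added example (not code from the article or from Shah's talk) of a postMessage receiver: the insecure form writes any origin's payload into an HTML sink, while the hardened form checks event.origin against an allow-list, bounds message size against flooding, enforces a strict schema, and inserts only text. The origins, message shape and function names are assumptions made for the illustration.

```javascript
// Assumed (not from the article): the page accepts JSON messages of the
// shape {type: "greeting", text: "..."} from a fixed allow-list of origins.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://widget.example"]);
const MAX_MESSAGE_CHARS = 4096; // bound on payload size to blunt flooding

// Insecure receiver: trusts every origin and writes raw data into an HTML sink.
// Kept only to contrast with the hardened handler below; do not deploy.
function insecureHandler(event, sink) {
  sink.innerHTML = event.data; // DOM-based XSS sink reachable from any origin
}

// Validate one MessageEvent-like object. Returns the parsed payload, or null
// when the message must be ignored (wrong origin, oversized, malformed, off-schema).
function validateMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  if (typeof event.data !== "string" || event.data.length > MAX_MESSAGE_CHARS) return null;
  let payload;
  try {
    payload = JSON.parse(event.data);
  } catch (err) {
    return null;
  }
  if (!payload || payload.type !== "greeting" || typeof payload.text !== "string") return null;
  return payload;
}

// Hardened receiver: only validated payloads reach the DOM, and only as text.
// Returns true when the message was accepted, false when it was dropped.
function hardenedHandler(event, sink) {
  const payload = validateMessage(event);
  if (payload === null) return false;
  sink.textContent = payload.text; // text node, never parsed as HTML
  return true;
}

// Constructed sample events standing in for what window.onmessage receives.
const fromTrusted = {
  origin: "https://app.example",
  data: JSON.stringify({ type: "greeting", text: "<b>hi</b>" }),
};
const fromUntrusted = {
  origin: "https://evil.example",
  data: JSON.stringify({ type: "greeting", text: "x" }),
};

// In a browser, register the hardened handler; under Node there is no window.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => hardenedHandler(e, document.body));
}
```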

“HTML5 is reshaping the client-side code and (is) going to have some significant changes in coming few years,” Shah said.

Shah’s presentation, entitled ‘HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits’, is scheduled for July 26.

Written By

Marketing professional with a background in journalism and a focus on IT security.
