Researcher to Talk HTML5 Security at Black Hat

Black Hat 2012

HTML5 brings with it the promise of increased functionality. More functionality however, as usual, comes with a price – an increased attack surface.


At the upcoming Black Hat USA 2012 conference in Las Vegas, Shreeraj Shah, founder of application security vendor Blueinfy Solutions, will discuss the top 10 threats to HTML5 and how developers can combat them.

“HTML5 is becoming the de facto standard now and companies (and) developers are moving towards it consciously or unconsciously,” he told SecurityWeek. “We do see developers excited about HTML5 features like Storage, File APIs, Geolocation, Canvas/3D, WebSQL etc. HTML5 supports cross platform including mobile that seems to be critical feature in current context. It is obviously killing Flash and (the) Silverlight stack and in (the) near future we will see migration taking place as well. HTML5 is…going to become a back-bone of Web applications.”

In the online description of his talk, Shah notes that HTML5 is not a single technology but a combination of components such as XMLHttpRequest (XHR) and cross-origin resource sharing (CORS), as well as technologies such as WebSQL and localStorage that are new to browsers. The downside, however, is that HTML5 also faces a number of threats, ranging from CORJacking to cross-site scripting using HTML5 tags, attributes and events.

“HTML5 has several new features and some of them are lenient from security standpoint,” he said. “For example, XHR allows cross origin calls and it can open up reach of CSRF vectors. DOM specs are also expanded which allows opening a surface for DOM based XSS, Storage/FileSystem/Offline Cache/WebSQL allows sensitive information leakage and so on. I do see several significant openings from security standpoint and more attacks towards (the) browser. Post-XSS exploit scenario will change significantly and (the) client is no longer thin but thick with features and juicy information.”
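The cross-origin XHR point above comes down to how a server answers the CORS headers. The following is an added example, not code from the article or from Blueinfy: two policy functions for a hypothetical authenticated API, the lenient one reflecting whatever Origin the request carries, the hardened one checking an exact-match allow-list. The names (corsHeadersWeak, corsHeadersHardened, ALLOWED_ORIGINS, crossOriginReadAllowed) and the origins are this example's own assumptions.

```javascript
// Added example (not from the article or from Blueinfy): server-side CORS policy
// decisions for an authenticated API, written as pure functions so they can be
// unit-tested without an HTTP server. All names and origins are constructed.

// Constructed allow-list for the hypothetical application.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Lenient policy: reflects whatever Origin the request carries and also enables
// credentials. Any page on the web can then make a credentialed XHR to this API
// and read the response, which is the widened reach of CSRF that Shah describes:
// the browser attaches the session cookie and the cross-origin page gets the data.
function corsHeadersWeak(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
  };
}

// Hardened policy: exact-match allow-list (no regex, no endsWith), Vary: Origin so
// shared caches do not hand one origin's headers to another, and no credentialed
// access for anything not on the list.
function corsHeadersHardened(originHeader, allowList = ALLOWED_ORIGINS) {
  if (!originHeader || !allowList.has(originHeader)) {
    // Not an allowed origin (this also covers the literal "null" origin that
    // sandboxed frames and file: pages send): emit no CORS grant at all, so the
    // browser refuses to let the calling page read the response.
    return { "Vary": "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Vary": "Origin",
  };
}

// Does this set of response headers let a page at `origin` read a credentialed
// response? This is the question the browser's CORS check answers.
function crossOriginReadAllowed(headers, origin) {
  return (
    headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}
```

The allow-list is matched with `Set.has`, i.e. exact string equality on the full scheme, host and port. Suffix or regex matching on the host is the usual mistake here, because an origin such as `https://app.example.com.attacker.example` would pass an `endsWith("example.com")` test.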

Use of Web messaging can also help in mounting denial-of-service attacks on the browser, he said. There are several new features on the stack, and developers need to be careful about the libraries and native code they are using. Secure coding on the client side around JavaScript needs a lot of attention in the next few years before things mature, he added.
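On the Web messaging point, the defensive counterpart is a `message` event handler that refuses anything it has not been designed to receive. The following is an added example, not code from the article or from Blueinfy: a postMessage receiver written as a pure function so it runs under Node without a DOM. It checks the sender's origin before doing any work, bounds both message size and message rate so a noisy sender cannot keep the page busy, and validates the message shape before use. The names (makeMessageHandler, TRUSTED_ORIGIN, MAX_MESSAGE_BYTES, MAX_PER_SECOND), the injectable clock and the `{type, payload}` message format are this example's own assumptions.

```javascript
// Added example (not from the article or from Blueinfy): a defensive
// window.postMessage receiver. The event object has the fields of a MessageEvent
// (origin, data), so in a browser it would be registered with
// window.addEventListener("message", handler.onMessage). All names are constructed.

const TRUSTED_ORIGIN = "https://widgets.example.com"; // constructed
const MAX_MESSAGE_BYTES = 4096; // bound the work a single message can force
const MAX_PER_SECOND = 50;      // bound how many messages a sender may push

function makeMessageHandler({ trustedOrigin = TRUSTED_ORIGIN, now = Date.now } = {}) {
  let windowStart = now();
  let count = 0;
  const accepted = []; // messages that passed every check

  function onMessage(event) {
    // 1. Origin check first. A handler without this accepts messages from any
    //    frame or window that can obtain a reference to this one.
    if (event.origin !== trustedOrigin) {
      return { ok: false, reason: "untrusted-origin" };
    }
    // 2. Rate limit per one-second window, counted only for the trusted origin
    //    (messages from elsewhere were already dropped above at no cost).
    const t = now();
    if (t - windowStart >= 1000) { windowStart = t; count = 0; }
    if (++count > MAX_PER_SECOND) {
      return { ok: false, reason: "rate-limited" };
    }
    // 3. Size check before parsing: measure the serialized form so that objects
    //    and strings are bounded the same way.
    const raw = typeof event.data === "string" ? event.data : JSON.stringify(event.data);
    if (raw === undefined || Buffer.byteLength(raw, "utf8") > MAX_MESSAGE_BYTES) {
      return { ok: false, reason: "too-large" };
    }
    // 4. Shape check. event.data is untrusted input even from the trusted origin:
    //    never hand it to eval, innerHTML or a URL sink without validation.
    let msg;
    try {
      msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
    } catch {
      return { ok: false, reason: "malformed" };
    }
    if (!msg || typeof msg !== "object" || typeof msg.type !== "string" || !("payload" in msg)) {
      return { ok: false, reason: "malformed" };
    }
    accepted.push(msg);
    return { ok: true, type: msg.type };
  }

  return { onMessage, accepted };
}
```

The order of the checks matters: the origin comparison is a single string compare and comes first, so traffic from untrusted senders is dropped before it can consume the rate budget or trigger parsing. Parsing only happens for messages that are both from the expected origin and within the size bound.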

“HTML5 is reshaping the client-side code and (is) going to have some significant changes in coming few years,” Shah said.


Shah’s presentation, entitled ‘HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits’, is scheduled for July 26.
