HTML5 brings with it the promise of increased functionality. More functionality however, as usual, comes with a price – an increased attack surface.
At the upcoming Black Hat USA 2012 conference in Las Vegas, Shreeraj Shah, founder of application security vendor Blueinfy Solutions, will discuss the top 10 threats to HTML5 and how developers can combat them.
“HTML5 is becoming the de facto standard now and companies (and) developers are moving towards it consciously or unconsciously,” he told SecurityWeek. “We do see developers excited about HTML5 features like Storage, File APIs, Geolocation, Canvas/3D, WebSQL etc. HTML5 supports cross platform including mobile that seems to be critical feature in current context. It is obviously killing Flash and (the) Silverlight stack and in (the) near future we will see migration taking place as well. HTML5 is…going to become a back-bone of Web applications.”
In the online description of his talk, Shah notes that HTML5 is not a single technology, but a combination of components such as XMLHttpRequest (XHR) and cross origin resource sharing (CORS) as well as technologies such as webSQL and localstorage that are new for browsers. The downside however is that HTML5 also faces a number of threats, ranging from CORJacking to cross-site scripting with HTML5 tags, attributes and events.
“HTML5 has several new features and some of them are lenient from security standpoint,” he said. “For example, XHR allows cross origin calls and it can open up reach of CSRF vectors. DOM specs are also expanded which allows opening a surface for DOM based XSS, Storage/FileSystem/Offline Cache/WebSQL allows sensitive information leakage and so on. I do see several significant openings from security standpoint and more attacks towards (the) browser. Post-XSS exploit scenario will change significantly and (the) client is no longer thin but thick with features and juicy information.”
Use of Web messaging can help in doing denial-of-service attacks on the browser as well, he said. There are several new features on the stack and developers need to be careful on the libraries and native code they are using. Secure coding on the client side around JavaScript needs a lot of attention in the next few years before things get matured, he added.
“HTML5 is reshaping the client-side code and (is) going to have some significant changes in coming few years,” Shah said.
Shah’s presentation, entitled ‘HTML5 Top 10 Threats –Stealth Attacks and Silent Exploits’, is scheduled for July 26.