Security Experts:

Connect with us

Hi, what are you looking for?


Black Hat

Top 10 Security Threats for HTML5 [Black Hat]

Black Hat 2012

HTML5 Top 10 Security Threats, Stealth Attacks and Silent Exploits

Black Hat 2012

HTML5 Top 10 Security Threats, Stealth Attacks and Silent Exploits

HTML5, the new Web standard that will make it easier to develop websites and applications that run on various screen sizes, is also vulnerable to stealth attacks and silent exploits, a security researcher said at the Black Hat security conference.

HTML5 faces a number of threats, including cross-site scripting and resource hijacking, Shreeraj Shah, founder of application security vendor Blueinfy, told attendees at the Black Hat security conference in Las Vegas Thursday. The fact that the new Web standard has cross-platform support and integrates several other technologies increases the attack surface, Shah said.

Even though it is still new and evolving, attacks against the new standard is already on the rise, Shah said. HTML5 pulls together many components, including XMLHttpRequest (XHR), cross-origin resource sharing (CORS), webSQL, and localstorage. In addition to the elements included in the specification such as Web messaging, Web sockets, and Canvas 2D, HTML5 includes related technologies such as SVG for graphics, CSS3 for stylesheets, Geolocation, and APIs for Calendar and File, among others.

“HTML5 is out there and people are using it,” Shah told attendees.

Attacks against HTML5 are stealthy, and silent and generally target the application’s presentation and the business logic layers, Shah said. The top 10 threats against HTML5 target XHR and HTML5 tags, feature-rich components such as browser SQL and storage, and DOM, said Shah. The list is as follows:

1. CSRF with XHR and CORS bypass

2. Jacking – click, CORS, tabs

3. HTML5-driven cross-site scripting using tags, events and attributes

4. Attacking storage and DOM variables

5. Exploiting Browser SQL points

6. Injection with Web Messaging and Workers

7. DOM-based cross site scripting and issues

8. Offline attacks and cross-widget vectors

9. Web socket issues

10. API and protocol attacks

The new technologies that make up HTML5 brings in several new threats. CORS is vulnerable to data transfer and origin issues, HTML5 forms can be manipulated, and client-side storage and SQL exposes the application to injection attacks, Shah said. It was critical to address how these attack vectors would work in today’s environment before attackers start taking advantage of these features for malicious purposes, Shah explained.

Shah called the XHR object in HTML5 “very powerful,” as it allows a variety of features, such as cross-origins requests and binary uploads and downloads. Attacks include bypass CORS preflight calls, forcing authentication cookies to replay with credentials, internal network scanning and tunneling, information harvesting, and abusing the business logic by uploading binary streams. Users could be tricked into uploading content onto the server, Shah said.

Some of the threat vectors can be mitigated by strengthening the CORS implementation, using secure JavaScript coding practices, and improving CORS controls, Shah said. Developers should look at secure libraries for streaming HTML5/Web 2.0 content and secure CORS. Developers should also employ standard cross-site-scripting protections and not store sensitive information inside localStorage.

Shah called the top 10 vectors just the “beginning,” and that HTML5 is just “warming up.” Different libraries and ways of development are bound to emerge over time and open up new risks and security issues. Looking at these threats would provide some ideas about security controls necessary for future applications, he said.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.