Connect with us

Hi, what are you looking for?


Black Hat

Top 10 Security Threats for HTML5 [Black Hat]

Black Hat 2012

HTML5 Top 10 Security Threats, Stealth Attacks and Silent Exploits

Black Hat 2012

HTML5 Top 10 Security Threats, Stealth Attacks and Silent Exploits

HTML5, the new Web standard that will make it easier to develop websites and applications that run on various screen sizes, is also vulnerable to stealth attacks and silent exploits, a security researcher said at the Black Hat security conference.

HTML5 faces a number of threats, including cross-site scripting and resource hijacking, Shreeraj Shah, founder of application security vendor Blueinfy, told attendees at the Black Hat security conference in Las Vegas Thursday. The fact that the new Web standard has cross-platform support and integrates several other technologies increases the attack surface, Shah said.

Even though it is still new and evolving, attacks against the new standard is already on the rise, Shah said. HTML5 pulls together many components, including XMLHttpRequest (XHR), cross-origin resource sharing (CORS), webSQL, and localstorage. In addition to the elements included in the specification such as Web messaging, Web sockets, and Canvas 2D, HTML5 includes related technologies such as SVG for graphics, CSS3 for stylesheets, Geolocation, and APIs for Calendar and File, among others.

“HTML5 is out there and people are using it,” Shah told attendees.

Attacks against HTML5 are stealthy, and silent and generally target the application’s presentation and the business logic layers, Shah said. The top 10 threats against HTML5 target XHR and HTML5 tags, feature-rich components such as browser SQL and storage, and DOM, said Shah. The list is as follows:

1. CSRF with XHR and CORS bypass

2. Jacking – click, CORS, tabs

Advertisement. Scroll to continue reading.

3. HTML5-driven cross-site scripting using tags, events and attributes

4. Attacking storage and DOM variables

5. Exploiting Browser SQL points

6. Injection with Web Messaging and Workers

7. DOM-based cross site scripting and issues

8. Offline attacks and cross-widget vectors

9. Web socket issues

10. API and protocol attacks

The new technologies that make up HTML5 brings in several new threats. CORS is vulnerable to data transfer and origin issues, HTML5 forms can be manipulated, and client-side storage and SQL exposes the application to injection attacks, Shah said. It was critical to address how these attack vectors would work in today’s environment before attackers start taking advantage of these features for malicious purposes, Shah explained.

Shah called the XHR object in HTML5 “very powerful,” as it allows a variety of features, such as cross-origins requests and binary uploads and downloads. Attacks include bypass CORS preflight calls, forcing authentication cookies to replay with credentials, internal network scanning and tunneling, information harvesting, and abusing the business logic by uploading binary streams. Users could be tricked into uploading content onto the server, Shah said.

Some of the threat vectors can be mitigated by strengthening the CORS implementation, using secure JavaScript coding practices, and improving CORS controls, Shah said. Developers should look at secure libraries for streaming HTML5/Web 2.0 content and secure CORS. Developers should also employ standard cross-site-scripting protections and not store sensitive information inside localStorage.

Shah called the top 10 vectors just the “beginning,” and that HTML5 is just “warming up.” Different libraries and ways of development are bound to emerge over time and open up new risks and security issues. Looking at these threats would provide some ideas about security controls necessary for future applications, he said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Black Hat

Black Hat 2019 recently wrapped in Las Vegas, where somewhere between 15,000 and 20,000 experts descended to experience the latest developments in the world...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.