Five vulnerabilities that are vulnerable to attacks in HTML5"

At the same time of the rapid rise of HTML5, we have to recognize the security issues that HTML5 brings to us, and they are not to be underestimated. This article mainly analyzes several security vulnerabilities that cannot be ignored in HTML5 from hijacking, cross-origin requests, desktop notifications, geographic location, and form tampering. Developers should always be vigilant.
 
"Although HTML5 has a certain role and contribution to enhancing website interaction, HTML5" vulnerabilities "are more likely to become their targets for malicious users ."
 
Therefore, this article will introduce the trend of HTML5 attacks in five aspects. We hope that the majority of application developers can pay attention to these "vulnerabilities" while using html5.
 
1. clickjacking is easier: clickjacking is not a new attack. The purpose of this attack is to steal the victim's mouse button and click, then, the click is directed to other pages specified by the attacker. Attackers can click hidden links without knowledge. Currently, one of the best server-side defense measures for clickjacking is called Framekilling technology. In essence, the affected website can use JavaScript to verify whether it is running in an iframe. If so, the page content is not displayed. This technology has been used on Facebook, Gmail, and other websites. However, HTML5 adds a new sandbox attribute in iframe, which will stop the website from executing JavaScript scripts. In most cases, this is actually a safer approach, but it also has a disadvantage, that is, it will offset the current best defense measures against click hijacking.
 
2. Use cross-origin requests or WebSockets port scanning: With HTML5, the browser can now connect to any IP address or any port of the website (almost. Although the target website cannot receive a response from any port connection, the researchers said, the time it takes for such requests to determine whether the target port is opened or closed. Therefore, attackers can directly use a browser to scan the victim's internal network.
 
3. Use desktop notifications for social engineering attacks: HTML5 has a new feature-desktop notifications. These pop-up windows outside the browser can be customized using HTML code. Although this feature brings a good way of interaction, it may also lead to social engineering attacks, such as phishing or counterfeit anti-virus software.
 
4. Track victims using Geographic Positioning: Geographic Positioning is the most notable new feature in HTML5. For security and privacy considerations, the website must be approved by the user before obtaining location information. However, similar to other functions that have previously appeared, such as Vista's User Account Control, Android app permissions, and invalid HTTPS creden, these security measures that need to be decided by the user have almost no effect. Once authorized, the website can not only know the location of the victim, but also track the victim in real time when the user moves.
 
5. Form tampering: Another new feature allows attackers to modify form behavior on a website injected with JavaScript (such as XSS attacks. For example, an attacker can change the normal behavior of an online store. Instead of sending the content to a purchase or login page, the attacker can send the user's identity authentication information to the attacker's website.
 
The above five HTML5 vulnerabilities are critical to developers, so we should be very careful when developing HTML5 programs. Although HTML5 has these security problems, I firmly believe that HTML5 is still the future of web.