Architects need to put HTML5 security first as new attacks emerge
In an earlier article we introduced the problems enterprise architects may run into when adopting HTML5. This article continues with the new security attacks that arrive as HTML5 gains features.
New Features = New Attacks
One concern of security experts is that the HTML5 stack runs in both mobile and desktop Web browsers. Shreeraj Shah, founder and director of the security company Blueinfy Solutions, said: "As a result, there are many HTML5 attack vectors, and the attack vectors change with the situation."
HTML5 adds many different attack vectors. In some cases new features widen the attack surface; in others a new implementation renders a well-known mitigation ineffective. It is particularly worth noting that attackers may exploit a weakness before security experts have discovered it.
These features are as follows:
◆ Canvas (programmable drawing interface)
◆ WebGL for drawing 3-D graphics
◆ Local storage
◆ Data stored on the client
◆ Geolocation
◆ Browsing history (the History API)
◆ Cross-origin requests (CORS)
◆ Media identifiers
◆ Content Security Policy
◆ Local file system access
◆ Web messaging (postMessage)
◆ Web Workers
Shah explained: "A wide range of attacks is becoming more and more apparent, and security problems become very complex as these features and components are adopted."
This large attack surface lets attackers use HTML5 components to launch client-side attacks such as XSS and CSRF, which sit in the OWASP Top 10 of Web application vulnerabilities. Shah pointed out that HTML5 storage and the file system built into browsers may hold important user information, so HTML5 lets an attacker who exploits an XSS vulnerability steal that information. Canvas, browsing history and several other features touch personal privacy; fingerprinting through the Canvas interface, for example, can be used to identify a specific visitor.
Shah added that HTML5 applications also widen the attack surface of the application's backend servers. HTML5 applications mostly use JavaScript to talk to SOA backends over JSON, SOAP or REST, so the boundaries between the presentation, business logic and data access layers blur, and many components are implemented in JavaScript and HTML5. "Therefore, we can reverse engineer the business logic," said Shah. "Attackers can execute and use the real business function layer."
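The XSS-to-storage-theft path Shah describes, as an added example that is not part of the article and not Blueinfy's code. It is shown at the string level so it runs in Node without a browser: a Map stands in for window.localStorage, the stored values and the sample comment text are constructed, and the audit patterns are assumptions a reviewer would tune for their own application.

```javascript
// Added example, not from the article: the XSS-to-storage-theft path described above,
// shown at the string level so it runs in Node without a browser.
// Assumptions (constructed): a Map stands in for window.localStorage, and the sample
// comment text is a made-up marker, not a real attack.
const fakeLocalStorage = new Map([
  ['theme', 'dark'],
  ['session_token', 'eyJhbGciOiJIUzI1NiJ9.constructed.sample'],
]);

// Escape every character that is significant in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted text is concatenated straight into markup, which is what
// `element.innerHTML = ...` would then parse and execute.
function renderCommentVulnerable(text) {
  return `<li class="comment">${text}</li>`;
}

// Hardened: same output shape, but markup characters are escaped; in a real page
// prefer `element.textContent = text`, which never parses markup at all.
function renderCommentSafe(text) {
  return `<li class="comment">${escapeHtml(text)}</li>`;
}

// Every script that runs on the origin, injected or not, sees the whole of
// localStorage: there is no permission prompt and no per-script isolation.
function storageVisibleToAnyScript(storage) {
  return Object.fromEntries(storage.entries());
}

// Defender-side check: flag entries that look like credentials so they can be moved
// server-side (or into HttpOnly cookies) before an XSS bug turns them into a breach.
const SENSITIVE_KEY = /token|secret|password|session|auth/i;
const JWT_SHAPE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/;

function auditStorage(storage) {
  const findings = [];
  for (const [key, value] of storage.entries()) {
    if (SENSITIVE_KEY.test(key)) findings.push({ key, reason: 'sensitive-looking key name' });
    else if (JWT_SHAPE.test(value)) findings.push({ key, reason: 'value looks like a JWT' });
  }
  return findings;
}

const constructedMarker = '<script>/* injected */</script>';
console.log(renderCommentVulnerable(constructedMarker)); // markup survives intact
console.log(renderCommentSafe(constructedMarker));       // rendered as inert text
console.log(auditStorage(fakeLocalStorage));
```

The audit is the check to run before shipping: anything it flags is readable by whatever script the next XSS bug injects, so the fix is to keep such values off the client (server-side session with an HttpOnly cookie) rather than to escape harder.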
Cache and Local Storage
New HTML5 features make storing data on the client easier. These local storage technologies promise faster applications and offline operation. Without proper management, security controls and encryption, however, an attacker can obtain the same data.
Eads believes that even when data on the client is protected by security and encryption tools, those tools are not fail-safe. "We have proved that the data is not unbreakable. In most cases it has been proven too risky to store data on the client. Similarly, from a management perspective, we have not found an advantage to storing data on the client."
Eads pointed out that in some cases, especially on iOS, native applications can give local storage better protection. On Android, on the other hand, rooted devices are more common, and rooting bypasses some of the platform's built-in security measures.
Eads does see an exception when an enterprise has greater control over users through mobile device management (MDM) and mobile application management (MAM) tools. "With MDM and MAM, we can reduce control," he said. "A well-designed system architecture can be controlled as appropriate. However, some enterprises store data on the client without effective control, and they face very serious risks."
Third-party code (understanding the code libraries)
Many enterprises have begun to adopt HTML5 libraries to shorten development time and improve the quality of new applications. If a library contains vulnerabilities, or its source has been compromised, that causes many problems. In most HTML5 applications all JavaScript, third-party code included, runs with the same privileges. This means that a vulnerability or fault in a third-party library can compromise the enterprise application at run time in the browser.
Brad Carleton, founder and CTO of the application development company TechPines, believes: "The more libraries are used, the more complicated the security issues become. I would say the best security defence is to thoroughly review all third-party code before use. In some special circumstances a lot of potentially untrusted third-party code may have to run in the browser; we can use HTML5 Web Workers and iframe sandboxes for a more secure setup."
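The iframe sandbox and Web messaging isolation Carleton refers to, as an added example that is not from the article and not TechPines' code. The widget URL, window objects and messages are constructed stand-ins so the handler can be exercised in Node; the message shape (`type` plus a short string `payload`) is an assumption for illustration.

```javascript
// Added example, not from the article: isolating untrusted third-party code with an
// iframe sandbox and a guarded postMessage channel. Assumptions (constructed): the
// widget URL, window objects and messages below are made up; nothing is fetched.

// Attribute-escape so an untrusted URL cannot break out of the src="" attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Sandboxed frame for a third-party widget: scripts may run, but the frame gets an opaque
// origin (no cookies, storage or DOM of the embedding page) and no forms, popups or
// top-level navigation. Do not combine allow-same-origin with allow-scripts for untrusted
// code: a same-origin frame could then remove its own sandbox attribute.
function sandboxedFrameHtml(url, { allowScripts = true } = {}) {
  const tokens = allowScripts ? 'allow-scripts' : '';
  return `<iframe sandbox="${tokens}" src="${escapeAttr(url)}" referrerpolicy="no-referrer"></iframe>`;
}

// Handler for window.addEventListener('message', ...). A sandboxed frame without
// allow-same-origin reports event.origin === "null", so an origin allowlist cannot
// identify it; compare the window reference (event.source) instead, and validate the
// payload shape before anything acts on it.
function createMessageHandler({ trustedSource, allowedTypes, onMessage }) {
  return function handle(event) {
    if (event.source !== trustedSource) return { accepted: false, reason: 'untrusted source' };
    const data = event.data;
    if (typeof data !== 'object' || data === null || Array.isArray(data)) {
      return { accepted: false, reason: 'payload is not an object' };
    }
    if (!allowedTypes.has(data.type)) return { accepted: false, reason: 'unknown message type' };
    if (typeof data.payload !== 'string' || data.payload.length > 4096) {
      return { accepted: false, reason: 'payload must be a short string' };
    }
    onMessage(data.type, data.payload); // only ever receives validated input
    return { accepted: true };
  };
}

// Constructed stand-ins for the frame's contentWindow and an unrelated window.
const widgetWindow = { name: 'widget' };
const strangerWindow = { name: 'stranger' };
const received = [];
const handle = createMessageHandler({
  trustedSource: widgetWindow,
  allowedTypes: new Set(['resize', 'ready']),
  onMessage: (type, payload) => received.push({ type, payload }),
});

console.log(sandboxedFrameHtml('https://widget.example/embed'));
handle({ source: widgetWindow, origin: 'null', data: { type: 'resize', payload: '320' } });
handle({ source: strangerWindow, origin: 'https://other.example', data: { type: 'resize', payload: '1' } });
handle({ source: widgetWindow, origin: 'null', data: { type: 'eval', payload: 'x' } });
console.log(received); // only the validated resize message from the widget frame
```

Two caveats when using this pattern. Replies to an opaque-origin frame have to be posted with targetOrigin `'*'`, since no concrete origin matches it, so never put secrets in messages sent to the frame. And a Web Worker is a weaker boundary than the sandboxed frame: it has no DOM, but it shares the page's origin and can still issue credentialed requests and reach IndexedDB, so it separates untrusted code from the DOM, not from the origin.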