Five HTML5 security issues

When everyone is emphasizing how good HTML5 is, and all are focusing on HTML5/css3, HTML5 is also exposed to several possible security issues, this is a series of complications behind HTML5's excellent standards, but it does not affect the impact of HTML5 standards on the future. We only need to know and prevent them.

 
 
The following content does not use any special sequence. We will introduce five methods that may use the HTML5 function for attacks:
 
5. Form tampering: Another new feature allows attackers to modify form behavior on the web page in websites injected with JavaScript (such as XSS attacks. For example, an attacker can change the normal behavior of an online store. Instead of sending the content to a purchase or login page, the attacker can send the user's identity authentication information to the attacker's website.
 
4. Track victims using Geographic Positioning: Geographic Positioning is the most notable new feature in HTML5. For security and privacy considerations, the website must be approved by the user before obtaining location information. However, similar to other functions that have previously appeared, such as Vista's User Account Control, Android app permissions, and invalid HTTPS creden, these security measures that need to be decided by the user have almost no effect. Once authorized, the website can not only know the location of the victim, but also track the victim in real time when the user moves.
 
3. Using desktop notifications for social engineering attacks: We once mentioned a new HTML5 feature in HTML5's five excellent functional articles: desktop notifications. These pop-up windows outside the browser can be customized using HTML code. Although this feature brings a good way of interaction, it may also lead to social engineering attacks, such as phishing or counterfeit anti-virus software. Looking at the image below, we can see how attackers can use this new function.
 
2. Use cross-origin requests or websockets port scanning: With HTML5, the browser can now connect to any IP address or any port of the website (almost. Although the target website may not receive a response from any port connection, the researchers said, the time it takes for such requests to determine whether the target port is opened or closed. Therefore, attackers can directly use a browser to scan the victim's internal network.
 
1. clickjacking is easier: clickjacking itself is not a new attack. The purpose of this attack is to steal the victim's mouse button and then redirect the click to another page specified by the attacker. Attackers can click hidden links without knowledge. Currently, one of the best server-side defense measures for clickjacking is called framekilling technology. In essence, the affected website can use JavaScript to verify whether it is running in an IFRAME. If so, the page content is not displayed. This technology has been used on Facebook, Gmail, and other websites. However, HTML5 adds a new sandbox attribute in IFRAME, which will stop the website from executing JavaScript scripts. In most cases
This is actually a safer approach, but it also has a disadvantage, that is, it will offset the current best defense against click hijacking.
 
There are only five new attacks that may be caused by HTML5. Trend Micro is just a rough description. Continue to watch this series of last articles: the ugly side of HTML5 and our reports on HTML5 attacks. This is the second article in the HTML5 series. You can also take a look at Article 1: Explore new HTML5 standards to learn about new functions that can enhance website interaction. In this article, Trend Micro will show readers how these HTML5 functions may be abused by attackers. We do not intend to give an example in detail here, but if you are interested in learning more, we will discuss the in-depth report on HTML5 attacks in the third part of this series.
 
3. Using desktop notifications for social engineering attacks: We once mentioned a new HTML5 feature in HTML5's five excellent functional articles: desktop notifications. These pop-up windows outside the browser can be customized using HTML code. Although this feature brings a good way of interaction, it may also lead to social engineering attacks, such as phishing or counterfeit anti-virus software. Looking at the image below, we can see how attackers can use this new function.