Application security experts say HTML5 brings new security challenges to developers. The spat between Apple and Adobe has led to a lot of speculation about the fate of HTML5. Although the implementation of HTML5 still has a long way to go, it is certain that developers using HTML5 will need to add new security measures to their application security development lifecycle to address the challenges HTML5 poses.
HTML5 will therefore change the attack surface we need to cover. This article explores several important security issues with HTML5.
Client Storage
Earlier versions of HTML allowed websites to store only cookies as local information. Cookies were relatively small and suited only to storing simple archival information or identifiers for data stored in other locations, such as session IDs, said Dan Cornell, head of the application security research department at Denim Group. HTML5 localStorage, however, allows the browser to keep large data stores locally, enabling new types of applications.
"The attendant risk is that sensitive data may be stored on a local user workstation, and an attacker who physically accesses or destroys the workstation can easily get the sensitive data," Cornell says, "which is more dangerous for users who use shared computers."
"By definition, it really can just store information on the client system," says Josh Abraham, security researcher at Rapid7. "Then you have the potential for a client-side SQL injection attack, or maybe one of your clients' databases is malicious and, when synchronizing with the production system, a synchronization problem may occur, or the client's potentially malicious data will be inserted into the production system."
To address this, developers need to be able to verify whether the data is malicious, which is actually a very complex problem.
Not everyone agrees on the importance of this issue. Chris Wysopal, chief technology officer at Veracode, says there are many ways for web applications to store data on the client by using plug-ins or browser extensions.
"There are a number of known ways to manipulate the HTML5 sessionStorage properties that are currently deployed, but this problem will be resolved when the criteria are finalized," Wysopal said.
Cross-domain communication
While earlier versions of HTML allowed JavaScript to send XML HTTP requests only back to the originating server, HTML5 relaxes this limit: XML HTTP requests can be sent to any server that allows such requests. Of course, if that server is not trusted, this can lead to serious security problems.
"For example, I could build a mashup that combines two or more web apps that use public or private databases to form a consolidated application, and pull the score of a third-party website through JSON (JavaScript Object Notation)," Cornell said. "This site may send malicious data to the application that my user's browser is running. While HTML5 allows for the creation of new types of applications, developers are at great security risk if they do not understand the security implications of the application they are building when they start using these features."
Developers who rely on postMessage() in their applications must check carefully that each message originates from their own website; otherwise malicious code from other sites may send malicious messages, Wysopal added. This feature is not inherently secure, and developers have started using different DOM (Document Object Model)/browser capabilities to emulate cross-domain communication.
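The origin check described above, as an added example that is not from the original article: the receiver compares event.origin with an exact allowlist and validates the payload before using it. The origins, the "score-update" message type and the field limits are assumptions made for illustration.

```javascript
// Added illustration. Origins, message type and limits are assumed values.
const TRUSTED_ORIGINS = new Set(["https://app.example.com", "https://widgets.example.com"]);

// Weak pattern: a substring test also accepts look-alike hosts.
function weakOriginCheck(origin) {
  return String(origin).indexOf("example.com") !== -1;
}

// Strict pattern: exact match on the full serialized origin (scheme, host, port).
function strictOriginCheck(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Even a trusted sender's payload is parsed as data and checked field by field.
function parseMessage(data) {
  if (typeof data !== "string" || data.length > 4096) return null;
  let msg;
  try { msg = JSON.parse(data); } catch (err) { return null; }
  if (msg === null || typeof msg !== "object" || msg.type !== "score-update") return null;
  if (!Number.isInteger(msg.score) || msg.score < 0 || msg.score > 1000) return null;
  return { type: msg.type, score: msg.score }; // copy only the expected fields
}

function handleMessage(event) {
  if (!strictOriginCheck(event.origin)) return { accepted: false, reason: "untrusted origin" };
  const message = parseMessage(event.data);
  if (message === null) return { accepted: false, reason: "malformed payload" };
  return { accepted: true, message };
}

// In a browser the handler is registered on the receiving window.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (event) => handleMessage(event));
}

// Constructed sample events, shaped like browser MessageEvent objects.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: '{"type":"score-update","score":42}' },
  { origin: "https://example.com.other.test", data: '{"type":"score-update","score":42}' },
  { origin: "http://app.example.com", data: '{"type":"score-update","score":42}' },
  { origin: "https://app.example.com", data: '{"type":"score-update","score":"<b>42</b>"}' },
];
for (const ev of SAMPLE_EVENTS) {
  console.log(ev.origin, weakOriginCheck(ev.origin), JSON.stringify(handleMessage(ev)));
}
```

Only the first sample is accepted: the second and third pass the substring test but fail the exact origin match, and the fourth comes from a trusted origin but carries a payload that fails validation.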
Another related issue is Cross-Origin Resource Sharing, a World Wide Web Consortium design that currently provides a similar cross-domain mechanism for bypassing the same-origin policy.
"The security features of the IE deployment are not the same as Firefox, Chrome, and Safari," he notes. "Developers need to make sure that they create overly loose access control lists, especially because some reference codes are currently very insecure."
IFRAME Security
From a security standpoint, HTML5 also has good features, such as the sandbox attribute planned for iframes.
"This property will allow the developer to choose how the data is interpreted," Wysopal says. "Unfortunately, like most HTML, this design is likely to be misunderstood by the developer and is likely to be disabled by the developer because it is not easy to use. If handled properly, this feature will help protect against malicious third-party ads or prevent untrusted content replay."