Application security experts say that HTML5 poses new security challenges for developers.
The spat between Apple and Adobe has led to a lot of speculation about the fate of HTML5. Although the implementation of HTML5 still has a long way to go, it is certain that developers who adopt HTML5 will need to add new security activities to their application security development lifecycle to address the challenges HTML5 poses.
So what impact will HTML5 have on the attack surface we need to cover? This article explores several important security issues in HTML5.
Client Storage
Earlier versions of HTML only allowed Web sites to store local information in cookies, which are relatively small and suited only to holding simple state or identifiers for data stored elsewhere (such as session IDs), said Dan Cornell, director of the application security research department at the Denim Group. HTML5 localStorage, however, allows browsers to store large amounts of data locally, enabling new types of applications.
"The attendant risk is that sensitive data may be stored on the local user workstation, and that sensitive data can be easily obtained by an attacker who physically accesses or compromises the workstation," Cornell said, "which is more dangerous for users who use shared computers."
"By definition, it's really just the ability to store information on the client system," says Josh Abraham, security researcher at Rapid7, "so you have the potential for a client-side SQL injection attack, or maybe one of your clients' databases is malicious, and when it is synchronized with the production system there may be a synchronization problem, or potentially malicious data from the client will be inserted into the production system."
To address this, developers need to be able to verify whether client-supplied data is malicious, which in practice is a very complex problem.
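The gate Abraham describes, as an added example that is not from the article: a server-side step that treats records a client synchronises out of HTML5 localStorage as untrusted, validates them against a field whitelist, and hands only parameterised statements onward. The `pendingScores` key, the record fields and the in-memory stand-in for `window.localStorage` are assumptions for illustration; the sample records are constructed.

```javascript
// Added example, not code from the article. Field names, the "pendingScores"
// key and the MemoryStorage stand-in are assumptions for illustration.

// Minimal stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

// Whitelist schema: only these fields, passing these checks, are accepted.
const SCORE_SCHEMA = {
  player: (v) => typeof v === 'string' && /^[A-Za-z0-9_]{1,32}$/.test(v),
  score: (v) => Number.isInteger(v) && v >= 0 && v <= 1000000,
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Validate one record. Unknown fields and failed checks are errors; the
// returned record contains only whitelisted fields, never the raw object.
function validateScoreRecord(raw) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    return { ok: false, errors: ['not an object'], record: null };
  }
  const errors = [];
  for (const key of Object.keys(raw)) {
    if (!hasOwn(SCORE_SCHEMA, key)) errors.push(`unexpected field: ${key}`);
  }
  const record = {};
  for (const [key, check] of Object.entries(SCORE_SCHEMA)) {
    if (!hasOwn(raw, key)) errors.push(`missing field: ${key}`);
    else if (!check(raw[key])) errors.push(`invalid value for ${key}`);
    else record[key] = raw[key];
  }
  return { ok: errors.length === 0, errors, record: errors.length ? null : record };
}

// The injection-prone pattern: SQL text built by string concatenation, so a
// quote inside a value changes the statement. Kept only for contrast.
function unsafeInsertSql(record) {
  return `INSERT INTO scores (player, score) VALUES ('${record.player}', ${record.score})`;
}

// Parameterised statement: values travel separately from the SQL text, so
// the database driver never interprets them as SQL.
function safeInsertStatement(record) {
  return {
    sql: 'INSERT INTO scores (player, score) VALUES (?, ?)',
    params: [record.player, record.score],
  };
}

// Drain the client's pending records, keeping only those that pass validation.
function syncFromClient(storage) {
  const rawText = storage.getItem('pendingScores') || '[]';
  let pending;
  try {
    pending = JSON.parse(rawText);
  } catch (e) {
    return { accepted: [], rejected: [{ raw: rawText, errors: ['malformed JSON'] }] };
  }
  if (!Array.isArray(pending)) pending = [pending];
  const accepted = [];
  const rejected = [];
  for (const raw of pending) {
    const result = validateScoreRecord(raw);
    if (result.ok) accepted.push(safeInsertStatement(result.record));
    else rejected.push({ raw, errors: result.errors });
  }
  return { accepted, rejected };
}

// Constructed sample: what a tampered client store might hold after a user
// edits localStorage by hand. Only the first record should reach production.
const sampleStorage = new MemoryStorage();
sampleStorage.setItem('pendingScores', JSON.stringify([
  { player: 'alice', score: 1200 },
  { player: "mallory'--", score: 1 },
  { player: 'bob', score: 'NaN', isAdmin: true },
]));

const sampleResult = syncFromClient(sampleStorage);
console.log(JSON.stringify(sampleResult, null, 2));
```

The validator is deliberately a whitelist: a field the server did not expect (`isAdmin` above) is an error rather than something silently copied through, and the accepted record is rebuilt from the schema instead of being the client's object. Parameterisation is kept even for values that already passed the regex, because the validation rules and the storage layer will drift apart over time.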
Not everyone agrees on the importance of this issue. Chris Wysopal, chief technology officer at Veracode, notes for example that Web applications already have many ways to extend client-side data storage using plug-ins or browser features.
"There are a number of known ways to manipulate the HTML5 sessionStorage properties that are currently deployed, but this problem will be resolved when the standard is finalized," Wysopal said.
Cross-domain communication
While earlier versions of HTML only allowed JavaScript to issue XMLHttpRequest calls back to the originating server, HTML5 has relaxed this restriction, and XMLHttpRequests can be sent to any server that allows such requests. Of course, this can also pose a serious security problem if the server is not trusted.
"For example, I could create a mashup that combines two or more Web applications that use a public or private database into a consolidated application, pulling game scores from a third-party site through JSON (JavaScript Object Notation)," Cornell said. "That site may send malicious data to the application running in my user's browser. While HTML5 allows the creation of new types of applications, if developers do not understand the security implications of the applications they build when they start using these features, they pose a significant security risk to users."
For developers who rely on postMessage() to write applications, it is important to check the origin carefully to make sure that a message comes from their own web site; otherwise malicious code on other sites can craft malicious messages, Wysopal added. This feature is not inherently secure, and developers have been using various DOM (Document Object Model) and browser capabilities to emulate cross-domain communication.
Another related issue is that the World Wide Web Consortium currently provides a similar cross-domain mechanism, Cross-Origin Resource Sharing (CORS), designed to work around the same-origin policy.
"The security features of IE's implementation are different from those of Firefox, Chrome, and Safari," he says, "and developers need to make sure that they do not create overly loose access control lists, especially since some of the reference code currently in circulation is very insecure."
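Both checks this section calls for, the postMessage() origin check and a CORS access control list that is not "too loose", as one added example that is not from the article. The trusted-origin list, the message format and the `scoreUpdate` message type are assumptions for illustration; the sample events are constructed. The example also contrasts an exact origin comparison with a substring comparison, a common way for an allowlist to become looser than intended.

```javascript
// Added example, not code from the article. TRUSTED_ORIGINS, the message
// shape and the sample events are assumptions constructed for illustration.

// Origins this page (or API) is prepared to trust. Entries are full origins
// (scheme, host, port), compared as whole strings: no paths, no wildcards.
const TRUSTED_ORIGINS = ['https://app.example.com', 'https://partner.example.org'];

// Exact-match check, the form to use in both a message listener and a CORS filter.
function isTrustedOrigin(origin, allowlist = TRUSTED_ORIGINS) {
  return typeof origin === 'string' && allowlist.includes(origin);
}

// A loose check of the kind that looks right in review but is not: a substring
// test also accepts hosts such as example.com.attacker.test. Kept only so the
// sample run below can show the difference.
function looseOriginCheck(origin) {
  return typeof origin === 'string' && origin.indexOf('example.com') !== -1;
}

// postMessage receiver logic, written as a pure function over the event so it
// can be exercised outside a browser. In a page it would be attached with
// window.addEventListener('message', (e) => handleMessage(e)).
function handleMessage(event, allowlist = TRUSTED_ORIGINS) {
  // First gate: who sent it. event.origin is set by the browser, not the sender.
  if (!isTrustedOrigin(event.origin, allowlist)) {
    return { accepted: false, reason: `untrusted origin ${event.origin}` };
  }
  // Second gate: what was sent. A trusted origin can still be compromised,
  // so the payload is parsed and shape-checked rather than used directly.
  let payload = event.data;
  if (typeof payload === 'string') {
    try {
      payload = JSON.parse(payload);
    } catch (e) {
      return { accepted: false, reason: 'malformed JSON' };
    }
  }
  if (!payload || payload.type !== 'scoreUpdate' || !Number.isInteger(payload.score)) {
    return { accepted: false, reason: 'unexpected message shape' };
  }
  return { accepted: true, score: payload.score };
}

// CORS response headers for a request carrying `requestOrigin`. The allowlist
// is consulted explicitly; the request's Origin header is never echoed back
// unconditionally, and '*' is never combined with credentials. Returning null
// means no CORS headers at all, so the browser refuses to expose the response.
function corsHeaders(requestOrigin, allowlist = TRUSTED_ORIGINS) {
  if (!isTrustedOrigin(requestOrigin, allowlist)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response depends on Origin, so caches must key on it
  };
}

// Constructed sample events, shaped as a browser delivers them to a listener.
const sampleEvents = [
  { origin: 'https://app.example.com', data: JSON.stringify({ type: 'scoreUpdate', score: 42 }) },
  { origin: 'https://example.com.attacker.test', data: JSON.stringify({ type: 'scoreUpdate', score: 99 }) },
  { origin: 'https://app.example.com', data: '{"type":"scoreUpdate","score":"nine"}' },
];

// Compare the strict listener with the loose origin test on each sample.
function runSample() {
  return sampleEvents.map((e) => ({
    origin: e.origin,
    strictAccepted: handleMessage(e).accepted,
    looseWouldAccept: looseOriginCheck(e.origin),
  }));
}

console.log(runSample());
console.log(corsHeaders('https://partner.example.org'), corsHeaders('https://other.example.net'));
```

Note that `corsHeaders` rejects the literal string `"null"`, which browsers send as the Origin for sandboxed frames and some local files; adding `"null"` to an allowlist would admit any such context, which is the kind of overly loose list Wysopal warns about.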
IFrame Security
From a security standpoint, HTML5 also has good features, such as the planned sandbox attribute for IFRAMEs.
"This attribute will allow developers to choose how the content is interpreted," Wysopal said. "Unfortunately, like much of HTML, this design is likely to be misunderstood by developers and may be disabled by developers because it is not easy to use. If handled properly, this feature will help protect against malicious third-party advertising or prevent untrusted content from being rendered."
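The sandbox attribute in use, as an added example that is not from the article: a helper that emits an iframe for third-party content with the attribute present (an empty value is the most restrictive setting) and a small audit routine that reports what a given attribute value still permits. The token names are those of the current HTML standard, which the article, written when the attribute was still planned, does not list; the advertising URL and the token combinations audited are constructed for illustration.

```javascript
// Added example, not code from the article. Token names follow the current
// HTML standard; the ad URL and audited values are constructed samples.

// Each token hands one capability back to the framed document; with none of
// them present the frame gets a unique origin and cannot run scripts,
// submit forms, open popups or navigate the embedding page.
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build an <iframe> for third-party content. Unknown tokens are rejected
// up front because browsers silently ignore them, which would otherwise
// leave a reviewer believing a restriction is in place.
function buildSandboxedFrame(src, capabilities = []) {
  for (const cap of capabilities) {
    if (!SANDBOX_TOKENS.has(cap)) throw new Error(`unknown sandbox token: ${cap}`);
  }
  return `<iframe src="${escapeAttr(src)}" sandbox="${capabilities.join(' ')}"></iframe>`;
}

// Review a sandbox attribute value and list what it still allows. The
// findings mirror the cautions in the HTML specification for these tokens.
function auditSandbox(value) {
  const tokens = new Set(String(value).trim().split(/\s+/).filter(Boolean));
  const findings = [];
  if (tokens.size === 0) {
    findings.push('fully restricted: no scripts, forms, popups or same-origin access');
  }
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts with allow-same-origin: same-origin content can remove its own sandbox attribute, so the sandbox adds nothing');
  }
  if (tokens.has('allow-top-navigation')) {
    findings.push('allow-top-navigation: framed content can navigate the embedding page without user interaction');
  }
  if (tokens.has('allow-popups') && tokens.has('allow-popups-to-escape-sandbox')) {
    findings.push('popups opened by the frame are not sandboxed');
  }
  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) findings.push(`unknown token ignored by browsers: ${t}`);
  }
  return { tokens: [...tokens], findings };
}

// Constructed sample: an ad slot that needs scripts but nothing else.
const adFrame = buildSandboxedFrame('https://ads.example.test/slot?id=7&size="300x250"', ['allow-scripts']);
console.log(adFrame);
console.log(auditSandbox('allow-scripts allow-same-origin allow-top-navigation'));
```

The audit is the piece worth keeping around: a frame tagged `sandbox="allow-scripts allow-same-origin"` looks locked down in a template review, yet for same-origin content it is equivalent to no sandbox at all, which is the kind of misunderstanding Wysopal expects.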