Comments: Application security experts say developers should pay attention to the security issues in HTML5, because HTML5 brings new security challenges to developers.
The war of words between Apple and Adobe has brought a lot of speculation about the fate of HTML5. Although the implementation of HTML5 still has a long way to go, it is certain that developers using HTML5 will need to add new security measures to their application security development lifecycle to meet the security challenges posed by HTML5.
So what is the impact of HTML5 on the attack surface we need to cover? This article discusses several important security issues related to HTML5.
Client Storage
Earlier versions of HTML only allowed websites to store small amounts of local information in cookies, which is suitable only for simple values or identifiers for data stored elsewhere (such as session IDs), said Dan Cornell, director of application security research at the Denim Group. HTML5 LocalStorage, however, allows the browser to store large amounts of data locally, enabling new types of applications.
"The risk is that sensitive data may be stored on the local user workstation, and attackers who gain access to or compromise the workstation can easily obtain that sensitive data," Cornell said. "This is even more dangerous for users who use shared computers."
"By definition, it is really just capable of storing information on the client system," says Josh Abraham, a security researcher at Rapid7. "Then you have the potential for client-side SQL injection attacks, or the database on one of your clients may be malicious. When the client syncs with the production system, that potentially malicious data may be inserted into the production system."
To address this problem, developers need to be able to verify whether the data is malicious, which is in practice a very complicated problem.
Not everyone agrees on the importance of this issue. Chris Wysopal, chief technology officer of Veracode, noted that web applications have long had ways to expand client-side data storage, for example by using plug-ins or browser features.
"There are many known methods to manipulate the currently deployed HTML5 SessionStorage attribute, but this problem will be solved only when the standard is finalized," Wysopal said.
Cross-origin Communication
Earlier versions of HTML only allowed JavaScript to send XMLHttpRequests back to the originating server, while in HTML5 XMLHttpRequests can be sent to any server that permits such requests. If that server cannot be trusted, this creates serious security problems.
"For example, I can create a mashup (which combines two or more web applications, using public or private data sources, into an integrated application) that uses JSON (JavaScript Object Notation) to pull scores from a third-party website," Cornell said. "That website may send malicious data to an application running in my user's browser. Although HTML5 allows the creation of new types of applications, if developers do not understand the security implications of the features they start using, this will bring great security risks to users."
Developers who build applications on postMessage() must carefully check that messages come from their own websites; otherwise, malicious code on other websites can send malicious messages, Wysopal added. The function is not secure by itself. Developers have already begun using various DOM (Document Object Model) and browser features to emulate cross-origin communication.
Another issue is that the World Wide Web Consortium (W3C) is currently designing Cross-Origin Resource Sharing (CORS), which bypasses the same-origin policy using a mechanism similar to the cross-origin messaging feature.
"The security features deployed by IE are different from those deployed by Firefox, Chrome, and Safari," he pointed out. "Developers need to be careful about creating excessively loose access control lists, especially because some of the current reference code is very insecure."
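The origin check described above, as an added example that is not code from the article or from the researchers it quotes: a postMessage receiver that validates event.origin against an allow-list, shown beside the unsafe pattern that trusts every sender. The allowed origin and the sample events are constructed for this demo.

```javascript
// Added example (not from the original article): hardened vs. unsafe
// postMessage receivers. ALLOWED_ORIGINS and SAMPLE_EVENTS are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Unsafe receiver: accepts a message from any origin and uses its payload.
function handleMessageUnsafe(event) {
  return { accepted: true, data: event.data };
}

// Hardened receiver: exact match of event.origin against the allow-list.
// The browser fills in event.origin from the sender's real origin, so unlike
// anything inside event.data it cannot be forged by the sending page.
function handleMessageSafe(event) {
  if (typeof event.origin !== "string" || !ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  // The origin check only says who sent the message, not that its content is
  // well-formed: still validate the payload's shape before using it.
  const d = event.data;
  if (!d || typeof d !== "object" || !Number.isFinite(d.score)) {
    return { accepted: false, reason: "malformed payload" };
  }
  return { accepted: true, data: { score: d.score } };
}

// Constructed events shaped like MessageEvent (only origin and data are used).
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { score: 42 } },                // trusted
  { origin: "https://evil.example.net", data: { score: 42 } },               // other site
  { origin: "https://app.example.com.evil.example.net", data: { score: 1 } }, // lookalike prefix
  { origin: "https://app.example.com", data: "42" },                        // trusted, but bad payload
];

// Returns, per sample event, whether each receiver would accept it.
function runDemo() {
  return SAMPLE_EVENTS.map((e) => ({
    origin: e.origin,
    unsafe: handleMessageUnsafe(e).accepted,
    safe: handleMessageSafe(e).accepted,
  }));
}

// In a real page the hardened receiver is registered like this (not run here):
//   window.addEventListener("message", (e) => { const r = handleMessageSafe(e); /* use r.data */ });
// and the sender names its intended target origin instead of "*":
//   otherWindow.postMessage({ score: 42 }, "https://app.example.com");
```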
Iframe Security
From a security point of view, HTML5 also has good features, such as the planned support for the iframe sandbox attribute.
"This attribute allows developers to choose how data is interpreted," Wysopal said. "Unfortunately, like most of HTML, this design may be misunderstood by developers, and developers may disable it because it is not easy to use. If handled properly, this feature can help defend against malicious third-party advertisements or prevent the replay of untrusted content."