Comment: You should also pay attention to security issues in HTML5
Application security experts say HTML5 presents new security challenges for developers. The war of words between Apple and Adobe has prompted much speculation about the fate of HTML5. Although HTML5 implementation still has a long way to go, one thing is certain: developers using HTML5 will need to build new security controls into the application security development lifecycle to cope with the challenges HTML5 brings.
So what impact will HTML5 have on the attack surface we need to cover? This article discusses several important security issues with HTML5.
Client Storage
Earlier versions of HTML only allowed websites to store cookies as local information, which are relatively small and only suitable for holding simple state or identifiers for data stored elsewhere (such as a session ID), said Dan Cornell, director of the Denim Group's application security research division. However, HTML5 localStorage allows the browser to store large amounts of data locally, enabling new types of applications.
The risk is that sensitive data may be stored on the user's local workstation, where an attacker who gains physical access to or compromises the workstation can easily obtain it; Cornell said this is even more dangerous for users on shared computers.
By definition, it really just stores information on the client system, said Josh Abraham, a security researcher at Rapid7. Then you have the potential for a client-side SQL injection attack, or maybe one of your clients' databases is malicious, and when it is synchronized with the production system there may be synchronization problems, or the client's potentially malicious data may be inserted into the production system.
To solve this problem, developers need to be able to verify whether the data is malicious, which in practice is a very complicated problem.
Not everyone agrees on the importance of this issue. Veracode chief technology officer Chris Wysopal said that, for example, there have always been many ways to store data on the client by using plug-ins or browser extensions.
There are many known ways to manipulate the HTML5 sessionStorage properties currently deployed, but this problem will only be solved once the standard is finalized, Wysopal said.
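One way to handle records synchronized from HTML5 client storage, as an added example that is not code from the article: treat each record as untrusted input, validate its fields against an allowlist, and hand the values to a parameterized statement instead of concatenating them into SQL. The record format, the `notes` table, the `$1`-style placeholder convention and the sample records are assumptions for illustration; no database is contacted.

```javascript
// Added example, not code from the article. Records synchronized from
// HTML5 client storage are treated as untrusted input: validated against
// an allowlist, then passed to a parameterized statement. Table name,
// record shape and placeholder style are assumptions; sample rows are
// constructed and nothing talks to a real database.

// What naive sync code often does: trust that the row came from our own
// app and splice its fields straight into the statement text.
function insertSqlConcatenated(row) {
  return "INSERT INTO notes (user_id, title, body) VALUES (" +
    row.userId + ", '" + row.title + "', '" + row.body + "')";
}

// Validation on the server side. Client-side checks cannot be relied on:
// the client may have been modified, or the local store tampered with on
// a shared machine. Returns a list of problems (empty means acceptable).
function validateNote(row, sessionUserId) {
  if (row === null || typeof row !== "object") return ["row is not an object"];
  const problems = [];
  // The owning user comes from the server-side session, never from the
  // row, so a tampered client cannot write into another user's data.
  if (row.userId !== undefined && row.userId !== sessionUserId) {
    problems.push("userId does not match session");
  }
  if (typeof row.title !== "string" || row.title.length === 0 || row.title.length > 120) {
    problems.push("title missing or too long");
  }
  if (typeof row.body !== "string" || row.body.length > 10000) {
    problems.push("body missing or too long");
  }
  // Control characters have no business in a note and often signal tampering.
  if (typeof row.body === "string" &&
      /[\u0000-\u0008\u000b\u000c\u000e-\u001f]/.test(row.body)) {
    problems.push("body contains control characters");
  }
  return problems;
}

// Parameterized form: the statement text is a constant and the values
// travel separately, so an apostrophe or a "; DROP TABLE" inside the
// body is just data the driver binds, never SQL the server parses.
function insertStatement(row, sessionUserId) {
  const problems = validateNote(row, sessionUserId);
  if (problems.length > 0) return { ok: false, problems: problems };
  return {
    ok: true,
    text: "INSERT INTO notes (user_id, title, body) VALUES ($1, $2, $3)",
    values: [sessionUserId, row.title, row.body],
  };
}

// Constructed sample: a record a tampered client might push during sync.
const hostileRow = { userId: 7, title: "shopping", body: "'); DROP TABLE notes; --" };
// insertSqlConcatenated(hostileRow) embeds the payload in the SQL text;
// insertStatement(hostileRow, 7) keeps it in values[2] as plain data.
```

The validation does not try to decide whether a string "looks like SQL", which is the complicated problem the text refers to; it only enforces shape and ownership, and leaves the SQL-versus-data distinction to parameter binding.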
Cross-domain communication
Earlier versions of HTML only allowed JavaScript to issue XMLHttpRequests back to the originating server; HTML5 relaxes this limit, and XMLHttpRequests can be sent to any server that allows such requests. Of course, if that server is untrusted, this can also bring serious security issues.
For example, I can build a mashup (an integrated application that combines two or more web applications using public or private data sources) that pulls match scores from a third-party website via JSON (JavaScript Object Notation). Cornell said that such a website could send malicious data to the application running in my users' browsers. Although HTML5 enables new types of applications, if developers do not understand the security implications of what they are building when they start using these features, it will bring great security risks to users.
Developers who rely on postMessage() must check carefully that a message really comes from their own website; otherwise malicious code on other websites could craft malicious messages, Wysopal added. The feature is not secure by itself, and developers have already begun using various DOM (Document Object Model) and browser features to emulate cross-domain communication.
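The origin check described above, as an added example that is not code from the article or from any of the people quoted: a postMessage() receiver that verifies `event.origin` before acting on `event.data`, next to the unchecked pattern. `TRUSTED_ORIGIN`, the `setTheme` message format and the `deliver()` stand-in for the browser's message dispatch are assumptions so that the code runs outside a browser (for example under Node).

```javascript
// Added example, not code from the article. A postMessage() receiver that
// checks event.origin, beside the unchecked pattern the text warns about.
// TRUSTED_ORIGIN, the message format and deliver() are assumptions; in a
// real page the browser fills in event.origin and the handler is attached
// with window.addEventListener("message", ...).

const TRUSTED_ORIGIN = "https://app.example"; // assumed: our own site

// Unchecked pattern: any window holding a reference to ours (an opener,
// a parent frame, a child frame) can merge arbitrary data into our state.
function unsafeHandler(state, event) {
  Object.assign(state, event.data);
  return { accepted: true };
}

// Checked pattern: exact-match the full origin (scheme, host and port),
// then validate the message shape and copy only the fields we expect.
function safeHandler(state, event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || msg.type !== "setTheme") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  if (typeof msg.theme !== "string" || !/^[a-z]{1,32}$/.test(msg.theme)) {
    return { accepted: false, reason: "invalid theme" };
  }
  state.theme = msg.theme;
  return { accepted: true };
}

// Stand-in for the browser (constructed for this example): the browser
// sets event.origin from the sender and drops a message whose targetOrigin
// does not match the receiving window's origin.
function deliver(receiverOrigin, handler, state, senderOrigin, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== receiverOrigin) {
    return { accepted: false, reason: "dropped: targetOrigin mismatch" };
  }
  return handler(state, { origin: senderOrigin, data: data, source: null });
}

// Scenario: a page at https://evil.example (assumed attacker site) has a
// reference to our window and posts a hostile message; a legitimate page
// at TRUSTED_ORIGIN posts a real one.
function runScenario() {
  const hostile = { type: "setTheme", theme: "x", isAdmin: true };
  const legit = { type: "setTheme", theme: "dark" };

  const s1 = {};
  const r1 = deliver(TRUSTED_ORIGIN, unsafeHandler, s1, "https://evil.example", hostile, "*");
  const s2 = {};
  const r2 = deliver(TRUSTED_ORIGIN, safeHandler, s2, "https://evil.example", hostile, "*");
  const s3 = {};
  const r3 = deliver(TRUSTED_ORIGIN, safeHandler, s3, TRUSTED_ORIGIN, legit, TRUSTED_ORIGIN);
  // Sender-side caveat: naming a specific targetOrigin instead of "*"
  // means the message is never handed to a window at another origin.
  const s4 = {};
  const r4 = deliver("https://evil.example", safeHandler, s4, TRUSTED_ORIGIN, legit, TRUSTED_ORIGIN);

  return {
    unsafe: { result: r1, state: s1 },
    safe: { result: r2, state: s2 },
    legit: { result: r3, state: s3 },
    leak: r4,
  };
}
```

Two habits follow from the block: compare `event.origin` with `!==` against a full origin string (a `indexOf`/regex test on the host lets `https://app.example.evil.example` through), and on the sending side pass a concrete `targetOrigin` to `postMessage()` rather than `"*"` so a sensitive message cannot be read by a window that has navigated elsewhere.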
Another related issue is cross-origin resource sharing (CORS), the World Wide Web Consortium's design for letting a server selectively open the same-origin policy to other origins through a similar cross-origin mechanism.
IE's implementation has different security features from those of Firefox, Chrome and Safari, and he notes that developers need to make sure they do not create overly loose access control lists, especially because some of the reference code currently available is very insecure.
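The "access control list" in question is the server's decision about which `Origin` values get an `Access-Control-Allow-Origin` header. As an added example that is not code from the article, the block below writes that decision the loose way found in much reference code (reflect any origin, allow credentials), a common flawed middle ground (suffix match), and the allowlist form; a small stand-in for the browser's check shows which responses a cross-origin page could actually read. The origins and the request objects are assumptions, constructed so the code runs under Node without a web server.

```javascript
// Added example, not code from the article. Three ways to decide CORS
// response headers for a credentialed (cookie-bearing) request, from
// loose to strict, plus a simplified model of the browser's read check.
// Origins and request objects are assumptions constructed for the demo.

// Loose: reflect whatever Origin the client sent and allow credentials.
// Any site can then read authenticated API responses in a victim's browser.
function corsHeadersPermissive(req) {
  const origin = req.headers["origin"];
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Flawed middle ground: a suffix test that https://evilapp.example also
// satisfies, because "evilapp.example" ends with "app.example".
function corsHeadersSuffixMatch(req) {
  const origin = req.headers["origin"];
  if (!origin || !origin.endsWith("app.example")) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Allowlist: exact-match the full origin (scheme, host, port) against a
// fixed set, and emit Vary: Origin so a shared cache never serves one
// origin's answer to another.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",        // assumed: main site
  "https://admin.app.example",  // assumed: admin site
]);

function corsHeadersAllowlist(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin at all: the browser blocks the read.
    return { "Vary": "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Simplified model of the browser rule for a credentialed request: the
// page at requestingOrigin may read the response only if the header
// names that exact origin ("*" is rejected when credentials are in play)
// and credentials are explicitly allowed.
function browserWouldAllowRead(headers, requestingOrigin) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (!acao || acao === "*") return false;
  return acao === requestingOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed requests: one from an attacker-controlled site whose name
// merely ends in the trusted domain, one from the real site.
const evilRequest = { headers: { origin: "https://evilapp.example" } };
const goodRequest = { headers: { origin: "https://app.example" } };
```

A request with no `Origin` header (a same-origin navigation, or a non-browser client) gets no CORS headers at all in every variant; the distinction between the three only matters for the browser-enforced cross-origin read, and the allowlist is the only one that refuses `evilRequest`.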
Iframe security
From a security point of view, HTML5 also has welcome features, such as the sandbox attribute planned for iframes.
This attribute will allow developers to choose how the framed content is interpreted, Wysopal said, but unfortunately, like much of HTML, the design is likely to be misunderstood by developers and is likely to be switched off because it is inconvenient to use. If handled properly, this feature will help defend against malicious third-party ads or prevent untrusted content from running.
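As an added example that is not code from the article, the block below shows how a publisher might compose the sandbox attribute for an iframe carrying third-party ad content: the attribute is always present (an empty value is the most restrictive setting), only capabilities the creative actually needs are granted, and one known footgun is refused: `allow-scripts` together with `allow-same-origin` on a frame from the publisher's own origin, since such a frame can reach the parent document and remove its own sandbox attribute. The page URLs, the `needs` vocabulary and the markup builder are assumptions for illustration; the code runs under Node because it only builds strings.

```javascript
// Added example, not code from the article. Builds a sandbox attribute
// for a third-party ad iframe with least privilege, and refuses the
// allow-scripts + allow-same-origin combination on a same-origin frame.
// URLs, the "needs" object and the markup shape are assumptions.

function originOf(url) {
  return new URL(url).origin;
}

// Map what the embedded content legitimately needs to sandbox tokens.
// Anything not listed stays off: no forms, no popups, no top-level
// navigation, no plugins, and (unless asked for) no scripts.
function sandboxTokens(needs) {
  const tokens = [];
  if (needs.scripts) tokens.push("allow-scripts");
  if (needs.forms) tokens.push("allow-forms");
  if (needs.popups) tokens.push("allow-popups");
  if (needs.sameOrigin) tokens.push("allow-same-origin");
  return tokens;
}

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns { ok: true, sandbox, html } or { ok: false, reason }.
function planAdFrame(parentUrl, frameUrl, needs) {
  const tokens = sandboxTokens(needs || {});
  const sameOrigin = originOf(parentUrl) === originOf(frameUrl);
  const scripts = tokens.includes("allow-scripts");
  const sameOriginToken = tokens.includes("allow-same-origin");
  if (sameOrigin && scripts && sameOriginToken) {
    return {
      ok: false,
      reason: "allow-scripts with allow-same-origin on a same-origin frame " +
              "lets the framed document remove its own sandbox",
    };
  }
  // Always emit the attribute: sandbox="" is the fully locked-down form,
  // and omitting it (for convenience) is exactly the failure the text
  // describes.
  const value = tokens.join(" ");
  const html = '<iframe src="' + escapeAttr(frameUrl) + '" sandbox="' +
               escapeAttr(value) + '"></iframe>';
  return { ok: true, sandbox: value, html: html };
}

// Constructed scenario: an ad creative served from a separate ad origin
// that only needs to run its own script.
const AD_PLAN = planAdFrame(
  "https://publisher.example/article",   // assumed publisher page
  "https://ads.example/creative/123",    // assumed ad server
  { scripts: true }
);
```

Because the creative is cross-origin and gets no `allow-same-origin`, it runs in an opaque origin: its scripts cannot read the publisher's cookies or DOM, and it cannot navigate the top-level page or open popups unless those tokens are deliberately added.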