Important security problems about HTML 5

Recommended for you: Get network issues from WhatsUp Gold. Not end users.

Important security problems about HTML 5


HTML 5There are two major characteristics: first, to strengthen the performance of the Web Webpage. Secondly, the additional local database function of Web applications.

Application security experts say, HTML5Brings new security challenges to developers. A lot of speculation slobber battle between Apple Corp and Adobe company to bring HTML 5 fate, despite the implementation of HTML 5 is still a long way to go, but one thing is certain, the use of HTML 5 development staff will need security challenges for application security development lifecycle deployment of new safety features to deal with HTML5 the.

The HTML5 will then need to cover the face of the attack to bring what kind of impact? This paper will discuss about HTML important safety 5.

Client storage

Early versions of the HTML only allows the site will be cookies as the local information store, while the space is relatively small, is only applicable to simple storage file information or as data stored in other locations (e.g. session ID) identifier, Dan director Cornell Denim application security research department said. However, HTML5 LocalStorage allows local browser storage large database, allows the use of new types of applications.

"The risk is that, sensitive data may be stored in the local user workstations, and physical access or destroy the workstation attackers, can easily access to sensitive data, "Cornell said," the use of shared computer user more dangerous. "

"By definition, it really is just to the client system to store information, "Rapid7's security researcher Josh Abraham says," then you will have the potential capability of the client SQL injection attack based on, or may be a client of your database is malicious, when the synchronization with the production system, it may be the synchronization problem, potentially malicious data or the client will be inserted into the production system. "

In order to solve this problem, developers need to be able to verify that the data as malicious, it is a very complex problem.

For the importance of the problem and not everyone agrees. Veracode chief technology officer Chris Wysopal said, such as web applications through the use of plug-ins or browser extended stored data the client has been a lot of methods.

"There are many methods known to be HTML5 SessionStorage attribute control currently deployed, but the standard is finalized, the problem will be resolved, "said Wysopal.

Cross domain communication

While the other version of the HTML JavaScript XML HTTP may allow a request to call back to the original server, and HTML5 to relax this restriction, XML HTTP requests can be sent to any allow the requested server. Of course, if the server is not trusted, it also brings serious security problems.

"For example, I can build a mashup (web application mixes, more than two kinds of use of public or private database merged to form an integrated application) by JSON (Javascript Object Notation) of the third party website match score to pull over, "Cornell said," this site may send malicious data to the application I the user browser running on. Although the application of HTML5 allowed new types of establishment, but if developers start using these functions, safety is not understand the application they are established, it will bring great security risks to the user. "

For the dependence on PostMessage () to write the application developer, should be carefully checked to ensure that the information is derived from their own web site, or malicious code from other sites may create malicious information, Wysopal added. This function is not safe, developers have started to use a different DOM (document object model) / browser function to follow the cross domain communication.

A related issue is, provides a like like the World Wide Web Consortium currently CORS design; homologous policy bypass and cross domain mechanism.

"IE deployment of the security function and Firefox, Chrome and Safari are not the same, "he pointed out," developers need to ensure they create harm too loose access control list, especially for some reference code is currently not very safe.

Iframe security

From a security point of view, HTML5 also has a good function, Sandbox attributes such as plans to support iframe.

"This property will allow developers to select how the data interpretation method, "Wysopal said," unfortunately, like most of the HTML, this design is likely to be developers misunderstanding, probably because it is not convenient to use by developers to disable. If handled properly, it will help to resist malicious third party advertising or prevent untrusted content playback. "

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download

Posted by Cheryl at December 15, 2013 - 2:39 PM