idexcel 
HTML 5 
Handling Security Issues 
White Paper
Introduction
New technologies emerge in the market every day, and with each advancement come new security threats. It is common for any new technology to have pitfalls and defects, and although the standards are defined, there is always a good chance of security lapses and loose threads here and there. One such key technology is HTML5, the most recent version of HTML, developed jointly by the WHATWG and the W3C (World Wide Web Consortium), the main standards body for the Web. In this paper we try to understand and explore the security issues related to this technology.
HTML5: A Peek
HTML4 was the most successful and widely used markup format, and HTML5 has been built on its success with a larger feature set, especially the rich media extensions. HTML5 is quite relevant in today's web development industry. It is a collection of individual features, and using it does not require throwing away existing markup or relearning things. Web applications that worked in HTML4 will work in HTML5, because HTML5 supports all the form controls from HTML4.
However, there are some important additions in HTML5, such as new input types (sliders, date pickers and so on). It integrates tightly with JavaScript, so that the default functionality of HTML elements can be extended, and it integrates closely with the browsing device, offering features such as graphics rendering and location awareness. The application cache feature can be used to download the application to the browser so that it keeps working in offline mode (application cache has since been deprecated in favour of service workers, which provide the same capability with a clearer scope).
What Does HTML5 Do
Data can be stored on a user's computer or mobile device, so web apps work without an Internet connection.
Web pages can have flashier type with more fonts, shadows, colours and other effects.
Objects move on web pages and react to the movements of a cursor.
Audio is played without a plug-in, although browser makers have not agreed on formats.
Interactive games can run with just a web browser, without installing other software or plug-ins. A technology called WebGL can create interactive 3D effects using the computer's graphics processor.
Video can be embedded in a web page without a plug-in, although browser makers have not agreed on formats.
HTML5 is supported by all the major browsers, and cross-browser compatibility is much less of a concern than it used to be, as large polyfill libraries provide support for older browsers. By using localStorage and IndexedDB, developers can store data locally in the browser, and this data persists across sessions. Complicated animations can be created using CSS keyframes. The large set of APIs improves performance, enhances the application experience and reduces battery drain on mobile devices. The audio and video elements play multimedia content natively, without a plug-in. Older browsers can degrade gracefully, or can have polyfills loaded to implement the new features without causing any disruption in the application.
[Chart: browser support for HTML5 elements (drag & drop, video element, audio element, canvas, form validation, HTML5 forms, semantic elements, offline web apps) by browser version. Per-feature support percentages in the original range from 12.5% to 100%; the mapping of figures to features is not recoverable from the extracted text.]
Changing Landscape
HTML5 is a markup language, not a programming language, and hence it is mainly used for structure and content. Web developers have relied on Java applets, Flash, Shockwave and Silverlight for several years, so at the time of writing adoption of HTML5 is not yet high. However, with giants such as Netflix, Facebook, Amazon and YouTube making the shift, the industry is gradually moving towards HTML5. It opens an entirely new range of possibilities for the Web, such as email clients that work offline and 3D environments.
Although HTML is meant to be a standard, hardware and application vendors have their own constraints in terms of version specification or their current platforms. Additionally, the same specification is interpreted differently by different implementers, and hence the same functionality is implemented slightly differently in different browsers and applications. Several vendors were already shipping HTML5 features while the finalized recommendation was still pending (the W3C published HTML5 as a Recommendation in October 2014, and the specification has since continued as the WHATWG HTML Living Standard).
Attack Vectors
No doubt the enhancements in HTML5 are great; however, these advancements have also opened more exploitation vectors for attackers. HTML5 offers capabilities such as location awareness, access to the microphone and webcam, and graphics rendering, and hence gives a web page much wider access to the resources of the computer than its predecessor did. It has been built to integrate with the latest browsing devices, and the application cache feature can be used to download the application to the browser.
Scenarios for exploitation have not drastically changed with HTML5. Attackers still rely on XSS (Cross-Site Scripting), or lure users to a website that executes a malicious payload. HTML5 websites still use JavaScript as the main scripting language, and hence the abuses and vulnerabilities inherent to the language still apply. In addition, HTML5 introduces new XSS vectors through new tags and attributes: a payload such as <input autofocus onfocus=...> fires without any user interaction, and filters written for the HTML4 vocabulary (looking for <script> or onload) do not recognise it. The sandbox attribute of <iframe> cuts the other way: a page that relies on frame-busting JavaScript to defeat clickjacking can be framed as <iframe sandbox>, which disables scripts in the framed document (or, with allow-scripts but without allow-top-navigation, forbids them from navigating the top window), so the frame-busting code never takes effect. Clickjacking protection therefore belongs in response headers (X-Frame-Options, or Content-Security-Policy frame-ancestors) rather than in script.
Client-side storage in HTML5 covers Web Storage (localStorage and sessionStorage), IndexedDB and the now-deprecated WebSQL. sessionStorage lives in the browser process memory for the lifetime of the tab, and localStorage persists on disk. Browsers impose a per-origin quota (typically a few megabytes), but an application that writes without bound, or that lets attacker-influenced data accumulate, can exhaust that quota, after which every write fails with QuotaExceededError: a resource-exhaustion denial of service against the origin's own storage.
Due to their novelty, Web Sockets get a lot of attention, as they provide an alternative to HTTP polling for communication between a web page and a remote server. Web Socket vulnerabilities mostly centre on the server implementation: the server must treat every message as untrusted input (an injection flaw lets an attacker execute code or intercept and log messages), must bound message size and connection count to avoid denial of service, and must check the Origin header of the handshake, because a browser will open a Web Socket to any host from any page, and a server that does not check Origin can be driven by a hostile site using the victim's cookies (cross-site WebSocket hijacking).
The Geolocation API provides a means to determine the location of the user via JavaScript. It returns values such as longitude, latitude and accuracy, and can be used for points-of-interest applications and navigation assistance, but it also gives rise to privacy issues when an application stores a trail of locations over a period of time.
Web Workers free the user interface by letting the browser run scripts in the background, so long-running JavaScript does not freeze the page. However, a worker keeps running, and keeps consuming CPU and memory, without any indication to the user; a poorly written or malicious worker will degrade the user experience or exhaust the device's resources.
With the advancement of HTML5, SVG (Scalable Vector Graphics) is gaining popularity as well. SVG can be used in addition to, or instead of, the <canvas> element; it describes two-dimensional vector graphics in XML, and an SVG document can contain script and event handlers. Loaded through <img>, an SVG cannot run script, but loaded through <object>, <iframe> or <embed> it runs script in the origin it is served from. If an application accepts SVG uploads and serves them from the same origin as its pages, an uploaded SVG becomes a stored XSS payload; uploads must be sanitized, served from a separate origin, or only ever rendered through <img>.
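The clickjacking point above, as an added example that is not code from the white paper or from Idexcel: a Node.js script showing why the HTML4-era frame-busting script is neutralised by the attacker's sandbox attribute, and the header-based policy that a browser enforces regardless of scripting. The origins (bank.example, partner.example, evil.example) are assumed for illustration.

```javascript
// Added example (not from the white paper): why script-based frame busting fails against
// <iframe sandbox>, and how to state the framing policy in headers the browser enforces instead.
// The origins used below are assumed for illustration.

// The HTML4-era defence, shipped inside the page that wants to avoid being framed.
const FRAME_BUSTER = 'if (top !== self) { top.location = self.location; }';

// Tokens of the attacker's sandbox attribute (undefined when the attribute is absent).
// Without allow-scripts the frame buster never runs; with allow-scripts but without
// allow-top-navigation it runs but is forbidden from navigating the top window.
function frameBusterNeutralised(sandboxAttr) {
  if (sandboxAttr === undefined) return false;
  const tokens = sandboxAttr.trim().split(/\s+/).filter(Boolean);
  const scriptsRun = tokens.includes('allow-scripts');
  const mayNavigateTop = tokens.includes('allow-top-navigation');
  return !scriptsRun || !mayNavigateTop;
}

// Server side: the headers that express who may frame this response.
// allowed is a list of ancestor origins, or the single keyword 'self' or 'none'.
function frameAncestorsHeaders(allowed) {
  const sources = allowed.map(a => (a === 'self' || a === 'none') ? `'${a}'` : a);
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}` };
  // X-Frame-Options covers browsers without CSP2; it can only say DENY or SAMEORIGIN
  // (ALLOW-FROM is obsolete), so a partner allowlist is expressible only in CSP.
  if (allowed.length === 1 && allowed[0] === 'none') headers['X-Frame-Options'] = 'DENY';
  else if (allowed.length === 1 && allowed[0] === 'self') headers['X-Frame-Options'] = 'SAMEORIGIN';
  return headers;
}

// The decision a CSP-aware browser makes: every ancestor in the frame chain must match a source;
// 'self' means the framed document's own origin. Sandboxing the frame does not change this.
function framingPermitted(allowed, selfOrigin, ancestorOrigins) {
  if (allowed.includes('none')) return false;
  return ancestorOrigins.every(anc =>
    allowed.some(src => (src === 'self' ? anc === selfOrigin : anc === src)));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('frame buster:', FRAME_BUSTER);
  console.log('sandbox="allow-forms" neutralises it:', frameBusterNeutralised('allow-forms'));
  console.log(frameAncestorsHeaders(['self', 'https://partner.example']));
  console.log('evil.example may frame bank.example:',
    framingPermitted(['self', 'https://partner.example'], 'https://bank.example', ['https://evil.example']));
}
```

Two things worth noticing: a sandbox with allow-scripts alone still defeats the buster, because top navigation is a separate sandbox flag; and the X-Frame-Options header cannot express a partner allowlist at all, so a site that must be framed by one other origin has to rely on frame-ancestors and accept that older browsers get no protection.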
Vulnerabilities of browsers
The browser acts as a thin client and deals with data from cached files and cookies for improved performance. HTML5 is being implemented differently by different browsers, mainly because the standard owned by the W3C was not in finalized form, so browsers use varying security models, which can radically affect the attack model for the browser.
Attackers could use the browser to reach the computer and gain access to personal data. HTML5 offers more offline caching and local storage, and hence browsers hold much more sensitive information, which makes the browser a direct gateway to the stored data. This small change has significant security consequences: browser vendors are required to build a more stringent security model, something closer to that of an operating system. Security becomes more challenging because the security model is loosely defined, and each browser vendor makes its own independent design decisions.
Privacy Issues
Privacy concerns have resulted in more stringent regulation of cookies, which are used to track usage across several sites, recording the preferences, purchases and clicks made by users. Browser vendors are giving more priority and focus to privacy features as consumers become more aware of data mining and web tracking, and demand more secure models.
The new local storage mechanisms in HTML5 offer more ways to store users' information, and this can compromise personal privacy. The access model is more liberal and local storage is more flexible than cookies: there is no expiry attribute, no HttpOnly equivalent, and everything stored is readable by any script running in the origin, so the rules for restricting or purging the data are far less clear than for cookies. As many people use mobile devices for browsing, media tools for the mobile devices add to the privacy challenges.
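Both the storage denial-of-service point under Attack Vectors and the purging problem just described come down to the same discipline: bound what goes into Web Storage, give it an expiry, and keep credentials out of it. The following is an added example, not code from the white paper or from Idexcel; it runs under Node.js, where there is no window.localStorage, so FakeStorage is a constructed stand-in that mimics the per-origin quota and the QuotaExceededError a real browser throws. The key prefix, size cap and sensitive-key pattern are assumptions.

```javascript
// Added example (not from the white paper): a bounded wrapper around Web Storage that refuses
// credential-like keys, caps entry size, expires entries and recovers from a full quota.
// FakeStorage is a constructed stand-in for window.localStorage so the code runs in Node.js.

class FakeStorage {
  constructor(quotaChars) { this.quota = quotaChars; this.map = new Map(); }
  used() { let n = 0; for (const [k, v] of this.map) n += k.length + v.length; return n; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
  key(i) { return [...this.map.keys()][i] ?? null; }
  get length() { return this.map.size; }
  setItem(k, v) {
    v = String(v);
    const prev = this.map.has(k) ? this.map.get(k).length : 0;
    if (this.used() - prev + k.length + v.length > this.quota) {
      const e = new Error('quota exceeded');
      e.name = 'QuotaExceededError';            // the name browsers use for a full origin quota
      throw e;
    }
    this.map.set(k, v);
  }
}

// Assumed pattern for keys that must never live in script-readable storage.
const SENSITIVE_KEY = /token|password|secret|session/i;

class BoundedStore {
  // Sizes are in UTF-16 code units, which is what browser quotas count.
  constructor(storage, { prefix = 'app:', maxValueChars = 4096, ttlMs = 24 * 3600 * 1000, now = Date.now } = {}) {
    Object.assign(this, { storage, prefix, maxValueChars, ttlMs, now });
  }
  set(key, value) {
    if (SENSITIVE_KEY.test(key)) throw new Error(`refusing to store ${key}: credentials belong in an HttpOnly cookie`);
    const record = JSON.stringify({ v: value, exp: this.now() + this.ttlMs });
    if (record.length > this.maxValueChars) throw new Error(`value for ${key} exceeds ${this.maxValueChars} chars`);
    try {
      this.storage.setItem(this.prefix + key, record);
    } catch (e) {
      if (e.name !== 'QuotaExceededError') throw e;
      this.purgeExpired();                               // reclaim space, then retry once;
      this.storage.setItem(this.prefix + key, record);   // if still full the error reaches the caller
    }
  }
  get(key) {
    const raw = this.storage.getItem(this.prefix + key);
    if (raw === null) return null;
    const { v, exp } = JSON.parse(raw);
    if (exp <= this.now()) { this.storage.removeItem(this.prefix + key); return null; }
    return v;
  }
  keys() {
    const out = [];
    for (let i = 0; i < this.storage.length; i++) {
      const k = this.storage.key(i);
      if (k.startsWith(this.prefix)) out.push(k);
    }
    return out;
  }
  purgeExpired() {
    const doomed = this.keys().filter(k => {
      try { return JSON.parse(this.storage.getItem(k)).exp <= this.now(); }
      catch { return true; }                             // unparsable records are garbage too
    });
    doomed.forEach(k => this.storage.removeItem(k));
    return doomed.length;
  }
  clearAll() { this.keys().forEach(k => this.storage.removeItem(k)); }   // call on logout
}
```

The retry-after-purge in set() is what keeps a full quota from becoming a permanent failure, and clearAll() on logout is the purge step that cookies get for free through expiry and that Web Storage does not.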
Legacy Issues
HTML5 defines new, helpful APIs (Application Programming Interfaces) to access cameras, microphones and location services, but the security models of these services are less mature and less tested than the older parts of the platform, and have had their share of loopholes. Insecure use of these APIs can leave websites open to manipulation and attack in several ways.
As a result, HTML5 carries a greater risk of data loss and invasion of privacy, mainly because of how integrated and flexible the technology is. Tags such as video, canvas and audio open new attack possibilities, as media-related functions can be very complicated. However, moving these capabilities into the core language and browser, as HTML5 does, is an improvement over plug-ins, which have been a constant target of attackers.
HTML4 and JavaScript had some inherent security issues, and they continue to exist in HTML5. Attackers are also exploring innovative ways to steal user information or spread malware. Browser vendors have tackled many loopholes and patched security gaps to minimise the probability of attack. However, as attackers investigate more features of HTML5, they will find new ways to trick users, steal clicks and spread malware. Hence software developers need to keep their filters and validation routines up to date, and in particular to escape output for the context it is rendered in rather than rely on blacklists of known-bad tags. This can be complemented by web application firewalls or browser add-ons that block common attacks, but these are a second line of defence, not a substitute for correct code.
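The contrast between an out-of-date filter and contextual escaping, as an added example that is not code from the white paper or from Idexcel: a Node.js script in which a blacklist filter written for the HTML4 vocabulary passes the autofocus vector mentioned under Attack Vectors, while output escaping makes the same payload inert. The template, the payload and the review check are constructed for illustration; in a browser the equivalent sink would be assigning untrusted data to innerHTML instead of textContent.

```javascript
// Added example (not from the white paper): an HTML4-era blacklist filter versus contextual
// escaping, checked against the HTML5 autofocus vector. Template and payloads are constructed.

// The kind of filter the paper says is out of date: strips <script> and a few known event handlers.
function legacyBlacklistFilter(input) {
  return String(input)
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s(onload|onerror|onclick|onmouseover)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Contextual escaping for HTML text and quoted attribute values: the five characters that can
// end a text node or an attribute are encoded, so no new tag or attribute can appear, whatever
// attributes a future HTML revision adds.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, c => map[c]);
}

// A server-side template that puts untrusted data into an attribute value and into text.
function renderProfile(name, encode) {
  return `<input name="display" value="${encode(name)}"><p>Hello, ${encode(name)}</p>`;
}

// HTML5 vector: a new <input> focuses itself as soon as it is parsed, so onfocus fires with no
// user action and no onload/onerror/<script> for a blacklist to match.
const AUTOFOCUS_PAYLOAD = '"><input autofocus onfocus="alert(document.domain)">';

// Review check over rendered HTML: walks each tag and inspects attribute *names*, so the string
// "onfocus=" inside a properly quoted value does not count, but a real on* attribute, a <script>
// tag or a javascript: URL does.
function containsActiveContent(html) {
  const tagRe = /<([a-z][a-z0-9-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/gi;
  const attrRe = /\s+([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    if (tag.toLowerCase() === 'script') return true;
    for (const [, name, rawValue = ''] of attrs.matchAll(attrRe)) {
      const lname = name.toLowerCase();
      const value = rawValue.replace(/^["']|["']$/g, '').trim().toLowerCase();
      if (lname.startsWith('on')) return true;
      if (['href', 'src', 'action', 'formaction'].includes(lname) && value.startsWith('javascript:')) return true;
    }
  }
  return false;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('blacklist:', renderProfile(AUTOFOCUS_PAYLOAD, legacyBlacklistFilter));
  console.log('escaped:  ', renderProfile(AUTOFOCUS_PAYLOAD, escapeHtml));
}
```

The filter is not wrong about what it removes; it is wrong in kind. Every new attribute HTML5 adds is one more thing the blacklist does not know, whereas the escaping function only has to know the five characters that matter in its context.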
Permissions
Most browsers use sandboxing to isolate themselves from the operating system and prevent the spread of malware. However, the advanced browser capabilities of HTML5 open up an entire new realm of data theft, of a kind previously associated mainly with operating systems. Because the browser can now reach local data, location and media devices, a sandbox escape, or a visit to an infected website carrying attack code, can be far more damaging. Although more capabilities have been added to the browser, the permission model is still unclear (which grants are remembered, for how long, and per origin or per page), and hence developers need to plan a multi-dimensional security model of their own: request a capability only when the feature needs it and only in response to a user action, ask for the least precision that will do, and retain what it yields for as short a time as possible.
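The request-on-gesture, least-precision, short-retention pattern above, applied to the Geolocation API discussed under Attack Vectors, as an added example that is not code from the white paper or from Idexcel. It runs under Node.js, so FakeGeolocation is a constructed stand-in for navigator.geolocation that calls back synchronously with a fixed fix; the coarsening precision and trail limits are assumptions.

```javascript
// Added example (not from the white paper): request location only on a user gesture, at low
// precision, and keep a bounded trail. FakeGeolocation stands in for navigator.geolocation.

// Two decimals is about 1.1 km, enough for "stores near me" and useless for tracking a person.
function coarsen(lat, lon, decimals = 2) {
  const f = 10 ** decimals;
  return { lat: Math.round(lat * f) / f, lon: Math.round(lon * f) / f };
}

// The trail the paper warns about, with both a count cap and an age cap.
class LocationTrail {
  constructor({ maxPoints = 20, maxAgeMs = 60 * 60 * 1000, now = Date.now } = {}) {
    Object.assign(this, { maxPoints, maxAgeMs, now, points: [] });
  }
  add(point) { this.points.push({ ...point, t: this.now() }); this.prune(); }
  prune() {
    const cutoff = this.now() - this.maxAgeMs;
    this.points = this.points.filter(p => p.t > cutoff).slice(-this.maxPoints);
    return this.points.length;
  }
  latest() { return this.points.length ? this.points[this.points.length - 1] : null; }
}

// Ask only from a user action (never on page load), with the low-accuracy option and a cached
// fix accepted for ten minutes, and hand the application a coarsened point plus its radius.
function requestCoarseLocation(geolocation, { userActivated, trail, decimals = 2, onResult, onError }) {
  if (!userActivated) { onError(new Error('location may only be requested from a user action')); return false; }
  if (!geolocation) { onError(new Error('geolocation unavailable')); return false; }
  geolocation.getCurrentPosition(pos => {
    const { latitude, longitude } = pos.coords;
    const point = coarsen(latitude, longitude, decimals);
    trail.add(point);
    const radiusM = Math.round(111000 / 10 ** decimals);   // size of one grid cell at this precision
    onResult({ ...point, radiusM });
  }, onError, { enableHighAccuracy: false, maximumAge: 10 * 60 * 1000, timeout: 10 * 1000 });
  return true;
}

// Constructed stand-in for navigator.geolocation: calls back synchronously with a fixed fix.
class FakeGeolocation {
  constructor(coords) { this.coords = coords; }
  getCurrentPosition(ok, _err, _opts) { ok({ coords: this.coords, timestamp: Date.now() }); }
}

if (typeof require !== 'undefined' && require.main === module) {
  const trail = new LocationTrail();
  const geo = new FakeGeolocation({ latitude: 51.50735, longitude: -0.12776, accuracy: 20 });
  requestCoarseLocation(geo, { userActivated: true, trail, onResult: console.log, onError: console.error });
}
```

In a real page the only thing that changes is that navigator.geolocation replaces the fake and the call sits in a click handler; the coarsening and the trail limits are the part the platform does not do for you.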
To summarize, some of the most common threats and attacks are as follows:
HTML5 tag abuse and XSS: the new tags in HTML5 allow dynamic loading of video and audio, and these tags and their attributes can be abused for XSS and CSRF.
Stealing of information from storage and global variables: anything in localStorage, sessionStorage or a global JavaScript variable is readable by any script that runs in the origin, including injected script.
CSRF and abusing CORS to relax the Same-Origin Policy (SOP): the SOP stops a page from reading responses from another origin. CORS (Cross-Origin Resource Sharing) lets a server relax that restriction for chosen origins; a server that reflects any Origin while allowing credentials lets an attacker's page make requests to the target domain with the victim's session and read the responses, without the victim's knowledge.
Phishing and clickjacking by mixing layers and iframes: clickjacking is a common attack, mainly on social networking sites that allow themselves to be loaded into an iframe, which gives attackers the opportunity to overlay the framed page on decoy content and hijack clicks.
HTML5/DOM-based XSS and redirects: incidents of DOM-based XSS are increasing as large applications are built around a single DOM and Ajax/XHR. Many HTML5 attributes and tags are driven by DOM calls, and if these calls are implemented poorly (for example, writing untrusted data to innerHTML or to location), they add entry points for attackers.
Using WebSockets for stealth attacks: this feature allows a page to open sockets to specific ports on specific hosts. Although the list of usable ports is restricted, attackers can craft a vector to communicate with web and non-web ports even under those restrictions.
Abusing thick-client features: HTML5 allows thick-client-like features in the browser UI, and attackers can leverage these features to craft attack vectors.
Abusing Web Worker functionality: Web Workers and messaging allow threading in JavaScript. By helping with payload delivery, Web Workers can assist in exploiting applications.
Attacking WebSQL and client-side SQL injection: HTML5 offered enhanced performance through offline databases in the form of WebSQL, and this mechanism opens up client-side SQL injection wherever queries are built by string concatenation instead of parameter placeholders. Vulnerable applications allow attackers to steal the stored information and transfer it across domains. (WebSQL was never standardized and has since been deprecated and removed by browser vendors; IndexedDB is the replacement.)
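The CORS item above and the WebSocket item, together with the server-side WebSocket guidance under Attack Vectors, turn on the same control: an explicit allowlist of origins, applied to the CORS response and to the WebSocket handshake. The following is an added example, not code from the white paper or from Idexcel; it runs under Node.js without opening any network connection. The origin allowlist, the request headers and the message schema are assumptions; the Sec-WebSocket-Key value is the sample from RFC 6455.

```javascript
// Added example (not from the white paper): one origin allowlist shared by the CORS response
// logic and the WebSocket handshake check, plus validation of WebSocket messages as untrusted input.

const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);   // assumed

function originAllowed(origin) {
  // 'null' is what sandboxed iframes, file:// pages and some redirects send; never trust it.
  return typeof origin === 'string' && origin !== 'null' && ALLOWED_ORIGINS.has(origin);
}

// Vulnerable pattern (for contrast): reflect whatever Origin arrives and allow credentials.
// Any site can now call the API with the victim's cookies and read the response.
function corsHeadersReflecting(origin) {
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Hardened: only allowlisted origins get credentialed access, and Vary: Origin keeps a shared
// cache from serving one origin's permission to another.
function corsHeaders(origin) {
  if (!originAllowed(origin)) return {};        // no CORS headers: the browser keeps the response unreadable
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// WebSocket handshake: browsers always send Origin, but the server has to check it; otherwise a
// hostile page can open a socket that carries the victim's cookies (cross-site WebSocket hijacking).
function webSocketHandshakeDecision(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if ((h['upgrade'] || '').toLowerCase() !== 'websocket' || !h['sec-websocket-key']) {
    return { accept: false, status: 400, reason: 'not a WebSocket upgrade' };
  }
  if (!originAllowed(h['origin'])) return { accept: false, status: 403, reason: 'origin not allowed' };
  return { accept: true, status: 101 };
}

// Every frame after the handshake is untrusted input: bound its size and validate its shape
// before any of it reaches a database, a shell or another client.
const ACTIONS = new Set(['subscribe', 'unsubscribe', 'ping']);   // assumed protocol
function parseClientMessage(raw, maxLength = 4096) {
  if (typeof raw !== 'string' || raw.length > maxLength) return { ok: false, error: 'oversized or non-text frame' };
  let msg;
  try { msg = JSON.parse(raw); } catch { return { ok: false, error: 'malformed JSON' }; }
  if (!msg || typeof msg !== 'object' || !ACTIONS.has(msg.action)) return { ok: false, error: 'unknown action' };
  if (msg.action !== 'ping' && !/^[a-z0-9_-]{1,64}$/.test(msg.channel || '')) return { ok: false, error: 'bad channel name' };
  return { ok: true, message: { action: msg.action, channel: msg.channel } };   // rebuilt, not passed through
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('reflecting:', corsHeadersReflecting('https://evil.example'));
  console.log('allowlisted:', corsHeaders('https://evil.example'), corsHeaders('https://app.example'));
  console.log(webSocketHandshakeDecision({ Upgrade: 'websocket', 'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ==', Origin: 'https://evil.example' }));
  console.log(parseClientMessage('{"action":"subscribe","channel":"orders"}'));
}
```

Note that the hardened CORS function does not fall back to a wildcard: a wildcard with credentials is rejected by browsers anyway, and without credentials it would still expose any data the endpoint returns to unauthenticated callers. The message parser rebuilds the object from validated fields rather than forwarding the parsed input, so extra properties an attacker adds never reach the rest of the server.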
Most vulnerabilities are caused by insecure coding and improper configuration. The new features of HTML5 become attack vectors mainly through mistakes made by developers and administrators. Attackers are constantly exploring new ways to attack devices, especially now that web technology is deployed across a wider range of devices. HTML5 has introduced very powerful and interesting concepts, but as of now it is far from perfect. There is still a tug of war between usability, security, flexibility and privacy, and the enhanced features are exposing new attack surfaces and security issues.
The security of any application depends on the care taken by the developer, and this includes writing secure code, validating input and escaping output, and borrowing from cheat sheets such as the ones produced by OWASP (Open Web Application Security Project). An important step in preventing the misuse of data is to implement proper checks in the code. Security technology needs to catch up with the latest developments, vendors need to put more emphasis on privacy controls, and the guidelines set by regulatory authorities need to be revised and made more stringent. As long as the infrastructure and security procedures are kept current with the latest developments, security incidents can be minimized. The HTML5 Security Cheatsheet (html5sec.org) lists attack vectors by tag and attribute along with the browsers affected by each.
Conclusion: Moving Forward
HTML5, XHR and the DOM, driven by JavaScript, are increasingly used to create next-generation applications. HTML5 has become the backbone of e-learning, social media and web commerce. It is vendor-neutral and native to the browser, and hence has far wider acceptance.
However, new features and refinements to the web also raise new security concerns. The associated new attack vectors need to be diligently identified, and security models revised accordingly, by security professionals. New browsers, and new versions of existing browsers, are introduced quite frequently, and hence it is still a long way before HTML5 is implemented uniformly as a worldwide standard. We need consistency across browsers and stringent standards set by the universally accepted committees. We must plan well and stay ahead of attackers. It is essential to understand the attack vectors detailed in this paper, and to proactively design defence strategies before attackers can leverage these enhanced features of HTML5 to their advantage.
About the Author 
Ponbharathi Bakthaduruvan works as a Technical Lead with Idexcel. He has over eight years' experience in developing enterprise and rich internet applications using HTML5, CSS/CSS3, Adobe Flex and Java/J2EE technologies. He has expertise in software design, architecture, development, implementation and maintenance of enterprise applications and has delivered many successful projects. He has a deep knowledge of UI development using HTML5, CSS3, JavaScript and jQuery, and of developing enterprise-level applications using Java, J2EE, Hibernate, Spring, JSP, Servlet, Adobe Flex and ActionScript.
About Idexcel 
Idexcel is an innovative provider of IT products and services focused on emerging technologies. We help world-leading companies build efficiencies and stronger businesses. With more than 15 years in existence, Idexcel's main focus is client satisfaction and technology innovation. Our industry expertise and a global, collaborative workforce form the backbone of our services. We offer a high degree of skill in Enterprise Applications, Cloud Services, Data Warehousing, Big Data, Analytics, QA & Testing Services, IT Consulting and Staffing. Idexcel's product line includes NDS, ERP and Cync, a credit monitoring application for manufacturing and financial management.
For more information log on to www.idexcel.com.
Global Headquarters
459 Herndon Parkway Suite 11 
Herndon, VA 20170 
Tel: 703-230-2600 
Fax: 703-467-0218 
Email: inquiry@idexcel.com 
India Operations 
“Crystal Plaza” 9, 10 ,11 
Bhuvanappa Layout, Hosur Road 
Bengaluru – 560 029 
Karnataka 
Tel: +91-80-2550 8830 
Email: inquiry@idexcel.com 
© Copyright, Idexcel. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, 
electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Idexcel. The information contained herein is subject to 
change without notice. All other trademarks mentioned herein are the property of their respective owners.

More Related Content

PPT
Daniel Egan Msdn Tech Days Oc
Daniel Egan
 
PPTX
CODE IGNITER
Yesha kapadia
 
PDF
Secure web conferencing with Adobe
Videoguy
 
PDF
Customer FX Technical Reference Sheet
GoodCustomers
 
PPT
Developing RIAs... 10 reasons to use Adobe Flex
Matthias Zeller
 
PDF
Fundamental of-web design-trends-20142
Ly Nguyen Bui
 
PPT
Web 2.0 Tech Talk
pooyad
 
PPTX
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Christian Heindel
 
Daniel Egan Msdn Tech Days Oc
Daniel Egan
 
CODE IGNITER
Yesha kapadia
 
Secure web conferencing with Adobe
Videoguy
 
Customer FX Technical Reference Sheet
GoodCustomers
 
Developing RIAs... 10 reasons to use Adobe Flex
Matthias Zeller
 
Fundamental of-web design-trends-20142
Ly Nguyen Bui
 
Web 2.0 Tech Talk
pooyad
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Christian Heindel
 

What's hot (13)

PDF
Step by-step -visual_basic_2008_express_edition_by__microsoft_corporation
Muhammad Martayuda
 
PPTX
Fabian Williams SharePoint Saturday New York BCS Deck
Fabian Williams
 
PDF
Sybase sup hybrid_web_container_article_wp
Prabhakar Manthena
 
PDF
IRJET- HTML5 in Web Development: A New Approach
IRJET Journal
 
DOC
Validating A Product Key In A Vs
Raj Chanchal
 
PPT
Bitrix Intranet Portal
FTS Capital Group Sp. z o.o.
 
PDF
Developer’s guide to microsoft enterprise library preview
Steve Xu
 
PDF
Vs 2008
ankurbatla
 
PDF
.net 3.5 and vs 2008
maddinapudi
 
PPTX
E2.0 User Forum
95wolf
 
PPT
Doors 9 Doors Web Access
Bill Duncan
 
DOC
What is future of web with reference to html5 will it devalue current present...
Shahzad
 
PPT
Flex vs HTML5
Ray Wong
 
Step by-step -visual_basic_2008_express_edition_by__microsoft_corporation
Muhammad Martayuda
 
Fabian Williams SharePoint Saturday New York BCS Deck
Fabian Williams
 
Sybase sup hybrid_web_container_article_wp
Prabhakar Manthena
 
IRJET- HTML5 in Web Development: A New Approach
IRJET Journal
 
Validating A Product Key In A Vs
Raj Chanchal
 
Bitrix Intranet Portal
FTS Capital Group Sp. z o.o.
 
Developer’s guide to microsoft enterprise library preview
Steve Xu
 
Vs 2008
ankurbatla
 
.net 3.5 and vs 2008
maddinapudi
 
E2.0 User Forum
95wolf
 
Doors 9 Doors Web Access
Bill Duncan
 
What is future of web with reference to html5 will it devalue current present...
Shahzad
 
Flex vs HTML5
Ray Wong
 
Ad

Viewers also liked (20)

PPT
presentación Historica
ricardozm
 
PDF
Designing society through thinking | University of Helsinki
University of Helsinki
 
PPT
Magapor viii etv_sim
Magapor S.L.
 
PPTX
All things LinkedIn advertising by Robert Brady
IWMM
 
PPTX
Educación en un mundo conectado ppt
Olimpia Castillo
 
PPTX
Manual de imagen funtec
Juan Carlos Otero
 
PDF
Pencil Shavings: 2Q12 GPC, Beirut
Leo Burnett
 
PDF
The Secret Sauce for Innovation (shortform)
Laszlo Szalvay
 
PDF
Spanyol 120x145
BudapestTourism
 
DOC
Oraciones 3ª declinación (5 11-14)
maisaguevara
 
PPTX
Glosario de puentes
KattyPumisacho
 
PDF
Resume 2014
lobaudrysoutenance
 
PPTX
Conociendo a tu hijo en la edad Preescolar (enhanced by VisualBee)
almitahp
 
PDF
World Student magazine - Issue 4
Samantha Wilkins
 
PDF
Finanzierungsmöglichkeiten von IT-Unternehmen durch die Hausbank
förderbar GmbH Die Fördermittelmanufaktur
 
PDF
Web pc minutes 18th november 2014
clerksmpc
 
PPTX
Copia reducida health4.0
Unesco Telemedicine
 
PPTX
Getting Good UX Into Mobile
Steven Hoober
 
PDF
San Juan: Programa 11 de septiembre 2016
UTTA OSPAT
 
PPTX
Le Shop Case Study 2015
Dimitris Tzanos
 
presentación Historica
ricardozm
 
Designing society through thinking | University of Helsinki
University of Helsinki
 
Magapor viii etv_sim
Magapor S.L.
 
All things LinkedIn advertising by Robert Brady
IWMM
 
Educación en un mundo conectado ppt
Olimpia Castillo
 
Manual de imagen funtec
Juan Carlos Otero
 
Pencil Shavings: 2Q12 GPC, Beirut
Leo Burnett
 
The Secret Sauce for Innovation (shortform)
Laszlo Szalvay
 
Spanyol 120x145
BudapestTourism
 
Oraciones 3ª declinación (5 11-14)
maisaguevara
 
Glosario de puentes
KattyPumisacho
 
Resume 2014
lobaudrysoutenance
 
Conociendo a tu hijo en la edad Preescolar (enhanced by VisualBee)
almitahp
 
World Student magazine - Issue 4
Samantha Wilkins
 
Finanzierungsmöglichkeiten von IT-Unternehmen durch die Hausbank
förderbar GmbH Die Fördermittelmanufaktur
 
Web pc minutes 18th november 2014
clerksmpc
 
Copia reducida health4.0
Unesco Telemedicine
 
Getting Good UX Into Mobile
Steven Hoober
 
San Juan: Programa 11 de septiembre 2016
UTTA OSPAT
 
Le Shop Case Study 2015
Dimitris Tzanos
 
Ad

Similar to HTML5 Handling Security Issues, Security Threats for HTML5, HTML5 Application Development Risks (20)

PDF
Qnx html5 hmi
길수 김
 
KEY
Introduction to HTML5/CSS3 In Drupal 7
Mediacurrent
 
PPTX
Mobile Apps Develpment - A Comparison
Lataant Software Technologies
 
PDF
Html5 workshop part 1
NAILBITER
 
PDF
Tech Stack - Angular
Srineel Mazumdar
 
PDF
Migrating to HTML5, Migrating Silverlight to HTML5, Migration Applications t...
Idexcel Technologies
 
PPTX
HTML 5 - A developers perspective
Santhosh Kumar Srinivasan
 
PDF
Html5 Architecture Early Release Wesley Hales
onyemaolaza
 
PPTX
Introduction to silverlight control 4
msarangam
 
PPTX
Introduction to silverlight
msarangam
 
PPTX
Top 10 major benefits of html 5
Parul Rani Sagar
 
PDF
HTML5 Development Benefits, Features and Cost For 2024.pdf
JPLoft Solutions
 
PPTX
CloudBerry
Susmitha M
 
PPTX
Html5
Zahin Omar Alwa
 
PDF
Mobility Solutions - Development of Hybrid Mobile Applications with HTML
Mindteck (India) Limited
 
PPT
European SharePoint Conference: Mobile Applications for SharePoint using HTML5
Christian Heindel
 
PPTX
Directions on microsoft_web_and_cloud_development
Takeshi Shinmura
 
PPT
Advanced Web Technology Microsoft Silverlight
anandk10
 
PDF
Everything That You Need To Know About HTML5
KaneJordy1
 
Qnx html5 hmi
길수 김
 
Introduction to HTML5/CSS3 In Drupal 7
Mediacurrent
 
Mobile Apps Develpment - A Comparison
Lataant Software Technologies
 
Html5 workshop part 1
NAILBITER
 
Tech Stack - Angular
Srineel Mazumdar
 
Migrating to HTML5, Migrating Silverlight to HTML5, Migration Applications t...
Idexcel Technologies
 
HTML 5 - A developers perspective
Santhosh Kumar Srinivasan
 
Html5 Architecture Early Release Wesley Hales
onyemaolaza
 
Introduction to silverlight control 4
msarangam
 
Introduction to silverlight
msarangam
 
Top 10 major benefits of html 5
Parul Rani Sagar
 
HTML5 Development Benefits, Features and Cost For 2024.pdf
JPLoft Solutions
 
CloudBerry
Susmitha M
 
Mobility Solutions - Development of Hybrid Mobile Applications with HTML
Mindteck (India) Limited
 
European SharePoint Conference: Mobile Applications for SharePoint using HTML5
Christian Heindel
 
Directions on microsoft_web_and_cloud_development
Takeshi Shinmura
 
Advanced Web Technology Microsoft Silverlight
anandk10
 
Everything That You Need To Know About HTML5
KaneJordy1
 

More from Idexcel Technologies (13)

PPTX
Cloud computing market overview-2017
Idexcel Technologies
 
PDF
Aws certifications – types of certification
Idexcel Technologies
 
PDF
DevOps on AWS
Idexcel Technologies
 
PDF
Benefits of video in marketing
Idexcel Technologies
 
PDF
Performance Testing in Agile Process
Idexcel Technologies
 
PDF
Html for Mobile App Development
Idexcel Technologies
 
PDF
AngularJS - A Powerful Framework For Web Applications
Idexcel Technologies
 
PDF
IT Staffing & Recruiting Case Studies| Goals, Challenges, Solutions
Idexcel Technologies
 
PDF
Application security testing an integrated approach
Idexcel Technologies
 
PDF
Test performance indicators
Idexcel Technologies
 
PDF
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
PDF
Adopting Agile Testing
Idexcel Technologies
 
PDF
Test Automation Framework Design | www.idexcel.com
Idexcel Technologies
 
Cloud computing market overview-2017
Idexcel Technologies
 
Aws certifications – types of certification
Idexcel Technologies
 
DevOps on AWS
Idexcel Technologies
 
Benefits of video in marketing
Idexcel Technologies
 
Performance Testing in Agile Process
Idexcel Technologies
 
Html for Mobile App Development
Idexcel Technologies
 
AngularJS - A Powerful Framework For Web Applications
Idexcel Technologies
 
IT Staffing & Recruiting Case Studies| Goals, Challenges, Solutions
Idexcel Technologies
 
Application security testing an integrated approach
Idexcel Technologies
 
Test performance indicators
Idexcel Technologies
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Idexcel Technologies
 
Adopting Agile Testing
Idexcel Technologies
 
Test Automation Framework Design | www.idexcel.com
Idexcel Technologies
 

Recently uploaded (20)

PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
A Complete Guide to Data Migration Services for Modern Businesses
Aurnex
 
PDF
Keppel Ltd. 1H 2025 Results Presentation Slides
KeppelCorporation
 
PDF
Data Sheet Cloud Integration Platform - dataZap
Chainsys SEO
 
PDF
Drone Spraying in Agriculture, How It’s Enhancing Efficiency and Crop Yields
ganeshdukare428
 
PPT
How to Protect Your New York Business from the Unexpected
Sam Vohra
 
PDF
Followers to Fees - Social media for Speakers
Corey Perlman, Social Media Speaker and Consultant
 
PDF
Rodolfo Belcastro su All Around The Worlds Magazine - Febbraio 2025
Rodolfo Belcastro
 
PDF
MDR Services – 24x7 Managed Detection and Response
CyberNX Technologies Private Limited
 
PPTX
How to best Address your professional Training Program - August 2025.pptx
PaulYoung221210
 
PDF
Employnova Global Services : Outsourcing
Employnova Global Services
 
PPTX
6 Timeless Japanese Concepts to Improve Business Processes
RUPAL AGARWAL
 
PPTX
NTE 2025/20: Updated End User Undertaking (EUU) Form and Guidance
RT Consulting Limited
 
PPTX
GenAI at FinSage Financial Wellness Platform
SUBHANKARGHOSH126678
 
PDF
HOT DAY CAFE , Café Royale isn’t just another coffee shop
PINKY PARLOUR
 
PDF
NewBase 29 July 2025 Energy News issue - 1807 by Khaled Al Awadi_compressed.pdf
Khaled Al Awadi
 
PDF
Minnesota’s New Lane-Sharing Law for Motorcycles.pdf
Knowyourright
 
PPTX
Virbyze_Our company profile_Preview.pptx
myckwabs
 
PDF
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
PPTX
Mining Services and Iron Ore Transportation in India.pptx
Naaraayani Minerals Pvt.Ltd
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
A Complete Guide to Data Migration Services for Modern Businesses
Aurnex
 
Keppel Ltd. 1H 2025 Results Presentation Slides
KeppelCorporation
 
Data Sheet Cloud Integration Platform - dataZap
Chainsys SEO
 
Drone Spraying in Agriculture, How It’s Enhancing Efficiency and Crop Yields
ganeshdukare428
 
How to Protect Your New York Business from the Unexpected
Sam Vohra
 
Followers to Fees - Social media for Speakers
Corey Perlman, Social Media Speaker and Consultant
 
Rodolfo Belcastro su All Around The Worlds Magazine - Febbraio 2025
Rodolfo Belcastro
 
MDR Services – 24x7 Managed Detection and Response
CyberNX Technologies Private Limited
 
How to best Address your professional Training Program - August 2025.pptx
PaulYoung221210
 
Employnova Global Services : Outsourcing
Employnova Global Services
 
6 Timeless Japanese Concepts to Improve Business Processes
RUPAL AGARWAL
 
NTE 2025/20: Updated End User Undertaking (EUU) Form and Guidance
RT Consulting Limited
 
GenAI at FinSage Financial Wellness Platform
SUBHANKARGHOSH126678
 
HOT DAY CAFE , Café Royale isn’t just another coffee shop
PINKY PARLOUR
 
NewBase 29 July 2025 Energy News issue - 1807 by Khaled Al Awadi_compressed.pdf
Khaled Al Awadi
 
Minnesota’s New Lane-Sharing Law for Motorcycles.pdf
Knowyourright
 
Virbyze_Our company profile_Preview.pptx
myckwabs
 
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
Mining Services and Iron Ore Transportation in India.pptx
Naaraayani Minerals Pvt.Ltd
 

HTML5 Handling Security Issues, Security Threats for HTML5, HTML5 Application Development Risks

  • 1. idexcel HTML 5 Handling Security Issues White Paper
  • 2. Introduction Lots of key technologies are emerging in the market every day, and with these latest technological advancements come the latest security threats. It is common for any new technology to have pitfalls and defects, and although the standards are defined, there are always good chances of security lapses and loose threads here and there. One such upcoming key technology is HTML5, which is the most recent version of html, codified by W3C (World Wide Web Consortium), which is the main body for setting standards for the Web. In this paper, we will try to understand and explore the security issues related with this emerging technology. 2 Page Handling Security Issues idexcel
  • 3. HTML 5 A Peek HTML4 was the most successful and widely used markup format, and HTML5 has been built on its success, with additional feature set, larger than the previous version, especially the rich media extensions. HTML5 is quite relevant in today’s web development industry. It is a collection of individual features, and using it does not require throwing away existing markup or relearn things. Web applications that worked in HTML4 will work in HTML5 because HTML5 supports all the form controls from HTML4. However, there are some important additions in HTML5, such as new input controls, sliders, date pickers etc. It has tight integration of JavaScript so that default func-tionality of HTML elements can be extended. HTML5 closely integrates with the browsing devices and offer features such as graphics rendering and location aware-ness. Application cache feature can be used to down-load the application to the browser even in the offline 3 Page mode. idexcel Handling Security Issues Data can be stored on a user’s computer or mobile device, so web apps work without an Internet connection. Web page can have flashier type with more fonts, shadows, colours and other effects. Objects move on Web pages and react to the move-ments of a cursor. Audio is played without a plug-in. Browser makers have not agreed on formats. Interactive games can run with just a Web browser without installing other software or plug-ins. A technology called WebGL can create interactive 3D effects using a computer’s graphics processor. Video can be embedded in a Web page without a plug-in. Brows-er makers have not agreed on formats. What Does HTML5 DO
HTML5 is supported by all the major browsers, and cross-browser compatibility is less of a concern because large polyfill libraries provide support for older browsers. Using localStorage and IndexedDB, developers can store data locally in the browser, and this data persists across sessions. Complicated animations can be created using keyframes. The large set of APIs improves performance, enhances the application experience and reduces battery drain on mobile devices. The audio and video elements can stream multimedia content faster. Older browsers can degrade gracefully, or load polyfills that implement the new features without disrupting the application.

[Figure: browser support for HTML5 elements, by browser version: drag & drop, video element, audio element, canvas, form validation, HTML5 forms, semantic elements, offline web apps.]
Although HTML is meant to be a standard, hardware and application vendors have their own constraints in terms of version specification or their current platforms. Additionally, the same specification is interpreted differently by different developers, so the same functionality is implemented slightly differently in different applications. Several vendors are implementing HTML5 features, but at the time of writing the finalised W3C recommendation was scheduled tentatively for 2022.

Changing Landscape

HTML5 is a markup language, not a programming language, and hence it is mainly used for structure and content. Web developers have used Java, Flash, Shockwave and Silverlight for several years, so adoption of HTML5 is not yet high. However, with giants such as Netflix, Facebook, Amazon and YouTube making the shift, the industry is gradually moving towards HTML5. It opens an entirely new range of possibilities for the Web, such as email clients that work offline and 3D environments.

Attack Vectors

The enhancements in HTML5 are undoubtedly great; however, they have also opened more exploitation vectors for attackers. HTML5 offers capabilities such as location awareness, access to the microphone and webcam, and graphics rendering, and hence provides much wider access to the resources of the computer than its predecessor. It has been built to integrate with the latest web browsing devices, and the application cache feature can be used to download the application to the browser.

Scenarios for exploitation have not changed drastically with HTML5. Attackers still rely on XSS (Cross-Site Scripting), or lure users to a website that executes a malicious payload. HTML5 websites still use JavaScript as the main scripting language, so the abuses and vulnerabilities inherent to the language still apply. In addition, the new XSS vectors in HTML5 use new tags and attributes to execute payloads without any user interaction, for example an input element carrying the autofocus attribute together with an onfocus handler. The <iframe sandbox> attribute is another example: a page that relies on frame-busting JavaScript to defeat clickjacking can be loaded by an attacker in a sandboxed frame, where its scripts either do not run at all or are forbidden from navigating the top window, so the frame-busting code is neutralised.

Web Storage in HTML5 consists of localStorage and sessionStorage, alongside the client-side databases WebSQL and IndexedDB. Session storage is held in the browser process memory, so a denial of service by resource exhaustion is possible if no storage limit is enforced.

Because of their novelty, WebSockets get a lot of attention: they provide an alternative to HTTP polling for communication from a web page to a remote server. WebSocket vulnerabilities most likely centre on the server implementation. An attacker can abuse an injection flaw to execute code, intercept or log messages, or perform a denial of service against the server. The protocol itself enforces no same-origin policy, so a server that does not validate the Origin header of the upgrade request can be driven from any site the victim visits, with the victim's cookies attached.

The Geolocation API provides a means to determine the location of the user via JavaScript. It returns values such as longitude, latitude and accuracy, and can be used for points-of-interest applications and navigation assistance, but at the same time it raises privacy issues because trails of locations can be stored over a period of time.
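The autofocus vector described under Attack Vectors above needs a DOM sink that parses attacker-controlled text as HTML. The following is an added example, not code from the whitepaper: it shows the vulnerable sink beside two safe renderings (a text sink, and entity encoding when markup must be built) and a crude detector for this class of payload. The render functions assume a browser DOM element; the payload string and the hash-reading helper are constructed for the example.

```javascript
'use strict';

// Constructed payload: fires without user interaction and without a <script>
// tag, because the browser focuses the new element and runs its onfocus handler.
const AUTOFOCUS_PAYLOAD = '<input autofocus onfocus=alert(document.cookie)>';

// Typical source: the URL fragment (https://host/page#<payload>). The fragment
// never reaches the server, so server-side filters cannot see it.
function nameFromHash(hash) {
  return decodeURIComponent((hash || '').replace(/^#/, ''));
}

// VULNERABLE: attacker-controlled text goes into an HTML-parsing sink.
function renderVulnerable(el, untrusted) {
  el.innerHTML = '<p>Hello ' + untrusted + '</p>';
  return el.innerHTML;
}

// SAFE (preferred): a text sink; the string is never parsed as markup.
function renderSafe(el, untrusted) {
  el.textContent = 'Hello ' + untrusted;
  return el.textContent;
}

// SAFE when markup must be built: entity-encode the characters that can end
// element text or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderEncoded(el, untrusted) {
  el.innerHTML = '<p>Hello ' + escapeHtml(untrusted) + '</p>';
  return el.innerHTML;
}

// Crude detector for the vector class the paper names (a tag carrying
// autofocus plus an on* handler). Useful in tests and log review; it is not
// a sanitiser and must not be used as one.
const AUTOFOCUS_VECTOR = /<[a-z]+[^>]*\bautofocus\b[^>]*\bon[a-z]+\s*=/i;
function looksLikeAutofocusVector(markup) {
  return AUTOFOCUS_VECTOR.test(markup);
}

if (typeof module !== 'undefined') {
  module.exports = { AUTOFOCUS_PAYLOAD, nameFromHash, renderVulnerable, renderSafe, renderEncoded, escapeHtml, looksLikeAutofocusVector };
}
```

In a page, `renderSafe(document.getElementById('greeting'), nameFromHash(location.hash))` is the fix; the encoded variant is for templates that genuinely need to emit markup. A Content-Security-Policy without 'unsafe-inline' in script-src adds a second layer, since it blocks inline event handlers such as onfocus even when a sink is missed.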
Web Workers free the user interface by letting the browser run scripts in the background, so long-running JavaScript does not freeze the web page. However, because the script keeps running in the background without the user's knowledge, it keeps consuming system resources: a badly written worker will eat memory and CPU and degrade the user experience, and an attacker-controlled script can do the same deliberately.

With the advancement of HTML5, SVG (Scalable Vector Graphics) is gaining popularity as well. SVG can be used in addition to, or instead of, the <canvas> element; it describes two-dimensional vector graphics in XML, and as XML it can carry script. For a successful exploit, an SVG file containing script is uploaded to the same domain as a page with an injection vulnerability and referenced through an <object>, <iframe> or <embed> tag, which (unlike <img>) execute the script inside the SVG in that origin.

Vulnerabilities of browsers

The browser acts as a thin client and works with data from cached files and cookies for better performance. HTML5 is implemented differently by different browsers, mainly because the W3C standard is not yet finalised. Hence browsers use varying security models, which can radically affect the attack model for the browser. Attackers could use browser information to access the computer and may gain access to personal data. HTML5 offers more offline caching and local storage, so browsers hold much more sensitive information, which makes the browser a direct gateway to the stored data. This small change can cause significant security issues, as browser vendors will be required to adopt a more stringent security model, closer to that of an operating system. Security becomes more challenging because the security model is loosely defined and browser vendors make independent design decisions.
Privacy Issues

Privacy concerns have resulted in more stringent regulations on cookies, which are used to track usage across several sites, recording the preferences, purchases and clicks of users. Browser vendors are giving more priority to privacy features as consumers become more aware of data mining and web tracking and demand more secure models. The new local storage mechanisms in HTML5 provide more ways to store users' information, and this could compromise personal security: the access model is more liberal and local storage is more flexible, and compared with cookies in HTML4 the rules for restricting or purging data are not very clear. As many people browse on mobile devices, the media tools available to mobile devices add to the privacy challenges.

Legacy Issues

HTML5 defines new and useful APIs (Application Programming Interfaces) to access cameras, microphones and location services, but the security models of these services are not well tested and are known to have loopholes. Insecure use of these APIs can leave websites open to manipulation and attack in several ways. As a result, HTML5 carries a greater risk of data loss and invasion of privacy, mainly because of how integrated and flexible the technology is. Tags such as video, canvas and audio open new attack possibilities because media-related functions can be very complicated. However, moving these capabilities into the core language and the browser, as HTML5 does, is an improvement over plug-ins, which have been a constant target of attackers.

HTML4 and JavaScript had some inherent security issues, and these continue to exist in HTML5. Attackers are also exploring innovative ways to steal user information and spread malware. Browser vendors have tackled many loopholes and patched security gaps to reduce the probability of attack. However, as attackers investigate more features of HTML5, they will find new ways to trick users, steal clicks and spread malware. Hence software developers need to keep their filters and validation routines up to date; this includes using web application firewalls, or free add-ons that can prevent attacks.
Permissions

Most browsers use sandboxing to isolate themselves from the operating system and prevent the spread of malware. However, the advanced browser capabilities of HTML5 open up an entirely new realm of data theft, of the kind previously associated mainly with operating systems. Because the browser can access local data, a sandbox escape, access to data via the location or media devices, or simply visiting an infected website carrying attack code can be very damaging. Although more capabilities have been added to the browser, the permission model is still unclear, and hence developers need to plan a multi-dimensional security model.

To summarise, some of the most common threats and attacks are as follows:

HTML5 tag abuse and XSS: the new tags in HTML5 allow dynamic loading of video and audio. These tags can easily be abused for CSRF and XSS, since their src attributes issue requests and their event handlers run script.

Stealing information from storage and global variables: a script injected into the page can read localStorage, sessionStorage and global JavaScript variables and send their contents to an attacker.

CSRF and leveraging CORS to bypass SOP: the Same Origin Policy (SOP) prevents a script on one origin from reading responses from another. CORS (Cross-Origin Resource Sharing) lets a server relax that restriction for chosen origins; if it is misconfigured, for example by reflecting any Origin while allowing credentials, an attacker's page can send requests to the target domain with the victim's credentials and read the responses, without the victim's knowledge.

Phishing and clickjacking by mixing layers and iframes: clickjacking is a common attack, mainly on social networking sites that allow themselves to be loaded in an iframe. This gives attackers an opportunity to overlay invisible frames on visible content and capture the user's clicks.

HTML5/DOM-based XSS and redirects: incidents of DOM-based XSS are increasing as large applications are built on a single DOM with Ajax/XHR. Many HTML5 attributes and tags are controlled by DOM calls, and if these calls are implemented poorly they provide more entry points for attackers.

Using WebSockets for stealth attacks: this feature allows the browser to open sockets to specific ports on specific hosts. Although the list of usable ports is restricted, attackers can craft vectors to communicate with web and non-web ports despite those restrictions.

Abusing thick-client features: HTML5 allows thick-client-like features in the browser UI, and attackers can leverage these features to craft attack vectors.

Abusing Web Worker functionality: Web Workers and messaging allow threading in JavaScript. By helping with payload delivery, Web Workers can assist in exploiting applications.

Attacking WebSQL and client-side SQL injection: HTML5 improves performance by allowing offline databases in the form of WebSQL, and this mechanism opens up client-side SQL injection when queries are built by string concatenation rather than with bound parameters. Vulnerable applications allow attackers to steal information and transfer it across domains.
Moving Forward

Most vulnerabilities are caused by insecure coding and improper configuration. The new features of HTML5 become attack vectors only through mistakes made by developers and administrators. Attackers are constantly exploring new ways to attack devices, especially as web technology is deployed across a wider range of them. HTML5 has introduced very powerful and interesting concepts, but as of now it is far from perfect; there is still a tug of war between usability, security, flexibility and privacy, and the enhanced features are exposing new attack surfaces and security issues. The security of any application depends on the care taken by the developer, and this includes writing secure code, filtering data, and borrowing from cheat sheets such as those produced by OWASP (Open Web Application Security Project). An important step to prevent incorrect use of data is to implement proper checks in the code. Security technology needs to catch up with the latest technologies, vendors need to put more emphasis on privacy controls, and the guidelines set by regulatory authorities need to be revised and made more stringent. As long as infrastructure and security procedures are kept current with the latest developments, security incidents can be minimised. Html5.org contains a list of vulnerable attributes along with the vulnerable browsers.

Conclusion

HTML5, XHR and the DOM driven through JavaScript are increasingly used to create next-generation applications. HTML5 has become the backbone of eLearning, social media and web commerce. It is vendor neutral and native to the browser, and hence has far wider acceptance. However, new features and refinements to the web also raise new security concerns. The associated new attack vectors need to be diligently identified, and security models revised accordingly, by security professionals.

Several new browsers, or new versions of existing browsers, are introduced quite frequently, and hence it is still a long way before HTML5 is accepted as a worldwide standard. We need consistency across browsers and stringent standards set by universally accepted committees. We must plan well and stay ahead of malicious attackers. It is essential to understand the attack vectors detailed in this paper and to proactively design defence strategies before attackers can leverage these enhanced features of HTML5 to their advantage.
About the Author

Ponbharathi Bakthaduruvan works as a Technical Lead with Idexcel. He has over eight years' experience in developing enterprise and rich internet applications using HTML5, CSS/CSS3, Adobe Flex and Java/J2EE technologies. He has expertise in software design, architecture, development, implementation and maintenance of enterprise applications and has delivered many successful projects. He has deep knowledge of UI development using HTML5, CSS3, JavaScript and jQuery, and of developing enterprise-level applications using Java, J2EE, Hibernate, Spring, JSP, Servlets, Adobe Flex and ActionScript.

About Idexcel

Idexcel is an innovative provider of IT products and services focused on emerging technologies. We help world-leading companies build efficiencies and stronger businesses. With more than 15 years in existence, Idexcel's main focus is client satisfaction and technology innovation. Our industry expertise and a global, collaborative workforce form the backbone of our services. We offer a high degree of skill in Enterprise Applications, Cloud Services, Data Warehousing, Big Data, Analytics, QA & Testing Services, IT Consulting and Staffing. The Idexcel product line includes NDS, ERP, and Cync, a credit monitoring application for manufacturing and financial management. For more information log on to www.idexcel.com.

Global Headquarters: 459 Herndon Parkway, Suite 11, Herndon, VA 20170. Tel: 703-230-2600. Fax: 703-467-0218. Email: [email protected]

India Operations: "Crystal Plaza", 9, 10, 11 Bhuvanappa Layout, Hosur Road, Bengaluru 560 029, Karnataka. Tel: +91-80-2550 8830. Email: [email protected]

© Copyright, Idexcel. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission of Idexcel. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.