May 01, 2013

Security Concerns Need to Be Addressed with Increasing Use of HTML5

The HTML5 standard brings new security risks along with it as it gains in popularity. For example, HTML5 enables a new variant of cross-site scripting (XSS) that has been dubbed Resident XSS.

“In case of Resident XSS, the malicious JavaScript code will be introduced permanently into the web client of a user,” tech security consultant Carsten Eilers explained in a recent report. “The Resident XSS code remains active as long as the affected window or the affected tab remains open.”

HTML5 is the latest version of the HTML markup language and includes advances needed for the growing presence of audio, graphics and video on websites. Those same advances also give rise to some security concerns.

“As HTML5 gains wider adoption, some of its security flaws are beginning to get noticed,” Robert Mullins warned in a 2012 article in Network Computing.

For instance, the European Network and Information Security Agency (ENISA) recently reviewed 13 HTML5 specs and identified some 51 security threats. In addition, Sophos warned that “HTML5 provides far more access to the computer’s resources than its predecessor, offering capabilities like location awareness, local data storage, graphics rendering and system information queries that are built in and quite powerful.”

Among the causes for concern are cross-origin resource sharing (CORS), click-jacking, HTML5’s geolocation and privacy issues, and the way HTML5’s WebSocket API can bypass key network security tools, Network Computing said.

“HTML5 faces a number of threats, including cross-site scripting and resource hijacking,” Shreeraj Shah, the founder of Blueinfy, warned at a recent Black Hat security conference covered by Security Week. “The fact that the new Web standard has cross-platform support and integrates several other technologies increases the attack surface.”

“Attacks against HTML5 are stealthy and silent and generally target the application’s presentation and business logic layers,” Security Week also advised based on comments from Shah. “CORS is vulnerable to data transfer and origin issues, HTML5 forms can be manipulated, and client-side storage and SQL expose the application to injection attacks.”
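The two points above, Eilers’ Resident XSS (a payload that keeps running inside an open tab) and Shah’s warning about client-side storage, are really one mechanism: an HTML5 single-page application that keeps user data in localStorage and re-renders it on every in-page navigation will re-execute an injected payload without any server round trip. The following example is added here to illustrate that and is not code from the article, from Eilers or from Blueinfy. The localStorage stub, the route names, the `displayName` key and the payload are all constructed for the demonstration so it runs under Node without a browser.

```javascript
// Added example, not from the article. Models an HTML5 single-page app that
// stores a user-supplied display name in localStorage and re-renders it on
// each client-side route change. Once a payload lands in that storage it is
// rendered again on every navigation for as long as the tab stays open: the
// "Resident XSS" pattern. localStorage is stubbed so this runs under Node.
const localStorage = (() => {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => store.set(k, String(v)),
    clear: () => store.clear(),
  };
})();

// Vulnerable render: stored data is interpolated straight into markup, the
// string equivalent of assigning to element.innerHTML.
function renderProfileVulnerable() {
  const name = localStorage.getItem("displayName") || "anonymous";
  return `<h1>Welcome, ${name}</h1>`;
}

// Hardened render: escape the characters that change meaning in HTML text
// and attribute context before the value reaches markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderProfileHardened() {
  const name = localStorage.getItem("displayName") || "anonymous";
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Simulated client-side router: every navigation re-renders from storage.
// Returns how many renders contained a live on* event-handler attribute,
// i.e. how many times the resident payload would have executed.
function navigate(render, routes) {
  let live = 0;
  for (const route of routes) {
    const markup = render(); // route is only a trigger; content comes from storage
    if (/<[^>]+\son\w+=/i.test(markup)) live += 1;
  }
  return live;
}

// Constructed payload. It only has to reach storage once, for instance via a
// single reflected XSS or a crafted "import settings" link.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Plants the payload, then walks three in-page routes with each renderer.
function demo() {
  localStorage.clear();
  localStorage.setItem("displayName", PAYLOAD);
  const routes = ["#/home", "#/messages", "#/settings"];
  return {
    vulnerableHits: navigate(renderProfileVulnerable, routes), // 3: fires on every route
    hardenedHits: navigate(renderProfileHardened, routes),     // 0: rendered as text
    hardenedMarkup: renderProfileHardened(),
  };
}

console.log(demo());
```

The point of the router loop is that nothing is fetched from the server after the payload is planted; clearing the injection on the server side does not help a user whose tab is already open, and the only fixes are to encode on output (as `escapeHtml` does) or to clear and re-validate client-side storage. Treat localStorage, sessionStorage and IndexedDB as untrusted input in the same way as a query string.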

Edited by Jamie Epstein

