The HTML5 standard is bringing along a lot of security risks as it gains in popularity. For example, with HTML5 a new variant of XSS has been identified: Resident XSS.
“In case of Resident XSS, the malicious JavaScript code will be introduced permanently into the web client of a user,” tech security consultant Carsten Eilers explained in a recent report. “The Resident XSS code remains active as long as the affected window or the affected tab remains open.”
HTML5 is the latest version of HTML code and includes needed advances for the increasing presence of audio, graphics and video found on websites. These advances lead to some concerns as well.
“As HTML5 gains wider adoption, some of its security flaws are beginning to get noticed,” Robert Mullins warned in a 2012 article in Network Computing.
For instance, the European Network and Information Security Agency (ENISA) recently reviewed 13 HTML5 specs and identified some 51 security threats. In addition, Sophos warned that “HTML5 provides far more access to the computer’s resources than its predecessor, offering capabilities like location awareness, local data storage, graphics rendering and system information queries that are built in and quite powerful.”
Among the causes for concern are: cross-origin resource sharing (CORS), click-jacking, HTML5’s unique geolocation and privacy issues, and how HTML5’s WebSocket API disables key network security tools, Network Computing said.
“HTML5 faces a number of threats, including cross-site scripting and resource hijacking,” Shreeraj Shah, the founder of Blueinfy, warned at a recent Black Hat security conference covered by Security Week. “The fact that the new Web standard has cross-platform support and integrates several other technologies increases the attack surface.”
“Attacks against HTML5 are stealthy and silent, and generally target the application’s presentation and the business logic layers,” Security Week also advised based on comments from Shah. “CORS is vulnerable to data transfer and origin issues, HTML5 forms can be manipulated, and client-side storage and SQL expose the application to injection attacks.”
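The CORS “origin issues” mentioned above usually come down to how a server decides which Origin may read a credentialed response. The following Node.js snippet is an added example, not code from the article or from any of the vendors quoted; the function names and the allowlist of origins are assumptions. It places the weak pattern (reflecting any Origin while allowing credentials) beside an exact-match allowlist check.

```javascript
// Added example: weak versus hardened CORS origin handling in Node.js.
// ALLOWED_ORIGINS and both function names are constructed for illustration.

// Constructed allowlist of origins permitted to read authenticated responses.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',
  'https://admin.example.test',
]);

// Weak pattern: reflect whatever Origin the browser sent and also allow
// credentials. Any site can then read an authenticated user's responses.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: exact-match the Origin against the allowlist. No prefix or
// substring matching, which would accept "https://app.example.test.attacker.test",
// and the header must equal its own serialised origin, so values carrying a
// path, userinfo or a default port are rejected as malformed. "Vary: Origin"
// stops shared caches serving one origin's answer to another.
function corsHeadersAllowlisted(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return {};
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {}; // covers the literal "null" origin and garbage values
  }
  const normalised = parsed.origin;
  if (normalised !== origin || !allowlist.has(normalised)) return {};
  return {
    'Access-Control-Allow-Origin': normalised,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Quick demonstration with a constructed attacker origin.
console.log(corsHeadersReflecting('https://attacker.test'));   // reflected: readable cross-origin
console.log(corsHeadersAllowlisted('https://attacker.test'));  // {} : no CORS headers at all
```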
Edited by
Jamie Epstein