idexcel 
HTML 5 
Handling Security Issues 
White Paper
Introduction
Lots of key technologies are emerging in the market every day, and with these latest technological advancements come the latest security threats. It is common for any new technology to have pitfalls and defects, and although the standards are defined, there are always good chances of security lapses and loose threads here and there. One such upcoming key technology is HTML5, the most recent version of HTML, codified by the W3C (World Wide Web Consortium), the main body for setting standards for the Web. In this paper, we will try to understand and explore the security issues related to this emerging technology.
HTML5: A Peek
HTML4 was the most successful and widely used markup format, and HTML5 has been built on its success with a larger feature set than the previous version, especially the rich media extensions. HTML5 is quite relevant in today's web development industry. It is a collection of individual features, and using it does not require throwing away existing markup or relearning things. Web applications that worked in HTML4 will work in HTML5 because HTML5 supports all the form controls from HTML4.
However, there are some important additions in HTML5, such as new input controls, sliders, date pickers etc. It has tight integration with JavaScript so that the default functionality of HTML elements can be extended. HTML5 closely integrates with browsing devices and offers features such as graphics rendering and location awareness. The application cache feature can be used to download the application to the browser so that it runs even in offline mode.
What Does HTML5 Do
- Data can be stored on a user's computer or mobile device, so web apps work without an Internet connection.
- Web pages can have flashier type with more fonts, shadows, colours and other effects.
- Objects move on Web pages and react to the movements of a cursor.
- Audio is played without a plug-in. Browser makers have not agreed on formats.
- Interactive games can run with just a Web browser without installing other software or plug-ins. A technology called WebGL can create interactive 3D effects using a computer's graphics processor.
- Video can be embedded in a Web page without a plug-in. Browser makers have not agreed on formats.
HTML5 is supported by all the major browsers, and there are no fears of cross-browser compatibility, as there are large polyfill libraries providing support to older browsers. By using LocalStorage and IndexedDB, developers can store data locally in the browser, and this data will persist across sessions. Complicated animations can be created by using keyframes. The large set of APIs improves performance, enhances the application experience, and reduces battery drain on mobile devices. The Audio and Video elements can stream multimedia content faster. Older browsers can gracefully degrade or can have polyfills loaded to implement the new feature without causing any disruption in the application.
[Figure: Browser support for HTML5 elements: drag & drop, video element, audio element, canvas, form validation, HTML5 forms, semantic elements, offline web apps. The per-browser version numbers and support percentages shown in the chart are not recoverable from the extracted text.]
Although HTML is meant to be a standard, hardware and application vendors have their own constraints in terms of version specification or their current platforms. Additionally, the same specifications are interpreted differently by different developers, and hence the same functionality is implemented slightly differently in different applications. Several vendors are definitely implementing HTML5 features; however, the finalized recommendations or specifications are tentatively scheduled for the year 2022.
Web storage encompasses WebSQL and IndexedDB. Session Storage is held in the browser process memory, and hence it is possible to perform DoS (Denial of Service) resource exhaustion attacks if a storage limit is not specified.
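The storage-limit point above, as an added example that is not from the white paper or from Idexcel: a small wrapper that enforces its own per-entry and total byte budget on top of a Web Storage-style backend, so a page cannot fill the origin's storage unchecked. The backend is injected, so the code runs in Node with an in-memory Map; the limit values, the memoryBackend helper and the class name are assumptions made for the example.

```javascript
// Added example (assumption-based, not from the white paper): a storage
// wrapper that enforces its own byte budget on top of a Web Storage-style
// backend. Any object with getItem/setItem/removeItem works, so in a browser
// you would pass window.localStorage or window.sessionStorage; here a Map
// stands in so the code runs in Node.

const encoder = new TextEncoder();
const byteLength = (s) => encoder.encode(String(s)).length;

class BoundedStorage {
  // Limits are assumptions for the example; pick them per application.
  constructor(backend, { maxEntryBytes = 4096, maxTotalBytes = 64 * 1024 } = {}) {
    this.backend = backend;
    this.maxEntryBytes = maxEntryBytes;
    this.maxTotalBytes = maxTotalBytes;
    this.sizes = new Map(); // key -> bytes accounted for that entry
  }

  get usedBytes() {
    let total = 0;
    for (const n of this.sizes.values()) total += n;
    return total;
  }

  // Returns true if stored, false if the write would exceed a limit or the
  // backend refused it (browsers raise a DOMException named
  // QuotaExceededError when the origin's quota is hit).
  set(key, value) {
    const size = byteLength(key) + byteLength(value);
    if (size > this.maxEntryBytes) return false;
    const previous = this.sizes.get(key) || 0;
    if (this.usedBytes - previous + size > this.maxTotalBytes) return false;
    try {
      this.backend.setItem(key, String(value));
    } catch (err) {
      return false;
    }
    this.sizes.set(key, size);
    return true;
  }

  get(key) {
    return this.backend.getItem(key);
  }

  remove(key) {
    this.backend.removeItem(key);
    this.sizes.delete(key);
  }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryBackend() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, v); },
    removeItem: (k) => { items.delete(k); },
  };
}
```

The wrapper rejects a write before it reaches the backend, so the page degrades predictably instead of discovering the quota through an exception in the middle of a save; the try/catch still handles the browser's own quota error for the case where several pages of the same origin share the store.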
Due to their novelty, Web Sockets get a lot of attention, as they provide an alternative to HTTP polling for communication from a web page to a remote server. Web Socket vulnerabilities most likely centre on the server implementation. An attacker can abuse an injection flaw to execute code, intercept or log messages, or perform server DoS attacks. The Geolocation API provides a means to determine the location of the user via JavaScript. It returns values such as longitude, latitude and accuracy, and can be used for points-of-interest applications and navigation assistance, but at the same time can give rise to security issues due to the storage of trails of locations over a period of time.
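As an added example of the server-side check that the Web Socket point above calls for (illustrative code, not from the white paper or Idexcel; the allowlisted origins and the function names are constructed): strict Origin validation that a WebSocket server applies during the upgrade handshake, and that a CORS-enabled API applies when deciding whether to echo Access-Control-Allow-Origin. The same function serves the CORS/SOP item in the threat summary later in the paper.

```javascript
// Added example (not from the white paper): exact Origin allowlisting shared
// by a WebSocket upgrade handler and a CORS response builder. The allowlist
// is constructed for the example; the request shape ({ headers }) mimics
// Node's http.IncomingMessage, which lower-cases header names.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Normalise an Origin header value to scheme://host[:port] and compare it
// exactly against the allowlist. Returns the normalised origin or null.
// Exact matching avoids the classic mistakes: a substring check that accepts
// "https://app.example.com.other.test", or a prefix check that accepts
// "https://app.example.com:8080".
function matchAllowedOrigin(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') return null;
  // "null" is sent for sandboxed iframes, file:// pages and some redirects;
  // it must never be allowlisted.
  if (originHeader === 'null') return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch (err) {
    return null;
  }
  if (url.protocol !== 'https:') return null; // plaintext origins refused
  // A genuine Origin has no path, query, fragment or credentials.
  if (url.pathname !== '/' || url.search || url.hash || url.username) return null;
  const normalised = url.origin; // lower-cased host, default port dropped
  return allowlist.has(normalised) ? normalised : null;
}

// CORS headers for a credentialed API: echo the origin only when it matched,
// and always vary on Origin so a shared cache never serves one origin's
// response to another.
function corsHeadersFor(originHeader) {
  const origin = matchAllowedOrigin(originHeader);
  const headers = { Vary: 'Origin' };
  if (origin) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// WebSocket handshake guard: browsers always send Origin on the upgrade
// request, so a missing or foreign Origin means the socket is not for us.
function shouldAcceptUpgrade(req) {
  return matchAllowedOrigin(req.headers && req.headers.origin) !== null;
}
```

The Origin header is set by the browser and cannot be altered by page script, so exact matching stops a hostile page from opening a socket to the server with the victim's cookies. It does nothing against a non-browser client that sets the header itself, so the socket still needs its own authentication (for example a token in the first message) on top of this check.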
Changing Landscape
HTML5 is a markup language, not a programming language, and hence it is mainly used for structure and content. Web developers have been using Java, Flash, Shockwave and Silverlight for several years, and hence adoption of HTML5 is not high. However, with a few giants such as Netflix, Facebook, Amazon and YouTube making a shift, the industry is gradually moving towards HTML5. It opens up an entirely new range of possibilities for the Web, such as email clients that work offline and 3D environments.
Attack Vectors 
No doubt the enhancements in HTML5 are great; however, these advancements have opened more exploitation vectors for hackers and cybercriminals. HTML5 offers capabilities such as location awareness, access to the microphone and webcam, and graphics rendering, and hence provides much wider access to the resources of the computer compared to its predecessor. It has been built to integrate with the latest web browsing devices, and the application cache feature can be used to download the application to the browser.
Scenarios for exploitation have not drastically changed for HTML5. Attackers still rely on XSS (Cross-Site Scripting), or lure users to a website to execute a malicious payload. HTML5 websites still use JavaScript as the main scripting language, and hence the abuses and vulnerabilities inherent to the language still apply. In addition, the new XSS vectors in HTML5 use new tags and elements, and cybercriminals can use these new attributes to execute payloads (for example, using the autofocus attribute). <iframe sandbox> is another attribute that can be exploited by using frame-busting JavaScript code.
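The defence against the XSS vectors described above is contextual output encoding, shown here as an added example that is not part of the white paper; the function names, the profile-card markup and the sample inputs are constructed for the illustration.

```javascript
// Added example (not from the white paper): encode untrusted values for the
// context they land in, so injected markup (a new element carrying an
// autofocus attribute, for instance) is rendered as text rather than parsed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text and quoted-attribute context: every character that can close a tag,
// close an attribute value, or start an entity is encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL attribute context (href/src): encoding alone is not enough, because a
// correctly encoded "javascript:" URL still runs when followed. Only http(s)
// absolute URLs and same-origin relative paths pass; everything else is
// replaced by a harmless placeholder.
function safeUrl(value) {
  const s = String(value).trim();
  if (s.startsWith('/') && !s.startsWith('//')) return s; // relative path, not protocol-relative
  try {
    const u = new URL(s);
    if (u.protocol === 'https:' || u.protocol === 'http:') return u.href;
  } catch (err) {
    // not an absolute URL; fall through to the placeholder
  }
  return 'about:blank';
}

// Build a profile card from untrusted profile fields (constructed example
// markup). Each field passes through the encoder for its own context; the
// URL is first filtered, then attribute-encoded because it sits inside quotes.
function renderProfileCard({ name, homepage }) {
  return `<div class="card"><a href="${escapeHtml(safeUrl(homepage))}">${escapeHtml(name)}</a></div>`;
}
```

In a real page, prefer DOM APIs that never parse markup (textContent, setAttribute) over building HTML strings; the encoders above cover the text, attribute and URL contexts, and a value landing inside a script block or a style sheet needs a different encoder. A Content-Security-Policy that disallows inline script is the second layer that limits the damage when an encoding step is missed.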
Web Workers free the user interface by giving the browser the ability to run scripts in the background. Hence long-running JavaScript code does not freeze the webpage; however, as the script keeps running in the background without the user's knowledge, it keeps engaging system resources. If the web worker is not well written, it will consume system memory and degrade the user experience.
With the advancement of HTML5, SVG (Scalable Vector Graphics) is gaining popularity as well. SVG can be used in addition to, or instead of, the <canvas> element, and it describes two-dimensional vector graphics in XML. For a successful exploit, an SVG file can be uploaded to the same domain as a page with injection vulnerabilities that supports the <object>, <iframe> or <embed> tags.
Vulnerabilities of Browsers
Browsers act as thin clients and deal with data from cached files and cookies for improved performance. HTML5 is being implemented differently by different browsers, mainly because the standard owned by the W3C is not in its finalized form. Hence, browsers are using varying security models, which can radically affect the attack model for the browser.
Attackers could use browser information to access the computer and may gain access to personal data. HTML5 offers more offline caching and local storage, and hence browsers contain much more sensitive information. This makes the browser a direct gateway to the stored data. This small change can cause quite significant security issues, as browser vendors will be required to build a more stringent security model, similar to that of operating systems. Security becomes more challenging due to the loose definition of the security model, and browser vendors can make independent design decisions.
Privacy Issues
Privacy concerns have resulted in more stringent regulations related to cookies, which are used to track usage across several sites, recording the preferences, purchases and clicks made by users. Browser vendors are giving more priority and focus to privacy features as consumers become more aware of data mining and web tracking, and hence are demanding more secure models. The new local storage mechanism in HTML5 leads to more ways to store users' information, and this could compromise personal security. The access model is more liberal and local storage is more flexible. Compared to cookies in HTML4, the question of restricting or purging data is not very clear. As many people use mobile devices for browsing, media tools for mobile devices add to the privacy challenges.
Legacy Issues
HTML5 defines new helpful APIs (Application Programming Interfaces) to access cameras, the microphone and location services, but the security models of these services are not well tested and are known to have security loopholes. Insecure use of the APIs can leave websites open to manipulation and attacks in several ways. As a result, HTML5 carries a greater risk of data loss and invasion of privacy, mainly because of the integrated and flexible technology. Tags such as video, canvas and audio can open new attack possibilities for cybercriminals, as media-related functions can be very complicated. However, moving these capabilities into the core language and browser, as HTML5 does, is an enhancement over the plugins that have been constant targets of cybercriminals.
HTML4 and JavaScript had some inherent security issues, and they continue to exist in HTML5. Cybercriminals are also exploring innovative ways to steal user information or spread malware. Browser vendors have tackled many loopholes and patched the security gaps to minimise the probability of cyber-attacks. However, as hackers investigate more features of HTML5, they will be able to find new ways to trick users, steal clicks and spread malware. Hence, software developers need to keep their filters and validation routines up to date. This includes using web application firewalls, or using free add-ons that can prevent attacks.
Permissions 
Most browsers use sandboxing to isolate themselves from the operating system and prevent the distribution of malware. However, the advanced browser capabilities of HTML5 open up an entirely new realm of data theft, commonly associated mainly with operating systems. As the browser is capable of accessing local data, breaking the sandbox and accessing data via location or media devices, or visiting an infected website carrying attack code, can prove fatal. Although more capabilities have been added to the browser, the permission model is still unclear, and hence developers need to plan a multi-dimensional security model.
To summarize, some of the most common threats and attacks are as follows:
- HTML5 tag abuse and XSS: the interesting tags of HTML5 allow dynamic loading of video and audio. These tags can be easily abused for CSRF and XSS.
- Stealing of information from Storage and global variables.
- CSRF and leveraging CORS to bypass SOP: SOP (Same Origin Policy) governs cross-domain connections, and bypassing it allows deployment of a CSRF attack, where the attacker can initiate a request to the target domain without the knowledge of the victim. CORS (Cross Origin Resource Sharing) allows the request to hit the target.
- Phishing and ClickJacking by mixing layers and iframes: ClickJacking is a common attack, mainly on social networking sites that allow reloading into an iframe. This gives cyber-criminals an opportunity to initiate ClickJacking attacks.
- HTML5/DOM-based XSS and redirects: incidents of DOM-based XSS attacks are increasing as large applications are built using a single DOM and Ajax/XHR. Many attributes and tags of HTML5 are controlled by DOM calls, and if these calls have been implemented poorly, they can allow more entry points for cybercriminals.
- Using WebSockets for stealth attacks: this feature allows browsers to open sockets to the ports of specific IPs. Although the list of usable ports is restricted, attackers can craft a vector to communicate with web ports and non-web ports, even if they have restrictions.
- Abusing thick client features: HTML5 allows thick-client-like features in the UI of browsers, and attackers can leverage these features to craft attack vectors.
- Abusing WebWorker functionality: WebWorker and Messaging allow threading using JavaScript. By helping in payload delivery, WebWorker can help exploit applications.
- Attacking WebSQL and client-side SQL injection: HTML5 provides enhanced performance by allowing offline databases in the form of WebSQL, and this mechanism opens up client-side SQL injection. Vulnerable applications allow attackers to steal information and transfer it across domains.
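For the last item, client-side SQL injection, here is an added example (not the white paper's or Idexcel's code) contrasting the string-spliced query with the parameterised form that tx.executeSql(sql, params, ...) accepts. Because the WebSQL API only exists in a browser, a tiny stand-in records what the engine would receive; the notes table, its rows and the function names are constructed for the example.

```javascript
// Added example (not from the white paper): the WebSQL query pattern that
// opens the door to client-side SQL injection, beside the parameterised form.
// In a browser both builders would feed tx.executeSql(sql, params, ...);
// here a stand-in engine shows what each one sends and how the engine reacts.

// Constructed sample rows standing in for a WebSQL "notes" table.
const NOTES = [
  { title: 'groceries', body: 'milk, eggs' },
  { title: "O'Brien", body: 'call back on Tuesday' },
];

// Vulnerable: the untrusted title is spliced into the statement text, so a
// value containing a quote changes the structure of the statement itself.
function findNoteUnsafe(title) {
  return { sql: `SELECT body FROM notes WHERE title = '${title}'`, params: [] };
}

// Fixed: the statement text is constant and the value travels as a bound
// parameter, which the engine never parses as SQL.
function findNoteSafe(title) {
  return { sql: 'SELECT body FROM notes WHERE title = ?', params: [String(title)] };
}

// Minimal stand-in for the engine behind tx.executeSql. It understands only
// the one statement shape used here and, like a real parser, rejects a
// statement whose quoting no longer fits the grammar.
function executeSqlStandIn(sql, params) {
  const m = /^SELECT body FROM notes WHERE title = (\?|'([^']*)')$/.exec(sql);
  if (!m) throw new Error('syntax error: statement structure altered by input');
  const wanted = m[1] === '?' ? params[0] : m[2];
  return NOTES.filter((n) => n.title === wanted).map((n) => n.body);
}

// Run a lookup through either builder and report the outcome.
function lookup(buildQuery, title) {
  const { sql, params } = buildQuery(title);
  try {
    return { ok: true, rows: executeSqlStandIn(sql, params) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

The failure case uses an ordinary value with an apostrophe rather than an attack string: the point is that the spliced statement changes structure on any such input, while the parameterised one never does. WebSQL was never standardised and has been removed from current browsers, but the same rule applies to any client-side SQL that a hybrid or offline application uses.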
Most vulnerabilities are caused by insecure coding and improper configuration. The new features of HTML5 can be used as attack vectors only due to mistakes made by developers and administrators. Cybercriminals are constantly exploring new ways to attack devices, especially when web technology is deployed across a wider range of devices. HTML5 has introduced very powerful and interesting concepts, but as of now it is far from perfect. There is still a tug of war between usability, security, flexibility and privacy. At the same time, enhanced features are exposing new attack surfaces and security issues.
The security of any application depends on the care taken by the developer, and this includes writing secure code, filtering data, and borrowing from cheat sheets such as the ones produced by OWASP (Open Web Application Security Project). An important step to prevent incorrect use of data is to implement proper checks in the code. Security technology needs to catch up with the latest technologies, vendors need to put more emphasis on privacy controls, and the guidelines set by regulatory authorities need to be revised and made more stringent. As long as the infrastructure and security procedures are modified to stay current with the latest developments, security incidents can be minimized. Html5.org contains a list of vulnerable attributes along with the vulnerable browsers.
Conclusion 
Moving Forward 
HTML5, XHR and DOM embedded via JavaScript are being increasingly used to create next-generation applications. HTML5 has become the backbone of eLearning, social media and web commerce. It is vendor neutral and native to the browser, and hence has far wider acceptance.
However, new features and refinements to the web also raise new security concerns. The associated new attack vectors need to be diligently identified, and security models need to be revised accordingly by security professionals. Several new browsers, or new versions of existing browsers, are being introduced quite frequently in the market, and hence it is still a long way before HTML5 is accepted as a worldwide standard. We need consistency across browsers, and stringent standards set by universally accepted committees. We must plan well and stay ahead of malicious cyber-attackers. It is essential to understand all the attack vectors detailed in this paper, and proactively design defence strategies before cyber-criminals can leverage these enhanced features of HTML5 to their advantage.
About the Author 
Ponbharathi Bakthaduruvan works as a Technical Lead with Idexcel. He has over eight years’ experience in developing 
enterprise and rich internet applications using HTML5, CSS/CSS3, Adobe Flex and Java/J2EE technologies. He has exper-tise 
in software design, architecture, development, implementation and maintenance of enterprise applications and 
has delivered many successful projects . He has a deep knowledge of UI development using HTML5, CSS3, JavaScript, 
jQuery and developing enterprise level applications using Java, J2EE, Hibernate, Spring, JSP, Servlet, Adobe Flex and 
ActionScript. 
About Idexcel 
Idexcel is an innovative provider of IT Products & Services focused on emerging technologies. We help world leading 
companies build efficiencies and stronger businesses. With more than 15 years into existence Idexcel’s main focus is 
client satisfaction and technology innovation. Our industry expertise and a global, collaborative workforce forms the 
backbone of our services. We offer high degree of skills in Enterprise Applications, Cloud Services, Data-warehousing, 
Big Data, Analytic, QA & Testing Services, IT consulting and Staffing. Idexcel product line includes: NDS, ERP, and 
Cync - A revolutionary credit monitoring application for the manufacturing and nancial management. 
For more information log on to www.idexcel.com. 
Global Headquarters
459 Herndon Parkway Suite 11 
Herndon, VA 20170 
Tel: 703-230-2600 
Fax: 703-467-0218 
Email: inquiry@idexcel.com 
India Operations 
“Crystal Plaza” 9, 10 ,11 
Bhuvanappa Layout, Hosur Road 
Bengaluru – 560 029 
Karnataka 
Tel: +91-80-2550 8830 
Email: inquiry@idexcel.com 
© Copyright, Idexcel. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, 
electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Idexcel. The information contained herein is subject to 
change without notice. All other trademarks mentioned herein are the property of their respective owners.

More Related Content

PPT
Daniel Egan Msdn Tech Days Oc
PPTX
CODE IGNITER
PDF
Secure web conferencing with Adobe
PDF
Customer FX Technical Reference Sheet
PPT
Developing RIAs... 10 reasons to use Adobe Flex
PDF
Fundamental of-web design-trends-20142
PPT
Web 2.0 Tech Talk
PPTX
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Daniel Egan Msdn Tech Days Oc
CODE IGNITER
Secure web conferencing with Adobe
Customer FX Technical Reference Sheet
Developing RIAs... 10 reasons to use Adobe Flex
Fundamental of-web design-trends-20142
Web 2.0 Tech Talk
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js

What's hot (13)

PDF
Step by-step -visual_basic_2008_express_edition_by__microsoft_corporation
PPTX
Fabian Williams SharePoint Saturday New York BCS Deck
PDF
Sybase sup hybrid_web_container_article_wp
PDF
IRJET- HTML5 in Web Development: A New Approach
DOC
Validating A Product Key In A Vs
PPT
Bitrix Intranet Portal
PDF
Developer’s guide to microsoft enterprise library preview
PDF
Vs 2008
PDF
.net 3.5 and vs 2008
PPTX
E2.0 User Forum
PPT
Doors 9 Doors Web Access
DOC
What is future of web with reference to html5 will it devalue current present...
PPT
Flex vs HTML5
Step by-step -visual_basic_2008_express_edition_by__microsoft_corporation
Fabian Williams SharePoint Saturday New York BCS Deck
Sybase sup hybrid_web_container_article_wp
IRJET- HTML5 in Web Development: A New Approach
Validating A Product Key In A Vs
Bitrix Intranet Portal
Developer’s guide to microsoft enterprise library preview
Vs 2008
.net 3.5 and vs 2008
E2.0 User Forum
Doors 9 Doors Web Access
What is future of web with reference to html5 will it devalue current present...
Flex vs HTML5
Ad

Viewers also liked (20)

PPT
presentación Historica
PDF
Designing society through thinking | University of Helsinki
PPT
Magapor viii etv_sim
PPTX
All things LinkedIn advertising by Robert Brady
PPTX
Educación en un mundo conectado ppt
PPTX
Manual de imagen funtec
PDF
Pencil Shavings: 2Q12 GPC, Beirut
PDF
The Secret Sauce for Innovation (shortform)
PDF
Spanyol 120x145
DOC
Oraciones 3ª declinación (5 11-14)
PPTX
Glosario de puentes
PDF
Resume 2014
PPTX
Conociendo a tu hijo en la edad Preescolar (enhanced by VisualBee)
PDF
World Student magazine - Issue 4
PDF
Finanzierungsmöglichkeiten von IT-Unternehmen durch die Hausbank
PDF
Web pc minutes 18th november 2014
PPTX
Copia reducida health4.0
PPTX
Getting Good UX Into Mobile
PDF
San Juan: Programa 11 de septiembre 2016
PPTX
Le Shop Case Study 2015
presentación Historica
Designing society through thinking | University of Helsinki
Magapor viii etv_sim
All things LinkedIn advertising by Robert Brady
Educación en un mundo conectado ppt
Manual de imagen funtec
Pencil Shavings: 2Q12 GPC, Beirut
The Secret Sauce for Innovation (shortform)
Spanyol 120x145
Oraciones 3ª declinación (5 11-14)
Glosario de puentes
Resume 2014
Conociendo a tu hijo en la edad Preescolar (enhanced by VisualBee)
World Student magazine - Issue 4
Finanzierungsmöglichkeiten von IT-Unternehmen durch die Hausbank
Web pc minutes 18th november 2014
Copia reducida health4.0
Getting Good UX Into Mobile
San Juan: Programa 11 de septiembre 2016
Le Shop Case Study 2015
Ad

Similar to HTML5 Handling Security Issues, Security Threats for HTML5, HTML5 Application Development Risks (20)

PDF
Qnx html5 hmi
KEY
Introduction to HTML5/CSS3 In Drupal 7
PPTX
Mobile Apps Develpment - A Comparison
PDF
Html5 workshop part 1
PDF
Tech Stack - Angular
PDF
Migrating to HTML5, Migrating Silverlight to HTML5, Migration Applications t...
PPTX
HTML 5 - A developers perspective
PDF
Html5 Architecture Early Release Wesley Hales
PPTX
Introduction to silverlight control 4
PPTX
Introduction to silverlight
PPTX
Top 10 major benefits of html 5
PDF
HTML5 Development Benefits, Features and Cost For 2024.pdf
PPTX
CloudBerry
PPTX
PDF
Mobility Solutions - Development of Hybrid Mobile Applications with HTML
PPT
European SharePoint Conference: Mobile Applications for SharePoint using HTML5
PPTX
Directions on microsoft_web_and_cloud_development
PPT
Advanced Web Technology Microsoft Silverlight
PDF
Everything That You Need To Know About HTML5
Qnx html5 hmi
Introduction to HTML5/CSS3 In Drupal 7
Mobile Apps Develpment - A Comparison
Html5 workshop part 1
Tech Stack - Angular
Migrating to HTML5, Migrating Silverlight to HTML5, Migration Applications t...
HTML 5 - A developers perspective
Html5 Architecture Early Release Wesley Hales
Introduction to silverlight control 4
Introduction to silverlight
Top 10 major benefits of html 5
HTML5 Development Benefits, Features and Cost For 2024.pdf
CloudBerry
Mobility Solutions - Development of Hybrid Mobile Applications with HTML
European SharePoint Conference: Mobile Applications for SharePoint using HTML5
Directions on microsoft_web_and_cloud_development
Advanced Web Technology Microsoft Silverlight
Everything That You Need To Know About HTML5

More from Idexcel Technologies (13)

PPTX
Cloud computing market overview-2017
PDF
Aws certifications – types of certification
PDF
DevOps on AWS
PDF
Benefits of video in marketing
PDF
Performance Testing in Agile Process
PDF
Html for Mobile App Development
PDF
AngularJS - A Powerful Framework For Web Applications
PDF
IT Staffing & Recruiting Case Studies| Goals, Challenges, Solutions
PDF
Application security testing an integrated approach
PDF
Test performance indicators
PDF
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
PDF
Adopting Agile Testing
PDF
Test Automation Framework Design | www.idexcel.com
Cloud computing market overview-2017
Aws certifications – types of certification
DevOps on AWS
Benefits of video in marketing
Performance Testing in Agile Process
Html for Mobile App Development
AngularJS - A Powerful Framework For Web Applications
IT Staffing & Recruiting Case Studies| Goals, Challenges, Solutions
Application security testing an integrated approach
Test performance indicators
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Adopting Agile Testing
Test Automation Framework Design | www.idexcel.com

Recently uploaded (20)

PPT
Chapter four Project-Preparation material
PDF
DOC-20250806-WA0002._20250806_112011_0000.pdf
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
PDF
WRN_Investor_Presentation_August 2025.pdf
PDF
Nidhal Samdaie CV - International Business Consultant
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
PDF
Lecture 3 - Risk Management and Compliance.pdf
PDF
Reconciliation AND MEMORANDUM RECONCILATION
DOCX
Euro SEO Services 1st 3 General Updates.docx
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
DOCX
Business Management - unit 1 and 2
PDF
Unit 1 Cost Accounting - Cost sheet
PPTX
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
PDF
Hindu Circuler Economy - Model (Concept)
DOCX
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
PDF
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
PDF
Leading with Vision_ How Mohit Bansal Is Shaping Chandigarh’s Real Estate Ren...
PPTX
DMT - Profile Brief About Business .pptx
Chapter four Project-Preparation material
DOC-20250806-WA0002._20250806_112011_0000.pdf
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
Belch_12e_PPT_Ch18_Accessible_university.pptx
WRN_Investor_Presentation_August 2025.pdf
Nidhal Samdaie CV - International Business Consultant
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
Lecture 3 - Risk Management and Compliance.pdf
Reconciliation AND MEMORANDUM RECONCILATION
Euro SEO Services 1st 3 General Updates.docx
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
Business Management - unit 1 and 2
Unit 1 Cost Accounting - Cost sheet
CkgxkgxydkydyldylydlydyldlyddolydyoyyU2.pptx
Hindu Circuler Economy - Model (Concept)
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
ICG2025_ICG 6th steering committee 30-8-24.pptx
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Leading with Vision_ How Mohit Bansal Is Shaping Chandigarh’s Real Estate Ren...
DMT - Profile Brief About Business .pptx

HTML5 Handling Security Issues, Security Threats for HTML5, HTML5 Application Development Risks

  • 1. idexcel HTML 5 Handling Security Issues White Paper
  • 2. Introduction Lots of key technologies are emerging in the market every day, and with these latest technological advancements come the latest security threats. It is common for any new technology to have pitfalls and defects, and although the standards are defined, there are always good chances of security lapses and loose threads here and there. One such upcoming key technology is HTML5, which is the most recent version of html, codified by W3C (World Wide Web Consortium), which is the main body for setting standards for the Web. In this paper, we will try to understand and explore the security issues related with this emerging technology. 2 Page Handling Security Issues idexcel
  • 3. HTML 5 A Peek HTML4 was the most successful and widely used markup format, and HTML5 has been built on its success, with additional feature set, larger than the previous version, especially the rich media extensions. HTML5 is quite relevant in today’s web development industry. It is a collection of individual features, and using it does not require throwing away existing markup or relearn things. Web applications that worked in HTML4 will work in HTML5 because HTML5 supports all the form controls from HTML4. However, there are some important additions in HTML5, such as new input controls, sliders, date pickers etc. It has tight integration of JavaScript so that default func-tionality of HTML elements can be extended. HTML5 closely integrates with the browsing devices and offer features such as graphics rendering and location aware-ness. Application cache feature can be used to down-load the application to the browser even in the offline 3 Page mode. idexcel Handling Security Issues Data can be stored on a user’s computer or mobile device, so web apps work without an Internet connection. Web page can have flashier type with more fonts, shadows, colours and other effects. Objects move on Web pages and react to the move-ments of a cursor. Audio is played without a plug-in. Browser makers have not agreed on formats. Interactive games can run with just a Web browser without installing other software or plug-ins. A technology called WebGL can create interactive 3D effects using a computer’s graphics processor. Video can be embedded in a Web page without a plug-in. Brows-er makers have not agreed on formats. What Does HTML5 DO
  • 4. 4 Page idexcel Handling Security Issues HTML5 is supported by all the major browsers, and there are no fears of cross-browser compatibility as there are large polyfill libraries providing support to the older browsers. By using LocalStorage and IndexDB, developers can store data locally in the browser, and this data will persist across sessions. Complicated animations can be created by using keyframes. The large set of APIs improve performance, enhance the applica-tion experience, and reduce the battery drain for the mobile devices. The Audio and Video elements can stream the multimedia content faster. Older browsers can gracefully degrade or can have polyfills loaded to implement the new feature without causing and disrup-tion in the application. DRAG & DROP VIDEO ELEMENT AUDIO ELEMENT CANVAS FORM VALIDATION HTML5 FORMS SEMANTIC ELEMENTS OFFLINE WEB APPS BROWSER SUPPORT FOR HTML5 ELEMENT 8 9 3.6 4 4 12.5% 62.5% 62.5% 93.8% 81.2% 4 2 5 11 11 87.5% 100% 100% 62.5% 37.5%
Although HTML is meant to be a standard, hardware and application vendors have their own constraints in terms of version support and current platforms. Additionally, the same specification is interpreted differently by different developers, and hence the same functionality ends up implemented slightly differently in different applications. Several vendors are already implementing HTML5 features; at the time of writing, the finalized recommendation was tentatively scheduled for the year 2022 (the HTML5 specification in fact reached W3C Recommendation status in October 2014).

Changing Landscape

HTML5 is a markup language, not a programming language, and hence it is mainly used for structure and content. Web developers have used Java, Flash, Shockwave and Silverlight for several years, so adoption of HTML5 was initially slow. However, with a few giants such as Netflix, Facebook, Amazon and YouTube making the shift, the industry is gradually moving towards HTML5. It opens an entirely new range of possibilities for the Web, such as email clients that work offline and 3D environments.

Attack Vectors

The enhancements in HTML5 are undoubtedly useful, but they also open more exploitation vectors for hackers and cybercriminals. HTML5 offers capabilities such as location awareness, access to the microphone and webcam, and graphics rendering, and hence gives a web page much wider access to the resources of the computer than its predecessor did. It has been built to integrate with the latest browsing devices, and the application cache feature can be used to download an application to the browser.

The exploitation scenarios have not drastically changed for HTML5. Attackers still rely on XSS (Cross-Site Scripting), or lure users to a website that executes a malicious payload. HTML5 websites still use JavaScript as the main scripting language, so the abuses and vulnerabilities inherent to the language still apply. In addition, new XSS vectors in HTML5 use new tags and attributes, and a filter that only knows the classic event handlers will miss them: the autofocus attribute, for example, lets a payload in an onfocus handler fire without any user interaction. The <iframe sandbox> attribute cuts the other way. It was designed to confine embedded content, but an attacker who loads a victim page inside a sandboxed iframe (without allow-top-navigation) thereby disables the victim's frame-busting JavaScript, so protection against framing has to come from the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive rather than from script.

Client-side storage in HTML5 encompasses Web Storage (localStorage and sessionStorage), IndexedDB and the never-standardized WebSQL. sessionStorage is held in the browser process memory, and persisted storage is bounded only by browser quotas, so an application that writes without a limit of its own can exhaust the resources of the user's browser, a Denial of Service (DoS) condition.

Due to their novelty, Web Sockets get a lot of attention, as they provide an alternative to HTTP polling for communication from a web page to a remote server. Web Socket vulnerabilities most likely centre on the server implementation: a server that accepts connections from any origin, or passes message contents into commands or queries unchecked, lets an attacker abuse the injection flaw to execute code, intercept or log messages, or perform a DoS attack against the server.

The Geolocation API provides a means to determine the location of the user via JavaScript. It returns values such as longitude, latitude and accuracy, and can be used for points-of-interest applications and navigation assistance, but at the same time it gives rise to privacy issues when trails of locations are stored over a period of time.
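The server-side checks that the Web Socket paragraph calls for, as an added example that is not part of the paper: it assumes a Node.js server whose handshake request exposes a lower-cased headers object (as Node's http.IncomingMessage does) and whose messages are JSON text frames. The allowed origin, the message types and the per-connection budget are constructed for this example.

```javascript
// Added example (not from the paper): checks a WebSocket endpoint should apply
// on the server, where the paper places most Web Socket weaknesses.
// Assumptions: handshake headers arrive as a lower-cased `headers` object
// (as on Node's http.IncomingMessage); messages are JSON text frames.
'use strict';

// Constructed allow-list for this example; a real deployment reads it from config.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// 1. Handshake: browsers always send Origin on a WebSocket upgrade. A server
//    that skips this check can be driven by any page the victim visits
//    (cross-site WebSocket hijacking). Exact match only, never a prefix test.
function originAllowed(headers) {
  const origin = headers['origin'];
  if (typeof origin !== 'string') return false; // non-browser client or stripped header
  return ALLOWED_ORIGINS.has(origin);
}

// 2. Messages: enforce a strict shape before anything reaches a shell, a
//    database or another client, so an injection payload has nothing to hit.
const MAX_MESSAGE_BYTES = 4096;                  // constructed limit
const KNOWN_TYPES = new Set(['chat', 'ping']);   // constructed protocol

function parseMessage(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'binary frame rejected' };
  if (Buffer.byteLength(raw, 'utf8') > MAX_MESSAGE_BYTES) return { ok: false, reason: 'oversize frame' };
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { ok: false, reason: 'invalid json' }; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return { ok: false, reason: 'not an object' };
  if (!KNOWN_TYPES.has(msg.type)) return { ok: false, reason: 'unknown type' };
  if (msg.type === 'chat' && typeof msg.text !== 'string') return { ok: false, reason: 'chat.text must be a string' };
  return { ok: true, msg: { type: msg.type, text: msg.text } }; // copy only the known fields
}

// 3. Per-connection budget: a socket stays open for a long time, so a single
//    client can flood the server unless each connection is metered.
class MessageBudget {
  constructor(maxPerWindow, windowMs, now = Date.now) {
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock so the behaviour is testable
    this.seen = new Map();   // connection id -> timestamps inside the window
  }
  allow(connId) {
    const t = this.now();
    const recent = (this.seen.get(connId) || []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.maxPerWindow) { this.seen.set(connId, recent); return false; }
    recent.push(t);
    this.seen.set(connId, recent);
    return true;
  }
  forget(connId) { this.seen.delete(connId); } // call on close so the map does not grow forever
}

// Glue that a real server (for example one built on the `ws` package) would call
// from its 'message' event; returns the action taken so it can be checked.
function handleFrame(budget, connId, raw) {
  if (!budget.allow(connId)) return { action: 'close', reason: 'rate limit' };
  const parsed = parseMessage(raw);
  if (!parsed.ok) return { action: 'close', reason: parsed.reason };
  return { action: 'dispatch', msg: parsed.msg };
}
```

Closing the connection on the first malformed frame is deliberate: a legitimate client built against the same protocol never sends one, so there is nothing to gain from tolerating it.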
Web Workers free the user interface by allowing the browser to run scripts in the background, so long-running JavaScript code does not freeze the web page. However, because the script keeps running in the background without the user's knowledge, it keeps engaging system resources. If the web worker is not well written it will consume system memory and degrade the user experience, and nothing stops a malicious page from using the same mechanism to keep its own code running out of sight.

With the advancement of HTML5, SVG (Scalable Vector Graphics) is gaining popularity as well. SVG can be used in addition to, or instead of, the <canvas> element, and describes two-dimensional vector graphics in XML. Unlike a bitmap, an SVG file can carry <script> elements and event-handler attributes. For a successful exploit, the attacker uploads an SVG file to the same domain as a page with an injection vulnerability that lets them place an <object>, <iframe> or <embed> tag; the SVG then executes in that page's origin. An SVG referenced from an <img> tag, by contrast, is rendered without scripting, which is why uploaded images should be served that way, with the correct Content-Type and a Content-Disposition header that prevents the file from being opened as a document.

Vulnerabilities of browsers

The browser acts as a thin client and works with data from cached files and cookies for improved performance. HTML5 is being implemented differently by different browsers, mainly because the W3C standard is not yet in its finalized form. Hence, browsers are using varying security models, which can radically change the attack model for the browser. Attackers could use browser information to reach the computer and may gain access to personal data. HTML5 offers more offline caching and local storage, so the browser now holds much more sensitive information, and this makes it a direct gateway to the stored data. This small change has significant security consequences: browser vendors will be required to adopt a more stringent security model, closer to that of an operating system. Security becomes more challenging because the security model is loosely defined and each browser vendor makes its own design decisions.
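An added example, not from the paper, covering both the autofocus-style XSS vectors from the Attack Vectors section and the uploaded-SVG scenario above: a denylist filter of the kind the paper warns about is shown beside a tag-and-attribute scan that flags HTML5 and SVG vectors the denylist misses. The denylist, the allow-lists and the payloads are constructed for this example; the scanner is a rejection gate, not a sanitizer, and for sanitizing markup a maintained allow-list library such as DOMPurify should be used instead.

```javascript
// Added example (not from the paper). Shows why a denylist filter misses the
// HTML5 vectors described above, and a tag/attribute scan that flags them in
// HTML fragments and uploaded SVG alike. Denylist, allow-lists and payloads are
// constructed for this example; use DOMPurify or similar for real sanitising.
'use strict';

// A typical home-grown denylist: strips <script>, a few handlers and javascript: URLs.
function denylistFilter(markup) {
  return markup
    .replace(/<script[\s\S]*?<\/script>/gi, '')
    .replace(/\son(load|click|mouseover|error)\s*=/gi, ' data-removed=')
    .replace(/javascript:/gi, '');
}

// Tokenize tags the way a browser sees them: '/' inside a tag separates attributes
// just like whitespace, so <svg/onload=x> carries an onload attribute.
// (Attribute values containing a literal '>' are not handled by this tokenizer.)
function tokenizeTags(markup) {
  const tags = [];
  const tagRe = /<\s*(\/?)([a-zA-Z][\w:-]*)([^>]*)>/g;
  const attrRe = /([^\s\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\/>]+)))?/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = [];
    let a;
    while ((a = attrRe.exec(m[3])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : '';
      attrs.push({ name: a[1].toLowerCase(), value });
    }
    tags.push({ name: m[2].toLowerCase(), closing: m[1] === '/', attrs });
  }
  return tags;
}

const URL_ATTRS = new Set(['href', 'xlink:href', 'src', 'data', 'formaction']);

// Returns a list of findings; an empty list means nothing scripted was seen.
function findVectors(markup, allowedTags) {
  const findings = [];
  for (const tag of tokenizeTags(markup)) {
    if (!allowedTags.has(tag.name)) findings.push(`tag <${tag.name}> not allowed`);
    for (const { name, value } of tag.attrs) {
      // Every on* attribute is an event handler, including the HTML5 ones a denylist forgets.
      if (name.startsWith('on')) findings.push(`event handler ${name} on <${tag.name}>`);
      if (URL_ATTRS.has(name)) {
        // Browsers strip tabs, newlines and other controls from a URL before reading
        // the scheme, so "java\tscript:" still runs; normalise the same way before testing.
        const scheme = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
        if (/^(javascript|vbscript|data):/.test(scheme)) findings.push(`${name} on <${tag.name}> uses a scripted URL`);
      }
    }
  }
  return findings;
}

// Gate for the upload case: an SVG that trips any finding must not be stored where
// it can later be embedded through <object>, <iframe> or <embed> in the site's origin.
const SVG_ALLOWED = new Set(['svg', 'g', 'path', 'rect', 'circle', 'text', 'a', 'title']); // constructed
function svgUploadAcceptable(svgText) {
  return findVectors(svgText, SVG_ALLOWED).length === 0;
}
```

The point of the comparison is structural: the denylist can only catch strings its author thought of, while the scan treats every on* attribute and every scripted URL scheme as hostile regardless of the tag that carries it, which is what a new element such as <video> or a new attribute such as autofocus would otherwise slip past.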
Privacy Issues

Privacy concerns have resulted in more stringent regulations on cookies, which are used to track usage across several sites, recording the preferences, purchases and clicks made by users. Browser vendors are giving more priority and focus to privacy features as consumers become more aware of data mining and web tracking and demand more secure models. The new local storage mechanisms in HTML5 add more ways to store users' information, and this could compromise personal privacy. The access model is more liberal and local storage is more flexible; compared with cookies in HTML4, how data is restricted or purged is not very clear (Web Storage has no expiry of its own, so a value written by a page persists until the application or the user deletes it). As many people use mobile devices for browsing, media tools for mobile devices add to the privacy challenges.

Legacy Issues

HTML5 defines new helpful APIs (Application Programming Interfaces) to access cameras, microphones and location services, but the security models of these services are not yet well tested, and loopholes have been found in them. Insecure use of the APIs can leave websites open to manipulation and attack in several ways. As a result, HTML5 carries a greater risk of data loss and invasion of privacy, mainly because of how integrated and flexible the technology is. Tags such as video, canvas and audio open new attack possibilities for cybercriminals, as media-related functions are very complicated. However, moving these capabilities into the core language and browser, as HTML5 does, is an improvement over plugins, which have been a constant target of cybercriminals.

HTML4 and JavaScript had some inherent security issues, and they continue to exist in HTML5. Cybercriminals are also exploring innovative ways to steal user information or spread malware. Browser vendors have tackled many loopholes and patched security gaps to minimise the probability of cyber-attacks. However, as attackers investigate more features of HTML5, they will find new ways to trick users, steal clicks and spread malware. Hence, software developers need to keep their filters and validation routines up to date. This includes using web application firewalls, or free browser add-ons that can prevent attacks, although neither replaces correct output encoding and input validation in the application itself.
Permissions

Most browsers use sandboxing to isolate themselves from the operating system and to contain malware. However, the advanced browser capabilities of HTML5 open up a realm of data theft that used to be associated mainly with the operating system. Because the browser can now reach local data, the user's location and the media devices, a sandbox escape, or simply a visit to an infected website carrying attack code, can be far more damaging than before. Although more capabilities have been added to the browser, the permission model is still unclear, and hence developers need to plan a multi-dimensional security model rather than rely on the browser's permission prompts alone.

To summarize, some of the most common threats and attacks are as follows.

HTML5 tag abuse and XSS - The new media tags of HTML5 allow dynamic loading of video and audio. Their source attributes and error handlers can be abused for CSRF and XSS.

Stealing information from storage and global variables - Script running in a page's origin, including an injected XSS payload, can read localStorage, sessionStorage, IndexedDB and JavaScript global variables, so anything sensitive kept there is exposed.

CSRF and leveraging CORS to bypass SOP - SOP, the Same Origin Policy, restricts how a page from one origin can read resources from another. CORS (Cross-Origin Resource Sharing) is the mechanism by which a server relaxes that restriction. A server that reflects arbitrary Origin values and allows credentials lets an attacker's page read authenticated responses from the target domain, and because cross-origin requests are sent regardless of CORS, CORS does nothing to stop a CSRF attack in which the attacker initiates a request to the target domain without the victim's knowledge.

Phishing and ClickJacking by mixing layers and iframes - ClickJacking is a common attack, mainly against social networking sites that allow themselves to be loaded into an iframe. Transparent layers placed over the framed page give cybercriminals the opportunity to redirect the user's clicks.

HTML5/DOM based XSS and redirects - Incidents of DOM based XSS are increasing as large applications are built on a single DOM with Ajax/XHR. Many attributes and tags of HTML5 are controlled by DOM calls, and if these calls are implemented poorly they offer more entry points for cybercriminals.

Using WebSockets for stealth attacks - This feature allows browsers to open sockets to specific ports of a given IP. Although the list of usable ports is restricted, attackers can craft a vector that probes both web and non-web ports from inside the victim's browser, for instance by timing how connection attempts fail, even where those ports are restricted.

Abusing thick client features - HTML5 allows thick-client-like features in the browser UI, and attackers can leverage these features to craft attack vectors.

Abusing WebWorker functionality - WebWorkers and messaging allow threading in JavaScript. By helping with payload delivery, WebWorkers can help exploit applications.

Attacking WebSQL and client side SQL injection - HTML5 provides enhanced performance by allowing offline databases in the form of WebSQL, and a query built by concatenating untrusted input opens client-side SQL injection. Vulnerable applications allow attackers to steal information and transfer it across domains.
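The CORS and CSRF item in the list above, as an added example that is not from the paper: three ways a Node.js server can answer the Origin header, the two that defeat the Same Origin Policy beside the one that does not, plus a Fetch Metadata check for the CSRF half of the same item. The trusted origin is constructed for this example, and the functions return plain header objects so the behaviour can be checked without a running server.

```javascript
// Added example (not from the paper): how a server's answer to the Origin header
// either bypasses the Same Origin Policy or upholds it, and a separate check for
// CSRF, which CORS does not address. The trusted origin is constructed.
'use strict';

const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Vulnerable: reflects any Origin and allows credentials. Any page the victim
// visits can then read authenticated API responses in the victim's session.
function corsHeadersReflect(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Still vulnerable: a prefix (or substring or loose regex) check lets an
// attacker-registered host such as https://app.example.com.evil.net through.
function corsHeadersPrefix(origin) {
  if (typeof origin === 'string' && origin.startsWith('https://app.example.com')) {
    return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
  }
  return {};
}

// Hardened: exact match against an allow-list, never the literal "null" origin
// (sandboxed iframes and local files send it), and Vary: Origin so a shared
// cache never serves one origin's answer to another.
function corsHeadersHardened(origin) {
  const headers = { Vary: 'Origin' };
  if (typeof origin !== 'string' || origin === 'null' || !TRUSTED_ORIGINS.has(origin)) return headers;
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// CORS only decides who may read a response; the request is still sent, so it is
// no defence against CSRF. Modern browsers label requests with Sec-Fetch-Site, and
// a state-changing request marked cross-site can be refused outright. When the
// header is absent (older browsers) the server must fall back to a CSRF token.
function rejectCrossSiteWrite(method, headers) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return false;
  return headers['sec-fetch-site'] === 'cross-site';
}
```

A common objection to the exact-match version is that it needs a list of origins to maintain; that is the point, since every shortcut that avoids the list (reflection, prefix, wildcard with credentials) is one of the misconfigurations that make CORS the SOP bypass the paper describes.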
Conclusion

Most vulnerabilities are caused by insecure coding and improper configuration. The new features of HTML5 become attack vectors mainly through mistakes made by developers and administrators. Cybercriminals are constantly exploring new ways to attack devices, especially as web technology is deployed across a wider range of devices. HTML5 has introduced very powerful and interesting concepts, but as of now it is far from perfect. There is still a tug of war between usability, security, flexibility and privacy, and at the same time the enhanced features are exposing new attack surfaces and security issues. The security of any application depends on the care taken by the developer, and this includes writing secure code, filtering data, and borrowing from cheat sheets such as the ones produced by OWASP (Open Web Application Security Project). An important step to prevent incorrect use of data is to implement proper checks in the code. Security technology needs to catch up with the latest technologies, vendors need to put more emphasis on privacy controls, and the guidelines set by regulatory authorities need to be revised and made more stringent. As long as the infrastructure and security procedures are modified to stay current with the latest developments, security incidents can be minimized. The HTML5 Security Cheatsheet at html5sec.org maintains a list of vulnerable tags and attributes along with the browsers affected by each.

Moving Forward

HTML5, XHR and the DOM, driven via JavaScript, are increasingly used to create next-generation applications. HTML5 has become the backbone of eLearning, social media and web commerce. It is vendor neutral and native to the browser, and hence enjoys far wider acceptance. However, new features and refinements to the web also raise new security concerns. The associated new attack vectors need to be diligently identified, and security models need to be revised accordingly by security professionals.

Several new browsers, or new versions of existing browsers, are being introduced quite frequently, and hence it is still a long way before HTML5 is accepted as a worldwide standard. We need consistency across browsers, and stringent standards set by universally accepted committees. We must plan well and stay ahead of malicious attackers. It is essential to understand all the attack vectors detailed in this paper, and to proactively design defence strategies before cybercriminals can leverage these enhanced features of HTML5 to their advantage.
About the Author

Ponbharathi Bakthaduruvan works as a Technical Lead with Idexcel. He has over eight years' experience in developing enterprise and rich internet applications using HTML5, CSS/CSS3, Adobe Flex and Java/J2EE technologies. He has expertise in software design, architecture, development, implementation and maintenance of enterprise applications and has delivered many successful projects. He has a deep knowledge of UI development using HTML5, CSS3, JavaScript and jQuery, and of developing enterprise-level applications using Java, J2EE, Hibernate, Spring, JSP, Servlet, Adobe Flex and ActionScript.

About Idexcel

Idexcel is an innovative provider of IT products and services focused on emerging technologies. We help world-leading companies build efficiencies and stronger businesses. With more than 15 years in existence, Idexcel's main focus is client satisfaction and technology innovation. Our industry expertise and a global, collaborative workforce form the backbone of our services. We offer a high degree of skill in Enterprise Applications, Cloud Services, Data Warehousing, Big Data, Analytics, QA & Testing Services, IT Consulting and Staffing. The Idexcel product line includes NDS, ERP, and Cync, a credit monitoring application for manufacturing and financial management. For more information see www.idexcel.com.

Global Headquarters
459 Herndon Parkway, Suite 11, Herndon, VA 20170
Tel: 703-230-2600, Fax: 703-467-0218
Email: inquiry@idexcel.com

India Operations
"Crystal Plaza" 9, 10, 11 Bhuvanappa Layout, Hosur Road, Bengaluru – 560 029, Karnataka
Tel: +91-80-2550 8830
Email: inquiry@idexcel.com

© Copyright, Idexcel. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission of Idexcel. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.