2025-02-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains in detail the security issues that need to be kept in mind in HTML5 development. The editor shares it here for reference, in the hope that you will come away with an understanding of the relevant issues after reading it.
Application security experts say HTML5 poses new security challenges for developers.
The war of words between Apple and Adobe has led to a lot of speculation about the fate of HTML5. Although the implementation of HTML5 still has a long way to go, it is certain that developers using HTML5 will need to add new security activities to their application security development life cycle to meet the security challenges HTML5 brings.
So what impact will HTML5 have on the attack surface we need to cover?
Client storage
Earlier versions of HTML only allowed websites to store local information in cookies, whose space is relatively small and can only hold simple bookkeeping information or identifiers for data stored elsewhere, such as a session ID, said Dan Cornell, head of application security research at Denim Group. HTML5 LocalStorage, however, allows browsers to store large amounts of data locally, enabling new types of applications.
"The ensuing risk is that sensitive data may be stored on a local user workstation, and attackers who physically access or compromise the workstation can easily obtain that sensitive data," Cornell said. "This is more dangerous for users of shared computers."
"By definition, it's really just able to store information on the client system," said Josh Abraham, a security researcher at Rapid7. "Then you have the potential for client-side SQL injection attacks, or maybe one of your clients' databases is malicious, synchronization problems may occur when it is synchronized with the production system, or potentially malicious data from the client will be inserted into the production system."
To solve this problem, developers need to be able to verify whether data coming back from the client is malicious, which is actually a very complex problem.
Not everyone agrees on the importance of this issue. Chris Wysopal, chief technology officer of Veracode, pointed out that web applications have always had many ways to store data, for example through plug-ins or browser extensions.
"There are many known ways to manipulate the currently deployed HTML5 SessionStorage properties, but this problem will not be resolved until the standard is finalized," Wysopal said.
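The point Abraham and Cornell make above is that anything read back out of client storage has been sitting on a user-controlled machine and must be treated as untrusted before it is synchronized to a production system. The following is an added example, not code from the article or from any of the companies quoted; the storage keys, the "draft" schema, the sensitive-key policy and the sample records are all assumptions. It keeps sensitive values out of storage and validates each record against an expected shape before it is handed to a server-side merge.

```javascript
// Added example (not from the article): treating what comes back out of HTML5
// client storage as untrusted input before it is synchronized to the server.
// The storage keys, the draft schema and the sample records are assumptions.

// Minimal in-memory stand-in for window.localStorage so the logic runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

// Keys that must never land in client storage (assumed policy): it persists on
// the workstation and is readable by anyone who can access the browser profile.
const SENSITIVE_KEYS = new Set(['password', 'sessionId', 'cardNumber']);

function safeSetItem(storage, key, value) {
  if (SENSITIVE_KEYS.has(key)) {
    throw new Error(`refusing to put sensitive key "${key}" into client storage`);
  }
  storage.setItem(key, JSON.stringify(value));
}

// Expected shape of a locally cached draft record (assumed schema).
const DRAFT_SCHEMA = {
  id: v => Number.isInteger(v) && v > 0,
  title: v => typeof v === 'string' && v.length <= 120,
  body: v => typeof v === 'string' && v.length <= 10000,
};

// Validate one raw record read back from client storage. The user could have
// edited it with the browser's developer tools, so nothing about it is trusted.
function validateDraft(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return { ok: false, errors: ['not valid JSON'] }; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, errors: ['not an object'] };
  }
  const errors = [];
  for (const [field, check] of Object.entries(DRAFT_SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(obj, field)) errors.push(`missing field ${field}`);
    else if (!check(obj[field])) errors.push(`invalid field ${field}`);
  }
  for (const field of Object.keys(obj)) {
    if (!Object.prototype.hasOwnProperty.call(DRAFT_SCHEMA, field)) errors.push(`unexpected field ${field}`);
  }
  return { ok: errors.length === 0, errors };
}

// Only records that pass validation are handed to the (assumed) server-side
// merge; rejected ones are reported rather than silently inserted.
function collectDraftsForSync(storage, keys) {
  const accepted = [];
  const rejected = [];
  for (const key of keys) {
    const raw = storage.getItem(key);
    if (raw === null) continue;
    const result = validateDraft(raw);
    (result.ok ? accepted : rejected).push({ key, ...result });
  }
  return { accepted, rejected };
}

// Constructed sample data: one draft written by the app, one tampered with
// directly in storage (negative id, extra privilege field).
const store = new MemoryStorage();
safeSetItem(store, 'draft:1', { id: 1, title: 'hello', body: 'first draft' });
store.setItem('draft:2', '{"id":-5,"title":"x","body":"y","isAdmin":true}');
const syncReport = collectDraftsForSync(store, ['draft:1', 'draft:2', 'draft:3']);
```

In a real application the validation would run on the server as well, since the client-side copy of this code is just as editable as the data it checks; the schema check is deliberately strict about unexpected fields so that a record cannot smuggle in attributes the server never meant to accept from the client.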
Cross-domain communication
Earlier versions of HTML only allowed JavaScript to make XMLHttpRequests back to the originating server; HTML5 relaxes this restriction, and XMLHttpRequests can be sent to any server that allows such requests. Of course, this can also cause serious security problems if that server cannot be trusted.
"For example, I could build a mashup (an integrated application that combines two or more web applications using public or private databases) to pull scores from a third-party website through JSON (JavaScript Object Notation)," Cornell said. "That site may send malicious data to the application running in my user's browser. Although HTML5 allows the creation of new types of applications, it will pose a great security risk to users if developers do not understand the security significance of the applications they have built when they start to use these features."
Developers who rely on postMessage() to write applications must carefully check that a message really comes from their own website; otherwise malicious code on other sites may forge messages, Wysopal added. This feature itself is not secure, and developers have begun to use different DOM (Document Object Model) and browser capabilities to emulate cross-domain communication.
Another related issue is Cross-Origin Resource Sharing (CORS), the World Wide Web Consortium's design for letting a server bypass the same-origin policy through a similar cross-domain mechanism.
"The security features of IE's implementation are different from those of Firefox, Chrome, and Safari," he noted. "Developers need to make sure they do not create overly lax access control lists, especially because some of the reference code currently available is very insecure."
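The two checks this section calls for, verifying the origin of a postMessage() and avoiding an overly lax cross-origin access control list, look like the following. This is an added example, not code from the article or from Veracode; the trusted-origin allowlist, the message types, the handler table and the header-building functions are assumptions. The receiver is written as a plain function over a MessageEvent-like object so the logic can be exercised outside a browser, and the CORS part shows the lax setting beside the corrected one.

```javascript
// Added example, not the article's own code: two checks for the cross-domain
// features discussed above. Origins, message types and handlers are assumptions.

// Origins we trust to talk to this page and to call our API (assumed allowlist).
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'https://widgets.example.com']);

// --- postMessage receiver ---------------------------------------------------
// In a browser this would be registered with window.addEventListener('message', ...).
// It takes the MessageEvent-like object as a parameter so it can run in Node.
function handleMessage(event, handlers) {
  // 1. Any page on any site can post to this window, so event.origin, which the
  //    browser fills in and the sender cannot forge, is the thing to check first.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: `untrusted origin ${event.origin}` };
  }
  // 2. Even from a trusted origin, event.data is input: accept only the message
  //    types we defined, and never eval() it or insert it into the page as HTML.
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  const handler = handlers[data.type];
  if (!handler) return { accepted: false, reason: `unknown type ${data.type}` };
  return { accepted: true, result: handler(data.payload) };
}

// Sending side: always name the target origin instead of '*', so the message is
// not delivered if the frame has meanwhile been navigated to another site.
function postTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to postMessage with a wildcard target origin');
  targetWindow.postMessage(message, targetOrigin);
}

// --- CORS response headers --------------------------------------------------
// Lax: reflect whatever Origin the request carries and allow credentials, which
// lets any site make authenticated cross-origin requests to the API.
function corsHeadersLax(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected: only origins on the allowlist get CORS headers; for anyone else the
// response carries none, so the browser blocks the cross-origin read.
function corsHeadersStrict(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response depends on Origin, so caches must not serve it across origins.
    'Vary': 'Origin',
  };
}
```

The allowlist is a set of full origins (scheme, host and port), not hostnames or substrings: a check such as `origin.endsWith('example.com')` or `origin.includes('example.com')` is exactly the kind of lax access control the quote above warns about, because it also matches origins that merely contain that string.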
Iframe security
From a security perspective, HTML5 also brings useful features, such as the planned support for the sandbox attribute on iframe.
"This attribute will allow developers to choose how the data is interpreted," Wysopal said. "Unfortunately, like much of HTML, this design is likely to be misunderstood and disabled by developers because it is not easy to use. If handled properly, this feature will help protect against malicious third-party advertising or prevent replay of untrusted content."
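As an added example of using the sandbox attribute for the third-party advertising case Wysopal mentions, the helper below builds the iframe markup for untrusted content and refuses token combinations that would let the content escape. This is not code from the article; the token policy, the embedder origin and the escaping helper are assumptions. The one check that goes beyond the article, rejecting allow-scripts together with allow-same-origin for a same-origin document, follows the warning in the HTML specification that such a document can remove its own sandbox attribute.

```javascript
// Added example (not the article's code): building an iframe for untrusted
// third-party content, such as an ad, with the sandbox attribute the article
// mentions. The token policy and the embedder origin are assumptions; the note
// about allow-scripts plus allow-same-origin comes from the HTML specification.

// Sandbox tokens this helper is willing to hand out (a subset of the spec's list).
const SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
]);

function isSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Enough escaping for a value placed inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Returns the iframe markup, or throws when the requested tokens would give
// the framed content a way out of the sandbox.
function buildSandboxedIframe(src, tokens, embedderOrigin) {
  const set = new Set(tokens);
  for (const t of set) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token ${t}`);
  }
  // A same-origin document that gets both allow-scripts and allow-same-origin
  // can reach into its parent and strip its own sandbox attribute.
  if (set.has('allow-scripts') && set.has('allow-same-origin') && isSameOrigin(src, embedderOrigin)) {
    throw new Error('allow-scripts with allow-same-origin on same-origin content defeats the sandbox');
  }
  // Assumed policy: embedded third-party content never gets to navigate the top page.
  if (set.has('allow-top-navigation')) {
    throw new Error('allow-top-navigation is not granted to embedded content');
  }
  // An empty sandbox attribute is the most restrictive setting.
  const attr = set.size ? ` sandbox="${[...set].sort().join(' ')}"` : ' sandbox';
  return `<iframe${attr} src="${escapeAttr(src)}"></iframe>`;
}
```

Start from an empty `sandbox` and add only the tokens the embedded content demonstrably needs; each token re-enables one capability, so the attribute is easier to reason about when the list is short and reviewed, rather than disabled wholesale because one integration broke.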
That covers the security issues to keep in mind in HTML5 development. I hope the above content is of some help to you and that you can learn more from it. If you found the article useful, please share it so more people can see it.