4 Dec 2011

New Security Challenges from HTML5


As HTML5 gains in popularity, new web applications are being created on a daily basis. In terms of security, however, new challenges are also being created, particularly for enterprise security professionals.

Among the predictions for 2012: HTML5 introduces new capabilities for rich web applications, but in combination these capabilities may open new avenues of attack.

HTML4 has powered most of the web for many years. Because it is a language with limited capabilities, developers have complemented it by embedding interpreted objects such as JavaScript and Flash, among others. In terms of security, these objects are capable of compromising users, as they can be used to introduce and exploit vulnerabilities, which in turn made the whole system very insecure.

With HTML5, the need for these embedded objects is almost non-existent: the language and its standards already have the functionality and capabilities built in, so there is no need to use any of the interpreted objects.

These rich new capabilities include a full database that enables users to store gigabytes of information. As an example, developers and users can run full-frame animation and 3D virtual reality, or store applications inside the browser.

As a consequence, in terms of security, allowing data to be stored within the browser means that the browser itself can become both a target and a tool for cyber criminals.

Furthermore, the new sandboxing in HTML5 also makes "clickjacking" (tricking web users into revealing confidential information or taking control of their computer while clicking on a seemingly innocuous link) more of a risk, as web pages are no longer able to identify where commands are coming from. HTML5 also brings new capabilities around cookie manipulation, which could make the removal of cookies after a certain period redundant.
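The sandboxing point in practice: an iframe carrying the HTML5 `sandbox` attribute can stop the framed page's scripts from running, so a JavaScript frame-busting check never executes and framing has to be refused through response headers instead. The following is an added example, not code from the original post, that audits a response's headers for that protection; the function name `auditFraming` and the sample headers are constructed for illustration.

```javascript
// Added example: audit HTTP response headers for anti-framing protection.
// Header names are real; auditFraming and the sample inputs are constructed.
function auditFraming(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  let enforced = false;

  // 1. Content-Security-Policy: frame-ancestors lists who may frame the page.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // "*" or a bare scheme such as "https:" lets any site frame the page.
    const open = directive.slice(1)
      .filter((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(s));
    if (open.length > 0) {
      findings.push(`frame-ancestors is too broad: ${open.join(' ')}`);
    } else {
      enforced = true;
    }
  } else {
    // 2. Fallback: browsers consult X-Frame-Options only when
    //    frame-ancestors is absent. DENY and SAMEORIGIN are the usable values.
    const xfo = (h['x-frame-options'] || '').toUpperCase();
    if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
      enforced = true;
    } else if (xfo) {
      findings.push(`X-Frame-Options "${xfo}" is obsolete or invalid`);
    }
  }

  if (!enforced) {
    findings.push('no header stops other origins from framing this page');
  }
  return { framable: !enforced, findings };
}

// Constructed sample responses.
console.log(auditFraming({ 'X-Frame-Options': 'ALLOW-FROM https://partner.example' }));
console.log(auditFraming({ 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" }));
```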

If developers don't code their sites properly, the security implication is that bad code may run against a huge database of the URLs that users have visited and track all of the users' field input, all from within the browser.

Despite these new security challenges, there are also security benefits. These include a reduced need for unverified add-ons, the capability for client-side input validation, and libraries that can help deal with SQL injection challenges.
