While developing websites, enterprises have to target multiple devices, platforms, and browsers. HTML5 is emerging as the new standard for web developers. HTML5, along with CSS3 and JavaScript makes it easier for enterprises to make a website look good on both computers and mobile devices. The developers can further combine HTML5, CSS3, and JavaScript to make a website responsive without creating and maintaining separate code bases. The website owners also have the option to use various HTML5 website builders to create custom website and web applications. At the same time, HTML5 helps developers to keep the web applications maintainable and code base clean by providing new syntactical features.
The syntactical features further enable developers to embed graphics, video, and audio into web pages without using third-party tools and plug-ins. But HTML5, like other technologies, has its own pros and cons. Several studies suggest that HTML5 applications are vulnerable to varying security attacks if the code is not written properly. Hence, it becomes essential for organizations to know some of the major HTML5 vulnerabilities to build secure websites and keep corporate data secure.
Top 5 HTML5 Vulnerabilities Each Organization Must Know
1) PostMessage Vulnerabilities
As a robust HTML5 API, postMessage makes it easier for developers to facilitate cross-origin communication between web applications. The developers can use postMessage to make web pages communicate and exchange data regardless of their port, protocol, and hostnames. But developers often forget to implement Same-Origin Policy (SOP) while using postMessage. When the same origin policy is not implemented while using the HTML5 API, the web application becomes vulnerable to cross-site scripting attacks. The developers can easily prevent cross-site scripting attacks by validating the origin or source of message received by the application through the postMessage method. The developers even need to clearly specify the sender or receiver of the message exchange through the postMessage API.
2) CORS Vulnerabilities
When the developers do not implement a Same-Origin Policy, the HTML5 application becomes vulnerable to cross-origin resource sharing (CORS) issues. CORS keeps cross-domain requests secure by implementing three headers. But the developers must implement the headers properly to eliminate CORS vulnerabilities. They can easily prevent CORS attacks by setting value of the Access-Control-Allow-Credentials header as true. When the value of the header is set as true, the application will use and exchange cookies. The developers also need to use Access-Control-Allow-Origin header to specify the origin of web pages for making requests to the server and receiving responses from the web server.
3) Web Storage Vulnerabilities
The local or offline storage feature of HTML5 makes it easier for developers to store user data in a client-side database. They can even enhance the web application’s performance and user experience by storing the frequently accessed data in the client-side database. Despite improving user experience, the local storage feature makes the HTML5 application vulnerable to cross-site scripting (XSS) attacks. As the cyber criminal can access the client-side database through JavaScript code, they can easily inject malicious code or scripts as input through text fields. While enabling the localStorage feature, the developer must validate each text field. Also, they need to ensure that sensitive user data are not stored in the client-side database as they can be accessed by other users. They can even consider not storing any data in the database which can be stored or transmitted as plain text.
4) WebSockets Vulnerabilities
Many web developers nowadays use WebSockets to facilitate enable interactive and persistent communication sessions between the web server and browsers. During HTML5 application development, developers use WebSockets to facilitate real-time communication between the server and the client. But the WebSockets protocol lacks built-in authorization and authentication mechanism. Hence, the bidirectional client-server communication facilitated by WebSockets makes the web application vulnerable to Cross-Site WebSocket Hijacking (CSWSH) vulnerability. There are always chances that a user may access multiple WebSockets-enabled web applications on the same browser. If the users accessed any malicious site, it can control the user session through WebSockets.
5) Middleware Vulnerabilities
HTML5 makes it easier for developers to build cross-platform web applications. But the technology relies on a middleware framework to communicate with the underlying operating system in its native language. The middleware has the capability to accept both data and script as input, and execute the scripts automatically. Hence, the middleware framework makes the web application vulnerable to malicious code injection and cross-site scripting (XSS) attacks. While developing a HTML5 application, the developers must explore ways to prevent the middleware from accepting and executing malicious scripts. They must keep the data and script separated, restrict permissions to untrusted code, and prevent the middleware from accepting input from insecure sources.
On the whole, HTML5, like other technologies, has its own shortcomings and vulnerabilities. These HTML5 vulnerabilities make it easier for cyber criminals to execute targeted malware attacks and access corporate data. An organization must conduct proper web application testing continuously in varying user environments to combat these HTML5 vulnerabilities. Also, it must ask developers to overcome HTML5 vulnerabilities by implementing security best practices and referring to HTML5 security cheat sheet.
No Comment