The syntactical features further enable developers to embed graphics, video, and audio into web pages without using third-party tools and plug-ins. But HTML5, like other technologies, has its own pros and cons. Several studies suggest that HTML5 applications are vulnerable to varying security attacks if the code is not written properly. Hence, it becomes essential for organizations to know some of the major HTML5 vulnerabilities to build secure websites and keep corporate data secure.
Top 5 HTML5 Vulnerabilities Each Organization Must Know
1) PostMessage Vulnerabilities
As a robust HTML5 API, postMessage makes it easier for developers to facilitate cross-origin communication between web applications. The developers can use postMessage to make web pages communicate and exchange data regardless of their port, protocol, and hostnames. But developers often forget to implement Same-Origin Policy (SOP) while using postMessage. When the same origin policy is not implemented while using the HTML5 API, the web application becomes vulnerable to cross-site scripting attacks. The developers can easily prevent cross-site scripting attacks by validating the origin or source of message received by the application through the postMessage method. The developers even need to clearly specify the sender or receiver of the message exchange through the postMessage API.
2) CORS Vulnerabilities
When the developers do not implement a Same-Origin Policy, the HTML5 application becomes vulnerable to cross-origin resource sharing (CORS) issues. CORS keeps cross-domain requests secure by implementing three headers. But the developers must implement the headers properly to eliminate CORS vulnerabilities. They can easily prevent CORS attacks by setting value of the Access-Control-Allow-Credentials header as true. When the value of the header is set as true, the application will use and exchange cookies. The developers also need to use Access-Control-Allow-Origin header to specify the origin of web pages for making requests to the server and receiving responses from the web server.
3) Web Storage Vulnerabilities
4) WebSockets Vulnerabilities
Many web developers nowadays use WebSockets to facilitate enable interactive and persistent communication sessions between the web server and browsers. During HTML5 application development, developers use WebSockets to facilitate real-time communication between the server and the client. But the WebSockets protocol lacks built-in authorization and authentication mechanism. Hence, the bidirectional client-server communication facilitated by WebSockets makes the web application vulnerable to Cross-Site WebSocket Hijacking (CSWSH) vulnerability. There are always chances that a user may access multiple WebSockets-enabled web applications on the same browser. If the users accessed any malicious site, it can control the user session through WebSockets.
5) Middleware Vulnerabilities
HTML5 makes it easier for developers to build cross-platform web applications. But the technology relies on a middleware framework to communicate with the underlying operating system in its native language. The middleware has the capability to accept both data and script as input, and execute the scripts automatically. Hence, the middleware framework makes the web application vulnerable to malicious code injection and cross-site scripting (XSS) attacks. While developing a HTML5 application, the developers must explore ways to prevent the middleware from accepting and executing malicious scripts. They must keep the data and script separated, restrict permissions to untrusted code, and prevent the middleware from accepting input from insecure sources.
On the whole, HTML5, like other technologies, has its own shortcomings and vulnerabilities. These HTML5 vulnerabilities make it easier for cyber criminals to execute targeted malware attacks and access corporate data. An organization must conduct proper web application testing continuously in varying user environments to combat these HTML5 vulnerabilities. Also, it must ask developers to overcome HTML5 vulnerabilities by implementing security best practices and referring to HTML5 security cheat sheet.