With the widespread adoption of HTML5 and responsive web design, companies need to be aware, as with any new technology, of the security implications of their design choices. What we are seeing with HTML5 is that a number of threats which are less of a concern for traditional web applications are re-emerging, and they appear to have a greater impact on HTML5 applications.
Traditional Vulnerabilities Still Apply
An important thing to consider when developing HTML5 applications is that no matter where the application is deployed, whether on a mobile device or as a web application, the same security best practices for web development still apply. HTML5 applications, regardless of deployment, can still be plagued by the same vulnerabilities as web applications (SQL injection, cross-site scripting, weak encryption, business logic attacks, etc.). When developing in an HTML5 environment one must consider all web application vulnerabilities as well as a number of other key threats.
Cross Origin Resource Sharing
Modern HTML5 applications often make use of resources and libraries hosted within a company’s control as well as libraries hosted by other providers. It is also common for libraries to make use of shared storage locations and resources. One trend we are seeing with HTML5 applications is that they are often configured to allow resources to be used and shared with external, untrusted sources. When developing HTML5 applications, if the application is processing or storing any sensitive data or transactions, every effort should be made to ensure that no data is leaked to external sources. Often the mitigation strategy to prevent such data leakage is to implement technical policies and configurations that prevent the flow of data to an untrusted source. A company should make every effort to reduce its exposure in this area by limiting its dependence on untrusted code sources and libraries. If an untrusted external source must be used, then the application or server making the request for the external source should be restricted to using resources only from an explicit whitelist of sources.
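The whitelist described above is usually enforced on the server by answering cross-origin requests only for origins it recognises. The following is an added example, not code from the original article, of that decision implemented for a Node.js HTTP handler: the response carries `Access-Control-Allow-Origin` only when the request's `Origin` header exactly matches an allowlisted entry, and a non-matching origin gets no CORS headers at all, so the browser refuses the cross-origin read. The origins in the allowlist and the JSON payload are constructed sample values.

```javascript
// Added example (not from the original article): origin allowlisting for CORS.
// Assumes a Node.js-style (req, res) handler; allowlist entries are constructed samples.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',      // constructed: the application's own origin
  'https://partner.example.org',  // constructed: one vetted external consumer
]);

// Decide the CORS response headers for one request.
// Returns an object of headers to set, or null when the origin is not allowed.
// A null result means no Access-Control-* headers are emitted at all, which is
// what makes the browser block the cross-origin read.
function corsHeadersFor(origin, requestMethod) {
  if (typeof origin !== 'string') return null;   // same-origin or non-browser client
  // Exact-match the full origin string (scheme, host and port). Never use a
  // substring, prefix or regex test: "https://app.example.com.evil.example"
  // would pass a naive startsWith() check.
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,  // echo the single matched origin, never '*'
    'Vary': 'Origin',                        // shared caches must key on the Origin header
    'Access-Control-Allow-Credentials': 'true',
  };
  if (requestMethod === 'OPTIONS') {
    // Preflight answer: keep the allowed methods and headers to what the API needs.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Minimal request handler showing how the decision is applied to a response.
function handleRequest(req, res) {
  const cors = corsHeadersFor(req.headers.origin, req.method);
  if (cors) {
    for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    // Unknown origins get a bare 403 with no CORS headers.
    res.statusCode = cors ? 204 : 403;
    return res.end();
  }
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ balance: 1234 })); // constructed sensitive payload
}
```

`handleRequest` can be passed straight to `http.createServer`; the allowlist is the only place that needs to change per deployment, and reviewing it is a quick way to find out whether an application is sharing data with sources nobody vetted.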
Multi-Platform Development Tools
HTML5 applications often make use of local storage in the browser’s memory space or on the mobile device. While use of this feature can make for a better user experience, all too often in our assessments we find sensitive user data throughout the user’s memory space. Developers should assume that any data put in the user’s memory space can be viewed and manipulated by other applications or malicious actors.
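One way to catch the problem described above before an assessor does is to audit what the application has actually written to Web Storage. The following is an added example, not code from the original article, of such an audit: it walks a `Storage`-like object (in a browser, `window.localStorage`), flags keys whose names suggest credentials, values shaped like JWT bearer tokens, and values containing a Luhn-valid card number. The `makeFakeStorage` stand-in and the `SAMPLE` entries, including the JWT-shaped string and the `4111 1111 1111 1111` test card number, are constructed so the audit runs outside a browser.

```javascript
// Added example (not from the original article): audit of Web Storage contents for
// data that should never be kept client-side. All sample entries are constructed.

// Luhn check, used to recognise payment card numbers with few false positives.
function luhnValid(digits) {
  if (digits.length < 13) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Three base64url segments separated by dots: the shape of a JWT.
const JWT_RE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
// 13 to 19 digits, optionally separated by spaces or dashes.
const CARD_RE = /\b(?:\d[ -]?){13,19}\b/;
// Key names that almost always mean a secret has been persisted.
const SENSITIVE_KEY_RE = /(password|passwd|secret|token|session|ssn|card)/i;

// Classify one key/value pair; returns a reason string, or null if nothing was detected.
function classify(key, value) {
  if (SENSITIVE_KEY_RE.test(key)) return `key name suggests a secret (${key})`;
  if (JWT_RE.test(value)) return 'value looks like a JWT (bearer token)';
  const m = CARD_RE.exec(value);
  if (m && luhnValid(m[0].replace(/[ -]/g, ''))) {
    return 'value contains a Luhn-valid card number';
  }
  return null;
}

// Walk a Storage-like object and return every finding as { key, reason }.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const reason = classify(key, String(storage.getItem(key)));
    if (reason) findings.push({ key, reason });
  }
  return findings;
}

// Constructed stand-in for localStorage so the audit can run outside a browser.
function makeFakeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] };
}

const SAMPLE = makeFakeStorage({
  theme: 'dark',
  authToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcdefghijklmnop', // constructed JWT-shaped value
  lastOrder: 'paid with 4111 1111 1111 1111 on 2023-01-01',            // constructed test card number
  cartCount: '3',
});

// Running the audit over the constructed sample reports authToken and lastOrder.
console.log(auditStorage(SAMPLE));
```

In a real page the same `auditStorage(window.localStorage)` call can be pasted into the browser console after walking through the application's sensitive flows; anything it reports is data that survives the session and is readable by any script running on that origin.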
Click/Tap-Jacking (Cross Frame Scripting)
Click-Jacking can occur when a malicious user loads a window or frame on top of a running application. The malicious user then entices a regular user to perform tap or click actions that are passed through to the application running underneath the window. Often the targets of these types of attacks are financial transactions or user account management. In mobile and HTML5 applications we are seeing that the impact of these types of attacks is often quite severe, as malicious users are sometimes able to manipulate any action on a user’s mobile device. The best way to protect an application from being exploited by this type of attack is to put checks in place to ensure that the application is loaded in the frontmost view, and to configure the application server to only distribute the application if it is in the uppermost view. This server configuration setting is referred to as the X-Frame-Options header.
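Both halves of the defence described above, the server-side framing policy and the in-page check that the application is the frontmost view, are shown in the following added example, which is not code from the original article. `antiFramingHeaders` builds the `X-Frame-Options` header together with its modern equivalent, the `Content-Security-Policy` `frame-ancestors` directive, for a given policy; `isTopLevel` and `applyFrameGuard` are the client-side check that hides the UI when the page finds itself inside another frame. The policy values and the `fakeWindow`/`fakeDocument` stand-ins are constructed so the code runs outside a browser.

```javascript
// Added example (not from the original article): server-side anti-framing headers plus
// a client-side top-level check. Policy values and the fake window/document are constructed.

// Build the response headers for a framing policy:
//   'deny'   forbid all framing
//   'self'   allow only same-origin framing
//   [..]     allow same-origin plus the listed origins (constructed example values)
function antiFramingHeaders(policy) {
  if (policy === 'deny') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  if (Array.isArray(policy) && policy.length > 0) {
    // Only CSP can name specific framing origins. X-Frame-Options ALLOW-FROM is
    // obsolete, and browsers that understand frame-ancestors ignore X-Frame-Options
    // when both headers are present, so X-Frame-Options is omitted here.
    return { 'Content-Security-Policy': `frame-ancestors 'self' ${policy.join(' ')}` };
  }
  throw new Error('unknown framing policy');
}

// Client-side check: true when `win` is the top-level browsing context.
// The headers are the real control; this is defence in depth for a response that
// reaches the browser without them (for example, a proxy that stripped headers).
function isTopLevel(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    // Accessing win.top can throw under cross-origin framing; treat that as framed.
    return false;
  }
}

// Hide the UI when framed so that no tap or click can reach the underlying page.
// Returns what was done so callers (and tests) can observe the decision.
function applyFrameGuard(win, doc) {
  if (isTopLevel(win)) return 'visible';
  doc.body.style.display = 'none';
  return 'hidden';
}

// Constructed stand-ins for window and document, used to exercise the guard here.
function fakeWindow(framed) {
  const w = {};
  w.self = w;
  w.top = framed ? {} : w;   // a framed page sees a different object as top
  return w;
}
function fakeDocument() {
  return { body: { style: { display: '' } } };
}

console.log(antiFramingHeaders('deny'));
console.log(applyFrameGuard(fakeWindow(true), fakeDocument()));   // 'hidden'
```

In a browser the guard is called as `applyFrameGuard(window, document)` at the top of the page's first script. For a financial or account-management view the `'deny'` policy is the right default; loosen it to `'self'` or an explicit origin list only for the specific responses that a known partner genuinely needs to embed.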