Thursday, December 8, 2011

Top 10 HTML5 Threats & Attack Vectors

Emerging as popular standard to create Rich Internet Applications and competing with technology stacks like Adobe’s Flex/Flash and Microsoft’s Silverlight is  HTML5[1]. HTML5 brings several new features and functionalities that allow developers to create really attractive and robust applications.  These applications can run on any browser and platform, although with some limitations. HTML5 applications are also supported by mobile devices. Hence, you can create your application once and run it on several devices and browsers. Each time, every new technology stack throws up new security challenges and vulnerabilities. HTML 5, though very promising, is no different. There are security concerns that need to be addressed when creating applications. Let us look at the top 10 possible attack vectors associated with HTML5 and modern browser architecture.

Read full article here (net-security.org)

Top 10 Attack Vectors

1.  ClickJacking & Phishing by mixing layers and iframe         
2.  CSRF and leveraging CORS to bypass SOP             
3.  Attacking WebSQL and client side SQL injection
4.  Stealing information from Storage and Global variables 
5.  HTML 5 tag abuse and XSS          
6.  HTML 5/DOM based XSS and redirects  
7.  DOM injections and Hijacking with HTML 5          
8.  Abusing thick client features      
9.  Using WebSockets for stealth attacks    
10.Abusing WebWorker functionality           

Browser Attack Surface and Layers