HTMLBasicTutor
08-11-2011, 04:47 PM
Interesting read. Something early adopters of HTML 5 should be aware of:
Although HTML 5 doesn't open up many new attacks, it does open up a broader surface for these attacks. Some examples are the new event attribute in the video tag. This can be used to inject JavaScript in an XSS attack and bypass traditional filters that would have traditionally caught the JavaScript execution of such a scripting attack.
Another method is to use the drag and drop functionality in HTML5 to hide hidden information and trick the user into dropping and dragging this into say a form control. This is a “ClickJacking” attack.
Another attack is HTML cache poisoning, where you can keep a cache alive longer than it should be so you can steal the user’s credentials or even create an HTML5 generated botnet. As HTML and CSS get more sophisticated, these mark-up languages become even more vulnerable to scripting, tunneling, hijacking and a whole variety of attacks.
Think this is years away? No, it can all be done today on any modern browser – even if your site is in HTML5, even if it isn’t using most HTML5 functionality.
Suggestion: Learn the HTML5 vulnerabilities and then prepare the best you can to eliminate those and the use of vulnerable tagging.
5 Black Hat Attack Vulnerabilities & Defensive Strategies (http://searchenginewatch.com/article/2100972/5-Black-Hat-Attack-Vulnerabilities-Defensive-Strategies)
Although HTML 5 doesn't open up many new attacks, it does open up a broader surface for these attacks. Some examples are the new event attribute in the video tag. This can be used to inject JavaScript in an XSS attack and bypass traditional filters that would have traditionally caught the JavaScript execution of such a scripting attack.
Another method is to use the drag and drop functionality in HTML5 to hide hidden information and trick the user into dropping and dragging this into say a form control. This is a “ClickJacking” attack.
Another attack is HTML cache poisoning, where you can keep a cache alive longer than it should be so you can steal the user’s credentials or even create an HTML5 generated botnet. As HTML and CSS get more sophisticated, these mark-up languages become even more vulnerable to scripting, tunneling, hijacking and a whole variety of attacks.
Think this is years away? No, it can all be done today on any modern browser – even if your site is in HTML5, even if it isn’t using most HTML5 functionality.
Suggestion: Learn the HTML5 vulnerabilities and then prepare the best you can to eliminate those and the use of vulnerable tagging.
5 Black Hat Attack Vulnerabilities & Defensive Strategies (http://searchenginewatch.com/article/2100972/5-Black-Hat-Attack-Vulnerabilities-Defensive-Strategies)