Tuesday, May 18, 2010

HTML 5 – Security Challenges

No post recently due to the extreme lack of anything interesting to post about. Finally yesterday something turned up via the unlikely source of a LinkedIn group. LinkedIn Groups are usually a hotbed of inanity or self-promoters, but the OWASP French Chapter bucked the trend by pointing me in the direction of this HTML 5 article on eWEEK. HTML 5 has been much in the news recently because of the debate over the H.264 video format, and its new features present some interesting challenges for security. Client-side storage is one area the article highlights. HTML 5 allows for three types of client-side storage:

Session Storage: similar to cookies but able to hold much more information.

Local Storage: similar to session storage but available to all browser windows and persistent after a window is closed.

Database Storage: structured data saved in a real local SQL database.

The most obvious security risk that springs to mind is data leakage from what is left behind after an application is closed, but there are also other possibilities such as cross-domain request forgery and perhaps even local SQL injection!
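Two of those risks in code, as an added example that is not part of the original post. It assumes the legacy Web SQL Database API (`tx.executeSql(sql, args, onSuccess)` with `?` placeholders) and the Web Storage objects `sessionStorage` and `localStorage`; the `notes` table and key names are made up for illustration.

```javascript
// Added example, not code from the original post. It illustrates two of the
// risks named above: a "local SQL injection" against the (legacy) Web SQL
// Database API, and data left behind in persistent client-side storage.
// Assumed APIs: Web SQL's tx.executeSql(sql, args, onSuccess) with '?'
// placeholders, and the Web Storage objects sessionStorage / localStorage
// (setItem, getItem, removeItem, clear). Table and key names are hypothetical.

// Unsafe: user-controlled text is pasted into the SQL statement itself, so a
// quote character in the input changes the meaning of the query.
function unsafeLookupSql(owner) {
  return "SELECT id, body FROM notes WHERE owner = '" + owner + "'";
}

// Safe: the statement is fixed and the value travels separately in the args
// array, which is exactly what executeSql(sql, args) expects. The engine binds
// it as data, never as SQL.
function safeLookup(owner) {
  return { sql: "SELECT id, body FROM notes WHERE owner = ?", args: [owner] };
}

// Runs the safe form against an opened Web SQL database object.
function runSafeLookup(db, owner, onRows) {
  const q = safeLookup(owner);
  db.transaction(function (tx) {
    tx.executeSql(q.sql, q.args, function (_tx, result) {
      onRows(result.rows);
    });
  });
}

// Leakage control: sensitive values go to sessionStorage, which is discarded
// when the window closes; only harmless preferences go to localStorage, which
// persists across windows and browser restarts.
// `stores` is { session: sessionStorage, local: localStorage } in a browser.
function saveValue(stores, key, value, sensitive) {
  const target = sensitive ? stores.session : stores.local;
  target.setItem(key, value);
  return sensitive ? "session" : "local";
}

// Called on logout: wipe everything the session put in client-side storage,
// rather than relying on the window being closed.
function clearSensitive(stores) {
  stores.session.clear();
}
```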

The article also highlights that HTML 5 widens the scope for cross-domain communication by JavaScript, which allows for more powerful applications but also opens up possibilities for abuse.

A little extra research suggests that the above features can be implemented securely, but as ever it depends on the developer’s ability to understand the technology and to know how to code in a secure manner.
