HTML5 Security Vulnerabilities and Language Overview

What is HTML5?

HTML5 was officially published in October 2014 by the World Wide Web Consortium (W3C), although adoption began earlier by forward-thinking organizations and developers who wanted to utilize its futuristic functionalities.

HTML5 (HyperText Markup Language 5) is the markup language used for structuring and presenting content on the World Wide Web. HTML5 is made up of three different kinds of code: HTML, which gives websites their structure; Cascading Style Sheets (CSS), which give websites their presentation attributes; and JavaScript, which powers a majority of the functions that we are used to on modern websites.

HTML5 boasts support for the latest multimedia and is easily readable by humans while consistently understood by computers, browsers and parsers. HTML5 includes features designed for low-powered devices which makes it ideal for hybrid mobile applications.

Setting HTML5 apart from Flash is the fact that HTML5 on its own cannot be used for animation or interactivity since it needs CSS3 or JavaScript to accomplish either.

Source: Wikipedia

Why Was HTML5 Created?

Prior to the release of HTML5, websites were powered by HTML4 which was originally released way back in 1997. While HTML4 was able to deliver the functionalities needed in the earlier stages of widespread internet adoption, as web applications progressed further and further in their functionalities, the demand increased for a markup language that was able to deliver more than simply the static pages that HTML4 was capable of.

HTML4 relied on the heavy use of plugins to provide website users with any functionalities that went beyond simple text and images, something we now take for granted. The use of such a multitude of plugins caused problems for websites which were viewed on multiple browsers and devices since some functionalities may be lost if plugins were not supported.

HTML5 introduced the following elements, which have transformed once-static websites into the rich, immersive experiences and application platforms that they are today.

  • New semantic elements like , , , and .
  • New attributes of form elements like number, date, time, calendar, and range.
  • New graphic elements: and .
  • New multimedia elements:

Security Threats from Hybrid Mobile Applications

With the new functionalities introduced by HTML5, mobile developers are able to build applications which are easily adapted to both Android and iOS devices. Developers use platforms such as Cordova (and Cordova-based tools such as PhoneGap), Appcelerator Titanium and Xamarin to create these “hybrid apps”, which are easier to create than platform-dependent native applications but often lack platform-specific native features.

With the convenience of creating hybrid apps, however, comes increased security risk, as native applications are able to leverage platform-specific built-in security features. Hybrid apps are dependent on webviews, which can make them vulnerable to injection attacks when using certain APIs.

HTML5 Security Vulnerabilities

As with any introduction of new functionality, there comes risk. In addition to the rich websites powered by HTML5 that we use to conduct all our online browsing, shopping, communication and more, many of the applications that we trust with highly personal data are also developed in HTML5 in order to make them fully functional across all mobile platforms. With this in mind, it’s critical that developers coding in HTML5 ensure that their applications are free from any security flaws that could put the sensitive data that they transmit and store in danger.

Security threats occur when multiple facets of HTML5 are not securely implemented. These include communication APIs (web messaging, cross-origin resource sharing, web sockets and server-sent events), storage APIs (local storage, client-side databases), geolocation, web workers, sandboxed frames and offline applications.

OWASP recommends using the following HTTP headers to further enhance HTML5 security: X-Frame-Options, X-XSS-Protection, Strict Transport Security, Content Security Policy and Origin.
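The following is an added example, not code from the original page or from OWASP: a check of a response's header values (not just their presence) for X-Frame-Options, Strict-Transport-Security and Content-Security-Policy, plus an exact-match allowlist test for the Origin request header. The 180-day HSTS threshold, the finding strings and the function names are assumptions made for the example.

```javascript
// Added example: audit response headers named in the list above.
const MIN_HSTS_SECONDS = 15552000; // assumed threshold: 180 days

// "default-src 'self'; script-src 'self'" -> { 'default-src': [...], 'script-src': [...] }
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers honour only the first occurrence of a directive.
    if (name && !(name.toLowerCase() in out)) out[name.toLowerCase()] = sources;
  }
  return out;
}

function auditSecurityHeaders(rawHeaders) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!xfo) findings.push('X-Frame-Options: missing');
  else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('X-Frame-Options: unsupported value');

  const hsts = h['strict-transport-security'];
  const age = hsts ? /max-age\s*=\s*"?(\d+)/i.exec(hsts) : null;
  if (!hsts) findings.push('Strict-Transport-Security: missing');
  else if (!age || Number(age[1]) < MIN_HSTS_SECONDS) findings.push('Strict-Transport-Security: max-age absent or too short');

  const csp = h['content-security-policy'];
  if (!csp) findings.push('Content-Security-Policy: missing');
  else {
    const d = parseCsp(csp);
    const script = d['script-src'] || d['default-src'];
    if (!script) findings.push('Content-Security-Policy: no script-src or default-src');
    // 'unsafe-inline' is ignored by browsers when a nonce or hash source is also present.
    else if (script.includes("'unsafe-inline'") && !script.some(s => /^'(nonce|sha(256|384|512))-/.test(s)))
      findings.push("Content-Security-Policy: 'unsafe-inline' scripts allowed");
  }
  // X-XSS-Protection is not checked: current major browsers no longer implement the filter it controlled.
  return findings;
}

// Origin is a request header: compare it exactly against an allowlist, never by substring.
function isTrustedOrigin(originHeader, allowlist) {
  return typeof originHeader === 'string' && allowlist.includes(originHeader);
}
```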

HTML5 Security Vulnerabilities in JavaScript:

  • Medium Threat: Client HTML5 Information Exposure
  • Medium Threat: Client HTML5 Insecure Storage
  • Medium Threat: Client HTML5 Store Sensitive data In Web Storage
  • Low Visibility: Client HTML5 Easy To Guess Database Name
  • Low Visibility: Client HTML5 Heuristic Session Insecure Storage

Read more about HTML5 security threats in OWASP’s HTML5 Security Cheat Sheet.
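To make the web storage findings above concrete, here is an added example (not from the original page and not CxSAST's logic) that walks any object exposing the standard Storage interface and flags entries that look like credentials or session material. The name patterns, the JWT shape test and the in-memory storage stand-in are assumptions made for the example.

```javascript
// Added example: heuristic audit of localStorage/sessionStorage contents.
// Assumed patterns; tune them for the application being reviewed.
const SENSITIVE_KEY = /(pass(word|wd)?|secret|token|session|auth|jwt|api[-_]?key|ssn|card)/i;
const JWT_SHAPE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$/;

// Stored values are often JSON; walk them so nested credentials are seen too.
function collectStrings(value, path, out) {
  if (typeof value === 'string') out.push([path, value]);
  else if (value && typeof value === 'object')
    for (const [k, v] of Object.entries(value)) collectStrings(v, `${path}.${k}`, out);
}

function auditWebStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const raw = storage.getItem(key);
    let parsed = raw;
    try { parsed = JSON.parse(raw); } catch (_) { /* plain string value */ }
    const leaves = [];
    collectStrings(parsed, key, leaves);
    if (leaves.length === 0) leaves.push([key, String(raw)]); // numbers, booleans, null
    for (const [path, text] of leaves) {
      if (JWT_SHAPE.test(text)) findings.push({ path, reason: 'value looks like a JWT' });
      else if (SENSITIVE_KEY.test(path) && text !== '') findings.push({ path, reason: 'sensitive-looking name' });
    }
  }
  return findings;
}

// Constructed in-memory stand-in for window.localStorage so the audit runs outside a browser.
function makeMemoryStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}
```

In a browser, the same function can be called as auditWebStorage(window.localStorage) and auditWebStorage(window.sessionStorage) during a review of the running application.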

Securing your HTML5 Code

Checkmarx’s CxSAST, a static code analysis solution, stands out amongst HTML5 testing solutions as not only the solution which will keep your HTML5 free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.

CxSAST works with the tools your developers are already using, as it seamlessly integrates with most of the common development programs available at every stage of the SDLC. CxSAST’s features, such as incremental code scanning and the best fix location, make it ideal for any continuous integration/continuous development (CI/CD) environment.

When vulnerabilities are detected in the HTML5 code, CxSAST will not only identify the best fix location, but will also offer resources to help the developer understand how the attack vector works, as well as remediation advice which will help them ensure similar mistakes are avoided in the future.