ISSA International Conference
Attacking and Defending HTML5 Web Environments

Posted By George Hulme, Thursday, October 25, 2012
Updated: Thursday, October 25, 2012

As attendees of the ISSA International Conference this week know, any change to IT systems is very likely to also change an organization’s risk posture. For better or for worse, the latest version of the HTML standard, HTML5, will be no different: it holds the potential both to reduce and to create risk, depending on numerous factors.


HTML5 promises to improve the HTML standard, especially by displaying multimedia content natively rather than through web browser plug-ins. In his presentation, Attacking and Defending HTML5 Web Environments, Pete Lindstrom, research director at market research firm Spire Security, attempted to put the risk associated with HTML5 technologies into perspective.


“Folks need to acknowledge and understand that HTML5 applications are here in lots of ways, and the growth is continuing,” Lindstrom said. “HTML5 increases the web attack surface. And security teams need to understand its impact on their environment,” he said.


As the argument goes, many of the capabilities of Flash, Java, Ajax, and Comet are rolled into HTML5. “The notion is that this will reduce the attack surface and you get a more simplified and secure browser,” Lindstrom said. “It’s an interesting argument, but if organizations don’t understand how it can also increase their attack surface, HTML5 could in fact increase risk,” he said.


“What else it can do is accelerate the development of new apps and new functionality that hasn’t been used in the past within organizations,” he said. “This will increase enterprises’ attack surface because it’s growing. This is just an acceleration factor or catalyst for greater use, and therefore it’s up to us to determine how we’re going to manage these paths that are becoming more robust,” he said.


One of the things HTML5 will help with is simplifying how data is shared across different domains and web sites, and it should also provide more control over that data. “If you’re currently employing lots of workarounds to share data from one app or URL to another, then HTML5 is going to provide a way for you to clean those abilities up. If you are not currently doing those things but aim to do so, this gives you an easier way to do so,” he said.


However, such data sharing across web sites increases the potential for attacks and for data to be abused. In HTML5, many old, familiar attacks will still work, such as DNS rebinding, man-in-the-middle, and session hijacking, among others. And there are new attacks as well that must be contended with, including the promiscuous asterisk (an Access-Control-Allow-Origin: * response header that lets any origin read the response), client-side SQL injection (against browser-side Web SQL databases), botnet-in-the-browser, and Evercookie (a tracking identifier that re-creates itself from whichever client-side storage mechanisms survive cookie deletion).


According to Lindstrom, there are also three key, broad changes HTML5 brings when it comes to incremental risk. Its collaborative features create more entry points for attack; its persistence (client-side storage that outlives a session) makes longer-lived exploits possible; and its increased communication capabilities mean ongoing vulnerabilities and threats.


What should organizations do to reduce their risk? “What I don’t see is people leveraging that opportunity to employ more controls over their data,” Lindstrom said. Part of that solution could include applying the Web Origin Concept (RFC 6454, the scheme/host/port boundary browsers use to decide which sites may read each other’s data), as well as updating the settings within web security gateways so that they can address the new capabilities for data sharing found in HTML5. Enterprises also need to make certain that they understand how data can be (read: will be) ultimately shared in their applications if they plan to control risk.
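Two of the points above, the promiscuous asterisk and origin-based control of shared data, come down to the same decision: which web origin is allowed to read or send a given piece of data. The following is an added example (not code from Lindstrom’s talk or from the ISSA post) that shows that decision in JavaScript for a CORS response and for a postMessage receiver, with a weak version beside the hardened one. It runs under Node.js; the HTTP header and message event objects, the allowlist, and the sample events are all constructed for this example.

```javascript
// Added example, not from the original post: origin checks for two HTML5
// data-sharing paths. Browser objects (postMessage events, response headers)
// are modelled as plain objects so the logic runs offline under Node.js.

// Reduce a URL or Origin header value to its web origin (scheme, host, port)
// as defined by the Web Origin Concept (RFC 6454). Unparsable input maps to
// the opaque "null" origin, which must never be trusted.
function originOf(url) {
  try {
    return new URL(url).origin; // lowercases the host, drops default ports
  } catch (e) {
    return "null";
  }
}

// Hypothetical allowlist for this example: exact origins only, no wildcards,
// no bare hostnames, no substrings.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org",
]);

// --- 1. CORS response policy ----------------------------------------------

// The "promiscuous asterisk": any origin on the web may read the response.
// Fine for genuinely public data; a data leak for anything user-specific.
function corsHeadersPromiscuous() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened policy: echo the request's Origin only when it is allowlisted,
// grant credentials only to those origins, and send Vary: Origin so shared
// caches do not serve one origin's response to another.
function corsHeadersStrict(requestOrigin) {
  const origin = originOf(requestOrigin);
  if (origin === "null" || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no ACAO header at all: the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// --- 2. postMessage receiver ----------------------------------------------

// Weak check seen in real code: substring match on event.origin. A message
// from https://app.example.com.attacker.test passes it.
function acceptsMessageWeak(event) {
  return event.origin.indexOf("example.com") !== -1;
}

// Strict check: exact match against the allowlist; the opaque "null" origin
// (sandboxed iframes, file: and data: URLs) is rejected outright.
function acceptsMessageStrict(event) {
  return event.origin !== "null" && ALLOWED_ORIGINS.has(event.origin);
}

// Same shape as a window "message" listener, but returns the decision so it
// can be inspected without a DOM. event.data stays untrusted input even from
// an allowed origin: validate its shape, never eval() or innerHTML it.
function onMessage(event) {
  if (!acceptsMessageStrict(event)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  const d = event.data;
  if (typeof d !== "object" || d === null || typeof d.type !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  return { accepted: true, type: d.type };
}

// Constructed sample events for this example, not captured from any site.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "sync" } },
  { origin: "https://app.example.com.attacker.test", data: { type: "sync" } },
  { origin: "null", data: { type: "sync" } },
  { origin: "https://partner.example.org", data: "just a string" },
];

// Run both policies over the samples and return the decisions side by side.
function demo() {
  const cors = {
    promiscuous: corsHeadersPromiscuous(),
    allowed: corsHeadersStrict("https://App.Example.com:443"),
    denied: corsHeadersStrict("https://evil.test"),
  };
  const messages = SAMPLE_EVENTS.map((ev) => ({
    origin: ev.origin,
    weak: acceptsMessageWeak(ev),
    strict: onMessage(ev),
  }));
  return { cors, messages };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is that both hardened paths fail closed: an origin that is absent from the allowlist gets no Access-Control-Allow-Origin header rather than a fallback of `*`, and a message from an unrecognized origin is dropped before its payload is even inspected. Exact-match comparison on the normalized origin string is what makes the substring and subdomain tricks in the sample events fail.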
