The Security Risks of HTML5 Development 275
CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."
Re:No risks here (Score:2, Informative)
The risk is that in case the client computer is compromised (and a lot of them are) the attacker can steal data that is normally stored server-side. Say what you want, there are more clients-zombies than compromised servers. OTOH, if you have your client compromised, the convenience of stealing a stored session instead of hijacking it while it lasts isn't all that much of a gain for the attackers.
Re:Real developers don't do web development (Score:2, Informative)
I've lived it - you haven't (Score:5, Informative)
I'm sorry... are you saying $175,000/ year isn't a FUCK TON of money?
Basically that is exactly what I'm saying. While no one is asking anyone to cry for the doctors, you seem to think they are incredibly wealthy which demonstrably is not true. Many do quite well in the long run but they pay a steep price to get there.First off that is gross pay and makes no allowance for cost of living in your area. $175K in NYC doesn't go far when even a crappy condo can easily cost $500K. Where I live the gross salary for a GP is more like $90-120K/year. Cut that salary number in half once taxes are taken into account. Furthermore a huge number of doctors graduate with between a quarter million to a half million in debt from their schooling. That takes $20-50K per year right off the top of their pay just in debt service. Don't forget the huge insurance costs which are in the tens of thousands of dollars. Also bear in mind that doctors are not paid for the 4 years on medical school on top of 4+ years of undergrad school and are paid a rather low salary (usually around $40K/year) while in residency which can last for between 3-8 years. That's effectively a decade or more of less than minimum wage work once you calculate the hourly wage while piling up enough debt to pay for a fairly nice house. The opportunity cost is enormous.
Did you start your career 10 years after your college educated peers with a mountain of debt and limited transferable skills? Did anyone have to pass laws to prohibit you from being forced to work more than 80+ hours a week for no extra compensation? (laws which regularly get ignored and endanger patients by the way) Have you ever been required to work 36 hour shifts without any sleep? No. You just looked at the gross salary number and decided they make just a bit less than Bill Gates and live lives of luxury and ease. The real world is a little more complicated than a gross salary figure.
60 - 80 hours a week? Welcome to minimum wage just trying to get by while supporting a family.
I've been there working very long hours for minimum wage or less. Know what? Doctors often have it worse when it comes to lifestyle. They give up a decade or more of your life training working your ass off for an hourly rate of less than minimum wage just to get started in your career with a mountain of debt. They might make a decent salary but many of them hardly get to enjoy it. I've worked a 14 hour day, and my wife who left for work before me was still at work. I've seen her pull 36 hour shifts at the hospital. Being on call means you effectively do not get any sleep and some doctors are on call as often as every 3rd or 4th night and they often don't get a day off in between. My wife spent a year or two working for minimum wage in a lab before medical school and refers to it as the happiest year of her life. Sure she had to scrape to make ends meet but her time outside of work was her own. Becoming a doctor is a objectively miserable experience and even once you begin your career the lifestyle still sucks for many doctors. I don't know how many I've spoken to who would choose another profession if they had the chance to do it all over.
FIX YOUR PERSPECTIVE!
You have no idea what my perspective is. I've been poorer than a church mouse and worked my ass off to get where I am today. I've also have worked with and lived with doctors (including my wife) and seen what they have to go through first hand. I know up close and personal what I am talking about and I'm pretty sure you do not.
Cross-site Security Issues (Score:4, Informative)
Yep. I'm a long-time web developer, and I do a lot of thinking about security and the sorry state of it on the Internets.
Any time you decide to include third-party code in your pages, you are asking for trouble. The list of hijinx that a third-party script can cause (even with strong cross-domain protection) is limited only by the imagination of the attacker. For instance, even if they can't get at your precious session cookie or local storage data, an attacker can modify the DOM, right? And show a big, window-filling DIV that looks exactly like your login screen, complete with your own assets. Good fun.
I cringe when I see big, commercial sites that ought to no better include trackers and other code from services they do not control -- in many cases poorly-funded startups that could fold or be bought out overnight. And if someone unscrupulous gets ahold of the company, or just the domain? Boom, code injection across your entire site.
Because that's exactly what we're talking about: remote code injection as a best practice. It's the most ridiculous head-in-the-sand way to deploy software ever invented. You would never stand for this kind of thing on your desktop (running an unsigned executable over http) but for some reason it's how things are done on web pages. Sure, your browser provides a sandbox, but everything inside that sandbox (your web app!) can still get arbitrarily hacked.
Web security is a huge freaking mess, and it's going to take us a generation to undo the standard procedures and move to a place where security and privacy are more than just buzzwords.