
The Security Risks of HTML5 Development

Posted by samzenpus
from the protect-ya-neck dept.
CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."
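The two risks the summary names, as an added example that is not code from the article or from any commenter: data read back from Web Storage is attacker-controllable and has to be validated like any other client input, and a CORS responder must echo only origins from an explicit allow-list. The origin list and the preferences schema are assumptions for illustration.

```javascript
// Added example, not from the article. Defensive handling of HTML5 Web
// Storage and of CORS origins, the two risk areas the summary describes.

const PREF_DEFAULTS = Object.freeze({ theme: "light", pageSize: 20 });

// Read a preferences record from Web Storage. Anything malformed, unknown,
// or out of range is dropped and replaced by the default; the server, not
// the browser, stays the authority for everything else (prices, roles, ...).
function loadPrefs(storage) {
  const raw = storage.getItem("prefs");
  if (raw === null) return { ...PREF_DEFAULTS };
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { ...PREF_DEFAULTS }; // tampered or corrupted record
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { ...PREF_DEFAULTS };
  }
  const prefs = { ...PREF_DEFAULTS };
  if (parsed.theme === "light" || parsed.theme === "dark") prefs.theme = parsed.theme;
  if (Number.isInteger(parsed.pageSize) && parsed.pageSize >= 1 && parsed.pageSize <= 100) {
    prefs.pageSize = parsed.pageSize;
  }
  return prefs; // extra keys such as "isAdmin" or "discount" never survive
}

// Server-side CORS decision: echo the request's Origin only when it is an
// exact member of the allow-list; otherwise emit no CORS headers at all.
// Never answer "*" on a response that carries credentials.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed list
function corsHeaders(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed stand-in for window.localStorage so the example runs in Node.
const fakeStorage = {
  data: new Map(),
  setItem(k, v) { this.data.set(k, String(v)); },
  getItem(k) { return this.data.has(k) ? this.data.get(k) : null; },
};
fakeStorage.setItem("prefs", JSON.stringify({ theme: "dark", pageSize: 9999, isAdmin: true }));
console.log(loadPrefs(fakeStorage));                  // { theme: 'dark', pageSize: 20 }
console.log(corsHeaders("https://evil.example.net"));  // {}
```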
  • Javascript (Score:2, Insightful)

    by Anonymous Coward on Monday June 24, 2013 @04:15AM (#44090359)

    Where remote code execution is by design.

  • Nothing new (Score:5, Insightful)

    by Urd.Yggdrasil (1127899) on Monday June 24, 2013 @04:15AM (#44090361)
    Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.
  • Re:Nothing new (Score:5, Insightful)

    by digitalchinky (650880) <dtchky@gmail.com> on Monday June 24, 2013 @04:25AM (#44090375)

    You could also argue that contractors who shop around for the cheapest / fastest deal possible get exactly what they pay for. You want quality work, you have to pay for it, just like in every other industry.

  • Re:Nothing new (Score:4, Insightful)

    by Cenan (1892902) on Monday June 24, 2013 @04:36AM (#44090409)

    I strongly object to using the word "developers" to describe people that are clearly fucking hacks. You don't become a doctor just because you use a scalpel to cut people open. Spade, meet shovel.

    Half the web hacks out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web hackery. As with adding any other new buzzword feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on replacing hacks with real developers instead of trying to cram every new buzzword tech they can into their piece of shit application.

  • Re:Nothing new (Score:0, Insightful)

    by Anonymous Coward on Monday June 24, 2013 @04:53AM (#44090453)

    Except the developers aren't only hurting themselves, they're hurting users? Think before you comment much..?

  • Re:Nothing new (Score:5, Insightful)

    by Calydor (739835) on Monday June 24, 2013 @05:24AM (#44090535)

    What does that have to do with anything? A mechanic using the cheapest possible materials hurts his users when his repairs fail. A house built by the cheapest contractor with the cheapest materials may develop severe faults - to the point of essentially being condemned. How does this not hurt the customers/users?

  • Re:Nothing new (Score:5, Insightful)

    by KiloByte (825081) on Monday June 24, 2013 @05:52AM (#44090623)

    Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.

    Just half? Your glasses are of such a bright shade of pink that it must make it hard to see. This sounds so optimistic that you perhaps still have shreds of faith in humanity.

  • Stop it. (Score:5, Insightful)

    by SuricouRaven (1897204) on Monday June 24, 2013 @06:40AM (#44090821)

    Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

    If you need anything more than HTML, CSS and forms, I hope you have a very good justification.

  • Re:Stop it. (Score:2, Insightful)

    by mwvdlee (775178) on Monday June 24, 2013 @06:49AM (#44090853) Homepage

    Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

    If you need anything more than HTML, CSS and forms, I hope you have a very good justification.

    Same thing, but with text-based terminals and same thing but with punchcards.
    Just make it up yourself, I'm too tired to demonstrate the ignorance of what you just said.
    Just remember that every time you press the "Preview" button before posting, you're using Javascript screwing around in the DOM.

  • by Grishnakh (216268) on Monday June 24, 2013 @07:41AM (#44091185)

    Wrong. Why would anyone want to take on such a job?

    Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money (unless they're in a junior position, but the career goal is to have your own practice, or be a "partner" in a top law firm which is mostly the same thing).

    Developers and other software people aren't their own bosses, unless they're contractors. They work for corporations, and are just paid employees, no different from secretaries or janitors. They have zero control over their own work and how they do it: they have to do whatever their boss tells them to. Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?

  • Re:Nothing new (Score:2, Insightful)

    by Anonymous Coward on Monday June 24, 2013 @09:20AM (#44092189)

    While that is to a certain extent true, the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.

    The real purpose of regulation is so your fucking house doesn't burn down because someone who wasn't trained installed the wiring.
