Slashdot Mirror


The Security Risks of HTML5 Development

CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."
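The two risks the summary names have straightforward defensive counterparts, shown here as an added example that is not part of the Slashdot story or the article it links to. Anything read back from localStorage or sessionStorage is attacker-reachable input, so it is validated against a fixed schema, rebuilt field by field, and rendered via textContent before it is reused or uploaded; and a CORS responder answers from an explicit allow-list instead of echoing the request Origin. The in-memory storage stand-in, the draft schema, the limits and the allow-list are all constructed for this example.

```javascript
// Added example, not code from the story or its comments. Models (1) treating
// localStorage/sessionStorage contents as untrusted input and (2) answering
// CORS from an allow-list. Storage object, schema and allow-list are constructed.

// Constructed stand-in for window.localStorage so the example runs under Node.
function makeStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Schema for the one record this hypothetical app keeps client-side: a draft
// comment. Anything outside these bounds is discarded as tampered or corrupt.
const DRAFT_LIMITS = { maxTitle: 120, maxBody: 4000 };
const ALLOWED_VISIBILITY = new Set(['public', 'friends']);

// Read the draft back. Returns null (and clears the key) on any violation, so a
// value planted in storage never reaches the DOM or the upload path.
function loadDraft(storage, key = 'draft') {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    storage.removeItem(key);
    return null;
  }
  const ok =
    parsed !== null &&
    typeof parsed === 'object' &&
    typeof parsed.title === 'string' &&
    parsed.title.length <= DRAFT_LIMITS.maxTitle &&
    typeof parsed.body === 'string' &&
    parsed.body.length <= DRAFT_LIMITS.maxBody &&
    ALLOWED_VISIBILITY.has(parsed.visibility) &&
    Number.isInteger(parsed.savedAt) && parsed.savedAt >= 0;
  if (!ok) {
    storage.removeItem(key);
    return null;
  }
  // Rebuild a fresh object: only known fields survive, so extra keys injected
  // into storage (e.g. an "isAdmin" flag) are not forwarded to the server.
  return {
    title: parsed.title,
    body: parsed.body,
    visibility: parsed.visibility,
    savedAt: parsed.savedAt,
  };
}

// When rendering a draft, assign to textContent, never innerHTML: stored
// strings may contain markup the original author never typed.
function renderDraft(el, draft) {
  el.textContent = draft ? `${draft.title}\n${draft.body}` : '';
  return el.textContent;
}

// CORS: decide response headers from an allow-list. Reflecting the request
// Origin verbatim would make every site a trusted caller; a wildcard cannot be
// combined with credentials. Unknown origins get no ACAO header at all, so the
// browser blocks the cross-origin read.
function corsHeadersFor(requestOrigin, allowList) {
  if (typeof requestOrigin !== 'string' || !allowList.has(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
  };
}

// Usage (constructed input): a stored draft carrying an injected field.
const demoStorage = makeStorage({
  draft: JSON.stringify({ title: 'hi', body: 'there', visibility: 'public', savedAt: 5, isAdmin: true }),
});
const demoDraft = loadDraft(demoStorage);
const demoHeaders = corsHeadersFor('https://app.example', new Set(['https://app.example']));
```

The server-side half of the same rule is implied but not shown: whatever the client uploads from storage must be validated again on the server, since the client-side check runs on a machine the attacker may control.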

11 of 275 comments

  1. Javascript by Anonymous Coward · · Score: 2, Insightful

    Where remote code execution is by design.

  2. Nothing new by Urd.Yggdrasil · · Score: 5, Insightful

    Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.

    1. Re:Nothing new by digitalchinky · · Score: 5, Insightful

      You could also argue that contractors who shop around for the cheapest / fastest deal possible get exactly what they pay for. You want quality work, you have to pay for it, just like in every other industry.

    2. Re:Nothing new by Cenan · · Score: 3, Insightful

      I strongly object to using the word "developers" to describe people that are clearly fucking hacks. You don't become a doctor just because you use a scalpel to cut people open. Spade, meet shovel.

      Half the web hacks out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web hackery. As with adding any other new buzzword feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on replacing hacks with real developers instead of trying to cram every new buzzword tech they can into their piece of shit application.

      --
      ... whatever ...
    3. Re:Nothing new by Anonymous Coward · · Score: 0, Insightful

      Except the developers aren't only hurting themselves, they're hurting users? Think before you comment much..?

    4. Re:Nothing new by Calydor · · Score: 4, Insightful

      What does that have to do with anything? A mechanic using the cheapest possible materials hurts his users when his repairs fail. A house built by the cheapest contractor with the cheapest materials may develop severe faults - to the point of essentially being condemned. How does this not hurt the customers/users?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    5. Re:Nothing new by KiloByte · · Score: 4, Insightful

      Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.

      Just half? Your glasses are of such a bright shade of pink that it must make it hard to see. This sounds so optimistic that you perhaps still have shreds of faith in humanity.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    6. Re:Nothing new by Anonymous Coward · · Score: 2, Insightful

      While that is to a certain extent true; the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.

      The real purpose of regulation is so your fucking house doesn't burn down because someone who wasn't trained installed the wiring.

  3. Stop it. by SuricouRaven · · Score: 4, Insightful

    Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

    If you need anything more than HTML, CSS and forms, I hope you have a very good justification.

    1. Re:Stop it. by mwvdlee · · Score: 1, Insightful

      Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

      If you need anything more than HTML, CSS and forms, I hope you have a very good justification.

      Same thing, but with text-based terminals and same thing but with punchcards.
      Just make it up yourself, I'm too tired to demonstrate the ignorance of what you just said.
      Just remember that every time you press the "Preview" button before posting, you're using Javascript screwing around in the DOM.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  4. Re:then stop hijacking phrases from other industri by Grishnakh · · Score: 3, Insightful

    Wrong. Why would anyone want to take on such a job?

    Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money (unless they're in a junior position, but the career goal is to have your own practice, or be a "partner" in a top law firm which is mostly the same thing).

    Developers and other software people aren't their own bosses, unless they're contractors. They work for corporations, and are just paid employees, no different from secretaries or janitors. They have zero control over their own work and how they do it: they have to do whatever their boss tells them to. Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?