Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Security Risks of HTML5 Development

Posted by samzenpus on from the protect-ya-neck dept.

CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."

34 of 275 comments (clear)

  1. Javascript by Anonymous Coward · · Score: 2, Insightful

    Where remote code execution is by design.

  2. Nothing new by Urd.Yggdrasil · · Score: 5, Insightful

    Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.

    1. Re:Nothing new by digitalchinky · · Score: 5, Insightful

      You could also argue that contractors who shop around for the cheapest / fastest deal possible get exactly what they pay for. You want quality work, you have to pay for it, just like in every other industry.

    2. Re:Nothing new by Cenan · · Score: 3, Insightful

      I strongly object to using the word "developers" to describe people that are clearly fucking hacks. You don't become a doctor just because you use a scalpel to cut people open. Spade, meet shovel.

      Half the web hacks out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web hackery. As with adding any other new buzzword feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on replacing hacks with real developers instead of trying to cram every new buzzword tech they can into their piece of shit application.

      --
      ... whatever ...
    3. Re:Nothing new by Calydor · · Score: 4, Insightful

      What does that have to do with anything? A mechanic using the cheapest possible materials hurts his users when his repairs fail. A house built by the cheapest contractor with the cheapest materials may develop severe faults - to the point of essentially being condemned. How does this not hurt the customers/users?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:Nothing new by KiloByte · · Score: 4, Insightful

      Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development.

      Just half? Your glasses are of such a bright shade of pink that it must make it hard to see. This sounds so optimistic that you perhaps still have shreds of faith in humanity.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:Nothing new by jbolden · · Score: 2

      Many other industries are regulated to insure that work meets certain quality standards. Further they often have professional associations with real teeth.

    6. Re:Nothing new by Registered+Coward+v2 · · Score: 2

      Many other industries are regulated to insure that work meets certain quality standards. Further they often have professional associations with real teeth.

      While that is to a certain extent true; the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    7. Re:Nothing new by Anonymous Coward · · Score: 2, Insightful

      While that is to a certain extent true; the real value of regulation is limiting competition by requiring licensure and often educational requirements to get and maintain a license.

      The real purpose of regulation is so your fucking house doesn't burn down because someone who wasn't trained installed the wiring.

    8. Re:Nothing new by Wootery · · Score: 2

      the website operator isn't hurt by these things, so they don't care. There's no disincentive to hiring crappy developers.

      It certainly hurts a company's credibility to be hacked. It won't get them shut down by the authorities the way a restaurant with an unsanitary kitchen will be shut down, but it's still going to be a PR problem.

      I haven't got numbers, but I imagine Linode's business suffered at least a bit after they were hacked.

  3. Shouldn't there be full encryption by default? by roman_mir · · Score: 4, Interesting

    At the minimum there should be full data encryption at the client level, that's just to start. Then there are other problems to solve (cross site code accessing information that it shouldn't be able to access)... Basically your desktop will have to solve issues that application and database servers have to solve and I can imagine this is a much more difficult task to accomplish. With application and database servers at least there are people, whose JOB it is to ensure security of the client data (from programmers to testers and administrators), but on the client side... it's very very sketchy, the number of potential problems is enormous.

    --
    You can't handle the truth.
    1. Re:Shouldn't there be full encryption by default? by Common+Joe · · Score: 4, Interesting

      Why the hell is parent modded to -1? roman_mir is spot on. If I'm surfing a website and it wants to store information locally, the web browser should encrypt it for security reasons. As a user, I don't want to have to worry about what information is being written out to my hard drive. Clear text for personal information? Banking information? I've RTFA and it says "[There is] a bank that used example HTML5 code for training developers that put data in permanent storage on the client system as opposed to temporary storage." There are people who say that banking institutions still use java applets. Think long and hard about this. Another question: do modern day browsers encrypt cookies? I don't know for sure, but I suspect they don't.

      And since I've RTFA, I'm going to take this conversation one level further. This ideology sure sounds like a very fat client to me. If we're going to use "sessionStorage, localStorage, and client-side databases" (as per TFA), why not just use an executable? Write the thing in .NET or Java or C? It would be faster for the client and easier to secure from a programming perspective. There's nothing stopping you from using APIs on the web using these languages. Are you saying it's because we can't trust websites? Then why is HTML5 giving access to "system services, such as camera, microphone, and GPS" and allowing "JavaScript to request resources from different domains"? (Again, this is straight from TFA.) About the only thing it doesn't have is unfettered access to the whole hard drive under the user's permissions. Or does it? I don't know. I'm beginning to wonder about how far HTML5 will allow access and under what conditions. Even if HTML 5 asks for permissions on everything it needs to, what do you think the standard user will say to all the "allow access?" questions?

      I'm a programmer, but not a web developer. Maybe this article is full of it and maybe it ain't, but in either case, roman_mir should not be modded down for what he is saying. There are legitimate concerns here that he is trying to raise and he hasn't said anything inflammatory in his post.

  4. then stop hijacking phrases from other industries by Anonymous Coward · · Score: 5, Funny

    developer, before the rise of the cyber-douchebag, was someone who built houses for people to live in, or maybe a shopping center or something.

    engineer, before the rise of the cyber-douchebag, was someone who had to get a license in order to build machines that might hurt people if designed wrong

    programmer, before the rise of the cyber-douchebag, used to be happy with their good pay and didnt need to call themselves something they werenrt.

  5. Re:How is more insecure than what we have now? by gbjbaanb · · Score: 4, Interesting

    there's one thing that's "good" about it - usually all that crap would be stored in a cookie and passed back and forth, back and forth each request. At least now the cookie can be a tiny token to pass to the server and all the session-cached data can be stored locally. At least that's what I hope will happen.

    There is a need for local storage, even if its caching data. If you want security, there needs to be built-in support for encrypting the storage and keeping the key in the browser tied to a section of the url of the site you're working with. If that could happen transparently, then we'd have better security than what's we'd get otherwise (you can't use a login as many sites don't have one, and you need to keep each site secure from each other, so you can't even store the key in a cookie in case it gets hijacked as it passes over the network)

    Anyway, at least people are thinking security of this stuff from the start, rather than wait for it to be exploited first.

  6. No risks here by hobarrera · · Score: 3, Interesting

    So... where's the risk? How can my computer be put at risk?
    If an app want to use localStorage, firefox prompts me for permision, and only assings 5KiB or something like that tops.

    The worst scenario I can picture, is my MANUALLY authorizing literally millons of websites and them filling up my disk.

    As for CORS: where's the security issue for the user? CORS is allowed for web hosts that explicitly state they support it. And again, how could that possible expose me?

    1. Re:No risks here by Anonymous Coward · · Score: 2, Informative

      The risk is that in case the client computer is compromised (and a lot of them are) the attacker can steal data that is normally stored server-side. Say what you want, there are more clients-zombies than compromised servers. OTOH, if you have your client compromised, the convenience of stealing a stored session instead of hijacking it while it lasts isn't all that much of a gain for the attackers.

  7. Re:Real developers don't do web development by OG · · Score: 5, Interesting

    Not true at all. I've been programming since I was 6 (now 37), have a degree in CS, and spent the first 13 years of my post-college career doing C++ programming. I transitioned to web development because I find it interesting. I work with other highly intelligent, skilled web developers. Web development has moved beyond putting together a blog. Some people, such as myself, think the challenges involved in putting together a scalable, responsive, functional, secure web app are interesting, and after reaching a bit of burnout in my C++, I feel a bit renewed. Not to mention the fact that learning how best to utilize a new set of languages and technologies has made me a better programmer all around, even benefitting the times I need to switch back to C++ mode.

  8. Re: What the hell is the point of this anyway? by behrooz0az · · Score: 2

    Yes, I believe we have java, Qt, gtk, python, Tk, and a few quadrillion more cross-platform languages and frameworks for that purpose.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  9. Stop it. by SuricouRaven · · Score: 4, Insightful

    Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.

    If you need anything more then HTML, CSS and forms, I hope you have a very good justification.

    1. Re:Stop it. by 0123456 · · Score: 4, Funny

      But the future is web apps replacing local apps so they can run anywhere.

      Except on tablets and phones, where the future is local apps replacing web apps.

      Or something.

      HTML5 looks like a total clusterfsck from here.

    2. Re:Stop it. by Saint+Gerbil · · Score: 2

      The needs of the business world is always changing and the needs of the internet is changing to meet it. HTML 5 isn't just a new shiny stuff which people can use. Its stuff people can do already but need large libraries and stuff to create now.
      Newer libraries just mean that you will download less to the client, in order to provide the rich user experience they expect now a days.

      TFA is pure FUD most of the problems which it highlights exist already. If anything HTML5 sorts out more issues than it creates.

    3. Re:Stop it. by Imagix · · Score: 2

      "Once"?!

    4. Re:Stop it. by Inda · · Score: 2

      No. There were very few decent websites back then. I remember websites that limited me to <1000 chars of text because their backend couldn't handle any more.

      No. I did not enjoy typing a metric shitload of text into a form, only for the 56k modem to stutter, or the server to wobble, and lose the lot.

      No. Requesting the complete 200kb of HTML when I was only correcting a typo was not good.

      No. Things did not 'just work' every time. How can you forget "this page requires IE3.0".

      No. Uploading a 1.4mb file was a pain in the arse and often failed. Dragging and dropping files onto a webpage is one of those things I really like these days.

      No. Wait. Adverts?

      The WWW is no longer about reading loads and loads of text.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    5. Re:Stop it. by broken_chaos · · Score: 2

      Using a bit of JavaScript is nice. Can be used to add small conveniences that just don't work without it. But it should always gracefully degrade, something that's been essentially completely lost in 'modern' web development. You have JavaScript or you have no page.

  10. What? by Murdoch5 · · Score: 2

    Why are you using client side code to store data? Bad overall concept from the get go. If you really need to store "large" amounts of data for a web session then store a session flag in the client and use encrypted sockets to transport the data to a secure server and flush the temp storage when your done.

  11. Re:then stop hijacking phrases from other industri by magic+maverick+ · · Score: 2

    Labor camp, or any other similar phrases, are just another term for slavery.
    Slavery, forcing a person to work. Labor camp, forcing a person to work. Labor camp=slavery.

    Oh look, even Wikipedia makes that point.

    The United States prison system is being called "a new form of inhumane exploitation." Current penal labor in the U.S., it adds, "has its roots on slavery."

    If you're a real communist you wouldn't be advocating for such shit.

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
  12. Re:then stop hijacking phrases from other industri by Grishnakh · · Score: 3, Insightful

    Wrong. Why would anyone want to take on such a job?

    Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money (unless they're in a junior position, but the career goal is to have your own practice, or be a "partner" in a top law firm which is mostly the same thing).

    Developers and other software people aren't their own bosses, unless they're contractors. They work for corporations, and are just paid employees, no different from secretaries or janitors. They have zero control over their own work and how they do it: they have to do whatever their boss tells them to. Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?

  13. User "slashdot.org" by tepples · · Score: 2

    JavaScript: Where each web site has its own user account.

    Web browsers are designed to handle the privilege separation in JavaScript the way operating systems handle user accounts. Each origin has its own account, and origins can't access resources associated with a different origin unless the owner of the different origin has opted into sharing the resource (CORS). Ideally, browser publishers treat violations of origin separation as seriously as OS publishers treat violations of user separation.

    1. Re:User "slashdot.org" by Unordained · · Score: 2

      As far as I can tell, the goal of CORS was purely to prevent someone from repurposing your browser when you visit site X and using your existing SSO/cookies to make authenticated AJAX calls to site Y.

      It doesn't set out to address data-leakage that can occur from script injection into Y, where AJAX calls to X might be embedded so as to export your private data (you can guarantee site X will set a * allow-origin header, and Y's opinion is not sought.)
      It also doesn't prevent attacks from random web clients who can set their own arbitrary request headers. Nothing prevents you from setting up a proxy-server that changes the origin headers, to grant the whole Internet access to a resource someone wanted to be "only from their own website".

      It's a neat little hack, with a very specific goal, which I've found to be poorly explained. People easily get the wrong idea about what CORS was intended to do, and rely on it for more than they should.

  14. There are AES libraries... by ducomputergeek · · Score: 2

    We use HTML5/JS in conjunction with Apache Cordova to create Mobile Apps for iOS & Android. For most applications we're hired to do, mainly form apps really, this combo works well, we can build & deploy quickly. But everything we put into localstorage is encrypted using an AES library. User chooses a password as the key and have to reenter the password to retrieve the information. There is an option to wipe the database and clear all storage if you can't remember the password. It's simple and it keeps the data secure enough for our purposes. We're not storing credit card or other data usually. Is it foolproof, probably not, but better than nothing.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  15. It's simply a matter of surface by Rambo+Tribble · · Score: 2

    Whenever data is brought into a system, the system is subject to attack. Whether from a network connection or distribution media, exploits have always used whatever avenue of infection was available. HTML5 or JavaScript cannot change that fact.

    The ease with which an exploit can be fashioned is largely dependant on the level of access given the attack vector and the complexity of the code governing that vector. From Autoplay to VNC, the more control given the remote source, the more potential for manipulation.

    As we demand more from web applications and the technologies that enable them, we will open avenues of exploitation, almost by definition. New demands on developers, engineers and designers will be a natural result of this.

    On the bright side, this likely means a richer employment environment for web professionals; the flip side is it probably means more jobs for web hacks, too.

  16. Re:Lawyers and doctors are not self employed by bobaferret · · Score: 2

    I'm sorry... are you saying $175,000/ year isn't a FUCK TON of money? boo fucking hoo; 60 - 80 hours a week? Welcome to minimum wage just trying to get by while supporting a family. FIX YOUR PERSPECTIVE!

    </rant>

  17. I've lived it - you haven't by sjbe · · Score: 4, Informative

    I'm sorry... are you saying $175,000/ year isn't a FUCK TON of money?

    Basically that is exactly what I'm saying. While no one is asking anyone to cry for the doctors, you seem to think they are incredibly wealthy which demonstrably is not true. Many do quite well in the long run but they pay a steep price to get there.First off that is gross pay and makes no allowance for cost of living in your area. $175K in NYC doesn't go far when even a crappy condo can easily cost $500K. Where I live the gross salary for a GP is more like $90-120K/year. Cut that salary number in half once taxes are taken into account. Furthermore a huge number of doctors graduate with between a quarter million to a half million in debt from their schooling. That takes $20-50K per year right off the top of their pay just in debt service. Don't forget the huge insurance costs which are in the tens of thousands of dollars. Also bear in mind that doctors are not paid for the 4 years on medical school on top of 4+ years of undergrad school and are paid a rather low salary (usually around $40K/year) while in residency which can last for between 3-8 years. That's effectively a decade or more of less than minimum wage work once you calculate the hourly wage while piling up enough debt to pay for a fairly nice house. The opportunity cost is enormous.

    Did you start your career 10 years after your college educated peers with a mountain of debt and limited transferable skills? Did anyone have to pass laws to prohibit you from being forced to work more than 80+ hours a week for no extra compensation? (laws which regularly get ignored and endanger patients by the way) Have you ever been required to work 36 hour shifts without any sleep? No. You just looked at the gross salary number and decided they make just a bit less than Bill Gates and live lives of luxury and ease. The real world is a little more complicated than a gross salary figure.

    60 - 80 hours a week? Welcome to minimum wage just trying to get by while supporting a family.

    I've been there working very long hours for minimum wage or less. Know what? Doctors often have it worse when it comes to lifestyle. They give up a decade or more of your life training working your ass off for an hourly rate of less than minimum wage just to get started in your career with a mountain of debt. They might make a decent salary but many of them hardly get to enjoy it. I've worked a 14 hour day, and my wife who left for work before me was still at work. I've seen her pull 36 hour shifts at the hospital. Being on call means you effectively do not get any sleep and some doctors are on call as often as every 3rd or 4th night and they often don't get a day off in between. My wife spent a year or two working for minimum wage in a lab before medical school and refers to it as the happiest year of her life. Sure she had to scrape to make ends meet but her time outside of work was her own. Becoming a doctor is a objectively miserable experience and even once you begin your career the lifestyle still sucks for many doctors. I don't know how many I've spoken to who would choose another profession if they had the chance to do it all over.

    FIX YOUR PERSPECTIVE!

    You have no idea what my perspective is. I've been poorer than a church mouse and worked my ass off to get where I am today. I've also have worked with and lived with doctors (including my wife) and seen what they have to go through first hand. I know up close and personal what I am talking about and I'm pretty sure you do not.

  18. Cross-site Security Issues by psydeshow · · Score: 3, Informative

    Yep. I'm a long-time web developer, and I do a lot of thinking about security and the sorry state of it on the Internets.

    Any time you decide to include third-party code in your pages, you are asking for trouble. The list of hijinx that a third-party script can cause (even with strong cross-domain protection) is limited only by the imagination of the attacker. For instance, even if they can't get at your precious session cookie or local storage data, an attacker can modify the DOM, right? And show a big, window-filling DIV that looks exactly like your login screen, complete with your own assets. Good fun.

    I cringe when I see big, commercial sites that ought to no better include trackers and other code from services they do not control -- in many cases poorly-funded startups that could fold or be bought out overnight. And if someone unscrupulous gets ahold of the company, or just the domain? Boom, code injection across your entire site.

    Because that's exactly what we're talking about: remote code injection as a best practice. It's the most ridiculous head-in-the-sand way to deploy software ever invented. You would never stand for this kind of thing on your desktop (running an unsigned executable over http) but for some reason it's how things are done on web pages. Sure, your browser provides a sandbox, but everything inside that sandbox (your web app!) can still get arbitrarily hacked.

    Web security is a huge freaking mess, and it's going to take us a generation to undo the standard procedures and move to a place where security and privacy are more than just buzzwords.