Hi. This is Yoshinori Matsumoto from Watch and Warning Group.
After JPCERT/CC’s publication of a technical research report on HTML5 last October, our group has been working intensively to raise awareness of security issues in web applications that use HTML5. We have been given opportunities to speak at various security conferences on this topic, one of them being my colleague’s presentation at “CODE BLUE”, introduced on this blog earlier. This time, I would like to share some of the technical highlights of my presentation on this topic delivered at “OWASP AppSec APAC 2014”.
OWASP and OWASP Global AppSec
If you are a security-minded web developer, I am sure you have heard about the Open Web Application Security Project (OWASP). OWASP Global AppSec is an international software security conference which deals with web application security. It is organized and held by the OWASP Foundation 4 times a year in various regions, and this time it was held in Japan for the first time, from March 17 to 20. You can tell from the number of participants that the locals were very excited about this event - around 400 people, including developers, researchers, information governance officers and business managers, joined the event.
Under the title “HTML5 Security for Web Application Development”, I discussed the security issues present in web applications using HTML5, along with demonstrations of two functions/elements that carry inherent risks, XMLHttpRequest (XHR) Level 2 and the new HTML5 input type forms, and of an injection attack mitigation measure (the Content-Security-Policy HTTP header).
The next demonstration was on <input type="email">, a new input type form in HTML5. It is intended to allow better input control and validation: the browser restricts the string entered by the user to the email address format. However, this restriction is enforced only in the browser, so it can easily be bypassed by editing the source HTML or by sending a request directly to the website. In fact, I showed how simply this can be done by editing the source HTML with a web development tool, namely Firebug. Thus, this input type must not be relied on as a security measure; the server still has to validate the value itself.
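To show what the server side of that lesson looks like, here is an added example (not code from the original post or from JPCERT/CC): a Node.js handler that re-validates the submitted field using the e-mail pattern the HTML standard defines for <input type="email">, so a hand-built request gets the same check a cooperating browser would have applied. The field name `email`, the length bound and the port are assumptions.

```javascript
// Added example: server-side re-validation of a field that the HTML page
// marks as <input type="email">. The browser-side check only runs in a
// cooperating browser; a request built by hand (or a page edited in a
// developer tool) carries whatever the sender wants, so the server must
// check the value again before trusting it.

// Regular expression the HTML standard gives for a "valid e-mail address",
// i.e. the same rule a browser applies to <input type="email">.
const HTML_EMAIL_RE =
  /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;

// Assumption: an upper bound on the field so unbounded input is rejected early.
const MAX_EMAIL_LEN = 254;

// Validate one application/x-www-form-urlencoded body ("email=...").
// Returns { ok: true, email } or { ok: false, reason }.
function validateEmailField(body) {
  const raw = new URLSearchParams(body).get("email"); // null when absent
  if (typeof raw !== "string") return { ok: false, reason: "missing" };
  const email = raw.trim();
  if (email.length === 0 || email.length > MAX_EMAIL_LEN) {
    return { ok: false, reason: "length" };
  }
  if (!HTML_EMAIL_RE.test(email)) return { ok: false, reason: "format" };
  return { ok: true, email };
}

// Request handler: accepts only what passes the server-side check,
// regardless of what the form's input type told the browser to enforce.
function handle(req, res) {
  let body = "";
  req.on("data", (chunk) => {
    body += chunk;
    if (body.length > 4096) req.destroy(); // drop oversized bodies
  });
  req.on("end", () => {
    const result = validateEmailField(body);
    res.writeHead(result.ok ? 200 : 400, { "Content-Type": "text/plain" });
    res.end(result.ok ? `accepted ${result.email}\n` : `rejected: ${result.reason}\n`);
  });
}

// Start the server on demand (assumed port); not started automatically.
function startServer(port = 8080) {
  return require("http").createServer(handle).listen(port);
}
```

Call `startServer()` and POST a form body to try it; a body such as `email=not an address` is rejected with `format` even though the browser would never have let it through.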
A photo of me speaking at OWASP AppSec (taken by koyhoge)
For more information about my presentation, please refer to the slides here.
Research report (in English) on HTML5 security to be published
HTML5 has given us the opportunity to create richer and more interactive websites. However, using HTML5 without understanding its inherent risks may cause unintended results. Therefore, we need to understand HTML5 security issues carefully before using these features. JPCERT/CC’s research report on this matter intends to provide basic references for web security researchers and developers. It is only available in Japanese now, but the English version will be published at the end of May. We will let you know via this blog, so stay tuned!
- Yoshinori Matsumoto