One of the new high-risk HTML 5 features is the cross-domain trust functionality. The cross-domain trust functionality...
will allow different domains (DNS names) to communicate between iframes in your Web browser. This feature will be tricky for developers to get right initially -- need to verify that the cross-domain requests are received from other domains from domains from which they expect to receive requests -- and even advanced, technical users may find it difficult to understand the risks involved. Malware writers will likely try to abuse this functionality to gain access to sensitive data, since this check may not happen as intended.
One of the most difficult security issues with HTML 5 is the movement of functionality from the server to the client where the server may trust the client perhaps more than it should. One example is the server trusting that the data from a client contains valid, non-malicious input. The server would assume the client is checking for these types of attacks/bugs on his or her own, so there would be a disconnect there. Servers and applications should be programmed to validate data received from the client to ensure it is not malicious.
Dig Deeper on Web application and API security best practices
Related Q&A from Nick Lewis
IBM X-Force found MnuBot -- a new banking Trojan -- manipulating C&C servers in an unusual way. Learn how this is possible and how this malware ... Continue Reading
Researchers at Trend Micro found a new strain of malware -- dubbed FacexWorm -- that targets users via a malicious Chrome extension. Discover how ... Continue Reading
Researchers at the 2018 RSA Conference discussed the increasing availability of malware that uses steganography, dubbed stegware. Discover how this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.