
TD-WS: a threat detection tool of WebSocket and Web Storage in HTML5 websites

Research output: Contribution to journal › Article › peer-review

2 Scopus citations

Abstract

The new features of HTML5 greatly increase the convenience for both web developers and users, but they also bring new security threats. Although the web-security community has started to analyze the security threats brought by HTML5, little has been done to address the security threats for client-side applications. This paper studies security issues of two popular client-side primitives: WebSocket and Web Storage. The security threats considered in this paper are theft of private information through WebSocket and cross-site scripting vulnerabilities caused by a lack of sanitization for WebSocket messages and Web Storage data. We analyze the unsafe data flows of these two HTML5 primitives in detail. Based on that, we present a threat detection tool called TD-WS, which can automatically detect privacy leaks and cross-site scripting vulnerabilities in WebSocket and Web Storage applications. The results show that TD-WS effectively detects the security threats of WebSocket and Web Storage applications. Copyright © 2016 John Wiley & Sons, Ltd.
Original language: English
Pages (from-to): 5432-5443
Number of pages: 12
Journal: Security and Communication Networks
Volume: 9
Issue number: 18
State: Published - Dec 1 2016

Keywords

  • cross-site scripting
  • HTML5 WebSocket
  • JavaScript taint tracking
  • privacy
  • Web Storage
