HTML5 is currently one of the most important technologies for rich Internet applications (RIA). Strongly backed by industry vendors, it has developed rapidly and has become the de facto standard for future Web applications. While the new technology gives users a richer Internet, it also introduces new security problems: CORS, XHR Level 2 and similar features have broken the browser's original same-origin policy (SOP); Web Storage, Application Cache and other new capabilities strengthen the client while also providing new client-side attack mechanisms; and new features such as Web Workers and WebSocket introduce new means of abuse. On the Chinese Internet, more and more websites are gradually adopting HTML5, yet their security protection still has many weaknesses. At the same time, most current Web application scanners lack the ability to detect HTML5 security issues, which makes HTML5 security a blind spot in security assessments and penetration tests. This paper examines in depth the new security threats introduced by HTML5, reports a large number of security problems found by testing large Chinese websites that support HTML5, and surveys and analyses the HTML5 support of existing Web application scanners. The results confirm the vulnerability of Chinese Internet websites to the new forms of security threat brought by HTML5.