SlideShare ist ein Scribd-Unternehmen logo

Security Issues in HTML 5

Als PPTX, PDF herunterladen
Wasif Altaf
Wasif Altaf

This document discusses security issues related to HTML 5. It begins by introducing new features in HTML 5 that enable rich functionality but also introduce new security vulnerabilities. It then reviews vulnerabilities such as cross-site request forgery (CSRF), cross-site scripting (XSS), clickjacking, local storage, and the geolocation API. The document analyzes proposed defenses against CSRF attacks in HTML 5 and proposes a hybrid solution using XMLHttpRequest with specific headers and attributes to help prevent CSRF attacks while using cross-origin requests in HTML 5. Finally, it discusses conclusions and potential future work analyzing the proposed solution and additional HTML 5 security issues.

Technologie
1 von 24
Security Issues in HTML 5 Sara Toufiq (2011-MS-CS-23) Wasif Altaf (2011-MS-CS-19)
Introduction • Technological changes to HTML 4.0 giving rise to many existing and new security threats and vulnerabilities • Security is an important part of HTML 5 specifications from initial • HTML 5 provides us with rich features, with additional tags and enhanced functionality • Exploitation scenarios have not changed in HTML 5 with some exceptions an attacker can do multiple attacks with new features of HTML 5
Vulnerabilities • • • • • Cross-site Request Forgery (CSRF) Cross-site Scripting (XSS) Clickjacking Local Storage Geolocation API
Cross-site Request Forgery (CSRF) • According to (Zeller and Felten, 2008) CrossSite Request Forgery attacks occur when a malicious web site causes a user‟s web browser to perform an unwanted action on a trusted site. • (Jeremiah Blatz, 2011) described that CSRF takes advantage of the inherent statelessness of the web to simulate user actions on one website (the target site) from another website (the attacking site).
Review of Literature (CSRF) • Adam Barth et al. 2008 presented and analyzed defense mechanisms against cross-site requests forgery. Researchers proposed defense mechanisms against CSRF attacks (Login CSRF attacks), third-party content vulnerability, and they also recommended usage of HTTPS. Mainly, they proposed Origin header to be used for all state modifying requests (such as Login and other form submissions) lodged over HTTP POST request method. Through Origin header it can be ensured that authenticated sites‟ lodged requests are entertained only, and hence the requests from attackers are not fulfilled. They advised that Origin header be used over HTTPS by secure websites such as banks and other financial organizations in their web applications. As a future work they proposed to extend the capabilities of Origin header within frame hierarchy.
Review of Literature (CSRF) • Devdatta akhawe et al 2010, discussed CSRF in reference to XMLHttpRequest API and HTML5 form element. They discussed that HTML5 form elements generate GET & POST requests that may lead to CSRF attack. These requests can be sent to any origin but contain certain methods and headers. There is great chance of CSRF attack by using XMLHttpRequest API and HTML 5 form elements as these requests be sent based on data in user‟s cookies and the response are interpreted by user‟s browser. They proposed solution by first checking session integrity by “cause” of each Http Request. When a request is generated, the session should be checked whether the request is from trusted user or not by adding origin header. If the header is not set, then there is chance that the request is sent to attacker‟s server by a POST request. The attacker can redirect the request back to original header as origin header lists original source which violates session integrity. The solution to this vulnerability proposed by them is naming all origins in redirect chain in origin header. The problem with this solution is that naming can be done up to a certain limit otherwise it would lead to server loading, with time and performance issues.
Review of Literature (CSRF) • Devdatta akhawe et al 2010 (Continues), The other solution is to use pre-flight request as subtype of HttpRequest by using CORS that includes number of headers and named as CORSResponse header which leads pre-flight requests to attacker‟s site. This is done as HTML5 allows CORS and now browsers contain open redirectors and does not manage whitelists. These attacks occur when a user requests a page from target website by following link from another website with some input. The solution to this problem proposed is to use referrer header. By using referrer header, CSRF attack can be controlled if the site‟s origin in referrer header is not from trusted user or request is redirected to gateway. But if server sends request to attacker‟s server first (attacker injects some malicious hyperlink) then it leads to CSRF attack. This can be controlled by setting referrer header as no-referrer in requests but still there is possibility to this attack. The flaw in this solution is open redirectors which allow every request to be entertained, including requests which should otherwise be discarded.
Review of Literature (CSRF) • Jeremiah Blatz, 2011, But again, we cannot depend totally on fact that referer header will go with each request. The fact is that some browsers never send referer header, others send oftenly. There is also possibility that proxy servers strip out this header. So, there is still possibility of CSRF attack.
Review of Literature (CSRF) • Robert McArdle 2011, described that XMLHttpRequest is very common API used in applications specially those websites that make AJAX calls like Gmail, Facebook and Google Maps. Before HTML5, these requests were made only in Same Origin Policy (SOP). HTML5 overcomes this situation and provides a method called Cross Origin Resource Sharing (CORS), which enable users to make XMLHttpRequest throughout the world by adding “AccessControl-Allow-Origin” header in response which itself gives rise to CSRF attack. As HTML5 allows cross origin requests, so by default the response header allows all cross origin requests even if the user doesn‟t set it. This is gap from where attacker can inject some malicious code to victim‟s website. When a victim visits that site, the malicious code makes a cross domain call to attacker‟s site establishing a two-way communication with attacker‟s server through cross domain calls and would be able to send commands using victim‟s browser.
Review of Literature (CSRF) • Shreeraj Shah, 2012 explained CSRF as silent attack over browser by HTML5 Cross Origin Resource Sharing method (CORS). He described that a CSRF attack can be injected through a payload on cross domain page by a request without knowledge of victim. He explained „CORS‟ as a „blind response‟ technique that is controlled by extra HTTP header „origin‟ that hit the target establishing a CSRF vector using XHR – Level 2 on HTML5 pages. XHR establishes a connection using POST method with attribute „withCredentials‟ set to true which allows cookies to be replayed for CSRF attack without knowledge of user. XHR – Level 2 calls embedded in HTML5 browser can open cross domain socket and send Http Request. Browser would go for preflight requests to check policy and allow cookie replay if „withCredentials‟ set to true that would lead towards critical business logic functionalities to be exploited like file uploads on facebook, invoices, contacts etc.
Review of Literature (CSRF) • De Ryck et al. 2012 analyzed emerging web standards in detail from security point of view. They undertook analysis of HTML 5 specifications as well as implementation by major web browsers, and identified 45 security issues. They revealed that through injection of submission controls provided by HTML 5 hidden security tokens from forms can be stolen. As per (Zeller and Felten, 2008) the de facto step against CSRF attack is the use of a unique token to authenticate future requests. Since hidden security tokens can be stolen using injection of submission controls so CSRF attacks are still probable.
Cross-site Scripting (XSS) • Iha and Doi, 2009 stated that, Cross-site scripting attack is a technique which injects a malicious dynamic executable code prepared by an attacker into a user's web browser via vulnerable web applications. Typically, the malicious code is written in the language that can be executed dynamically on the web browser (e.g. JavaScript). As the result of the attack to the user's web browser by using the vulnerable web application, the attacker can force the execution of the malicious code into the user's web browser by avoiding the restrictions in the same origin policy.
Clickjacking • As of Balduzzi et al. 2010, A malicious page constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all) visible. By stealing the victim‟s clicks, an attacker could force the user to perform an unintended action that is advantageous for the attacker (e.g., initiate an online money transaction).
Review of Literature (Local Storage) • Robert McArdle, 2011, described that HTML5 provides a very useful feature of local storage to save persistent data on user‟s system. It allows the information to store as key pairs and can be easily retrieved even through event handlers and javascript. If developers store sensitive information in local storage then attacker may have access to confidential data or even he can delete the storage data without knowledge of user.
Review of Literature (Local Storage) • Shreeraj Shah, 2012, explained that HTML5 has the feature of local storage for applications to store some information and is available everywhere within application. This feature provides great flexibility on client side but at the same time leverages a way for attacker to steal information via XSS. Local storage not only gives access to local variables but also to global variables. Global variables may contain important information like usernames, passwords, tokens, hash etc that can easily be exploited by attacker through javascript.
Geolocation API • De Ryck, 2012, illustrated that, HTML 5 Geolocation API provides us with fast access to maps and allows users to share their current location on site. A user can check his/her location anytime with just internet available. On the other side, it also violates users‟ confidentiality and integrity. The Geolocation API has built-in caching features which save users‟s position which he visited after certain time period, this can be used by attacker to exploit user‟s data.
Problem Statement • To find ultimate defense mechanisms against CSRF attacks in HTML 5
Proposed Work • We have proposed a hybrid solution based on Robert McArdle, 2011 and Shreeraj Shah, 2012 in which they used XMLHttpRequest through ajax calls in cross origin domains using HTML 5 Access-Control-Allow-Origin header, and XMLHttpRequest with attribute “withCredentials” set to true, respectively. Our proposed solution is that, for cross origin requests, we set AccessControl-Allow-Origin header in ajax request with additional attribute “withCredentials” set to true and cache to false to avoid CSRF attack.
Methodology • For cross domain calls, we need to set header “AccessControl-Allow-Origin” to * or to some specific site which allows resource sharing and attribute “withCredentails” provided by HTML 5 to true for credentialed request and to get data in response through cross domain which allows to save response in cookies leading towards CSRF. If we set an additional attribute cache as false in ajax request which does not allow browsers to save response in cache even in cookies. Each time fresh response would be fetch directly from server. In this way, we can avoid CSRF attack and safely use HTML 5 CORS feature. This would work for HTML 5 online applications but this may not work in HTML 5 offline applications in which response and all connect is saved to cache locally for next time use.
Conclusions • We have studied security issues of HTML 5 features and found vulnerabilities in solutions provided. Our main focus has been on CSRF attacks and we have proposed a solution to avoid CSRF attacks while using CORS method of HTML 5. Our proposed solution would work for HTML 5 online applications but as HTML 5 provides us with great and advanced features like offline applications, so this may not be a feasible solution for offline applications.
Future Work • We have proposed a solution to avoid CSRF attack against HTML 5 CORS feature. Technically, we envisage to analyse and validate this solution on different websites with different requests in future. Also, we would focus on some more security issues and attacks posed by HTML 5, that may have been present before advent of HTML 5, or may have risen due to HTML 5‟s advance functionality.
References • Adam Barth et al. 2008, “Robust defenses for cross-site request forgery”, In Proceedings of the 15th ACM conference on Computer and communications security , pp. 75-88, 2008 • Devdatta Akhawe, Adam Barth, Peifung E. Lam, John Mitchell and Dawn Song, “Towards a Formal Foundation of Web Security”, In Proceedings of 2010 23rd IEEE Computer Security Foundations Symposium, pp. 290-304, 2010 • Doug DePerry, “HTML5 SECURITY THE MODERN WEB BROWSER PERSPECTIVE”, iSEC Partners, December 2012 • Genta Iha, Hiroshi Doi, “An Implementation of the Binding Mechanism in the Web Browser for Preventing XSS Attacks: Introducing the Bind-Value Headers”, In Proceedings of 2009 International Conference on Availability, Reliability and Security, pp. 966-971, 2009 • Lavakumar Kuppan, “Attacking with HTML5”, Attack and Defense Labs, 18th October, 2010
References • • • • • • Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel, “A Solution for the Automated Detection of Clickjacking Attacks”, In Proceedings of ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 135-144, April 2010 Philippe De Ryck, Lieven Desmet, Frank Piessens, Wouter Joosen, “A Security Analysis of Emerging Web Standards - Extended Version”, Department of Computer Science, K.U.Leuven, May 2012 Robert McArdle, “HTML5 OVERVIEW: A LOOK AT HTML5 ATTACK SCENARIOS”, Trend Micro Research Labs, 2011 Shreeraj Shah, “HTML5 Top 10 Threats Stealth Attacks and Silent Exploits”, Blueinfy Solutions, March 2012 W3C Editor‟s Draft, “Geolocation API Specification”, http://dev.w3.org/geo/api/spec-source.html, May 2012, Accessed 5th April, 2013 Zeller and Felten, “An Implementation of the Binding Mechanism in the Web Browser for Preventing XSS Attacks: Introducing the Bind-Value Headers”, In Proceedings of 2009 International Conference on Availability, Reliability and Security. Pp. 966-971, 2009.
Thank you! Questions?

Empfohlen

Php Error Handling
Php Error HandlingPhp Error Handling
Php Error Handlingmussawir20
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
Exception handling
Exception handlingException handling
Exception handlingPhD Research Scholar
 
Java Exception handling
Java Exception handlingJava Exception handling
Java Exception handlingkamal kotecha
 
Displaying information within a window.68
Displaying information within a window.68Displaying information within a window.68
Displaying information within a window.68myrajendra
 
C++ references
C++ referencesC++ references
C++ referencescorehard_by
 
Introduction to matlab
Introduction to matlabIntroduction to matlab
Introduction to matlabMohan Raj
 
Python built in functions
Python built in functionsPython built in functions
Python built in functionsRakshitha S
 

Empfohlen

Php Error Handling
Php Error HandlingPhp Error Handling
Php Error Handlingmussawir20
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
Exception handling
Exception handlingException handling
Exception handlingPhD Research Scholar
 
Java Exception handling
Java Exception handlingJava Exception handling
Java Exception handlingkamal kotecha
 
Displaying information within a window.68
Displaying information within a window.68Displaying information within a window.68
Displaying information within a window.68myrajendra
 
C++ references
C++ referencesC++ references
C++ referencescorehard_by
 
Introduction to matlab
Introduction to matlabIntroduction to matlab
Introduction to matlabMohan Raj
 
Python built in functions
Python built in functionsPython built in functions
Python built in functionsRakshitha S
 
Partial redundancy elimination
Partial redundancy eliminationPartial redundancy elimination
Partial redundancy eliminationIshucs
 
Symbol table in compiler Design
Symbol table in compiler DesignSymbol table in compiler Design
Symbol table in compiler DesignKuppusamy P
 
Compiler Design Unit 4
Compiler Design Unit 4Compiler Design Unit 4
Compiler Design Unit 4Jena Catherine Bel D
 
Literals,variables,datatype in C#
Literals,variables,datatype in C#Literals,variables,datatype in C#
Literals,variables,datatype in C#Prasanna Kumar SM
 
Byte stream classes.49
Byte stream classes.49Byte stream classes.49
Byte stream classes.49myrajendra
 
Matlab Introduction
Matlab IntroductionMatlab Introduction
Matlab Introductionideas2ignite
 
Call by value
Call by valueCall by value
Call by valueDharani G
 
Storage class in C Language
Storage class in C LanguageStorage class in C Language
Storage class in C LanguageNitesh Kumar Pandey
 
Java Servlets
Java ServletsJava Servlets
Java ServletsBG Java EE Course
 
Java-java virtual machine
Java-java virtual machineJava-java virtual machine
Java-java virtual machineSurbhi Panhalkar
 
Interface in java ,multiple inheritance in java, interface implementation
Interface in java ,multiple inheritance in java, interface implementationInterface in java ,multiple inheritance in java, interface implementation
Interface in java ,multiple inheritance in java, interface implementationHoneyChintal
 
C format string vulnerability
C format string vulnerabilityC format string vulnerability
C format string vulnerabilitysluge
 
Exception handling in java
Exception handling in javaException handling in java
Exception handling in javaElizabeth alexander
 
Methods in Java
Methods in JavaMethods in Java
Methods in JavaJussi Pohjolainen
 
3.looping(iteration statements)
3.looping(iteration statements)3.looping(iteration statements)
3.looping(iteration statements)Hardik gupta
 
Java Streams
Java StreamsJava Streams
Java StreamsM Vishnuvardhan Reddy
 
Exception Handling in JAVA
Exception Handling in JAVAException Handling in JAVA
Exception Handling in JAVASURIT DATTA
 
Preprocessor directives in c language
Preprocessor directives in c languagePreprocessor directives in c language
Preprocessor directives in c languagetanmaymodi4
 
array of object pointer in c++
array of object pointer in c++array of object pointer in c++
array of object pointer in c++Arpita Patel
 
Function C programming
Function C programmingFunction C programming
Function C programmingAppili Vamsi Krishna
 
Attack with-html5
Attack with-html5Attack with-html5
Attack with-html5Sony Arianto
 
Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website أحلام انصارى
 

Weitere ähnliche Inhalte

Was ist angesagt?

Partial redundancy elimination
Partial redundancy eliminationPartial redundancy elimination
Partial redundancy eliminationIshucs
 
Symbol table in compiler Design
Symbol table in compiler DesignSymbol table in compiler Design
Symbol table in compiler DesignKuppusamy P
 
Literals,variables,datatype in C#
Literals,variables,datatype in C#Literals,variables,datatype in C#
Literals,variables,datatype in C#Prasanna Kumar SM
 
Byte stream classes.49
Byte stream classes.49Byte stream classes.49
Byte stream classes.49myrajendra
 
Matlab Introduction
Matlab IntroductionMatlab Introduction
Matlab Introductionideas2ignite
 
Call by value
Call by valueCall by value
Call by valueDharani G
 
Interface in java ,multiple inheritance in java, interface implementation
Interface in java ,multiple inheritance in java, interface implementationInterface in java ,multiple inheritance in java, interface implementation
Interface in java ,multiple inheritance in java, interface implementationHoneyChintal
 
C format string vulnerability
C format string vulnerabilityC format string vulnerability
C format string vulnerabilitysluge
 
3.looping(iteration statements)
3.looping(iteration statements)3.looping(iteration statements)
3.looping(iteration statements)Hardik gupta
 
Exception Handling in JAVA
Exception Handling in JAVAException Handling in JAVA
Exception Handling in JAVASURIT DATTA
 
Preprocessor directives in c language
Preprocessor directives in c languagePreprocessor directives in c language
Preprocessor directives in c languagetanmaymodi4
 
array of object pointer in c++
array of object pointer in c++array of object pointer in c++
array of object pointer in c++Arpita Patel
 

Was ist angesagt? (20)

Partial redundancy elimination
Partial redundancy eliminationPartial redundancy elimination
Partial redundancy elimination
 
Symbol table in compiler Design
Symbol table in compiler DesignSymbol table in compiler Design
Symbol table in compiler Design
 
Compiler Design Unit 4
Compiler Design Unit 4Compiler Design Unit 4
Compiler Design Unit 4
 
Literals,variables,datatype in C#
Literals,variables,datatype in C#Literals,variables,datatype in C#
Literals,variables,datatype in C#
 
Byte stream classes.49
Byte stream classes.49Byte stream classes.49
Byte stream classes.49
 
Matlab Introduction
Matlab IntroductionMatlab Introduction
Matlab Introduction
 
Call by value
Call by valueCall by value
Call by value
 
Storage class in C Language
Storage class in C LanguageStorage class in C Language
Storage class in C Language
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
 
Java-java virtual machine
Java-java virtual machineJava-java virtual machine
Java-java virtual machine
 
Interface in java ,multiple inheritance in java, interface implementation
Interface in java ,multiple inheritance in java, interface implementationInterface in java ,multiple inheritance in java, interface implementation
Interface in java ,multiple inheritance in java, interface implementation
 
C format string vulnerability
C format string vulnerabilityC format string vulnerability
C format string vulnerability
 
Exception handling in java
Exception handling in javaException handling in java
Exception handling in java
 
Methods in Java
Methods in JavaMethods in Java
Methods in Java
 
3.looping(iteration statements)
3.looping(iteration statements)3.looping(iteration statements)
3.looping(iteration statements)
 
Java Streams
Java StreamsJava Streams
Java Streams
 
Exception Handling in JAVA
Exception Handling in JAVAException Handling in JAVA
Exception Handling in JAVA
 
Preprocessor directives in c language
Preprocessor directives in c languagePreprocessor directives in c language
Preprocessor directives in c language
 
array of object pointer in c++
array of object pointer in c++array of object pointer in c++
array of object pointer in c++
 
Function C programming
Function C programmingFunction C programming
Function C programming
 

Ähnlich wie Security Issues in HTML 5

Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website أحلام انصارى
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityJohn Varghese
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Cyber security 2.pptx
Cyber security 2.pptxCyber security 2.pptx
Cyber security 2.pptxNotSure11
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Cyber Security-Ethical Hacking
Cyber Security-Ethical HackingCyber Security-Ethical Hacking
Cyber Security-Ethical HackingViral Parmar
 
Secure Code Warrior - Client side injection
Secure Code Warrior - Client side injectionSecure Code Warrior - Client side injection
Secure Code Warrior - Client side injectionSecure Code Warrior
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015 Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015 Joe Ferguson
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Capgemini
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...IRJET Journal
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5Aditya Kamat
 

Ähnlich wie Security Issues in HTML 5 (20)

Attack with-html5
Attack with-html5Attack with-html5
Attack with-html5
 
Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Cyber security 2.pptx
Cyber security 2.pptxCyber security 2.pptx
Cyber security 2.pptx
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Cyber Security-Ethical Hacking
Cyber Security-Ethical HackingCyber Security-Ethical Hacking
Cyber Security-Ethical Hacking
 
Secure Code Warrior - Client side injection
Secure Code Warrior - Client side injectionSecure Code Warrior - Client side injection
Secure Code Warrior - Client side injection
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF
 
Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015 Secure Form Processing and Protection - Devspace 2015
Secure Form Processing and Protection - Devspace 2015
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5
 

Mehr von Wasif Altaf

Java Web Services - Parts of Speech Tagger Web Service
Java Web Services - Parts of Speech Tagger Web ServiceJava Web Services - Parts of Speech Tagger Web Service
Java Web Services - Parts of Speech Tagger Web ServiceWasif Altaf
 
An Introduction to Image Processing and Artificial Intelligence
An Introduction to Image Processing and Artificial IntelligenceAn Introduction to Image Processing and Artificial Intelligence
An Introduction to Image Processing and Artificial IntelligenceWasif Altaf
 
Software User Interface Design Ergonomics
Software User Interface Design ErgonomicsSoftware User Interface Design Ergonomics
Software User Interface Design ErgonomicsWasif Altaf
 
A Review of Microsoft Windows Vista
A Review of Microsoft Windows VistaA Review of Microsoft Windows Vista
A Review of Microsoft Windows VistaWasif Altaf
 
Are Java Primitive Variables Objects?
Are Java Primitive Variables Objects?Are Java Primitive Variables Objects?
Are Java Primitive Variables Objects?Wasif Altaf
 
Modern Logic - Introduction to Logic
Modern Logic - Introduction to LogicModern Logic - Introduction to Logic
Modern Logic - Introduction to LogicWasif Altaf
 
Introduction to Logic
Introduction to LogicIntroduction to Logic
Introduction to LogicWasif Altaf
 
Web Project Presentation - JoinPakForces
Web Project Presentation - JoinPakForcesWeb Project Presentation - JoinPakForces
Web Project Presentation - JoinPakForcesWasif Altaf
 
C++ Preprocessor Directives
C++ Preprocessor DirectivesC++ Preprocessor Directives
C++ Preprocessor DirectivesWasif Altaf
 

Mehr von Wasif Altaf (9)

Java Web Services - Parts of Speech Tagger Web Service
Java Web Services - Parts of Speech Tagger Web ServiceJava Web Services - Parts of Speech Tagger Web Service
Java Web Services - Parts of Speech Tagger Web Service
 
An Introduction to Image Processing and Artificial Intelligence
An Introduction to Image Processing and Artificial IntelligenceAn Introduction to Image Processing and Artificial Intelligence
An Introduction to Image Processing and Artificial Intelligence
 
Software User Interface Design Ergonomics
Software User Interface Design ErgonomicsSoftware User Interface Design Ergonomics
Software User Interface Design Ergonomics
 
A Review of Microsoft Windows Vista
A Review of Microsoft Windows VistaA Review of Microsoft Windows Vista
A Review of Microsoft Windows Vista
 
Are Java Primitive Variables Objects?
Are Java Primitive Variables Objects?Are Java Primitive Variables Objects?
Are Java Primitive Variables Objects?
 
Modern Logic - Introduction to Logic
Modern Logic - Introduction to LogicModern Logic - Introduction to Logic
Modern Logic - Introduction to Logic
 
Introduction to Logic
Introduction to LogicIntroduction to Logic
Introduction to Logic
 
Web Project Presentation - JoinPakForces
Web Project Presentation - JoinPakForcesWeb Project Presentation - JoinPakForces
Web Project Presentation - JoinPakForces
 
C++ Preprocessor Directives
C++ Preprocessor DirectivesC++ Preprocessor Directives
C++ Preprocessor Directives
 

Kürzlich hochgeladen

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Kürzlich hochgeladen (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Security Issues in HTML 5

  • 1. Security Issues in HTML 5 Sara Toufiq (2011-MS-CS-23) Wasif Altaf (2011-MS-CS-19)
  • 2. Introduction • Technological changes to HTML 4.0 giving rise to many existing and new security threats and vulnerabilities • Security is an important part of HTML 5 specifications from initial • HTML 5 provides us with rich features, with additional tags and enhanced functionality • Exploitation scenarios have not changed in HTML 5 with some exceptions an attacker can do multiple attacks with new features of HTML 5
  • 3. Vulnerabilities • • • • • Cross-site Request Forgery (CSRF) Cross-site Scripting (XSS) Clickjacking Local Storage Geolocation API
  • 4. Cross-site Request Forgery (CSRF) • According to (Zeller and Felten, 2008) CrossSite Request Forgery attacks occur when a malicious web site causes a user‟s web browser to perform an unwanted action on a trusted site. • (Jeremiah Blatz, 2011) described that CSRF takes advantage of the inherent statelessness of the web to simulate user actions on one website (the target site) from another website (the attacking site).
  • 5. Review of Literature (CSRF) • Adam Barth et al. 2008 presented and analyzed defense mechanisms against cross-site requests forgery. Researchers proposed defense mechanisms against CSRF attacks (Login CSRF attacks), third-party content vulnerability, and they also recommended usage of HTTPS. Mainly, they proposed Origin header to be used for all state modifying requests (such as Login and other form submissions) lodged over HTTP POST request method. Through Origin header it can be ensured that authenticated sites‟ lodged requests are entertained only, and hence the requests from attackers are not fulfilled. They advised that Origin header be used over HTTPS by secure websites such as banks and other financial organizations in their web applications. As a future work they proposed to extend the capabilities of Origin header within frame hierarchy.
  • 6. Review of Literature (CSRF) • Devdatta akhawe et al 2010, discussed CSRF in reference to XMLHttpRequest API and HTML5 form element. They discussed that HTML5 form elements generate GET & POST requests that may lead to CSRF attack. These requests can be sent to any origin but contain certain methods and headers. There is great chance of CSRF attack by using XMLHttpRequest API and HTML 5 form elements as these requests be sent based on data in user‟s cookies and the response are interpreted by user‟s browser. They proposed solution by first checking session integrity by “cause” of each Http Request. When a request is generated, the session should be checked whether the request is from trusted user or not by adding origin header. If the header is not set, then there is chance that the request is sent to attacker‟s server by a POST request. The attacker can redirect the request back to original header as origin header lists original source which violates session integrity. The solution to this vulnerability proposed by them is naming all origins in redirect chain in origin header. The problem with this solution is that naming can be done up to a certain limit otherwise it would lead to server loading, with time and performance issues.
  • 7. Review of Literature (CSRF) • Devdatta akhawe et al 2010 (Continues), The other solution is to use pre-flight request as subtype of HttpRequest by using CORS that includes number of headers and named as CORSResponse header which leads pre-flight requests to attacker‟s site. This is done as HTML5 allows CORS and now browsers contain open redirectors and does not manage whitelists. These attacks occur when a user requests a page from target website by following link from another website with some input. The solution to this problem proposed is to use referrer header. By using referrer header, CSRF attack can be controlled if the site‟s origin in referrer header is not from trusted user or request is redirected to gateway. But if server sends request to attacker‟s server first (attacker injects some malicious hyperlink) then it leads to CSRF attack. This can be controlled by setting referrer header as no-referrer in requests but still there is possibility to this attack. The flaw in this solution is open redirectors which allow every request to be entertained, including requests which should otherwise be discarded.
  • 8. Review of Literature (CSRF) • Jeremiah Blatz, 2011, But again, we cannot depend totally on fact that referer header will go with each request. The fact is that some browsers never send referer header, others send oftenly. There is also possibility that proxy servers strip out this header. So, there is still possibility of CSRF attack.
  • 9. Review of Literature (CSRF) • Robert McArdle 2011, described that XMLHttpRequest is very common API used in applications specially those websites that make AJAX calls like Gmail, Facebook and Google Maps. Before HTML5, these requests were made only in Same Origin Policy (SOP). HTML5 overcomes this situation and provides a method called Cross Origin Resource Sharing (CORS), which enable users to make XMLHttpRequest throughout the world by adding “AccessControl-Allow-Origin” header in response which itself gives rise to CSRF attack. As HTML5 allows cross origin requests, so by default the response header allows all cross origin requests even if the user doesn‟t set it. This is gap from where attacker can inject some malicious code to victim‟s website. When a victim visits that site, the malicious code makes a cross domain call to attacker‟s site establishing a two-way communication with attacker‟s server through cross domain calls and would be able to send commands using victim‟s browser.
  • 10. Review of Literature (CSRF) • Shreeraj Shah, 2012 explained CSRF as silent attack over browser by HTML5 Cross Origin Resource Sharing method (CORS). He described that a CSRF attack can be injected through a payload on cross domain page by a request without knowledge of victim. He explained „CORS‟ as a „blind response‟ technique that is controlled by extra HTTP header „origin‟ that hit the target establishing a CSRF vector using XHR – Level 2 on HTML5 pages. XHR establishes a connection using POST method with attribute „withCredentials‟ set to true which allows cookies to be replayed for CSRF attack without knowledge of user. XHR – Level 2 calls embedded in HTML5 browser can open cross domain socket and send Http Request. Browser would go for preflight requests to check policy and allow cookie replay if „withCredentials‟ set to true that would lead towards critical business logic functionalities to be exploited like file uploads on facebook, invoices, contacts etc.
  • 11. Review of Literature (CSRF) • De Ryck et al. 2012 analyzed emerging web standards in detail from security point of view. They undertook analysis of HTML 5 specifications as well as implementation by major web browsers, and identified 45 security issues. They revealed that through injection of submission controls provided by HTML 5 hidden security tokens from forms can be stolen. As per (Zeller and Felten, 2008) the de facto step against CSRF attack is the use of a unique token to authenticate future requests. Since hidden security tokens can be stolen using injection of submission controls so CSRF attacks are still probable.
  • 12. Cross-site Scripting (XSS) • Iha and Doi, 2009 stated that, Cross-site scripting attack is a technique which injects a malicious dynamic executable code prepared by an attacker into a user's web browser via vulnerable web applications. Typically, the malicious code is written in the language that can be executed dynamically on the web browser (e.g. JavaScript). As the result of the attack to the user's web browser by using the vulnerable web application, the attacker can force the execution of the malicious code into the user's web browser by avoiding the restrictions in the same origin policy.
  • 13. Clickjacking • As of Balduzzi et al. 2010, A malicious page constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all) visible. By stealing the victim‟s clicks, an attacker could force the user to perform an unintended action that is advantageous for the attacker (e.g., initiate an online money transaction).
  • 14. Review of Literature (Local Storage) • Robert McArdle, 2011, described that HTML5 provides a very useful feature of local storage to save persistent data on user‟s system. It allows the information to store as key pairs and can be easily retrieved even through event handlers and javascript. If developers store sensitive information in local storage then attacker may have access to confidential data or even he can delete the storage data without knowledge of user.
  • 15. Review of Literature (Local Storage) • Shreeraj Shah, 2012, explained that HTML5 has the feature of local storage for applications to store some information and is available everywhere within application. This feature provides great flexibility on client side but at the same time leverages a way for attacker to steal information via XSS. Local storage not only gives access to local variables but also to global variables. Global variables may contain important information like usernames, passwords, tokens, hash etc that can easily be exploited by attacker through javascript.
  • 16. Geolocation API • De Ryck, 2012, illustrated that, HTML 5 Geolocation API provides us with fast access to maps and allows users to share their current location on site. A user can check his/her location anytime with just internet available. On the other side, it also violates users‟ confidentiality and integrity. The Geolocation API has built-in caching features which save users‟s position which he visited after certain time period, this can be used by attacker to exploit user‟s data.
  • 17. Problem Statement • To find ultimate defense mechanisms against CSRF attacks in HTML 5
  • 18. Proposed Work • We have proposed a hybrid solution based on Robert McArdle, 2011 and Shreeraj Shah, 2012 in which they used XMLHttpRequest through ajax calls in cross origin domains using HTML 5 Access-Control-Allow-Origin header, and XMLHttpRequest with attribute “withCredentials” set to true, respectively. Our proposed solution is that, for cross origin requests, we set AccessControl-Allow-Origin header in ajax request with additional attribute “withCredentials” set to true and cache to false to avoid CSRF attack.
  • 19. Methodology • For cross domain calls, we need to set header “AccessControl-Allow-Origin” to * or to some specific site which allows resource sharing and attribute “withCredentails” provided by HTML 5 to true for credentialed request and to get data in response through cross domain which allows to save response in cookies leading towards CSRF. If we set an additional attribute cache as false in ajax request which does not allow browsers to save response in cache even in cookies. Each time fresh response would be fetch directly from server. In this way, we can avoid CSRF attack and safely use HTML 5 CORS feature. This would work for HTML 5 online applications but this may not work in HTML 5 offline applications in which response and all connect is saved to cache locally for next time use.
  • 20. Conclusions • We have studied security issues of HTML 5 features and found vulnerabilities in solutions provided. Our main focus has been on CSRF attacks and we have proposed a solution to avoid CSRF attacks while using CORS method of HTML 5. Our proposed solution would work for HTML 5 online applications but as HTML 5 provides us with great and advanced features like offline applications, so this may not be a feasible solution for offline applications.
  • 21. Future Work • We have proposed a solution to avoid CSRF attack against HTML 5 CORS feature. Technically, we envisage to analyse and validate this solution on different websites with different requests in future. Also, we would focus on some more security issues and attacks posed by HTML 5, that may have been present before advent of HTML 5, or may have risen due to HTML 5‟s advance functionality.
  • 22. References • Adam Barth et al. 2008, “Robust defenses for cross-site request forgery”, In Proceedings of the 15th ACM conference on Computer and communications security , pp. 75-88, 2008 • Devdatta Akhawe, Adam Barth, Peifung E. Lam, John Mitchell and Dawn Song, “Towards a Formal Foundation of Web Security”, In Proceedings of 2010 23rd IEEE Computer Security Foundations Symposium, pp. 290-304, 2010 • Doug DePerry, “HTML5 SECURITY THE MODERN WEB BROWSER PERSPECTIVE”, iSEC Partners, December 2012 • Genta Iha, Hiroshi Doi, “An Implementation of the Binding Mechanism in the Web Browser for Preventing XSS Attacks: Introducing the Bind-Value Headers”, In Proceedings of 2009 International Conference on Availability, Reliability and Security, pp. 966-971, 2009 • Lavakumar Kuppan, “Attacking with HTML5”, Attack and Defense Labs, 18th October, 2010
  • 23. References • • • • • • Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel, “A Solution for the Automated Detection of Clickjacking Attacks”, In Proceedings of ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 135-144, April 2010 Philippe De Ryck, Lieven Desmet, Frank Piessens, Wouter Joosen, “A Security Analysis of Emerging Web Standards - Extended Version”, Department of Computer Science, K.U.Leuven, May 2012 Robert McArdle, “HTML5 OVERVIEW: A LOOK AT HTML5 ATTACK SCENARIOS”, Trend Micro Research Labs, 2011 Shreeraj Shah, “HTML5 Top 10 Threats Stealth Attacks and Silent Exploits”, Blueinfy Solutions, March 2012 W3C Editor‟s Draft, “Geolocation API Specification”, http://dev.w3.org/geo/api/spec-source.html, May 2012, Accessed 5th April, 2013 Zeller and Felten, “An Implementation of the Binding Mechanism in the Web Browser for Preventing XSS Attacks: Introducing the Bind-Value Headers”, In Proceedings of 2009 International Conference on Availability, Reliability and Security. Pp. 966-971, 2009.