SlideShare a Scribd company logo

HTML5 for Security Folks

Vaibhav Gupta, profile picture
Vaibhav Gupta

The document discusses HTML5 and its impact on information security, emphasizing that while many existing vulnerabilities are enhanced by new features, such as CORS and iframe sandboxing, the majority affect the browser rather than the server. It highlights specific risks associated with improper configuration of these features, including session hijacking and user tracking. Additionally, it mentions the importance of content security policies and provides references for further information.

TechnologyNews & Politics
Related topics:
Web Application SecurityApplication Security
1 of 20
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
HTML5 for Security folks!! Have you upgraded your skillset? Vaibhav Gupta Security Researcher - Adobe Twitter: @vaibhavgupta_1
What is HTML5? • The next revision for HTML • Tons of new features/technologies/APIs • Rich multimedia support • Its just an update….old HTML still works! • Blah blah…….“Work in progress”
Information Security Impact • Most attacks are already possible, HTML5 simply makes them easier or more powerful • Great majority of these vulnerabilities affect the browser and doesn’t have any direct impact on the server
Interesting Features • Cross Origin Resource Sharing (CORS) • Web Storage • IFRAME Sandboxing • Web Messaging • Multimedia & Graphics • Getlocation • …… many more!
HTML5 for Security Folks
Cross Origin Resource Sharing
HTML5 for Security Folks
HTML5 for Security Folks
HTML5 for Security Folks
OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US-ASCII Connection: keep-alive Content-Length: 0 Configuring CORS correctly
HTML5 for Security Folks
HTML5 for Security Folks
• Session Hijacking • Confidential Information Risk • User Tracking • Persistent Attack Vectors
IFRAM Sandboxing • Really good security feature ! • “sandbox” attribute disables form submissions, scripts, popups etc. <iframe sandbox src=“http://e.com”></iframe> • Can be relaxed with few tokens <iframe sandbox=“allow-scripts” src=“http://e.com”></iframe> • !! Disables JS based frame busting defense !!
Content Security Policy (CSP)
HTML5 for Security Folks
HTML5 for Security Folks
HTML5 for Security Folks
Enough of CRAP !
References: • Examples: slides.html5rocks.com • Slides content: prezi.com/k2ibkogftt2i/understanding-html5- security • And……google.com

More Related Content

PPTX
Html5 security
Krishna T
 
PPTX
JSFoo Chennai 2012
Krishna T
 
PPTX
Secure web messaging in HTML5
Krishna T
 
PPTX
Browser Internals-Same Origin Policy
Krishna T
 
PPTX
Clickjacking DevCon2011
Krishna T
 
PPT
Browser Security
Roberto Suggi Liverani
 
PPTX
Browser Security 101
Stormpath
 
PDF
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Html5 security
Krishna T
 
JSFoo Chennai 2012
Krishna T
 
Secure web messaging in HTML5
Krishna T
 
Browser Internals-Same Origin Policy
Krishna T
 
Clickjacking DevCon2011
Krishna T
 
Browser Security
Roberto Suggi Liverani
 
Browser Security 101
Stormpath
 
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 

What's hot (20)

PPT
Web browser privacy and security
amiable_indian
 
PDF
Java EE 6 Security in practice with GlassFish
Markus Eisele
 
PPTX
14. html 5 security considerations
Eoin Keary
 
PDF
Html5 for Security Folks
n|u - The Open Security Community
 
PDF
Browser Horror Stories
EC-Council
 
PDF
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
PDF
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
PPTX
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
PPTX
Devouring Security XML Attack surface and Defences
gmaran23
 
PDF
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
PDF
Browser security — ROOTS
Andre N. Klingsheim
 
PPT
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
 
PDF
Html5 localstorage attack vectors
Shreeraj Shah
 
PDF
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
PDF
New Insights into Clickjacking
Marco Balduzzi
 
PPTX
MITM Attacks on HTTPS: Another Perspective
GreenD0g
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PPTX
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
PDF
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
PDF
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Web browser privacy and security
amiable_indian
 
Java EE 6 Security in practice with GlassFish
Markus Eisele
 
14. html 5 security considerations
Eoin Keary
 
Html5 for Security Folks
n|u - The Open Security Community
 
Browser Horror Stories
EC-Council
 
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
Advanced Chrome extension exploitation
Krzysztof Kotowicz
 
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
Devouring Security XML Attack surface and Defences
gmaran23
 
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
Browser security — ROOTS
Andre N. Klingsheim
 
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
 
Html5 localstorage attack vectors
Shreeraj Shah
 
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
New Insights into Clickjacking
Marco Balduzzi
 
MITM Attacks on HTTPS: Another Perspective
GreenD0g
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Browser Security by pratimesh Pathak ( Buldhana)
Pratimesh Pathak
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Ad

Viewers also liked (6)

PPT
HTML Binary Hacks & GIF89a Ployglot
takesako
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
PPT
OAuth 2.0 & Security Considerations
Vaibhav Gupta
 
PPTX
Application Security Risk Rating
Vaibhav Gupta
 
PDF
Security Automation using ZAP
Vaibhav Gupta
 
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
HTML Binary Hacks & GIF89a Ployglot
takesako
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
OAuth 2.0 & Security Considerations
Vaibhav Gupta
 
Application Security Risk Rating
Vaibhav Gupta
 
Security Automation using ZAP
Vaibhav Gupta
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Mathias Karlsson
 
Ad

Similar to HTML5 for Security Folks (20)

PPT
HTML 5
Prof. Erwin Globio
 
PDF
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
PDF
DevTeach Ottawa - Silverlight5 and HTML5
Frédéric Harper
 
PDF
Html5 Application Security
chuckbt
 
KEY
WHAT IS HTML5?(20100510)
Shumpei Shiraishi
 
PPTX
Building rich interface components with SharePoint
Louis-Philippe Lavoie
 
PDF
Attacking with html5(lava kumar)
ClubHack
 
PPT
Introduction web tech
Liaquat Rahoo
 
PPTX
Owasp2013 johannesullrich
drewz lin
 
PPTX
HTML5 (Štěpán Bechynský)
Národní technická knihovna (NTK)
 
PDF
HTML5
Cygnet Infotech
 
PPTX
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Sean Kelly
 
PPTX
HTML5 - Let’s make the WEB more powerful
Naga Harish M
 
PPT
Tapir user manager
Paul Houle
 
PPTX
Implementing a Multi-Device Approach to E-learning Design (US Session)
Raptivity
 
PPTX
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Raptivity
 
PDF
Html5, Native and Platform based Mobile Applications
Yoss Cohen
 
PPTX
Html5
Western Illinois University Libraries
 
PPT
HTML5: An Introduction To Next Generation Web Development
Tilak Joshi
 
PPTX
Fundamentals of HTML5
St. Petersburg College
 
HTML 5
Prof. Erwin Globio
 
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
DevTeach Ottawa - Silverlight5 and HTML5
Frédéric Harper
 
Html5 Application Security
chuckbt
 
WHAT IS HTML5?(20100510)
Shumpei Shiraishi
 
Building rich interface components with SharePoint
Louis-Philippe Lavoie
 
Attacking with html5(lava kumar)
ClubHack
 
Introduction web tech
Liaquat Rahoo
 
Owasp2013 johannesullrich
drewz lin
 
HTML5 (Štěpán Bechynský)
Národní technická knihovna (NTK)
 
HTML5
Cygnet Infotech
 
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Sean Kelly
 
HTML5 - Let’s make the WEB more powerful
Naga Harish M
 
Tapir user manager
Paul Houle
 
Implementing a Multi-Device Approach to E-learning Design (US Session)
Raptivity
 
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Raptivity
 
Html5, Native and Platform based Mobile Applications
Yoss Cohen
 
Html5
Western Illinois University Libraries
 
HTML5: An Introduction To Next Generation Web Development
Tilak Joshi
 
Fundamentals of HTML5
St. Petersburg College
 

Recently uploaded (20)

PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Cloud computing and distributed systems.
kkkkkhan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 

HTML5 for Security Folks

  • 1. HTML5 for Security folks!! Have you upgraded your skillset? Vaibhav Gupta Security Researcher - Adobe Twitter: @vaibhavgupta_1
  • 2. What is HTML5? • The next revision for HTML • Tons of new features/technologies/APIs • Rich multimedia support • Its just an update….old HTML still works! • Blah blah…….“Work in progress”
  • 3. Information Security Impact • Most attacks are already possible, HTML5 simply makes them easier or more powerful • Great majority of these vulnerabilities affect the browser and doesn’t have any direct impact on the server
  • 4. Interesting Features • Cross Origin Resource Sharing (CORS) • Web Storage • IFRAME Sandboxing • Web Messaging • Multimedia & Graphics • Getlocation • …… many more!
  • 10. OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US-ASCII Connection: keep-alive Content-Length: 0 Configuring CORS correctly
  • 13. • Session Hijacking • Confidential Information Risk • User Tracking • Persistent Attack Vectors
  • 14. IFRAM Sandboxing • Really good security feature ! • “sandbox” attribute disables form submissions, scripts, popups etc. <iframe sandbox src=“http://e.com”></iframe> • Can be relaxed with few tokens <iframe sandbox=“allow-scripts” src=“http://e.com”></iframe> • !! Disables JS based frame busting defense !!
  • 20. References: • Examples: slides.html5rocks.com • Slides content: prezi.com/k2ibkogftt2i/understanding-html5- security • And……google.com