SlideShare uma empresa Scribd logo

Html5 for Security Folks

n|u - The Open Security Community
n|u - The Open Security Community

null Delhi Chapter - August 2013 Meet

EducaçãoTecnologia
1 de 20
Baixar para ler offline
HTML5 for Security folks!! Have you upgraded your skillset? Vaibhav Gupta Security Researcher - Adobe Twitter: @vaibhavgupta_1
What is HTML5? • The next revision for HTML • Tons of new features/technologies/APIs • Rich multimedia support • Its just an update….old HTML still works! • Blah blah…….“Work in progress”
Information Security Impact • Most attacks are already possible, HTML5 simply makes them easier or more powerful • Great majority of these vulnerabilities affect the browser and doesn’t have any direct impact on the server
Interesting Features • Cross Origin Resource Sharing (CORS) • Web Storage • IFRAME Sandboxing • Web Messaging • Multimedia & Graphics • Getlocation • …… many more!
Cross Origin Resource Sharing
OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US-ASCII Connection: keep-alive Content-Length: 0 Configuring CORS correctly
• Session Hijacking • Confidential Information Risk • User Tracking • Persistent Attack Vectors
IFRAM Sandboxing • Really good security feature ! • “sandbox” attribute disables form submissions, scripts, popups etc. <iframe sandbox src=“http://e.com”></iframe> • Can be relaxed with few tokens <iframe sandbox=“allow-scripts” src=“http://e.com”></iframe> • !! Disables JS based frame busting defense !!
Content Security Policy (CSP)
Enough of CRAP !
References: • Examples: slides.html5rocks.com • Slides content: prezi.com/k2ibkogftt2i/understanding-html5- security • And……google.com

Recomendados

Don't Do what Derpy the Dreadful Dev Does
Don't Do what Derpy the Dreadful Dev DoesDon't Do what Derpy the Dreadful Dev Does
Don't Do what Derpy the Dreadful Dev DoesLiam O'Saurus
 
Mautic landing page setup & case study
Mautic landing page setup & case studyMautic landing page setup & case study
Mautic landing page setup & case studyTim Plummer
 
Joomla 3.5: better—faster—safer
Joomla 3.5: better—faster—saferJoomla 3.5: better—faster—safer
Joomla 3.5: better—faster—safersozzled3904
 
Tuenti teams - Php Conference
Tuenti teams - Php ConferenceTuenti teams - Php Conference
Tuenti teams - Php ConferenceGuille -bisho-
 
Emergency WordPress Troubleshooting
Emergency WordPress TroubleshootingEmergency WordPress Troubleshooting
Emergency WordPress TroubleshootingTiffany Bridge
 
Practical tools for Web Accessibility testing
Practical tools for Web Accessibility testingPractical tools for Web Accessibility testing
Practical tools for Web Accessibility testingToufic Sbeiti
 
HTML5 security
HTML5 securityHTML5 security
HTML5 securitybedney
 
Be Securious – Hack Your Own Site for Better Security
Be Securious – Hack Your Own Site for Better SecurityBe Securious – Hack Your Own Site for Better Security
Be Securious – Hack Your Own Site for Better Securitysecuriously
 

Recomendados

Don't Do what Derpy the Dreadful Dev Does
Don't Do what Derpy the Dreadful Dev DoesDon't Do what Derpy the Dreadful Dev Does
Don't Do what Derpy the Dreadful Dev DoesLiam O'Saurus
 
Mautic landing page setup & case study
Mautic landing page setup & case studyMautic landing page setup & case study
Mautic landing page setup & case studyTim Plummer
 
Joomla 3.5: better—faster—safer
Joomla 3.5: better—faster—saferJoomla 3.5: better—faster—safer
Joomla 3.5: better—faster—safersozzled3904
 
Tuenti teams - Php Conference
Tuenti teams - Php ConferenceTuenti teams - Php Conference
Tuenti teams - Php ConferenceGuille -bisho-
 
Emergency WordPress Troubleshooting
Emergency WordPress TroubleshootingEmergency WordPress Troubleshooting
Emergency WordPress TroubleshootingTiffany Bridge
 
Practical tools for Web Accessibility testing
Practical tools for Web Accessibility testingPractical tools for Web Accessibility testing
Practical tools for Web Accessibility testingToufic Sbeiti
 
HTML5 security
HTML5 securityHTML5 security
HTML5 securitybedney
 
Be Securious – Hack Your Own Site for Better Security
Be Securious – Hack Your Own Site for Better SecurityBe Securious – Hack Your Own Site for Better Security
Be Securious – Hack Your Own Site for Better Securitysecuriously
 
HTML 5
HTML 5HTML 5
HTML 5Prof. Erwin Globio
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
DevTeach Ottawa - Silverlight5 and HTML5
DevTeach Ottawa - Silverlight5 and HTML5DevTeach Ottawa - Silverlight5 and HTML5
DevTeach Ottawa - Silverlight5 and HTML5Frédéric Harper
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
WHAT IS HTML5?(20100510)
WHAT IS HTML5?(20100510)WHAT IS HTML5?(20100510)
WHAT IS HTML5?(20100510)Shumpei Shiraishi
 
Building rich interface components with SharePoint
Building rich interface components with SharePointBuilding rich interface components with SharePoint
Building rich interface components with SharePointLouis-Philippe Lavoie
 
Attacking with html5(lava kumar)
Attacking with html5(lava kumar)Attacking with html5(lava kumar)
Attacking with html5(lava kumar)ClubHack
 
Introduction web tech
Introduction web techIntroduction web tech
Introduction web techLiaquat Rahoo
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
HTML5 (Štěpán Bechynský)
HTML5 (Štěpán Bechynský)HTML5 (Štěpán Bechynský)
HTML5 (Štěpán Bechynský)Národní technická knihovna (NTK)
 
HTML5
HTML5HTML5
HTML5Cygnet Infotech
 
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Three Developer Behaviors to Eliminate 85 Percent of Accessibility DefectsThree Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Three Developer Behaviors to Eliminate 85 Percent of Accessibility DefectsSean Kelly
 
HTML5 - Let’s make the WEB more powerful
HTML5 - Let’s make the WEB more powerfulHTML5 - Let’s make the WEB more powerful
HTML5 - Let’s make the WEB more powerfulNaga Harish M
 
Tapir user manager
Tapir user managerTapir user manager
Tapir user managerPaul Houle
 
Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (US Session)Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (US Session)Raptivity
 
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)Raptivity
 
Html5, Native and Platform based Mobile Applications
Html5, Native and Platform based Mobile ApplicationsHtml5, Native and Platform based Mobile Applications
Html5, Native and Platform based Mobile ApplicationsYoss Cohen
 
Html5
Html5Html5
Html5Western Illinois University Libraries
 
HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentHTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentTilak Joshi
 
Fundamentals of HTML5
Fundamentals of HTML5Fundamentals of HTML5
Fundamentals of HTML5St. Petersburg College
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primern|u - The Open Security Community
 

Mais conteúdo relacionado

Semelhante a Html5 for Security Folks

BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
DevTeach Ottawa - Silverlight5 and HTML5
DevTeach Ottawa - Silverlight5 and HTML5DevTeach Ottawa - Silverlight5 and HTML5
DevTeach Ottawa - Silverlight5 and HTML5Frédéric Harper
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Building rich interface components with SharePoint
Building rich interface components with SharePointBuilding rich interface components with SharePoint
Building rich interface components with SharePointLouis-Philippe Lavoie
 
Attacking with html5(lava kumar)
Attacking with html5(lava kumar)Attacking with html5(lava kumar)
Attacking with html5(lava kumar)ClubHack
 
Introduction web tech
Introduction web techIntroduction web tech
Introduction web techLiaquat Rahoo
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Three Developer Behaviors to Eliminate 85 Percent of Accessibility DefectsThree Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Three Developer Behaviors to Eliminate 85 Percent of Accessibility DefectsSean Kelly
 
HTML5 - Let’s make the WEB more powerful
HTML5 - Let’s make the WEB more powerfulHTML5 - Let’s make the WEB more powerful
HTML5 - Let’s make the WEB more powerfulNaga Harish M
 
Tapir user manager
Tapir user managerTapir user manager
Tapir user managerPaul Houle
 
Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (US Session)Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (US Session)Raptivity
 
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)Raptivity
 
Html5, Native and Platform based Mobile Applications
Html5, Native and Platform based Mobile ApplicationsHtml5, Native and Platform based Mobile Applications
Html5, Native and Platform based Mobile ApplicationsYoss Cohen
 
HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentHTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentTilak Joshi
 

Semelhante a Html5 for Security Folks (20)

HTML 5
HTML 5HTML 5
HTML 5
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
 
DevTeach Ottawa - Silverlight5 and HTML5
DevTeach Ottawa - Silverlight5 and HTML5DevTeach Ottawa - Silverlight5 and HTML5
DevTeach Ottawa - Silverlight5 and HTML5
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
WHAT IS HTML5?(20100510)
WHAT IS HTML5?(20100510)WHAT IS HTML5?(20100510)
WHAT IS HTML5?(20100510)
 
Building rich interface components with SharePoint
Building rich interface components with SharePointBuilding rich interface components with SharePoint
Building rich interface components with SharePoint
 
Attacking with html5(lava kumar)
Attacking with html5(lava kumar)Attacking with html5(lava kumar)
Attacking with html5(lava kumar)
 
Introduction web tech
Introduction web techIntroduction web tech
Introduction web tech
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
HTML5 (Štěpán Bechynský)
HTML5 (Štěpán Bechynský)HTML5 (Štěpán Bechynský)
HTML5 (Štěpán Bechynský)
 
HTML5
HTML5HTML5
HTML5
 
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Three Developer Behaviors to Eliminate 85 Percent of Accessibility DefectsThree Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
 
HTML5 - Let’s make the WEB more powerful
HTML5 - Let’s make the WEB more powerfulHTML5 - Let’s make the WEB more powerful
HTML5 - Let’s make the WEB more powerful
 
Tapir user manager
Tapir user managerTapir user manager
Tapir user manager
 
Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (US Session)Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (US Session)
 
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
 
Html5, Native and Platform based Mobile Applications
Html5, Native and Platform based Mobile ApplicationsHtml5, Native and Platform based Mobile Applications
Html5, Native and Platform based Mobile Applications
 
Html5
Html5Html5
Html5
 
HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentHTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web Development
 
Fundamentals of HTML5
Fundamentals of HTML5Fundamentals of HTML5
Fundamentals of HTML5
 

Mais de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mais de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Último

Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
The Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressThe Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressMaria Paula Aroca
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfChristalin Nelson
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 
4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptxmary850239
 
6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroomSamsung Business USA
 
DiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfDiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfChristalin Nelson
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsArubSultan
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxUnraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxAnupam32727
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Osopher
 
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...DrVipulVKapoor
 

Último (20)

Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
The Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressThe Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian Congress
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdf
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 
4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx
 
6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
DiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfDiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdf
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristics
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Chi-Square Test Non Parametric Test Categorical Variable
Chi-Square Test Non Parametric Test Categorical VariableChi-Square Test Non Parametric Test Categorical Variable
Chi-Square Test Non Parametric Test Categorical Variable
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxUnraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
Plagiarism,forms,understand about plagiarism,avoid plagiarism,key significanc...
Plagiarism,forms,understand about plagiarism,avoid plagiarism,key significanc...Plagiarism,forms,understand about plagiarism,avoid plagiarism,key significanc...
Plagiarism,forms,understand about plagiarism,avoid plagiarism,key significanc...
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
 
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
Geoffrey Chaucer Works II UGC NET JRF TGT PGT MA PHD Entrance Exam II History...
 

Html5 for Security Folks

  • 1. HTML5 for Security folks!! Have you upgraded your skillset? Vaibhav Gupta Security Researcher - Adobe Twitter: @vaibhavgupta_1
  • 2. What is HTML5? • The next revision for HTML • Tons of new features/technologies/APIs • Rich multimedia support • Its just an update….old HTML still works! • Blah blah…….“Work in progress”
  • 3. Information Security Impact • Most attacks are already possible, HTML5 simply makes them easier or more powerful • Great majority of these vulnerabilities affect the browser and doesn’t have any direct impact on the server
  • 4. Interesting Features • Cross Origin Resource Sharing (CORS) • Web Storage • IFRAME Sandboxing • Web Messaging • Multimedia & Graphics • Getlocation • …… many more!
  • 5.
  • 7.
  • 8.
  • 9.
  • 10. OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US-ASCII Connection: keep-alive Content-Length: 0 Configuring CORS correctly
  • 11.
  • 12.
  • 13. • Session Hijacking • Confidential Information Risk • User Tracking • Persistent Attack Vectors
  • 14. IFRAM Sandboxing • Really good security feature ! • “sandbox” attribute disables form submissions, scripts, popups etc. <iframe sandbox src=“http://e.com”></iframe> • Can be relaxed with few tokens <iframe sandbox=“allow-scripts” src=“http://e.com”></iframe> • !! Disables JS based frame busting defense !!
  • 16.
  • 17.
  • 18.
  • 20. References: • Examples: slides.html5rocks.com • Slides content: prezi.com/k2ibkogftt2i/understanding-html5- security • And……google.com