HTML5 for Security folks!!
Have you upgraded your skillset?
Vaibhav Gupta
Security Researcher - Adobe
Twitter: @vaibhavgup...
What is HTML5?
• The next revision for HTML
• Tons of new features/technologies/APIs
• Rich multimedia support
• Its just ...
Information Security Impact
• Most attacks are already possible, HTML5
simply makes them easier or more powerful
• Great m...
Interesting Features
• Cross Origin Resource Sharing (CORS)
• Web Storage
• IFRAME Sandboxing
• Web Messaging
• Multimedia...
Cross Origin Resource Sharing
OPTIONS /usermail HTTP/1.1
Origin: mail.example.com
Content-Type: text/html
HTTP/1.0 200 OK
Access-Control-Allow-Origin: h...
• Session Hijacking
• Confidential Information Risk
• User Tracking
• Persistent Attack Vectors
IFRAM Sandboxing
• Really good security feature !
• “sandbox” attribute disables form submissions,
scripts, popups etc.
<i...
Content Security Policy (CSP)
Enough of CRAP !
References:
• Examples: slides.html5rocks.com
• Slides content:
prezi.com/k2ibkogftt2i/understanding-html5-
security
• And...
Html5 for Security Folks
Html5 for Security Folks
Html5 for Security Folks
Html5 for Security Folks
Html5 for Security Folks
Html5 for Security Folks
Html5 for Security Folks
Html5 for Security Folks
Html5 for Security Folks
Upcoming SlideShare
Loading in …5
×

Html5 for Security Folks

1,509 views

Published on

null Delhi Chapter - August 2013 Meet

Published in: Education, Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,509
On SlideShare
0
From Embeds
0
Number of Embeds
364
Actions
Shares
0
Downloads
25
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Html5 for Security Folks

  1. 1. HTML5 for Security folks!! Have you upgraded your skillset? Vaibhav Gupta Security Researcher - Adobe Twitter: @vaibhavgupta_1
  2. 2. What is HTML5? • The next revision for HTML • Tons of new features/technologies/APIs • Rich multimedia support • Its just an update….old HTML still works! • Blah blah…….“Work in progress”
  3. 3. Information Security Impact • Most attacks are already possible, HTML5 simply makes them easier or more powerful • Great majority of these vulnerabilities affect the browser and doesn’t have any direct impact on the server
  4. 4. Interesting Features • Cross Origin Resource Sharing (CORS) • Web Storage • IFRAME Sandboxing • Web Messaging • Multimedia & Graphics • Getlocation • …… many more!
  5. 5. Cross Origin Resource Sharing
  6. 6. OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US-ASCII Connection: keep-alive Content-Length: 0 Configuring CORS correctly
  7. 7. • Session Hijacking • Confidential Information Risk • User Tracking • Persistent Attack Vectors
  8. 8. IFRAM Sandboxing • Really good security feature ! • “sandbox” attribute disables form submissions, scripts, popups etc. <iframe sandbox src=“http://e.com”></iframe> • Can be relaxed with few tokens <iframe sandbox=“allow-scripts” src=“http://e.com”></iframe> • !! Disables JS based frame busting defense !!
  9. 9. Content Security Policy (CSP)
  10. 10. Enough of CRAP !
  11. 11. References: • Examples: slides.html5rocks.com • Slides content: prezi.com/k2ibkogftt2i/understanding-html5- security • And……google.com

×