SlideShare a Scribd company logo

ciso-platform-annual-summit-2013-5 implications of html5 on security by mherfurt

Priyanka Aash
Priyanka Aash

Presented by Martin Herfurt at CISO Platform Annual Summit, 2013.Martin did a lot of work in the field of Bluetooth Security when he founded the trifinite.group in 2004. Currently, he is working for the German IT-Security firm n.runs professionals along with managing his new venture, toothR.

EducationTechnologyArt & Photos
1 of 9
5 Implications of HTML5 on Security © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
HTML5 Specification • Started in the beginning of 2007 • Still an ongoing effort © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
New Vectors For XSS • New tags for hiding Javascript – Tag for Scalable Vector Graphics (SVG) – video • Autofocus attribute – Automatic code execution with ‘onfocus’ © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
Resident XSS Remains in Browser Code is persistently held in local storage Arthur Janc implemented Browser Rootkit Malicious manipulations cannot be detected by Web application • Possibility for XSS worms • • • • © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
Cross Origin Requests • Allows ressource sharing • Circumvents SOP • New Server has to send header: – Access-Control-Allow-Origin: <name> –… • Allows network scanning – Based on responsecode/timing © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
WebSockets • Bi-directional connections • Can circumvent SOP (with tricks) • Can be used for network scans © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
Web Workers • Sandboxed background execution for javascript • Malicious code – Exhaust ressources © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
Storage • Local Storage – 5-10MB depending on Browser • Session Storage – 5-10MB depending on Browser • WebSQL – Similar attack vectors as usual SQL (injections) • Application Cache – Offline availability for certain files • Access permission based on SOP © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
Thank You http://blog.nruns.com/ Martin Herfurt (n.runs professionals GmbH) © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt

Recommended

mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Mod Security
Mod SecurityMod Security
Mod SecurityAbhishek Singh
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework
 
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connectNur Shiqim Chok
 
Security at the Speed of the Network
Security at the Speed of the NetworkSecurity at the Speed of the Network
Security at the Speed of the NetworkHantzley Tauckoor
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsOPNFV
 
Recipe for good secrets management
Recipe for good secrets managementRecipe for good secrets management
Recipe for good secrets managementKevin Gilpin
 

Recommended

mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Mod Security
Mod SecurityMod Security
Mod SecurityAbhishek Singh
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework
 
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connectNur Shiqim Chok
 
Security at the Speed of the Network
Security at the Speed of the NetworkSecurity at the Speed of the Network
Security at the Speed of the NetworkHantzley Tauckoor
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsOPNFV
 
Recipe for good secrets management
Recipe for good secrets managementRecipe for good secrets management
Recipe for good secrets managementKevin Gilpin
 
'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFV'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFVOPNFV
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Sqreen
 
Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
 
[201702]Qubit Security Pitch deck
[201702]Qubit Security Pitch deck[201702]Qubit Security Pitch deck
[201702]Qubit Security Pitch deckSeungmin Shin
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Securing Azure Infrastructure
Securing Azure InfrastructureSecuring Azure Infrastructure
Securing Azure InfrastructureKarl Ots
 
Enhancing traffic analysis with elk and snort
Enhancing traffic analysis with elk and snortEnhancing traffic analysis with elk and snort
Enhancing traffic analysis with elk and snortYaashan Raj
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherLancope, Inc.
 
7 Security Requirements to Accelerate Cloud Adoption
7 Security Requirements to Accelerate Cloud Adoption7 Security Requirements to Accelerate Cloud Adoption
7 Security Requirements to Accelerate Cloud AdoptionProtectWise
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
The user s identities
The user s identitiesThe user s identities
The user s identitiesGiuliano Latini
 
Linkbynet
LinkbynetLinkbynet
LinkbynetCông Trần Minh
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack SecuredJohn Kinsella
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
Linux routing and firewall for beginners
Linux routing and firewall for beginnersLinux routing and firewall for beginners
Linux routing and firewall for beginnersn|u - The Open Security Community
 
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughSecure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughKhash Nakhostin
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
Decision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionDecision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionThales e-Security
 

More Related Content

What's hot

'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFV'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFVOPNFV
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Sqreen
 
Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Thomas Malmberg
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
 
[201702]Qubit Security Pitch deck
[201702]Qubit Security Pitch deck[201702]Qubit Security Pitch deck
[201702]Qubit Security Pitch deckSeungmin Shin
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Securing Azure Infrastructure
Securing Azure InfrastructureSecuring Azure Infrastructure
Securing Azure InfrastructureKarl Ots
 
Enhancing traffic analysis with elk and snort
Enhancing traffic analysis with elk and snortEnhancing traffic analysis with elk and snort
Enhancing traffic analysis with elk and snortYaashan Raj
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherLancope, Inc.
 
7 Security Requirements to Accelerate Cloud Adoption
7 Security Requirements to Accelerate Cloud Adoption7 Security Requirements to Accelerate Cloud Adoption
7 Security Requirements to Accelerate Cloud AdoptionProtectWise
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecurityLancope, Inc.
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containersAqua Security
 
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughSecure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughKhash Nakhostin
 

What's hot (20)

'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFV'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFV
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing
 
Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...Web Application Firewall - Web Application & Web Services Security integrated...
Web Application Firewall - Web Application & Web Services Security integrated...
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
[201702]Qubit Security Pitch deck
[201702]Qubit Security Pitch deck[201702]Qubit Security Pitch deck
[201702]Qubit Security Pitch deck
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Securing Azure Infrastructure
Securing Azure InfrastructureSecuring Azure Infrastructure
Securing Azure Infrastructure
 
Enhancing traffic analysis with elk and snort
Enhancing traffic analysis with elk and snortEnhancing traffic analysis with elk and snort
Enhancing traffic analysis with elk and snort
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
7 Security Requirements to Accelerate Cloud Adoption
7 Security Requirements to Accelerate Cloud Adoption7 Security Requirements to Accelerate Cloud Adoption
7 Security Requirements to Accelerate Cloud Adoption
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
The user s identities
The user s identitiesThe user s identities
The user s identities
 
Linkbynet
LinkbynetLinkbynet
Linkbynet
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Equifax cyber attack contained by containers
Equifax cyber attack contained by containersEquifax cyber attack contained by containers
Equifax cyber attack contained by containers
 
Linux routing and firewall for beginners
Linux routing and firewall for beginnersLinux routing and firewall for beginners
Linux routing and firewall for beginners
 
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t EnoughSecure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
Secure Remote Access to AWS: Why OpenVPN & Jump Hosts Aren’t Enough
 

Similar to ciso-platform-annual-summit-2013-5 implications of html5 on security by mherfurt

Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
Decision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionDecision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionThales e-Security
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Cisco DevNet
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsKaspersky
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)ColdFusionConference
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...
Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...
Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...HostedbyConfluent
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails applicationclucasKrof
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfibramax
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...
Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...
Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...Curiosity Software Ireland
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Ssl Vpn presentation at CoolTech club
Ssl Vpn presentation at CoolTech clubSsl Vpn presentation at CoolTech club
Ssl Vpn presentation at CoolTech clubiplotnikov
 

Similar to ciso-platform-annual-summit-2013-5 implications of html5 on security by mherfurt (20)

Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
Decision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryptionDecision criteria and analysis for hardware-based encryption
Decision criteria and analysis for hardware-based encryption
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
Introduction to Node.js by Vinothini B
Introduction to Node.js by Vinothini BIntroduction to Node.js by Vinothini B
Introduction to Node.js by Vinothini B
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation Implementing Fast IT Deploying Applications at the Pace of Innovation
Implementing Fast IT Deploying Applications at the Pace of Innovation
 
BlueHat v18 || Scaling security scanning
BlueHat v18 || Scaling security scanningBlueHat v18 || Scaling security scanning
BlueHat v18 || Scaling security scanning
 
Trusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tipsTrusted Environment. Blockchain for business: best practices, experience, tips
Trusted Environment. Blockchain for business: best practices, experience, tips
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...
Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...
Driving a Digital Thread Program in Manufacturing with Apache Kafka | Anu Mis...
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails application
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdf
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...
Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...
Curiosity and fourTheorem present: From Coverage Guesswork to Targeted Test G...
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Ssl Vpn presentation at CoolTech club
Ssl Vpn presentation at CoolTech clubSsl Vpn presentation at CoolTech club
Ssl Vpn presentation at CoolTech club
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 

Recently uploaded (20)

Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 

ciso-platform-annual-summit-2013-5 implications of html5 on security by mherfurt

  • 1. 5 Implications of HTML5 on Security © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 2. HTML5 Specification • Started in the beginning of 2007 • Still an ongoing effort © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 3. New Vectors For XSS • New tags for hiding Javascript – Tag for Scalable Vector Graphics (SVG) – video • Autofocus attribute – Automatic code execution with ‘onfocus’ © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 4. Resident XSS Remains in Browser Code is persistently held in local storage Arthur Janc implemented Browser Rootkit Malicious manipulations cannot be detected by Web application • Possibility for XSS worms • • • • © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 5. Cross Origin Requests • Allows ressource sharing • Circumvents SOP • New Server has to send header: – Access-Control-Allow-Origin: <name> –… • Allows network scanning – Based on responsecode/timing © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 6. WebSockets • Bi-directional connections • Can circumvent SOP (with tricks) • Can be used for network scans © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 7. Web Workers • Sandboxed background execution for javascript • Malicious code – Exhaust ressources © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 8. Storage • Local Storage – 5-10MB depending on Browser • Session Storage – 5-10MB depending on Browser • WebSQL – Similar attack vectors as usual SQL (injections) • Application Cache – Offline availability for certain files • Access permission based on SOP © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt
  • 9. Thank You http://blog.nruns.com/ Martin Herfurt (n.runs professionals GmbH) © 2013, n.runs professionals GmbH – Security Research Team Martin Herfurt