2. n|u
Structure
Session 1
Introduction
HTML 5 Basics
Session 2
What’s inn for me ….Developer ?
Session 3
What’s inn for me …. Ethical Hacker ?
Session 4
What’s inn for me …. Code reviewer/ Webtesting ?
5. n|u
Objective
New Feature - HTML, CSS, DOM, and JavaScript
Error handling
Markup vs Scripting
Independence
How it all Started?
W3C & WHATWG(WebHypertext Application Technology Working Group )
9. n|uHTML5 - New Features
Drag and Drop
<canvas> vs SVG
HTML5 Geolocation
Webforms 2.0
local storage & session storage
HTML5 Cache
Web sockets
Webworkers
Server Sent events
10. n|u
What is SVG?
Vector based graphics
Resolution independence
W3C recommendation
Dom Based
What is Canvas?
Speed
Text rendering capabilities
Graphics quality – Max and Min
Animation and accessibility support
Graphics
15. n|u
XHR and Tags
CSRF, Click jacking, XSS
Thick Features
Exploiting browser SQL ports,
SQLi with web workers and messaging
DOM
Dom based XSS
Protocol attacks
Attack vectors
16. n|uSame origin policy
access of one window to another
same protocol://domain:port
multiple subdomains
Bypass methods
Document.domain property
Cross-Origin Resource Sharing
Cross-document messaging
17. n|u
• API
• Site a.com - Site b.com Text only
Access-Control-Allow-Origin: http://hello-world.example
• XMLHttpRequest - Site a.com to b.com
var client = new XMLHttpRequest() client.open("GET",
"http://www.a.com/hello") client.onreadystatechange = function() { /* do
something */ } client.send()
CORS
• HTTP Request
Access-Control-Request-Method (preflight)
Access-Control-Request-Headers (preflight)
• HTTP Response
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Allow-Expose-Headers
Access-Control-Allow-Max-Age (preflight)
Access-Control-Allow-Allow-Methods (preflight)
Access-Control-Allow-Allow-Headers (preflight)
19. n|u
• API
• Requests directly to a web server and load the server response data
directly back into the script
• XMLHttpRequest - Site a.com to b.com
var client = new XMLHttpRequest() client.open("GET",
"http://www.a.com/hello") client.onreadystatechange = function() { /* do
something */ } client.send()
XHR
20. n|uSand Box
• Sandbox is a security mechanism for separating running programs
• Execute un verified code
• Untrusted users and untrusted websites
• Thirdparty scripts
• Code Snippet
<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
src="https://platform.twitter.com/widgets/tweet_button.html"
style="border: 0; width:130px; height:20px;"></iframe>
What is Canvas?
The HTML5 &lt;canvas&gt; element is used to draw graphics, on the fly, via scripting (usually JavaScript).
The &lt;canvas&gt; element is only a container for graphics. You must use a script to actually draw the graphics.
Canvas has several methods for drawing paths, boxes, circles, characters, and adding images.
What is SVG?
SVG stands for Scalable Vector Graphics
SVG is used to define vector-based graphics for the Web
SVG defines the graphics in XML format
SVG graphics do NOT lose any quality if they are zoomed or resized
Every element and every attribute in SVG files can be animated
SVG is a W3C recommendation
Same origin policy
The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number[1] – to access each other&apos;s methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.[1] Same origin policy also applies to XMLHttpRequest and to robots.txt.[2]
CORS - Cross origin resource sharing
http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-origin from http://example.org.
XMLHttpRequest (XHR) is an API available in web browser scripting languages such as JavaScript. It is used to send HTTP or HTTPS requests directly to a web server and load the server response data directly back into the script
Same origin policy
The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number[1] – to access each other&apos;s methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.[1] Same origin policy also applies to XMLHttpRequest and to robots.txt.[2]
The term &quot;origin&quot; is defined using the domain name, application layer protocol, and (in most browsers) port number of the HTML document running the script. Two resources are considered to be of the same origin if and only if all these values are exactly the same.
In some circumstances the same-origin policy is too restrictive, posing problems for large websites that use multiple subdomains. There are three techniques for relaxing it:
document.domain property
Cross-Origin Resource Sharing
Cross-document messaging