Html5: attack and defense
Ksenia Peguero
From the Security BSides London 2013 conference.
1.
Software Confidence. Achieved. www.cigital.com info@cigital.com +1.703.404.9293
2.
Who Am I?
• Software security consultant at Cigital
• In security for 4 years
• MS in Computer Science from George Washington University, USA
• Ballroom dancer
7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
3.
HTML5 – a Living Standard
• Cross-origin Resource Sharing (CORS)
• Cross-document Messaging
• Web Storage
• IFRAME Sandboxing
• Browser History Management
• Geo-location Functionality
• etc.
4.
5.
Configuring CORS correctly
Configure the Access-Control-Allow-Origin header:
• Do not use wildcards
• Follow the principle of least privilege
• Configure PROD environment separately from TEST environment
Server configurations:
• IIS7 – web.config
• Apache – mod_headers

Preflight exchange shown on the slide:

```http
OPTIONS /usermail HTTP/1.1
Origin: mail.example.com
Content-Type: text/html

HTTP/1.0 200 OK
Access-Control-Allow-Origin: http://www.example.com, https://login.example.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 86400
Content-Type: text/html; charset=US-ASCII
Connection: keep-alive
Content-Length: 0
```

Apache mod_headers directive shown on the slide:

```apache
Header set Access-Control-Allow-Origin http://www.example.com, https://login.example.com
```
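The allowlist approach from this slide as an added example (not code from the slides or from Cigital): browsers honour only a single value in Access-Control-Allow-Origin, so the server compares the request's Origin against a per-environment allowlist and reflects exactly the matching origin. The hostnames, the environment names and the handleRequest shape are assumptions made for the example.

```javascript
// Added example, not code from the slides: per-request CORS origin allowlist.
// Browsers honour only a single value in Access-Control-Allow-Origin, so an
// allowlist is enforced by reflecting the one matching origin, never by
// listing several origins in one header and never with "*".

// Allowlists kept per environment so TEST origins never reach PROD.
// Hostnames are constructed for this example.
const ALLOWED_ORIGINS = {
  prod: new Set(["http://www.example.com", "https://login.example.com"]),
  test: new Set(["http://www.example.com", "http://test.example.com:8080"]),
};

const ALLOWED_METHODS = "POST, GET, OPTIONS";
const ALLOWED_HEADERS =
  "X-Prototype-Version, X-Requested-With, Content-Type, Accept";

// Returns the CORS response headers for a request, or null when the Origin
// is not on the allowlist. A response without CORS headers is the safe
// default: the browser then refuses to expose it to the calling page.
function corsHeaders(env, requestOrigin) {
  const allowed = ALLOWED_ORIGINS[env];
  if (!allowed || typeof requestOrigin !== "string") return null;
  // Exact match on scheme, host and port. A prefix or substring match
  // would also accept origins such as "https://login.example.com.attacker.test".
  if (!allowed.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Methods": ALLOWED_METHODS,
    "Access-Control-Allow-Headers": ALLOWED_HEADERS,
    "Access-Control-Max-Age": "86400",
    // The header now varies by Origin, so caches must key on it.
    "Vary": "Origin",
  };
}

// Minimal request handler sketch (assumed shape, not any framework's API):
// preflights get 204 with the headers, unknown origins get no CORS headers.
function handleRequest(env, req) {
  const headers = corsHeaders(env, req.headers["origin"]);
  if (req.method === "OPTIONS") {
    return { status: headers ? 204 : 403, headers: headers || {}, body: "" };
  }
  return { status: 200, headers: headers || {}, body: "ok" };
}
```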
6.
Web Messaging API
• WHO can send messages?
  • Frames, iframes, parent window
• HOW do they send messages?
  • postMessage(message, target)
  • window.addEventListener
• WHAT is sent in the message?
  • Text data
  • Origin
  • Source
7.
8.
How to Do Web Messaging Securely
• Validate origin
• Validate data (on the client side)

```javascript
window.addEventListener("message", receiveMessage, false);
// …
function receiveMessage(event) {
  // …
  // Only accept messages posted from the expected origin.
  if (event.origin !== "http://www.example.com") return;
  // Validate the payload even though the origin is trusted.
  if (!validateEmail(event.data)) return;
  // Write the value as text, not as HTML.
  document.getElementById('user_email_address').textContent = event.data;
  // …
}
```
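The two checks from this slide carried through to a complete receiver and sender, as an added example (not code from the slides): the decision is kept in a pure function so it can be exercised without a browser. The trusted origin, the element id, the validateEmail rule and the sendEmail helper are assumptions made for the example.

```javascript
// Added example, not code from the slides: origin and data validation for
// window.postMessage, plus an explicit targetOrigin on the sending side.

// Constructed for this example; a real page lists its own trusted origins.
const TRUSTED_ORIGINS = new Set(["http://www.example.com"]);

// Conservative email check: one "@", a dot in the domain, no whitespace and
// no quote or angle-bracket characters that matter if the value is ever
// reflected into markup elsewhere.
function validateEmail(value) {
  return typeof value === "string" &&
    value.length <= 254 &&
    /^[^\s@<>"']+@[^\s@<>"']+\.[^\s@<>"']+$/.test(value);
}

// Pure decision function: returns the email to display, or null when the
// message must be ignored. Takes any object with origin and data fields.
function acceptMessage(event) {
  // event.origin is filled in by the browser, not by the sender, so it is
  // the only field that reliably identifies who posted the message.
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  // The payload stays untrusted even from a trusted origin: that page may
  // itself be compromised, or may relay input it never validated.
  if (!validateEmail(event.data)) return null;
  return event.data;
}

function receiveMessage(event) {
  const email = acceptMessage(event);
  if (email === null) return;
  // textContent, never innerHTML, so the value is rendered as plain text.
  document.getElementById("user_email_address").textContent = email;
}

// Sender side: name the target origin explicitly. With "*" the message is
// delivered to whatever document currently occupies the target frame.
function sendEmail(targetWindow, email) {
  targetWindow.postMessage(email, "http://www.example.com");
}

// Register the listener only when running inside a browser window.
if (typeof window !== "undefined") {
  window.addEventListener("message", receiveMessage, false);
}
```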
9.
Web Storage Attacks
LocalStorage (stored indefinitely) and SessionStorage (tab storage)
Issues:
• Client-side trust
• Cross-directory attacks:
  • http://myplatform.com/johnneumann/
  • http://myplatform.com/adalovelace/
10.
Protecting Web Storage
• Do not store sensitive information in localStorage.
• Use sessionStorage whenever possible.
• Clean up localStorage when you don't need it.

```javascript
function session_store(user) {
  sessionStorage.setItem("username", user.name);
}

function get_user() {
  var results = sessionStorage.getItem("username");
  document.getElementById("divb").textContent = "Thanks for registering:" + results;
  // Remove the stored value as soon as it has been used.
  sessionStorage.clear();
}
```
11.
<iframe src="http://www.untrustedpartyiframe.com"> </iframe> Sandbox
Attribute Same Origin Policy A set of restrictions for the inline iframe: •"" (no trust) •allow-same-origin •allow-top-navigation •allow-forms •allow-scripts 7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 11 <iframe src="http://www.untrustedpartyiframe.com" sandbox="allow-same-origin"> </iframe> <iframe src="http://www.untrustedpartyiframe.com" sandbox=""> </iframe>
12.
Sandboxing vs Clickjacking
Frame-busting code: WebBanking.html

```html
<script>
  if (top != self) {
    top.location = self.location;
  }
</script>
```

Disabling frame-busting code: AttackerPage.html

```html
<iframe src="http://bank.com/WebBanking.html" sandbox=""> </iframe>
```
13.
14.