1. HTML5 for Security folks!!
Have you upgraded your skillset?
Vaibhav Gupta
Security Researcher - Adobe
Twitter: @vaibhavgupta_1
2. What is HTML5?
• The next revision for HTML
• Tons of new features/technologies/APIs
• Rich multimedia support
• Its just an update….old HTML still works!
• Blah blah…….“Work in progress”
3. Information Security Impact
• Most attacks are already possible, HTML5
simply makes them easier or more powerful
• Great majority of these vulnerabilities affect
the browser and doesn’t have any direct
impact on the server
4. Interesting Features
• Cross Origin Resource Sharing (CORS)
• Web Storage
• IFRAME Sandboxing
• Web Messaging
• Multimedia & Graphics
• Getlocation
• …… many more!
13. • Session Hijacking
• Confidential Information Risk
• User Tracking
• Persistent Attack Vectors
14. IFRAM Sandboxing
• Really good security feature !
• “sandbox” attribute disables form submissions,
scripts, popups etc.
<iframe sandbox src=“http://e.com”></iframe>
• Can be relaxed with few tokens
<iframe sandbox=“allow-scripts” src=“http://e.com”></iframe>
• !! Disables JS based frame busting defense !!