Html5: attack and defense
Ksenia Peguero
From the Security BSides London 2013 conference.
1.
Software Confidence. Achieved.
www.cigital.com | info@cigital.com | +1.703.404.9293
2.
Who Am I?
• Software security consultant at Cigital
• In security for 4 years
• MS in Computer Science from George Washington University, USA
• Ballroom dancer
7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
3.
HTML5 – a Living Standard
• Cross-origin Resource Sharing (CORS)
• Cross-document Messaging
• Web Storage
• IFRAME Sandboxing
• Browser History Management
• Geo-location Functionality
• etc.
5.
Configuring CORS correctly
Configure the Access-Control-Allow-Origin header:
• Do not use wildcards
• Follow the principle of least privilege
• Configure PROD environment separately from TEST environment
Server configurations:
• IIS7 – web.config
• Apache – mod_headers

Request:
    OPTIONS /usermail HTTP/1.1
    Origin: mail.example.com
    Content-Type: text/html

Response:
    HTTP/1.0 200 OK
    Access-Control-Allow-Origin: http://www.example.com, https://login.example.com
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept
    Access-Control-Max-Age: 86400
    Content-Type: text/html; charset=US-ASCII
    Connection: keep-alive
    Content-Length: 0

Apache (mod_headers):
    Header set Access-Control-Allow-Origin http://www.example.com, https://login.example.com
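The three rules on this slide (no wildcard, least privilege, separate PROD and TEST allowlists) are easiest to enforce on the server by matching the request's Origin against a per-environment allowlist and echoing back only the one origin that matched. The following is an added example, not code from the slides or from Cigital; the allowlists, environment names and header set are constructed for illustration. One caveat it also encodes: Access-Control-Allow-Origin carries exactly one origin (or "*"), so a server that needs to serve several origins must select the matching one per request rather than list them all in one header value.

```javascript
// Added example: per-environment CORS allowlist with exact-origin matching.
// Allowlists are constructed for this example; PROD and TEST are kept apart
// so a development-only origin never leaks into production.
const ALLOWED_ORIGINS = {
  prod: ["https://www.example.com", "https://login.example.com"],
  test: ["https://www.example.com", "https://login.example.com", "http://localhost:8080"],
};

const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["X-Requested-With", "Content-Type", "Accept"];

// Returns the CORS response headers for a request whose Origin header is
// `origin` (undefined when the request carried none). An origin that is not
// on the allowlist gets no CORS headers at all, so the browser blocks the
// cross-origin read.
function corsHeaders(origin, env = "prod", preflight = false) {
  const allowlist = ALLOWED_ORIGINS[env];
  if (!allowlist) throw new Error(`unknown environment: ${env}`);

  // Exact string comparison only: no wildcard, no prefix or regex match
  // (which "https://www.example.com.evil.net" would pass), and the literal
  // "null" origin (sandboxed iframes, file://) is never accepted.
  if (typeof origin !== "string" || origin === "null" || !allowlist.includes(origin)) {
    return {};
  }

  const headers = {
    // Exactly one origin: the one that matched.
    "Access-Control-Allow-Origin": origin,
    // The response now depends on Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
  if (preflight) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "86400";
  }
  return headers;
}

// The misconfiguration the slide warns against, as a check: a wildcard lets
// any site read the response.
function isWildcard(headers) {
  return headers["Access-Control-Allow-Origin"] === "*";
}
```

In a real handler the preflight branch is selected when the request method is OPTIONS; the example keeps it as a parameter so the decision logic can be exercised without an HTTP server.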
6.
Web Messaging API
• WHO can send messages?
  • Frames, iframes, parent window
• HOW do they send messages?
  • postMessage(message, target)
  • window.addEventListener
• WHAT is sent in the message?
  • Text data
  • Origin
  • Source
8.
How to Do Web Messaging Securely
• Validate origin
• Validate data (on the client side)

    window.addEventListener("message", receiveMessage, false);
    …
    function receiveMessage(event) {
        …
        // Only accept messages from the expected origin.
        if (event.origin !== "http://www.example.com") return;
        // Validate the payload even though the origin is trusted
        // (validateEmail is defined elsewhere on the page).
        if (!validateEmail(event.data)) return;
        // textContent, not innerHTML: the value is never parsed as markup.
        document.getElementById('user_email_address').textContent = event.data;
        …
    }
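The slide's handler folds the origin check, the data check and the DOM write into one function. The added example below (not code from the slides; the allowlist, the validateEmail body and the sender helper are assumptions made for illustration) splits the decision out into a pure function so it can be exercised without a browser, and adds the sending side, where the second argument to postMessage names the target origin rather than "*".

```javascript
// Added example: origin and payload validation for window.postMessage.
// Constructed allowlist of origins this page accepts messages from.
const TRUSTED_ORIGINS = ["https://www.example.com"];

// Assumed shape of the slide's validateEmail: a purely syntactic check.
function validateEmail(value) {
  return typeof value === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Decides what to do with a MessageEvent-like object {origin, data}.
// Returns {accept: false, reason} or {accept: true, value}.
function decideMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  // 1. Origin: exact match against the allowlist. startsWith/indexOf checks
  //    would accept "https://www.example.com.evil.net".
  if (!trustedOrigins.includes(event.origin)) {
    return { accept: false, reason: "untrusted origin" };
  }
  // 2. Data: a trusted origin can still relay user-controlled input, so the
  //    payload is validated on its own.
  if (!validateEmail(event.data)) {
    return { accept: false, reason: "payload is not an email address" };
  }
  return { accept: true, value: event.data };
}

// Browser glue: the only part that touches the DOM. textContent keeps the
// value from being interpreted as markup.
function receiveMessage(event) {
  const decision = decideMessage(event);
  if (!decision.accept) return;
  document.getElementById("user_email_address").textContent = decision.value;
}

// Sender side. A targetOrigin of "*" would deliver the message to whatever
// document happens to be loaded in targetWindow, so it is refused here.
function sendEmail(targetWindow, email, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to post to any origin");
  targetWindow.postMessage(email, targetOrigin);
}

if (typeof window !== "undefined") {
  window.addEventListener("message", receiveMessage, false);
}
```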
9.
Web Storage Attacks
LocalStorage – stored indefinitely
SessionStorage – tab storage
Issues:
• Client-side trust
• Cross-directory attacks:
  • http://myplatform.com/johnneumann/
  • http://myplatform.com/adalovelace/
10.
Protecting Web Storage
• Do not store sensitive information in localStorage.
• Use sessionStorage whenever possible.
• Clean up localStorage when you don't need it.

    // Keep the value in per-tab sessionStorage rather than localStorage.
    function session_store(user) {
        sessionStorage.setItem("username", user.name);
    }
    function get_user() {
        var results = sessionStorage.getItem("username");
        // textContent, not innerHTML, so the stored value is not parsed as markup.
        document.getElementById("divb").textContent = "Thanks for registering: " + results;
        // Remove the value as soon as it has been used.
        sessionStorage.clear();
    }
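The three rules on this slide, and the cross-directory issue on the previous one, can be enforced by a thin wrapper rather than by convention in every call site. The following is an added example, not code from the slides: the in-memory Storage stand-in, the list of sensitive keys and the policy class are all constructed here so the code runs outside a browser; in a page you would pass window.localStorage and window.sessionStorage to the constructor instead.

```javascript
// Added example: a storage policy wrapper for Web Storage.

// Minimal stand-in for the browser Storage interface (constructed so the
// example runs in Node). Web Storage is scoped to the origin, not the path,
// so http://myplatform.com/johnneumann/ and http://myplatform.com/adalovelace/
// share one store exactly as two callers sharing one MemoryStorage would.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
  get length() { return this.map.size; }
}

// Constructed list of keys the application treats as sensitive. These may
// only live in sessionStorage, and only until they have been consumed.
const SENSITIVE_KEYS = new Set(["session_token", "password", "credit_card"]);

class StoragePolicy {
  constructor(local, session) {
    this.local = local;     // persists across browser restarts: least trusted
    this.session = session; // per tab, discarded when the tab closes
  }

  // Persistent storage is refused for sensitive keys: any script on the
  // same origin, from any directory, could read them back indefinitely.
  setPersistent(key, value) {
    if (SENSITIVE_KEYS.has(key)) {
      throw new Error(`refusing to put sensitive key "${key}" in localStorage`);
    }
    this.local.setItem(key, value);
  }

  setForSession(key, value) {
    this.session.setItem(key, value);
  }

  // Read-once: the value is removed as soon as it has been consumed, the
  // same idea as the slide's sessionStorage.clear() after displaying the name.
  takeFromSession(key) {
    const value = this.session.getItem(key);
    this.session.removeItem(key);
    return value;
  }

  // Called on logout: nothing the user left behind should outlive the session.
  wipe() {
    this.local.clear();
    this.session.clear();
  }
}
```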
11.
Sandbox Attribute
    <iframe src="http://www.untrustedpartyiframe.com"> </iframe>
Same Origin Policy
A set of restrictions for the inline iframe:
• "" (no trust)
• allow-same-origin
• allow-top-navigation
• allow-forms
• allow-scripts

    <iframe src="http://www.untrustedpartyiframe.com" sandbox="allow-same-origin"> </iframe>
    <iframe src="http://www.untrustedpartyiframe.com" sandbox=""> </iframe>
12.
Sandboxing vs Clickjacking
Frame-busting code: WebBanking.html
    <script>
    if (top != self) {
        top.location = self.location;
    }
    </script>
Disabling frame-busting code: AttackerPage.html
    <iframe src="http://bank.com/WebBanking.html" sandbox=""> </iframe>
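Slides 11 and 12 make two complementary points: the embedding page should hand an untrusted iframe only the capabilities it needs, and the embedded page cannot rely on frame-busting JavaScript because a sandbox="" attribute prevents that script from running at all. The added example below (not code from the slides; the token allowlist is limited to the values the slide lists, and the header helper is my addition) builds a sandbox attribute from a capability list, refuses a combination that undoes the sandbox, and shows the response headers a page like WebBanking.html can send so the browser refuses to frame it before any script runs.

```javascript
// Added example: sandbox attribute construction and anti-framing headers.

// Tokens as listed on the slide. Browsers accept further tokens, but this
// allowlist is deliberately restricted to those.
const SANDBOX_TOKENS = new Set([
  "allow-same-origin",
  "allow-top-navigation",
  "allow-forms",
  "allow-scripts",
]);

// Returns the value for <iframe sandbox="..."> given the capabilities the
// third-party content actually needs. An empty list yields "" (no trust).
function sandboxAttribute(capabilities) {
  const tokens = [...new Set(capabilities)];
  for (const t of tokens) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  // allow-scripts together with allow-same-origin lets framed content that is
  // same-origin with the parent reach the parent document and remove the
  // sandbox attribute itself, so the pair is refused for untrusted content.
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin defeats the sandbox");
  }
  return tokens.sort().join(" ");
}

// The frame-busting script on WebBanking.html never runs inside
// <iframe sandbox="">. A page that must not be framed should say so in
// response headers instead, which the browser enforces before loading it.
// allowSelf=true permits framing by the page's own origin only.
function antiFramingHeaders(allowSelf = false) {
  return allowSelf
    ? {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
      }
    : {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
      };
}
```

Both headers are sent together because older browsers honour only X-Frame-Options while current ones prefer the CSP frame-ancestors directive when both are present.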