Html5: attack and defense
Ksenia Peguero
From the Security BSides London 2013 conference.
1.
Software Confidence. Achieved. www.cigital.com info@cigital.com +1.703.404.9293
2.
Who Am I?
• Software security consultant at Cigital
• In security for 4 years
• MS in Computer Science from George Washington University, USA
• Ballroom dancer
7/11/2013 6:59 PM v1.4. © 2012 Cigital Inc. All Rights Reserved. Proprietary and Confidential. 2
3.
HTML5 – a Living Standard
• Cross-origin Resource Sharing (CORS)
• Cross-document Messaging
• Web Storage
• IFRAME Sandboxing
• Browser History Management
• Geo-location Functionality
• etc.
4.
5.
Configuring CORS correctly
Configure the Access-Control-Allow-Origin header:
• Do not use wildcards
• Follow the principle of least privilege
• Configure PROD environment separately from TEST environment
Server configurations:
• IIS7 – web.config
• Apache – mod_headers

Example preflight request and response:
    OPTIONS /usermail HTTP/1.1
    Origin: mail.example.com
    Content-Type: text/html

    HTTP/1.0 200 OK
    Access-Control-Allow-Origin: http://www.example.com, https://login.example.com
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept
    Access-Control-Max-Age: 86400
    Content-Type: text/html; charset=US-ASCII
    Connection: keep-alive
    Content-Length: 0

Apache (mod_headers):
    Header set Access-Control-Allow-Origin http://www.example.com, https://login.example.com
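As an added example (not from the slides), a Node-style origin-allowlist check for the CORS response: browsers accept exactly one origin or "*" in Access-Control-Allow-Origin, so a comma-separated list like the one on the slide is rejected by the browser, and the usual pattern is to echo the single allowlisted origin that matches the request together with Vary: Origin. The allowlists, the environment names and the corsHeaders/normalizeOrigin functions are this example's own.

```javascript
// Added example (not from the slides): build CORS response headers from a
// per-environment allowlist instead of a wildcard or a comma-separated list.
// Browsers accept exactly one origin (or "*") in Access-Control-Allow-Origin,
// so the server echoes the one matching origin and adds "Vary: Origin".

// Hypothetical allowlists. PROD and TEST are configured separately, as the
// slide recommends, so a test origin can never be granted in production.
const ALLOWED_ORIGINS = {
  production: ["http://www.example.com", "https://login.example.com"],
  test: ["https://www.test.example.com"],
};

// Origins are compared as exact strings after normalisation: scheme, host and
// port all matter ("https://www.example.com" !== "http://www.example.com").
function normalizeOrigin(origin) {
  try {
    const u = new URL(origin);
    return u.origin; // lower-cases the host, drops default ports and any path
  } catch (e) {
    return null; // not a syntactically valid origin (e.g. "mail.example.com")
  }
}

// Returns the CORS headers for a request, or null when the Origin is not on
// the allowlist (the caller then sends no Access-Control-* headers at all).
function corsHeaders(requestOrigin, env, opts = {}) {
  const allowlist = ALLOWED_ORIGINS[env] || [];
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !allowlist.includes(origin)) {
    return null;
  }
  const headers = {
    "Access-Control-Allow-Origin": origin, // one origin, never "*" or a list
    "Vary": "Origin",                      // keep shared caches from mixing origins
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
    "Access-Control-Allow-Headers":
      "X-Prototype-Version, X-Requested-With, Content-Type, Accept",
    "Access-Control-Max-Age": "86400",
  };
  if (opts.credentials) {
    // Credentials are only ever granted together with a specific origin.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}
```

Note that the slide's request carries `Origin: mail.example.com`, which is not a syntactically valid origin and is therefore refused by normalizeOrigin before the allowlist is even consulted.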
6.
Web Messaging API
• WHO can send messages?
  • Frames, iframes, parent window
• HOW do they send messages?
  • postMessage(message, target)
  • window.addEventListener
• WHAT is sent in the message?
  • Text data
  • Origin
  • Source
(diagram: Attack)
7.
8.
How to Do Web Messaging Securely
• Validate origin
• Validate data (on the client side)

    window.addEventListener("message", receiveMessage, false);
    …
    // Simple client-side format check for the payload this listener expects
    function validateEmail(value) {
      return typeof value === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
    }

    function receiveMessage(event) {
      …
      // Only accept messages from the one trusted origin
      if (event.origin !== "http://www.example.com") return;
      // Only accept data in the expected format
      if (!validateEmail(event.data)) return;
      // textContent, not innerHTML, so the value is never parsed as markup
      document.getElementById('user_email_address').textContent = event.data;
      …
    }
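The receiver above, as an added example (not the slide's code) written so the origin, type and format decisions can be run outside a browser: createMessageHandler, sendEmailToFrame, the allowlist and the sample events are constructed for this example.

```javascript
// Added example (not from the slides): a postMessage receiver that checks the
// sender's origin against an allowlist and validates the payload before it
// touches the DOM. Written as a factory so the decision logic can be run
// without a browser; the DOM update is passed in as a callback.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // deliberately simple format check

// allowedOrigins: exact origin strings; onEmail: called only with a validated
// address. The handler returns a short decision string for logging and tests.
function createMessageHandler(allowedOrigins, onEmail) {
  const allowed = new Set(allowedOrigins);
  return function receiveMessage(event) {
    // 1. Origin: event.origin is set by the browser and cannot be forged by
    //    the sending page, so this comparison is the trust boundary.
    if (!allowed.has(event.origin)) {
      return "rejected-origin";
    }
    // 2. Type: postMessage can carry any structured-clonable value; accept
    //    only the shape this listener expects.
    if (typeof event.data !== "string") {
      return "rejected-type";
    }
    // 3. Content check on the client side, as the slide recommends.
    if (!EMAIL_RE.test(event.data)) {
      return "rejected-format";
    }
    onEmail(event.data); // e.g. element.textContent = address (never innerHTML)
    return "accepted";
  };
}

// Sender side (browser only): name the target origin explicitly so the
// browser drops the message if the frame has navigated elsewhere; never "*".
function sendEmailToFrame(frameWindow, targetOrigin, email) {
  frameWindow.postMessage(email, targetOrigin);
}

// Constructed events standing in for what the browser would deliver.
const sampleEvents = [
  { origin: "http://www.example.com", data: "ada@example.com" },        // accepted
  { origin: "http://evil.example.net", data: "ada@example.com" },       // wrong origin
  { origin: "http://www.example.com", data: "<b>not an address</b>" },  // bad format
  { origin: "http://www.example.com", data: { email: "ada@example.com" } }, // wrong type
];

function runSamples() {
  const received = [];
  const handler = createMessageHandler(["http://www.example.com"], (e) => received.push(e));
  const decisions = sampleEvents.map(handler);
  return { decisions, received };
}
```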
9.
Web Storage Attacks
• LocalStorage – stored indefinitely
• SessionStorage – tab storage
Issues:
• Client-side trust
• Cross-directory attacks:
  • http://myplatform.com/johnneumann/
  • http://myplatform.com/adalovelace/
10.
Protecting Web Storage
• Do not store sensitive information in localStorage.
• Use sessionStorage whenever possible.
• Clean up localStorage when you don't need it.

    function session_store(user) {
      // sessionStorage lives only as long as the tab, unlike localStorage
      sessionStorage.setItem("username", user.name);
    }

    function get_user() {
      var results = sessionStorage.getItem("username");
      // textContent avoids interpreting the stored value as HTML
      document.getElementById("divb").textContent = "Thanks for registering: " + results;
      // Clean up as soon as the value is no longer needed
      sessionStorage.clear();
    }
11.
Sandbox Attribute
Same Origin Policy
A set of restrictions for the inline iframe:
• "" (no trust)
• allow-same-origin
• allow-top-navigation
• allow-forms
• allow-scripts

    <iframe src="http://www.untrustedpartyiframe.com"> </iframe>
    <iframe src="http://www.untrustedpartyiframe.com" sandbox="allow-same-origin"> </iframe>
    <iframe src="http://www.untrustedpartyiframe.com" sandbox=""> </iframe>
12.
Sandboxing vs Clickjacking
Frame-busting code: WebBanking.html
    <script>
      if (top != self) {
        top.location = self.location;
      }
    </script>
Disabling frame-busting code: AttackerPage.html
    <iframe src="http://bank.com/WebBanking.html" sandbox=""> </iframe>
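Because sandbox="" on the attacker's frame switches off the bank page's scripts, script-based frame-busting cannot be relied on; the added example below (not from the slides) builds the header-based protection the browser applies before any framed script runs, using X-Frame-Options and the CSP frame-ancestors directive. antiFramingHeaders, ancestorSource and the policy object are this example's own.

```javascript
// Added example (not from the slides): header-based clickjacking protection
// for a page like WebBanking.html. The browser enforces these headers before
// any of the framed page's scripts run, so an attacker's sandbox="" (which
// disables scripts, and with them the frame-busting code) has no effect.
// antiFramingHeaders and its policy object are this example's own.

// Validate one allowed ancestor: must be a real origin, never a wildcard.
function ancestorSource(value) {
  if (value.includes("*")) {
    throw new Error("wildcard ancestors defeat the purpose of the policy");
  }
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    throw new Error("ancestor is not a valid origin: " + value);
  }
  return url.origin; // normalised scheme://host[:port], path dropped
}

// policy: { mode: "deny" | "sameorigin" | "allowlist", ancestors?: string[] }
// Returns the response headers to send with the protected page.
function antiFramingHeaders(policy) {
  const headers = {};
  switch (policy.mode) {
    case "deny": // the page is never allowed inside a frame
      headers["X-Frame-Options"] = "DENY";
      headers["Content-Security-Policy"] = "frame-ancestors 'none'";
      break;
    case "sameorigin": // only frames on the page's own origin
      headers["X-Frame-Options"] = "SAMEORIGIN";
      headers["Content-Security-Policy"] = "frame-ancestors 'self'";
      break;
    case "allowlist": { // own origin plus named partner origins
      const sources = (policy.ancestors || []).map(ancestorSource);
      if (sources.length === 0) {
        throw new Error("allowlist policy needs at least one ancestor");
      }
      // X-Frame-Options cannot carry a list of origins; browsers that know
      // frame-ancestors give the CSP directive precedence, older ones fall
      // back to SAMEORIGIN rather than to no protection at all.
      headers["X-Frame-Options"] = "SAMEORIGIN";
      headers["Content-Security-Policy"] =
        "frame-ancestors 'self' " + sources.join(" ");
      break;
    }
    default:
      throw new Error("unknown framing policy: " + policy.mode);
  }
  return headers;
}
```

Send the returned headers with every response for the page (e.g. `res.setHeader(name, value)` in Node's http module); the bank page may keep its frame-busting script as defence in depth, but the headers are what actually hold when the script is disabled.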
13.
14.