
HTML5 Security, Nimrod Luria, Q.Rity

Application security

Switching

From things that cover only what's known, to things that cover what's possible

Web attack vectors

See list in slides

Encryption

SSL not enough

Same origin/domain policy

HTML5 allows breaking this rule

Facebook was hacked using an HTML5 cross-domain hack

there's a hack to override the function that returns the domain, in order to break it

Top attacks on Web2.0 apps

CSRF

XML poisoning

RSS injection

Malicious AJAX code execution

HTTP request splitting

WSDL scanning & enumeration

RIA binary manipulation

Sometimes the only strategy is to confuse the enemy

because the logic is downloaded & exposed

eg

Threat focuses

1

2

3

Mitigation techniques

Spoofing -> Authentication

Tampering -> Integrity

...

Attacks

XSS

Common injection attacks

CSRF

XPath injection

SQL injection - client side!

Providing file downloads

iframe sandbox

HTML cache poisoning

SQL DB security

Network Reconnaissance

HTML5 Botnets

Distributed password cracking

Hacking Facebook using HTML5

hacked

they took any URL after the hash and executed it via AJAX

the attacker exploited this

See full code in slides

touch.facebook.com is trusted by facebook.com, so the hack enabled full access to any personal data on Facebook
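
The defensive counterpart to loading whatever follows the hash, as an added example (not code from the slides or from Facebook): canonicalize the fragment, resolve it against the page's own origin, and refuse anything that leaves that origin or an allow-listed path. The hostnames, `ALLOWED_PREFIXES` and the function name are assumptions made for illustration.

```javascript
// Added example: decide whether a location.hash value may be fetched via AJAX.
// ALLOWED_PREFIXES and all hostnames are hypothetical, not taken from the talk.
const ALLOWED_PREFIXES = ["/profile/", "/messages/"];

// Returns a same-origin "path?query" string that is safe to request,
// or null when the fragment must not be loaded.
function resolveFragmentTarget(hash, pageOrigin) {
  if (typeof hash !== "string" || !hash.startsWith("#")) return null;

  let raw;
  try {
    // Decode once, before any check, so "%2F%2Fhost" is judged as "//host".
    raw = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (raw.startsWith("!")) raw = raw.slice(1); // tolerate "#!/path" style

  let target;
  try {
    // The URL parser applies the same rules the browser will use, including
    // "//host", "/\host" and absolute "scheme:" forms.
    target = new URL(raw, pageOrigin);
  } catch (e) {
    return null;
  }

  // Reject anything that resolves off the page's origin
  // (javascript: and data: URLs have the opaque origin "null").
  if (target.origin !== new URL(pageOrigin).origin) return null;

  // pathname is already normalized, so "/profile/../admin" is seen as "/admin".
  if (!ALLOWED_PREFIXES.some((p) => target.pathname.startsWith(p))) return null;

  // Hand back only path and query: the caller never receives a host to fetch.
  return target.pathname + target.search;
}
```
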

More resources

http://html5sec.org/

many more in slides