HTML5 Security, Nimrod Luria, Q.Rity (mind map)

Application security

Switching

from: Firewall, Anti-virus, SSL

to: Architecture, Code

From things that cover only what's known, to things that cover what's possible

Web attack vectors

See list in slides

Encryption

SSL not enough

not just in transport, but also in messages

E.g., a wireless provider can terminate SSL

Same origin/domain policy

HTML5 allows breaking this rule

Facebook was hacked using an HTML5 cross-domain hack

there's a hack that overrides the function that returns the domain, in order to break it

Top attacks on Web2.0 apps

CSRF

XML poisoning

sends many children of some node; the number of children is not limited

RSS injection

Malicious AJAX code execution

HTTP request splitting

WSDL scanning & enumeration

RIA binary manipulation

Sometimes the only strategy is to confuse the enemy

because the logic is downloaded & exposed

e.g., change signatures, fake requests, etc.

Threat focuses

1. Drive-by download, e.g. (spear) phishing

2. Code obfuscation: hide the exploit vector, evasion of signature-based detection

3. Compromised web sites: malicious code injected into hacked web sites

Mitigation techniques

Spoofing -> Authentication

Strong authentication - using something you have, vs something you know

Tampering -> Integrity

Sign transaction

...

(see in slides)

Attacks

XSS

e.g., send a link by email that steals your cookie and sends it to some site

See some 10 XSS techniques in slides

Defending: don't trust user input; do use encoding, and validate each request

Common injection attacks

See list in slides

CSRF

Merged sessions, supported everywhere, mean that if you have a very secure web site, & you open in another tab a new site that keeps its session active, then hibernate the machine & open it again, the session of the secure site will still be active

to avoid: use POST for side-effect operations, ... (see slides)

XPath injection

SQL injection - client side!

hack the local data, & then invoke server APIs with the manipulated data, e.g. send a tweet from the account of Bill Gates

Providing file downloads

PDF links can execute JavaScript, e.g. http://.../example.pdf#something=javascript:alert('something')

Don't trust the client; always validate against a whitelist

iframe sandbox

removes all limitations on the iframe source

avoid using iframes

HTML cache poisoning

Have sessions for long durations, during which the cached data can be stolen

Tool: Imposter

SQL DB security

what should & shouldn't be stored on client-side

XSS can run SQL-injected code; use encoding

Network Reconnaissance

Cross-domain XHR & WebSockets can be used for port scanning (search: HTML5 port scanner)

HTML5 Botnets

HTML5 WebWorkers allow running bots that attack apps from trusted client machines

Botnets try to: reach out to victims (phishing, Twitter masking URLs), extend execution lifetime

Distributed password cracking

Ravan, a JavaScript-based tool

Hacking Facebook using HTML5

Hacked: touch.facebook.com, to which you connect when logging into Facebook from mobile

it took any URL given after the hash, & executed it via AJAX

the attacker exploited this

there was no same-domain protection

onError wasn't validated, so the attacker added: onerror=$("..").appendChild(script...

See full code in slides

touch.facebook.com is trusted by facebook.com, so the hack enabled full access to any personal data in Facebook
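How the "load whatever follows the hash" pattern can be done safely, as an added example (not code from the talk or its slides) that also applies the encoding defence noted under XSS: the route is checked against a constructed allow-list of same-origin paths before anything is fetched, and nothing reaches the DOM unencoded. ALLOWED_ROUTES and the origin are assumptions for the example.

```javascript
// Added example, not from the talk or its slides. The touch.facebook.com bug
// loaded whatever followed "#" via AJAX; this hash router only fetches
// allow-listed same-origin paths and HTML-encodes anything it echoes back.
// ALLOWED_ROUTES and the origin passed in are constructed for the example.

const ALLOWED_ROUTES = new Set(['/home', '/profile', '/messages']);

// Returns the absolute same-origin URL to fetch, or null if the fragment is rejected.
function resolveHashRoute(hash, origin) {
  const fragment = hash.startsWith('#') ? hash.slice(1) : hash;
  if (fragment === '') return null;
  let url;
  try {
    url = new URL(fragment, origin); // relative paths resolve against our origin
  } catch (e) {
    return null;                     // unparsable fragment
  }
  // javascript:, data:, protocol-relative "//host" and foreign origins all fail here.
  if (url.origin !== origin) return null;
  if (!ALLOWED_ROUTES.has(url.pathname)) return null;
  // Query string and nested fragment are dropped; only the vetted path is used.
  return origin + url.pathname;
}

// HTML-encode text before it is placed into markup (the "Encoding" defence above).
function encodeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the status markup for a route change; the raw hash never reaches innerHTML,
// and rejected input is not echoed at all.
function statusMarkup(hash, origin) {
  const target = resolveHashRoute(hash, origin);
  if (target === null) return '<p>Unknown page</p>';
  return '<p>Loading ' + encodeHtml(target) + '</p>';
}
```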

More resources

http://html5sec.org/

HTML5 security cheat sheet

many more in slides