Online Mind Mapping and Brainstorming

Create your own awesome maps

Online Mind Mapping and Brainstorming

Even on the go

with our free apps for iPhone, iPad and Android

Get Started

Already have an account? Log In

HTML5 Security, Nimrod Luria, Q.Rity by Mind Map: HTML5 Security, Nimrod Luria, Q.Rity
0.0 stars - reviews range from 0 to 5

HTML5 Security, Nimrod Luria, Q.Rity

Application security


From things that cover only what's known, to things that cover what's possible

Web attack vectors

See list in slides


SSL not enough

Same origin/domain policy

HTML5 allows breaking this rule

facebook was hacked using HTML5 cross domain hack

there's a hack to override the function that returns the domain, in order to break it

Top attacks on Web2.0 apps


XML poisoning

RSS injection

Malicious AJAX code execution

HTTP request splitting

WSDL scanning & enumeration

RIA binary manipulation

Sometimes the only strategy is to confuse the enemy

because the logic is downloaded & exposed


Threat focuses




Mitigation techniques

Spoofing -> Authentication

Tempering -> Integrity




Common injection attacks


Xpath injection

SQL injection - client side!

Providing file downloads


iframe sandbox

HTML cache poisoning

SQL DB security

Network Reconnaissance

HTML5 Botnets

Distributed password cracking

Hacking Facebook using HTML5


they ran any URL after the hash, & execute it in AJAX

the attacker exploited this

See full code in slides is trusted by, so the hack enabled full access to any personal data in facebook

More resources

many more in slides